Open Source Telecom Software
Survey 2022

2022 Survey Introduction
● Back in 2019 we created a survey to gather people’s experiences and opinions on
using Open Source Telecom Software.
○ We share an anonymized aggregate view of the survey with those that compete the survey as soon as the
results are prepared, usually in July; and present a summary for everyone at TADSummit in November.
● This year we’ve focused on general questions: DDoS, Security, STIR/SHAKEN, IP
Messaging and SMS, IPv6, broader open source usage, impact of the recession and
investment plans, accelerators, RTC device lifecycle management, and vCon.
● 120 responses (2022) versus 114 (2021)
© Alan Quayle, 2022

2022 Results: What Region are you based?
© Alan Quayle, 2022
2020
Africa and North
America responses
doubled from 2021.
Likely interest in
the more general
question than focus
on specific projects.
While Russia, China
and Middle East did
not respond.
2021

2022 Results: Business Category
© Alan Quayle, 2022
Fewer consultants
and resellers, but a
leap in XaaS and
Telcos.
More service
providers based on
open source, than
implementors.
2021

What open source software do you use (Telecom)?
© Alan Quayle, 2022
Voice
OpenSIPS 24
Kamailio 23
FreeSWITCH 22
Asterisk 21
Homer 18
rtpengine 18
drachtio / jambonz 18
wazo 15
RTPproxy 15
freepbx 12
SIPp 11
Matrix 11
VICIDial 9
Jitsi 8
ASTPP 8
XiVO 7
Janus 5
Sippy/b2bua 5
WSO2 3
Restcomm 2
Asterisk 87
Kamailio 66
OpenSIPS 65
Homer 63
FreeSWITCH 61
rtpengine 61
SIPp 43
VICIDial 38
dratchio / jambonz 25
Janus 24
Jitsi 22
freepbx 21
RTPproxy 17
Matrix 12
Sippy/b2bua 7
wazo 2
Mediasoup 1
pjsip 1
Erlang 1
2021
2022 The large difference in
votes given total number of
responses is 120 (2022)
versus 114 (2021), shows
general survey needs to
standalone, as project
surveys are the focus of
participants.
Plus we’re getting better at
question design – it has an
impact.
We’ll do the General survey
one year (2022), and
project surveys the other
(2023).

What open source software do you use (Web/Enterprise)?
© Alan Quayle, 2022
Web/
Enterprise
Part 1
Ansible 19
Confluent
Kafka 19
Apache 18
Node.js 16
Docker 14
nginx 12
Grafana 12
HAProxy 11
RabbitMQ 9
PHP 8
Prometheus 7
suitecrm 7
Puppet 7
Web/
Enterprise Part
2
Jenkins 6
Zabbix 5
GnuCash 5
Perl 4
vscode 4
Kibana 4
SpagoBI 4
Elasticsearch 3
EspoCRM 3
QGIS 3
FRRouting 3
D3 2
Thunderbird 2
ActiveMQ 2
odoo 2
Karaf 1
Passbolt 1
Univention 1
Docker 89
PHP 69
Apache 68
Grafana 61
HAProxy 61
Node.js 59
nginx 57
Ansible 45
Many many tools: Ruby on
Rails, C# .Net Core, Trivvy,
Zeek, Suricata, Kubernetes,
Istio, etcd, Patroni, Palumi 45
Elasticsearch 44
vscode 40
Prometheus 39
RibbitMQ 39
Kibana 31
Jenkins 28
Zabbix 25
Confluent
Kafka 21
Perl 21
Puppet 19
FRRouting 10
Thunderbird 10
D3 6
odoo 6
ActiveMQ 4
Karaf 3
QGIS 3
suitecrm 3
EspoCRM 0
GnuCash 0
Passbolt 0
SpagoBI 0
Univention 0
2021
2022
Please let me
know if we’re
missing
packages in
the 2022 list
and I’ll break
them out. I’d
like to keep
this question
as a
‘popularity
index’ of
packages. Let
me know if
we should
break this
into a couple
of sub-
categories to
stop this list
getting too
long.

What open source software do you use (Linux/DB)?
© Alan Quayle, 2022
Linux
Linux 15
debian
linux 15
OpenSuS
E Linux 9
centos 9
linux mint 8
Manjaro 7
Percona 4
Ubuntu 3
DB
Postgres 19
MariaDB 9
REDIS 5
MongoDB 4
MySQL 4
CouchDB 4
Ubuntu 77
centos 61
Linux 49
debian linux 47
OpenSuSE Linux 17
linux mint 8
Fedora Server 1
RockyLinux 1
Manjaro 0
Percona 0
REDIS 68
MariaDB 58
Postgres 51
TimescaleDB 1
Influx 1
ClickHouse 1
CouchDB 0
Question design helped greatly on response rate.
More North American and XaaS provider responses
likely caused the Ubuntu and centos jump.
I have seen REDIS grow in popularity through the
pandemic.

Accelerators. Subspace, AWS Global Accelerator
© Alan Quayle, 2022
New Question, 58 responses.
Voice is commoditized, so the pricing needs
to be low.
Geographically Africa, South America, and
parts of Asia see a need, in part this is linked
to the lack of AWS PoPs in the region. BUT
coupled with the commoditization of voice
makes pricing particularly difficult those
regions.
AWS Global Accelerator is bundled in
standard pricing, which has created a
perception of a low / no price point.
The responses showed the challenges
Subspace faced.

SMS versus IP for A2P
© Alan Quayle, 2022
New Question, 106 responses.
Clearly there are two camps, SMS or IP. I thought we
would have seen more “both” votes for the situation
today and in the future.
Today SMS dominates A2P in most markets, the
exception being Asia (LINE, WeChat).
Please take these results with a grain of salt, being
frank, its not the right audience.

End2end security/encryption for Real Time
Platforms?
© Alan Quayle, 2022
New Question, 100 responses.
This one clearly touched a nerve in the
emotion of the responses.
The ‘No camp’ considers TLS and SRTP for SIP
adequate or thinks the PSTN will never try so
why bother for SIP or clients are too simple to
implement encryption.
Yes camp offer a range of solutions such as
copying approach of the messaging folks like
Matrix and Olm (Double Ratchet
cryptographic ratchet), or list the challenges
an end2end solution for RTC needs to
address.

Current State of IPv6 Deployment
© Alan Quayle, 2022
New question. 76
responses.
Seems reasonable, no
obvious geographic
differences, e.g. NA and EU
similar results. Provides a
metric to track in
subsequent surveys.
IPv4/6 question is more
appropriate to this
community than the SMS/IP
question.
Format of legend is:
Support IPv4/6 – most
deployments IPv4

RTC Device lifecycle management (DLM) should we do more?
© Alan Quayle, 2022
New question, 80 responses
Most of the Yes answers
were working on something
in the absence of standards.
A common justification is RTC
devices need special
treatment as they are an easy
attack vector.
No and not sure answers
were not justified.
This shows there is already
DLM work in place, albeit not
through standards.

What is the one most important feature of vCon?
© Alan Quayle, 2022
New question, 92
responses.
An open standard, with both
open source and
commercial ecosystems.
Tamper proof, yet easy to
update and add additional
information such as labels.
Standard tools can be
written to process, clean,
mask and manage
conversation data.

Over the next 2 years which companies do you expect to
© Alan Quayle, 2022
New question. This was a fun question to see
what people thought. 74 responses.
Like the financial analysts, Twilio had its bulls
and bears.
Meta is seen as on the wrong track, and Apple /
Google squeezing their ad revenue.
Cisco is being squeezed by RingCentral in
Telco, and other UCaaS/CCaaS in the
enterprise.
CPaaS is seen as being squeezed by the those
UCaaS/CCaaS focused on cost saving.
Carriers could be stable, or squeezed as there
is little new revenue from 5G and consumer and
enterprise customers migrate to better value
offers.
Do Well Struggle
Microsoft,
Amazon,
Google
Meta, Cisco,
Slack
Twilio
Sangoma
Vonage
CPaaS as
UC/CCaaS
offer cheaper
bundle
Carriers
should be
stable
IDT, MNOs
will struggle
Stable
UC/CCaaS
focused on
cost savings

Do you have a solution in place for volumetric DDoS attacks (i.e.
bandwidth saturation)?
© Alan Quayle, 2022
New question. 74 responses.
Solutions mentioned include Cloudflare magic
transit (17), Google Cloud Armor (5), hoster
provides (8) AT&T (1), Colt (1).
Given all the attacks through 2019-2022 I
thought more would have implemented DDoS
protections.
However, to counter DDoS, the changes
required have friction. It is not simply a matter
of buying a product; changes to the Internet
presence is required. And some of the ‘Yes’ are
because their service provider offers DDoS
protection.

Do you have a solution in place for application-level DDoS attacks?
© Alan Quayle, 2022
New question. 81 responses.
Application-level protections are
more mature. Volumetric DDoS
were only implemented by 30
participants, versus 81 for
application-level.
Given WebRTC has a greater
web attack surface I was
surprised at how few had
implemented. I think this is
linked to the revenue at risk
versus APIs and SIP.

If there is a solution in place for application-level DDoS attacks for SIP, is
it…
© Alan Quayle, 2022
New question. 28 responses.
Given the maturity and
specialized nature of SIP, this
topic has been studied for over
one decade. Hence in-house /
custom dominate.

If there is a solution in place for application-level DDoS attacks for HTTP
/ API, is it
© Alan Quayle, 2022
New question. 39 responses.
Given the wide availability of HTTP/API
application-level DDoS solutions I was
expecting Hosted to dominate. While in-
house / custom remain dominant.
I think there is a concern on the security
issues of passing traffic through a 3rd
party. Plus when will Cloudflare be
hacked?
Examining protections between XaaS
providers and telco / ISP both showed
the same split between hosted and in-
house. For next year we should examine
how the in-house solutions are tested.

Do you have a solution in place for application-level DDoS attacks?
© Alan Quayle, 2022
New question. 22 responses.
I’m not sure why for this question
we had more responses than
those that implement WebRTC-
only. I think the question wording
should be changed to allow
multiple implementations.
Similar split to API between in-
house and hosted. All groups
had a similar split.

When where your DDoS attacks?
© Alan Quayle, 2022
New question. 85 responses.
There was a gap between how the
question was asked and how people
responded. They included multiple
years, which was allowed.
Clearly the number of DDoS are
increasing. We’re halfway through 2022
and could achieve 50 attacks across the
participants
About 25% have avoided being
attacked, though most are
consultancies rather than service
providers. We estimate >80% of service
providers have been attacked.
We should ask for next year the
purpose of the attacks: ransom or
something else?

Volumetric or Application?
© Alan Quayle, 2022
New question. 88 responses.
Given all the attention given to
volumetric attacks, the level of
application attacks surprised me.
Though the number of responses
to both Volumetric and
Application-level attacks backs up
this even split.
In examining the type of
participant there was no clear
trend. XaaS, CSP, and Telco/ISPs
were all attacked equally.

Security: Internal Security Teams
© Alan Quayle, 2022
Starkly different answers this
year. In part due to the mix and
region of participants. But also
the growing security threats
raises its importance.
78 Responses.
2021
2022

Security
● If you are using security testing tools for RTC, please list them
○ 2021: None 75%, SIPVicious / SIPVicious Pro 13%, Sipp 4%. Sipcrack suite 4%, Test
RTC 4%
© Alan Quayle, 2022
Better question design
delivered richer response.
Plus different mix of
participants with greater
security concerns.
83 Responses.

Security:
● How much of the security efforts are
reactive / proactive?
© Alan Quayle, 2022
2021
2022
Starkly different answers this year. In part
due to the mix and region of participants.
But also the growing security threats
raises its importance.
98 Responses.

STIR/SHAKEN
● When do you plan to implement STIR/SHAKEN?
© Alan Quayle, 2022
2021
2022
Given its one year later and there are
roughly double the NA participants,
results seem to be inline with 2021.
Where there is no local market need,
international drives need to implement.
83 Responses.

In your opinion, is STIR/SHAKEN proving effective?
© Alan Quayle, 2022
Reasons for No include:
SLOW - Speed of process,
implementation, FCC
enforcement (80%)
Same effect could have
been achieved by database
dip, similar to LRN or
CNAM.
Frustration at how it’s been
implemented by the NA
carriers.
72 Responses.

Where are your STIR/SHAKEN projects discussions?
© Alan Quayle, 2022
Growing area is carriers
outside NA needing to
terminate traffic there.
Seeing discussions pop up
in other countries (UK,
France, India)
54 Responses.

THANK YOU
Please LMK what we should ask in 2023