OpenSIPS Summit, Open Source Telecom Software Survey 2022

Business and Service Development at Alan Quayle Business & Service Development
Sep. 28, 2022

  1. Open Source Telecom Software Survey 2022
  2. Thank You © Alan Quayle, 2022
  3. 2022 Survey Introduction
     ● Back in 2019 we created a survey to gather people’s experiences and opinions on using Open Source Telecom Software.
       ○ We share an anonymized aggregate view of the survey with those that complete the survey as soon as the results are prepared, usually in July; and present a summary for everyone at TADSummit in November.
     ● Here are the surveys from 2021, 2020 and 2019, with the results from 2021, 2020 and 2019. Thank you for your continued support.
     ● This year we’ve focused on general questions across participants’ categories, DDoS, Security, STIR/SHAKEN, IP Messaging and SMS, IPv6, broader open source usage, impact of the recession and investment plans, accelerators, RTC device lifecycle management, and vCon.
     ● 120 responses (2022) versus 114 (2021)
     ● The project specific surveys only change slightly year to year, so we’re taking a break this year.
  4. Summary Part 1
     ● Even representation between Europe and NA, and better question response rate
       ○ Africa and North America participants doubled from 2021. In the case of NA, this is likely due to interest in the more general questions rather than a focus on specific OSS projects.
       ○ Fewer consultants and resellers responded, 35% increase in XaaS (UCaaS, CCaaS, CPaaS) and doubling of Telcos/ISPs.
       ○ Better question design and a shorter survey improved response rates by a factor of 2-3 for some questions
     ● Popular open-source projects used
       ○ Telecom: Asterisk (87), Kamailio (66), OpenSIPS (65), Homer (63), FreeSWITCH (61)
       ○ Enterprise/Web: Docker (89), PHP (69), Apache (68), Grafana (61), HAProxy (61)
       ○ OS/DB: Ubuntu (77), Centos (61), REDIS (68), MariaDB (58), Postgres (51)
     ● Accelerators: AWS Global Accelerator is bundled in standard pricing, which has created a perception of a low / no price point.
     ● End2end security for Real Time Platforms? Even split between yes and no. The ‘No’ camp considered TLS and SRTP for SIP adequate, or PSTN will never try so why bother for SIP, or clients are too simple.
  5. Executive Summary Part 2
     ● IPv6 – only 6% see new deployments as mostly IPv6, 94% are mostly IPv4
     ● RTC Device lifecycle management (DLM): Yes 46%, Not sure 38%, No 15%
       ○ Most of the Yes answers were working on something in the absence of standards. A common justification is RTC devices need special treatment as they are an easy attack vector. Perhaps it’s time to start a standard?
     ● Most important vCon feature: An open standard, with both open source and commercial ecosystems (81%)
     ● Over the next 2 years which companies do you expect to
       ○ Do well: Microsoft, Amazon, Google
       ○ Stable: Carriers and UC/CCaaS focused on cost savings through bundling
       ○ Struggle: Meta, Cisco, Sangoma, Vonage, CPaaS at the expense of UC/CCaaS focused on bundle and cost savings, IDT, MNOs
       ○ Like the financial analysts, Twilio had its bulls and bears.
     ● What are your investment plans for the next 2 years?
       ○ Only 7% are conserving cash (currently)
       ○ Product and sales investment accounted for 60%
  6. Executive Summary Part 3
     ● DDoS
       ○ Only 41% have a solution in place for volumetric DDoS, yet attacks are on the rise. 80% of service provider participants could see an attack in 2022.
       ○ Application-level DDoS solutions are more mature with API (50%), SIP (35%), WebRTC (15%)
       ○ In-house solutions dominate application-level DDoS (75%), while solutions based on Cloudflare dominate volumetric (46%)
     ● Security
       ○ Interesting mix of results, some starkly different while some quite close between 2021 and 2022. Differences due to mix and region of participants; and the growing importance of security.
       ○ Popular tools: SIPp (38), nmap (31), SIPVicious OSS (25)
       ○ Media encryption: SRTP/DTLS with ephemeral certificates doubled in use to dominate.
     ● STIR/SHAKEN
       ○ The perception of STIR/SHAKEN is not positive. Effective? Yes (32%), No (68%).
       ○ Even so, implementations have grown from 11 (22%) in 2021 to 28 (39%) in 2022
       ○ Growing internationally: NA (75%), UK, France, India and international to the US (25%)
  7. 2022 Results: What region are you based in? Africa and North America responses doubled from 2021, likely due to interest in the more general questions rather than a focus on specific projects. Russia, China and the Middle East did not respond. [Comparison charts: 2020, 2021]
  8. 2022 Results: What region(s) are most of your customers based? With more North America participants, their home market also increased, passing Europe as the dominant market. We’re also seeing significantly more customers from outside Europe/NA, with China, Middle East and Asia showing the largest increases. I think this survey is getting closer to the actual market situation. [Comparison chart: 2021]
  9. 2022 Results: Business Category. Fewer consultants and resellers, but a leap in XaaS and Telcos. More service providers based on open source, than implementors. [Comparison chart: 2021]
  10. 2022 Results: Business Size. This year the distribution is closer to my expectations. Last year the dominance of 100-1000 employees surprised me. Perhaps resellers biased the results? [Comparison chart: 2021]
  11. What open source software do you use (Telecom)?
      2021 (Voice): OpenSIPS 24, Kamailio 23, FreeSWITCH 22, Asterisk 21, Homer 18, rtpengine 18, drachtio / jambonz 18, wazo 15, RTPproxy 15, freepbx 12, SIPp 11, Matrix 11, VICIDial 9, Jitsi 8, ASTPP 8, XiVO 7, Janus 5, Sippy/b2bua 5, WSO2 3, Restcomm 2
      Given greater NA response, Asterisk dominates. In my experience 2022 is better representation across the market.
  12. What open source software do you use (Telecom)?
      2021 (Voice): OpenSIPS 24, Kamailio 23, FreeSWITCH 22, Asterisk 21, Homer 18, rtpengine 18, drachtio / jambonz 18, wazo 15, RTPproxy 15, freepbx 12, SIPp 11, Matrix 11, VICIDial 9, Jitsi 8, ASTPP 8, XiVO 7, Janus 5, Sippy/b2bua 5, WSO2 3, Restcomm 2
      2022: Asterisk 87, Kamailio 66, OpenSIPS 65, Homer 63, FreeSWITCH 61, rtpengine 61, SIPp 43, VICIDial 38, drachtio / jambonz 25, Janus 24, Jitsi 22, freepbx 21, RTPproxy 17, Matrix 12, Sippy/b2bua 7, wazo 2, Mediasoup 1, pjsip 1, Erlang 1
      The large difference in votes, given the total number of responses is 120 (2022) versus 114 (2021), shows the general survey needs to stand alone, as project surveys are the focus of participants. Plus we’re getting better at question design – it has an impact. We’ll do the General survey one year (2022), and project surveys the other (2023).
  13. What open source software do you use (Web/Enterprise)?
      2021 (Web/Enterprise Part 1): Ansible 19, Confluent Kafka 19, Apache 18, Node.js 16, Docker 14, nginx 12, Grafana 12, HAProxy 11, RabbitMQ 9, PHP 8, Prometheus 7, suitecrm 7, Puppet 7
      2021 (Web/Enterprise Part 2): Jenkins 6, Zabbix 5, GnuCash 5, Perl 4, vscode 4, Kibana 4, SpagoBI 4, Elasticsearch 3, EspoCRM 3, QGIS 3, FRRouting 3, D3 2, Thunderbird 2, ActiveMQ 2, odoo 2, Karaf 1, Passbolt 1, Univention 1
      2022: Docker 89, PHP 69, Apache 68, Grafana 61, HAProxy 61, Node.js 59, nginx 57, Ansible 45, Many many tools (Ruby on Rails, C# .NET Core, Trivy, Zeek, Suricata, Kubernetes, Istio, etcd, Patroni, Pulumi) 45, Elasticsearch 44, vscode 40, Prometheus 39, RabbitMQ 39, Kibana 31, Jenkins 28, Zabbix 25, Confluent Kafka 21, Perl 21, Puppet 19, FRRouting 10, Thunderbird 10, D3 6, odoo 6, ActiveMQ 4, Karaf 3, QGIS 3, suitecrm 3, EspoCRM 0, GnuCash 0, Passbolt 0, SpagoBI 0, Univention 0
      Please let me know if we’re missing packages in the 2022 list and I’ll break them out. I’d like to keep this question as a ‘popularity index’ of packages. Let me know if we should break this into a couple of sub-categories to stop this list getting too long.
  14. What open source software do you use (Linux/DB)?
      2021 (Linux): Linux 15, debian linux 15, OpenSuSE Linux 9, centos 9, linux mint 8, Manjaro 7, Percona 4, Ubuntu 3
      2021 (DB): Postgres 19, MariaDB 9, REDIS 5, MongoDB 4, MySQL 4, CouchDB 4
      2022 (Linux): Ubuntu 77, centos 61, Linux 49, debian linux 47, OpenSuSE Linux 17, linux mint 8, Fedora Server 1, RockyLinux 1, Manjaro 0, Percona 0
      2022 (DB): REDIS 68, MariaDB 58, Postgres 51, TimescaleDB 1, Influx 1, ClickHouse 1, CouchDB 0
      Question design helped greatly on response rate. More North American and XaaS provider responses likely caused the Ubuntu and centos jump. I have seen REDIS grow in popularity through the pandemic.
  15. Accelerators. Subspace, AWS Global Accelerator. New question, 58 responses. Voice is commoditized, so the pricing needs to be low. Geographically, Africa, South America, and parts of Asia see a need; in part this is linked to the lack of AWS PoPs in the region. BUT that, coupled with the commoditization of voice, makes pricing particularly difficult in those regions. AWS Global Accelerator is bundled in standard pricing, which has created a perception of a low / no price point. The responses showed the challenges Subspace faced.
  16. End2end security/encryption for Real Time Platforms? New question, 100 responses. This one clearly touched a nerve, judging by the emotion of the responses. The ‘No’ camp considers TLS and SRTP for SIP adequate, or thinks the PSTN will never try so why bother for SIP, or that clients are too simple to implement encryption. The ‘Yes’ camp offers a range of solutions such as key based (Kerberos – not sure on this one), copying the approach of the messaging folks like Matrix and Olm (Double Ratchet cryptographic ratchet), or lists the challenges an end2end solution for RTC needs to address.
  17. Current State of IPv6 Deployment. New question, 76 responses. Seems reasonable, no obvious geographic differences, e.g. NA and EU similar results. Provides a metric to track in subsequent surveys. IPv4/6 question is more appropriate to this community than the SMS/IP question. Format of legend is: Support IPv4/6 – most deployments IPv4
  18. RTC Device lifecycle management (DLM): should we do more? New question, 80 responses. Most of the Yes answers were working on something in the absence of standards. A common justification is RTC devices need special treatment as they are an easy attack vector. No and not sure answers were not justified. This shows there is already DLM work in place, albeit not through standards.
  19. What is the one most important feature of vCon? New question, 92 responses. An open standard, with both open source and commercial ecosystems. Tamper proof, yet easy to update and add additional information such as labels. Standard tools can be written to process, clean, mask and manage conversation data.
  20. Over the next 2 years which companies do you expect to. New question. This was a fun question to see what people thought. 74 responses. Like the financial analysts, Twilio had its bulls and bears. Meta is seen as on the wrong track, and Apple / Google squeezing their ad revenue. Cisco is being squeezed by RingCentral in Telco, and other UCaaS/CCaaS in the enterprise. CPaaS is seen as being squeezed by those UCaaS/CCaaS focused on cost saving. Carriers could be stable, or squeezed as there is little new revenue from 5G and consumer and enterprise customers migrate to better value offers. Do Well Struggle Microsoft, Amazon, Google Meta, Cisco, Slack Twilio Sangoma Vonage CPaaS as UC/CCaaS offer cheaper bundle Carriers should be stable IDT, MNOs will struggle Stable UC/CCaaS focused on cost savings
  21. What are your investment plans for the next 2 years? New question. A surprising result with only 7% conserving cash. Some of the participants are likely to be stable through a recession, so being able to invest can enable them to jump ahead when the market picks up, or win business from struggling competitors. Hence product and sales investment are top.
  22. Do you have a solution in place for volumetric DDoS attacks (i.e. bandwidth saturation)? New question. 74 responses. Solutions mentioned include Cloudflare Magic Transit (17), Google Cloud Armor (5), hoster provides (8), AT&T (1), Colt (1). Given all the attacks through 2019-2022 I thought more would have implemented DDoS protections. However, to counter DDoS, the changes required have friction. It is not simply a matter of buying a product; changes to the Internet presence are required. And some of the ‘Yes’ answers are because their service provider offers DDoS protection.
  23. Do you have a solution in place for application-level DDoS attacks? New question. 81 responses. Application-level protections are more mature. Volumetric DDoS protections were only implemented by 30 participants, versus 81 for application-level. Given WebRTC has a greater web attack surface I was surprised at how few had implemented. I think this is linked to the revenue at risk versus APIs and SIP.
  24. When were your DDoS attacks? New question. 85 responses. There was a gap between how the question was asked and how people responded. They included multiple years, which was allowed. Clearly the number of DDoS attacks is increasing. We’re halfway through 2022 and could achieve 50 attacks across the participants. About 25% have avoided being attacked, though most are consultancies rather than service providers. We estimate >80% of service providers have been attacked. We should ask for next year the purpose of the attacks: ransom or something else?
  25. Volumetric or Application? New question. 88 responses. Given all the attention given to volumetric attacks, the level of application attacks surprised me. Though the number of responses to both Volumetric and Application-level attacks backs up this even split. In examining the type of participant there was no clear trend. XaaS, CSP, and Telco/ISPs were all attacked equally.
  26. Security: Internal Security Teams. Starkly different answers this year, in part due to the mix and region of participants. But the growing security threats also raise its importance. 78 responses. [Charts: 2021, 2022]
  27. Security
      ● If you are using security testing tools for RTC, please list them
        ○ 2021: None 75%, SIPVicious / SIPVicious Pro 13%, SIPp 4%, Sipcrack suite 4%, Test RTC 4%
      Better question design delivered a richer response. Plus a different mix of participants with greater security concerns. 83 responses.
  28. STIR/SHAKEN
      ● Have you implemented STIR/SHAKEN for your project / deployment?
        ○ 2021: Yes 11 (22%), No 39 (78%) (44% of participants answered this section)
        ○ 2022: Yes 28 (39%), No 44 (61%) (60% answered, reflecting greater NA contingent)
      ● Do you have a need for STIR/SHAKEN in any open source telecom software?
        ○ 2021: Yes 21 (45%), No 26 (55%)
        ○ 2022: Yes 35 (49%), No 37 (51%)
        ○ However, requirement on open source remains the same
      ● Have you taken part in STIR/SHAKEN interoperability testing?
        ○ 2021: Yes 12 (25%), No 31 (65%), planning 5 (10%)
        ○ 2022: Yes 18 (25%), No 47 (65%), planning 7 (9%)
        ○ Similarly, interop testing remains the same
  29. In your opinion, is STIR/SHAKEN proving effective? 72 responses. Reasons for No include: SLOW - speed of process, implementation, FCC enforcement (80%). Same effect could have been achieved by database dip, similar to LRN or CNAM. Frustration at how it’s been implemented by the NA carriers.
  30. Where are your STIR/SHAKEN project discussions? A growing area is carriers outside NA needing to terminate traffic there. Seeing discussions pop up in other countries (UK, France, India). 54 responses.
  31. What's your view on the future of STIR/SHAKEN?
      ● Aggregated opinion on its future closely follows the effective question. 50 responses.
        ○ Effective? Yes 32%, No 68%
      ● Positive on the future
        ○ Have to start somewhere. Necessary. Important. Cross-carrier implementation provides a base to build upon. Something similar needed everywhere - at least until the end of telephony. Good idea, just needs more work.
      ● Negative on the future
        ○ Certification center confusion. Given fraudulent use of services and hacking of customer premises equipment; while that persists, CLI remains unreliable and calls untraceable. Dead end. Hope it goes away. Not a silver bullet.
  32. Thank You