Network — Callivex

🇪🇺

Primary PoP — Frankfurt

EU-central placement for low-latency reach across Germany, Benelux, France, Switzerland, Austria, Poland, the Nordics, the UK, and the Mediterranean. Active-active SBC pair behind a single FQDN.

🇬🇧

Edge — London

UK edge for sub-15ms reach to BT, Vodafone, Virgin Media. Failover for Frankfurt-primary customers; primary for UK-domestic customers.

📡

Carrier interconnects

Direct SIP interconnects with EU wholesale carriers for A–Z termination. Multi-carrier LCR per destination with ASR-weighted failover.

🛡

Edge protection

SIP scanner mitigation, fail2ban-equivalent at the SBC, source-IP enforcement, signaling rate limits per source. DDoS protection at the network layer.

The same stack the rest of the industry runs

We don't build a clever proprietary softswitch. The signal-path components are the carrier-grade open-source projects every serious operator relies on. The differentiator is operational discipline, not exotic software.

Kamailio — SIP edge proxy, registration, dispatcher, ACL, KEMI Lua scripting
Asterisk — B2BUA for media/codec handling, transcoding, AMI integration
RTPEngine — media relay, SRTP termination, codec normalization
CGRateS — real-time rating engine, per-second billing, balance enforcement
MariaDB — provisioning, CDR archive, audit log
Prometheus + Grafana + Homer — metrics, dashboards, SIP capture
Fail2ban — automated source-IP banning on SIP authentication failures

# Signal path — outbound call caller (your SBC) ↓ SIP INVITE [ Kamailio ] ← AUTH, ACL, dispatcher, LCR ↓ INVITE (re-routed) [ Asterisk ] ← codec negotiation, transcoder ↓ B2BUA [ RTPEngine ] ← media relay, SRTP ↓ SIP + RTP upstream carrier ↓ PSTN delivery # Billing path — parallel, real-time [ CGRateS ] ← rate, balance, cut-off

# Signaling + media — security profile Signaling: SIP / UDP, TCP, TLS 1.2+ Media: RTP / SRTP (AES-128 / AES-256) Codecs: G.711 a-law, G.711 u-law, G.722, G.729, opus DTMF: RFC 2833, SIP INFO Fax: T.38 (transcoding on request) Transports: UDP, TCP, TLS Auth options: IP whitelist, digest, mutual TLS Source-IP cap: 8 IPs per trunk default CIDR support: /29 to /32, /28 on review

Encryption-ready, IP-locked, scanner-shielded

Encryption is available on every leg from customer SBC to carrier (where the carrier supports TLS+SRTP). IP-auth is the default; SIP digest is supported but discouraged for high-volume trunks.

TLS 1.2+ on signaling for any customer that requests it
SRTP on media (AES-128 / AES-256) end-to-end where carrier-supported
Mutual TLS (mTLS) on request for sensitive deployments
Source-IP whitelisting enforced at SBC, not just provisioning DB
SIP scanner mitigation: fail-rate based banning, signature filtering
Per-customer signaling rate limits (CPS, REGISTER bursts)

Engineering ops, not "we'll look at logs if you call"

Every leg is captured, every CDR is rated, every metric is graphed. Customer-facing dashboards show per-route ASR, ACD, NER, PDD. Internal alerts fire before customers feel impact.

Per-customer dashboard: ASR, ACD, attempts, billable mins, top destinations
Per-route quality metrics windowed at 5/15/60-minute intervals
SIP capture (Homer / sipcapture.org protocol) for incident forensics
Active synthetic call probes from each PoP, every minute
PagerDuty escalation on threshold breaches
Public status page at status.callivex.com (planned)

# Quality probe — last 24h, all routes ASR ACD NER PDD all routes 52% 164s 81% 2.1s UK · Mobile 61% 198s 87% 1.8s DE · Mobile 58% 173s 85% 2.0s FR · Landline 54% 148s 82% 2.2s PL · Landline 47% 127s 78% 2.4s # Internal alert thresholds ASR drop >15% in 15min → page on-call PDD >5s on top route → page on-call Carrier 5xx >2% / 5min → auto-fallback

Network & infrastructure