
Voice Media IP Expansion Security FAQ

What is happening?

Twilio is migrating our public Voice media connectivity to a new range of IPs and an expanded port range. Our previously published region-specific IP/port ranges will be decommissioned and will no longer send or accept Voice media traffic. Beginning on 10 October 2023, Twilio Voice media IPs will use a single global range: 168.86.128.0/18, with a UDP port range of 10000-60000.

When is this happening?

Starting 26 September 2023 Twilio will be updating the media IPs and port ranges for SIP and Voice SDK calls in all regions to 168.86.128.0/18 and expanding the UDP port range to 10000-60000. You will need to update your network infrastructure to ensure that you have whitelisted the full IP and port ranges before the migration completes on 10 October 2023. Old IP and port ranges will no longer accept or send traffic after this date but will need to be kept open in your infrastructure until that time. Failure to do so will result in one-way audio and dropped calls.

Which Twilio products are impacted by this change?

Elastic SIP Trunking, Flex, Programmable SIP, and Voice SDK (Android/iOS/Javascript) calls, Media Streams, and SIPREC all utilize the public media IP/port ranges impacted by this change. If you or your customers use these methods to get calls into or out of Twilio, you will need to validate that the systems communicating with Twilio's media edge(s) have been updated.

Why does Twilio require voice customers to open so many IP addresses/UDP ports?

Due to the size of Twilio's Voice customer base and the growth of traffic on the platform, we have a large pool of IP addresses and a wide port range to provide reliability and scalability for the foreseeable future.

Isn't it a security risk for us to have so many IPs/Ports open?

Allowlisting any IPs/ports carries some risk. If an attacker could take over one IP or port from a given range, they could take over the others as well, so the threat doesn't increase with the number of IPs or ports open.

Additionally, this IP range is owned by Twilio and registered with ARIN. It is not an ephemeral IP range that is at risk of being recycled by our cloud providers and later used by another organization; with this in mind, it is Twilio's position that this is a security improvement over the previous paradigm, despite the larger range(s).

The size of the allowlist makes me nervous, you're asking us to blindly open our systems!?!

Every RTP media session is negotiated by one of a small number of trusted Twilio signaling edges. The IP/port ranges here refer to the Twilio media edge: you should allow UDP traffic to be sent to and received from the published IP address ranges, but you do not need to open any additional IPs or ports on your side. As noted above, the IP range is owned by Twilio and registered with ARIN; it is not an ephemeral range at risk of being recycled by our cloud providers and later used by another organization, so it is Twilio's position that this is a security improvement over the previous paradigm.
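The two answers above both come down to one concrete task: make sure the UDP allowlist on your side covers all of 168.86.128.0/18 for ports 10000-60000, and be able to tell whether an RTP peer seen in a packet capture belongs to that range when troubleshooting one-way audio. The following script is an added example, not Twilio's code or tooling; the `AllowRule` shape is a constructed stand-in for whatever your firewall exports, and the sample rules are made up for illustration. `audit_allowlist` subtracts each fully-qualifying UDP rule from the published /18 and reports any address space left uncovered, so split rules (for example two /19s) are recognized as complete, while rules with a narrower port span are flagged rather than silently counted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Published Twilio Voice media range (values from the FAQ above).
TWILIO_MEDIA_NET = ipaddress.ip_network("168.86.128.0/18")
TWILIO_MEDIA_PORTS = (10000, 60000)


@dataclass(frozen=True)
class AllowRule:
    """One allowlist entry, in a constructed shape (not a real firewall export format)."""
    proto: str      # "udp" or "tcp"
    network: str    # CIDR, e.g. "168.86.128.0/18"
    port_lo: int
    port_hi: int

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.network, strict=False)

    def covers_ports(self) -> bool:
        lo, hi = TWILIO_MEDIA_PORTS
        return self.port_lo <= lo and self.port_hi >= hi


def is_twilio_media_endpoint(ip: str, port: int, proto: str = "udp") -> bool:
    """True if (ip, port, proto) falls inside the published media range.

    Handy when triaging one-way audio: does the RTP peer seen in a capture
    belong to the range the firewall must allow?
    """
    lo, hi = TWILIO_MEDIA_PORTS
    return (proto.lower() == "udp"
            and ipaddress.ip_address(ip) in TWILIO_MEDIA_NET
            and lo <= port <= hi)


def audit_allowlist(rules: Iterable[AllowRule]) -> dict:
    """Check whether the UDP rules jointly cover 168.86.128.0/18 x 10000-60000.

    Only rules whose port span covers the whole 10000-60000 range count toward
    address coverage; rules that touch the Twilio block but are too narrow on
    ports are listed under 'partial'. 'gaps' holds any address space that no
    qualifying rule covers (CIDR blocks are either nested or disjoint, so
    subtracting a subnet with address_exclude is exact).
    """
    remaining = [TWILIO_MEDIA_NET]   # address space not yet covered
    partial = []
    for rule in rules:
        net = rule.net
        if (rule.proto.lower() != "udp" or net.version != 4
                or not net.overlaps(TWILIO_MEDIA_NET)):
            continue                 # irrelevant to Twilio media traffic
        if not rule.covers_ports():
            partial.append((rule.network, "port span narrower than 10000-60000"))
            continue
        next_remaining = []
        for chunk in remaining:
            if net.supernet_of(chunk):
                continue             # chunk fully allowed by this rule
            if net.subnet_of(chunk):
                next_remaining.extend(chunk.address_exclude(net))
            else:
                next_remaining.append(chunk)
        remaining = next_remaining
    return {
        "covered": not remaining,
        "gaps": [str(n) for n in remaining],
        "partial": partial,
    }


if __name__ == "__main__":
    # Constructed sample: a rule set that was split into two /19s, with the
    # second half mistakenly limited to a narrow port span.
    sample_rules = [
        AllowRule("udp", "168.86.128.0/19", 10000, 60000),
        AllowRule("udp", "168.86.160.0/19", 10000, 20000),
    ]
    print(audit_allowlist(sample_rules))
    print(is_twilio_media_endpoint("168.86.150.7", 30000))
```

Run the audit against your exported rule set before 10 October 2023; an empty `gaps` list with an empty `partial` list means the new range is fully allowed. The old region-specific ranges are not modelled here because this FAQ does not list them; they still need to remain open until the migration completes.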

Why doesn't Twilio offer region-specific/product-specific IP ranges?

The new media pool is not region- or product-specific by design. It allows Twilio to allocate IP addresses dynamically based on current capacity needs. For example, if there are traffic spikes in us1, Twilio can dynamically re-allocate unused capacity from au1 or sg1, which are likely to be dormant.

What are some security best practices customers can use to lower their risk?

Using Secure RTP (available for Programmable SIP and Elastic SIP Trunking) will additionally lower the risk of RTP injection and hijacking attacks, as will disabling symmetric RTP on your SIP infrastructure unless it is absolutely necessary for NAT traversal.

Why don't other companies have such broad requirements?

We can't speak for the decision-making processes of other companies or their architectural designs, but we do see other companies with broadly similar requirements; Telnyx, for example, has a single non-regional /19 IP range, and Zoom Phone and Zoom Contact Center have a UDP port range of 20000-64000.

Why is Twilio doing this all at once?

We are changing public media edges and private Interconnect media edges separately, so the changes are somewhat distributed, but our thinking is to make a once-and-for-all change that migrates as much traffic as possible to the new media range, limiting the number of discrete changes needed on both customer and Twilio systems.

Why doesn't Twilio just use multiplexing or IP forwarding to reduce the number of IPs and ports that we need to receive traffic from?

Twilio does multiplexing and IP forwarding. The IP and port range requirements are based on our growth projections for the next ~10 years and take our multiplexing and IP forwarding capabilities into consideration.

This isn't going to work for us, we need to stay on the old IP addresses.

Unfortunately, this is not an option. Twilio needs to increase the size of our media fleet to ensure the reliability, resiliency, scalability, and stability of our network. Twilio offers a Network Traversal Service which provides media relay capabilities using TURN for Voice SDK calls to reduce the number of IP addresses and ports required.
