Viop phone - Voice Over IP

Although we’re presenting some typical numbers here, you should run the numbers using your own particular configuration. The most beneficial comparisons of a VPN occur when compared to a dedicated, line−based network or one that makes extensive use of long distance dial−up lines. If you are already using a shared network (Frame Relay or ATM), the cost savings are not so striking. Consider that a VPN box at each location might cost $5,000 including installation; multiplied by seven sites is equal to $35,000. Now, how long will it take to save this cost if you substitute your ISP charges for each location and subtract the cost of your existing T1 or Frame Relay network? If you had six T1s at $5,000/month, you might now have seven T1 access lines from your ISP at $3,000 or $4,000/month. The $7,000/month savings will pay off the $35,000 investment in 5 months. If your Frame Relay service is costing $1,000/month per location, the break−even point doesn’t happen in any reasonable period. Using remote access server and dial−up lines is cheaper to install, costing about $6,000 to $7,000 for about 20 users to install at the central location. Now comes the big bite, which is the long distance charge from all the remote locations. This could easily grow to $5,000/month if each of the users spent two hours online. Each working day at $0.10/minute is about $8,000/month. Plug in your own assumptions as to duration and cost of telephone calls here. (Even at 1 hr/day and
$0.06/minute, that is $2,000/month for 20 users). A VPN system might cost $14,000 to install, including licenses for PC software at each location. The ISP charges that are $20/user/month, plus an ISDN line at the home shop for $100/month, means that we are saving $1,500 in monthly charges. We can pay off the system in 10 months. Again, do not assume that it will pay off in all cases. But, in all cases, it is worth the effort to perform the calculations. viop Your VPN will definitely require more network management than a dial−up system, so the cost of perhaps an additional system administrator may have to be added.

Proprietary Protocols
Most VPN products are designed strictly around IP. They will often handle other protocols, such as AppleTalk and IPX, by tunneling them inside of IP packets. This introduces both overhead and delay. If the amount of “foreign” protocol traffic is small, then this is not significant. If the bulk of your network is IPX or Apple talk, we recommend you investigate VPN vendors who will support these protocols in native mode.

VoIP VPN
The justification for doing VoIP on a VPN is primarily security, along with the reduced cost of VoIP. Depending on usage, voice generates relatively large amounts of traffic. Be sure to include this additional traffic in your sizing estimates. Our discussion of VoIP applies to whether we have a VPN or not. With a VPN, the delays due to encryption are larger, and therefore we would expect that the performance of voice over the VPN would be worse than VoIP. If we have chosen a network provider who will offer a SLA with QoS, there is a better chance for success, but the delays due to encryption and basic packet switching will still be there. With the exception of international calling, one must have a very large calling volume to make it worthwhile to put voice over the Internet and suffer the attendant quality
reduction.

Summary

VPNs can provide a cost−effective solution to have secure communications across the Internet. Performance can be improved by utilizing a national/international ISP that will offer SLAs and QoS. Choosing hardware−based over software−based VPN equipment will generally provide better performance. Choosing VPN vendors who embrace standards and support multiple standards increases your flexibility to your vendor/equipment choices. Knowing your current and anticipated traffic volumes permits you to make improved cost performance studies.

read comments (0)

The layman’s version (don’t try this at home because it won’t work as described here) is that each of us thinks up a couple of prime numbers (the bigger the better). One number we keep for ourselves and the other number we publish on our web site along with the product of the two prime numbers as our public key. Anyone wanting to send us something will use the public key to encrypt it with the public key, and only we can decrypt the message with our private key. We can authenticate the source if the sender used his private key to encrypt his signature because only his public key will decrypt his signature.

This system is secure because of the tremendous amount of processing power it takes to factor large prime numbers. (For example, if we could factor the product, we could determine the private key.) Unfortunately, performing the encryption and decryption are also processor intensive (slow). But it sure solves the key distribution problem. Therefore, we could use public key cryptography to
encrypt and distribute the keys to all our VPN boxes.
Authentication
Authentication is the process of verifying that this is the party to whom I am speaking, and that they have authorized access. There are several ways of doing this; however, the most common way is to provide an authentication server that passes out authenticated certificates based on something the user has or knows. User Level Authentication The user has or knows his/her account code (name) and password. User names are public, and passwords can be compromised. A more secure system is to use a type of secure ID card. These credit card sized devices are based on an internal clock that generates a different pseudo random code every minute. The authentication server is time synchronized with the card and therefore generates the same number at the same time. When the user calls in, he/she must enter his/her account code and the code from the card as the password. The IP has embedded in it a set of layer 2 protocols called the Point−to−Point Protocol (PPP). In PPP, the basic security methods used are Password Authentication Procedure (PAP) and the
Challenge Handshake Authentication Protocol (CHAP). PAP and CHAP do little for security. In fact, PAP and CHAP are part of the basic PPP protocol suite and fall short in providing a true security procedure. These schemes do not address issues of ironclad authentication and integrity, oreavesdropping. The PAP and CHAP are rudimentary procedures used to log on to a network, but
hackers and crackers easily defeat both.

Tunnel Protocol (L2TP) is another variation of an IP encapsulation protocol as shown in Figure 4−6. An L2TP tunnel is created by encapsulating an L2TP frame inside a UDP packet, which in turn is encapsulated inside an IP packet, whose source and destination addresses define the tunnel’s ends. Because the outer encapsulating protocol is IP, clearly IPSec protocols can be applied to this composite IP packet, thus protecting the data that flows within the L2TP tunnel. Authentication Header (AH), Encapsulated Security Payload (ESP), and Internet Security Association and Key Management Protocol (ISAKMP) can all be applied in a straightforward way.

L2TPs are an excellent way of providing cost−effective remote access, multiprotocol transport, and remote LAN access. It does not provide cryptographic robust security. L2TP should, therefore, be used in conjunction with IPSec for providing secure remote access. L2TP supports both host−created and ISP−created tunnels. A remote host that implements L2TP should use IPSec to protect any protocol that can be carried within a PPP packet. Integrated at the VPN point of access, user authentication establishes the identity of the person using the VPN node, and this is because an encrypted session is established between the two locations. The user authentication mechanism enables the authorized user of the VPN system access to the system, while preventing the attacker from accessing the system. Some of the common user authentication schemes are

• Operating system username/password
• S/Key (one time) password
• Remote Authentication Dial−In User Service (RADIUS)
• Strong two−factor token−based scheme

The strongest user authentication schemes available on the market are two−factor authentication schemes. These require two elements to verify a user’s identity: a physical element in their possession (a hardware electronic token), and a code that is memorized (a PIN). Some cutting−edge solutions are beginning to use biometrics mechanisms such as fingerprints, voiceprints, and retinal scans. However, these are still relatively unproven. When evaluating VPN solutions, it is important to consider a solution that has both data authentication and user authentication mechanisms. Currently, there are VPN viop solutions that provide only one form of authentication.
Because of this, VPN solution providers that only support one of the two authentication mechanisms will typically refer to authentication generically, without qualification of whether they support data authentication, user authentication, or both. A complete VPN solution will support both data authentication (also known as the digital signature process or data integrity) as well as user authentication (the process of verifying VPN user identity).

Packet Level Authentication The IPSec standard provides for packet level authentication to prevent man−in−the−middle attacks. (This is where someone intercepts your packets and substitutes his/her own.) IPSec is a layer 3 protocol that enhances the use of the layer 2 underlying checksum is calculated and encrypted with the data. If the checksum calculated by the recipient doesn’t match the one sent by the originator, someone has tampered with the data. The IPSec standard specifies two different algorithms for doing this MD−5 and SHA−1. If your vendor’s equipment supports both algorithms, it improves the chances for intervendor compatibility. The other alternative is to simply not use packet level authentication. In order to guarantee authenticity of the packets, a digital signature is required to authenticate the devices to one another. IPSec has included the X.509 digital certificate standard. Essentially, the X.509 certificate server keeps a list of certificates for each user. When you want to receive data from another device, you first ask for the certificate from the certificate server. The sender stamps all data with that certificate. Because this process is secure, you may be sure that these packets are
authentic. Your vendor then ideally supports both authentication algorithms and X.509. In any case, it is essential that someone in your organization understands in detail how each vendor supports the various levels of security that you intend to use. These authentication and encryption systems all have to work together flawlessly. If the vendors you choose stick to the standards, it improves the chances of, but does not guarantee, an integrated working environment.

IPSec offers a variety of advantages. Chief among those are

• IPSec is widely supported by the industry including Cisco, Microsoft, Nortel Networks, and so on.
• This universal presence ensures interoperability and availability of secure solutions for all types of end users. In addition, all IPSec−compliant products from different vendors are required to be compatible.
• IPSec provides for transparent security, irrespective of the applica−tions used.
• IPSec is not limited to operating system−specific solutions. It will be ubiquitous with IP. It will also be a mandatory part of the forthcoming Internet Protocol Version 6 (IPv6) standard.
• IPSec offers a variety of strong encryption standards. The key design decision to support an open architecture allows for easy adaptability of newer, stronger cryptographic algorithms.
• IPSec includes a secure key−management solution with digital certificate support. IPSec guarantees the ease of management and use. This reduces deployment costs in large−scale corporate networks

IPSec used in conjunction with L2TP provides secure remote−access client−to−server communication. L2TP alone cannot provide for a totally secure communication channel due to its failure to provide per packet integrity, inability to encrypt the user datagram, and the limited security coverage only at the ends of the established tunnel. The major drawback to packet−filtering techniques is that they require access to clear text, both in packet headers and in the packet payloads.
There are two major drafts in IPSec: AH and ESP. They are defined as follows:

• AH is used to provide connectionless integrity and data origin authentication for an entire IP datagram (hereafter referred to as authentication).
• ESP provides authentication and encryption for IP datagrams with the encryption algorithm determined by the user. In ESP authentication, the actual message digest is now inserted at the end of the packet (whereas in AH the digest is inside the authentication).

AH provides data integrity only and ESP, formerly encryption only, now provides both encryption and data integrity. The difference between AH data integrity and ESP data integrity is the scope of the data being authenticated. AH authenticates the entire packet, while ESP doesn’t authenticate the outer IP header. In ESP authentication, the actual message digest is now inserted at the end of the packet, whereas in AH the digest is inside the authentication header. The IPSec standard dictates that prior to any data transfer occurring, a Security Association (SA) must be negotiated between the two VPN nodes (gateways or clients). The SA contains all the information required for execution of various network security services such as the IP layer services (header authentication and payload encapsulation), transport or application layer services, and self−protection of negotiation traffic. These formats provide a consistent framework for transferring key and authentication data that is independent of the key generation technique, encryption algorithm, and authentication mechanism. One of the major benefits of the IPSec efforts is that the standardized packet structure and security association within the IPSec standard will facilitate third−party VPN solutions that interoperate at the data transmission level. However, it does not provide an automatic mechanism to exchange the encryption and data authentication keys needed to establish the encrypted session, which introduces the second major benefit of the IPSec standard: key management infrastructure or Public Key Infrastructure (PKI).
The IPSec working group is in the development and adoption stages of a standardized key management mechanism that enables safe and secure negotiation, distribution, and storage of encryption and authentication keys. A standardized packet structure and key management mechanism will facilitate fully interoperable third−party VPN solutions. Other VPN technologies that are being proposed or implemented as alternatives to the IPSec standard are not true IP security standards at all. Instead, they are encapsulation protocols that tunnel higher level protocols into a link layer protocols. When encryption is applied, some or all of the information needed by the packet filters may no longer be available.

read comments (0)

Internet−Based VPN

the same time. The philosophical point is that a dedicated network will be overbuilt in some areas and underbuilt in others. A shared network offers the hope that we can spread the overall cost out while getting the benefits of a private network. Historically, this accounts for the popularity of shared data networks beginning with X.25, Frame Relay, ATM, and now the Internet. The Internet has become a popular, low−cost backbone infrastructure.
Because of its ubiquity, many companies now want to use a secure Virtual Private Network (VPN) over the public Internet. The challenge in designing a VPN is to exploit the technologies for both intracompany and intercompany communication while still providing security. Of course the rule of thumb we now use in an Internet Protocol (IP) network is “IP on everything.” A VPN is an extension of an organization’s private intranet across a public network (that is, the Internet), creating a secure connection essentially through a tunnel. VPNs securely convey information across the Internet connecting remote users, branch offices, and business partners into the corporate network.

VPNs are owned by the carriers, but used by corporate customers, as though the customers owned them. A VPN is a secure connection that offers the privacy and management controls of a dedicated point−to−point leased line, but actually operates over a shared routed network. In the past we saw traditional networks being built as part of a leased line, point−to−point network. This was expensive and risky. A single link error brought the network down. Later a virtual networking scenario emerged using a packet−switching technology called Frame Relay. This demanded that presubscribed links were established by being premapped in logic. VPNs are created using encryption, authentication, and tunneling, a method by which data packets in one protocol are encapsulated in another protocol. Tunneling enables traffic from multiple organizations to travel across the same network, unaware of each other, as if enclosed inside their
own private steel pipe. It is easy to jump to the conclusion that the Internet is free and, therefore, there are tremendous cost savings to be had from this free shared network. Later, we will explore some cost comparisons, but as one might guess, the relative cost benefit depends very much on each network’s geography and traffic volume.

read comments (0)

Using these dedicated lines between locations, organizations created a private network. The next step in the evolution of private networks was to devise a corporate−wide numbering plan and have the now intelligent PBX determine the route to the dialed destination via its peers, just like the local telephone office does. After all, other than size, there is little difference between a PBX and a telephone company central office switch!

read comments (0)

As corporate communication volumes increased, organizations realized the cost of telephone service was escalating. Originally, all long distance service was charged on a per minute basis. AT&T introduced a volume discount outbound calling plan called Wide Area Telephone Service (WATS) [1] Some people refer to the term as Wide Area Telecommunications Services. For a monthly fixed payment, the organization got 240 hours of service to one of five bands across the country. Each band was priced, based on the distance from the originator’s location. A typical company usually had a band 5 line and a band 1 or 2 to cover adjacent state calls. It took some analysis to determine the most cost−effective solution for each company’s particular calling pattern. Foreign exchange (FX) service provided a fixed rate calling plan if a company had a large call volume for in−state locations. This is essentially subscribing to telephone service at the foreign central office location and leasing an extension cord from the telephone company to the home location. Originally, there were no usage charges on this line so the more you used it, the less expensive it was. Of course, long distance calls made from the foreign exchange were billed at the long−distance rate. An FX line is needed to each high volume calling location. Alternatively, a company could use a leased telephone line between locations. These lines went by several names: Terminal Interface Equipment (TIE) line, dedicated line, and a data line, when used for data. These are essentially point−to−point telephone lines that are available in two−wire or four−wire configurations. Because the difference in cost between two− and four−wire connections was small (relative to the cost of the line), the four−wire option was preferred unless the company needed many lines. The next logical step was to use these TIE lines to connect private branch exchanges (PBXs) at the various locations. Here again, there were no usage charges on these dedicated lines. A company with locations in Seattle, Phoenix, Atlanta, and headquarters in Chicago might have a “hub and spoke” arrangement of TIE lines from their headquarters to each regional office. Each location then might have FX lines to adjacent cities; for example, a company based in Seattle might have an FX
line to Tacoma, Kent, and Everett. There were corresponding inbound services where the called party paid. For example, the original Zenith operator provided toll−free calling in the days of manual switchboards. The inbound WATS service, now known as 800 service, was originally also structured in bands. Finally, for local toll service, remote call forwarding (RCF) allowed people to sign up for telephone service in a foreign exchange and have them make a long distance call from Tacoma, for example, back to Seattle at your expense. Although this was more expensive (depending on the number of calls) than FX, an advantage of RCF is that you can receive multiple calls at a time. It soon became apparent to people working in the Phoenix location that they could call their uncle in Kent by first asking the company operator (later by dialing) for the TIE line to Chicago. They would then choose the TIE line to Seattle and finally dial across the FX line to Kent. The PBX, although not smart, did allow a person to dial up the TIE and FX lines. The important fly in this otherwise ingenious solution (ointment) to high−cost long distance telephone service is that each TIE or FX line could only handle one call at a time. The challenge for the telecommunications manager was therefore to figure out the optimum number of TIE lines between locations to minimize cost and waiting time for the TIE line, while maximizing savings across the commercial long distance circuits. About this time, AT&T noticed a small drop in its long distance revenue from such business and a sharp increase in the number of leased lines it was providing. Now, clearly it is much more profitable to rent a telephone channel out at $0.25 per minute than to lease that capacity to a corporation for 1,000 per month. One should also be aware that the average corporation will not pay these prices, but smaller companies and independent contractors may! On average, 75 percent of the paying public is overpaying the cost of long distance because of the complexity and the various changes that take place. Recently, the three top providers of long distance service raised their rates by 7 percent (12/2001). The impact was primarily in the area of basic long distance service. This means that many small companies have subscribed to a plan with the carrier. The carrier selects the plan that best fits the customer’s dialing habits and number of circuits used (lines). However, the plan is current at the time of the deal and may change several times in the next year. Better pricing or packaging may become available the very next day. The consuming public may not realize that the new package is available and continue to pay the agreed to rates for the next x years, costing them hundreds to thousands of dollars extra per year. To rectify the problem, many organizations periodically call the carrier and ask for the best plan to meet their dialing habits. Once again, the best plan is selected at the time of the call, not forever adjusted automaticall.

read comments (0)

Many companies created or built their own private networks in the past. These networks are usually cost−justified or based on the availability of lines, facilities, and special needs. Often these networks employ a mix of technologies, such as private microwaves, satellite communications, fiber optics, and infrared transmission. The convergence of the networks has further been deployed because of the mix of services that the telephone companies did not service well. Many companies with private networks have been subjected to criticisms because the networks were misunderstood. Often the networks were based on voice savings and could not be justified. Now that the telecommunications networks and systems are merging, the demand for higher speed and more availability is driving either a private network or a hybrid.

read comments (0)

Prior to 1984, AT&T owned most of the network through its local Bell operating telephone companies. A layered hierarchy of office connections was designed around a five−level architecture. Each of these layers was designed around the concept of call completion. The offices were connected together with wires of various types called trunks. These trunks can be twisted pairs of wire, coaxial cables (like the CATV wire), radio (such as microwave), or fiber optics. As the convergence of voice and data networks continues, we see a revisitation to the older technologies as well as the new ones. Fiber is still the preferred medium from a carrier’s perspective. However, microwave radio is making a comeback in our telecommunications systems, linking door−to−door private−line services. Carrying voice, data, video, and high−speed Internet access is a given for a microwave system. Light−based systems, however, are limited in their use by telephone companies. It has been user demand that has brought infrared light and now Synchronous Optical Network−based (SONET) infrared systems in place. Recently, the introduction of an unguided light introduced by Lucent Technologies operates at speeds up to 2.4 Gbps to 10 Gbps. This offers the connectivity to almost anyone who can afford the system, because the right of way is no longer an issue.

read comments (0)

A network is a series of interconnections that form a cohesive and ubiquitous connectivity arrangement when all tied together. That sounds rather vague, so let’s look at the components of what constitutes the telecommunications network. The telecommunications network referred to here is the one that was built around voice communications but has been undergoing a metamorphosis for the past two decades. The convergence of voice and data is nothing new; we have been trying to run data over a voice network since the 1970s. However, to run data over the voice network, we had to make the data look like voice. This caused significant problems for the data because the voice network was noisy and error−prone. Reliability was a dream and integrity was unattainable, no matter what the price.
Generally speaking, a network is a series of interconnection points. The telephone companies over the years have been developing the connections throughout the world so that a level of cost−effective services can be achieved and their return on investment (ROI) can be met. As a matter of due course, whenever a customer wants a particular form of service, the traditional carriers offer two answers:

• It cannot be done technically.
• The tariff will not allow us to do that!

Regardless what the question happened to be, the telephone carriers were constantly the delay and the limiting factor in meeting the needs and demands for data and voice communications. In order to facilitate our interconnections, the telephone companies installed wires to the customer’s door. The wiring was selected as the most economical way to satisfy the need and the ROI equation. Consequently, the telephone companies installed the least expensive wiring possible.

Because they were primarily satisfying the demand for voice communications, they installed a thin wire (26−gauge) to most customers whose locations were within a mile or two from the central office. At the demarcation point, they installed the least expensive termination device (RJ−11), satisfying the standard two−wire unshielded twisted pair communications infrastructure. The position of the demarcation point depended on the legal issues involved. In the early days of the telephone network, the telephone companies owned everything, so they ran the wires to an interface point and then connected their telephone equipment to the wires at the customer’s end. The point here is that the telephone sets were essentially commodity−priced items requiring little special effect or treatment. When the data communications industry began during the late 1950s, the telephone companies began to charge an inordinate amount of money to accommodate this different service. Functionally, they were in the voice business and not the data business. As a matter of fact, to this day, most telephone companies do not know how to spell the word data! They profess that they understand this technology, but when faced with tough decisions or generic questions, few of their people can even talk about the services. How sad, they will be left behind if they do not change quickly. New regulations in the United States, in effect since the divestiture agreement, changed this demarcation point to the entrance of the customer’s building. From there, the customer hooked up whatever equipment was desired. Few people remember that in early 1980, a 2400 bps modem cost $10,000. The items that customers purchase from myriad other sources include all the pieces
we see during the convergence process. In the rest of the world today, where full divestiture or privatization has not yet taken place, the
telephone companies (or Post, Telephone, and Telegraph [PTTs]) still own the equipment. Other areas of the world have a hybrid system under which customers might or might not own their equipment. The combinations of this arrangement are almost limitless, depending on the degree of privatization and deregulation. However, the one characteristic that is common in most of the world to date is that the local provider owns the wires from the outside world to the entrance of the customer’s building. This local loop is now under constant attack from the wireless providers offering satellite service, local multipoint distribution services (LMDS), and multichannel multipoint distribution services (MMDS). Moreover, the CATV companies have installed coaxial cable or fiber, if new wiring has been installed, and they offer the interconnection to business and residential consumers alike. The Competitive Local Exchange Carriers (CLECs) who survived the bloodbath and fallout of 2000 and 2001 still remain as formidable foes to the local providers. They are installing fiber to many corporate clients (or buildings) with less expense and long−term write−off issues. The CLECs are literally walking away from the telephone companies’ local loop and using their own infrastructure. Add the x−Type Digital Subscriber Line (xDSL) family of products to this equation and the telephone companies are running out of options. The Community Antenna Television (CATV) companies are still outpacing the installation of Internet cable modems compared to the use of DSL services by the Regional Bell Operating Company (RBOC) and the CLECs. The numbers will probably change over time, but the current rate of installation is in the favor of the cable companies. This is where the CATV companies see the convergence occurring.

read comments (0)

In the local loop, the topological layout of the wires has traditionally been a single−wire pair or multiple pairs of wires strung to the customer’s location. Just how many pairs of wires are needed for the connection of a single line set to a telecommunications system and network? The answer (one pair) is obvious. However, other types of services, such as digital circuits and connections, require two pairs. The use of a single or dual pair of wires has been the norm. More recently, the local providers have been installing a four−pair (eight wires) connection to the customer location. The end user is now using separate voice lines, separate fax lines, and separate data communications hookups. Each of these requires a two−wire interface from the LEC. However, if a CATV provider has the technology installed, they can get a single coax (or fiber) to satisfy the voice, fax, data, and high−speed Internet access on a single interface, proving the convergence is rapidly occurring at the local loop. It is far less expensive to install a coax running all services (TV, voice, and data) than multiple pairs of wire, so the topology is a dedicated local connection of one or more pairs from the telephone provider to the customer location or a shared coax from the CATV supplier. This is called a star and/or shared star−bus configuration. The telephone company connection to the customer originates from a centralized point called a central office (CO). The provider at this point might be using a different topology. Either a star configuration to a hierarchy of other locations in the network layout or a ring can be used. The ring is becoming a far more prevalent method of connection for the local Telcos. Although we might also show the ring as a triangle, it is still a functional and logical ring. These star/ring or star/bus combinations constitute the bulk of the networking topologies today. Remember one fundamental fact: the telephone network was designed to carry analog electrical signals across a pair of wires to recreate a voice conversation at both ends. This network has been built to carry voice and does a reasonable job of doing so. Only recently have we been transmitting other forms of communication, such as fax, data, and video. The telephone switch (such as DMS−100 or #a5ESS) makes routing decisions based on some parameter, such as the digits dialed by the customer. These decisions are made very quickly and a cross−connection is made in logic. This means that the switch sets up a logical connection to another set of wires. Throughout this network, more or fewer connections are installed, depending on the anticipated calling patterns of the user population. Sometimes there are many connections among many offices  At other times, it can be simple with single connections. The telephone companies have begun to see a shift in their traffic over the past few years. More data traffic is being generated across the networks than ever before. As a matter of fact, 1996 marked the first year that as much data was carried on the network as voice. Since that time, data has continued its escalated growth pattern upwards of 30 percent, whereas voice has been stable at around a 4−percent growth.

read comments (0)