Ki Simco-Sctp 36454

Universitt
UniversittStuttgart
Stuttgart
INSTITUT FR
INSTITUT FR
NACHRICHTENVERMITTLUNG KOMMUNIKATIONSNETZE
UND DATENVERARBEITUNG UND RECHNERSYSTEME
Prof. Dr.-Ing. Dr. h. c. mult. P. J. Khn Prof. Dr.-Ing. Dr. h. c. mult. P. J. Khn
Evaluation of SCTP as transport layer

protocol for firewall control
Sebastian Kiesel, Michael Scharf
Institute of Communication Networks and Computer Engineering
University of Stuttgart
kiesel@ikr.uni-stuttgart.de, scharf@ikr.uni-stuttgart.de
Workshop "Neue Herausforderungen in der Netzsicherheit"
an der Universitt Duisburg-Essen
06/07.10.2005
Outline
Motivation
Overview of problems with SIP and firewalls
Introduction to IETF MIDCOM/SIMCO
Overview of SCTP
Testbed and measurement results
Conclusions and future work
Motivation
Next Generation Networks
Carrier operated VoIP networks (SIP, RTP)
Multi-operator scenarios
Requirements
- Protection against denial-of-service attacks and VoIP spam
- Accountability
Signaling and media path secured by firewalls
Firewalls
"A firewall is a system or group of systems that enforces an access
control policy between two networks."
Realization by packet filter and/or proxies
Firewalls in media path have to interact with session signaling
SIP/RTP: basic call flow

SIP user A
SIP proxy
SIP user B

SIP user A
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
180 RINGING

SIP user A
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
200 OK
ACK
ACK

SIP user A
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
200 OK
ACK
ACK
RTP/RTCP
SIP/RTP: dyn. cross-layer parameter negotiation

SIP user A
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
Parameter negotiation
(Codec, bit rate,
UDP port numbers,
IP addresses, ...)
200 OK
ACK
ACK
RTP/RTCP
Firewalls and out-of-band signaling
Clouds: IP based Operator Networks (e.g., NGN)

Network interconnection based on bilateral agreements,
protected by means of firewalls

SIP
SIP
SIP
SIP

SIP
SIP
SIP
SIP
RTP

SIP
SIP
SIP
SIP
ACL?
RTP
ACL?
Signaling messages may travel on different path through network

than media streams do
How to open pinholes in firewalls on media path?

SIP
SIP
SIP
SIP
pathcoupled FW signaling
ACL
RTP
ACL
Examples for path-coupled firewall signaling:

RSVP
IETF NSIS (Next Steps In Signaling) - NAT/FW NSLP

SIP
SIP
SIP
SIP
pathcoupled FW signaling
ACL
RTP
ACL
SIP
SIP
SIP
SIP
pathdecoupled FW signaling
ACL
RTP
ACL
IETF MIDCOM - SIMCO

Examples for path-decoupled firewall signaling:
UPnP (home and small office LANs only)
IETF MIDCOM (framework architecture) -> MIDCOM MIB or SIMCO
policy
repository
SIP
proxy
MIDCOM
PDP
MIDCOM
impl.
specific
MIDCOM policy
protocol protocol
interface interface
packet filter
("middlebox")
SIP
SIP UA
user A
RTP
SIP UA
user B
private domain
public network (e.g., Internet)

IETF MIDCOM - SIMCO
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
(e.g., packet filter)
IETF MIDCOM - SIMCO
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
Policy E nable Rule

(IP1, IP2, TCP/UDP/..., Port1, Port2, ..., TID, Lifetime)
IETF MIDCOM - SIMCO
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
Policy E nable Rule

Policy Enable Rule Positive Reply (TID,PID)
IETF MIDCOM - SIMCO
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
Policy E nable Rule

Policy Lifetime C hange (TID, PID, new Lifetime)

Policy Lifetime C hange Positive Reply (TID)
IETF MIDCOM - SIMCO
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
Policy E nable Rule

Policy Lifetime C hange (TID, PID, new Lifetime)

Policy Lifetime C hange Positive Reply (TID)
Policy Lifetime C hange (TID, PID,new Lifetime=0)
Policy Rule Deletion (TID)
SIMCO - Interaction with SIP/RTP

SIP user A
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
Parameter negotiation
(Codec, bit rate,
UDP port numbers,
IP addresses, ...)
200 OK
ACK
ACK
RTP/RTCP

SIP user A
SIP proxy
packet filter
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
200 OK
ACK
ACK
RTP/RTCP

SIP user A
SIP proxy
packet filter
SIP user B
INVITE (+SDP)
A PER RQ
RTPA
100 TRYING
PER PR
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
PER RQ
RTPB
200 OK
PER PR
ACK
ACK
RTP/RTCP

SIP user A
SIP proxy
packet filter
SIP user B
INVITE (+SDP)
A PER RQ
RTPA
100 TRYING
PER PR
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
PER RQ
RTPB
200 OK
PER PR
ACK
ACK
Call setup delay
RTP/RTCP
Summary SIMCO
Signaling protocol for Firewall and NAT control
Implements (abstract) IETF MIDCOM architecture and semantics
Policy Rules
- Generalized representation of packet filter rules, NAT bindings, etc.
- Soft state
Messages
- Session management
- Create, modify, delete policy rules by means of transactions
- Status query transactions
- Asynchronous notifications
Current status: Internet Draft
Prototype Implementations: NEC Europe, Ltd., Uni Stuttgart/IKR
Stream Control Transmission Protocol

SCTP (Stream Control Transmission Protocol, RFC 2960)
Generic transport layer protocol optimized for signaling purposes,
originally developed as part of the SIGTRAN stack for "SS7 over IP"
Connection oriented: "SCTP association"
- Reliable transmission (checksums, flow-control, etc.)
- "TCP friendly" congestion control
- Message-oriented interface to upper layers (no continous byte-stream)
Protocol mechanisms for deployment in high-reliability environments
- Multihoming, heartbeat/keepalive messages for automatic changeover
- Protection against "blind spoofing" and DoS attacks
SCTP association subdivided in several "SCTP streams"
- Flow & congestion control applied to whole SCTP association
More efficient than parallel TCP connections
- In-order delivery of messages ensured only within same stream
Reduced head-of-line blocking
Head-of-line blocking: Illustration

TCP
SCTP with 3 streams

1
2
4
3
2
1
1
3
2
3
4
3 4 3 2 1
3 4 3 2 1
IP packet 3 lost or corrupted
IP packet 3 lost or corrupted
Retransmission
Retransmission
Packet 4 has to wait in

resequencing queue at
receiver until packet 3 is
retransmitted
Packets in other streams

(e.g., packet 4) not affected
by head-of-line blocking
Head-of-line blocking
SIMCO over SCTP

Basic Question: how to leverage SCTPs multiple streams feature?
Constraint:
retain causality for SIMCO
Basic idea:
Agent and middlebox agree to use N bidirectional stream pairs
upon session establishment
Distribution of messages to streams:
SIMCO Agent ("client")
- Create new policy rules: use round-robin scheme to distribute requests
on streams, once decided save mapping PID - stream ID
- Modify/Delete existing policy rule: reuse saved mapping
Middlebox ("server")
- Send answer on same stream number than request was received on
Specification needs to consider some special cases
SIMCO over SCTP: Prototypical implementation
SIP Proxy
SIP protocol entity
add/
del
rule
ACK
Middlebox
SIMCO client
TCP
transceiver
UDP
SIMCO server
SCTP
transceiver
TCP
transceiver
TCP SCTP
IP
TCP
WAN
IP
SCTP
transceiver
SCTP
packet
filter
SIMCO over SCTP: Measurement testbed
Load Generator
add/
del
rule
response
time
Middlebox
SIMCO client
TCP
transceiver
UDP
SCTP
transceiver
TCP SCTP
IP
SIMCO server
TCP
transceiver
Delay,
Packet loss
WAN
Emulator
TCP
IP
SCTP
transceiver
SCTP
packet
filter
Measurement results
Comparison of mean response time
System load
30 ms call IAT (neg.-exp.)
180 s call duration
(neg.-exp.)
Equiv. to 120,000 users
with 0.05 Erl.
100 transactions/s
Mean SIMCO response time (in ms)
1000
TCP
1 stream
Network
20 ms RTT
10 Mbps data rate
4 str.
8 streams
Linux 2.6.11 TCP/SCTP
100
SCTP
Random packet loss
Theoretical lower bound

10
10
Packet loss probability (in %)
Several SCTP streams improve SIMCO response time

Measured TCP performance much worse than SCTP
Measurement results
Response time distribution
Compl. cumul. distr. function (CCDF)
4% packet
loss
0.1
4 str. 1 stream
Theoretical
lower bound
SCTP
System load
30 ms call IAT (neg.-exp.)
180 s call duration
(neg.-exp.)
Equiv. to 120,000 users
with 0.05 Erl.
100 transactions/s
Network
20 ms RTT
10 Mbps data rate
TCP
0.01
Random packet loss
Linux 2.6.11 TCP/SCTP
0.001
10
100
1000
SIMCO response time (in ms)
More than 8 SCTP streams will not significantly improve performance
Conclusions
Conclusions
Firewalls in VoIP networks to achieve PSTN-like security model
SIMCO is a signaling protocol for path-decoupled firewall control
SCTP is beneficial as transport protocol for SIMCO
- Less implementation complexity
- Protocol mechanisms for high-reliability environments
- Reduced head-of-line blocking
Measurements with prototype implementation show that small
number of SCTP streams is sufficient
Future Work
Performance impact of actually controlling a packet filter with
SIMCO middlebox entity (e. g., Linux netfilter)
Performance optimization by rule grouping/reordering possible?
Explanation of observed TCP performance problems

Ki Simco-Sctp 36454

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Ki Simco-Sctp 36454

Transféré par

Droits d'auteur :

Formats disponibles

Universitt

Evaluation of SCTP as transport layer

Institute of Communication Networks and Computer Engineering

Institute of Communication Networks and Computer Engineering

SIP/RTP: basic call flow

Institute of Communication Networks and Computer Engineering

SIP/RTP: basic call flow

Institute of Communication Networks and Computer Engineering

SIP/RTP: basic call flow

Institute of Communication Networks and Computer Engineering

SIP/RTP: basic call flow

Institute of Communication Networks and Computer Engineering

SIP/RTP: dyn. cross-layer parameter negotiation

Institute of Communication Networks and Computer Engineering

Firewalls and out-of-band signaling

Clouds: IP based Operator Networks (e.g., NGN)

Institute of Communication Networks and Computer Engineering

Firewalls and out-of-band signaling

Institute of Communication Networks and Computer Engineering

Firewalls and out-of-band signaling

Institute of Communication Networks and Computer Engineering

Firewalls and out-of-band signaling

Signaling messages may travel on different path through network

Institute of Communication Networks and Computer Engineering

Firewalls and out-of-band signaling

Examples for path-coupled firewall signaling:

Institute of Communication Networks and Computer Engineering

Firewalls and out-of-band signaling

Institute of Communication Networks and Computer Engineering

IETF MIDCOM - SIMCO

Institute of Communication Networks and Computer Engineering

public network (e.g., Internet)

IETF MIDCOM - SIMCO

Institute of Communication Networks and Computer Engineering

IETF MIDCOM - SIMCO

Policy E nable Rule

Institute of Communication Networks and Computer Engineering

IETF MIDCOM - SIMCO

Policy E nable Rule

Institute of Communication Networks and Computer Engineering

IETF MIDCOM - SIMCO

Policy E nable Rule

Policy Lifetime C hange (TID, PID, new Lifetime)

Institute of Communication Networks and Computer Engineering

IETF MIDCOM - SIMCO

Policy E nable Rule

Policy Lifetime C hange (TID, PID, new Lifetime)

Institute of Communication Networks and Computer Engineering

SIMCO - Interaction with SIP/RTP

Institute of Communication Networks and Computer Engineering

SIMCO - Interaction with SIP/RTP

Institute of Communication Networks and Computer Engineering

SIMCO - Interaction with SIP/RTP

Institute of Communication Networks and Computer Engineering

SIMCO - Interaction with SIP/RTP

Call setup delay

Institute of Communication Networks and Computer Engineering

Institute of Communication Networks and Computer Engineering

Stream Control Transmission Protocol

Head-of-line blocking: Illustration

SCTP with 3 streams

IP packet 3 lost or corrupted

IP packet 3 lost or corrupted