Académique Documents
Professionnel Documents
Culture Documents
UniversittStuttgart
Stuttgart
INSTITUT FR
INSTITUT FR
NACHRICHTENVERMITTLUNG KOMMUNIKATIONSNETZE
UND DATENVERARBEITUNG UND RECHNERSYSTEME
Prof. Dr.-Ing. Dr. h. c. mult. P. J. Khn Prof. Dr.-Ing. Dr. h. c. mult. P. J. Khn
Outline
Motivation
Overview of problems with SIP and firewalls
Introduction to IETF MIDCOM/SIMCO
Overview of SCTP
Testbed and measurement results
Conclusions and future work
University of Stuttgart
Motivation
Next Generation Networks
Carrier operated VoIP networks (SIP, RTP)
Multi-operator scenarios
Requirements
- Protection against denial-of-service attacks and VoIP spam
- Accountability
Signaling and media path secured by firewalls
Firewalls
"A firewall is a system or group of systems that enforces an access
control policy between two networks."
Realization by packet filter and/or proxies
Firewalls in media path have to interact with session signaling
University of Stuttgart
SIP proxy
SIP user B
University of Stuttgart
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
180 RINGING
University of Stuttgart
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
200 OK
ACK
ACK
University of Stuttgart
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
200 OK
ACK
ACK
RTP/RTCP
University of Stuttgart
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
Parameter negotiation
(Codec, bit rate,
UDP port numbers,
IP addresses, ...)
200 OK
ACK
ACK
RTP/RTCP
University of Stuttgart
University of Stuttgart
SIP
SIP
University of Stuttgart
SIP
SIP
SIP
RTP
University of Stuttgart
SIP
SIP
SIP
ACL?
RTP
ACL?
University of Stuttgart
SIP
SIP
SIP
pathcoupled FW signaling
ACL
RTP
ACL
University of Stuttgart
SIP
SIP
SIP
pathcoupled FW signaling
ACL
RTP
ACL
SIP
SIP
SIP
SIP
pathdecoupled FW signaling
ACL
RTP
ACL
University of Stuttgart
policy
repository
SIP
proxy
MIDCOM
PDP
MIDCOM
impl.
specific
MIDCOM policy
protocol protocol
interface interface
packet filter
("middlebox")
SIP
SIP UA
user A
RTP
SIP UA
user B
private domain
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
(e.g., packet filter)
University of Stuttgart
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
(e.g., packet filter)
University of Stuttgart
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
(e.g., packet filter)
University of Stuttgart
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
(e.g., packet filter)
University of Stuttgart
MIDCOM/SIMCO agent
(e.g., SIP proxy)
Middlebox
(e.g., packet filter)
University of Stuttgart
SIP proxy
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
Parameter negotiation
(Codec, bit rate,
UDP port numbers,
IP addresses, ...)
200 OK
ACK
ACK
RTP/RTCP
University of Stuttgart
SIP proxy
packet filter
SIP user B
INVITE (+SDP)
A
100 TRYING
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
200 OK
ACK
ACK
RTP/RTCP
University of Stuttgart
SIP proxy
packet filter
SIP user B
INVITE (+SDP)
A PER RQ
RTPA
100 TRYING
PER PR
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
PER RQ
RTPB
200 OK
PER PR
ACK
ACK
RTP/RTCP
University of Stuttgart
SIP proxy
packet filter
SIP user B
INVITE (+SDP)
A PER RQ
RTPA
100 TRYING
PER PR
INVITE (+SDP)
A
180 RINGING
200 OK (+SDP )
B
180 RINGING
PER RQ
RTPB
200 OK
PER PR
ACK
ACK
RTP/RTCP
University of Stuttgart
Summary SIMCO
Signaling protocol for Firewall and NAT control
Implements (abstract) IETF MIDCOM architecture and semantics
Policy Rules
- Generalized representation of packet filter rules, NAT bindings, etc.
- Soft state
Messages
- Session management
- Create, modify, delete policy rules by means of transactions
- Status query transactions
- Asynchronous notifications
Current status: Internet Draft
Prototype Implementations: NEC Europe, Ltd., Uni Stuttgart/IKR
University of Stuttgart
University of Stuttgart
4
3
2
1
1
3
2
3
4
3 4 3 2 1
3 4 3 2 1
Retransmission
Retransmission
Head-of-line blocking
Institute of Communication Networks and Computer Engineering
University of Stuttgart
Basic idea:
Agent and middlebox agree to use N bidirectional stream pairs
upon session establishment
Distribution of messages to streams:
SIMCO Agent ("client")
- Create new policy rules: use round-robin scheme to distribute requests
on streams, once decided save mapping PID - stream ID
- Modify/Delete existing policy rule: reuse saved mapping
Middlebox ("server")
- Send answer on same stream number than request was received on
Specification needs to consider some special cases
University of Stuttgart
SIP Proxy
SIP protocol entity
add/
del
rule
ACK
Middlebox
SIMCO client
TCP
transceiver
UDP
SIMCO server
SCTP
transceiver
TCP
transceiver
TCP SCTP
IP
TCP
WAN
IP
SCTP
transceiver
SCTP
packet
filter
University of Stuttgart
Load Generator
add/
del
rule
response
time
Middlebox
SIMCO client
TCP
transceiver
UDP
SCTP
transceiver
TCP SCTP
IP
SIMCO server
TCP
transceiver
Delay,
Packet loss
WAN
Emulator
TCP
IP
SCTP
transceiver
SCTP
packet
filter
University of Stuttgart
Measurement results
Comparison of mean response time
System load
30 ms call IAT (neg.-exp.)
180 s call duration
(neg.-exp.)
Equiv. to 120,000 users
with 0.05 Erl.
100 transactions/s
1000
TCP
1 stream
Network
20 ms RTT
10 Mbps data rate
4 str.
8 streams
100
SCTP
10
University of Stuttgart
Measurement results
Response time distribution
Compl. cumul. distr. function (CCDF)
4% packet
loss
0.1
4 str. 1 stream
Theoretical
lower bound
SCTP
System load
30 ms call IAT (neg.-exp.)
180 s call duration
(neg.-exp.)
Equiv. to 120,000 users
with 0.05 Erl.
100 transactions/s
Network
20 ms RTT
10 Mbps data rate
TCP
0.01
0.001
10
100
1000
University of Stuttgart
Conclusions
Conclusions
Firewalls in VoIP networks to achieve PSTN-like security model
SIMCO is a signaling protocol for path-decoupled firewall control
SCTP is beneficial as transport protocol for SIMCO
- Less implementation complexity
- Protocol mechanisms for high-reliability environments
- Reduced head-of-line blocking
Measurements with prototype implementation show that small
number of SCTP streams is sufficient
Future Work
Performance impact of actually controlling a packet filter with
SIMCO middlebox entity (e. g., Linux netfilter)
Performance optimization by rule grouping/reordering possible?
Explanation of observed TCP performance problems
University of Stuttgart
University of Stuttgart