an optimisation scheme for ipsec enabled voip calls over unicast transmissions · 2013-02-17 · an...
VoIP Quality of Service and Security · Background · Formulating the Problem · Simulation Testbed · Results · Conclusion
An Optimisation Scheme for IPSec Enabled VoIP Calls
over Unicast Transmissions
Dr Gregory Epiphaniou
CEH CSTP IPTX MBCS AHEA
Institute for Research in Applicable Computing (IRAC), Department of Computer Science and Technology, University of Bedfordshire, United Kingdom
2nd International Workshop on Recent Advances in Networking, Security and Forensics, 2012
Epiphaniou An Optimisation Scheme for IPSec Enabled VoIP Calls
Outline
1. VoIP Quality of Service and Security: Voice over IP Technology; Secure Convergence
2. Background: What is Quality of Service?; Network Impairments
3. Formulating the Problem: Decision Variables; Model Constraints
4. Simulation Testbed
5. Results
6. Conclusion
Voice over IP Technology · Secure Convergence
The Big Questions Around VoIP QoS and Security
How can variable speech encoding schemes affect VoIP QoS when used in conjunction with security protocols?
What is the accurate combination of encoding schemes, ciphers and payload sizes?
How can the tradeoffs between delay, loss, jitter buffers and packet sizes be addressed for a given VoIP service?
Is the default voice payload size for each speech compressor (codec) the accurate setting when encryption is applied?
What is Voice over IP?
Definition
The technology for delivering voice communications over IP-based networks such
as the Internet or other packet-switched networks
Why VoIP?
Cost savings up to 40% on local calls and 90% on international calls
Permits multicast transmissions (conference calls)
Cheap user equipment (software/hardware)
Easy integration to existing network (best-effort) services
Mobility
Addressing the problematic areas
Security constraints may impose a serious degradation on VoIP quality
Increased end-to-end (e2e) delay due to security processing
Strong encryption cannot provide adequate QoS
Tackle the encryption penalty without degrading the call quality
Voice payload encryption, or packet encryption and encapsulation into a new packet
Addressing the problematic areas (cont.)
Proper selection of the encryption algorithm
Impossibility for the crypto-engine to favour voice traffic over normal traffic
Disproportionate ratio between the headers and the actual voice carried across the network
QoS protocols are not well suited to all the security mechanisms
Tradeoffs between the crypto-engine's throughput, e2e delay and VoIP packet size
Increased bandwidth consumption due to security mechanisms
What is Quality of Service? · Network Impairments
The perceived QoS
Definition
Capabilities for, or the classes defined to achieve, preferential handling of different
types of traffic in packet-switched networks
How can this be perceived by VoIP users?
Frequency and level of service disruption
Delay
Echo
Encryption is transparent...
What does this mean for IP-Telephony Service Providers?
Network engineering and traffic shaping for sensitive traffic
Fit security protocols into the overall QoS picture
Encryption is not a panacea
VoIP's inheritance from best-effort networks
Jitter, delay and packet loss may impose additional challenges when it comes to VoIP
Jitter is the unwanted variation in the inter-arrival time between consecutive packets
The total packet loss rate must not exceed 5% of the total packets transmitted
The e2e delay must not exceed 120 ms for plain VoIP traffic and 200 ms for encrypted traffic
Figure: Delay components between sender and receiver across the network. Codec delay + propagation delay + queuing delay + serialisation delay + switching delay + de-jitter buffer delay + de-packetisation delay = end-to-end delay.
Decision Variables · Model Constraints
Fitness Function
Definition
A performance function $G(x)$ is derived consisting of the sub-objective functions of call volume $C_v(x)$ and Level of Encryption $LoE(x)$ for a given vector of decision variables $x$. The Call Volume $C_v(x)$ is the number of simultaneous VoIP calls fed into the network and the Level of Encryption $LoE(x)$ is the cipher/hashing selection for each call, for the given vector $x$. Therefore, the required function $G(x)$ to be maximised can be expressed as:
$$G(x) = [\,C_v(x),\ LoE(x)\,] \quad (1)$$
where $x$ is the vector of decision variables defined as:
$$x = [\,Cid_i,\ Kl_i,\ Cr_i,\ Ps_i,\ N_i,\ Ce_i,\ Cd_i,\ te_i,\ td_i\,] \quad (2)$$
Decision Variables
Table: Description of decision variables
Cid_i : the cryptographic index for each cipher used for the ith VoIP call
Kl_i  : the key length for the ciphers used for the ith VoIP call (bits)
Cr_i  : the codec bit rate for the ith VoIP call (bit/s)
Ps_i  : the payload size of the ith VoIP call (bytes)
N_i   : the maximum number of simultaneous VoIP calls fed into the network
Ce_i  : the processing cycles required for encryption for the ith VoIP call
Cd_i  : the processing cycles required for decryption for the ith VoIP call
te_i  : the time required to encrypt a single block of data from the ith VoIP call (s)
td_i  : the time required to decrypt a single block of data from the ith VoIP call (s)
Modelling the parameters
Each VoIP call i has been assigned a cryptographic index $Cid_i$ corresponding to the combination of cipher and hashing used for that call. The index takes integer values on a scale of 1 to 3. In this way a minimum level of security can be assured for every call. Table 2 illustrates this numerical relationship:
Table: Cryptographic index $Cid_i$ and its mapping to the encryption strength
Cryptographic index Cid_i : corresponding ciphers
1 : DES/HMAC-SHA1
2 : AES (128-256)/HMAC-SHA1
3 : 3DES/HMAC-SHA1
Modelling the parameters
The mathematical expression of the call volume $C_v(x)$ from equation 1 was then further expanded as:
$$C_v(x) = \sum_{i=1}^{N_i} \frac{Cr_i}{Ps_i} \quad (3)$$
$$LoE(x) = \frac{\text{current } So_i(x)}{\text{maximum } So_i(x)} \quad (4)$$
where $So_i(x)$ is the security overhead for the ith VoIP call, resulting from the confidentiality and authentication mechanisms. $So_i(x)$ can be further expressed as:
$$So_i(x) = te_i(x) + td_i(x) + aut_i(x) \quad (5)$$
where $te_i(x)$ is the time required to encrypt a single block of data for the ith VoIP call, $td_i(x)$ is the time required to decrypt a single block of data for the ith VoIP call and $aut_i(x)$ is the authentication and verification time required for HMAC-SHA1 for the same VoIP call.
Modelling the parameters
Combining equations 3 to 5, equation 1 can be expressed as:
$$G(x) = \left[\ \sum_{i=1}^{N_i} \frac{Cr_i}{Ps_i},\ \frac{\text{current}\,[\,te_i(x) + td_i(x) + aut_i(x)\,]}{\text{maximum}\,[\,te_i(x) + td_i(x) + aut_i(x)\,]}\ \right] \quad (6)$$
Based on Xenakis' mathematical model, the security overhead in equation 5 can be further expressed as:
$$So_i(x) = \left(\left\lceil \frac{8 \cdot Ps_i}{BS_i} \right\rceil \cdot Ce_i\right) + \left(\left\lceil \frac{8 \cdot Ps_i}{BS_i} \right\rceil \cdot Cd_i\right) + aut_i(x) \quad (7)$$
Modelling the parameters
Using equations 6 and 7, and by employing the Weighted Sum Method, the multi-objective function under maximisation can be transformed into a single objective as:
$$\max G(x) = w_{cv} \cdot \sum_{i=1}^{N_i} \frac{Cr_i}{Ps_i} + w_{LoE} \cdot \frac{\text{current}\left[\left\lceil \frac{8 \cdot Ps_i}{BS_i} \right\rceil \cdot Ce_i + \left\lceil \frac{8 \cdot Ps_i}{BS_i} \right\rceil \cdot Cd_i + aut_i(x)\right]}{\text{maximum}\left[\left\lceil \frac{8 \cdot Ps_i}{BS_i} \right\rceil \cdot Ce_i + \left\lceil \frac{8 \cdot Ps_i}{BS_i} \right\rceil \cdot Cd_i + aut_i(x)\right]} \quad (8)$$
The maximisation problem can be transformed into a minimisation problem by simply minimising the negative of $G(x)$. Here $BS_i$ is the block size processed by the cipher ($BS_i = 64$ for DES/3DES and $BS_i = 128$ for AES).
Modelling the parameters
The Weighted Sum Method is computationally efficient and can generate a strong non-dominated solution as an initial answer to the problem. The difficulty of this method lies in selecting the appropriate weight metrics, especially in cases where there is a lack of information about the problem.
Most researchers use a linear combination of the objectives and generate the trade-off surface by varying the weights according to the importance each objective has in the overall calculation.
For simplicity of the analysis both objectives in the problem have been treated as equally important and have been assigned weight metrics of 0.5 each. Varying the weight metrics changes how far one objective is favoured over the other and can seriously affect the solutions extracted.
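The following is an added worked example, not code from the slides or from the author's NS-2/MATLAB toolchain, that evaluates equations 3, 4, 7 and 8 for a candidate decision vector: the ceiling of 8·Ps_i/BS_i gives the cipher blocks per payload, the per-call security overhead So_i is built from it, the weighted sum with w_cv = w_LoE = 0.5 scalarises G(x), and the negated value is what a GA or ES routine would minimise. The index-to-cipher mapping and the block sizes (64 for DES/3DES, 128 for AES) are from the deck; the per-block cycle counts Ce_i and Cd_i, the constant authentication cost and the reading of "maximum So_i" as the overhead of the costliest admissible cipher index are assumptions introduced here.

```python
from dataclasses import dataclass, replace
from math import ceil

# Cryptographic index Cid_i -> (cipher/hash combination, cipher block size BS_i in bits).
# Index mapping and block sizes (64 for DES/3DES, 128 for AES) are taken from the slides.
CIPHER_BY_CID = {
    1: ("DES/HMAC-SHA1", 64),
    2: ("AES/HMAC-SHA1", 128),
    3: ("3DES/HMAC-SHA1", 64),
}

# CONSTRUCTED per-block cost figures (Ce_i, Cd_i): relative placeholders, not the
# paper's measurements. 3DES is costed as three DES passes; AES sits in between.
# Replace with profiled cycle counts from the crypto-engine under evaluation.
CYCLES_BY_CID = {1: (60.0, 60.0), 2: (80.0, 80.0), 3: (180.0, 180.0)}


@dataclass(frozen=True)
class Call:
    """Per-call slice of the decision vector x (the phenotype [Cid_i Kl_i Ps_i ...])."""
    cid: int    # Cid_i: cryptographic index, 1..3
    kl: int     # Kl_i: key length in bits (kept for the phenotype; not part of the cost model)
    cr: int     # Cr_i: codec bit rate in bit/s (G.711 = 64000)
    ps: int     # Ps_i: voice payload size in bytes
    aut: float  # aut_i(x): HMAC-SHA1 authentication/verification cost per packet (assumed constant)


def blocks_per_packet(call: Call) -> int:
    """ceil(8 * Ps_i / BS_i): cipher blocks needed to cover one voice payload."""
    _, bs = CIPHER_BY_CID[call.cid]
    return ceil(8 * call.ps / bs)


def security_overhead(call: Call) -> float:
    """Eq. (7): So_i = ceil(8Ps_i/BS_i)*Ce_i + ceil(8Ps_i/BS_i)*Cd_i + aut_i(x)."""
    ce, cd = CYCLES_BY_CID[call.cid]
    n = blocks_per_packet(call)
    return (n * ce) + (n * cd) + call.aut


def call_volume(calls) -> float:
    """Eq. (3): Cv(x) = sum over i of Cr_i / Ps_i."""
    return sum(c.cr / c.ps for c in calls)


def level_of_encryption(calls) -> float:
    """Eq. (4): current So / maximum So.

    The slides do not define "maximum"; here (assumption) it is the overhead the
    same calls would incur under the costliest admissible cipher index, so LoE is
    1.0 when every call already uses the most expensive option.
    """
    current = sum(security_overhead(c) for c in calls)
    maximum = sum(
        max(security_overhead(replace(c, cid=cid)) for cid in CIPHER_BY_CID)
        for c in calls
    )
    return current / maximum


def fitness(calls, w_cv: float = 0.5, w_loe: float = 0.5) -> float:
    """Eq. (8): weighted-sum scalarisation G = w_cv*Cv + w_LoE*LoE (0.5 each in the slides).

    Constraint (9), 0 <= W <= 1, is enforced on each weight.
    """
    for w in (w_cv, w_loe):
        if not 0.0 <= w <= 1.0:
            raise ValueError(f"weight {w} violates 0 <= W <= 1")
    return w_cv * call_volume(calls) + w_loe * level_of_encryption(calls)


def objective_to_minimise(calls, **weights) -> float:
    """The GA/ES routines minimise -G(x); this is the score they would work on."""
    return -fitness(calls, **weights)


if __name__ == "__main__":
    # Constructed scenario: a G.711 (64 kbit/s) call with AES/HMAC-SHA1, a 256-bit
    # key, an 80-byte payload and the authentication cost taken as 0.
    g711 = Call(cid=2, kl=256, cr=64_000, ps=80, aut=0.0)
    for cid in CIPHER_BY_CID:
        variant = replace(g711, cid=cid)
        print(CIPHER_BY_CID[cid][0], blocks_per_packet(variant), security_overhead(variant))
    print("G(x) for 60 such calls:", fitness([g711] * 60))
```

Note the scale mismatch the block makes visible: Cv contributes roughly 800 per G.711 call with an 80-byte payload (bit/s divided by bytes), while LoE lies in [0, 1], so with equal weights the call-volume term dominates the scalarised objective unless the weights or the units are normalised. That is the practical side of the slide's warning that the weight metrics seriously affect the extracted solutions. The R(x) ≥ 70, 5% loss and delay budgets are not modelled here because the deck gives no formula to derive them from x; they are the constraints the simulation traces are used to check.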
Constraints
$$0 \le W \le 1 \quad (9)$$
The perceived QoS from a customer's point of view must not drop below a specific threshold. The constraint demands that the majority of the users must be satisfied by the service provided, with some users dissatisfied, for the same combinations of the decision vector $x$. From practical experience this can be represented by the so-called R factor, which maps the perceived QoS as:
$$R(x) \ge 70 \quad (10)$$
An $R(x) \ge 70$ can be effectively translated to "the majority of the users satisfied with the service", which provides a good metric on the lower threshold of perceived QoS [1] to be maintained.
[1] The notion of perceived QoS has recently been assigned a new descriptor known as Quality of Experience (QoE).
Constraints (cont.)
For the accuracy of the model proposed the following assumptions are made:
In-band authentication is employed.
Each link except the access link is tied to a particular VoIP flow (call) with a given payload size and LoE based on the codec selected.
Each link can support different encryption levels.
End points (UA) can support cryptographic functions.
Transcoding during the transmission has not been investigated due to its added complexity and irrelevance to the scope.
Optimisation routines
Figure: Optimisation flowchart using GA. Figure: Optimisation flowchart using ES.
Simulation Testbed
NS-2 simulator
IPSec in transport mode
600 User Agents interconnected (VoIP endpoints)
All codecs and payloads supported
DES, 3DES, HMAC-SHA-1
Completely automated with Python scripting
10 ms propagation delay
300 simultaneous VoIP calls
Intel Xeon Quad Core (2.4 GHz) with 4 GB RAM and Linux CentOS 5.4
Simulation Process (flowchart, three phases)
Phase 1: initial configuration for G.729 (default payload, burst/idle times, rate, cipher); a Python script generates the network topology for NS-2; call the NS-2 simulator.
Phase 2: per-call output files (output call 1, output call 2, ... output call 300) are interpreted with AWK scripting; change the payload size and cipher and repeat.
Phase 3: delay traces and packet loss traces; results visualisation with MATLAB.
Results for G.711
Figure 5 illustrates the optimisation process for GA and the fitness value for each candidate solution in the selected population during the convergence process. S1 is the vector of optimised parameters from the solution space set that optimise (maximise, in this problem) the function $G(x)$ for the G.711 (64 kbps) codec. Simply put, Figure 5 illustrates the actual convergence process, whereas S1 is the optimised output vector the routine returns as the result. An interesting finding is that both algorithms converged towards the same solution S1 due to the strict size of the problem (feasible solution space set), primarily dictated by the constraint.
Figure 5: GA convergence for G.711. x-axis: Generation (0 to 30); y-axis: Fitness value (×10^6, −8 to 0). Best: −7032000.0188, Mean: −1868533.3601. Plots: fitness of each S_k, best fitness, mean fitness.
Results for G.711 (cont.)
In the case of G.711 the resulting vector is S1 = [2 256 80 60], mapped to the actual solution as represented during the problem formulation. The solution has been phenotyped as S_k = [Cid_i Kl_i Ps_i Nc_i] and both algorithms in the case of G.711 (64 kbps) have returned the numerical mappings: Cid_i = 2, corresponding to the combination AES/HMAC-SHA1; Kl_i = 256, the key length; Ps_i = 80, the payload size in bytes; and Nc_i = 60, the maximum number of calls that satisfies the constraint for the codec and network scenario given.
Conclusion
Which combination of ciphers, payloads and codecs to use is an area of serious consideration for VoIP
VoIP unavoidably suffers from the impairments that normal packet transmission can suffer
The payload size used by the codecs is significant in terms of e2e delay and packet loss rates
The crypto-engine seems to perform better with large payload sizes
Work is underway to exponentially increase the solution space set of the problem
Thank You