an optimisation scheme for ipsec enabled voip calls over unicast transmissions · 2013-02-17 · an...

An Optimisation Scheme for IPSec Enabled VoIP Calls over Unicast Transmissions

Dr Gregory Epiphaniou, CEH CSTP IPTX MBCS AHEA

Institute for Research in Applicable Computing (IRAC), Department of Computer Science and Technology, University of Bedfordshire, United Kingdom

2nd International Workshop on Recent Advances in Networking, Security and Forensics, 2012


Post on 08-Apr-2020


Outline

1 VoIP Quality of Service and Security
    Voice over IP Technology
    Secure Convergence

2 Background
    What is Quality of Service?
    Network Impairments

3 Formulating the Problem
    Decision Variables
    Model Constraints

4 Simulation Testbed

5 Results

6 Conclusion


The Big Questions Around VoIP QoS and Security

How can variable speech encoding schemes affect VoIP QoS when used in conjunction with security protocols?

What is the accurate combination of encoding schemes, ciphers and payload sizes?

How to address the tradeoffs between delay, loss, jitter buffers and packet sizes for a given VoIP service?

Is the default voice payload size for each speech compressor (coder) the accurate setting when encryption is applied?


What is Voice over IP?

Definition

The technology for delivering voice communications over IP-based networks such as the Internet or other packet-switched networks

Why VoIP?

Cost savings up to 40% on local calls and 90% on international calls

Permits multicast transmissions (conference calls)

Cheap user equipment (software/hardware)

Easy integration to existing network (best-effort) services

Mobility


Addressing the problematic areas

Security constraints may impose a serious degradation to VoIP quality

Increased end-to-end (e2e) delay due to security processing

Strong encryption cannot provide adequate QoS

Tackle the encryption penalty without degrading the call quality

Voice payload encryption, or packet encryption and encapsulation into a new packet


Addressing the problematic areas (cont.)

Proper selection of the encryption algorithm

The crypto-engine cannot favour voice traffic over normal traffic

Disproportionate ratio between the headers and the actual voice carried across the network

QoS protocols are not well suited to all security mechanisms

Tradeoffs between the crypto-engine’s throughput, e2e delay and VoIP packet size

Increased bandwidth consumption due to security mechanisms
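
The header-to-voice ratio and the bandwidth cost named in the list above can be put into numbers. The following is an added example, not part of the original slides; it assumes IPv4 without options, RTP over UDP, and ESP in transport mode with a CBC cipher and HMAC-SHA1 truncated to 96 bits, and it ignores link-layer headers.

```python
# Added example: size of one VoIP packet with and without ESP (transport mode).
IPV4, UDP, RTP = 20, 8, 12   # bytes; assumes no IPv4 options and no RTP CSRC list
ESP_HEADER = 8               # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2              # pad length (1 byte) + next header (1 byte)
ICV = 12                     # assumption: HMAC-SHA1 truncated to 96 bits
CBC_BLOCK = {"DES": 8, "3DES": 8, "AES": 16}  # block size = IV size, in bytes


def plain_packet(voice_bytes):
    """IP/UDP/RTP packet carrying voice_bytes of codec output, no IPsec."""
    return IPV4 + UDP + RTP + voice_bytes


def esp_packet(voice_bytes, cipher):
    """Same packet protected by ESP in transport mode with a CBC cipher."""
    block = CBC_BLOCK[cipher]
    # UDP, RTP, voice and the ESP trailer are encrypted together and must
    # fill a whole number of cipher blocks, so padding is added.
    protected = UDP + RTP + voice_bytes + ESP_TRAILER
    padding = (-protected) % block
    return IPV4 + ESP_HEADER + block + protected + padding + ICV


def voice_share(packet_bytes, voice_bytes):
    """Fraction of the packet that is actual voice."""
    return voice_bytes / packet_bytes


def bandwidth_bps(packet_bytes, codec_bps, voice_bytes):
    """IP-layer bandwidth of one call direction for a given payload size."""
    packets_per_second = codec_bps / (8 * voice_bytes)
    return packet_bytes * 8 * packets_per_second


def report(codec_bps, payloads, ciphers=("DES", "3DES", "AES")):
    """Rows of (payload, cipher, plain size, ESP size, voice %, ESP bit/s)."""
    rows = []
    for voice in payloads:
        for cipher in ciphers:
            size = esp_packet(voice, cipher)
            rows.append((voice, cipher, plain_packet(voice), size,
                         round(100 * voice_share(size, voice), 1),
                         bandwidth_bps(size, codec_bps, voice)))
    return rows


if __name__ == "__main__":
    # G.711 at 64 kbit/s with 80-byte and 160-byte voice payloads
    for row in report(64_000, (80, 160)):
        print(row)
```
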


The perceived QoS

Definition

Capabilities for, or the classes defined to achieve, preferential handling of different types of traffic in packet-switched networks

How can this be perceived by VoIP users?

Frequency and level of service disruption

Delay

Echo

Encryption is transparent...

What does this mean for IP-Telephony Service Providers?

Network engineering and traffic shaping for sensitive traffic

Fit security protocols into the overall QoS picture

Encryption is not a panacea


VoIP’s inheritance from best-effort networks

Jitter, delay and packet loss may impose additional challenges when it comes to VoIP

Jitter is the unwanted variation in the inter-arrival time between consecutive packets

The total packet loss rate must not exceed 5% of the total packets transmitted

The e2e delay must not exceed 120 ms for plain VoIP traffic and 200 ms for encrypted

Figure: delay components along the SENDER, NETWORK, RECEIVER path. Codec Delay, Propagation Delay, Queuing Delay, Serialisation Delay, Switching Delay, De-jitter buffer Delay and De-packetisation Delay add up to the End-to-End Delay.


Fitness Function

Definition

A performance function $G(x)$ is derived consisting of the sub-objective functions of call volume $C_v(x)$ and the Level of Encryption $LoE(x)$ for a given vector of decision variables $x$. The Call Volume $C_v(x)$ is the number of simultaneous VoIP calls into the network and the Level of Encryption $LoE(x)$ is the cipher/hashing selection for each call, for the given vector $x$. Therefore, the required function $G(x)$ to be maximised can be expressed as:

$$G(x) = [C_v(x),\ LoE(x)] \tag{1}$$

Where $x$ is a vector of the decision variables defined as:

$$x = [Cid_i,\ Kl_i,\ Cr_i,\ Ps_i,\ N_i,\ Ce_i,\ Cd_i,\ te_i,\ td_i] \tag{2}$$


Decision Variables

Table: Description of decision variables

| Decision variable | Description |
|---|---|
| $Cid_i$ | The cryptographic index for each cipher used for the ith VoIP call |
| $Kl_i$ | The key length for the ciphers used for the ith VoIP call (bits) |
| $Cr_i$ | The codec bit rate for the ith VoIP call (bit/sec) |
| $Ps_i$ | The payload size of the ith VoIP call (bytes) |
| $N_i$ | The maximum number of simultaneous VoIP calls fed into the network |
| $Ce_i$ | The processing cycles required for encryption for the ith VoIP call |
| $Cd_i$ | The processing cycles required for decryption for the ith VoIP call |
| $te_i$ | The time required to encrypt a single block of data from the ith VoIP call (sec) |
| $td_i$ | The time required to decrypt a single block of data from the ith VoIP call (sec) |


Modelling the parameters

Each VoIP call $i$ has been assigned a cryptographic index $Cid_i$ corresponding to the combination of cipher and hashing used for a particular call. The index takes integer values on a scale of 1 to 3. In this way the minimum level of security can be assured for every call. Table 2 illustrates this numerical relationship:

Table: Cryptographic index $Cid_i$ and its mapping to the encryption strength

| Cryptographic index $Cid_i$ | Corresponding ciphers |
|---|---|
| 1 | DES/HMAC-SHA1 |
| 2 | AES(128-256)/HMAC-SHA1 |
| 3 | 3DES/HMAC-SHA1 |


The mathematical expression of the call volume $C_v(x)$ from equation 1 was then further expanded as:

$$C_v(x) = \sum_{i=1}^{N_i} \frac{Cr_i}{Ps_i} \tag{3}$$

$$LoE(x) = \frac{\text{current } So_i(x)}{\text{maximum } So_i(x)} \tag{4}$$

Where $So_i(x)$ is the security overhead for the ith VoIP call, as a result of confidentiality and authentication mechanisms. The $So_i(x)$ can be further expressed as:

$$So_i(x) = te_i(x) + td_i(x) + aut_i(x) \tag{5}$$

Where $te_i(x)$ is the time required to encrypt a single block of data for the ith VoIP call, $td_i(x)$ is the time required to decrypt a single block of data for the ith VoIP call and $aut_i(x)$ is the authentication and verification time required for HMAC-SHA1 for the same VoIP call.


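Combining equations 3 to 5, equation 1 can be expressed as:

$$G(x) = \left[ \sum_{i=1}^{N_i} \frac{Cr_i}{Ps_i},\ \frac{\text{current } [te_i(x) + td_i(x) + aut_i(x)]}{\text{maximum } [te_i(x) + td_i(x) + aut_i(x)]} \right] \tag{6}$$

Based on Xenakis' mathematical model, the fitness function in equation 5 can be further expressed as:

$$So_i(x) = \left( \left\lceil \frac{8 \ast Ps_i}{Bs_i} \right\rceil \ast Ce_i \right) + \left( \left\lceil \frac{8 \ast Ps_i}{Bs_i} \right\rceil \ast Cd_i \right) + aut_i(x) \tag{7}$$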


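Using equations 6 and 7, and by employing the Weighted Sum Method, the multi-objective function under maximisation can be transformed into a single objective as:

$$\max G(x) = w_{cv} \ast \sum_{i=1}^{N_i} \frac{Cr_i}{Ps_i} + w_{LoE} \ast \frac{\text{current } \left[ \left\lceil \frac{8 \ast Ps_i}{Bs_i} \right\rceil \ast Ce_i + \left\lceil \frac{8 \ast Ps_i}{Bs_i} \right\rceil \ast Cd_i + aut_i(x) \right]}{\text{maximum } \left[ \left\lceil \frac{8 \ast Ps_i}{Bs_i} \right\rceil \ast Ce_i + \left\lceil \frac{8 \ast Ps_i}{Bs_i} \right\rceil \ast Cd_i + aut_i(x) \right]} \tag{8}$$

The maximisation problem can be effectively transformed into a minimisation problem by simply minimising the negative $G(x)$, where $Bs_i$ is the block size processed by the cipher ($Bs_i = 64$ for DES/3DES and $Bs_i = 128$ for AES).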


The Weighted Sum Method is computationally efficient and can generate a strong non-dominated solution as an initial answer to the problem. The difficulty of this method lies in selecting the appropriate weighted metrics, especially in cases where there is a lack of information about the problem.

Most researchers use a linear combination of the objectives and generate the trade-off surface by varying the weights based on the importance each objective may have to the overall calculations.

For simplicity of the analysis both objectives in the problem have been treated as equally important and have been assigned weight metrics of 0.5 each. Varying the weighted metrics can influence the way a particular objective will be favoured over the other and seriously affect the solutions extracted.


Constraints

$$0 \le W \le 1 \tag{9}$$

The perceived QoS from a customer point of view must be kept under a specific threshold. The constraint demands that the majority of the users must be satisfied by the service provided with some users dissatisfied for the same combinations of decision vector $x$. From practical experience this can be represented by the so-called R factor, which represents the mapping values for the perceived QoS as:

$$R(x) \ge 70 \tag{10}$$

An $R(x) \ge 70$ can be effectively translated to “the majority of the users satisfied with the service”, which provides a good metric on the lower threshold of perceived QoS [1] to be maintained.

[1] The notion of perceived QoS has recently been assigned a new descriptor known as the Quality of Experience (QoE).


Constraints (Cont.)

For the accuracy of the model proposed the following assumptions are made:

Authentication in band is employed.

Each link except the access link is linked to a particular VoIP flow (call) with a given payload size and LoE based on the codec selected.

Each link can support different encryption levels.

End points (UA) can support cryptographic functions.

Transcoding during the transmission has not been investigated due to its added complexity and irrelevance to the scope.
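
Equations 3, 7 and 8 evaluated over a small candidate set, as an added example that is not the author's code. The per-block cycle counts, the HMAC cost, the candidate payload sizes and the `feasible` hook (a stand-in for the R(x) ≥ 70 constraint, whose formula the slides do not give) are assumptions, and "maximum So" is taken over the candidate set.

```python
# Added example: equations 3, 7 and 8 evaluated over a small candidate set.
BLOCK_BITS = {1: 64, 2: 128, 3: 64}   # Bs_i per Cid_i: DES, AES, 3DES (from the page)
# CONSTRUCTED costs, not measurements: (Ce, Cd) cycles per block for each Cid_i.
CYCLES_PER_BLOCK = {1: (400, 400), 2: (300, 300), 3: (1200, 1200)}
AUT_CYCLES = 500                      # CONSTRUCTED HMAC-SHA1 cost per packet


def blocks(ps_bytes, cid):
    """ceil(8 * Ps_i / Bs_i): cipher blocks needed for one voice payload."""
    bs = BLOCK_BITS[cid]
    return (8 * ps_bytes + bs - 1) // bs


def security_overhead(cid, ps_bytes):
    """Equation 7: So_i = blocks * Ce_i + blocks * Cd_i + aut_i (in cycles)."""
    ce, cd = CYCLES_PER_BLOCK[cid]
    n = blocks(ps_bytes, cid)
    return n * ce + n * cd + AUT_CYCLES


def call_volume(n_calls, cr_bps, ps_bytes):
    """Equation 3 for n_calls identical calls: sum of Cr_i / Ps_i."""
    return n_calls * cr_bps / ps_bytes


def fitness(cid, ps_bytes, n_calls, cr_bps, so_max, w_cv=0.5, w_loe=0.5):
    """Equation 8: w_cv * Cv(x) + w_LoE * current So / maximum So."""
    loe = security_overhead(cid, ps_bytes) / so_max
    return w_cv * call_volume(n_calls, cr_bps, ps_bytes) + w_loe * loe


def best(candidates, n_calls, cr_bps, w_cv=0.5, w_loe=0.5,
         feasible=lambda cid, ps: True):
    """Exhaustive search; `feasible` is a hypothetical hook for R(x) >= 70."""
    so_max = max(security_overhead(c, p) for c, p in candidates)
    allowed = [cp for cp in candidates if feasible(*cp)]
    return max(allowed, key=lambda cp: fitness(cp[0], cp[1], n_calls, cr_bps,
                                               so_max, w_cv, w_loe))


# CONSTRUCTED candidate set: every cryptographic index at three payload sizes.
CANDIDATES = [(cid, ps) for cid in (1, 2, 3) for ps in (20, 80, 160)]

if __name__ == "__main__":
    for cid, ps in CANDIDATES:
        so = security_overhead(cid, ps)
        print(f"Cid={cid} Ps={ps:3d}  So={so:6d} cycles  So/byte={so / ps:7.2f}")
    print("equal weights:", best(CANDIDATES, 60, 64_000))
    print("LoE only     :", best(CANDIDATES, 60, 64_000, w_cv=0.0, w_loe=1.0))
```

With these inputs the call-volume term is in the tens of thousands while LoE never exceeds 1, so at equal weights the result is decided by Cv and by whatever the constraint allows.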


Optimisation routines

Figure: Optimisation Flowchart using GA

Figure: Optimisation Flowchart using ES


Simulation Testbed

NS-2 simulator

IPSec in transport mode

600 User Agents interconnected (VoIP endpoints)

All codecs and payloads supported

DES, 3DES, HMAC-SHA-1

Completely automated with Python scripting

10 ms propagation delay

300 simultaneous VoIP calls

Intel Xeon Quad Core (2.4 GHz) with 4 GB RAM and a Linux CentOS 5.4

Figure: Simulation Process (Phases 1 to 3). Steps shown: initial configuration for G.729 (default payload, burst-idle times, rate, cipher); Python script that generates the network topology for NS-2; call the NS2 simulator; change payload size and cipher; output for calls 1, 2, ..., 300 (delay traces, packet loss traces); AWK scripting to interpret the simulation output files; results visualisation with MATLAB.


Results for G.711

Figure 5 illustrates the optimisation process for GA and the fitness value for each candidate solution in the selected population during the convergence process. $S_1$ is the vector of the optimised parameters from the solution space set that optimise (maximise in that problem) the $G(x)$ function for the G.711 (64 kbps) codec. Simply put, Figure 5 illustrates the actual convergence process whereas $S_1$ is the (optimised) output vector the routine returns as the result. An interesting finding is that both algorithms converged towards the same solution $S_1$ due to the strict size of the problem (feasible solution space set) primarily dictated by the constraint.

Figure 5: Fitness of each $S_k$. Best fitness and mean fitness value (×10^6) against generation (0 to 30). Best: −7032000.0188, Mean: −1868533.3601.


Results of G711 (Cont.)

In the case of G.711 the resulting vector is $S_1 = [2\ 256\ 80\ 60]$, mapped to the actual solution as represented during the problem formulation. The solution has been phenotyped as $S_k = [Cid_i\ Kl_i\ Ps_i\ Nc_i]$ and both algorithms in the case of G.711 (64 kbps) have returned the numerical mappings: $Cid_i = 2$, corresponding to the combination of AES/HMAC-SHA1; $Kl_i = 256$, the key length; $Ps_i = 80$, the payload size in bytes; and $Nc_i = 60$, the maximum number of calls that satisfies the constraint for the codec and network scenario given.


Conclusion

Which combination of ciphers, payloads and codecs to use is an area of serious consideration for VoIP

VoIP unavoidably suffers from the impairments normal packet transmission can suffer

The payload size used by the codecs is significant in terms of e2e delay and packet loss rates

The crypto-engine seems to perform better with large payload sizes

Work is underway to exponentially increase the solution space set of the problem


Thank You
