VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS


VOICE OVER IP (VOIP) TO ENTERPRISE USERS
GIOTIS KONSTANTINOS
Master of Science in Networking and Data Communications
THESIS

Thesis Title: Voice over IP (VoIP) to Enterprise Users
Dissertation submitted for the Degree of Master of Science in Networking and Data Communications
By GIOTIS KONSTANTINOS
SUPERVISOR: Dr. PAPADAKIS ANDREAS
KINGSTON UNIVERSITY, FACULTY OF COMPUTING, INFORMATION SYSTEMS & MATHEMATICS
TEI OF PIRAEUS, DEPARTMENTS OF ELECTRONICS AND AUTOMATION
JANUARY

Abstract

This dissertation introduces VoIP technology. The architecture, components and operation of H.323 and SIP are analysed. The goal is to study VoIP and understand how it works. Security is also a concern here, including attacks, security mechanisms and how much protection they can offer. Quality of Service is an important aspect of this technology and is also analysed, along with the impact that security has on it, and countermeasures are presented. The technologies (such as ATM and Frame Relay) and mechanisms that providers use to deliver QoS are also presented. In the last part, a case study using OPNET IT Guru Academic Edition helps to understand the technology by simulating an enterprise implementing VoIP. Security and QoS mechanisms, along with ATM and Frame Relay technologies, are tested.

Acknowledgements

I would like to thank my supervisor Dr. Papadakis Andreas for his help and guidance through this Thesis. He was there to support me despite his heavy schedule. I also want to thank my professors in this master, Dr. Adamopoulos Dionysios, Dr. Kardaras Dimitrios, Dr. Katopodis Harilaos, Dr. Maniatis Sotirios, Dr. Nikolozou Eugenia, Dr. Pikrammenos Ioannis and Dr. Savvaidis Stylianos. They made this program easier with their teachings. Finally, I would like to dedicate this Thesis to Bill and Maria for their support all these years.

Table of Contents

ABSTRACT
INTRODUCTION
CHAPTER 1: VOIP PROTOCOLS
  H.323 Overview
  H.323 Features
  H.323 Advantages
  H.323 Components
  H.323 Protocol Suite
  SIP Overview
  SIP Structure
  Call Establishment
  SIP Implementations
CHAPTER 2: VOIP SECURITY
  Attacks on VoIP
  Security Measures
  H.323 Security
  H.323 Security Issues
  SIP Security
  SIP Security Issues
  Solution to the NAT problem
CHAPTER 3: QUALITY OF SERVICE (QOS) IN VOIP
  Latency
  3.2 Jitter
  Packet Loss
  Bandwidth and Speed
  Security impact in QoS
  QoS in Providers networks
  ATM QoS Mechanisms
  Frame Relay QoS Mechanisms
CHAPTER 4: CASE STUDY
  The Scenario
  The Enterprise structure
  The Simulation
CONCLUSION
REFERENCES
GLOSSARY

Table of Figures

Figure 1: H.323 Architecture
Figure 2: H.323 Call Establishment
Figure 3: H.245 Control Signaling
Figure 4: SIP Architecture
Figure 5: Call Setup in SIP
Figure 6: The Enterprise
Figure 7: The Corporate Site
Figure 8: The Remote Site
Figure 9: Configured Services
Figure 10: Configured Profiles
Figure 11: Supported Profiles
Figure 12: Destination Server
Figure 13: DB response time (sec)
Figure 14: Http page response time (sec)
Figure 15: download time (sec)
Figure 16: Configured IP Telephony
Figure 17: VoIP Profile Configuration
Figure 18: Corporate Site
Figure 19: DB response time (sec)
Figure 20: Http page response time (sec)
Figure 21: download time (sec)
Figure 22: Voice end-to-end delay (sec)
Figure 23: Time Response (sec) DB, ,Http
Figure 24: Voice end-to-end delay (sec)
Figure 25: Queuing delay in ISDN lines (sec)
Figure 26: Utilization of ISDN lines
Figure 27: G.729 Encoding scheme
Figure 28: TLS Configuration
Figure 29: Time Response (sec) DB, ,Http
Figure 30: Voice end-to-end delay (sec)
Figure 31: Queuing delay in PPP lines (sec)
Figure 32: Utilization of PPP lines (sec)
Figure 33: ATM QoS Parameters
Figure 34: Frame Relay QoS Parameters
Figure 35: Time Responses with ATM (sec)
Figure 36: Voice end-to-end delay with ATM (sec)
Figure 37: Time Response with FR (sec)
Figure 38: Voice end-to-end delay with FR (sec)

Introduction

VoIP was designed to carry human voice conversation over data networks such as LANs, WANs and the Internet. With this technology the existing data networks can be used to transfer voice data instead of the traditional Public Switched Telephone Network (PSTN). The technology has many advantages, which follow from the rapid growth of data networks. Benefits of Voice over IP (VoIP) in comparison with the PSTN include:

- Cost savings
- Infrastructure savings
- New applications (such as voice mail, video conferencing etc.)

The basic protocols on which the technology relies are H.323 and SIP.

H.323 is the protocol proposed by the ITU (International Telecommunication Union) for VoIP. H.323's strength lies in its ability to support multiple implementations, ranging from single voice and video transmission to simultaneous multiple transmissions (conferencing), along with its compatibility with other networks such as the PSTN when needed. This protocol also provides the means to conserve bandwidth and network resources, because voice and particularly video can affect the performance of the network when they are present.

SIP (Session Initiation Protocol) is the IETF recommendation for VoIP and was developed as a media based protocol. The features that made SIP so successful are that it is very easy to implement, scalable and adaptable. SIP also provides encryption and authentication for protecting the transmission from attacks.

To support the VoIP load between high-speed LANs and WANs, ISPs use Frame Relay or ATM in their networks as the preferred link level protocols.

Frame Relay is a popular solution for ISPs. Service providers use this technology in their core network to provide high-speed connections between the various LANs and WANs at reasonable cost. With Frame Relay the users transmit data traffic through permanent virtual circuits (PVCs), which provide access at any time without the high cost of a leased line. Depending on the importance of the data to be transmitted, customers choose the level of QoS that they want and pay based on this level.

Another solution adopted by service providers for their core network is asynchronous transfer mode (ATM). This technology also gives users access to permanent connections, which are set up in hardware, a feature that provides fast connections and speeds up to 10Gbps. ATM is designed for real time video and voice transmission, all simultaneously. The ATM architecture uses switches that organise logical circuits, which ensure incredible quality of service (QoS).

The aim of this dissertation is to study VoIP and understand how it works. Another goal is to see how this technology can be used by enterprises (user requirements, architectures, services, QoS) and how ISPs can support it. A medium size enterprise scenario will be presented (features, requirements) and simulated in order to see how VoIP performs and to what degree the services of the enterprise can be affected. In order to perform this case study I will use OPNET IT Guru Academic Edition

Chapter 1: VoIP Protocols

H.323 Overview

The H.323 protocol is actually a suite of protocols combined to support all kinds of data communication, especially voice and video, through the existing data networks. The H.323 suite was developed and proposed by the ITU-T as a solution for voice and video transmission. The main advantage of this protocol is that it was designed to work over the transport layer of the OSI model. This design made H.323 efficient to use on most of the existing data networks, since the OSI model acts as a reference point. Examples of such networks are LANs, MANs, WANs [9] and of course the internet. From the above I can conclude that the compatibility of H.323 contributed to its rapid growth and made its implementation popular.

The ITU-T has released many protocols based on the type of network and traffic that needed to be supported. Such releases are H.310, H.320, H.321, H.322 and H.324 [15]. Each of these protocols was designed to work with one type of network. For example, H.310 and H.320 were intended for ISDN, H.321 was developed for ATM and H.322 for LANs. Finally, H.324 was designed to work over the PSTN. All these protocols function without problems until they need to communicate with protocols other than themselves. The main reason for releasing the H.323 protocol was interoperability [1]. With H.323, users on different types of network could communicate without considerable problems. This was the great success of the H.323 protocol.

1.2 H.323 Features

H.323 allows for voice and video communication between two or more users through the same or different data networks, without focusing entirely on quality of service (QoS). Because it is designed as a suite of protocols, H.323 can support various features such as the following:

- Point-to-point and multipoint conferencing support: Through H.323, simultaneous multiple transmissions between more than two users can be achieved without using extra hardware or software. Even when such units are used, like a multipoint control unit (MCU) [14], H.323 can decentralize the conference so that the users are able to choose which participants to connect to. This feature introduces flexibility into the communication.
- Audio and video codecs: The H.323 recommendation [15] specifies the audio and video codecs that are essential for conferencing. However, H.323 does not restrict the use of other types of codecs, regardless of their efficiency. The only restriction is that the codecs the participants agree on must be supported by all of them.
- Management and accounting support: H.323 allows for better management of the calls and the network resources. With this protocol, policies such as call and time restrictions can also be applied. The network can therefore be administered easily, and adequate information is available for accounting services such as billing.
- Security: Another important feature of H.323 is the security it offers to the participants through measures such as encryption and authentication.

- Additional services: Last but not least, the ITU-T developed H.323 with an eye to the future because of the rapid growth of multimedia communications through data networks. Thanks to its design, H.323 can easily be adapted to future technologies by adding features. This gives the protocol a great advantage.

1.3 H.323 Advantages

In recent years data networks such as the internet and local area networks have grown rapidly and new technologies are constantly being developed. Corporations, and also individual users, take advantage of the existing data networks for multimedia communications instead of using the traditional telephone network. This explosive growth of multimedia made it necessary to develop a broad and flexible standard such as H.323 [2] [6].

- Flexibility: H.323 provides many services, and for this reason it can be the solution for the simple user, for the company and also in the area of entertainment, with the same efficiency. As new technologies are constantly introduced in multimedia communications, this flexibility allows H.323 to adapt with no significant effort.
- Standardization: At first, faced with the rapid growth of multimedia communications, many companies designed hardware based on proprietary protocols. The effect was malfunction when products from different companies had to communicate with each other. Because of the design of H.323 and its popularity, most vendors based their products on it, an important factor which in turn led to the protocol being adopted at an even higher rate as a solution for multimedia communications.
- Internetworking: As mentioned earlier, the success of H.323 is based on its ability to support interoperability between traditional networks (SCN) and data networks [5]. Users in those different networks can communicate with H.323 users by adopting the appropriate protocol based on the network's underlying technology [15]. This also

allows companies to easily upgrade from a traditional network to a data network without encountering serious problems.

- Integrated services: The H.323 standard provides, among others, the framework for expanding its support for additional features like , fax, voice mail, even acting as a call center. A few services have already been integrated in the H.450x protocol (such as call transfer and call forwarding). Other services could be added in the future based on the needs of each enterprise. This is the source of H.323's popularity and strength. It was designed to be flexible and adaptable to future technologies by using its integration ability.

1.4 H.323 Components

The H.323 suite of protocols describes the elements the protocol needs in order to provide multiple simultaneous multimedia connections. These elements are very important and, properly used, can boost the efficiency of H.323. The elements can be divided into four categories [7] [15]:

1. Terminals
2. Gateways
3. Gatekeepers
4. Multipoint control units (MCUs)

Terminals

As H.323 defines it, the terminal [14] is the element that makes real time two way communication possible between the units of the network, which could be another terminal, a gateway or a multipoint control unit. Traffic between those units can consist of audio, video (for example moving colour pictures) or data. By design, terminals must provide at least voice capability, supporting the G.711 audio codec, while data and video are not compulsory. Based on the protocol each terminal must provide:

- H.245, in order to communicate their capabilities and establish channels
- H.225 for call synchronization and establishment
- RAS for resource allocation, admission control and status information
- RTP/RTCP for time stamps, sequence numbers and feedback

Gateways

The gateway [14] is an optional component, as defined by the H.323 recommendation, that acts as an intermediate unit for connectivity with endpoints in different networks (for example, between traditional and data networks). Because of this, gateways are not needed when calls are established between endpoints in the same network. Apart from the translation, gateways can establish or tear down connections on both data networks and switched circuit networks, which makes this element essential for interoperability between different networks. Generally, the role of this element can be thought of as a bridge between users in different networks. An endpoint can send and receive data using different gateways. This characteristic introduces flexibility in the network.

Gatekeepers

A gatekeeper [14], like a gateway, is not compulsory under the H.323 recommendation; nevertheless it provides the H.323 endpoints with call control services. This H.323 element acts as the coordinator of the network operation. Therefore, when these elements are present in the H.323 network, the clients are forced to use the services that the gatekeepers offer. Under the recommendation more than one gatekeeper can be used, and they can cooperate with each other for maximum results. According to the H.323 protocol, gatekeepers must also support:

- authorization and authentication
- resource allocation, accounting, billing
- call routing services

Multipoint Control Units

As its name implies, the MCU [14] is the H.323 element that allows more than two users to communicate simultaneously, providing the conference feature of the H.323 protocol. The MCU may establish a point to point connection, but if needed it can upgrade it to multipoint without having to tear down the connection. This operation is what makes the MCU so important for H.323. The MCU also allocates resources for the conference, negotiates between the terminals so that they agree on the audio or video coder/decoder and, in some cases, if needed, takes charge of the media stream.

Figure 1: H.323 Architecture

All four categories of H.323 elements are considered discrete units, but the H.323 recommendation does not restrict the combination of these characteristics into a single unit, something many vendors take advantage of in order to develop multifunction products.

1.5 H.323 Protocol Suite

The H.323 protocol is actually a suite of protocols combined to support all kinds of data communication, such as voice and video, through the existing data networks. H.323 was designed to work over the transport layer, so it can be applied independently of the underlying network. The H.323 suite consists of the following [15] [7]:

- audio codecs
- video codecs
- H.225 registration, admission, status
- H.225 call signalling
- H.245 control signalling
- H.235 security protocol
- Real time transfer protocol (RTP)
- Real time control protocol (RTCP)

Audio CODEC

An audio CODEC on the transmitting H.323 terminal encodes the audio signal detected by the microphone for transmission from the source to the destination terminal, where it is decoded and reproduced by the speaker. Because audio is the basic and most common service required by the H.323 protocol, the terminals in an H.323 network are obliged to provide at least one audio CODEC, as recommended by the G.711 release. Depending on current needs, additional codecs may be used according to the ITU-T releases.

Video CODEC

A video CODEC on the transmitting H.323 terminal encodes video from a camera for transmission from the source to the destination terminal, where it is decoded and sent to the video display. Because, as defined by the ITU-T recommendation, providing video is not compulsory, the use of video codecs is also

optional. Nevertheless, if the H.323 terminal is to support video conferencing it must first of all provide video encoding and decoding based on the H.261 recommendation [16].

Registration, Admission, and Status

H.225 [15] is the protocol that H.323 network elements use to communicate with each other. This communication includes network resource status, connection information, and registration and admission status. H.225 creates a separate, independent connection which must be established before other operations can take place. It has a very important function, because all the feedback of the H.323 network can be communicated by this protocol.

Call Control Signalling

When users in the H.323 network need to communicate, the H.225 protocol is used for call setup. This is accomplished by exchanging messages defined by the H.225 protocol. So that these messages can be exchanged without problems, H.225 uses a separate channel which can be established between all the H.323 components.

Figure 2: H.323 Call Establishment

Figure 2 shows the call setup in H.323. First the source endpoint sends an ARQ message to the gatekeeper requesting to connect with the destination endpoint, indicating the required bandwidth and the destination endpoint's name. The gatekeeper responds with bandwidth requirements and transport address. Then the source endpoint

sends a setup message to the transport address (destination). The destination replies with call proceeding (if it accepts the call) or with release complete. The destination then requests requirements from the gatekeeper and, if it acquires them, alerts the source and sends a connect message to complete the setup.

Control Signalling

H.245 [5] [6] plays an important role in the H.323 network because it is used to transfer control messages between the network's components, along with essential information about the connections. The overall operation of H.245 covers the following:

- Exchange capabilities
- Setup and tear down of channels
- Flow control messages
- Connection information

Figure 3: H.245 Control Signaling

Figure 3 shows the operation of H.245. The source sends its transport address and capabilities to the destination (TerminalCapabilitiesSet). The destination acknowledges the received message (TerminalCapabilitiesSetAck) and sends its own capabilities (TerminalCapabilitiesSet). When the source acknowledges this last message, the H.245 channel has been established. The source then sends a request to open a logical channel (OpenLogicalChannel), along with the type of data and the transport address. The destination responds with the same kind of request and an acknowledgement when it is ready to receive data. After it receives that message, the source can start sending data through the channel.

Security protocol

The H.235 [17] security protocol is used to secure procedures such as control, signalling, multimedia communication and data conferencing (audio, video). It is the heart of the H.323 security mechanism. It will be described in more depth in chapter 3.

Real time Transport Protocol

The Real time Transport Protocol (RTP) [7] is used when time sensitive data such as voice and video must be transmitted in real time. This kind of data is carried over the UDP transport layer protocol. The problem with UDP is that it does not guarantee that data will reach the destination in time or intact. For this reason RTP adopts several features such as sequence numbers, time stamps and checksum computation. An advantage of RTP is that it can work with transport layer protocols other than UDP.

Real Time Transport Control Protocol

RTP and RTCP [7] are almost identical in their operation, except for the data that they have to transfer. Just as RTP is responsible for transmitting real time voice and video, RTCP is intended to transmit control information. It is very important for the operation of the H.323 network because of the feedback it provides, which lets the network elements adjust to the condition of the network.
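How a receiver can use the RTP sequence numbers and time stamps mentioned above to notice lost or late packets, as an added example that is not part of the original thesis. The 12-byte fixed header layout is the standard one from RFC 3550; the names `parse_rtp_header`, `StreamMonitor`, `build_rtp` and `analyse`, and the sample packets, are constructed for illustration.

```python
import struct
from dataclasses import dataclass

RTP_VERSION = 2
HEADER_LEN = 12  # fixed RTP header, before any CSRC entries


@dataclass
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    csrc_count: int
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int


def parse_rtp_header(packet: bytes) -> RtpHeader:
    """Decode the fixed RTP header and reject packets that cannot be RTP v2."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:HEADER_LEN])
    if b0 >> 6 != RTP_VERSION:
        raise ValueError("unexpected RTP version")
    csrc_count = b0 & 0x0F
    if len(packet) < HEADER_LEN + 4 * csrc_count:
        raise ValueError("truncated CSRC list")
    return RtpHeader(b0 >> 6, bool(b0 & 0x20), bool(b0 & 0x10), csrc_count,
                     bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc)


class StreamMonitor:
    """Tracks one stream (one SSRC) and counts gaps and late packets."""

    def __init__(self):
        self.expected = None  # next sequence number we expect to see
        self.received = 0
        self.lost = 0         # packets skipped over; a late arrival does not reduce it
        self.late = 0         # packets that arrive behind the expected number

    def observe(self, header: RtpHeader) -> str:
        self.received += 1
        if self.expected is None:
            self.expected = (header.sequence + 1) & 0xFFFF
            return "first"
        # 16-bit modular distance, so the 65535 -> 0 wrap is not reported as loss
        delta = (header.sequence - self.expected) & 0xFFFF
        if delta >= 0x8000:
            self.late += 1
            return "late-or-duplicate"
        self.lost += delta
        self.expected = (header.sequence + 1) & 0xFFFF
        return "in-order" if delta == 0 else "gap"


def build_rtp(sequence, timestamp, ssrc, payload_type=0, payload=b"\x00" * 160):
    """Build a constructed RTP packet: version 2, no padding, extension or CSRC."""
    header = struct.pack("!BBHII", RTP_VERSION << 6, payload_type & 0x7F,
                         sequence & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)
    return header + payload


def analyse(packets):
    """Return ({ssrc: StreamMonitor}, [verdict per packet]) for captured packets."""
    monitors, verdicts = {}, []
    for packet in packets:
        header = parse_rtp_header(packet)
        monitor = monitors.setdefault(header.ssrc, StreamMonitor())
        verdicts.append(monitor.observe(header))
    return monitors, verdicts


# Constructed sample: payload type 0 (G.711 mu-law), 160 samples per packet,
# sequence numbers wrapping past 65535, two packets lost and one arriving late.
SAMPLE_SEQUENCES = [65533, 65534, 65535, 0, 1, 4, 3, 5]
SAMPLE_PACKETS = [
    build_rtp(seq, ((seq - 65533) & 0xFFFF) * 160, ssrc=0x1234ABCD)
    for seq in SAMPLE_SEQUENCES
]

if __name__ == "__main__":
    streams, results = analyse(SAMPLE_PACKETS)
    for ssrc, mon in streams.items():
        print(hex(ssrc), "received", mon.received, "lost", mon.lost, "late", mon.late)
    print(results)
```
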

SIP (Session Initiation Protocol)

1.6 SIP Overview

Another solution for real time multimedia communication was introduced by the IETF and is known as the Session Initiation Protocol (SIP) [1] [3]. Although this standard came after the successful H.323 protocol, it managed to be accepted worldwide as a VoIP protocol. Its strength is based on its function and simplicity; it was designed to work over the application layer of the OSI model [9]. This design made SIP efficient to use on most of the existing data networks, since all these networks are based on the OSI model. Examples of such networks are LANs, MANs, WANs and of course the internet. Some of the features of SIP are described below:

- SIP maintains detailed tables with information about the network, such as addresses and names, in order to set up calls quickly with any user in the network.
- One of the key features of SIP is the Session Description Protocol (SDP) [7], which allows SIP to find out what types of media the involved parties can support. SDP ensures that the participants in a conference have no compatibility issues. Based on the information that SDP provides, SIP establishes the connection only when all the participants can support the media, saving network resources.
- Another capability of SIP is that it lets the user who initiates the call know whether or not the destination is available, for any reason, before the connection is established. With this feature SIP frees the network from unnecessary connections which could consume bandwidth and network resources.
- SIP can also alter connections without having to tear them down. Call forwarding and redirection are examples of such management. SIP can provide

these services without users experiencing any changes in their status. This feature can be especially useful for conferences, which become more flexible because SIP can add or remove parties without the remaining participants having to stop the communication.

1.7 SIP Structure

The SIP protocol describes two main elements for the network [7], the user agent and the network server:

- SIP User Agents (UAs) can be considered the endpoints of the network. Both hardware and software devices implementing SIP (such as an IP phone) can be considered user agents. A UA consists of two basic components:
  o User Agent Client (UAC): the component that initiates the call.
  o User Agent Server (UAS): the component that serves the call.
- The SIP Network Server is responsible for managing signalling and call establishment. It maintains detailed tables with information about the network, such as addresses and names, in order to achieve call setup. Three types of such servers exist:
  o SIP Register Server. The role of a register server is to build a map of the network, based on the user registrations, of addresses and other related information such as domains. With these mappings SIP is able to establish connections between all the users of the network. This information can be exchanged between the servers for redundancy and faster access.

  o SIP Proxy Server. To be sure that call requests will reach their destination, SIP uses the nearest proxy to forward these requests to other proxies across the network, creating a search tree which ensures that the requests will not be lost. Proxy servers can be divided, based on their operation, into stateless and stateful. In stateless operation the server does not maintain any information once the call request is sent; in stateful operation proxies keep knowledge of past requests in order to achieve faster call setup.
  o SIP Redirect Server. When a SIP user wants to make a call but the destination address is unknown, this type of server redirects the user to try another server which might have, or know where to find, the specified destination address.

Figure 4: SIP Architecture

1.8 Call Establishment

For SIP to establish a call, the following messages [1] [7] are exchanged between the network elements:

- INVITE: This message starts a connection.
- ACK: This type of message confirms a connection as a reply to INVITE.
- BYE: Is used to terminate a connection.
- CANCEL: Cancels an INVITE request.
- OPTIONS: For exchanging capabilities.
- REGISTER: The message is used for address allocation.

Figure 5: Call Setup in SIP

To establish a connection in a SIP network, the user that initiates the call transmits an INVITE message to the redirect server to acquire the destination address. The next step is for the redirect server to connect to the register server and acquire the destination address from its database. The redirect server then transmits the address back to the user, which acknowledges its receipt. Using the destination address, the user is able to continue the call establishment by transmitting a call request to the recipient which

responds to this request. When the caller receives this response it transmits an acknowledgement. After the connection is established, RTP [7] takes over the transmission of data. When the transmission of data is over, the called user sends a BYE message to terminate the connection and the caller acknowledges this message.

1.9 SIP Implementations

One of the main reasons for the popularity and wide acceptance of SIP is that it can be applied as a solution in several cases. Its flexible design makes it ideal for adoption in devices such as IP phones, media gateways, internet call centers and application servers. These implementations [3] are described in more depth below.

- Unified Communications: Besides the flexibility that the SIP protocol provides for its connections, it can also be used to unify many components and features into a single application. For example, when SIP is used, web interfaces can have multiple implementations by using multimedia plug-ins along with extended capabilities for managing profiles and connections. Existing URL and DNS [9] services are also integrated for maximum compatibility.
- Unified Messaging: With this implementation the users are freed from using several different devices, each for a different use and application. For example, with this feature telephony, , fax and other communication technologies can be integrated into a single portable device that allows the user to be more flexible.
- Directory Services: This feature gives the administrator complete knowledge of the network's resources and devices (such as printers, PCs, servers and other network elements). This database can be configured to be accessible to any user in the network who wants to find a certain device according to the services that user wants to use. Finally, by using this database the administrator can apply policies based on time and rights restrictions.

- IP-PBX functionality: The PBX (Private Branch Exchange) [5] implementation is another important feature, which allows enterprises to use this technology for their corporate network. It also allows companies to migrate from traditional technologies to VoIP without compatibility or interoperability issues.
- Mobile phones / PDAs: Because of its simplicity, and because it has few requirements in order to work, SIP is the ideal solution for mobile devices. The user can perform the same actions with these devices as with traditional equipment. Especially when SIP is combined with mobile devices that support wireless access to data networks, it gives users access to even more services. This portability made the protocol very popular, and it is used by many vendors that design products not only for professional use but also for simple users.
- Desktop Call Management: As its name implies, this feature allows multimedia services to be managed through other computer applications. It is a very important feature because it allows vendors to take advantage of existing popular applications to integrate the SIP protocol. This helps users adapt faster to the technology, since it can be accessed through well known programs.
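The message exchange of section 1.8 (INVITE, response, ACK, then BYE), followed by a passive monitor that checks each ACK, CANCEL and BYE against the call it claims to belong to. This is an added example, not code from the thesis; it simplifies the flow to a direct caller and callee, and the names `parse_sip`, `CallTracker`, `sip`, `run_trace` and every address in the trace are constructed.

```python
from dataclasses import dataclass


@dataclass
class SipMessage:
    is_request: bool
    method: str   # request method, or the method named in CSeq for a response
    status: int   # response status code, 0 for requests
    call_id: str


def parse_sip(raw: str) -> SipMessage:
    """Parse the start line, Call-ID and CSeq of one SIP message."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "call-id" not in headers or "cseq" not in headers:
        raise ValueError("missing Call-ID or CSeq header")
    cseq = headers["cseq"].split()
    if len(cseq) != 2:
        raise ValueError("malformed CSeq header")
    if start[0] == "SIP/2.0" and len(start) >= 2 and start[1].isdigit():
        return SipMessage(False, cseq[1], int(start[1]), headers["call-id"])
    if len(start) == 3 and start[2] == "SIP/2.0":
        return SipMessage(True, start[0], 0, headers["call-id"])
    raise ValueError("not a SIP start line")


class CallTracker:
    """Follows each call by Call-ID and records requests that do not fit it."""

    # request -> (state it is valid in, state it leads to)
    TRANSITIONS = {"ACK": ("answered", "established"),
                   "CANCEL": ("inviting", "cancelled"),
                   "BYE": ("established", "terminated")}

    def __init__(self):
        self.calls = {}    # Call-ID -> {"state": str, "parties": set of addresses}
        self.alerts = []   # (source, method, Call-ID, reason)

    def feed(self, source: str, raw: str) -> None:
        msg = parse_sip(raw)
        call = self.calls.get(msg.call_id)
        if call is None:
            if msg.is_request and msg.method == "INVITE":
                self.calls[msg.call_id] = {"state": "inviting", "parties": {source}}
            else:
                self.alerts.append((source, msg.method, msg.call_id,
                                    "no INVITE seen for this call"))
            return
        if not msg.is_request:
            if msg.method == "INVITE" and call["state"] == "inviting":
                # Simplification: whoever answers the INVITE is taken as the callee.
                call["parties"].add(source)
                if 200 <= msg.status < 300:
                    call["state"] = "answered"
                elif msg.status >= 300:
                    call["state"] = "failed"
            return
        if msg.method not in self.TRANSITIONS:
            return
        valid_in, leads_to = self.TRANSITIONS[msg.method]
        if source not in call["parties"]:
            reason = "sender is not a party to the call"
        elif call["state"] != valid_in:
            reason = "unexpected in state " + call["state"]
        else:
            call["state"] = leads_to
            return
        self.alerts.append((source, msg.method, msg.call_id, reason))


def sip(start_line, call_id, cseq):
    """Build a minimal constructed SIP message with only the headers used here."""
    return f"{start_line}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n"


# Constructed trace of (source address, message); all addresses are documentation ranges.
CONSTRUCTED_TRACE = [
    ("192.0.2.10", sip("INVITE sip:bob@example.test SIP/2.0", "a1@example.test", "1 INVITE")),
    ("192.0.2.20", sip("SIP/2.0 180 Ringing", "a1@example.test", "1 INVITE")),
    ("192.0.2.20", sip("SIP/2.0 200 OK", "a1@example.test", "1 INVITE")),
    ("192.0.2.10", sip("ACK sip:bob@example.test SIP/2.0", "a1@example.test", "1 ACK")),
    ("203.0.113.5", sip("BYE sip:bob@example.test SIP/2.0", "a1@example.test", "2 BYE")),
    ("192.0.2.20", sip("BYE sip:alice@example.test SIP/2.0", "a1@example.test", "2 BYE")),
    ("203.0.113.5", sip("CANCEL sip:carol@example.test SIP/2.0", "zz@example.test", "1 CANCEL")),
]


def run_trace(trace):
    tracker = CallTracker()
    for source, raw in trace:
        tracker.feed(source, raw)
    return tracker


if __name__ == "__main__":
    result = run_trace(CONSTRUCTED_TRACE)
    print(result.calls)
    for alert in result.alerts:
        print("ALERT", alert)
```
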

Chapter 2: VoIP Security

Voice over IP technology allows existing data networks to take over voice calls, which offers increased features and productivity along with significant cost savings. All these advantages make the technology very attractive, but it has a disadvantage, which is the attacks on these networks. Data networks suffer from hacker attacks, which have many ways to steal or alter data. The existing security mechanisms that protect these networks efficiently cannot be used, at least in their current form, when VoIP is used. Many issues, such as types of attack and security, need to be addressed before VoIP can be implemented.

2.1 Attacks on VoIP

As mentioned earlier, attacks on these networks can take several forms. Some attacks are more passive and just try to acquire important information, while other attacks are more aggressive and can cause more damage to the data or to the entire network. Some of the most frequent types of attack are eavesdropping, spoofing, denial of service, call redirection, and replay attacks [8] [10].

Eavesdropping is one of the most common attacks, in which hackers interfere with the communication to steal VoIP packets in order to hear the conversation. This type of attack can be easily performed using network analyzers, which can sniff and capture packets in order to transform VoIP traffic into wave files. These wave files can then be saved locally on the computer and played back with a media player to hear the conversation. This type of attack usually does not affect the entire network, only the domain or subnet in which the attack takes place.

Replay attacks allow hackers to retrieve all kinds of data related to the network. To perform this attack the hacker captures a data packet and then sends it back into the network. As a result more packets are produced, and in this way the hacker acquires additional knowledge about the entire network.

With packet spoofing hackers change the source address of a packet so that the recipient thinks the packet was sent by a trusted member of the network and allows its delivery. Along with the source address, the caller ID number can also be modified when VoIP packets are sent. Many free programs exist that allow a phone number to be spoofed. An important issue with spoofing is how the identity of the participants can be protected.

Call redirection happens when the hacker alters the call so that it takes a different route from the original one. This redirection can cause improper use of the network's resources and can affect its performance. It can also be the cause of other types of attack, since the network has been breached.

Denial of Service [5] is one of the most dangerous and effective methods that hackers have to create problems in the network, because the network is overwhelmed with unnecessary packets that consume bandwidth and network resources. One of the first services to be affected is VoIP, which is sensitive to network changes. The attack can also focus on VoIP itself, by using messages that create useless connections or tear down important ones. Such messages include CANCEL, GOODBYE and PORT UNREACHABLE. This has a negative impact on the VoIP conversation, since calls or hang-up procedures cannot be completed. The problem with DoS is that not only the VoIP service but also the entire network is compromised.

Message alteration: Message alteration is a very serious attack because, although the message shows nothing suspicious, it is not what the originating source sent.

The attacker could easily have altered the content of the message. This attack can be blocked by using encryption with a one-way hash function before sending the message.

From the above information, the attacks can be categorized by the way they affect the network. Eavesdropping and replay attacks affect confidentiality in the network. Packet spoofing and message alteration affect the integrity of the data transmitted in the network. Call redirection affects both confidentiality and integrity. Finally, Denial of Service compromises the availability of the network. These three characteristics, confidentiality, integrity and availability, must all be addressed for the network to be secure.

2.2 Security Measures

To defend the network against hacker attacks several mechanisms exist, such as encryption, firewalls, virtual LANs and network address translation. But these security measures come at a price in network performance that can affect VoIP. The next sections describe how these measures can be adapted when VoIP is present in the network.

Encryption is required in order to protect the network's privacy and to authenticate messages. The two main encryption methods used are Transport Layer Security and IPsec [5]. These methods can adopt several types of encryption algorithm, such as DES, 3DES, AES, RC4 and RC5 [11]. This wide range allows for flexibility according to the network's needs. Each algorithm provides a certain level of security, but the greater the security, the more the network's performance decreases and the more time delay is introduced by the processing.

The majority of data networks use firewalls [5] [8] to filter traffic coming in and out of the network. This mechanism is the first line of defence against attacks. But when firewalls have to cope with VoIP traffic some issues emerge. These issues are the time delays introduced into the network and, more importantly, the thousands of ports that must open and close for VoIP to work properly.

Virtual LANs (VLANs) [5] can be used in the network to isolate domains. This makes it more difficult for the attacker to compromise the entire network. When one part of the network experiences problems, the other VLANs keep working without issues. Traffic can therefore be routed through the VLANs that have not been attacked, and the services continue to work. Virtual LANs work like the sealed compartments of a ship, which prevent the whole ship from flooding.

Network address translation [8] [5] is another typical feature of the network. NAT provides a method to substitute private IP addresses with addresses that can be used outside the network. NAT can also act as a security measure, since internal addresses stay secret. Along with these benefits, NAT can have a negative impact on VoIP operation. This translation from private to public and back to private addresses can cause problems for VoIP operation because of its inability to follow this contiguous address-port assignment.

All these security measures can help administrators protect their network from unauthorised access and attacks. But these measures can also hold back the network's performance, affecting sensitive services such as VoIP. This is a very important issue, because users need not only security in their network but also QoS, an important aspect that will be examined in Chapter 3.

2.3 H.323 Security

To protect conversations in the H.323 network from attacks, the H.235 release proposes several features that, when combined properly, provide maximum efficiency at the least cost. Some of these features are authentication, integrity, privacy and non-repudiation [5]. In the VoIP network gatekeepers are responsible for authenticating users and providing non-repudiation, so that users who take part in a conversation cannot deny their participation. Encryption can be adopted in order to provide privacy along with integrity. The two main encryption methods used are Transport Layer Security (TLS) and IP Security (IPSec) [5].

The basic characteristic of H.235 is that it recognises a person instead of a device. There are three kinds of security profile in H.235:

1) Security profiles which are based on a simple password.
2) Profiles which make use of digital certification and depend on public key infrastructures.
3) Profiles which combine passwords, digital certifications and public key infrastructures.

The H.235 recommendation provides many encryption algorithms with various options, depending on the security requirements [5]. The structure of H.235 is described below:

- IPSec or TLS are mainly used to protect the signalling channel from unauthorized access or attack.
- The encryption algorithm to be used is chosen by a capability negotiation mechanism.
- Initial key distribution is done by H.245 commands, such as OpenLogicalChannel and OpenLogicalChannelAck. The distributed key can either be encrypted by an algorithm, or the H.245 channel can be used as its transmission channel.
- H.245 messages and H.225 signalling can be protected by using TLS at the transport layer or IPSec at the network layer.
- VoIP packets transferred by RTP can be protected by encryption and authentication.
- H.235 also supports security protection for the H.225 terminal-to-Gatekeeper signalling (RAS) [1].

2.4 H.323 Security Issues

Firewalls cause the majority of the problems for VoIP networks using H.323 [5]. The use of stateless firewalls aggravates these problems, since this type of firewall cannot control this kind of traffic. The H.323 protocol uses dynamic ports for its traffic, and stateless firewalls find it difficult to track UDP queries and replies. The solution to this problem is to manually open ports in the firewall so that H.323 traffic can pass through it. This practice can cause problems for the security of the network, because thousands of UDP and TCP ports would be left open. For this reason stateful firewalls that can control H.323 traffic must be used in the VoIP network. This type of firewall lets VoIP traffic pass by dynamically opening and closing the ports that the H.323 protocol requires, which solves the problem of the great number of ports that a stateless firewall would have left open.

Even if a stateful firewall is used instead of a conventional firewall, it can still experience problems in managing the H.323 traffic that passes through it. H.323 traffic is encoded in a binary form which can also be found in ASN.1 [5]. The use of ASN.1 makes it difficult for stateful firewalls to manage H.323 traffic. So, along with firewalls, specialized hardware (such as gateways) can be used to compensate for the problems that VoIP traffic creates for these firewalls. The drawback of using this VoIP-aware hardware is the latency that it introduces into the network.

In addition to the firewall problem, NAT adds further problems in VoIP networks that use the H.323 protocol [5]. NAT works by translating the private address of the VoIP message into a public one so that VoIP traffic can travel outside the user's network. The problem is that the use of NAT makes the conversation more complex for firewalls and VoIP hardware to manage, since the actual (private) address must be found and replaced in the VoIP message at the destination before it reaches the recipient.

2.5 SIP Security

When SIP is used in an IP network it can be exposed to a broad range of different threats, such as identity problems and threats originating from the internet. Displaying the right ID of a caller is an important requirement for the phone companies. The main reason the internet is not safe is that there have never been enough security policies and equipment to keep a network totally safe from attacks originating from the web.

For a SIP based network to be safe, it must confront two different types of threat [5]: internal and external threats. External threats are attacks generated by an attacker who is not participating in the actual SIP based communication. They are more likely to happen when the information crosses network boundaries that involve a third party or other untrusted networks. The other type is the internal threat. This is normally a threat launched by a SIP session participant. Because the SIP session participant is generating the attack, the participant can no longer be trusted. Firewalls are designed to protect the network from external attacks. For this reason attacks from the inside are more complex, and it is much more difficult to find the source of the attack in order to repel it [8].

A number of mechanisms exist to provide security for the SIP protocol. Many of these mechanisms exist as part of the SIP protocol and others as separate modules. These security mechanisms, which are presented below, can be found in more detail in RFC 3261 [18].

- Digest Authentication
- S/MIME Usage within SIP
- Confidentiality of Media Data
- TLS usage within SIP
- IPsec usage within SIP
- Security Enhancements for SIP

The Digest authentication [18] mechanism, described in RFC 2617, is based on the MD5 algorithm, which calculates the checksum of certain parameters such as the user name and password, the HTTP method that is used and the URI (Universal Resource Indicator, which means secure SIP, like HTTPS). With this mechanism the password is never sent out in plain text, which reduces the chances of a hacker acquiring the password, at least without significant effort (breaking the password is time consuming).

S/MIME mechanism [8]: S/MIME itself specifies the means for ensuring the integrity and providing the encryption of the content. Mechanisms such as public key distribution, authentication and integrity protection, confidentiality of SIP signalling data and tunnelling are some of the measures that S/MIME adopts. S/MIME can also be considered the successor of PGP (Pretty Good Privacy).

The SIP protocol on its own does not provide encryption for media. For the media data to be confidential, SIP works with SDP to provide encryption. An alternative path to data confidentiality is through SRTP [8] [10]. The drawback of using SRTP is the overhead that it adds to the process because of the encryption it performs on the media streams, something that SDP is not able to do. Again, the choice between security and processing time must be made.

TLS is specified by RFC 3261 [18] for use on proxies, redirect servers and registrars, because it gives the SIP conversation the mechanisms to protect the messages against data loss and hacker attacks and to keep them confidential. Because of these security requirements, TLS needs a transport layer protocol that can support these features. UDP cannot provide the support that TLS needs, but the other transport layer protocol, TCP, can. The disadvantage is that the use of TCP introduces delay into time-sensitive SIP communication.
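The Digest calculation described above can be followed step by step in the sketch below, which is an added example and not code from the thesis. It implements the RFC 2617 `qop=auth` response and a server-side check that also refuses a repeated nonce-count, which is what stops a captured REGISTER from being replayed; the SIP user, realm, nonce values and the `DigestVerifier` class are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth. The password only enters through HA1,
    so it never appears on the wire."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Hypothetical server side: checks the response and rejects replays."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords   # username -> password (constructed data)
        self.last_nc = {}            # issued nonce -> highest nonce-count accepted

    def issue_nonce(self, nonce):
        self.last_nc[nonce] = 0

    def verify(self, method, f):
        if f["username"] not in self.passwords or f["realm"] != self.realm:
            return False, "unknown user or realm"
        if f["nonce"] not in self.last_nc:
            return False, "nonce was not issued by this server"
        nc = int(f["nc"], 16)
        if nc <= self.last_nc[f["nonce"]]:
            return False, "replayed nonce-count"
        expected = digest_response(f["username"], self.realm,
                                   self.passwords[f["username"]], method,
                                   f["uri"], f["nonce"], f["nc"], f["cnonce"])
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected, f["response"]):
            return False, "bad response"
        self.last_nc[f["nonce"]] = nc
        return True, "ok"


def demo():
    """A REGISTER accepted once, then replayed, then forged without the password."""
    server = DigestVerifier("voip.example", {"alice": "constructed-password"})
    server.issue_nonce("5f2a9c0e")   # constructed; real nonces must be unpredictable
    fields = {"username": "alice", "realm": "voip.example",
              "uri": "sip:voip.example", "nonce": "5f2a9c0e",
              "nc": "00000001", "cnonce": "0a4f113b"}
    fields["response"] = digest_response(
        "alice", "voip.example", "constructed-password", "REGISTER",
        fields["uri"], fields["nonce"], fields["nc"], fields["cnonce"])
    first = server.verify("REGISTER", fields)
    replay = server.verify("REGISTER", dict(fields))   # same packet sent again
    forged = dict(fields, nc="00000002")
    forged["response"] = digest_response(
        "alice", "voip.example", "guess", "REGISTER",
        forged["uri"], forged["nonce"], forged["nc"], forged["cnonce"])
    return first, replay, server.verify("REGISTER", forged)


if __name__ == "__main__":
    print(demo())
```
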

For securing SIP communication at the network layer the IPsec protocol is the most adaptable solution, because it can provide the security features mentioned earlier using either TCP or UDP as the underlying transport layer protocol. As shown earlier, TCP is used when security and quality are needed between the communicating parties. But when time and delays are critical for the communication to take place, UDP can be used, since the security features can be provided by IPsec. One of the main mechanisms that IPsec uses for providing security is the IKE (Internet Key Exchange) protocol. IKE works by exchanging encrypted keys and security parameters between the involved parties. By offering security at the network layer, IPsec manages to secure SIP communication when delays are not significant.

Several drafts concerning Security Enhancements for SIP are being discussed by the IETF, which focus on finding a universal security solution for various SIP scenarios. Several drafts have been released related to the support for authentication, integrity and confidentiality in SIP:

- SIP Authenticated Identity Body (AIB) [19]
- SIP Authenticated Identity Management [20]
- S/MIME AES Requirement for SIP [18]

2.6 SIP Security Issues

As seen with the H.323 protocol, when SIP is adopted as the VoIP protocol in the network some security problems emerge. These security problems are related to the firewalls used to protect the network and to the use of NAT. As with H.323, the SIP protocol needs to use ports through the firewall for its traffic. With simple stateless firewalls thousands of ports are opened, leaving weak points in the network for hackers to attack. Performing this task manually is very difficult and time consuming, if not impossible. So, as with H.323, stateful firewalls must be used that can follow SIP traffic while opening and closing the ports that SIP needs. The second security problem, NAT, causes the same problems for SIP communication as for H.323. The mapping between private and public addresses makes it difficult for the network's components (hardware and/or software) to follow the conversation. But because of the important role that NAT plays on the internet, its use cannot be avoided. In the following section solutions to the NAT problem will be presented.

2.7 Solution to the NAT problem

As mentioned in the previous sections, the H.323 and SIP protocols encounter problems when used with NAT in the network. The problem originates from the fact that NAT replaces the private IP addresses, which are included in the header of VoIP messages in both protocols, with public ones. This operation leads to the conclusion that the third parties who perform NAT must be secure for the integrity of the conversation to be preserved. Some techniques for solving the NAT problem are presented below [3] [5].

Simple Traversal of UDP through NATs (STUN). The use of STUN allows the software that handles VoIP conversations to detect what kinds of firewall and NAT sit between the communicating parties and to take the necessary actions. STUN is kept simple, which means that it can be easily adopted without changing the network's structure. It also provides maximum compatibility with a wide range of NATs and firewalls, which makes it flexible.

Traversal Using Relay NAT (TURN). The TURN protocol is similar to STUN in its structure and the way it works. TURN came to complete STUN, as it was designed to do what STUN could not. TURN works like a database of the address and port mappings used by both H.323 and SIP. So a secure party now exists in the VoIP communication which keeps track of address and port mappings. The security derives from the usernames and passwords that are needed in order to log on to the TURN party and obtain the information.

Interactive Connectivity Establishment (ICE). ICE is a protocol that was designed by the IETF and describes the operations that both parties of the VoIP communication take in order to overcome the limitations that NAT introduces into the network. It can be thought of, to a certain degree, as the combination of the two protocols STUN and TURN, with the only difference that the two parties communicate with each other without having a third party interfering in the conversation. So the risk of having an unreliable node in the network is eliminated.
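The stateful behaviour called for in section 2.6, and the private-address problem that section 2.7 sets out to solve, can both be seen in the following added example, which is not part of the thesis. It is a minimal SIP-aware tracker that opens RTP/RTCP pinholes only for ports negotiated in SDP, closes them on BYE, and flags SDP bodies that advertise an RFC 1918 address; the class name, the messages and all addresses are constructed.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sip(raw):
    """Return (start_line, call_id, (ip, port) or None) for one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    call_id = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "call-id":
            call_id = value.strip()
    ip = port = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):       # SDP connection address
            ip = line.split()[2]
        elif line.startswith("m=audio "):      # SDP audio port
            port = int(line.split()[1])
    return lines[0], call_id, ((ip, port) if ip and port else None)


class SipPinholeTracker:
    """Hypothetical stateful filter: media ports exist only while a call does."""

    def __init__(self):
        self.offers = {}     # call-id -> media offered in the INVITE
        self.pinholes = {}   # call-id -> set of (ip, port) currently open
        self.warnings = []   # (call-id, private address seen inside SDP)

    def _note_private(self, call_id, media):
        addr = ipaddress.ip_address(media[0])
        if any(addr in net for net in RFC1918):
            # NAT rewrites the IP header but not this payload address, so the
            # far end would send RTP to an unroutable destination.
            self.warnings.append((call_id, media[0]))

    def process(self, raw):
        start, call_id, media = parse_sip(raw)
        if start.startswith("INVITE ") and media:
            self.offers[call_id] = media
            self._note_private(call_id, media)
        elif start.startswith("SIP/2.0 200") and media and call_id in self.offers:
            offer = self.offers.pop(call_id)
            self._note_private(call_id, media)
            # Open RTP and RTCP (port + 1) for both negotiated endpoints only.
            self.pinholes[call_id] = {(ip, p) for ip, port in (offer, media)
                                      for p in (port, port + 1)}
        elif start.startswith("BYE "):
            self.offers.pop(call_id, None)
            self.pinholes.pop(call_id, None)

    def allows(self, ip, port):
        return any((ip, port) in holes for holes in self.pinholes.values())


def sip(start, call_id, sdp_ip=None, sdp_port=None):
    """Build a constructed SIP message with only the fields the tracker reads."""
    head, body = [start, f"Call-ID: {call_id}"], ""
    if sdp_ip:
        head.append("Content-Type: application/sdp")
        body = "\r\n".join(["v=0", f"c=IN IP4 {sdp_ip}",
                            f"m=audio {sdp_port} RTP/AVP 0"])
    return "\r\n".join(head) + "\r\n\r\n" + body


def demo():
    fw, cid = SipPinholeTracker(), "constructed-call-1"
    before = fw.allows("192.168.1.20", 49170)
    fw.process(sip("INVITE sip:bob@example.com SIP/2.0", cid, "192.168.1.20", 49170))
    fw.process(sip("SIP/2.0 200 OK", cid, "203.0.113.7", 30000))
    during = (fw.allows("192.168.1.20", 49170),   # negotiated RTP port
              fw.allows("203.0.113.7", 30001),    # its RTCP companion
              fw.allows("203.0.113.7", 30002))    # never negotiated
    fw.process(sip("BYE sip:bob@example.com SIP/2.0", cid))
    after = fw.allows("192.168.1.20", 49170)
    return before, during, after, fw.warnings


if __name__ == "__main__":
    print(demo())
```
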

Chapter 3: Quality of Service (QoS) in VoIP

When VoIP is to be introduced into a network, the network must ensure Quality of Service (QoS) for VoIP to work without problems. The use of various security mechanisms can degrade QoS. This can lead to a variety of quality issues, which derive from the use of firewalls that can introduce delays or completely stop VoIP traffic. Encryption and delay fluctuation (jitter) are also sources of problems for this time-sensitive service. VoIP, as a service that is easily affected by delay, data loss and disruptions, cannot be protected by the security solutions used successfully in networks whose services do not behave in the same way when delays, data loss and disruptions are present. So these security solutions must be adapted in order to secure VoIP traffic. QoS is affected by [1]:

Latency: A major factor in VoIP networks is latency. Latency in these networks refers to how much time VoIP traffic needs to travel from the sender node to the destination node. To give an idea of the effect of latency, while 400 ms can be thought of as a reasonable time for an international call, it is not acceptable for local calls, which have an average of 150 ms of latency.

Jitter: Jitter refers to another quality issue, the variation of packet delays, often caused by low bandwidth in the network. Although UDP is used to transfer VoIP packets across the network, RTP is used to give applications the ability to reconstruct VoIP traffic by using fields from the packet header such as sequence numbers and timestamps. However, in networks where security measures such as IPsec encryption are used, these measures may introduce delays too great to be compensated for by the protocol, which results in increased jitter.

Packet loss: Packet loss is the major effect of the presence of latency and jitter in the VoIP network. Despite the small size of the packets that VoIP uses, packet loss normally happens in massive numbers, often due to congestion, so signal degradation can rapidly become a problem.

In spite of the cost savings that VoIP technology can offer and the flexibility that it gives to the network, if VoIP cannot provide the same services as the public switched telephone network, it will provide little added value and there will be no reason for enterprises and providers to adopt it.

3.1 Latency

As mentioned earlier, latency [1] [4] in the network shows how much time a packet needs to go from the source to the destination endpoint. Ideally the network would have very low latency, but there are practical constraints that introduce delay in VoIP. G.114 is a protocol designed by the ITU-T that describes several boundaries for VoIP communication. Some of the most important boundaries are the 150 and 400 ms that must not be exceeded for local and distant communications respectively. Because VoIP traffic suffers more from latency during its travel from the sender to the recipient, the case in which the delays are produced by components of the internal network will be examined.

In order to achieve the QoS that most public switched telephone networks provide, VoIP packets must be delivered in less than 150 ms. Because of this limit, VoIP traffic must reach its destination without significant delays. The level of security that can be used with VoIP is affected by this limit, because the more security is used, the more processing has to be done, and thus more delay is introduced into the network. Delay is not added only at the endpoints of the network. Each element that the packets travel through introduces a new delay, created by queuing and, if it is a security checkpoint (such as an encryption/decryption point or a firewall), by processing. Furthermore, larger packets can consume bandwidth, creating congestion which results in increased latency. So in order to decrease latency VoIP uses small packets.

3.2 Jitter

The variation of packet delay, known as jitter, is another quality issue, usually derived from a lack of capacity (bandwidth) in the network. Although delays create problems for VoIP, the continuous variation of these delays can be even more dangerous for the service [1] [4]. Jitter is the number one cause of VoIP traffic reaching the destination out of order. VoIP traffic is transferred through the network using RTP, which is a UDP based protocol. This means that RTP, like UDP, does not have the ability to reconstruct the data sequence by using the corresponding fields in the packet. The protocol leaves this job to upper layer applications. As a result, delays from additional computing are introduced into the network, which may affect VoIP due to the time-sensitive nature of the service. When jitter cannot be reduced, VoIP traffic reaches the recipient not periodically but at random, and for this reason in massive numbers.

The dominant solution for reducing the effect of delay variation is to buffer VoIP traffic, but for less than the limit of 150 ms (for local calls), and taking the transport delay into account. If this is achieved, the variations in delay should decrease. The problem with the use of a buffer is that when VoIP traffic arrives out of order there is no way to know whether a packet is lost or just delayed. Because of jitter, the application has no way to find out which delay time to use when deciding whether a packet was delayed or lost. So the application is incapable of taking action regarding that packet.

Routers, firewalls and other network units which provide QoS can be used to control jitter in the network. Time-sensitive traffic such as VoIP packets can be processed and forwarded much faster than data packets from services which are delay tolerant.
Although most of the elements that compose the network are intended for QoS, not all of them are designed to ensure it. Such devices do not ensure QoS because they do not use the Type of Service (ToS) bits included in the packet's header [1] [9]. So there is no way to know which packets have priority in forwarding and which do not.

Bandwidth is very important because jitter is related to it. The more capacity the network has, the less jitter is introduced. The relationship between bandwidth and jitter creates a conflict with some security measures in VoIP, for example IPsec, whose processing requirements introduce latency and consume bandwidth, thus increasing jitter. The network's capacity decreases when additional headers are added to the packet and force it to expand. In normal IP traffic this does not cause problems, because the packet is large relative to the added information. But this does not apply to VoIP packets, since with their small size the slightest change in size can affect performance.

The time constraint for a VoIP packet to arrive at the recipient is very tight, so the lower the jitter in the network, the better for its QoS. Although the network needs security so that data is protected from attacks, the security itself must not cause problems for VoIP. As the level of security provided by the security elements increases, so do the delay variations. If these variations are not kept low, problems will occur in the delivery of VoIP packets. For this reason devices which ensure QoS must be used, so that the bandwidth of the network is used more efficiently and variations in the size of the packet header do not affect the service.

3.3 Packet Loss

Services like VoIP do not work well when packet loss occurs in the network. Latency is the major factor that leads to loss of data. This occurs because when a packet reaches the recipient with delay, it must be dropped so that more recent packets can be processed.
Another factor in packet loss is jitter, which causes traffic to be delivered out of order, making the destination drop the packets. RTP cannot compensate for packet loss [1] [7] because it does not have mechanisms to ensure that data will be delivered at any cost. But even if it had such mechanisms, they would do no good because of the time boundaries of the VoIP service. The entire procedure of detecting which packets are lost, requesting them again, retransmitting them and receiving them would take too long, and VoIP would run into problems.

The advantage of VoIP technology is the small size of the packets that it uses. Because of this small size, the loss of a single packet does not affect the service and the users cannot tell the difference. But in VoIP networks the lack of effective bandwidth can lead to continuous packet loss, and that can lead to the loss of a massive number of packets, which can create problems in the conversation.

To ensure that packet loss does not create problems for VoIP, another solution can be used rather than TCP [9]. The solution is for the sender to transmit duplicates of each packet, so that if one packet gets lost the others will reach the recipient. The drawback of this method is that it consumes bandwidth. When bandwidth is available no problems occur in the network. But when bandwidth is not available, this can cause massive loss of packets.

Codecs are another source of delay for VoIP networks, due to the processing and coding of the media stream. But new types of codec are designed to offer the same coding quality while using less processing. This can decrease the delays significantly. An example of such a codec is the internet Low Bit rate Codec (iLBC) [13], which manages to provide the same features as G

3.4 Bandwidth and Speed

Bandwidth plays an important role in VoIP networks. Because both conventional data and speech are transferred in this kind of network, congestion may occur more often than expected, which results in packet loss. So administrators need to use bandwidth more efficiently, because it is not unlimited. If bandwidth is not used with caution, it may lead to latency and jitter, both of which cause VoIP to malfunction.
For this reason, when a network is designed, the goal is to achieve the maximum bandwidth through modern equipment that can provide high-speed data transfer. In addition to the hardware, RTP header compression and Voice Activity Detection (VAD) [1] can be adopted for more efficient use of bandwidth. RTP compression [7] [1] is used to compress the media stream traffic, so that less bandwidth is wasted. Nevertheless, a compression scheme that does not perform well can result in latency and voice degradation, with a serious impact on QoS.

When a VoIP call has been established between the parties, Voice Activity Detection [1] saves bandwidth by stopping unwanted traffic, such as the empty packets that the parties exchange when no conversation is taking place while the call is still up. The drawback of this method lies in the fact that for a time the network will have no traffic, but without notice it can be overwhelmed by VoIP packets. This can cause buffers to fill up and start dropping packets, which in turn leads to latency and jitter, with an overall effect on VoIP performance.

The best way to solve QoS problems such as latency and network congestion is speed. Faster networks result in reduced latency and probably fewer chances of network congestion. So every operation of the data network must be accomplished faster when VoIP is introduced into the network. The latency associated with the operations of data networks will not be tolerated by VoIP. Security elements such as firewalls, NATs and encryption are the number one cause of delays, latency and congestion. But at the same time they are the most useful tools for securing data networks. So these elements must understand how VoIP works in order to be used in VoIP networks.

Because of the above, the solutions that work well with data networks must be modified in order to support security without creating problems for VoIP. Both security and QoS are very important for VoIP networks, but they also create problems for each other. It is necessary to find a balance between the two.
The next section describes how these security issues can affect quality of service, which is important for the operation of VoIP. The modifications that the security elements need in order to comply with VoIP will also be presented.
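The playout buffer trade-off from section 3.2 is worked through in the following added example, which is not part of the thesis. It computes the RFC 3550 interarrival jitter estimate over a constructed trace and classifies each packet against a fixed playout deadline, showing that a lost packet and a late one look identical to the receiver when the deadline expires. As a simplifying assumption, send and arrival times are given in milliseconds on a common clock.

```python
# (sequence number, send time ms, arrival time ms or None if never delivered)
# Constructed trace: 20 ms packetization, seq 4 is lost, seq 5 is badly delayed
# and therefore arrives after seq 6 and seq 7.
CONSTRUCTED_TRACE = [
    (1, 0, 40),
    (2, 20, 62),
    (3, 40, 85),
    (4, 60, None),
    (5, 80, 190),
    (6, 100, 141),
    (7, 120, 162),
]


def interarrival_jitter(packets):
    """RFC 3550 running estimate J += (|D| - J) / 16, taken in arrival order,
    where D is the change in transit time between consecutive arrivals."""
    arrived = sorted((p for p in packets if p[2] is not None),
                     key=lambda p: p[2])
    jitter, prev_transit = 0.0, None
    for _seq, sent, recv in arrived:
        transit = recv - sent
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16.0
        prev_transit = transit
    return jitter


def playout(packets, buffer_ms):
    """Classify packets for a fixed playout delay: a packet sent at time S must
    be available at S + buffer_ms or its slot in the audio is skipped."""
    result = {"played": [], "late": [], "lost": []}
    for seq, sent, recv in packets:
        deadline = sent + buffer_ms
        if recv is None:
            result["lost"].append(seq)
        elif recv > deadline:
            result["late"].append(seq)     # delivered, but useless to the codec
        else:
            result["played"].append(seq)
    return result


def missing_at_deadline(packets, buffer_ms):
    """What the receiver actually knows when each deadline expires: only that
    the packet is not there. Lost and late packets are indistinguishable."""
    outcome = playout(packets, buffer_ms)
    return sorted(outcome["late"] + outcome["lost"])


if __name__ == "__main__":
    print("jitter estimate (ms):", round(interarrival_jitter(CONSTRUCTED_TRACE), 3))
    for buffer_ms in (60, 120):
        print(buffer_ms, "ms buffer:", playout(CONSTRUCTED_TRACE, buffer_ms))
    print("missing at deadline, 60 ms:", missing_at_deadline(CONSTRUCTED_TRACE, 60))
```

With the 120 ms buffer the delayed packet is recovered, but the buffer alone then consumes most of the 150 ms budget the text gives for local calls.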

3.5 Security impact in QoS

The time boundaries that VoIP needs in order to function have a serious impact on security, especially with regard to denial of service (DoS) [8]. Many attacks focus on VoIP in order to drive VoIP based devices into denial of service situations. These attacks force the devices to stop functioning because of the load that they need to compute. The servers that handle VoIP traffic face the same danger as the simpler devices. The problem with this kind of attack is that even if the bandwidth is adequate, the success of the attack depends on the computational ability of the machine.

Delay in VoIP networks can be introduced by additional processing such as encryption [11]. With encryption in VoIP networks, the conversation between the parties can be protected from hacker attacks. By using encryption each participant can also be sure of the source of the VoIP traffic. For VoIP to function properly, the encryption used in the network applies a stream cipher to the voice data. Stream ciphers produce small amounts of delay, which do not affect the service. In some cases, where the network does not have significant delays, block ciphers are another solution for encryption.

The authentication service, which is achieved by calculating HMAC (Hash Message Authentication Code) hash functions, introduces the most considerable delays in a VoIP network. MD5 or SHA-1 [11], the most common hash functions, are combined with HMAC. When MD5 and SHA are combined with HMAC [17] they create an authentication message block ranging between 128 bits and 160 bits. But the strength of this combination is also its drawback, because for data to be encrypted or decrypted the entire block must first be received. As a result, the delays produced by this type of encryption create big problems.
Although authentication is very important, due to the nature of speech the participants do not need it, since they know each other by voice. So, as a solution for keeping the delays as low as they can be, the authentication process can be maintained only during the handshake and not during the actual conversation.

Both firewalls and NATs can have an impact on how well the services in the network function, because these elements must process traffic before they can forward it, and this processing introduces delays into the network. Furthermore, NAT not only produces latency but can also act as a bottleneck, because packets must pass through it in order to leave the network. Most QoS problems are produced by these elements. VoIP is highly sensitive and easily affected by latency. Both of these elements would have to process and forward all types of traffic almost instantly in order to avoid creating delays that could cause even a slight change in the behaviour of the network [5]. Firewalls must not only interact quickly with the network traffic; their processors also need to process VoIP packets equally fast.

There are two main reasons why firewalls introduce latency into the VoIP network through processing overhead. The first reason is the handshaking process, which cannot be avoided since it is integrated in both protocols that VoIP uses. Even if the handshaking process could be bypassed, firewalls still need to inspect the inside of these packets in order to determine their authenticity (application level). Furthermore, when NAT is present in the network, traffic must also be processed so that the packets are supplied with the correct addresses for leaving or entering the network. This operation is also essential and cannot be avoided. In addition, this continuous teardown and reconstruction of the packets takes time and processing power and forces these elements to perform these operations within the smallest possible time boundaries.
The second reason why firewalls introduce latency into the VoIP network through processing overhead is that, although VoIP packets are considerably small, firewalls must deal with them in enormous numbers, which creates serious problems. Since a firewall must tear down and reconstruct every packet passing through it in order to check its payload, a massive number of packets can cause the firewall's CPU to overload. Suppose there is a firewall that is designed for networks of 100BaseT technology. Despite the fact that this network can support VoIP traffic, when a conversation is taking place the firewall must process a massive number of small packets. This results in congestion at the firewall, while the network does not experience this kind of problem and continues to send packets to the firewall. In order to solve this issue vendors create firewalls that are VoIP sensitive and can provide QoS to the service.

3.6 QoS in Providers' networks

In order for ISPs to ensure that they can provide quality of service for their customers, they need to implement in their core networks WAN technologies that provide the means to do so. The two most well known and common WAN technologies are Asynchronous Transfer Mode (ATM) [21] and Frame Relay (FR) [22]. These technologies do not provide the maximum bandwidth on a 24-hour basis but only when it is needed, for example in rush hours when the data loads are greater. Nevertheless they have other mechanisms that provide the maximum quality of service with the minimum bandwidth, as mentioned in sections 3.7 and 3.8. These mechanisms are based on a variety of solutions such as the way they treat specific data, traffic manipulation, priority profiles, congestion control and transmission handling.

3.7 ATM QoS Mechanisms

Constant Bit Rate (CBR): As its name implies, CBR [12] [21] is a mechanism that offers a constant bit rate for data traffic. It is mainly used by ATM networks, which are characterised by the use of virtual circuits. With these non-physical circuits any kind of multimedia data, voice or video, can be transmitted without significant delays. Usually the amount of traffic that is to be transmitted through the virtual circuits, known as the Peak Cell Rate (PCR), is predefined, so the network can easily allocate the resources without wasting any bandwidth. This is essential for ISPs, because when you have to deal with thousands of clients, saving bandwidth can solve many problems that could cost the providers a lot of money.

Real-time and non-real-time variable bit rate (rt-VBR and nrt-VBR): When the services in the network do not encounter problems with a certain amount of information loss, the VBR mechanism [12] [21] can be used for data transmission at variable data rates. With VBR, the transmission can be adapted to the condition of the network, always within the boundaries that the services set for proper function and adequate QoS. The rt-VBR method is normally oriented to the transmission of data traffic between endpoints that need to handshake first. One such service, which needs synchronization between the participants and thus the use of rt-VBR, is compressed video streams. On the other hand, when the services do not need handshaking between the source and the destination, the nrt-VBR method can be used. However, bandwidth and latency must still be guaranteed at all times in order for the services to function properly.

Available Bit Rate (ABR): As with the nrt-VBR method, when transmission can be accomplished at variable data rates and there is no need for source and destination to be synchronized before a transfer can occur, the ABR method [12] [21] can be used. The difference with ABR is that no bandwidth and latency guarantees are required during data transfer. When ABR is adopted by the network, every kind of data can be transmitted without problems provided that no time constraints are present. The main characteristic of ABR is that it allows the participants to adapt their transmission rate according to the performance of the network. By exchanging resource management (RM) messages, as they are called, ABR can control the flow of data into the network: the RM messages give the endpoints information about the condition of the network.
The participants in turn throttle or increase their transmission rate according to the RM messages. As a result of this operation the network can adjust the traffic to the existing bandwidth and not the opposite.

Unspecified Bit Rate (UBR): When the network serves applications which do not encounter problems when data loss and delay are present, such as and file transfers, the UBR method [12] [21] can be adopted. Again the transmission can be accomplished at variable data rates and there is no need for source and destination to be synchronized before a transfer can occur. The main difference between UBR and ABR is that UBR does not provide any information about the network's status to the endpoints. The proper function of the network is taken over by the upper layer protocols such as TCP/IP. The same features that make local networks so efficient guarantee that the transmission of data will not experience problems that can make the services fail.

ATM Block Transfer (ABT): The ATM block transfer (ABT) [12], also known as the fast reservation protocol, is used to allocate bandwidth. For each block of data that is sent, a resource management message specifies the bandwidth that is needed. Another resource management message follows at the end of each block to release the reserved resources. During a block transfer, the transfer and QoS options are the same as if the CBR service had been used. The bandwidth is allocated based on a Peak Cell Rate value. The quality of service that ABT and CBR provide is very similar. The transfer rate that is selected for a block transfer is called the Block Cell Rate (BCR). Each block of data negotiates for a change in the bandwidth allocation by either Delayed Transmission (DT) or Immediate Transmission (IT).

Traffic Control Functions: Traffic control [21] operations must be used in order for ATM networks to have Quality of Service. Flow management of data is the number one goal of ATM based networks, because it allows for more efficient use of the available bandwidth and network resources.
Although the way in which ATM networks function does not make traffic control easier, ATM technology provides adequate QoS for the applications. Traffic control is necessary for avoiding congestion. Traffic control methods can be divided into two categories: reactive control and preventive control. Reactive control methods regulate the traffic flow at the access points based on current traffic levels within the network. Preventive control methods provide a fair allocation of bandwidth by requiring, at times of high network load, that each connection's traffic flow remains within specified boundaries acceptable to the supported service. Due to real time constraints, preventive control is more suitable than reactive control in high speed networks.

Connection Admission Control: When the network cannot always provide a steady performance, Connection Admission Control (CAC) [12] [21] can be used. CAC is a mechanism that allows the endpoints to negotiate the network parameters that they need in order for their applications to function without problems. These network parameters, such as QoS, bandwidth and delays, are examined, and if they can be served by the network the connection between the endpoints takes place. This operation is repeated every time the participants need to transmit data. The advantage of this mechanism is that it allows the network to choose which applications it can serve depending on its resources, without facing performance problems.

Priority Control: There are static, dynamic and state dependent priority queuing schemes, each of the three with different service requirements [21]. The simplest is the static priority scheme, in which a high priority service with a strict delay requirement is always scheduled for processing before a low priority service. When a large part of the network traffic consists of high priority services, the QoS of low priority services will be degraded because the delay will become intolerable. The dynamic priority scheme is used to overcome the drawbacks of the static priority scheme. The dynamic priority scheme can be applied to improve the performance of a delay tolerant service while still satisfying the delay requirements of a time sensitive service.
A possible disadvantage of the dynamic priority scheme is the processing overhead required for inspecting the packets for priority; in addition, each arriving packet needs to be time stamped. The state dependent priority schemes are implemented in ATM networks to improve the QoS in terms of packet delay for each service and to reduce the packet loss rate of low priority services.
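The difference between the static and dynamic priority schemes can be seen in a small queue simulation. The Python sketch below is an added example, not part of the thesis; it uses earliest-deadline-first on time-stamped packets as one possible dynamic scheme (the thesis does not name a specific algorithm), and the delay budgets and the traffic burst are constructed.

```python
import heapq

VOICE, DATA = "voice", "data"
STATIC_RANK = {VOICE: 0, DATA: 1}      # lower rank is always served first
DELAY_BUDGET = {VOICE: 2, DATA: 6}     # tolerated queuing delay in slots (constructed)


def simulate(arrivals, scheme):
    """Serve one packet per time slot and return the worst queuing delay per class.

    arrivals: list of (arrival_slot, traffic_class)
    scheme:   "static"  -> strict class priority, FIFO inside a class
              "dynamic" -> each packet is time stamped on arrival and the one
                           whose deadline (arrival + class budget) is nearest
                           is served first
    """
    if scheme not in ("static", "dynamic"):
        raise ValueError("scheme must be 'static' or 'dynamic'")
    pending = sorted(arrivals)
    queue = []
    worst = {VOICE: 0, DATA: 0}
    slot = 0
    nxt = 0
    while nxt < len(pending) or queue:
        # Admit everything that has arrived by the start of this slot.
        while nxt < len(pending) and pending[nxt][0] <= slot:
            arrived, cls = pending[nxt]
            if scheme == "static":
                key = (STATIC_RANK[cls], arrived)
            else:
                key = (arrived + DELAY_BUDGET[cls], arrived)
            heapq.heappush(queue, (key, nxt, cls, arrived))
            nxt += 1
        # Transmit one packet in this slot, if any is waiting.
        if queue:
            _, _, cls, arrived = heapq.heappop(queue)
            worst[cls] = max(worst[cls], slot - arrived)
        slot += 1
    return worst


# Constructed burst: two data packets arrive together with a run of voice
# packets (one per slot for eight slots), so the link is briefly overloaded.
BURST = [(0, DATA), (0, DATA)] + [(t, VOICE) for t in range(8)]

if __name__ == "__main__":
    print("static :", simulate(BURST, "static"))    # data waits behind all voice
    print("dynamic:", simulate(BURST, "dynamic"))   # data served sooner, voice in budget
```

With this burst the static scheme keeps voice delay at zero but makes the data packets wait up to 9 slots, while the dynamic scheme cuts that to 5 slots and still holds voice at its 2-slot budget.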

3.8 Frame Relay QoS Mechanisms

In order for Frame Relay networks to provide quality of service, four mechanisms have been developed. These mechanisms are Fragmentation, Prioritization, Transmission Scheduling and Congestion Management. The combination of the above measures can provide QoS to the applications served by the Frame Relay based network, in many different situations which require adaptation.

Fragmentation [4]: Because the packets that are transmitted back and forth in the network do not all have the same size, in some cases large packets which are not urgent can delay other packets that are smaller but more urgent. For this reason fragmentation is used to break the large packets into smaller ones which cannot introduce significant delays.

Prioritization [23]: As its name implies, prioritization is used to tag data according to how quickly it must be forwarded across the network. There are several levels of priority depending on the requirements of each service. Some services must be served faster than others, such as VoIP, which has several time constraints and must not suffer from any delays. On the other hand, services such as do not need to be forwarded fast, just reliably. So by using prioritization the network can support all kinds of services by having predefined priorities in forwarding.

Transmission Scheduling: Despite its specific use, transmission scheduling can be critical for the operation and performance of the entire network. It allows the endpoints to transmit data not immediately but only when the receivers are able to process the data or, in the case of intermediate devices, to forward it. As a result of this mechanism queuing delays can be significantly decreased, and less processing is needed since the devices do not have to deal with massive numbers of packets.
Providers use this measure extensively in their core networks, and when this mechanism is combined with prioritization the network's performance can be increased rapidly.

Congestion Management [22] [23]: Flow control is another advantage of Frame Relay networks that use congestion management. By using certain network measures such as Discard Eligible (DE), Backward Explicit Congestion Notification (BECN), Forward Explicit Congestion Notification (FECN) and Committed Information Rate (CIR), the network can achieve efficient data flow of both critical and non critical data. By managing the data flow, increased network performance is achieved and in turn the services function better.

Discard Eligible (DE): When the network is experiencing congestion, the DE bit is used so that marked packets are discarded and the network decongests. With this measure non critical data is dropped in favour of critical data.

Backward Explicit Congestion Notification (BECN): When queuing problems start to increase in the network, the intermediate devices can use the BECN notification to inform the endpoint which is the source of the traffic to decrease its transmission rate and control the traffic flow into the network. Since the flow management is done by upper layer protocols, no addition must be made in the network.

Forward Explicit Congestion Notification (FECN): Just like BECN, FECN is used by the intermediate devices, this time to notify the destination endpoint and not the source about potential queuing issues and delays. The transmitting node is informed by the receiving node to take actions with regard to flow management. FECN and BECN are completely the same except for which node is informed first.

Committed Information Rate (CIR): The CIR is used by the endpoints when they need to transmit data, in order to allocate bandwidth resources from the Frame Relay network. If the network is able to support the rate, it allows the transfer. But if at any moment its performance diminishes then it will throttle the transfer rate.
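DE, FECN and BECN are single bits in the two-octet Frame Relay address field, so their effect can be shown directly on frames. The Python sketch below is an added example, not part of the thesis: it encodes and decodes that header, lets a congested queue discard DE-marked frames first and set FECN on what it forwards, and throttles a sender toward its CIR on BECN (the DLCIs, queue threshold and 25% back-off are constructed assumptions).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FrHeader:
    dlci: int
    cr: bool
    fecn: bool
    becn: bool
    de: bool


def build_header(dlci, fecn=False, becn=False, de=False, cr=False):
    """Encode the default 2-octet address field (10-bit DLCI)."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | (cr << 1)                     # EA bit = 0
    b1 = ((dlci & 0x0F) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1  # EA = 1
    return bytes([b0, b1])


def parse_header(frame):
    """Decode DLCI and the congestion bits from the start of a frame."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-octet address field")
    b0, b1 = frame[0], frame[1]
    if b0 & 0x01 or not b1 & 0x01:
        raise ValueError("unexpected EA bits: not a 2-octet address field")
    return FrHeader(
        dlci=((b0 >> 2) << 4) | (b1 >> 4),
        cr=bool(b0 & 0x02),
        fecn=bool(b1 & 0x08),
        becn=bool(b1 & 0x04),
        de=bool(b1 & 0x02),
    )


def mark_fecn(frame):
    """Return a copy of the frame with the FECN bit set."""
    return frame[:1] + bytes([frame[1] | 0x08]) + frame[2:]


def congested_switch(arrivals, queue_limit):
    """Queue a burst of frames on one output port (no departures during the burst).

    Once the queue is half full the port counts as congested: DE frames are
    discarded and forwarded frames get FECN set. Returns (queued, dropped).
    """
    queued, dropped = [], []
    for frame in arrivals:
        congested = len(queued) >= queue_limit // 2
        if congested and parse_header(frame).de:
            dropped.append(frame)          # non critical traffic goes first
        elif len(queued) >= queue_limit:
            dropped.append(frame)          # queue full: committed traffic is lost too
        else:
            queued.append(mark_fecn(frame) if congested else frame)
    return queued, dropped


def next_rate(current_bps, cir_bps, access_bps, becn_seen):
    """Sender policy (assumed): back off 25% per BECN, never below CIR."""
    if becn_seen:
        return max(cir_bps, current_bps * 3 // 4)
    return min(access_bps, current_bps + cir_bps // 8)


# Constructed sample traffic: voice on DLCI 100 (committed), bulk on DLCI 200 (DE set).
VOICE_FRAME = build_header(100) + b"V" * 20
BULK_FRAME = build_header(200, de=True) + b"B" * 200
BURST = [VOICE_FRAME, BULK_FRAME] * 4

if __name__ == "__main__":
    queued, dropped = congested_switch(BURST, queue_limit=6)
    print("queued :", [parse_header(f) for f in queued])
    print("dropped:", [parse_header(f).dlci for f in dropped])
    rate = 128_000
    for _ in range(3):
        rate = next_rate(rate, cir_bps=64_000, access_bps=128_000, becn_seen=True)
        print("rate after BECN:", rate)
```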

Chapter 4: Case Study

4.1 The Scenario

In this chapter of the dissertation a simulation of a middle size enterprise adopting VoIP will be presented. The goal is to see how the network and its services react to the introduction of this new technology and what actions need to be taken in order for the network to operate properly. Security and quality of service will be a concern for the enterprise. ATM and Frame Relay will also be tested as solutions for the connections between the sites. Database, , Http and Printing are the main services that the users work with. The enterprise's main office is located in Attiki (Athens) and the remote sites can be found in Thessaloniki, Patra and Hrakleio, as shown in Figure 6.

Figure 6: The Enterprise

The tool that will be used is called OPNET IT Guru Academic Edition. It is developed by OPNET Technologies for educational purposes and for that reason it has some limitations regarding the total number of events that can be simulated. However, it covers most of our needs for this case study.

4.2 The Enterprise structure

As mentioned in section 4.1, the enterprise is composed of four sites: the corporate site and the three remote sites, which are connected in a star topology [9]. The main advantage of this topology is that the remote sites are independent from each other, so if a site encounters problems it does not affect the others. On the other hand, it introduces a single point of failure, which is the corporate site. If this site has problems then the remote sites have problems too. The components of each site can be seen in Figures 7 and 8.

The central site is composed of the corporate Lan1 (implementing 10baseT technology, which means 10Mbps over twisted pair cable [9], and 25 users), a switch (Cisco Catalyst 3550 with 48 interfaces at selectable data rates), the router (a CISCO7000 supporting 10 and 100Mbps, along with ATM, Frame Relay and serial interfaces) and two servers (supporting database, printing, http and services). The other three sites, which connect to the corporate Lan1, are each composed of a LAN (implementing 10baseT technology, which means 10Mbps over twisted pair cable, and 15 users), a switch (Cisco Catalyst 3550 with 24 interfaces at selectable data rates) and the router (a CISCO3660 supporting 10Mbps along with serial interfaces). The selected routers have integrated firewall and security capabilities, and for this reason there is no need for a separate firewall unit. The firewall protects the sites from unauthorized access while providing encryption features for the protection of sensitive data.

Figure 7: The Corporate Site

Figure 8: The Remote Site

The internal components of the networks are connected with 10baseT links and the remote sites are connected to the corporate LAN with ISDN lines at 128kbps (between the routers, R1 with R2, R3 and R4, in a star topology). The components of the scenario are easily inserted from the large libraries that OPNET maintains. These components are inserted into the scenario by simple drag and drop in the graphical environment. This makes OPNET very easy to use even for less experienced users. The elements have default configurations set, so anyone can build a scenario without special knowledge, while it can also be used by professionals thanks to the advanced features that it supports.

After building the network, the next step is to configure the services that the network will provide and the profiles, indicating which services each LAN will use. As we can see at the top right corner of Figure 6, I have inserted (in the same way as the other components) an application and a profile definition node. In the application node I will configure the services that the network will support, and in the profile node I will configure the profiles with the services that each profile will have.

Figure 9: Configured Services

As presented in Figure 9, I have configured the four services Database, Printing, Http and which are the most common among the enterprise's users. Along with the services I also define the load that each service introduces into the network. As displayed in Figure 9, I chose the High Load for all the services. The reason for this decision is that if the network manages to function with the worst scenario of data traffic then it will have no problem in any other traffic situation.

With the same procedure I configure the profile that each LAN will adopt. There will be four profiles, one for every service. It is simple: I first create the profiles and then I assign the appropriate service to each profile. As we can see from Figure 10, along with the service the profile can be configured with the time during which it will be active. In this case the profiles are active from the start until the end of the simulation.

Figure 10: Configured Profiles

The last step that remains before I simulate the scenario is to apply the profiles to each LAN and the destination server to each profile. All the LANs in the corporate and in the remote sites are configured with the four profiles, which means that the users work with all the services (database, printing, http, ) and also that the traffic in the network will be as heavy as it gets.

The database and print services will have the DB_Print_Server as their destination. The http and services will have the Http_ _Server as their destination server. This is done by assigning to each of the applications a destination server from those that are present in the network. The same configuration as for the corporate LAN will be applied to the remote LANs. This assignment is very important for the simulation, because if no server is assigned to the applications there will be no results presented after the simulation. In the following figures we can see the configuration:

Figure 11: Supported Profiles

Figure 12: Destination Server

Now that I have the scenario built and configured I can advance to the simulation. The main approach is to first simulate the network with the configured basic services (database, print, http and ) and acquire the delay time of each service to use as a reference point. Next I will introduce IP telephony into our network, examine the delay responses again and, based on the delays, take the appropriate actions in order for the network to compensate for the changes.

4.3 The Simulation

Now that I have the scenario ready I perform the simulation. From the simulated results I focus on the delay times in order to find out how the network responds to the services. The following figures show the delay times for each service:

Figure 13: DB response time (sec)

Figure 14: Http page response time (sec)

Figure 15: download time (sec)

As we can see from the response times above (the peak in the graphs is caused by OPNET), the network can support these services without problems even in the worst traffic conditions, since the response times are very low and not perceptible by the users. Now that I have the references I will introduce IP telephony into the network and take the response times again for comparison with those of the last simulation. The configuration of IP telephony is the same as for the rest of the services (including the actual service, the profile and the applied LANs). The only difference is that an extra server will be added at the corporate site in order to take charge of VoIP calls and authentication services.

The enterprise is likely to communicate with clients using traditional telephony, so compatibility between packet-based and switched-circuit networks is necessary. The protocol that will be used is therefore H.323, the main reason being that it makes multimedia communications and data conferencing between switched-circuit networks (SCN) and packet-based networks possible. The default encoding scheme that H.323 uses is G.711 (audio coding at 64 kbps).

Figure 16: Configured IP Telephony

Figure 17: VoIP Profile Configuration

Figure 18: Corporate Site

After the simulation I get the following responses:

Figure 19: DB response time (sec)

Figure 20: Http page response time (sec)

Figure 21: download time (sec)

Figure 22: Voice end-to-end delay (sec)

As we can see from the comparison of the delay responses, the services have completely crashed, which means that after the introduction of IP telephony the network cannot support the extra load and fails to provide the users with the configured services. So I am going to upgrade the LANs from 10baseT to 100baseT (fast Ethernet). I simulate the network again with the current changes, and from the results we can see that although the basic services (delay tolerant) are working well, IP telephony (time sensitive) encounters problems, as shown in the following figures:

Figure 23: Time Response (sec) DB, ,Http

Figure 24: Voice end-to-end delay (sec)

Figure 25: Queuing delay in ISDN lines (sec)

Figure 26: Utilization of ISDN lines

This is partially caused by the high utilization and the queuing delays of the ISDN lines between the remote and the corporate sites, as we can see in Figures 25 and 26. As mentioned in sections 1.4 and 4.2, the routers can have multiple roles in the network. They not only act as voice gateways but also have firewall and security capabilities. This leads to the other most important cause of the problem in VoIP performance: the current routers are not suitable for managing VoIP traffic. As we saw, VoIP is highly sensitive and easily affected by queuing delays. So the router's firewall must be able to process and forward data traffic without introducing significant time delays. Processing power is needed. There is also a need for stateful firewalls, which keep track of information from previous VoIP traffic and can inspect the data payload in the packet. Routers with this kind of integrated firewall can control H.323 traffic and automatically open and close the ports needed by the protocol for its handshaking process.

When H.323 is used in the network, TLS can be an alternative to IPsec. TLS has the mechanisms to protect H.323 signalling messages from hacker attacks that can affect the integrity and confidentiality of data. It also supports integrated key control with two way authentication and secure key exchange. TLS encrypts the VoIP call that is established between two applications, while IPsec encrypts data between two devices and all the applications that they are running. This makes TLS more efficient and makes it consume less bandwidth, improving QoS. In order to save more bandwidth (especially in the links between the sites) and improve QoS, another encoding scheme can be used, such as G.729 (audio coding at 8 kbps). In order to apply the above I am going to replace the routers with others that can manage VoIP traffic.
In the corporate site a CISCO 7200 router (supporting 10 and 100Mbps, along with ATM, Frame Relay and serial interfaces) will be used, and at the remote sites a CISCO 3800 router (supporting 10 and 100Mbps and serial interfaces along with modular capabilities). These routers are designed to process VoIP traffic while managing security and QoS issues. If the links can support more load then the response times of all the services should be lower than the previous results. I am going to upgrade the lines to PPP [9] E1 (2.048 Mbps) leased lines. Along with these changes the following parameters (encoding scheme and TLS) must also be configured:

Figure 27: G.729 Encoding scheme

Figure 28: TLS Configuration
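The effect of the codec and link changes described above, and the earlier point that a firewall must handle very many small packets, can be estimated with a short calculation. The Python sketch below is an added example, not part of the thesis or of the OPNET model; it counts voice traffic only and assumes 20 ms packetization, 40 bytes of IP/UDP/RTP headers and 6 bytes of layer-2 framing per packet, with no header compression or silence suppression.

```python
CODEC_BPS = {"G.711": 64_000, "G.729": 8_000}          # codec rates quoted in the text
LINK_BPS = {"ISDN 128k": 128_000, "E1": 2_048_000}     # WAN links used in the case study
IP_UDP_RTP_BYTES = 20 + 8 + 12                         # headers added to every voice frame


def per_call(codec, frame_ms=20, l2_bytes=6):
    """One direction of one call: payload size, packet rate and bandwidth on the wire."""
    pps = 1000 // frame_ms
    payload = CODEC_BPS[codec] * frame_ms // 8000      # bytes of audio per packet
    wire_bytes = payload + IP_UDP_RTP_BYTES + l2_bytes
    return {
        "payload_bytes": payload,
        "pps": pps,
        "bps": wire_bytes * 8 * pps,
        "header_share": round((wire_bytes - payload) / wire_bytes, 2),
    }


def calls_that_fit(link, codec, voice_share=1.0, **kwargs):
    """Whole calls per direction that fit in the share of the link given to voice."""
    budget = int(LINK_BPS[link] * voice_share)
    return budget // per_call(codec, **kwargs)["bps"]


def firewall_pps(concurrent_calls, frame_ms=20):
    """Packets per second a router or firewall inspects (both directions of each call)."""
    return concurrent_calls * 2 * (1000 // frame_ms)


def capacity_table(voice_share=1.0):
    """Calls per link and codec for every combination used in the case study."""
    return {
        (link, codec): calls_that_fit(link, codec, voice_share)
        for link in LINK_BPS
        for codec in CODEC_BPS
    }


if __name__ == "__main__":
    for codec in CODEC_BPS:
        print(codec, per_call(codec))
    for (link, codec), calls in capacity_table().items():
        print(f"{link:10s} {codec}: {calls} calls")
    # 15 users at a remote site all on the phone at once (constructed scenario).
    print("packets/s at the router for 15 calls:", firewall_pps(15))
```

Under these assumptions a 128 kbps line carries a single G.711 call or four G.729 calls before any database or http traffic is added, which is consistent with the queuing the simulation shows on the ISDN links.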

We can see the simulated results in the following figures:

Figure 29: Time Response (sec) DB, ,Http

Figure 30: Voice end-to-end delay (sec)

Figure 31: Queuing delay in PPP lines (sec)

Figure 32: Utilization of PPP lines (sec)

From the results it was clear that the problem was the queuing delays between the sites, and after the specified changes in hardware and security the queuing delays were diminished significantly.

The delay tolerant services improved without great changes, but the time sensitive IP telephony, as shown in the figures above, improved at an exponential rate. From this example it is obvious how much the time sensitive services can suffer from queuing delays across the network and how important QoS is.

Although PPP leased lines offer dedicated speeds at high data rates on a 24-hour basis, they also have an increased maintenance cost. For this reason the technologies that I mentioned at the end of chapter 3, ATM and Frame Relay, can be used between the sites. These technologies do not provide the maximum bandwidth on a 24-hour basis but only when it is needed, for example in rush hours when the data loads are greater. Nevertheless they have other mechanisms that provide the maximum quality of service with the minimum bandwidth, as mentioned in sections 3.7 and 3.8. These mechanisms can be configured in the routers:

Figure 33: ATM QoS Parameters

Figure 34: Frame Relay QoS Parameters

So the enterprise can save money with these technologies, since it does not need to pay for the extra bandwidth all the time but only when it is needed, for example during the hours when the productivity of the employees is at its peak. ATM and Frame Relay are therefore suitable solutions, since the combination of cost and delay times that they provide makes them very satisfactory, as we can see from the following simulated results.

Figure 35: Time Responses with ATM (sec)

Figure 36: Voice end-to-end delay with ATM (sec)

Figure 37: Time Response with FR (sec)

Figure 38: Voice end-to-end delay with FR (sec)

From the results we can see that the quality of service that ATM and Frame Relay provide is very good. The delays that these technologies produce, as we can see from the above figures, are decent, and together with the cost savings that they offer this makes them a reasonable solution, especially for middle and small enterprises whose budget is limited. It also became clear how queuing delays can have a serious impact on time sensitive services (such as IP telephony) while the effect on delay tolerant services is minimal.

From the simulations we saw that for VoIP to operate, fast Ethernet is required along with WAN technologies that provide adequate data rates and quality of service. This is not a problem, since nowadays fast and gigabit Ethernet have become very common and cheap to implement even for simple users. The same applies to WAN and internet technologies, which become more accessible day by day. These advances in technology have made VoIP a standard that is easy for enterprises to implement, rather than a special and demanding service.

Conclusion

During this dissertation I tried to introduce Voice over IP technology. I presented the basic protocols on which the technology relies, such as H.323 and SIP. H.323 is the proposed protocol of the ITU (International Telecommunication Union) for VoIP, and SIP (Session Initiation Protocol) is the IETF (Internet Engineering Task Force) protocol for VoIP that was developed as a media based protocol. The architecture, components and operation were also presented to give a global understanding of these two protocols and why they are used in VoIP.

Security in VoIP is essential because anything that is successful attracts attacks. Since this technology is implemented, for now, mostly by enterprises, it is important to provide advanced security. Attacks were analysed (such as Eavesdropping, Replay attacks, Packet spoofing, Call redirection and Denial of Service) in order to understand the vulnerabilities of the technology, and security features (such as Encryption, Firewalls and NAT) were presented for both H.323 and SIP. Security issues of these protocols were specified and countermeasures have been discussed.

In VoIP quality of service is also very important, because if it cannot provide the users with at least the same services (with the same quality) as its rivals then there is no reason to implement it. Latency, Jitter and Packet loss, the main problems in QoS, were analysed and solutions have been presented. The effect of security on QoS is a serious matter which has been covered, and ways to compensate for it were presented. ATM and Frame Relay, which providers use, and the QoS mechanisms that these technologies adopt were also analysed.

Finally, in the last chapter a case study using OPNET IT Guru Academic Edition was developed. An enterprise with its services was simulated. Then VoIP was introduced, which had an impact on the network performance. From the simulation it was clear how VoIP is affected by queuing delays and how with appropriate equipment and specialized software we can overcome this problem. ATM and Frame Relay were also used in this simulation as a different solution for the interconnection of the sites.

From the simulated results it was clear that for VoIP to operate without affecting the network, fast Ethernet is required, combined with WAN technologies providing data rates that can support the additional load and quality of service. This is not a problem, since nowadays fast and gigabit Ethernet have become very common and cheap to implement even for simple users. The same applies to WAN and internet technologies, which become more accessible day by day. These advances in technology have made VoIP a standard that is easy for enterprises to implement, rather than a special and demanding service.


Glossary

ABR: Available Bit Rate
ABT: ATM Block Transfer
ACR: Average Cell Rate
ADSL: Asymmetric Digital Subscriber Line
AES: Advanced Encryption System
AIB: Authenticated Identity Body
ASN.1: Abstract Syntax Notation
ATM: Asynchronous Transfer Mode
BCR: Block Cell Rate
BECN: Backward Explicit Congestion Notification
CAC: Connection Admission Control
CBR: Constant Bit Rate
CIR: Committed information rate
CPU: Central Processing Unit
DE: Discard Eligible
DES: Data Encryption Standard
DoS: Denial of Service
DT: Delayed Transmission
EN: Enterprise Network
FECN: Forwards Explicit Congestion Notification
FR: Frame Relay
FTP: File Transfer Protocol
HMAC: Hash Message Authentication Code
HTTP: Hypertext Transfer Protocol
ICE: Interactive Connectivity Establishment
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
ilbc: internet Low Bit rate Codec
IM: Instant Messaging
IP: Internet Protocol
IPSec: Internet Protocol Security
ISAKMP: Key Management Protocol
ISDN: Integrated Services Digital Network
ISP: Internet service provider
IT: Immediate Transmission
IT: Information Technology
ITU: International Telecommunication Union
LAN: Local Area Network
MAC: Message Authentication Code
MAN: Metropolitan Area Network
MBS: Maximum Burst Size
MCU: Multipoint Control Unit
MD5: Message Digest algorithm 5
NAT: Network Address Translation
DNS: Domain Name System
nrt-vbr: non real time Variable Bit Rate
OSI: Open Systems Interconnection
PBX: Private Branch Exchange
PCR: Peak Cell Rate
PDA: Personal Digital Assistant
PGP: Pretty Good Privacy
PPP: Point to Point Protocol
PSTN: Public Switched Telephone Network
PVC: Permanent Virtual Circuit
QoS: Quality of Service
RAS: Registration, admission, and status
RFC: Requests for Comments
RM: Resource Management
RSIP: Real Specific Internet Protocol
RTCP: Real-time Transport Control Protocol
RTP: Real-time Transport Protocol
rt-vbr: real time Variable Bit Rate
S/MIME: Secure / Multipurpose Internet Mail Extensions
SCN: switched-circuit Network
SCR: Sustained Cell Rate
SDP: Session Description Protocol
SHA: Secure Hash Algorithm
SIP: Session Initiation Protocol
SKEME: Secure Key Exchange Mechanism
SSL: Secure Sockets Layer
STUN: Simple Traversal of UDP through NATs
TCP: Transmission Control Protocol
TLS: Transport Layer Security
ToS: Type of Service
TURN: Traversal Using Relay NAT
UA: User Agent
UAC: User Agent Client
UAS: User Agent Server
UBR: Unspecified Bit Rate
UDP: User Datagram Protocol
UPnP: Universal Plug and Play
URI: Universal Resource Indicator
URL: Uniform Resource Locator
VAD: Voice Activity Detection
VC: Virtual Circuit
VCI: Virtual Channel Identifier
VLAN: Virtual Local Area Network
VoIP: Voice over IP
VoMIT: Voice over Misconfigured Internet Telephones
VPI: Virtual Path Identifier
VPN: Virtual Private Network
WAN: Wide Area Network


More information

Enterprise Video Conferencing

Enterprise Video Conferencing Enterprise Video Conferencing When Voice Meets Video How SIP & H.323 Can Coexist SIPNOC 2014 Presented by: Gernot Scheichl June 2014 Agenda The Market The Challenges History Comparing the Protocols (H.323

More information

This specification this document to get an official version of this User Network Interface Specification

This specification this document to get an official version of this User Network Interface Specification This specification describes the situation of the Proximus network and services. It will be subject to modifications for corrections or when the network or the services will be modified. Please take into

More information

Applied Networks & Security

Applied Networks & Security Applied Networks & Security VoIP with Critical Analysis http://condor.depaul.edu/~jkristof/it263/ John Kristoff [email protected] IT 263 Spring 2006/2007 John Kristoff - DePaul University 1 Critical analysis

More information

Transport and Network Layer

Transport and Network Layer Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a

More information

Chapter 10 Session Initiation Protocol. Prof. Yuh-Shyan Chen Department of Computer Science and Information Engineering National Taipei University

Chapter 10 Session Initiation Protocol. Prof. Yuh-Shyan Chen Department of Computer Science and Information Engineering National Taipei University Chapter 10 Session Initiation Protocol Prof. Yuh-Shyan Chen Department of Computer Science and Information Engineering National Taipei University Outline 12.1 An Overview of SIP 12.2 SIP-based GPRS Push

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

Internet Working 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005

Internet Working 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005 1 43 administrational stuff Next Thursday preliminary discussion of network seminars

More information

EE4607 Session Initiation Protocol

EE4607 Session Initiation Protocol EE4607 Session Initiation Protocol Michael Barry [email protected] [email protected] Outline of Lecture IP Telephony the need for SIP Session Initiation Protocol Addressing SIP Methods/Responses Functional

More information

VOICE over IP H.323 Advanced Computer Network SS2005 Presenter : Vu Thi Anh Nguyet

VOICE over IP H.323 Advanced Computer Network SS2005 Presenter : Vu Thi Anh Nguyet VOICE over IP H.323 Advanced Computer Network SS2005 Presenter : Vu Thi Anh Nguyet 1 Outlines 1. Introduction 2. QoS in VoIP 3. H323 4. Signalling in VoIP 5. Conclusions 2 1. Introduction to VoIP Voice

More information

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0 Avaya Solution & Interoperability Test Lab Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0 Abstract These Application Notes describe the steps to configure an Avaya

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION CHAPTER 1 INTRODUCTION 1.0 Introduction Voice over Internet Protocol (VoIP) is the most popular in telecommunication technology. Nowadays, three million users use VoIP. It is estimated that the number

More information

1. Public Switched Telephone Networks vs. Internet Protocol Networks

1. Public Switched Telephone Networks vs. Internet Protocol Networks Internet Protocol (IP)/Intelligent Network (IN) Integration Tutorial Definition Internet telephony switches enable voice calls between the public switched telephone network (PSTN) and Internet protocol

More information

VOIP THE ULTIMATE GUIDE VERSION 1.0. 9/23/2014 onevoiceinc.com

VOIP THE ULTIMATE GUIDE VERSION 1.0. 9/23/2014 onevoiceinc.com VOIP THE ULTIMATE GUIDE VERSION 1.0 9/23/2014 onevoiceinc.com WHAT S IN THIS GUIDE? WHAT IS VOIP REQUIREMENTS OF A VOIP SYSTEM IMPLEMENTING A VOIP SYSTEM METHODS OF VOIP BENEFITS OF VOIP PROBLEMS OF VOIP

More information

Curso de Telefonía IP para el MTC. Sesión 1 Introducción. Mg. Antonio Ocampo Zúñiga

Curso de Telefonía IP para el MTC. Sesión 1 Introducción. Mg. Antonio Ocampo Zúñiga Curso de Telefonía IP para el MTC Sesión 1 Introducción Mg. Antonio Ocampo Zúñiga Conceptos Generales VoIP Essentials Family of technologies Carries voice calls over an IP network VoIP services convert

More information

IP Telephony Deployment Models

IP Telephony Deployment Models CHAPTER 2 Sections in this chapter address the following topics: Single Site, page 2-1 Multisite Implementation with Distributed Call Processing, page 2-3 Design Considerations for Section 508 Conformance,

More information

Overview of VoIP Systems

Overview of VoIP Systems 2 Overview of VoIP Systems In their simplest form, Voice over IP protocols simply enable two (or more) devices to transmit and receive real-time audio traffic that allows their respective users to communicate.

More information