Multimedia networking Voice/data integration




Eric Vyncke, Distinguished Engineer, Cisco Systems, evyncke@cisco.com
2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Agenda
- XXth century voice = analog, then Time Division Multiplexing (TDM)
- XXIst century voice
- Packetization
- Quality of service
- Signalling
- Issues with NAT
- Security

Loop Start Signaling
- On-hook: open loop between the station and the PBX or Central Office; the switch supplies 48 V DC across tip (T) and ring (R)
- Off-hook: closed loop; the switch's DC current sense detects the current flowing through the station loop
- Ringing: the switch applies AC ringing voltage while the station is on-hook; answering (off-hook) stops the ringing
- The bell may be local or at the station

Echo in Voice Networks
- Delay in the network produces talker echo (the talker hears their own voice back) and listener echo

Echo Is Always Present
- Too much echo is bad, but no echo is also bad!
- Chart: echo loss (dB, from about 10 dB low loss up to 50 dB high loss) against echo path delay (ms, from ~20 ms to ~200 ms); echo is unnoticeable with high loss and short delay, and becomes a problem with low loss and long delay

Speech and the Telephone Network
- Chart: power/volume against frequency/pitch; the human ear responds up to about 16 kHz, while the telephone network passes roughly 300 Hz to 3400 Hz (3700 Hz voice bandwidth in a 4 kHz channel)

Mean Opinion Score
- Test setup: source -> codec -> channel simulation (impairment) -> listener rating from 1 to 5
- Test sentence: "Nowadays, a chicken leg is a rare dish"

Rating  Speech quality   Level of distortion
5       Excellent        Imperceptible
4       Good             Just perceptible but not annoying
3       Fair             Perceptible and slightly annoying
2       Poor             Annoying but not objectionable
1       Unsatisfactory   Very annoying and objectionable

- MOS of 4.0 = toll quality

Summary
- Analogue voice technology dates back to the late 1800s
- Analogue information exchange is based on voltage, current sense, grounding
- Echo is a fundamental component of analogue voice and must be controlled

Agenda: XXth century voice; XXIst century voice; Packetization; Quality of service; Signalling; Issues with NAT; Security

IP Phones
- QoS in phones: standard 802.1p/q
- Integrated Ethernet switching
- Easy access to new-world features: IPv6, Gigabit Ethernet, video, IEEE 802.1X

Inline Power: IEEE 802.3af
- Provides DC power over standard Category 5 Ethernet
- IP phones are power hungry and you do not want a 220 V power cable => get power through the UTP cable
- Diagram: 10/100 Ethernet with and without inline power

Agenda: XXth century voice; XXIst century voice; Packetization; Quality of service; Signalling; Issues with NAT; Security

Analogue to Digital Voice: Pulse Code Modulation
- Nyquist theorem: sample rate = 2 x highest frequency
- Analogue audio source bandwidth = 300 to 4000 Hz
- Sampling stage: 8,000 samples per second
- 1 sample = 8 bits; 8000 samples/s = 64,000 bit/s
- Digital audio stream: ...00100101111011001001...

Speech Compression Techniques Overview

Mean Opinion Scores
- Chart: subjective quality (MOS 1 to 5) against bit rate (2, 4, 8, 16, 32, 64 kbps) for hybrid coders (LD-CELP & CS-ACELP), vocoders (older technology) and waveform coders (ADPCM)

Score  Quality    Description of impairment
5      Excellent  Imperceptible
4      Good       Just perceptible, not annoying
3      Fair       Perceptible and slightly annoying
2      Poor       Annoying but not objectionable
1      Bad        Very annoying and objectionable

- Source: A.M. Kondoz, Digital Speech Coding for Low Bit-Rate Communications Systems, 1995

RTP/RTCP (RFCs 1889/1890)
- End-to-end network transport function
- Payload type identification: voice, video, compression type
- Sequence numbering
- Time stamping
- Delivery monitoring: RTCP (Real-Time Control Protocol)
- RTP fixed header, three 4-byte words: version, CC, M, payload type, sequence number; RTP timestamp; synchronization source (SSRC) ID

Bandwidth Per IP Call
- 20 ms @ 8 kbit/s of compressed voice: payload = 20 bytes
- IP header (20) + UDP (8) + RTP (12): header is 40 bytes
- 26 kbps of bandwidth per call
- Compressing the RTP header gives a 4-5 byte header with the same 20-byte payload: 11 kbps of bandwidth per call

Summary
- All voice over the telephone network is somewhat compressed
- DSPs allow very high compression rates while producing good-quality speech
- Silence suppression can deliver additional bandwidth efficiencies
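As an added example (not code from the slides), the arithmetic behind the per-call figures above, generalised to any codec rate and packetization interval. The slide's 26 kbps and 11 kbps include link-layer framing, which the slide does not spell out; the framing size and the compressed-header size are assumptions passed in as parameters.

```python
# Added example: per-call VoIP bandwidth from codec rate, packetization interval
# and header overhead. IP/UDP/RTP sizes are the ones on the slide; link-layer
# framing (l2_bytes) and the cRTP header size are assumptions, not slide values.

IP_HDR = 20       # IPv4 header, bytes
UDP_HDR = 8
RTP_HDR = 12
CRTP_HDR = 4      # compressed IP/UDP/RTP header (slide says 4-5 bytes)


def payload_bytes(codec_bps: int, interval_ms: int) -> int:
    """Voice payload carried in one packet: codec bit rate x packetization interval."""
    return codec_bps * interval_ms // 8 // 1000


def call_bandwidth_bps(codec_bps: int, interval_ms: int,
                       l2_bytes: int = 0, crtp: bool = False) -> int:
    """Bit rate of one direction of a call, headers included."""
    headers = CRTP_HDR if crtp else IP_HDR + UDP_HDR + RTP_HDR
    packet = l2_bytes + headers + payload_bytes(codec_bps, interval_ms)
    # one packet every interval_ms -> 1000 / interval_ms packets per second
    return packet * 8 * 1000 // interval_ms


def overhead_ratio(codec_bps: int, interval_ms: int,
                   l2_bytes: int = 0, crtp: bool = False) -> float:
    """Fraction of the on-the-wire bit rate that is header rather than voice."""
    total = call_bandwidth_bps(codec_bps, interval_ms, l2_bytes, crtp)
    return 1 - codec_bps / total


if __name__ == "__main__":
    # Assumed 6-byte PPP framing so the G.729 numbers land near the slide's figures.
    for name, bps in (("8 kbit/s codec", 8000), ("64 kbit/s G.711", 64000)):
        for crtp in (False, True):
            bw = call_bandwidth_bps(bps, 20, l2_bytes=6, crtp=crtp)
            print(f"{name:16} 20 ms, cRTP={crtp!s:5}: {bw / 1000:.1f} kbit/s, "
                  f"overhead {overhead_ratio(bps, 20, 6, crtp):.0%}")
```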

Agenda: XXth century voice; XXIst century voice; Packetization; Quality of service; Signalling; Issues with NAT; Security

Delay and Voice
- Diagram: sender PBX -> network -> receiver PBX, from the first bit transmitted to the last bit received
- End-to-end delay = processing delay at the sender + network transit delay + processing delay at the receiver

Delay Variation: Jitter
- Diagram: sender A transmits packets A, B, C with spacing d1 and d2; receiver B receives them with spacing D1 and D2 that differ from d1 and d2; this variation is the jitter

Delay and Jitter
- Delay and jitter are generated when a packet is stored and forwarded by routers and switches
- Delay is also generated by links: 1 microsecond every 200 km
- Jitter is also caused by bursts
- Jitter requires play-back buffers, adding more delay...

Integrated Services QoS Model: Resource Reservation Protocol
- The application says "This app needs 1 Mbps BW and 200 msec delay"; the host signals "I need 1 Mbps BW and 200 msec delay"; each hop reserves "1 Mbps BW on this line"
- Main use: Call Admission Control (is the network ready for a new call?)

Differentiated Services
- Diagram: classification at the campus edge and the remote campus, enforcement in the campus backbone
- Traffic classes such as order entry, finance, manufacturing, multimedia and training servers

Packet Classification Layers
- Layer 3 IPv4: 1-byte ToS field; 3 bits called IP Precedence for differentiated services (DiffServ may use 6 DS bits plus 2 for flow control)
- Layer 3 IPv6: 1-byte Traffic Class field; 6 DiffServ code points + 2 bits for flow control
- Layer 2 802.1Q/p: 4-byte tag between SA and type; 3 bits used for CoS (user priority)

Evolving Business Requirements
- Business requirements will evolve and expand over time
- 4-class model: Realtime; Signaling/Control; Critical Data; Best Effort
- 8-class model: Voice; Interactive Video; Streaming Video; Call Signaling; Network Control; Critical Data; Best Effort; Scavenger
- 12-class model: Voice; Realtime Interactive; Multimedia Conferencing; Broadcast Video; Multimedia Streaming; Call Signaling; Network Control; Network Management; Transactional Data; Bulk Data; Best Effort; Scavenger
- http://www.cisco.com/en/us/docs/solutions/enterprise/wan_and_man/qos_srnd_40/qosintro_40.html#wp61135

ML-PPP Queueing Algorithm
- Fragment large packets (a jumbogram becomes fragments 1 to 4)
- Let small packets (voice 1, voice 2) use normal encapsulation and interleave them with the fragmented traffic

Collaboration & Presence
- Presence-augmented instant messaging: who is on-line? Are they busy? Where are they?
- All of these pieces of information can be automated
- Crucial for quick and efficient interaction

Collaboration & Teleconference
- High-speed, ubiquitous Internet allows cheap (Internet-based) communications
- Visual interaction: sharing slides and documents, seeing others on video, working on the same document
(Footer: ULg VoIP, 2008 Cisco Systems, Inc. All rights reserved. Cisco Public)

Collaboration and Telepresence (picture slide)

Collaboration and Telepresence
- Next step: large HDTV screens, smooth video
- Next next step: HDTV replacing walls
- Best seen over YouTube: http://www.youtube.com/watch?v=j0jrmtf_0te (commercial); http://www.youtube.com/watch?v=rcfnc_x0vve (start at 1 minute, 3D)

New Application Requirements: The Impact of HD on the Network
- User demand for HD video has a major impact on the network
- (H.264) 720p HD video requires twice as much bandwidth as (H.323) DVD
- (H.264) 1080p HD video requires twice as much bandwidth as (H.264) 720p

Agenda: XXth century voice; XXIst century voice; Packetization; Quality of service; Signalling; Issues with NAT; Security

SIP: Session Initiation Protocol
- SIP is another VoIP signaling protocol
- Web-like: text-format messages, similar to HTTP
- Fast call setup
- Runs over UDP or TCP
- SIP proxies are the equivalent of H.323 gatekeepers

SIP Basics
- SIP is a peer-to-peer protocol where end devices (User Agents, UAs) initiate sessions
- SIP defines the signaling mechanism
- SIP works for voice, video, instant messaging
- SIP uses IETF protocols: HTTP 1.1; Session Description Protocol (SDP); media (RTP); name resolution & mobility (DHCP & DNS); application encoding (MIME)
- SIP is ASCII text-based, which helps implementation & debugging

VoIP Architecture Based on Session Initiation Protocol
- Diagram: SIP clients on the Internet or a private IP network, a SIP proxy, and a SIP trunk towards the old phone network
- 1) SIP registration: the proxy records the IP address of each extension (2000 -> 192.168.0.1; 6000 -> 2001:db8::abba:babe)
- 2) Voice flows directly between Ext: 2000 (IP: 192.168.0.1) and Ext: 6000 (IP: 2001:db8::abba:babe)
- 3) External voice goes through the SIP trunk

VoIP Pricing...
- SIP: Session Initiation Protocol, used to allow only authenticated devices
- SIP proxy: registers the IP address of a phone extension
- SIP trunk: gateway to classical analog voice
- SIP proxy: free software (Asterisk) on an existing server
- SIP trunk: cheap calls, fixed price for Europe 5 EUR/month
- SIP client on mobile/PC: free
- SIP physical phones: 100 EUR

SIP Commands/Responses
- Commands: INVITE, CONNECTED, BYE, UNREGISTER, REGISTER
- Responses: 1XX Information; 2XX Success; 3XX Redirection; 4XX Client Error; 5XX Server Error; 6XX Global Failure

SIP Call Flow
- SIP phone sends INVITE to a redirect server or SIP proxy and receives a 3xx Redirect
- SIP phone sends a new INVITE to the SIP UA / GW at the address returned in the Contact: header of the 3XX response
- 100 Trying, 180 Ringing, 200 OK, then ACK from the phone
- Call teardown: BYE, 200 OK

What Is 9-1-1 (or 1-1-2 or 9-9-9)?
- A simple, easy-to-remember telephone number that allows automated call routing to the local public safety agency, based on where you are calling from
- In some jurisdictions (North America) there are many different destinations; source routed
- Mostly ubiquitous for residential service
- Varying degrees of deployment globally: Enhanced 9-1-1 in North America; European Union current efforts to converge on 1-1-2; India currently has a country-wide rollout of 1-0-8

Residential 9-1-1 Call Flow (US view)
- Diagram: home (555-1234), Class 5 CO switch, Class 4 CO switch, 911 tandem switch (Selective Router), PSAP #001, #002, #003
- Plain Old Telephone Service (POTS) line dials 9-1-1 (fixed ANI)
- The CO forwards to the SR and includes the ANI
- The SR determines the proper PSAP and forwards the call, including the ANI

Legacy Architecture: Smart Network, Dumb Endpoints
- OSI model: Layer 7 "my dial tone" (PhoneCompany, Inc.); Layer 3 "my network" (PhoneCompany, Inc.); Layer 1/2 "my wires" (PhoneCompany, Inc.)
- The end device location is known to the phone company's network

Internet Architecture: Dumb Network, Smart Endpoints
- OSI model: Layer 7 application (Location/Presence.com as common point, VPN to corporate); Layer 3 network (Access ISP, Inc.); Layer 2 (Last Mile, Inc.)
- The end device: "I think I'll advertise my location"

Problem: The Global Road Warrior
- A user in a hotel in Chicago, connected over the Internet by VPN to corporate HQ in Paris, dials 112
- Corporate HQ: "112, what's that? Chicago, where's that? How do I route this one?" -> it should reach the Chicago PSAP
- This issue must be solved!

SIP Routing Based on UAC's Location
- Alice -> outbound proxy: INVITE with SDP and location
- SIP routing based on location: urn:service:sos is not globally unique
- If the LoST query is done by the UA, the result may be carried as a Route header (though not sure yet)
- The proxy MUST learn the UAC's location, determine where the UAC is, then route the call to the proper Public Safety Answering Point (PSAP)
- (* short form means not enough room here)

INVITE sips:urn:service:sos SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.com;branch=z9hG4bK74
Max-Forwards: 70
From: Alice <sip:alice@atlanta.com>;tag=9fxced76sl
To: <sip:urn:service:sos>
Call-ID: 3848276298220188511@pc33.atlanta.com
CSeq: 31862 INVITE
Geolocation: <cid:alice123@atlanta.example.com>
Route: <sips:psap1@orlando.fl.gov;lr>
Contact: <sip:alice@atlanta.com>
Content-Type: multipart/mixed; boundary=0a0
Content-Length: 311

--0a0
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 atlanta.com
c=IN IP4 10.1.3.33
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
--0a0
Content-Type: application/pidf+xml (short form*)

<gml:location>
<gml:coordinates>28.44N 81.46W</gml:coordinates>
</gml:location>
<method>802.11</method>
<provided-by>www.cisco.com</provided-by>
--0a0--

Agenda: XXth century voice; XXIst century voice; Packetization; Quality of service; Signalling; Issues with NAT; Security
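As an added example (not code from the slides), a small parser for the emergency INVITE on the SIP routing slide: it splits the request line, headers and multipart body, then extracts what the outbound proxy has to look at before routing (Max-Forwards, Route, the Geolocation reference, the PIDF-LO part and the SDP audio port). The sample message is re-typed from the slide with the location body abbreviated, so Content-Length is omitted.

```python
# Added example: parse the slide's emergency INVITE (constructed sample below).
import re

SAMPLE_INVITE = "\r\n".join([
    "INVITE sips:urn:service:sos SIP/2.0",
    "Via: SIP/2.0/TLS pc33.atlanta.com;branch=z9hG4bK74",
    "Max-Forwards: 70",
    "From: Alice <sip:alice@atlanta.com>;tag=9fxced76sl",
    "To: <sip:urn:service:sos>",
    "Call-ID: 3848276298220188511@pc33.atlanta.com",
    "CSeq: 31862 INVITE",
    "Geolocation: <cid:alice123@atlanta.example.com>",
    "Route: <sips:psap1@orlando.fl.gov;lr>",
    "Contact: <sip:alice@atlanta.com>",
    "Content-Type: multipart/mixed; boundary=0a0",
    "",
    "--0a0",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 atlanta.com",
    "c=IN IP4 10.1.3.33",
    "t=0 0",
    "m=audio 49172 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "--0a0",
    "Content-Type: application/pidf+xml",
    "",
    "<gml:coordinates>28.44N 81.46W</gml:coordinates>",  # abbreviated, as on the slide
    "--0a0--",
    "",
])


def parse_sip(raw):
    """Split a SIP request into request line, headers (a list per name) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def split_multipart(body, content_type):
    """Return [(part content-type, part body)] for a multipart/mixed body."""
    m = re.search(r'boundary="?([^";\s]+)"?', content_type)
    if not m:
        return [(content_type, body)]
    parts = []
    for chunk in body.split("--" + m.group(1))[1:]:
        if chunk.startswith("--"):
            break                                   # closing delimiter reached
        phead, _, pbody = chunk.strip("\r\n").partition("\r\n\r\n")
        ctype = re.search(r"(?i)content-type:\s*(\S+)", phead)
        parts.append((ctype.group(1) if ctype else "", pbody))
    return parts


def proxy_view(raw):
    """What an outbound proxy needs to know before routing this emergency call."""
    msg = parse_sip(raw)
    h = msg["headers"]
    parts = split_multipart(msg["body"], h["content-type"][0])
    sdp = next((b for t, b in parts if t == "application/sdp"), "")
    media = re.search(r"^m=audio (\d+) RTP/AVP", sdp, re.M)
    cid = re.search(r"<cid:([^>]+)>", h.get("geolocation", [""])[0])
    return {
        "emergency": msg["uri"].endswith("urn:service:sos"),
        "max_forwards": int(h["max-forwards"][0]),
        "route": h.get("route", []),
        "location_cid": cid.group(1) if cid else None,
        "has_location_body": any(t == "application/pidf+xml" for t, _ in parts),
        "audio_port": int(media.group(1)) if media else None,
    }
```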

Network Address Translation: IP at Home
- IPv4 addresses are scarce and close to exhaustion; Network Address Translation helps
- Diagram: hosts 192.168.1.1 and 192.168.1.2 behind a WiFi 'router' and an ADSL or cable modem with 1 IPv4 address; the router multiplexes all inside hosts over the ISP address

Different NAT Behaviors...
- Mainly for stateless UDP sessions like RTP streams
- Symmetric NAT: one entry only for a specific 5-tuple <udp, global address, global port, remote address, remote port>
- Full-Cone NAT: one entry only for a 3-tuple <udp, global address, global port>
- Restricted-Cone NAT: one entry only for a 4-tuple <udp, global address, global port, remote address>
- Port-Restricted-Cone NAT: one entry only for a 4-tuple <udp, global address, global port, remote port>
- Good reading: The Internet Protocol Journal, Volume 7, Number 3, by Geoff Huston

Symmetric NAT (diagram)

Full Cone NAT (diagram)
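To make the four behaviours concrete, here is an added model (not code from the slides) of which inbound UDP datagrams each NAT kind delivers once the inside host has sent one packet out, which is exactly what decides whether an RTP stream from the far end gets through. The port-restricted case follows the RFC 3489 definition, where both the remote address and the remote port must match; all addresses are constructed.

```python
# Added example: a toy model of full-cone, restricted-cone, port-restricted-cone
# and symmetric NAT for UDP, with constructed addresses.
from dataclasses import dataclass, field


@dataclass
class Nat:
    kind: str                      # "full", "restricted", "port-restricted", "symmetric"
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # key -> public port
    permitted: dict = field(default_factory=dict)  # public port -> remotes sent to

    def _key(self, inside, remote):
        # Symmetric NAT: one entry per 5-tuple, so the remote endpoint is part of the key.
        # Cone NATs reuse one public port per inside socket whatever the destination.
        return (inside, remote) if self.kind == "symmetric" else inside

    def outbound(self, inside, remote):
        """Inside (ip, port) sends to remote (ip, port); returns the public (ip, port) used."""
        key = self._key(inside, remote)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        pub = self.mappings[key]
        self.permitted.setdefault(pub, set()).add(remote)
        return (self.public_ip, pub)

    def inbound(self, public_port, sender):
        """Datagram from sender (ip, port) hits our public port; returns the inside
        (ip, port) it is delivered to, or None if the NAT drops it."""
        if public_port not in self.permitted:
            return None                      # no mapping: dropped by every NAT kind
        seen = self.permitted[public_port]
        if self.kind == "full":
            ok = True                        # anyone may send once the mapping exists
        elif self.kind == "restricted":
            ok = any(ip == sender[0] for ip, _ in seen)   # remote address must match
        else:                                # port-restricted, symmetric: address + port
            ok = sender in seen
        if not ok:
            return None
        for key, port in self.mappings.items():
            if port == public_port:
                return key[0] if self.kind == "symmetric" else key
        return None


def demo(kind):
    """Inside host talks to a STUN-like server; the server and a third party reply."""
    nat = Nat(kind, "203.0.113.1")
    inside = ("192.168.1.2", 49172)
    server = ("198.51.100.10", 3478)
    _, pub_port = nat.outbound(inside, server)
    return {
        "server_same_port": nat.inbound(pub_port, server) == inside,
        "server_other_port": nat.inbound(pub_port, (server[0], 5000)) == inside,
        "third_party": nat.inbound(pub_port, ("198.51.100.20", 6000)) == inside,
    }
```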

What is STUN/ICE?
- STUN: Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NAT)
- STUN (RFC 3489) is a request/response protocol; the response contains the IP address and UDP port the request was seen from
- Allows a client behind a NAT to find out its public address, the type of NAT it is behind and the Internet-side port associated by the NAT
- Example application: Google Talk
- ICE: Interactive Connectivity Establishment
- Defines a standardized method for SIP-enabled clients to determine a set of IP addresses where clients can establish contact from behind a firewall
- Leverages STUN to collect IP addresses
- Example: MSN Live Messenger

STUN Overview
- Simple Traversal of UDP through NAT, RFC 3489
- Client-server protocol
- Allows a client behind a NAT to find out: its public address; the Internet-side port associated by the NAT with a particular local port; the type of NAT it is behind
- This information is used for UDP communication between two hosts that are both behind NAT routers
- Free implementation of a STUN client/server: http://sourceforge.net/projects/stun

STUN Operation
- STUN server located on the public Internet, using 2 addresses and 2 ports
- STUN usages: binding discovery, NAT keepalives
- STUN messages are sent on the very same ports that RTP will use later
- The first 2 bits allow differentiating between STUN and RTP
- Diagram: STUN client in private net 1 behind NAT1, private net 2 behind NAT2, STUN server on the public Internet

Interactive Connectivity Establishment (ICE) Overview
- Offer-answer model for media streams through NAT
- Uses STUN and its relay extension TURN in a specific methodology which avoids many of the pitfalls of using either one alone
- Each agent can have its own STUN server, or they can be the same
- ICE agents (endpoints) discover their topologies to find a path or paths by which they can communicate
- Agents L and R are capable of engaging in an offer/answer exchange of SDP messages to set up a media session between L and R
- The exchange will occur through a SIP server...
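As an added example (not code from the slides), the two decoding steps an endpoint performs on the port it shares between STUN and RTP: the two-bit demultiplexing described on the STUN operation slide (RTP's version field is 2, so RTP packets start with bits 10, while STUN messages start with 00) and parsing of the RTP fixed-header fields listed on the RTP/RTCP slide. The sample datagrams are constructed; the STUN header layout is the RFC 3489 one (type, length, 16-byte transaction ID).

```python
# Added example: STUN/RTP demultiplexing on a shared UDP port, and RTP fixed-header
# parsing (RFC 3550 layout). Sample packets are constructed for the demo.
import struct

RTP_VERSION = 2


def classify(packet: bytes) -> str:
    """Sort a datagram received on the media port: STUN (00), RTP (10) or junk."""
    if not packet:
        return "empty"
    top_bits = packet[0] >> 6
    if top_bits == 0:
        return "stun"
    if top_bits == RTP_VERSION:
        return "rtp"
    return "unknown"


def parse_rtp_header(packet: bytes) -> dict:
    """Decode the 12-byte fixed RTP header plus any CSRC list; reject non-RTP input."""
    if len(packet) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    if version != RTP_VERSION:
        raise ValueError(f"not RTP: version {version}")
    cc = b0 & 0x0F                      # number of contributing sources
    hdr_len = 12 + 4 * cc
    if len(packet) < hdr_len:
        raise ValueError("truncated CSRC list")
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "csrcs": list(struct.unpack(f"!{cc}I", packet[12:hdr_len])),
        "payload": packet[hdr_len:],
    }


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes, marker=False) -> bytes:
    """Constructed RTP packet (version 2, no padding, extension or CSRC list)."""
    b0 = RTP_VERSION << 6
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq, ts, ssrc) + payload


# Constructed samples as they might arrive on UDP port 49172 (the SDP port above):
# 20 ms of PCMU (payload type 0, 160 samples at 8 kHz) and a STUN Binding Request.
PCMU_PACKET = build_rtp(0, 31862, 160 * 31862, 0x1234ABCD, b"\xff" * 160)
STUN_REQUEST = struct.pack("!HH", 0x0001, 0) + bytes(range(16))
```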

Gathering Candidate Addresses
- Each agent has a variety of candidate transport addresses: a directly attached network interface; a translated address on the public side of a NAT (a "server reflexive" address); the address of a media relay the agent is using
- Could be IPv4 or IPv6 or both

Example
- Diagram: Agent L at 10.0.1.1 behind a NAT whose public side is 192.0.2.1; STUN server at 192.0.2.2:3478 (binding discovery usage); Agent R at 192.0.2.3

Connectivity Checks
- Local agent L orders its candidates from highest to lowest priority and sends them to R over the signaling channel in the SDP offer
- When R receives the offer: same gathering process; R responds with its own ordered list of candidates
- Each agent sorts the candidate pairs in priority order and sends checks on each candidate pair in that order
- Both acknowledge checks received from the other agent

Agenda: XXth century voice; XXIst century voice; Packetization; Quality of service; Signalling; Issues with NAT; Security

Voice and Data Threat Models Merge
- IP Telephony inherits the IP data network threat models: reconnaissance, DoS, host vulnerability exploitation, surveillance, hijacking, identity theft, misuse, etc.
- The QoS requirements of IP Telephony increase exposure to DoS attacks that affect delay, jitter, packet loss and bandwidth
- PC endpoints typically require user authentication; phones typically allow any user (exceptions: access/billing codes, Class of Service)

IPT Servers
- They are essential to IPT
- Protected by strict security policy enforcement (firewall, ...)
- Host security: IPS, AV, applying security fixes
- RBAC management

Design a Secure IP Network: Data and Voice Segmentation
- Physical separation of course gives the best security but has investment constraints
- Use the same physical access, core, and distribution layers for the two segments but segment logically
- Segmentation also provides easier QoS configuration, scalability, and manageability
- Technologies such as Layer 3 access control, stateful firewall, MPLS-VPN and VLANs make this possible
- Diagram: call-process manager and proxy, e-mail & voice-mail servers in a server segment; user systems in the access layer; distribution and core layers shared

Firewall and NAT Voice ALGs
- ALG = Application Layer Gateway = firewall fixup
- Performs stateful inspection of voice signaling protocols
- ALGs exist for SIP, SCCP, H.323, and MGCP

Different Paths for Signaling and Media Streams
- ALGs perform stateful inspection of voice signaling protocols (exist for SIP, SCCP, H.323, and MGCP)
- Issue if the signaling does not follow the media streams: 1) the signaling goes through one firewall; 2) the media stream arrives at another; 3) no state there => blocked

Securing the IP Telephony Itself
- Plain SIP/SCCP protocols: no authentication, no integrity, no confidentiality
- Secure SIP/SCCP protocols: with authentication using X.509 certificates; with integrity and confidentiality; rely on cryptographically secure protocols
- Secure firmware and configuration with RSA signatures

Protecting Signaling: TLS (Transport Layer Security)
- Supports any application protocol: HTTP, SCCP, SIP, LDAP over TLS over TCP over IP
- Bi-directional PKI establishes authentication: bi-directional PKI pairs for mutual authentication
- HMAC provides integrity: computes a Hashed Message Authentication Code (HMAC), allows MD5 or SHA1
- Encryption offers confidentiality: conventional cryptography using a shared secret (DES, 3DES, AES, RC2, RC4, IDEA)
- Needs a secure method to exchange the shared secret: the shared secret is exchanged using RSA

Authentication and Encryption Basics: Protecting the Signaling
- TLS is the transport for signed (RSA), authenticated (HMAC-SHA1) and encrypted (AES-128) signaling (1)

SRTP: Secure RTP
- RFC 3711 for transport of secure media
- Uses AES-128 for both authentication and encryption
- High throughput, low packet expansion
- Packet layout: RTP header (V, P, X, CC, M, PT, sequence number, timestamp, synchronization source (SSRC) identifier, contributing source (CSRC) identifiers, optional RTP extension); RTP payload; SRTP MKI (0 bytes for voice); authentication tag (4 bytes for voice)
- The encrypted portion is the payload; the authenticated portion covers the header and the encrypted payload

Authentication and Encryption Basics: Protecting the Media Streams
- Diagram: CTL client, CAPF
- SRTP is the transport for authenticated and encrypted (AES-128) media (2)

SPIT: Spam over IP Telephony
- Potential issue of getting spammed by IP telephony
- Easy for spammers: scan the Internet; send 1000's of SIP INVITEs/sec (using UDP); play a message over RTP when someone picks up
- Hopefully: not a lot of SIP phones on the Internet; SIP phones will probably accept INVITEs only over TCP and from a known/trusted SIP proxy

Final Words
- IP Telephony is now a proven technology
- SIP is the standard
- IP Telephony can be secured