TraceSim 3.0: Advanced Measurement Functionality for Secure VoIP Networks and Simulation of Video over IP
No part of this brochure may be copied or published by means of printing, photocopying, microfilm or any other process whatsoever without prior permission in writing by Nextragen GmbH; nor may it be stored, processed, reproduced or distributed using electronic systems. Please note that all terms and brand names of the respective companies used in this document are subject to the general brand, trade mark and patent protection.
Copyright: 2012 Nextragen GmbH
Version: 01/2012
Publisher: Nextragen GmbH, Lise-Meitner-Str.2, 24941 Flensburg, Germany
Management Summary

Version 3.0 of Nextragen's measurement and analysis software TraceSim now features VoIP Security, which protects against the security risks of a converged voice and data network. In addition, TraceSim 3.0 supports the latest video technology (video conferencing, video streaming). TraceSim 3.0 is an advanced measurement tool which actively monitors voice and data networks by generating VoIP and Video over IP traffic to measure and report on the VoIP, video and QoS parameters. TraceSim 3.0 is specifically designed to decrease the time and costs associated with the installation and provisioning of VoIP networks and thus increases efficiency and improves the productivity of companies.
Table of Contents

Management Summary
Table of Contents
The Latest Features of TraceSim 3.0 in a Nutshell
Optimal Measurement Technology for VoIP Security and Video over IP
Network Security Comes First
Secure Real-Time Transport Protocol
Transport Layer Security (TLS)
TraceSim 3.0 Now Also Supports SRTP and TLS
Features of TraceSim 3.0 in a Nutshell

TraceSim 3.0 features many functions to meet the rapidly increasing requirements of VoIP and Video over IP technology. Main features include:

TLS/SRTP
- SRTP according to RFC 3711
- AES_CM_128_HMAC_SHA1_80
- AES_CM_128_HMAC_SHA1_32
- SRTCP
- SDES according to RFC 4568
- TLS
- SIP over TCP/TLS

Video
- Simulation of Video over IP traffic (e.g. connecting with another TraceSim or Test Agent)
- Steplessly adjustable bandwidth
- Individual configuration of video and audio channels
- Calculation of MOS according to PEVQ
- Support of the codecs H.263 and H.264
- Concurrent video streams
- Overview of sent and received streams

Optimal Measurement Technology for VoIP Security and Video over IP

Many companies implementing VoIP and Video over IP underestimate the growing security requirements for VoIP. Yet end-to-end quality is a key factor in the smooth running of real-time applications; to save time and reduce costs, system administrators rely on adequate measurement tools to quickly and efficiently locate and analyse network problems. Nextragen GmbH will introduce TraceSim 3.0 at the German trade show CeBIT in Hannover. TraceSim 3.0 features advanced functionality to measure, simulate and analyse VoIP and Video over IP traffic and to ensure VoIP security. The measurement software is based on proven analysis technology and offers user-friendly measurement configurations, allowing quicker and more precise identification of errors in VoIP and/or Video over IP networks. A single measurement is sufficient to accurately pinpoint a network problem.

Network Security Comes First

Companies have become aware of the numerous threats to VoIP networks and how these can put their business success at risk; IT security has become a priority corporate concern.
Also, the risks associated with a converged voice and data network have increased, and the option of falling back on the telephone network during an Internet outage in order to, for instance, receive e-mails or faxes will no longer be available in the future. With a standard public switched telephone network (PSTN) connection, eavesdropping on, manipulating or intercepting conversations requires physical access to telephone lines. VoIP networks, on the other hand, are vulnerable to common and widely-used hacker tools. ISDN networks, for instance, require a specific hardware analyser in order to capture the data stream, whereas SIP and RTP can easily be modified with freeware, giving attackers the opportunity to access the information the VoIP system carries. Thus, for the implementation of VoIP security, the following key factors must be considered:

Confidentiality: Confidential data must be secured against access by unauthorised third parties. Confidentiality in VoIP networks is specifically focused on conversations and connection data.
Integrity: The integrity of the data and devices in use requires the highest level of protection against third parties. With respect to VoIP, integrity involves the signalling data, the network devices (software and configuration data) and the connection data.
Availability: Availability is a major concern for critical applications (e.g. calling an emergency hotline). Availability must be provided even under extreme conditions (high traffic load) and must withstand disruptions and network attacks.
Liability: Liability means that all IP calls or transactions comply with the respective legal regulations.
Authentication: Authentication of the network user's identity.
Access Control/Authorisation: Control and authorisation of user rights. User rights are assigned with granularity.

VoIP systems are susceptible to attacks and threats. A single security failure is sufficient to threaten the entire network system.

Secure Real-Time Transport Protocol

The aim of the Secure Real-time Transport Protocol (SRTP) is to extend RTP and RTCP so that the control data and user data are secured against third parties. A further feature of SRTP is its easy integration into existing RTP/RTCP protocol stacks (the existing header structure has been extended by only a few new fields). SRTP has been documented by the IETF in the specification RFC 3711.
SRTP defines how the session key or salt used for authentication and encryption is derived from the master key. SRTP does not regulate the distribution of the master key among the various devices. SRTP defines the encryption of user data and control data; the specification RFC 3711 defines AES with a 128-bit key. For security reasons, the data is additionally authenticated with a 128-bit HMAC-SHA-1 and a dedicated authentication key. To counteract replay attacks, an index of the packets already received is kept. Packets which according to the index have already been received are discarded.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is a protocol specified in RFC 2246 which is based on the Secure Sockets Layer (SSL) version 3.1 and implements a secure (authenticated and confidential) channel on the transport layer. The SIP specification RFC 3261 states that all SIP servers (proxy servers, redirect servers and registrars) must support the TLS protocol with mutual and one-way authentication. In addition, SIP applications supporting TLS should support the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA. Using a SIPS Request-URI requires TLS with mutual authentication and the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA; the SIP standard states that implementations should meet this requirement. UAs should use TLS to secure communication with proxy servers, redirect servers or registrars. Using a SIPS URI means that each hop is secured via TLS until the target domain is reached. The last hop, to the target domain's proxy, must also be secured; here the security mechanism used is defined by the security policy of the target domain. TLS 1.0 is considered a secure and established protocol with various freely-available implementations, which facilitates its penetration of the VoIP market. TLS 1.0 is based on certificates and can also be used between systems that do not trust each other (e.g. by using symmetric keys). With respect to SIP systems, TLS offers hop-to-hop security between two neighbouring hops. This has many advantages, because individual hops need to access parts of the plain-text messages in order to forward them to the correct domain. On the other hand, it may threaten the end-to-end security of networks, because the end-user devices must trust all proxy servers in the signalling path. In addition, the transport layer must be reliable in order to use TLS. SIPS-initiated, TLS-secured sessions should therefore not be initiated via UDP; the TCP-based signalling this requires does, however, increase the overhead.

TraceSim 3.0 Now Also Supports SRTP and TLS

The latest version of Nextragen's VoIP simulation tool TraceSim features SRTP functionality (according to RFC 3711) as well as Transport Layer Security (TLS). Nextragen products support the commonly-used AES variants HMAC_SHA1_80 and HMAC_SHA1_32.
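The RFC 3261 rules summarised in the TLS section above amount to a per-hop policy that a proxy or a test agent can check before forwarding a request. The following is an added example (not TraceSim's own code) of that check: the `Hop` model, its field names and the sample URIs are assumptions made for the illustration; the cipher-suite name comes from the text.

```python
from dataclasses import dataclass

# Mandatory-to-implement suite for TLS-capable SIP implementations (RFC 3261).
MANDATORY_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"


@dataclass
class Hop:
    """One signalling hop as a proxy or test agent would configure it (hypothetical model)."""
    transport: str                 # "UDP" or "TCP"
    tls: bool = False              # TLS layered on top of the transport
    mutual_auth: bool = False      # peer certificate required and verified in both directions
    cipher_suites: tuple = ()      # cipher suites offered on this hop


def uri_scheme(request_uri: str) -> str:
    """Return the lower-cased scheme of a SIP Request-URI such as 'sips:bob@example.com'."""
    scheme, sep, _rest = request_uri.partition(":")
    if not sep or not scheme:
        raise ValueError(f"not a SIP Request-URI: {request_uri!r}")
    return scheme.lower()


def check_hop(request_uri: str, hop: Hop) -> list:
    """Return the policy violations for forwarding request_uri over hop (empty list = allowed)."""
    scheme = uri_scheme(request_uri)
    if scheme not in ("sip", "sips"):
        return [f"unsupported URI scheme {scheme!r}"]
    transport = hop.transport.upper()
    problems = []
    # TLS needs a reliable transport, so a TLS hop over UDP is not acceptable.
    if hop.tls and transport == "UDP":
        problems.append("TLS requires a reliable transport; this hop uses UDP")
    # A sips: URI means TLS with mutual authentication on every hop.
    if scheme == "sips":
        if not hop.tls:
            problems.append("sips: Request-URI requires TLS on every hop")
        elif not hop.mutual_auth:
            problems.append("sips: Request-URI requires mutually authenticated TLS")
    # A TLS-capable implementation should offer the mandatory suite.
    if hop.tls and MANDATORY_SUITE not in hop.cipher_suites:
        problems.append(f"{MANDATORY_SUITE} is not offered on this TLS hop")
    return problems


if __name__ == "__main__":
    good = Hop("TCP", tls=True, mutual_auth=True, cipher_suites=(MANDATORY_SUITE,))
    print(check_hop("sips:bob@example.com", good))        # []
    print(check_hop("sips:bob@example.com", Hop("UDP")))  # one violation
```

Running the check on every hop of a SIPS request reproduces the hop-by-hop property described above: the request is only as secure as the weakest hop that reports no violations, and the last hop into the target domain is checked like any other.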
The RTP control data is exchanged securely (based on SRTCP) between the communication partners, and the key exchange is secured according to RFC 4568. The complete implementation of Transport Layer Security (TLS) allows TraceSim to transmit the SIP signalling over a secure transport connection (SIP over TCP/TLS). Thanks to the advanced VoIP security features, TraceSim 3.0 is an easy-to-use tool to actively measure networks and to identify and pinpoint VoIP security threats. With signalling encryption and payload encryption of the generated VoIP traffic, the relevant VoIP and QoS parameters are measured and documented. The integrated measurement algorithms test the current speech quality and deliver reports on an end-to-end basis. Up to 300 concurrent connections simulate real VoIP traffic to test the existing prioritisation mechanisms across networks and WAN connections.

Further Challenges: Video Transmission and Interactive Video Conferencing
The introduction of Voice over IP paved the way for video transmission and video conferencing. Yet video transmission and video conferencing require large bandwidths and are very sensitive to network disturbances. Without proper know-how and measurement instruments, network administrators are faced with almost unsolvable problems. Video conferencing transmits moving images (e.g. video surveillance camera feeds) and voice data. This form of data transmission can be placed somewhere between traditional telephony and face-to-face communication. The participants, situated at separate locations, experience different network qualities. The captured isochronous image and audio data are transmitted over the network. Video conferencing connects participants via point-to-point or point-to-multipoint communication, which excludes multicasting; multicasting is used in traditional video transmission of movies to save bandwidth. Bidirectional video information is sent by the IP platform in Real-time Transport Protocol (RTP) packets. Real-time applications communicate via RTP, which in turn transports data via UDP (User Datagram Protocol). UDP is a data transmission service which does not provide control mechanisms to manage connections; connections are controlled via RTP. The data section of RTP packets contains the actual payload. This data is encoded by the sender with the respective codec. A codec is an algorithm which converts image and audio data into digital information, and the codec is essential for the quality of transmission. Some codecs send image and audio data directly, without compression. Various compression techniques are available to reduce the large volume of transmitted data; however, reducing the transmitted data results in an overall deterioration of the image and audio signals. The most common codecs used today are H.263 and H.264. Data paths can be analysed to identify and locate the source of errors by employing adequate measurement tools.
For instance, analysers specialised in video conferencing or unidirectional video transmission can identify and analyse application-specific quality parameters and timing values. The parameters provided by network analysers are subsequently processed by the respective calculation models, which deliver video MOS values to evaluate the quality of the video connection. MOS values lie between one and five: the value one indicates poor quality and five indicates excellent quality. TraceSim was specifically developed to measure video systems and has numerous additional functions, such as connection lists, reporting on quality parameters, etc. Simulation allows a detailed evaluation of the expected video transmission quality. The integrated PEVQ (Perceptual Evaluation of Video Quality) measurement is based on the ITU (International Telecommunication Union) specification ITU J.247 and serves to actively evaluate the video quality across networks. This evaluation method sends a defined reference signal across the network to the respective communication partner. The received signal is then recorded and compared with the reference signal. Based on this data, the PEVQ algorithm determines the specific quality of the data path on an end-to-end basis. Thanks to the JobPlaner integrated into Nextragen's products, measurements can be automated to continuously monitor and control networks. TraceSim's extensive reporting functionality creates the necessary documentation of the measurement results. The overview of the protocol data is precise and user-friendly, and TraceSim 3.0 users quickly familiarise themselves with the measurement software.
TraceSim 3.0 not only provides the technology necessary to measure, simulate and analyse VoIP data streams, but also Video over IP, including Video over IP readiness checks. With TraceSim 3.0, Nextragen is responding to the ever-growing number of companies sending Video over IP (combined audio and video signals) connections over IP networks. Video over IP and VoIP compete for the same computing and network resources.
About Nextragen

Nextragen GmbH specialises in the development of monitoring, analysis and testing software for VoIP/video solutions to ensure the quality of end-to-end services (QoS, QoE) for Next Generation Networks and triple-play services. The company was founded in 2009 and is based in Flensburg, Germany. Nextragen's customers, including carriers, enterprise customers and telecommunication businesses, use its solutions to monitor, analyse and test the quality, reliability and availability of VoIP and video applications. Nextragen's products, solutions and services are 100% made in Germany and are distributed globally through certified partners. For more information, visit the company website at www.nextragen.de.

Nextragen GmbH
Lise-Meitner-Str.2
24941 Flensburg
Germany
T +49 461 9041-4440
F +49 461 9041-4449
www.nextragen.de
info@nextragen.de

Errors and omissions excepted.