Impact of IPsec and 6to4 on VoIP Quality over IPv6



Similar documents
VoIP performance with IPsec in IPv4-IPv6 transition networks

VoIP CALL PERFORMANCE OVER IPv6 DURING HTTP AND BITTORRENT DOWNLOADS

Performance Monitoring of VoIP with Multiple Codecs Using IPv4 and IPv6to4 Tunnelling Mechanism on Windows and Linux

A Performance Analysis of Gateway-to-Gateway VPN on the Linux Platform

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

Performance Evaluation of VoIP Services using Different CODECs over a UMTS Network

Encapsulating Voice in IP Packets

An Introduction to VoIP Protocols

Quantifying the Performance Degradation of IPv6 for TCP in Windows and Linux Networking

Remote Access VPNs Performance Comparison between Windows Server 2003 and Fedora Core 6

Performance Analysis of IPv4 v/s IPv6 in Virtual Environment Using UBUNTU

Voice Over Internet Protocol (VOIP) SECURITY. Rick Kuhn Computer Security Division National Institute of Standards and Technology

TECHNICAL CHALLENGES OF VoIP BYPASS

Network Simulation Traffic, Paths and Impairment

An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks

ANALYSIS OF LONG DISTANCE 3-WAY CONFERENCE CALLING WITH VOIP

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

Clearing the Way for VoIP

Requirements of Voice in an IP Internetwork

Rohde & Schwarz R&S SITLine ETH VLAN Encryption Device Functionality & Performance Tests

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Measure wireless network performance using testing tool iperf

Pre-lab and In-class Laboratory Exercise 10 (L10)

VoIP QoS on low speed links

Performance Evaluation of Linux Bridge

WEB SERVER PERFORMANCE WITH CUBIC AND COMPOUND TCP

High Performance VPN Solutions Over Satellite Networks

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Network Considerations for IP Video

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Voice Over IP Per Call Bandwidth Consumption

Technote. SmartNode Quality of Service for VoIP on the Internet Access Link

An Experimental Study on Wireless Security Protocols over Mobile IP Networks

STANDPOINT FOR QUALITY-OF-SERVICE MEASUREMENT

Quantifying TCP Performance for IPv6 in Linux- Based Server Operating Systems

Application Notes. Introduction. Contents. Managing IP Centrex & Hosted PBX Services. Series. VoIP Performance Management. Overview.

Voice-Over-IP. Daniel Zappala. CS 460 Computer Networking Brigham Young University

SIP Trunking Configuration with

Transport and Network Layer

VegaStream Information Note Considerations for a VoIP installation

Troubleshooting Common Issues in VoIP

Application Note How To Determine Bandwidth Requirements

Applications that Benefit from IPv6

EINDHOVEN UNIVERSITY OF TECHNOLOGY Department of Mathematics and Computer Science

Optimizing Converged Cisco Networks (ONT)

Why SSL is better than IPsec for Fully Transparent Mobile Network Access

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

Network Performance Evaluation of Latest Windows Operating Systems

AC : A VOICE OVER IP INITIATIVE TO TEACH UNDERGRADUATE ENGINEERING STUDENTS THE FUNDAMENTALS OF COMPUTER COMMUNICATIONS

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Performance of Host Identity Protocol on Nokia Internet Tablet

VoIP Bandwidth Considerations - design decisions

Authors Mário Serafim Nunes IST / INESC-ID Lisbon, Portugal mario.nunes@inesc-id.pt

Fundamentals of VoIP Call Quality Monitoring & Troubleshooting. 2014, SolarWinds Worldwide, LLC. All rights reserved. Follow SolarWinds:

Voice over IP Basics for IT Technicians

UPPER LAYER SWITCHING

VoIP Analysis Fundamentals with Wireshark. Phill Shade (Forensic Engineer Merlion s Keep Consulting)

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

ENSC 427: Communication Networks. Analysis of Voice over IP performance on Wi-Fi networks

CT LANforge-FIRE VoIP Call Generator

UDP-IPv6 Performance in Peer-to-Peer Gigabit Ethernet using Modern Windows and Linux Systems

Issues for the performance monitoring of an open source H.323 implementation ported to IPv6-enabled networks with QoS characteristics

Quality of Service Analysis of Video Conferencing over WiFi and Ethernet Networks

Broadband Networks. Prof. Dr. Abhay Karandikar. Electrical Engineering Department. Indian Institute of Technology, Bombay. Lecture - 29.

Voice over IP (VoIP) for Telephony. Advantages of VoIP Migration for SMBs BLACK BOX blackbox.com

Analysis of QoS parameters of VOIP calls over Wireless Local Area Networks

Combining Voice over IP with Policy-Based Quality of Service

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Traffic Characterization and Perceptual Quality Assessment for VoIP at Pakistan Internet Exchange-PIE. M. Amir Mehmood

Is Your Network Ready For IP Telephony?

Call Admission Control and Traffic Engineering of VoIP

Cisco Integrated Services Routers Performance Overview

Advanced Networking Voice over IP: RTP/RTCP The transport layer

UIP1868P User Interface Guide

Performance Evaluation of AODV, OLSR Routing Protocol in VOIP Over Ad Hoc

Technical papers Virtual private networks

Measurement of IP Transport Parameters for IP Telephony

B12 Troubleshooting & Analyzing VoIP

Application Note. Pre-Deployment and Network Readiness Assessment Is Essential. Types of VoIP Performance Problems. Contents

NETWORK REQUIREMENTS FOR HIGH-SPEED REAL-TIME MULTIMEDIA DATA STREAMS

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

ISG50 Application Note Version 1.0 June, 2011

Unit 23. RTP, VoIP. Shyam Parekh

Introduction VOIP in an Network VOIP 3

Chapter 2 - The TCP/IP and OSI Networking Models

Application Note. Onsight Mobile Collaboration Video Endpoint Interoperability v5.0

VoIP versus VoMPLS Performance Evaluation

VoIP in Mika Nupponen. S Postgraduate Course in Radio Communications 06/04/2004 1

Voice over IP. Demonstration 1: VoIP Protocols. Network Environment

Voice over IP (VoIP) Basics for IT Technicians

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Voice over IP: RTP/RTCP The transport layer

IP videoconferencing solution with ProCurve switches and Tandberg terminals

UVOIP: CROSS-LAYER OPTIMIZATION OF BUFFER OPERATIONS FOR PROVIDING SECURE VOIP SERVICES ON CONSTRAINED EMBEDDED DEVICES

Voice over Internet Protocol (VoIP) systems can be built up in numerous forms and these systems include mobile units, conferencing units and

Cisco Which VPN Solution is Right for You?

Transcription:

Impact of IPsec and on VoIP Quality over R. Yasinovskyy, A. L. Wijesinha, and R. Karne Towson University, Maryland, USA ryasin1@students.towson.edu, awijesinha@towson.edu, rkarne@towson.edu Abstract We conduct experiments in a LAN environment to determine the impact of IPsec and encapsulation on VoIP quality in future networks. We measure VoIP performance in the presence of varying background traffic for each of four IPsec scenarios with and encapsulation, with and without NAT, and compare with. The scenarios reflect situations commonly encountered in today s VPNs including no-security (i.e., traffic bypasses IPsec), network-to-network (i.e., an IPsec VPN between corporate sites), client-to-network (i.e., remote user access to a corporate network via IPsec tunnels), and client-to-client (i.e., IPsec transport mode for secure end-toend communication). We use the popular Openswan implementation of IPsec and focus on ESP with the authentication option. The measures used for evaluating VoIP performance are delta (packet inter-arrival time), jitter, packet loss, throughput, and MOS. Our results demonstrate that VoIP quality due to using IPsec with,, and NAT in VPNs during the / transition is not significantly different from using IPsec with, and that there is a minimal impact on voice quality as long as the network capacity is not exceeded. I. INTRODUCTION IP networks are expected to carry more VoIP traffic in the future. It is also expected that will gradually replace in the next-generation Internet. In this paper, we study the impact of IPsec and on VoIP quality over. Several approaches to securing VoIP data are currently available. However, VPNs employing IPsec are commonplace in networks and afford a generalpurpose solution for securing all IP traffic in corporate networks regardless of the IP version and the techniques that may be used for encryption and/or authentication of VoIP and other application-level data. During IPV6/ transition, encapsulation [1] will be used to transfer traffic over transit networks or backbones with or without IPsec. The basic question we address in this research is to what extent does the overhead added by IPsec to VoIP conversations between clients in / networks during the transition period impact VoIP quality? To better assess this impact, we compare VoIP quality with IPsec in networks, networks using, and networks. Since NAT is currently used in most networks, we also study its effect on VoIP quality when used in segments that may coexist with networks during the transition period. For this purpose, we set up a test LAN with IPsec/ gateways at each end allowing VoIP quality to be evaluated using four separate IPsec scenarios. The scenarios are no-security (i.e., traffic bypasses IPsec), network-to-network (i.e., an IPsec VPN between corporate sites), client-to-network (i.e., remote user access to a corporate network via IPsec tunnels), and client-to-client (i.e., IPsec transport mode for secure endto-end communication; although transport mode would typically be used when there is no VPN as we explain later, IPsec allows clients communicating through a VPN to use end-to-end security for added protection). We use ESP tunnel and transport modes of IPsec with the authentication option [2] and do not consider AH since it seems to be rarely used in practice. Most corporate networks will also continue to employ NAT for their remaining subnets. NAT and are not directly compatible unless NAT and are colocated in the same box (gateway). While Teredo [3] offers a solution to this problem as well as several others, it requires Teredo gateways, Teredo relays, and Teredoaware clients. Issues related to implementing Teredo servers and the performance of public Teredo servers is described in [4]. We do not include Teredo in the present study due to the inability to conveniently set up a Teredo infrastructure for testing in our lab and network environment. To examine the effect on VoIP with IPsec and due to the additional overhead of NAT, we configured the IPsec/ gateway to serve as a NAT box and also measure VoIP quality when NAT is enabled. In our experiments, VoIP traffic is transmitted through Linux routers on a LAN together with data traffic at various rates. Congestion is introduced by using a 100 Mbps transit network to carry traffic from a gigabit Ethernet. VoIP performance and voice quality is studied by measuring values of delta (packet inter-arrival time), jitter, packet loss, and throughput using Wireshark, and also computing the MOS. The values of delta (packet inter-arrival time) reflect delay in the network, but do not estimate the actual endto-end delay. Auxiliary measurements we conducted to determine the actual end-to-end delay in our network showed that it is well within the commonly accepted 150 ms limit except when the network is unstable at very high loads. Also, since Wireshark was run on a separate machine and not on the softphones (except when clientto-client tests were conducted), the values of reported measures may not precisely represent the actual voice quality at the receiver due to the jitter buffer, decoding, and decryption delay prior to playback (packet loss 10th International Conference on Telecommunications - ConTEL 2009 ISBN: 978-953-184-131-3, June 8-10, 2009, Zagreb, Croatia 235

R. Yasinovskyy, A.L. Wijesinha, R. Karne concealment if implemented would also improve voice quality). To address this difficulty, we computed an average MOS based on MOS values assigned by human listeners. Since this average MOS correlated well with the computed MOS, we believe that our results accurately reflect actual call quality. The main contributions of this paper are results demonstrating that 1) today s popular IPsec-based VPN technology used with can be used on networks with no significant impact on VoIP quality 2) the additional overhead due to processing and NAT during the / transition has a negligible effect on VoIP quality with IPsec even when the network is operating close to capacity. The rest of this paper is as follows. In Section 2, we briefly discuss related work. In Section 3, we describe the test network, and in Section 4, we present the results. In Section 5, we present the conclusion. II. RELATED WORK In a previous study on IPsec with using real traffic [5], hosts with an Intel Pentium II 450 MHz processor and 128 MB memory running Free BSD 2.2.8, and routers with an Intel Pentium III 500 MHz processor were used. Their study compared the end-to-end throughput for and without IPsec, with only AH, with only ESP, and with both AH and ESP. The application used for the study was digital video. The experiments showed that for large amounts of data, the use of authentication and encryption reduces the throughput by 1/9. In this case, the throughput was about 10 Mbps for UDP and 6 Mbps for TCP. Their study demonstrated the feasibility of securely transmitting video using IPsec over with ordinary hardware. However, their study does not apply to VoIP and it did not specifically consider IPsec scenarios that are common to today s VPNs using modern implementations on Linux systems that are popular today. The overheads of an IPSec VPN server with, and performance improvements are studied in [6, 7]. The studies use Openswan, were mainly concerned with the overhead due to the IKE/ISAKMP key exchange, and show that it is much larger than the ESP overhead. In [8], performance of voice and video in an IPsec VPN for videoconferencing is analyzed and it is concluded that the VPN cannot meet QoS requirements under heavy loads. Studies have also examined the IPsec overhead with for email and Web applications [9], and Web servers with and [10]. The performance of without IPsec for TCP traffic is evaluated in [11] and it is found that the additional overhead due to tunneling is minimal. An evaluation of IPsec with is done in [12], but the study does not address VoIP performance. In [13], the authors describe the implementation of an IPsec VPN using, discuss the tradeoffs, and perform testing. Our study focuses on the impact of IPsec and on VoIP quality in networks with and without NAT. To this end, we make calls using softphones and send the VoIP traffic and other UDP data traffic through a LAN with several routers. We earlier conducted a study [14] comparing VoIP performance over and without IPsec or tunneling, which showed that the difference in VoIP call quality due to the different IP versions was found to be negligible. If voice traffic must pass through a VPN, additionally, all IP payloads carrying the voice traffic (including UDP and RTP headers) and ESP trailer and message authentication code are encrypted and these fields (excluding the authentication code field) plus the ESP header can be authenticated. Furthermore, in case of IPsec tunnel mode (network-to-network and client-tonetwork scenarios) the inner IP header is also encrypted and could be authenticated. However, there is no IPsec protection in this case when within the corporate network sites. VoIP networks can use SRTP [15], which protects the voice (RTP) payload end-to-end. We do not study the impact of SRTP. If SRTP is not used, end-to-end IPsec payload protection (client-to-client encryption and authentication that includes the ESP header) can be obtained using transport mode. In this client-to-client scenario regardless of whether traffic passes through a VPN tunnel, more protection for the VoIP traffic is afforded by IPsec versus SRTP (since in addition to the VoIP data the UDP and RTP headers are also encrypted and authenticated). Since we only focus on the impact on VoIP call quality over due to IPsec, we do not study the overhead due to call setup and the use of SIP messages. III. NETWORK AND EXPERIMENTAL SETUP An example test LAN used for our studies is shown in Figure 1. While this figure shows the IPsec gateways for the network-to-network VPN scenario, the test LANs used for the other three scenarios we studied are the same except that in the case of client-to-network and client-toclient, IPsec is enabled at one or both clients. Calls using Linphones [16] (softphones) are made between two clients. We use Linphones for consistency and convenience as they exhibited stable behavior and were easy to configure with either IP version. One client (client #2) and the background MGEN [17] UDP background data traffic generators (MGEN#1 and MGEN #2) are located on a gigabit Ethernet. During a call, the VoIP data consisting of 20 ms voice packets generated by a Linphone is collected for 2 minutes (i.e., 2-minute conversations) and the results for the second minute only are used to eliminate any start-up effects). This voice traffic and the background traffic (MGEN UDP data at rates of 50, 100, 150 and 200 Mbps) first passes through a Linux router (router #4) that can also act as an IPsec/ gateway and as a NAT box when needed. Since it is used in many VPNs, we use the Openswan implementation of IPsec [18] with IKEv1 in a Linux environment instead of the newer Strongswan [19] implementation with IKEv2 that addresses several security issues with IKEv1. The IPsec ESP traffic passes through three 100 Mbps networks connected by 2 Linux routers (router #3 and router #2 respectively) before entering the destination network via a Linux router (router 1) that acts as an 236 ConTEL 2009, ISBN: 978-953-184-131-3

Impact of IPsec and on VoIP Quality over IPsec/ endpoint gateway as shown in the figure. While packet loss is possible in our network, packets cannot arrive out of order. When IPsec processing is necessary, it is always done first. For packets, this is followed by processing. Figure 1. Test LAN with IPSec/ the case of a site-to-site VPN For example in the network-to-network VPN scenario shown in the figure, ESP encryption and authentication is applied by router #4 to packets carrying the VoIP data with the addition of an ESP header and an outer IPsec header (tunnel mode) and the resulting packets are prefixed with an header ( tunnel) (analyze overhead and suggest improvement) and forwarded to the destination through the intermediate networks and routers. At the destination network, router #1 de-tunnels the received packet, does IPsec authentication and decryption before forwarding the encapsulated voice and data traffic to their respective destinations. Wireshark [20] running on the destination network captures the voice traffic delivered to the client by port mirroring at the switch and reports values of the metrics needed to estimate VoIP performance. The machine running Wireshark doubles as an OpenSER SIP server [21] for setting up the calls. In the client-to-client scenario, Wireshark is run on the receiving client since the packets must first be decrypted for Wireshark to analyze them. The specifics of hardware, software and MGEN traffic used for the experiments are as follows: Hardware: Router/Server/MGEN: Dell Optiplex GX260 (Pentium 4, 2.4 GHz, 512 Mb RAM, Intel PRO/1000, 3Com 10/100); Client: Dell Optiplex GX270 (Pentium 4, 2.4 GHz, 2048 Mb RAM, 3Com 10/100); Switches: Cisco Catalyst 2950, Netgear GS108 (1000), Netgear FS308 (10/100), Trendnet TE100-S55E (10/100). Software: CentOS 5 (2.6.18-92.1.22) (Routers, SIP Server, NTP Server, Wireshark), Windows XP (SP3) (Generators + Sink), Fedora 10 (2.6.27.9-159) (Clients), Linphone 2.1.1-1 (ITU-G.711 codec), Wireshark 1.0.3, MGEN 4.2b4, OpenSER 1.3.4-1, Openswan 2.6.14-1. MGEN Background Traffic: n streams will generate 5n Mbps of background traffic, where n=10, 20, 30, 40. We measure the values of delta, jitter, packet loss, MOS, and throughput for the four IPsec scenarios above with and, and compare them with. We then determine their values for these cases when NAT is also used. IV. RESULTS Each experiment is run several times and the results shown are averages over three runs. The results demonstrate that while the overhead due to IPsec and in an transition environment due to the additional headers is not negligible (especially in the IPsec network-to-network scenario with, where all packets, voice as well as other, are processed and encapsulated by IPsec and ), the effects on VoIP quality are not significant as long as the load does not exceed the capacity of the network; under heavily overloaded conditions (200 Mbps load over 100 Mbps links and passed through several routers), VoIP quality degrades significantly A. Delta (Packet Inter-arrival Time) We consider the maximum (max) and mean values of delta (shown in Figure 2) and its relative frequency distribution. If two packets are sent consecutively and received in order and the delay of the first packet is more than 20 ms, then delta > 20 ms and the delay of the later packet is at least the delay difference, which is (delta-20) ms. However, when the delay of the first packet is less than 20 ms or there is packet loss, it is not possible to directly relate the value of delta to the actual delay. Max Delta: When there is no background traffic, there is no packet loss and max delta is about 40 ms for all four IPsec scenarios with either IP version or encapsulation. When there is 50 Mbps of background traffic, there is still no packet loss, and max delta increases slightly, but again the differences due to IPsec scenario, IP version and encapsulation are insignificant. When background traffic is at 100 or 150 Mbps, larger increases in max delta are seen but the values are not significantly different for the no-security, client-to-client and client-to-network scenarios with either IP version or encapsulation. When background traffic is increased to 200 Mbps, delta for some packets exceeds 100 ms for no-security with and client-to-network with either IP version. For the network-to-network scenario, it is possible for some packets to have extremely large delta values at 100 Mbps with, at 150 and 200 Mbps with, and at 200 Mbps with (max delta exceeds 800 ms in these cases). These large delta values for the network-tonetwork scenario at high background traffic rates are due to packet loss and increased delays. Mean Delta: In contrast to max delta, the values of mean delta are stable. For the no-security, client-to-client and client-to-network scenarios, there is very little difference in mean delta values with either IP version or encapsulation, and it varies from 19-26 ms (the mean is 26 ms at 200 Mbps for no-security with and, and for client-to-net with and ). For the network-to-network scenario at background traffic rates of 100 Mbps or less, mean delta values are similar to those for the other scenarios and there is at most a small ConTEL 2009, ISBN: 978-953-184-131-3 237

R. Yasinovskyy, A.L. Wijesinha, R. Karne difference in values with either IP version or encapsulation. At a background traffic rate of 150 Mbps, mean delta values are 33 ms, and at 200 Mbps it is 37 ms with and 42 ms with and. For the nosecurity, client-to-client and client-to-network scenarios, the standard deviation of delta varies from 8-16 ms when the background traffic is increased from 0-200 Mbps, and there is little difference in the standard deviation with either IP version or encapsulation. For the networkto-network scenario, there is more variability in the delta values: at 0 and 50 Mbps, the standard deviation is 8 ms with either IP version or encapsulation; at 100 Mbps it is 11 ms with and, and 24 ms with ; at 150 Mbps it is 21 ms with and 6to 4 and 29 ms with ; and at 200 Mbps it is 30 ms for and approximately 40 ms for and. Relative Frequency Distribution: The relative frequency distribution of delta provides more details concerning the actual values of delta that are obtained. At background traffic rates of 0 and 50 Mbps, for all four IPsec scenarios with either IP version or encapsulation, approximately 70-80% of packets have delta values between 0-24 ms and the rest have delta values between 25-49 ms. The same is true at 100 Mbps, for the no-security, client-to-client, and client-to-network scenarios, with either IP version or encapsulation, except that a very small number (less than 1%) of packets have delta values between 50-74 ms (in the client-toclient scenario with, a single packet also has a delta value of 75 ms or more). For the same three scenarios with either IP version or encapsulation at 150 and 200 Mbps, at most 6% of packets have delta values between 50-74% and a very small number (at most 1.5%) have delta values of 75 ms or more. For the network-tonetwork scenario, the delta distribution has more variability: with either IP version or encapsulation at 0 and 50 Mbps, the delta distribution is similar to the other scenarios; at the higher rates of background traffic, the distribution is also similar to the other scenarios except that the percentages of packets having delta values respectively between 50-74 ms and 75 ms or more increases (for instance, the percentage of packets having delta values between 50-74 ms varies from about 5-30% and the percentage of packet having delta values of 75 ms or more varies from about 5-15%. B. Jitter Max Jitter: Max jitter ranges from 13 ms for with no security to 24 ms at 150 Mbps for the network-tonetwork scenario with. In the case of, max jitter ranges from 13 ms for the client-to-client, client-tonetwork or network-to-network scenarios with no background traffic to 21 ms for the network-to-network scenario with background traffic at 200 Mbps. With, max jitter varies from 13 ms with no security and no background traffic to 26 ms for the network-to-network scenario with background traffic at 100 Mbps. However, max jitter sometimes reached 27 ms even with no security and no background traffic. Thus, it is important to examine both maximum and mean jitter. Mean Jitter: Mean jitter values are shown in Figure 3. The values range from 7-10 ms for, from 7-11 ms for, and from 7-10 ms with. The results show that mean jitter is not affected significantly by IPsec and processing. C. Packet Loss Packet loss percentages are shown in Figure 4. We note that there is no packet loss when background traffic is at 0 or 50 Mbps for all IPsec scenarios with either IP version or encapsulation. At 100 Mbps of background traffic, packet loss with varies from 2% for no-security to 10% for the network-to-network scenario. For, the range is from 4-16% and for, it is from 4-27%. The highest packet loss percentage is 55% for the network-to-network scenario at 200 Mbps with either or. D. MOS The maximum MOS of 4.41 is obtained with 0 or 50 Mbps of background traffic regardless of the IPsec scenario and regardless of whether, or encapsulation is used. At 100 Mbps of background traffic, MOS values are good with a slight drop for the client-to-network and network-to-network IPsec scenarios with either IP version or encapsulation. As expected, at 150 or 200 Mbps of background traffic, the MOS drops to unacceptable levels. E. Throughput The throughput is the number of bits transferred per second considering only the voice packets. Throughput is shown in Figure 5. As expected, the throughput is close to 100 kbps with background traffic rates up to 50 Mbps but drops when the rates are 100 Mbps and higher. In general, the throughput for all IPsec scenarios is about the same for a given rate of background traffic with either IP version or encapsulation. This implies that the additional overhead due to the extra headers and processing due to IPsec and does not significantly affect the voice throughput. Analysis: The throughput is ( 1 p ) * ( n / t) * s, where p is the packet loss percentage, n is the total number of voice packets sent during a time period t, and s is the total size of the voice packets including all headers and data. As an example, we consider the IPsec network-tonetwork scenario. We can compare the VoIP throughput when background traffic is at 100 Mbps for the IPsec network-to-network scenario with,, and. Since the number of packets sent during a given time period should be approximately the same (i.e., 50 packets/sec assuming packets are sent every 20 ms), the / throughput ratio is T T (1 p ) s v4 4 v4 =, v6 (1 p6 ) sv6 where the subscripts denote the IP version. Using the measured packet loss rates from Figure 4 and the packet sizes from Wireshark, this ratio is (1-.099)*278/(1-.16)*314=0.9496. Note that Wireshark does not see the 4-238 ConTEL 2009, ISBN: 978-953-184-131-3

Impact of IPsec and on VoIP Quality over byte CRC at the end of an Ethernet packet. The observed throughput ratio using the throughput values from Figure 5 is 82.71/84.32 =0.9809 so the throughput with IPsec and is 0.98 times the throughput with IPsec and. The difference in the observed and computed throughput ratio is because Wireshark computes the observed (actual) throughput by counting the number of packets actually received during the measurement interval (it computes the packet loss percentage p based on missing RTP sequence numbers). Similarly, when the background traffic is at 100 Mbps, the computed throughput ratio / is 1.0834, while the observed value is 1.1524. Thus, the throughput with IPsec only is 1.15 times the throughput with and IPsec. F. NAT To determine the additional overhead on the IPsec/ router when it is using NAT to handle traffic from subnets, we repeated the previous experiments after enabling NAT. The difference in the values of all measures of interest due to NAT processing was found to be negligible regardless of the IPsec scenario. For reasons of space, we only show mean delta, mean jitter and packet loss for the no security and network-to-network IPsec scenarios with NAT (Figures 6-8). In the figures, +NAT means the clients are and the background traffic is with NAT, NAT+ means clients are with NAT and background traffic is, and so on. G. Key Exchange Finally, we determined the delay due to the IKE/ISAKMP handshake during the initial key exchange. This delay would be a factor in evaluating overall VoIP performance if the handshake is repeated several times during a call to provide additional protection against key compromise or staleness. Our experiments showed that the handshake delay is on the order of a few milliseconds. V. CONCLUSION We conducted a study to determine the overhead of IPsec and on VoIP quality in a LAN environment. The study used softphones to make calls and generated background traffic to create congestion on the links and routers. The results demonstrated the feasibility of using a single Linux box to handle IPsec, and NAT processing, and verified that voice quality does not degrade even when the network is operating close to its capacity of 100 Mbps. The study serves to demonstrate that today s popular IPsec-based VPN technology is capable of being supported by during the anticipated / transition. Future studies should evaluate the impact of multiple calls and the use of IPsec with both Teredo and in a more complex test network. REFERENCES [1] B. Carpenter and K. Moore, "Connection of Domains via Clouds", RFC 3056, February 2001. [2] S. Kent, "IP Encapsulating Security Payload (ESP)", RFC 4303, December 2005. [3] C. Huitema, Teredo: Tunneling over UDP through Network Address Translations (NATs), RFC 4380, December 2006. [4] S-M. Huang, Q. Wu, and Y-B. Lin, "Tunneling through NAT with Teredo Mechanism," pp.813-818, In Proc. 19th International Conference on Advanced Information Networking and Applications (AINA'05) Volume 2, 2005. [5] S. Ariga, K. Nagahashi, M. Minami, H. Esaki, and J. Murai. Performance Evaluation of Data Transmission Using IPSec over Networks, In Proc. INET 2000, July 2000. http://www.isoc.org/inet2000/cdproceedings/1i/1i_1.htm. [6] C. Shue, Y. Shin, M. Gupta, and J. Y. Choi, "Analysis of IPSec overheads for VPN servers," npsec, pp.25-30, 1st IEEE ICNP Workshop on Secure Network Protocols, 2005. [7] C. Shue, M. Gupta, and S. A. Myers, "IPSec: Performance Analysis and Enhancements," In Proc. IEEE International Conference on Communications (ICC), Glasgow, Scotland, June 2007. [8] J. A. Perez, V. Zarate, A. Montes, and C. Garcia, Quality of Service Analysis of IPSec VPNs for Voice and Video Traffic, aict-iciw, pp.43-43, International Conference on Internet and Web Applications and Services/Advanced International Conference on Telecommunications, 2006. [9] G. C. Hadjichristophi, N. J. Davis IV, and S. F. Midkiff, IPSec overhead in wireline and wireless networks for web and email applications, In 22nd IEEE IPCCC, April 2003. [10] S.P. Meenakshi and S. V. Raghavan, Impact of IPSec Overhead on Web Application Servers, adcom, pp.652-657, International Conference on Advanced Computing and Communications, 2006. [11] L. Liu and W. Gao, Building IPsec VPN in Based on Openswan, npc, pp.784-787, IFIP International Conference on Network and Parallel Computing Workshops, 2007. [12] S. Zeadally and I. Raicu, "Evaluating to transition mechanisms," ict, pp.1091-1098, 10th International Conference on Telecommunications, 2003. [13] M. Mujinga, H. Muyingi, and G.S.V.R.K Rao, IPSec overhead analysis in dual stack / transition mechanisms, ICACT, 2006. [14] R. Yasinovskyy, A. L. Wijesinha, and R. Karne, "A Comparison of VoIP Performance on and Networks", The 7th ACS/IEEE International Conference on Computer Systems and Applications, Rabat, Morocco, May 2009, in press. [15] M. Baugher, D. McGrew, M. Naslund, E. Carrara, and K. Norrman, The Secure Real-time Transport Protocol (SRTP), RFC 3711, March 2004. [16] Linphone, http://www.linphone.org [17] The Multi-Generator (MGEN) Version 4.2, http://pf.itd.nrl.navy.mil/mgen/mgen.html [18] Openswan, http://www.openswan.org [19] strongswan, http://www.strongswan.org [20] Wireshark, http://www.wireshark.org [21] OpenSER SIP server (now OpenSIPS), http://www.openser.org ConTEL 2009, ISBN: 978-953-184-131-3 239

R. Yasinovskyy, A.L. Wijesinha, R. Karne Client-to-Client 5 4 3 2 1 5 4 3 2 1 Client-to-Net 5 4 3 2 1 5 4 3 2 1 Figure 2. Mean Delta Client-to-Client 1 1 1 1 Client-to-Net 1 1 1 1 Figure 3. Mean Jitter 240 ConTEL 2009, ISBN: 978-953-184-131-3

Impact of IPsec and on VoIP Quality over Client-to-Client 6 4 2 6 4 2 Client-to-Net 6 4 2 6 4 2 Figure 4. Packet Loss Client-to-Client Throughput (kbps) 15 10 5 Throughput (kbps) 15 10 5 Client-to-Net Throughput (kbps) 15 10 5 Throughput (kbps) 15 10 5 Figure 5. Throughput ConTEL 2009, ISBN: 978-953-184-131-3 241

5 4 3 2 1 + NAT+ +NAT 5 4 3 2 1 + NAT+ +NAT Figure 6. Mean Delta (NAT) 1 + NAT+ +NAT 1 + NAT+ +NAT Figure 7. Mean Jitter (NAT) 6 4 2 + NAT+ +NAT 6 4 2 + NAT+ +NAT Figure 8. Packet Loss (NAT) 242 ConTEL 2009, ISBN: 978-953-184-131-3

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information