Investigation of Media Streaming Service in Secure Access Network
Binod Vaidya
Institute of Engineering
Tribhuvan University
Nepal
Introduction
With the growth of the Internet and of high-speed access links, Internet users can enjoy large amounts of web content.
At the same time, multimedia streaming services are becoming popular over the Internet.
Wireless access networks as well as mobile networks are increasingly used to provide IP-based multimedia streaming services.
With the rise of multimedia and network technologies, multimedia has become an indispensable feature of the Internet.
Animation, voice and video clips are becoming more and more popular on the Internet.
Introduction
Multimedia networking applications such as Internet telephony, Internet TV and video conferencing have appeared on the market.
Other multimedia products are used in distance learning, distributed simulation, distributed work groups and other areas.
Streaming services, however, present many challenges for network engineers.
Streaming services require a certain amount of bandwidth to sustain the bit rate needed by each media stream, and a strictly bounded delay variation to avoid buffer underflow at the streaming clients.
Architectural Model
The architectural model comprises a service provider, an IP backbone network and wireless access networks.
The service provider offers the multimedia streaming services.
The IP backbone network is a public network such as the Internet.
The wireless access networks provide access to mobile users.
As the service provider delivers audio and video streaming services, a secure channel such as a VPN is created over the public IP network.
Architectural Model
[Figure: architectural model showing clients attached to access points (AP) in the wireless access networks, connected through IP tunneling across the IP network to the Service Provider.]
Security Issues
IP Tunneling
Because of the interest in emerging scenarios such as wireless access networks and Mobile IP environments, several tunneling technologies have been introduced.
Currently there are four primary tunneling protocols relevant to VPNs:
Layer 2 Tunneling Protocol (L2TP) tunnel
Layer 2 Forwarding (L2F) tunnel
IP Security (IPSec) tunnel
Generic Route Encapsulation (GRE) tunnel
Security Issues
IPSec
IPSec is a suite of protocols “designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6”.
IPSec provides security services such as access control, data integrity, authentication, confidentiality (encryption) and replay protection to the IP layer and to the layers above it.
IPSec can protect one or more paths between a pair of hosts, between a pair of security gateways, or between a host and a security gateway.
A Security Association (SA) is a “simplex connection that affords security services to the traffic carried by it”.
An SA is uniquely identified by the Security Parameter Index (SPI), the IP destination address and the security protocol.
Security Issues
IPSec
Authentication Header (AH) and Encapsulating Security Payload (ESP) are the security protocols provided by IPSec to form SAs.
AH provides connectionless integrity, data origin authentication and an optional anti-replay service.
ESP may provide confidentiality and limited traffic-flow confidentiality, as well as all the functionality provided by AH.
These protocols can be used alone or in combination.
Security Issues
IPSec
IPSec supports two modes of use: transport mode and tunnel mode.
Transport mode provides protection primarily for upper-layer protocols.
Tunnel mode is used to encapsulate entire IP packets.
If either end of the path to be protected is a security gateway (SG), tunnel mode must be used.
Transport mode can only be used when communicating host to host.
Each SA defines the algorithms (attributes) for encryption, authentication, hashing and key exchange used to protect a particular path.
Security Issues
Generic Route Encapsulation (GRE)
GRE tunnels allow any protocol to be tunneled inside an IP packet.
This feature allows the Type of Service bits to be copied into the tunnel header when a router encapsulates packets using GRE.
GRE encapsulates traffic with new packet headers to ensure delivery to specific destinations.
The network is considered private because traffic normally enters the tunnel only at its beginning and leaves it only at its endpoint.
Although limiting traffic access in this manner may make the network appear private, it does not provide message confidentiality or integrity.
Security Issues
Generic Route Encapsulation (GRE)
Performance benefits of GRE tunneling:
GRE reduces the size and complexity of the Access Control Lists (ACLs) used for traffic matching.
GRE speeds up traffic flow.
GRE used together with a routing protocol can significantly reduce the time taken by IPsec keep-alive messages to detect a tunnel outage and, optionally, to fail over to a different tunnel.
There are several benefits of using GRE and IPsec on the same router:
GRE tunnels support transporting IP multicast and broadcast packets to the other end of the GRE tunnel.
A GRE tunnel packet is an IP unicast packet, so the GRE packet can be encrypted using IPsec. In this scenario, GRE does the tunneling work and IPsec does the encryption part of supporting the VPN network.
Quality of Service Issues
When delivering real-time applications, QoS protocols must be adopted in order to meet the requirements on transmission parameters such as transmission delay, delay variation and buffering delay.
QoS protocols try to meet the imposed requirements using features such as packet classification, queuing mechanisms, traffic shaping, header compression, congestion avoidance strategies and resource reservation protocols.
Real-time service enables IP networks to provide QoS to multimedia applications.
It is a comprehensive approach to providing applications with the type of service they need, at the quality they choose.
Quality of Service Issues
Real-time Transport Protocol
RTP is an IP-based protocol providing support for the transport of real-time data such as video and audio streams.
Services provided by RTP include timing reconstruction, loss detection, security and content identification.
RTP can be used for one-way transport such as video-on-demand as well as for interactive services such as Internet telephony.
RTP is designed to work in conjunction with the auxiliary control protocol RTCP to obtain feedback on the quality of data transmission and information about the participants in an ongoing session.
Quality of Service Issues
Real-time Transport Protocol
RTP provides end-to-end delivery services for data with real-time characteristics, such as interactive audio and video.
RTP does not address resource reservation and does not guarantee quality of service for real-time services.
It can be used over unicast or multicast networks.
RTP itself, however, does not provide all of the functionality required for the transport of data, and therefore applications usually run it on top of a transport protocol such as UDP.
Quality of Service Issues
Compressed RTP
As networks evolve to provide more bandwidth, applications, services and the consumers of those applications all compete for that bandwidth.
In wireless networks, with their high bit error rates and high latency, it is difficult to attain the high bandwidths required.
When all these factors are taken into account, the available resources must be used as efficiently as possible.
In Voice over IP, interactive games, messaging and similar applications, the payload of an IP packet is about the same size as, or even smaller than, its header.
IP header compression also provides other important benefits, such as a reduction in packet loss and improved interactive response time.
Quality of Service Issues
Compressed RTP
The existing standard for compressing IP/UDP/RTP headers is the Compressed Real-time Transport Protocol (CRTP).
It compresses headers over a single link by maintaining a ‘context’, which is essentially the full version of the last header transmitted over the link, at both ends of the link, and transmitting only the differences between consecutive headers.
When a packet is lost between the compressor and the decompressor, the context of the decompressor is not updated properly and decompression fails. To deal with such problems, CRTP has a context repair mechanism which relies on signaling.
CRTP thus performs very badly when error rates are high, as each lost packet is accompanied by several further packets being lost due to context mismatch.
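The following toy model of the CRTP behaviour described above is an added example, not code from the original slides: the compressor sends a full IP/UDP/RTP header only when it has no context or a repair is due, otherwise just the sequence and timestamp differences, and a single link loss leaves the decompressor discarding packets until the repair signal produces a full header. The header sizes, the 20 ms G.711 timestamp step, the repair-signal delay and the loss pattern are assumptions chosen for the illustration.

```python
"""Toy model of CRTP-style header compression over a lossy link (constructed
example). The 'context' is the last full header held at each end; only the
differences cross the link, and a loss desynchronises the decompressor."""
from dataclasses import dataclass

FULL_HDR = 40        # IPv4 (20) + UDP (8) + RTP (12) bytes, uncompressed
COMP_HDR = 2         # assumed size of a compressed header in steady state
G711_SAMPLES = 160   # RTP timestamp step for 20 ms of G.711 audio (assumed)

@dataclass(frozen=True)
class RtpHdr:
    seq: int
    ts: int

def simulate(n_packets, drop_indices, signal_delay=3):
    """Send n_packets headers over a link that drops the given indices and
    return link losses, packets discarded for lack of a valid context, and
    header bytes put on the link. signal_delay: packets that pass before the
    decompressor's repair signal reaches the compressor (assumed)."""
    comp_ctx = decomp_ctx = None
    expected_link_seq, refresh_at, context_valid = 0, None, False
    stats = {"link_losses": 0, "discarded": 0, "header_bytes": 0}
    for i in range(n_packets):
        hdr = RtpHdr(seq=1000 + i, ts=i * G711_SAMPLES)
        # Compressor: full header when there is no context or a repair is due,
        # otherwise only the deltas. It cannot see whether packets arrive.
        if comp_ctx is None or (refresh_at is not None and i >= refresh_at):
            msg, refresh_at = ("FULL", hdr), None
            stats["header_bytes"] += FULL_HDR
        else:
            msg = ("DELTA", hdr.seq - comp_ctx.seq, hdr.ts - comp_ctx.ts)
            stats["header_bytes"] += COMP_HDR
        comp_ctx = hdr
        if i in drop_indices:                 # lossy link drops this packet
            stats["link_losses"] += 1
            continue
        # Decompressor: i stands in for CRTP's link sequence number; a gap
        # means the context no longer matches, so signal for a full header.
        if i != expected_link_seq:
            context_valid = False
            if refresh_at is None:
                refresh_at = i + signal_delay
        expected_link_seq = i + 1
        if msg[0] == "FULL":
            decomp_ctx, context_valid = msg[1], True
        elif context_valid:
            decomp_ctx = RtpHdr(decomp_ctx.seq + msg[1], decomp_ctx.ts + msg[2])
        else:
            stats["discarded"] += 1           # delta against a stale context
    return stats
```

With one packet of twenty dropped and a three-packet signaling delay, three further packets are discarded at the decompressor, which is the amplification the slide describes; with no loss the same twenty headers cost 78 bytes instead of 800.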
Experimental Validation
In order to validate the conceived architectural model, we have simulated a wireless access network scenario using OPNET Modeler.
OPNET is a discrete event-driven simulation tool capable of modeling both wireless and wireline networks.
Scenarios
Multimedia services are delivered to mobile users through a wireless access network over a public IP backbone network (i.e. the Internet).
For experimental purposes, two scenarios have been designed.
The first scenario is a wireless access network with IP tunneling.
In order to securely deliver real-time traffic over the public IP network, a GRE tunnel over IPSec is used.
Thus only the designated wireless access network can have access to the Media Service Provider.
Scenarios
The second scenario is a wireless access network with IP tunneling along with CRTP.
As OPNET Modeler does not have a module for CRTP, we have modified the router and access point models.
Experimental Model
Modified Components
Modified Router
Modified Access Point
Assumptions
For the multimedia applications, we have selected two applications: audio and video services.
For the audio application, we have considered interactive voice using the G.711 encoder scheme.
For the video application, we have considered low-quality video with a 128x120 frame size at 10 frames per second and ToS set to multimedia streaming.
For tunneling, we have considered GRE tunneling with ESP (transport mode) for encryption and AH for integrity and authentication to secure the channel.
For the VPN, we have considered the following IPsec parameters:
Protocol: Bundle (AH+ESP)
Authentication algorithm: HMAC-SHA1
Encryption algorithm: 3DES
Assumptions
The IP network is modeled with a 5% packet drop rate and a packet latency of 1 sec.
An increase in packet size has negative effects not only on bandwidth usage but also on transmission delay, router internal delays and queuing delay, thus affecting jitter and overall packet delay.
Transmission delay increases proportionally with packet size and is constant for every router.
Internal router delays are accounted for in the generic IPsec delay.
Queuing delay is sensitive to packet size as well, and this is evident on low-bandwidth links.
Result and Analysis
We have considered end-to-end delay and delay variation at the mobile end-users to investigate the performance of the real-time media streaming services.
Both scenarios have been considered, i.e. IP tunneling only, and IP tunneling along with CRTP.
It can be seen that in both cases the packet end-to-end delays have been reduced with IP tunneling using CRTP.
Result
– Packet end-to-end delays for video streaming and voice streaming are shown above.
Result
– Delay variation, i.e. jitter, for video streaming and voice streaming is shown above.
Result and Analysis
It can be seen that in both cases the delay variations have been reduced with IP tunneling using CRTP.
CONCLUSION
A framework for multimedia streaming through a public IP backbone network to a wireless access network using IP tunneling has been presented.
Results of an experimental analysis of multimedia streaming over secure communication links implementing GRE tunneling over IPsec have been reported.
The critical parameters characterizing real-time transmission of voice as well as video over a secured IP network, and techniques that could be adopted to overcome some of the limitations of a secured network, have been presented.
We present an efficient solution for packet header compression, CRTP, for real-time traffic in an IP-tunneled network using IPsec.
Simulation results show that the compression scheme significantly reduces the overhead of packet headers, thus increasing the effective bandwidth available to the transmission.
Our results show that packet end-to-end delay and delay variation can be reduced using CRTP.
THANK YOU