QoS Optimization and Security Enhancements for VoIP in WLANs - Issues
International Journal of Computer Science Research & Technology (IJCSRT)
ISSN: 2321-8827
Vol. 1 Issue 5, October - 2013
Paper IJCSRTV1IS050073, www.ijcsrt.org, pp. 62-69
Abstract
We address the issues in implementing VoIP services over packet-switched networks, the challenges of improving quality of service (QoS), and several solutions proposed to improve VoIP performance in WLANs. To provide adequate QoS in a VoIP system, several well designed call admission control (CAC) mechanisms have been proposed that address throughput, voice quality, transmission delay and related issues. In practice, however, existing VoIP systems have not been able to apply and support these CAC mechanisms adequately, and this gap is one focus of this paper. In the latter part of the article we present a brief survey of academic research on VoIP security, intended as a roadmap for researchers to locate gaps in the existing capabilities of VoIP, to document the challenges such infrastructure faces, and to analyze some of the proposed solutions.

1. Introduction
Voice over IP (VoIP) is a real-time Internet application that delivers voice packets over the Internet and reduces communication costs immensely relative to telephone calls through the public switched telephone network (PSTN). Real-time transmission of voice packets has to meet very strict delay requirements, so delay is an important factor in call quality. According to International Telecommunication Union (ITU) Recommendation G.114, a maximum one-way delay of 200 ms is acceptable [1].

Call admission in the traditional telephone network follows the rule that if sufficient link capacity is not available, new calls are not admitted, while calls in progress remain unaffected. In IP networks only best-effort service is provided and, regardless of the link capacity, new calls are accepted whenever requested; as a result the channel becomes congested and packets are dropped and delayed. Hence the necessity to design CACs. Apart from the delay requirements, VoIP differs from the PSTN in other ways: voice compression techniques are applied in VoIP networks, which increases bandwidth efficiency in the sense that the remaining bandwidth is shared with other traffic such as media and data applications (video, file sharing, etc.).

However, the current situation is that VoIP systems cannot provide QoS guarantees to VoIP networks. The main reason is that none of the systems is able to adequately support and implement the designed CAC mechanisms [2]. Other challenges are explained in [3]: VoIP systems deployed in IEEE 802.11 WLANs use a contention-based medium access control (MAC) protocol, the distributed coordination function (DCF), which supports best-effort traffic but introduces large and arbitrary delays and delay jitter. It is therefore unsuitable for real-time applications such as VoIP with strict QoS requirements. Besides, the PSTN and cellular networks have channels dedicated to voice traffic, whereas in voice over wireless LANs (VoWLANs) voice traffic is multiplexed with data traffic and sent over the WLAN. This leaves voice traffic unprotected, so mechanisms to secure the data involved in real-time communication are also a major research focus. Again, when the best-effort traffic load increases, the QoS of a VoWLAN can be severely degraded by mutual interference and by the reduction in system capacity. CACs therefore have to be designed to find an optimum between a high level of QoS in VoWLANs and high throughput for the other traffic.

The basic building blocks installed at the sender and receiver ends to run a PC-to-PC VoIP service are given in Figure 1. The speech signal is encoded by the speech encoder, which includes acquisition, sampling and compression operations. The analog voice signals are sampled at a fixed frequency where
The rate control regulation controls the packet sending ratio by using another parameter, $s$ ($0 < s < 1$), which is the allowed share of the shared channel for which a node may contend with best-effort traffic. That traffic uses the residual bandwidth left by the real-time traffic. The allowed share $s$ is defined through

$T = \dfrac{t_p}{s}$,

where $t_p$ is the time a successful transmission of packet $p$ occupies the channel and $T$ is the time between two consecutive packets passed to the MAC layer [3]. In the CARC scheme the parameter $s$ adjusts its value dynamically according to the network condition. The adaptation procedure goes as follows:

- If the channel busyness ratio $R_b < B_M$, the channel is assumed to be underloaded; in that case the rate control mechanism adopts a multiplicative-increase law, multiplying $s$ by the ratio of $B_u$ to $R_b$:
  $s \leftarrow s \times \dfrac{B_u}{R_b}$.
  This way $R_b$ quickly converges to $B_u$.

- When $B_M \le R_b < B_u$, the channel is considered moderately loaded, and the rate control mechanism adopts an additive increase law [3]:
  $s \leftarrow s + \dfrac{t_p}{s}\,\delta$,
  where $\delta$ is the increase factor and $t_p/s$ is the interval between two consecutive packets passed to the MAC layer.

- When $R_b > B_u$, the factor $s$ has to be decreased; according to [3] the multiplicative decrease law is
  $s \leftarrow s \times \gamma \times \dfrac{B_u}{R_b}$,
  where $\gamma$ is the decrease factor and $0 < \gamma \le 1$.

In these equations the factors $\delta$ and $\gamma$ control the convergence speed. This way the bandwidth is utilized in an optimized manner and collisions are handled well enough too. To alleviate collisions as much as possible, CARC additionally adopts a packet defer procedure. The simulation results in [3] show that CARC keeps the delay of voice traffic at around 70-80 ms while maintaining very high throughput and avoiding collisions. Thus it provides a good statistical QoS guarantee and does not require an upgrade of the firmware of the MAC controller chip.

3.3. Utilization based call admission control
This is a kind of call admission control mechanism which uses a predefined utilization limit in terms of bandwidth usage. A call is admitted whenever the bandwidth already in use plus the bandwidth requested does not exceed this limit, which is fixed offline at configuration time. The call admission procedure is executed by two modules: the utilization computation module and the admission decision making module. The utilization computation module performs the delay analysis and computes the bandwidth utilization. It has two kinds of submodules, link utilization based call admission control (LU-CAC) and site utilization based call admission control (SU-CAC). The computed utilization is passed to either LU-CAC or SU-CAC, and the admission decision making module then decides on each incoming call on the basis of the received data.

The main task of the LU computation submodule is to compute the maximum link utilization for LU-CAC by the utilization verification procedure given in Figure 3 [14]. The delay analysis technique determines worst-case delays or deadline violation probabilities assuming a worst-case combination of flows; LU-CAC performs it in both a deterministic and a statistical manner.

Figure 3. Utilization verification process

3.3.1. Utilization based Deterministic Delay Analysis. Assuming that the potential end-to-end delay for a given network topology and the bandwidth utilization are known, the worst-case queuing delay $d_k$ suffered by any voice packet with the highest priority at the buffer of output link $k$ is bounded by

$$d_k \le \frac{(c_k - 1)\,u_k}{c_k - u_k}\left(\frac{\sigma}{\rho} + Y_k\right), \qquad c_k = \frac{\sum_{j \in L_k} C_j}{C_k}, \qquad Y_k = \max_{R \in S_k} \sum_{s \in R} d_s,$$

where $L_k$ is the set of all input links of output link $k$, $C_j$ and $C_k$ are the link capacities, $u_k$ is the utilization of link $k$, $\sigma$ and $\rho$ are the burst size and average rate of the voice traffic, and $S_k$ is the set of all subroutes used by highest-priority voice packets upstream of output link $k$ [19].

3.3.2. Utilization based Statistical Delay Analysis. When the deadline requirement is probabilistic, the delay violation probabilities can be bounded statistically, as follows.
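The following is an added worked example, not code from the paper nor from the CARC [3] or utilization-based CAC [2], [19] implementations. It codes the rate-control adaptation of the best-effort share $s$ described above with a toy busyness model, and the deterministic LU-CAC delay bound of section 3.3.1 together with the end-to-end composition $1 - \prod_k (1 - P\{d_k > D_k\})$ of per-link violation probabilities used by the statistical analysis of 3.3.2, wired into an admission decision. The thresholds $B_M$ and $B_u$, the factors $\delta$ and $\gamma$, the voice regulator parameters $\sigma$ and $\rho$, the link capacities, $Y_k$ and the deadline are assumptions chosen for illustration.

```python
"""Added example, not code from the paper or from [2], [3], [19]: the CARC
rate-control adaptation of the best-effort share s, and the LU-CAC deterministic
delay bound wired into an admission decision.  All numeric parameters are
assumptions chosen for illustration."""
from dataclasses import dataclass


def adapt_share(s, r_b, b_m, b_u, t_p, delta, gamma):
    """One CARC adaptation step for the best-effort share s (0 < s < 1).

    r_b is the measured channel busyness ratio, b_m < b_u the moderate-load
    and upper thresholds, t_p the air time of one packet, delta the additive
    increase factor and gamma (0 < gamma <= 1) the multiplicative decrease
    factor.  R_b == B_u is treated as overloaded here (an assumption; the
    text leaves that boundary case open)."""
    if r_b < b_m:                       # underloaded: multiplicative increase
        s = s * (b_u / r_b)
    elif r_b < b_u:                     # moderately loaded: additive increase
        s = s + (t_p / s) * delta
    else:                               # overloaded: multiplicative decrease
        s = s * gamma * (b_u / r_b)
    return min(max(s, 1e-6), 1.0 - 1e-6)   # keep s strictly inside (0, 1)


def simulate_carc(steps=200, s0=0.05, voice_load=0.30, b_m=0.60, b_u=0.90,
                  t_p=0.001, delta=0.01, gamma=0.90):
    """Drive adapt_share with a toy channel model (assumption: busyness is the
    fixed voice load plus the best-effort share).  Returns (s, r_b) after
    `steps` adaptation rounds; r_b should settle in [b_m, b_u)."""
    s = s0
    r_b = voice_load + s
    for _ in range(steps):
        s = adapt_share(s, r_b, b_m, b_u, t_p, delta, gamma)
        r_b = voice_load + s
    return s, r_b


@dataclass
class Link:
    c_out: float      # output link capacity C_k, bit/s
    c_in: list        # capacities C_j of the input links j in L_k, bit/s
    y_k: float        # worst-case upstream delay Y_k over the subroutes in S_k, s
    deadline: float   # per-link deadline D_k for voice packets, s
    used: float = 0.0  # bandwidth already admitted on the link, bit/s


def delay_bound(link, u_k, sigma, rho):
    """Deterministic worst-case queueing delay of the highest-priority (voice)
    class at output link k (section 3.3.1):
        d_k <= (c_k - 1) u_k / (c_k - u_k) * (sigma/rho + Y_k),
        c_k  = sum_{j in L_k} C_j / C_k."""
    c_k = sum(link.c_in) / link.c_out
    if not 0.0 <= u_k < c_k:
        raise ValueError("bound only valid for 0 <= u_k < c_k")
    return (c_k - 1.0) * u_k / (c_k - u_k) * (sigma / rho + link.y_k)


def e2e_violation_bound(per_link_probs):
    """P{d_e2e > sum_k D_k} <= 1 - prod_k (1 - P{d_k > D_k}) (section 3.3.2)."""
    survive = 1.0
    for p in per_link_probs:
        survive *= 1.0 - p
    return 1.0 - survive


# Assumed voice-flow regulator parameters: burst size sigma and average rate rho.
VOICE_SIGMA = 1600.0     # bits (a 200-byte burst)
VOICE_RHO = 64_000.0     # bit/s (G.711-like payload rate)


def admit_call(link, sigma=VOICE_SIGMA, rho=VOICE_RHO):
    """LU-CAC decision: admit the new voice flow only if the utilization after
    admission keeps the deterministic bound within the link deadline.
    Returns (admitted, bound_seconds) and reserves the bandwidth on success."""
    u_new = (link.used + rho) / link.c_out
    if u_new >= 1.0:
        return False, float("inf")
    bound = delay_bound(link, u_new, sigma, rho)
    if bound > link.deadline:
        return False, bound
    link.used += rho
    return True, bound


def demo():
    """Two links with the same topology (c_k = 3); the busier one rejects."""
    quiet = Link(c_out=10e6, c_in=[10e6, 10e6, 10e6], y_k=0.010, deadline=0.020, used=4_936_000)
    busy = Link(c_out=10e6, c_in=[10e6, 10e6, 10e6], y_k=0.010, deadline=0.020, used=8_936_000)
    return admit_call(quiet), admit_call(busy)
```

With the assumed numbers the quiet link ends at $u_k = 0.5$ and a bound of 14 ms (admitted against a 20 ms deadline), while the busy link would reach $u_k = 0.9$ and a bound of 30 ms (rejected); the bound is only meaningful while $u_k < c_k$, which the code checks.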
If $d_k$ is a random variable and $D_k$ denotes its deadline, the delay violation probability for any voice packet with the highest priority at the buffer of output link $k$ is bounded by

$$P\{d_k > D_k\} \le \begin{cases} \dfrac{1}{2\pi}\cdot\dfrac{1-u_k}{u_k}\,\exp\!\left(-24\left(\dfrac{D_k}{2\sigma/\rho}\right)^{2}\right), & u_k \ge \dfrac{D_k}{\sigma/\rho} \\[2ex] \dfrac{1}{2\pi}\cdot\dfrac{1-u_k}{u_k}\,\exp\!\left(-6\left(3u_k + \dfrac{D_k}{\sigma/\rho}\right)\right), & u_k < \dfrac{D_k}{\sigma/\rho} \end{cases}$$

The end-to-end deadline violation probability along a route $R$ can be bounded by [2]

$$P\left\{d_{e2e} > \sum_{k \in R} D_k\right\} \le 1 - \prod_{k \in R}\left(1 - P\{d_k > D_k\}\right),$$

which depends on the link utilization $u_k$ and on the voice traffic parameters, the burst size $\sigma$ and the average rate $\rho$.

The main task of the site utilization computation submodule is to optimize the overall bandwidth utilization between sites, defined in [2] as

$$\text{Maximize } \sum_{R} u_R \quad \text{(overall bandwidth)}$$

$$\text{subject to } \sum_{R:\, k \in R} u_R \le u_k \quad \text{for every link } k,$$

i.e. the bandwidth preallocated to each pair of sites is constrained by the bandwidth limits of the links it traverses.

The major advantage demonstrated by this scheme over other QoS design mechanisms is that it has been integrated experimentally with an existing VoIP system, the Cisco VoIP system, and a satisfactory QoS level has been observed, whereas Cisco systems currently perform resource preallocation in an ad hoc manner, so no QoS can be guaranteed [20].

4. Security Issues in VoIP
Security issues fall into three categories, confidentiality, integrity and availability; in other words, current VoIP systems have to make compromises on these factors. Confidentiality threats include exposing the contents of a conversation between two parties; integrity threats concern the ability to trust the identity of a caller, the content of a message, the identity of the recipient, or the call record logs [41]; availability threats impact the ability to initiate a session.

A denial of service (DoS) attack prevents the VoIP system from operating normally, so that no user is able to make or receive a call. Eavesdropping is the leakage of someone's conversation through secret monitoring by the attacker. In this process the attacker can collect data from both parties involved in the call,
avoid a trust bottleneck [26]. In [27] it is suggested to place the nodes at diametrically opposite IDs in the distributed hash table (DHT) ID space. With diametrically opposite IDs the nodes are placed furthest apart, and attackers need more resources to attack two positions far apart.

5.2. Loss of Data Integrity
This is described as the insertion of wrong information or corrupted chunks of data in file sharing applications [27]. For file sharing, the corrupted data are the files themselves, which are publicly available, and each user usually looks for thousands of files stored in the DHTs. In real-time communication, users register only a limited number of locations at a time and the overlays use only a portion of the available resources. Attackers need very little to pollute these few locations, which results in a significant reliability problem. In conventional peer-to-peer overlays, protocols such as BitTorrent use moderators to remove bogus files and use the SHA-1 algorithm to verify the integrity of each piece of a file against its hash [27, 28].

manipulate the session timer and act both as UAC and UAS, sending SIP INVITEs to initiate an attack. The proxy servers hold resources according to the session timer; this lets the attacker disconnect from the network and, if the timer is long, initiate another session after some time and reserve further resources on the proxy servers. Thus the capacity of the SIP proxy servers to process normal messages is severely hampered, leading to denial of service. In [30], normality tests are performed on the observed sequence of session timer values; under attack the timer values can hardly be characterized, so a threshold is determined statistically. If the timer statistics exceed the threshold, the session is rejected on the assumption that an attack has been detected. A DoS attack can also be mounted against a particular node by bombarding it with a huge number of queries; to mitigate this, [29] proposes that peer nodes vary the target nodes used in their queries.

5.5. Man in the Middle Attack
When malicious nodes return the IDs of other malicious nodes when queried for a particular ID, this is known as a man in the middle attack. When the requester establishes a session with the malicious
node, it gives a poisoned reply, and this can go on and on [26]. A not very effective approach to solving this is presented in [32]: employ iterative routing and check the ID of every routing hop, so that the lookup is finally expected to reach the desired node.

5.6. Flooding Attack
In [32] it is explained that the SIP protocol lets an incoming request branch into multiple outgoing requests, each for a different UAS. Fewer than ten messages can generate $2^{71}$ messages, producing a massive flooding attack with valid SIP requests [33]. SIP routing proceeds from proxy to proxy based on the routing headers, but this process possesses vulnerabilities such as the following [34]:

- attackers can manipulate routing headers;
- proxy servers route without call-route or global route knowledge;
- the HTTP digest based authentication that protects SIP messages is not an end-to-end security model, as intermediate proxies change certain fields;
- in this kind of SIP authentication mechanism only a few SIP fields are protected, leaving most of them, along with the messages themselves, unprotected while they are routed through proxies.

In [32], a language dedicated to attack recognition called VeTo has been presented. VeTo has three features

encrypted voice stream with a 50% average accuracy and 90% for certain phrases.

6. Conclusion
In this article we have presented a brief survey of two factors essential to VoIP systems: ensuring quality of service and ensuring security, or confidentiality, throughout the end-to-end communication system. The implementation of QoS is moving towards a more satisfactory level day by day, but VoIP deployment still faces great challenges regarding malicious attacks and requires numerous countermeasures, which will have to be a continuous process for future implementations. Although there are standards for VoIP protocols and services, security management of VoIP systems requires the continued evolution of these services and protocols to tighten security. We conclude the paper hoping that the survey can ease the task of conducting further research in VoIP security and QoS enhancement.

7. References
[1] "One-Way Transmission Time (Recommendation G.114)," Int'l Telecomm. Union (ITU), 1996.
[2] S. Wang, Z. Mai, D. Xuan and W. Zhao, "Design and Implementation of QoS-Provisioning System for Voice over
[11] J. Yu, S. Choi and J. Lee, "Enhancement of VoIP over IEEE 802.11 WLAN via dual queue strategy," in Proc. ICC 2004.
[12] Y. Xiao, "Concatenation and Piggyback Mechanisms for the IEEE 802.11 MAC," IEEE WCNC, 2004.
[13] A. Jain, M. Gruteser, M. Neufeld and D. Grunwald, "Benefits of packet aggregation in ad-hoc wireless network," Tech. Rep. CU-CS-960-03, Department of Computer Science, University of Colorado at Boulder, 2003.
[14] W. Wang, S. C. Liew and V. O. K. Li, "Solutions to Performance Problems in VoIP Over a 802.11 Wireless LAN," IEEE Trans. Vehicular Tech., vol. 54, no. 1, pp. 366-384, Jan. 2005.
[15] H. P. Sze, S. C. Liew, J. Y. B. Lee and D. C. S. Yip, "A multiplexing scheme for H.323 voice over IP application," IEEE J. Sel. Areas Commun., vol. 20, no. 9, pp. 1360-1368, Sep. 2002.
[16] J. Kuri and S. K. Kasera, "Reliable multicast in multi-access wireless LANs," Proc. INFOCOM '99, vol. 2, pp. 760-767, Mar. 1999.
[17] M. T. Sun, L. Huang, A. Arora and T. H. Lai, "Reliable MAC layer multicast in IEEE 802.11 wireless networks," Proc. Int. Conf. Parallel Processing, Aug. 2002, pp. 527-536.
[18] K. Tang and M. Gerla, "MAC layer broadcast support in 802.11 wireless networks," Proc. MILCOM '00, vol. 1, pp. 544-548, Oct. 2000.
[19] S. Wang, D. Xuan, R. Bettati and W. Zhao, "Providing Absolute Differentiated Services for Real-Time Applications in Static-Priority Scheduling Networks," IEEE/ACM Trans. Networking, vol. 12, no. 2, pp. 326-339, 2004.
[20] J. Davidson et al., Deploying Cisco Voice over IP Solutions. Cisco Press, 2002.
[21] R. Baumann, S. Cavin and Schmid, "Voice Over IP - Security & SPIT," KryptDet Report FU Br 41, Swiss Army, Aug./Sep. 2006.
[22] A. D. Keromytis, "A Comprehensive Survey of Voice over IP Security Research," IEEE Commun. Surveys Tutorials, vol. 14, no. 2, 2012.
[23] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek and H. Balakrishnan, "Chord: A scalable peer-to-peer lookup service for internet applications," SIGCOMM, 2001.
[24] P. Maymounkov and D. Mazières, "Kademlia: A peer-to-peer information system based on the XOR metric," First International Workshop on Peer-to-Peer Systems, Mar. 2002.
[25] A. Rowstron and P. Druschel, "Pastry: Scalable, distributed object location and routing for large scale peer-to-peer systems," 18th IFIP/ACM International Conference on Distributed Systems Platforms (Middleware 2001), Nov. 2001.
[26] G. Danezis, C. Lesniewski-Laas, M. F. Kaashoek and R. Anderson, "Sybil-resistant DHT routing," Tenth European Symposium on Research in Computer Security, vol. 3679, Sep. 2005.
[27] D. Chopra, H. Schulzrinne, E. Marocco and E. Ivov, "Peer-to-Peer Overlays for Real-Time Communication: Security Issues and Solutions," IEEE Commun. Surveys Tutorials, vol. 11, no. 1, pp. 4-12, 2009.
[28] X. Zhang, S. Chen and R. Sandhu, "Enhancing data authenticity and integrity in P2P systems," IEEE Internet Computing, Sep. 2005.
[29] J. Seedorf, "Using cryptographically generated SIP-URIs to protect the integrity of content in P2P-SIP," VoIP Security Workshop, Jun. 2006.
[30] J. Tang, Y. Hao, Y. Cheng and C. Zhao, "Detection of Resource-Drained Attacks on SIP Based Wireless VoIP Networks," in Proc. IEEE Globecom 2010.
[31] W.-K. Poon and R. K. C. Chang, "Robust forwarding in structured peer-to-peer overlay networks," SIGCOMM, Aug. 2004.
[32] A. Lahmadi and O. Festor, "VeTo: An Exploit Prevention Language from Known Vulnerabilities in SIP Services," IEEE/IFIP Network Operations and Management Symposium (NOMS 2010), pp. 216-223.
[33] R. Sparks, S. Lawrence, A. Hawrylyshen and B. Campen, "Addressing an Amplification Vulnerability in Session Initiation Protocol (SIP) Forking Proxies," RFC 5393 (Proposed Standard), Dec. 2008.
[34] D. Schwartz and J. Barkan, "End-to-end route management in session initiation protocol," http://tools.ietf.org/html/draft-schwartz-sip-routing-management-00, Feb. 2006.
[35] A. Lahmadi and O. Festor, "SecSip: A stateful firewall for SIP-based networks," in Proc. 11th IFIP/IEEE International Symposium on Integrated Network Management (IM 2009), Jun. 2009.
[36] A. Lahmadi and O. Festor, "VeTo: Reference Manual," Technical Report, Loria-INRIA Nancy Grand Est Research Center, Jul. 2009.
[37] M. Baugher, D. McGrew, M. Naslund, E. Carrara and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)," RFC 3711 (Proposed Standard), Mar. 2004. [Online] Available: http://www.ietf.org/rfc/rfc3711.txt
[38] T. Takahashi and W. Lee, "An Assessment of VoIP Covert Channel Threats," in Proc. 3rd International Conference on Security and Privacy in Communications Networks (SecureComm), pp. 371-380, Sep. 2007.
[39] C. V. Wright, L. Ballard, F. N. Monrose and G. M. Masson, "Language Identification of Encrypted VoIP Traffic: Alejandro y Roberto or Alice and Bob?," in Proc. 16th USENIX Security Symposium, pp. 1-12, Aug. 2007.
[40] C. V. Wright, L. Ballard, F. N. Monrose and G. M. Masson, "Spot Me If You Can: Recovering Spoken Phrases in Encrypted VoIP Conversations," in Proc. IEEE Symposium on Security and Privacy, pp. 35-49, May 2008.
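As an added example, not code from the paper or from [30], the statistical threshold on session timer values described in section 5 for resource-drain (session timer manipulation) attacks can be realized as follows. The SIP INVITE messages, the baseline timer values and the mean-plus-three-standard-deviations rule are constructed assumptions; [30] derives its threshold from normality tests on observed timer sequences, and this example only reproduces the parse-threshold-reject step on a proxy.

```python
"""Added example, not code from the paper or from [30]: reject SIP INVITEs whose
negotiated session timer (Session-Expires, RFC 4028) lies far above the values
seen in normal traffic, so an attacker cannot park long-lived refresher state
on the proxy.  Messages, baseline values and the threshold rule are constructed
assumptions."""
import re
import statistics

# Session-Expires header; 'x' is its compact form (RFC 4028).
SESSION_EXPIRES = re.compile(r"^(?:Session-Expires|x):\s*(\d+)", re.I | re.M)


def session_expires(invite: str):
    """Return the Session-Expires value (seconds) of a SIP INVITE, or None
    when the request carries no session timer."""
    m = SESSION_EXPIRES.search(invite)
    return int(m.group(1)) if m else None


def learn_threshold(baseline, k=3.0):
    """Threshold from timer values observed in normal traffic: mean + k*stdev
    (assumption: normal refresh intervals cluster tightly around the
    configured value, so anything k deviations above it is suspicious)."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def classify(invite: str, threshold: float) -> str:
    """'reject' an INVITE whose timer exceeds the learned threshold, else 'accept'.
    Without a timer the proxy keeps no refresher state, so nothing to drain."""
    se = session_expires(invite)
    if se is None:
        return "accept"
    return "reject" if se > threshold else "accept"


def make_invite(session_expires_s: int, refresher: str = "uac") -> str:
    """Build a minimal constructed INVITE carrying a session timer."""
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            "From: <sip:alice@example.net>;tag=1928301774\r\n"
            "To: <sip:bob@example.net>\r\n"
            "Supported: timer\r\n"
            f"Session-Expires: {session_expires_s};refresher={refresher}\r\n"
            "Content-Length: 0\r\n\r\n")


# Constructed baseline: timer values negotiated by legitimate calls (seconds).
BASELINE = [1800, 1800, 1900, 1750, 1800, 2000, 1850, 1800]
THRESHOLD = learn_threshold(BASELINE)       # about 2075 s for this baseline


def run():
    """Classify a normal, a slightly long and an attacker-sized timer."""
    return {se: classify(make_invite(se), THRESHOLD) for se in (1800, 2000, 86400)}
```

An INVITE asking for a one-day timer (86400 s) is rejected while the 1800 s and 2000 s requests pass; a production proxy would also re-learn the baseline periodically and cap the value it accepts with Min-SE and a configured maximum rather than relying on the statistic alone.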