Can I Add a Secure VoIP Call?

Arlen Nascimento, Alexandre Passito, Edjair Mota, Edson Nascimento, Leandro Carvalho
Computer Science Department, Federal University of Amazonas
Manaus, Amazonas - Brazil
Email: {aon1,passito,edjair,edson,galvao}@dcc.ufam.edu.br

Abstract— Voice over IP is a major trend in applications for wireless networks, but it is not immune to the risks usually associated with IP networks. Solutions for VoIP security are already on the market, but they must take into account the real-time constraint of voice service, and their mechanisms should address possible attacks and the overhead associated with them. One such solution is to use IETF IPSec to guarantee confidentiality and so address security design holes of wireless VoIP networks. This article performs an experimental comparison of the impact of encryption mechanisms on speech quality in two widely deployed wireless technologies: 802.11 and Bluetooth. It evaluates the upper bound on the number of simultaneous VoIP calls that can be placed in a single cell of both networks when security is applied, and uses the E-Model computational model to assess the quality of service quantitatively.

I. INTRODUCTION

Wireless local (WLAN) and wireless personal (WPAN) area networks are increasingly being used to implement VoIP services. The main motivations for using these architectures are user mobility, setup flexibility, increasing transmission rates and low cost, although this convergence depends on solving several technical problems [1]. Supporting reliable real-time service is one of the major concerns for wide deployment of VoIP in these wireless IP-based networks, and security is now receiving the attention of researchers.

The problem of offering security in WLANs and WPANs is that security does not come for free: security and efficiency are conflicting requirements. Introducing a security mechanism such as the IPSec encryption engine to overcome these issues directly impacts the speech quality of established calls and the channel capacity. Moreover, widely deployed radio technology standards such as IEEE 802.11 and Bluetooth have several constraints when delivering real-time traffic, such as transmission errors on the channel, which introduce delay and loss that, combined with the impact of security mechanisms, can lead to low-quality VoIP calls. Although these technologies offer some security mechanisms (e.g. RC4, the E0 stream cipher), they have flaws that need to be addressed by an additional level of security. In this paper we focus on the IPSec protocol to achieve data confidentiality because of its wide deployment and its implementation of many encryption algorithms.

An IEEE 802.15.1 Bluetooth Wireless Personal Area Network is developed and the nodes are connected to an Ethernet backbone by means of a Network Access Point (NAP). An IEEE 802.11b WLAN is also implemented and extensive experiments with VoIP calls are carried out in both networks. To measure the real impact of security and validate the reliability of WPAN and WLAN for carrying voice content, we used a measurement tool based on the E-Model computational model. The output of the E-Model can be converted to a MOS (Mean Opinion Score) rating, which evaluates speech quality on a scale from 1 (poor quality) up to 5 (excellent).

An evaluation of 802.11 network capacity supporting VoIP calls was conducted in [1], [2], [3]. It was concluded that channel capacity depends strongly on the choice of VoIP codec and the length of the audio payload. This paper presents a deeper analysis than the preliminary results in [4], which evaluated VoWLAN, and extends the experiments to Bluetooth networks, assessing the impact of IPSec on VoIP call quality and quantifying the number of VoIP call connections that can be made in both technologies.

The paper is organized as follows: Section II presents the experiments conducted. Section III presents the measurement results. Section IV gives final remarks.

II. EXPERIMENTS

The experiments were carried out in the scenario described in Fig. 1. This scenario is composed of one BSS and one PICONET interconnected by a fixed backbone.

Fig. 1. BSS and PICONET scenarios for wireless VoIP.

Proceedings of the 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM'06) 0-7695-2593-8/06 $20.00 © 2006 IEEE

The BSS was deployed using an 802.11b access point and two mobile hosts with attached wireless cards. These wireless cards were configured with a fixed bit rate of 11 Mbps and infrastructure operation mode. The PICONET contained two active slaves and two parked slaves. A Bluetooth access point (master) was configured to offer connectivity to all nodes. In both scenarios, mobile stations were configured with VoIP software. Since we used the H.323 platform to implement voice service, the clients used the Ohphone softphone from the Open H.323 Project to receive calls on one side and Callgen323 to generate calls on the other side. Callgen is a call generator that uses a pre-recorded audio file as input and sends it as a phone call to another VoIP client.

The voice extracted from the pre-recorded file was coded with the G.711 μ-Law codec, in frames of 30 ms per packet. The G.711 bit rate is 64 kbps, without headers. The RTP, UDP and IP headers sum to a total of 40 bytes. The bandwidth required by each voice channel was about 75 kbps. Each mobile station was upgraded with the speech quality evaluation tool.

In the first scenario, using the BSS, the channel (Mobile host1 to Mobile host2) was implemented with IPSec using Linux kernel version 2.6.8. The same was done for the second scenario, in the PICONET, for the channel (Active slave1 to Active slave2). During the experiments we alternately switched IPSec (tunnel mode and ESP) on and off between measurements, in order to compare speech quality with and without IPSec. Two encryption algorithms were used when IPSec was on, Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES), both with a 192-bit key length.

Our first step was to establish calls between the indicated mobile stations in the BSS and the PICONET. Callgen323 generated voice traffic on one side and sent it to the destination. We collected a set of 100 samples of 3-minute calls for both scenarios. Afterwards, we also evaluated the impact of simultaneous connections in terms of MOS degradation.

III. RESULTS AND DISCUSSION

Fig. 2 presents the average MOS score obtained for each IPSec configuration in both scenarios. As the figure shows, the speech quality is up to 4.25 when VoIP traffic is not protected by IPSec in both scenarios. When IPSec encryption is applied to the traffic, the speech quality decreases to values as low as 4.0 if AES is used and 3.9 in the case of 3DES. Looking at the rightmost bar in Fig. 2, we can observe that for the BSS scenario the MOS score for 3DES is 3.39, which is below the minimum score required for good speech quality (3.5).

To evaluate the impact of IPSec on channel capacity, we ran several experiments establishing simultaneous calls between mobile stations in the BSS and PICONET scenarios using Callgen323. These results are summarized in Fig. 3 and Fig. 4. The results presented in Fig. 3 and Fig. 4, including the differences between implementations with and without IPSec, can be explained by constraints related to security overhead, such as packet size expansion, ciphering latency and a lack of QoS urgency in the cryptographic engine.

Fig. 2. MOS average score for BSS and PICONET. [Bar chart: MOS score (0 to 4.5) for the Bluetooth and 802.11b scenarios without IPSec, with AES-CBC and with 3DES-CBC.]

Fig. 3. Maximum number of connections for BSS. [Plot: average MOS score versus number of calls (2 to 25) for Without Security, AES-CBC and 3DES-CBC.]

Fig. 4. Maximum number of connections for PICONET. [Plot: average MOS score versus number of calls (2 to 13).]

Two factors in the E-Model can be used to analyze the results. The first is the Ie factor. When IPSec in tunnel mode is applied, the ESP header is added to the voice packet. This increases the ratio of header size to payload size, reducing the effective bandwidth. Observing the established calls, we noticed an increase in packet loss with IPSec compared to without it, due to this new packet size. This packet loss negatively influenced the computation of the Ie impairment factor.
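The packet size expansion described above can be worked through for the paper's G.711 stream (30 ms frames, 40 bytes of RTP/UDP/IP headers). This is an added example, not code from the paper: the function names are hypothetical, the ESP layout follows RFC 4303, and the absence of an ESP integrity tag is an assumption because the paper does not say whether authentication was enabled.

```python
# Added example: per-packet cost of ESP tunnel mode for the G.711 stream.
# Link-layer (802.11 / Bluetooth) framing is not counted.

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
RTP_UDP_IP = 40    # header total stated in the paper

# CBC ciphers: the IV length equals the cipher block size.
CIPHERS = {"AES-CBC": 16, "3DES-CBC": 8}


def voice_packet_len(codec_bps=64_000, frame_ms=30):
    """Bytes of one unencrypted IP packet: codec payload + RTP/UDP/IP."""
    payload = codec_bps * frame_ms // 8000
    return payload + RTP_UDP_IP


def esp_tunnel_len(inner_len, block, icv_len=0):
    """Bytes of the IP packet after ESP tunnel-mode encapsulation.

    icv_len is the integrity tag length; 0 is an assumption (see lead-in).
    """
    pad = -(inner_len + ESP_TRAILER) % block   # pad ciphertext to a full block
    ciphertext = inner_len + pad + ESP_TRAILER
    return OUTER_IP + ESP_HDR + block + ciphertext + icv_len


def stream_kbps(packet_len, frame_ms=30):
    """IP-layer bandwidth of one direction of a call."""
    return packet_len * 8 / frame_ms


def overhead_table(frame_ms=30):
    """(label, bytes per packet, kbps, header share) per configuration."""
    inner = voice_packet_len(frame_ms=frame_ms)
    payload = inner - RTP_UDP_IP
    rows = [("Without IPSec", inner)]
    rows += [(name, esp_tunnel_len(inner, blk)) for name, blk in CIPHERS.items()]
    return [(n, size, round(stream_kbps(size, frame_ms), 1),
             round(1 - payload / size, 3)) for n, size in rows]


if __name__ == "__main__":
    for frame in (10, 30):   # shorter frames make the fixed overhead weigh more
        for row in overhead_table(frame):
            print(frame, "ms", row)
```

For the 30 ms stream this gives 280 bytes per packet without IPSec (about 75 kbps, matching the figure in the text), 332 bytes with AES-CBC and 324 bytes with 3DES-CBC.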


The second E-Model parameter that reflects the IPSec overhead is the Id impairment factor. This factor is derived from all delays in the VoIP system. The higher the total delay, the higher the Id value, leading to lower MOS values. When IPSec is applied, each small voice packet must be encrypted and decrypted. This encryption-engine processing is very time-consuming, and the latency it introduces is a severe bottleneck that affects the final speech quality at the receiver. To improve the quality we must choose a computationally simple algorithm that achieves better throughput and reduces latency. But there is a trade-off between speed and security, because most of the lighter algorithms are not considered secure. Fig. 5 presents the differences in the delay introduced by the encryption engine. The graph shows that 3DES introduced a higher delay, while the scenario without IPSec stayed at an acceptable value.
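How delay (Id) and loss (Ie) combine into a MOS value, and how much one-way delay a call can absorb before dropping below the 3.5 threshold mentioned earlier, can be sketched with a reduced E-Model. This is an added example, not the measurement tool used in the paper: it assumes the G.107 default base rating of 93.2, the G.107 R-to-MOS mapping and the Cole and Rosenbluth curve fits for Id and for G.711 Ie; the function names and loss rates are constructed for illustration.

```python
# Added example: reduced E-Model (assumed fits, see lead-in), not the paper's tool.
import math

R_BASE = 93.2   # G.107 rating with all parameters at their defaults


def r_to_mos(r):
    """ITU-T G.107 mapping from the rating factor R to MOS, clamped to 1..4.5."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return max(1.0, 1 + 0.035 * r + r * (r - 60) * (100 - r) * 7e-6)


def delay_impairment(delay_ms):
    """Id as a function of one-way mouth-to-ear delay (Cole-Rosenbluth fit)."""
    knee = max(0.0, delay_ms - 177.3)      # extra penalty past about 177 ms
    return 0.024 * delay_ms + 0.11 * knee


def loss_impairment_g711(loss):
    """Ie for G.711 under random loss (Cole-Rosenbluth fit); loss is a fraction."""
    return 30.0 * math.log(1 + 15.0 * loss)


def mos(delay_ms, loss=0.0):
    """MOS for a given one-way delay and packet loss fraction."""
    r = R_BASE - delay_impairment(delay_ms) - loss_impairment_g711(loss)
    return r_to_mos(r)


def delay_budget_ms(target_mos=3.5, loss=0.0, hi=2000.0):
    """Largest one-way delay that still meets target_mos, by bisection.

    Returns 0.0 when the loss alone already puts MOS below the target.
    """
    if mos(0.0, loss) < target_mos:
        return 0.0
    lo = 0.0
    for _ in range(60):                    # mos() is non-increasing in delay
        mid = (lo + hi) / 2
        if mos(mid, loss) >= target_mos:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for loss in (0.0, 0.01, 0.03):         # constructed loss rates
        print(f"loss={loss:.0%} budget={delay_budget_ms(loss=loss):.0f} ms")
```

Every millisecond the encryption engine adds comes out of this budget, and the budget shrinks as packet loss rises.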

Fig. 5. Delay related with each packet in a whole call. [Plot: delay in ms (0 to 300) versus number of packets (0 to 4400) for Without Security, AES-CBC and 3DES-CBC.]

If we add different background traffic to this scenario, there will be a severe problem with the encryption-engine scheduler. These schedulers have no way to give priority to VoIP traffic, which can impose a greater delay if other data traffic is already in the FIFO queue of the encryption scheduler. Fig. 6 presents an illustration of the absence of packet type selection and the FIFO implementation in the encryption engine. The values D1 and D2 represent the delays added to the voice packets by the encryption and by the packet header reconstruction.

Fig. 6. Bluetooth protocol stack. [Diagram labels: Voice, Data, Encryption Engine, D1, D2, New IP Header, Encrypted.]

This problem can lead to an even worse performance of both algorithms and a better performance of the 3DES than AES, because it takes less time to encrypt packets. The time needed to build the new headers (IP and ESP header) is also computed as an additional delay by the Id impairment factor. As expected, the average MOS decreases as the number of simultaneous calls increases, but we can notice that the IPSec overhead strongly decreases this number compared with calls established without security. This is due to the factors presented earlier concerning delay and packet size expansion. Table I summarizes the maximum number of VoIP connections in both scenarios. Notice that although the Bluetooth PICONET achieved better average MOS scores, as presented in Fig. 2, its maximum number of connections was much lower than that of the BSS.

TABLE I. OVERVIEW OF CHANNEL CAPACITY

|               | 802.11b | Bluetooth |
| Without IPSec | 10      | 6         |
| AES-CBC       | 8       | 4         |
| 3DES-CBC      | 6       | 4         |

IV. CONCLUSION

We concluded that a QoS tool based on the E-Model is an efficient and objective way to evaluate the impact of IPSec on VoIP traffic. This tool can easily be used in a BSS or PICONET environment, where measuring speech quality is especially necessary because of the behavior of the wireless channel. Future work should investigate implementing an evaluation tool that uses not only the H.323 project but also SIP (Session Initiation Protocol). Another idea would be to implement evaluating agents that could be used to select more appropriate security parameters for the network.

ACKNOWLEDGMENT

The authors would like to thank Enterasys Networks and Nokia Institute of Technology.

REFERENCES

[1] W. Wang, S. Liew and V. Li, Solutions to Performance Problems in VoIP Over a 802.11 Wireless LAN. IEEE Transactions on Vehicular Technology, Vol. 54, No. 1, 2005.
[2] S. Garg and M. Kappes, Can I add a VoIP call? Proceedings of the IEEE International Conference on Communications. Spain, 2003, pp. 779-783, vol. 2.
[3] D. Hole and F. Tobagi, Capacity of an IEEE 802.11b wireless LAN supporting VoIP. Proceedings of IEEE International Conference on Communications. 2004, pp. 196-201.
[4] A. Passito, et al., Evaluating Voice Speech Quality in 802.11b Networks with VPN/IPSec. Proceedings of the XIII IEEE International Conference on Networks, 2005, pp. 151-155, vol. 1.
[5] R. Barbieri, D. Bruschi and E. Rost, Voice over IPSec: Analysis and Solutions. Proceedings of 18th Annual Computer Security Applications Conference (ACSAC). 2002.
[6] A. Passito, et al., Performance evaluation of VoIP traffic using IPSecurity protocol. Proceedings of I Workshop on Computer Science and Information Systems, Brazil, 2004 (in Portuguese).
[7] ITU-T Recommendation G.107, The E-model, a computational model for use in transmission planning. Mar. 2003.
[8] L. Carvalho, et al., An E-Model implementation for speech quality evaluation in VoIP systems. Proceedings of IX IEEE Symposium on Computers and Communications. Spain, 2005.
[9] OpenH323 Project. http://www.openh323.org/
