Investigation of Media Streaming Service in Secure Access Network Binod Vaidya Institute of Engineering Tribhuvan University Nepal

Introduction
With the growth of the Internet and high-speed access links, Internet users can enjoy large amounts of web content. At the same time, multimedia streaming services are becoming popular over the Internet. Wireless access networks as well as mobile networks are becoming popular for providing IP-based multimedia streaming services. With the rise of multimedia and network technologies, multimedia has become an indispensable feature of the Internet. Animation, voice and video clips are becoming more and more popular on the Internet.

Introduction
Multimedia networking applications such as Internet telephony, Internet TV and video conferencing have appeared on the market. Other multimedia products have appeared in distance learning, distributed simulation, distributed work groups and other areas. Streaming services, however, present a lot of challenges for network engineers. Streaming services require a certain amount of bandwidth to ensure the bit rate needed by each media stream, and strict limits on delay variation to avoid buffer underflow at streaming clients.

Architectural Model
The architectural model comprises a service provider, an IP backbone network and wireless access networks.
The service provider offers multimedia streaming services.
The IP backbone network is a public network such as the Internet.
The wireless access networks provide access to mobile users.
As the service provider provides audio and video streaming services, a secure channel such as a VPN is created over the public IP network.

Architectural Model

Security Issues: IP Tunneling
Due to interest in emerging scenarios such as wireless access networks and mobile IP environments, some tunneling technologies have been introduced. Currently there are four primary tunneling protocols relevant to VPNs:
Layer 2 Tunneling Protocol (L2TP) Tunnel
Layer 2 Forwarding (L2F) Tunnel
IP Security (IPSec) Tunnel
Generic Route Encapsulation (GRE) Tunnel

Security Issues: IPSec
IPSec is a suite of protocols “designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6”. IPSec provides security services such as access control, data integrity, authentication, confidentiality (encryption) and replay protection to the IP layer as well as the layers above. IPSec can protect one or more paths between two pairs of hosts, between a pair of security gateways, or between a host and a security gateway. A Security Association (SA) is a “simplex connection that affords security services to traffic carried by it”. An SA is uniquely identified by a Security Parameter Index (SPI), an IP destination address and a security protocol.

Security Issues: IPSec
Authentication Header (AH) and Encapsulating Security Payload (ESP) are the security protocols provided by IPSec to form SAs. AH provides connectionless integrity, data origin authentication and an optional anti-replay service. ESP may provide confidentiality and limited traffic flow confidentiality, as well as all the functionality provided by AH. These protocols can be used alone or in combination.

Security Issues: IPSec
IPSec supports two modes of use: transport mode and tunnel mode. Transport mode provides protection primarily for upper layer protocols; tunnel mode is used to encapsulate IP packets. If the path to protect ends at a security gateway (SG), tunnel mode must be used. Transport mode can only be used when communicating host to host. Each SA defines the algorithms for encryption, authentication, hash and key exchange (attributes) used to protect a particular path.

Security Issues: Generic Route Encapsulation (GRE)
GRE tunnels allow any protocol to be tunneled in an IP packet. This feature allows the Type of Service bits to be copied to the tunnel header when a router encapsulates packets using GRE. GRE encapsulates traffic with new packet headers to ensure delivery to specific destinations. The network is considered private because traffic normally enters the tunnel only at the beginning and endpoint of the tunnel. Although limiting traffic access in this manner may make the network private, it does not provide message confidentiality or integrity.

Security Issues: Generic Route Encapsulation (GRE)
Performance benefits of GRE tunneling:
GRE reduces the size and complexity of the Access Control List (ACL) used for traffic matching.
GRE speeds up traffic flow.
GRE used with a routing protocol can significantly reduce the time taken by IPsec keep-alive messages to detect a tunnel outage and optionally fail over to a different tunnel.
There are several benefits of using GRE and IPsec on the same router:
GRE tunnels support transporting IP multicast and broadcast packets to the other end of the GRE tunnel.
A GRE tunnel packet is an IP unicast packet, so the GRE packet can be encrypted using IPsec.
In this scenario, GRE does the tunneling work and IPsec does the encryption part of supporting the VPN network.

Quality of Service Issues
When delivering real-time applications, QoS protocols must be adopted in order to meet requirements on transmission parameters such as transmission delay, delay variation and buffering delay. QoS protocols try to meet the imposed requirements using different features such as packet classification, queuing mechanisms, traffic shaping, header compression, congestion avoidance strategies and resource reservation protocols. Real-time service will enable IP networks to provide QoS to multimedia applications. It is a comprehensive approach to providing applications with the type of service they need and in the quality they choose.

Quality of Service Issues: Real-time Transport Protocol
RTP is an IP-based protocol providing support for the transport of real-time data such as video and audio streams. Services provided by RTP include time reconstruction, loss detection, security and content identification. RTP can be used for one-way transport such as video-on-demand as well as interactive services such as Internet telephony. RTP is designed to work in conjunction with the auxiliary control protocol RTCP to get feedback on the quality of data transmission and information about participants in an ongoing session.

Quality of Service Issues: Real-time Transport Protocol
RTP provides end-to-end delivery services for data with real-time characteristics, such as interactive audio and video. RTP does not address resource reservation and does not guarantee quality of service for real-time services. It can be used over unicast or multicast networks. RTP itself, however, does not provide all of the functionality required for the transport of data and, therefore, applications usually run it on top of a transport protocol such as UDP.
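How the RTP fixed header supports the content identification, loss detection and time reconstruction listed above, as an added example that is not part of the original slides: it parses the 12-byte header, counts sequence gaps, and computes the interarrival jitter estimate defined in RFC 3550. The packets and arrival times are constructed, and the function names are hypothetical.

```python
import struct

def build_rtp(seq, ts, pt=0, ssrc=0x1234ABCD, payload=b"\xff" * 160):
    """Constructed sample packet: RTP v2, no padding/extension/CSRC, PT 0 = PCMU (G.711)."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, ts, ssrc) + payload

def parse_rtp(data):
    """Parse the 12-byte fixed RTP header."""
    if len(data) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq, "ts": ts, "ssrc": ssrc}

def receiver_stats(arrivals, clock_hz=8000):
    """arrivals: (arrival_time_seconds, raw_packet) tuples in arrival order.
    Assumes the 32-bit timestamp does not wrap within the sample."""
    lost, jitter, prev_transit, expected = 0, 0.0, None, None
    payload_types = set()
    for t, raw in arrivals:
        h = parse_rtp(raw)
        payload_types.add(h["pt"])            # content identification
        if expected is not None:
            gap = (h["seq"] - expected) & 0xFFFF
            if gap >= 0x8000:
                continue                      # late or duplicate packet: ignore it
            lost += gap                       # loss detection from the sequence gap
        expected = (h["seq"] + 1) & 0xFFFF    # 16-bit sequence number wraps
        transit = t * clock_hz - h["ts"]      # relative transit time in clock ticks
        if prev_transit is not None:
            # RFC 3550 running estimate: J += (|D| - J) / 16
            jitter += (abs(transit - prev_transit) - jitter) / 16
        prev_transit = transit
    return {"lost": lost, "jitter_ms": jitter / clock_hz * 1000,
            "payload_types": sorted(payload_types)}

def sample_arrivals():
    """Constructed 20 ms G.711 stream: sequence wraps, one packet missing, one 4 ms late."""
    out = []
    for i, seq in enumerate([65534, 65535, 0, 1, None, 3]):
        if seq is None:
            continue                          # this packet never arrives
        late = 0.004 if seq == 1 else 0.0
        out.append((i * 0.020 + late, build_rtp(seq, i * 160)))
    return out
```
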

Quality of Service Issues: Compressed RTP
As networks evolve to provide more bandwidth, applications, services and consumers of those applications all compete for that bandwidth. For wireless networks, with their high bit error rates and high latency, it is difficult to attain the high bandwidths required. When all these factors are taken into account, it means that the available resources must be used as efficiently as possible. In Voice over IP, interactive games, messaging, etc., the payload of an IP packet is almost the same size as or even smaller than the header. IP header compression also provides other important benefits, such as a reduction in packet loss and improved interactive response time.

Quality of Service Issues: Compressed RTP
The existing standard for compressing IP/UDP/RTP headers is Compressed Real-time Transport Protocol (CRTP). It compresses headers over a single link by maintaining a ‘context’, which is essentially the full version of the last header transmitted over the link, at both ends of the link and transmitting only the differences between consecutive headers. When a packet is lost between compressor and decompressor, the context of the decompressor is not updated properly, and decompression will fail. To deal with such problems, CRTP has a context repair mechanism which relies on signaling. CRTP thus performs very badly when error rates are high, as each lost packet is accompanied by several packets being lost due to context mismatch.
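The context mismatch described above, as an added example that is not part of the original slides: a simplified model of delta header compression (not the CRTP wire format) in which one packet lost on the link makes the decompressor discard every following packet until a full header arrives. The class names, the three header fields and the `repair_delay` parameter (packets sent before the repair signal reaches the compressor) are assumptions of this sketch.

```python
FIELDS = ("ip_id", "rtp_seq", "rtp_ts")   # header fields that change per packet

class Compressor:
    def __init__(self):
        self.ctx = None           # last header sent over the link
        self.link_seq = 0         # 4-bit per-link counter so the peer can detect loss
        self.force_full = True    # the first packet must carry a full header

    def compress(self, hdr):
        self.link_seq = (self.link_seq + 1) % 16
        if self.force_full:
            pkt, self.force_full = ("FULL", self.link_seq, dict(hdr)), False
        else:
            delta = {f: hdr[f] - self.ctx[f] for f in FIELDS}
            pkt = ("DELTA", self.link_seq, delta)
        self.ctx = dict(hdr)
        return pkt

class Decompressor:
    def __init__(self):
        self.ctx, self.expected, self.valid = None, None, False

    def decompress(self, pkt):
        kind, seq, body = pkt
        if kind == "FULL":
            self.ctx, self.valid = dict(body), True       # context (re)established
        elif self.valid and seq == self.expected:
            self.ctx = {f: self.ctx[f] + body[f] for f in FIELDS}
        else:
            self.valid = False    # context out of step: this header cannot be rebuilt
            return None
        self.expected = (seq + 1) % 16
        return dict(self.ctx)

def simulate(n, lost, repair_delay):
    """Send n packets; indexes in `lost` are dropped on the link."""
    comp, decomp = Compressor(), Decompressor()
    stats = {"delivered": 0, "link_lost": 0, "ctx_discarded": 0}
    repair_at = None
    for i in range(n):
        hdr = {"ip_id": 1000 + i, "rtp_seq": i, "rtp_ts": 160 * i}  # constructed stream
        if repair_at is not None and i >= repair_at:
            comp.force_full, repair_at = True, None   # repair signal has arrived
        pkt = comp.compress(hdr)
        if i in lost:
            stats["link_lost"] += 1
            continue
        out = decomp.decompress(pkt)
        if out == hdr:
            stats["delivered"] += 1
        else:
            stats["ctx_discarded"] += 1               # lost to context mismatch
            if repair_at is None:
                repair_at = i + repair_delay          # decompressor signals for repair
    return stats
```

Calling `simulate(50, {10}, 5)` shows one link loss turning into five further discarded packets, and a longer `repair_delay` multiplies the damage of each loss.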

Experimental Validation
In order to validate the conceived architectural model, we have simulated a wireless access network scenario using OPNET Modeler. OPNET is a discrete event-driven simulator tool capable of modeling both wireless and wireline networks.

Scenarios
Multimedia services for mobile users using a wireless access network over a public IP backbone network (i.e. the Internet). For experimental purposes, two scenarios have been designed. The first scenario is a wireless access network with IP tunneling. In order to securely deliver real-time traffic over the public IP network, a GRE tunnel over IPSec is used, so only the designated wireless access network can have access to the Media Service Provider.

Scenarios
The second scenario is a wireless access network with IP tunneling along with CRTP. As OPNET Modeler does not have a module with CRTP, we have modified the router and access point.

Experimental Model

Modified Components
Modified Router
Modified Access Point

Assumptions
For multimedia applications, we have selected two applications: audio and video services. For the audio application, we have considered interactive voice using the G.711 encoder scheme. For the video application, we have considered low quality video having frame 128x120x10 frames per sec and TOS: multimedia streaming. For tunneling, we have considered GRE tunneling, with ESP (transport) for encryption and AH for integrity and authentication used to secure the channel. For the VPN, we have considered the following parameters in IPsec:
Protocol: Bundle (AH+ESP)
Authentication algorithm: HMAC-SHA1
Encryption algorithm: 3DES

Assumptions
The IP network is considered such that there is 5% packet drop and packet latency is 1 sec. An increase in packet size has negative effects not only on bandwidth usage but also on the transmission delay, router internal delays and queuing delay, thus affecting jitter and overall packet delay. Transmission delay increases proportionally with packet size and is constant for every router. Internal router delays are considered in the generic IPsec delay. Queuing delay is sensitive to packet size as well, and this is evident with low bandwidth links.

Result and Analysis
We have considered end-to-end delay and delay variation at mobile end-users for investigating the performance of real-time media streaming services. These have been considered for both scenarios, i.e. with IP tunneling only and with IP tunneling along with CRTP. It can be seen that in both cases, packet end-to-end delays have been reduced with IP tunneling using CRTP.

Result
Packet end-to-end delay for video streaming and voice streaming is shown above.

Result
Delay variation, i.e. jitter, for video streaming and voice streaming is shown above.

Result and Analysis
It can be seen that in both cases, delay variations have been reduced with IP tunneling using CRTP.

CONCLUSION
Framework for multimedia streaming through a public IP backbone network to a wireless access network using IP tunneling.
Results of experimental analysis of multimedia streaming over secure communication links implementing GRE tunneling over IPsec.
Critical parameters characterizing real-time transmission of voice as well as video over a secured IP network, as well as techniques that could be adopted to overcome some of the limitations of a secured network, are presented.
We present an efficient solution for packet header compression, CRTP, for real-time traffic in an IP tunneled network using IPsec.
Simulation results show that the compression scheme significantly reduces the overhead of packet headers, thus increasing the effective bandwidth used by the transmission.
Our results show that packet end-to-end delay and delay variations can be reduced using CRTP.

THANK YOU