S 5.136 Quality of service and network management for VoIP

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Head of IT, Administrator

Network management forms an important link in the security chain of a VoIP service. In addition to providing protection against attacks, network management primarily serves to ensure the availability and the quality of the service. Risks, for example a failure due to an overload, can be reduced through network management.

DiffServ and the class of service according to IEEE 802.1p

One important approach to ensuring the quality of service in IP networks is the use of differentiated services (DiffServ, RFC 2474). In the DiffServ approach, individual data streams are classified according to their quality of service requirements. Technically, the classification is carried in the DS field of the IP header, which replaced the former TOS (Type of Service) field; the upper six bits of this field form the DiffServ Code Point (DSCP). Certain DSCP values are assigned to individual classes, for example EF (Expedited Forwarding, DSCP 46) for voice media, and each network node queues and forwards a data packet with the priority corresponding to its DSCP (the per-hop behaviour).

In order to maintain the required quality of service at the link layer as well, the DiffServ marking is mapped to the Class of Service (CoS) field in the Ethernet frame, i.e. the three priority bits of the IEEE 802.1Q VLAN tag, whose use is specified in IEEE 802.1p. This additional marking in the Ethernet frame allows layer 2 devices, for example switches, that do not evaluate the IP header (layer 3) to prioritise the frames accordingly; without it, such devices would treat voice and data frames alike.

When using DiffServ, it must be ensured that the data packets are marked with precisely the DiffServ class intended for the particular type of communication. This also means that it must be checked whether a certain type of communication is authorised to reserve preferred resources and whether the markings of the data packets actually correspond to the class intended in each case (policing). Policing is normally performed at the trust boundary of the network, for example on the access switch ports, where markings set by untrusted end systems are removed or rewritten and traffic in a priority class is limited to the agreed rate.

If the VoIP network uses the differentiated services model, the model must be implemented consistently, without any exceptions. If, for example, there is no policing in the DiffServ network, any application can mark its data packets with a higher priority without authorisation; the voice streams then compete with that traffic in the priority queue and may suffer massive packet losses, making voice communication impossible.
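The marking, mapping and policing steps described above, as an added worked example that is not part of this safeguard text: a Python simulation of the trust boundary on an access switch, run over constructed packet records. The DSCP-to-CoS mapping, the addresses 10.1.1.10 and 10.2.2.20, the EF rate and the burst size are assumptions chosen for illustration.

```python
"""DiffServ marking, 802.1p mapping and ingress policing.

Added example for this safeguard; it is not code from the BSI catalogue.
It simulates a trust boundary on an access switch over constructed packet
records: only known phone ports keep their EF/AF marks, priority marks from
untrusted hosts are rewritten to best effort, and EF traffic is rate-limited
with a token bucket so that even an authorised source cannot flood the
priority queue.
"""
from dataclasses import dataclass

# Well-known DSCP values: RFC 2474 (DS field), RFC 3246 (EF), RFC 2597 (AF).
DSCP_BE = 0      # best effort
DSCP_AF31 = 26   # assured forwarding class 3, commonly used for call signalling
DSCP_EF = 46     # expedited forwarding, voice media

# Assumed DSCP -> 802.1p priority (PCP) mapping in the style of RFC 4594;
# the concrete values are a local design decision, not mandated by the page.
DSCP_TO_COS = {DSCP_EF: 5, DSCP_AF31: 3, DSCP_BE: 0}


def split_tos(tos_byte: int) -> tuple[int, int]:
    """Split the former TOS byte (now the DS field) into (DSCP, ECN)."""
    return (tos_byte >> 2) & 0x3F, tos_byte & 0x03


def dscp_to_cos(dscp: int) -> int:
    """Map a DSCP to the 3-bit 802.1p class of service; unknown marks get 0."""
    return DSCP_TO_COS.get(dscp, 0)


@dataclass
class Packet:
    src: str      # source address, used here to identify the ingress port
    dscp: int     # DSCP as set by the sender
    length: int   # bytes
    t: float      # arrival time in seconds


class TokenBucket:
    """Single-rate policer: `rate` bytes per second, `burst` bytes of credit."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class IngressPolicer:
    """Trust boundary: verify and enforce DSCP marks on ingress."""

    def __init__(self, trusted_sources, ef_rate: float, ef_burst: int):
        self.trusted = set(trusted_sources)
        self.ef_bucket = TokenBucket(ef_rate, ef_burst)

    def process(self, pkt: Packet) -> tuple[int, str]:
        """Return (DSCP after policing, action taken)."""
        if pkt.src not in self.trusted and pkt.dscp != DSCP_BE:
            # Unauthorised claim of preferred treatment: rewrite to best effort.
            return DSCP_BE, "remarked"
        if pkt.dscp == DSCP_EF and not self.ef_bucket.allow(pkt.length, pkt.t):
            # Excess EF traffic is dropped rather than demoted (as RFC 3246
            # expects), so the queue reserved for voice cannot be flooded.
            return pkt.dscp, "dropped"
        return pkt.dscp, "pass"

    def run(self, packets) -> list[tuple[int, str]]:
        return [self.process(p) for p in packets]


# Constructed sample traffic: 10.1.1.10 is a phone on a trusted port,
# 10.2.2.20 is a PC that tries to mark its own packets as EF.
SAMPLE = [
    Packet("10.1.1.10", DSCP_EF, 200, 0.000),
    Packet("10.2.2.20", DSCP_EF, 1500, 0.001),
    Packet("10.2.2.20", DSCP_BE, 1500, 0.002),
    Packet("10.1.1.10", DSCP_AF31, 300, 0.003),
    Packet("10.1.1.10", DSCP_EF, 1500, 0.004),
    Packet("10.1.1.10", DSCP_EF, 1500, 0.005),  # exceeds the EF contract
]


def demo() -> list[tuple[int, str]]:
    # 100 kB/s (800 kbit/s) of EF with a 2000 byte burst; assumed contract.
    return IngressPolicer({"10.1.1.10"}, ef_rate=100_000, ef_burst=2000).run(SAMPLE)


if __name__ == "__main__":
    for pkt, (dscp, action) in zip(SAMPLE, demo()):
        print(f"{pkt.src:10} dscp {pkt.dscp:2} -> {dscp:2} cos {dscp_to_cos(dscp)} {action}")
```

The second packet shows the case the text warns about: a PC marks its own traffic EF, and without the remarking step it would share the voice queue with the phones. The last packet shows why the EF class is rate-limited even for trusted ports.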

The VoIP services in a DiffServ network are not only threatened by deliberate interference. Network components with insufficient capacity may cause overloading of individual links or network resources (for example the processors in routers and firewalls) and can therefore also bring the operation of a service to a halt.

Overprovisioning

In many cases, the markings in the data stream are not taken into account when using IP telephony. It is assumed instead that state-of-the-art local networks and WANs have sufficient spare capacity to prevent bottlenecks in the queues. This approach is referred to as overprovisioning. When overprovisioning is used, the network must be monitored continuously for potential bottlenecks. Note that the nominal data rates of the links along a route do not necessarily determine where the bottlenecks of a connection will be. The bottleneck may just as well be the CPU performance of a router, the backplane of a switch, or the throughput of a firewall. For this reason, it is essential that the CPU load of every component and the utilisation of every link in the network are monitored continuously and that periodic analyses, for example active measurements of the one-way delay, are performed.
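The continuous monitoring recommended above, as an added worked example that is not part of this safeguard text: a Python evaluation of active one-way delay probes over constructed probe data. The 150 ms delay limit is the ITU-T G.114 recommendation; the jitter and loss limits, the 20 ms probe interval and the two sample runs are assumptions chosen for illustration.

```python
"""Evaluation of active one-way delay probes for a VoIP path.

Added example for this safeguard, not code from the BSI catalogue. A probe
sender emits packets at a fixed interval (here 20 ms, like G.711 RTP) with a
sequence number and a send timestamp; the receiver records the arrival time.
The one-way delay requires synchronised clocks on both probes (NTP or PTP);
interarrival jitter per RFC 3550 does not, because it only uses differences.
"""
from statistics import mean

# ITU-T G.114 recommends at most 150 ms one-way delay for good voice quality.
# The jitter and loss limits are assumed operational targets, not from the page.
MAX_ONE_WAY_DELAY_MS = 150.0
MAX_JITTER_MS = 30.0
MAX_LOSS_RATIO = 0.01


def rfc3550_jitter(samples) -> float:
    """RFC 3550 section 6.4.1 interarrival jitter estimator, in ms.

    samples: list of (seq, send_ms, recv_ms) in arrival order.
    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1});  J = J + (|D| - J) / 16
    """
    j = 0.0
    prev = None
    for _, s, r in samples:
        if prev is not None:
            d = (r - prev[1]) - (s - prev[0])
            j += (abs(d) - j) / 16
        prev = (s, r)
    return j


def analyse(samples, sent_count: int) -> dict:
    """Summarise a probe run and name every threshold that was violated."""
    delays = [r - s for _, s, r in samples]
    loss_ratio = 1 - len(samples) / sent_count
    jitter = rfc3550_jitter(samples)
    result = {
        "max_delay_ms": max(delays),
        "mean_delay_ms": mean(delays),
        "jitter_ms": jitter,
        "loss_ratio": loss_ratio,
        "problems": [],
    }
    if result["max_delay_ms"] > MAX_ONE_WAY_DELAY_MS:
        result["problems"].append("one_way_delay")
    if jitter > MAX_JITTER_MS:
        result["problems"].append("jitter")
    if loss_ratio > MAX_LOSS_RATIO:
        result["problems"].append("loss")
    return result


def make_run(delays_ms, interval_ms=20, lost=()):
    """Constructed probe data: packet i is sent at i*interval and arrives delay later."""
    return [
        (i + 1, i * interval_ms, i * interval_ms + d)
        for i, d in enumerate(delays_ms)
        if (i + 1) not in lost
    ]


# Run A: stable 45 ms path, but probe 7 never arrives (1 of 10 lost).
RUN_A = make_run([45, 45, 47, 45, 45, 45, 45, 45, 45, 45], lost={7})
# Run B: nothing lost, but a queue builds up along the path, i.e. a bottleneck
# appearing under load, which is exactly what overprovisioning must be watched for.
RUN_B = make_run([45, 60, 90, 130, 170, 200])

if __name__ == "__main__":
    for name, run, sent in (("A", RUN_A, 10), ("B", RUN_B, 6)):
        print(name, analyse(run, sent))
```

Run A is flagged for loss although its delay and jitter are excellent; run B is flagged for delay although nothing is lost. Both cases would be missed by looking at link utilisation alone, which is why the active measurement complements the load monitoring.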

When applying overprovisioning, it must be noted that no absolute guarantees can be given for the quality of the voice applications. Any such guarantee rests only on statements and estimates derived from past experience. The behaviour of the network may change completely when new applications such as video conferencing or grid computing are introduced. VoIP applications are severely affected when large data streams are transmitted, and this applies in particular under overprovisioning, where no marking or policing protects the voice traffic from the new load.

MPLS

MPLS (MultiProtocol Label Switching) can be used in wide area networks to isolate channels with guaranteed bandwidth for voice connections from the rest of the network traffic. This means the principle of overprovisioning can be applied to individual MPLS channels. Since VoIP traffic exhibits fewer fluctuations in the data rate than most other IP traffic, it can be assumed that dedicated VoIP channels can be operated closer to their capacity than channels in which the VoIP traffic is transmitted together with the rest of the data traffic.

It must be taken into account that the main advantage of MPLS lies in the quality of service; it provides only a low level of protection for the confidentiality and integrity of the data transmission. An additional header (the label) is added to the data packets in the MPLS channels, similar to VLAN tagging, and is transmitted unencrypted together with the rest of the traffic. As with Ethernet traffic, it is therefore possible to eavesdrop on such channels at certain components of the network and possibly to modify data using a suitable sniffer program. If confidentiality or integrity of the voice traffic is required, it must be protected by additional means, for example SRTP or a VPN.

Traffic shaping

Traffic shaping is used in gateways between local and wide area networks to limit the data rate of certain types of traffic that generally have lower priority, for example bulk data transfers such as FTP connections in which delays can be tolerated. Experience has shown, however, that these safeguards are relatively easy to bypass when only the port numbers of the data packets are used as the criterion for traffic shaping, since an application can simply use a different port, for example the port of the voice signalling or media traffic, to obtain the better treatment.

Resource Reservation Protocol (RSVP)

The Resource Reservation Protocol (RSVP) is used for end-to-end signalling of the quality of service for individual data streams. RSVP was originally designed to implement so-called integrated services (IntServ) in IP networks, which, unlike DiffServ, are capable of guaranteeing end-to-end quality of service per stream. To use RSVP in its original form, all network nodes, operating systems, and applications need to support the protocol. At the time of writing, support in the operating systems as well as in the applications is inadequate or not available at all. For this reason, RSVP and IntServ should not currently be considered for VoIP.

Review questions: