Research article on the topic 'EVALUATION OF THE FIREWALL INFLUENCE ON THE SESSION INITIATION BY THE SIP MULTIMEDIA PROTOCOL'


Discrete & Continuous Models & Applied Computational Science

2021, 29 (3) 221-229

ISSN 2658-7149 (online), 2658-4670 (print) http://journals.rudn.ru/miph

Research article

UDC 519.872

DOI: 10.22363/2658-4670-2021-29-3-221-229

Evaluation of the firewall influence on the session initiation by the SIP multimedia protocol

Anatoly Y. Botvinko1, Konstantin E. Samouylov1,2

1 Peoples' Friendship University of Russia (RUDN University), 6, Miklukho-Maklaya St., Moscow, 117198, Russian Federation

2 Research Center "Computer Science and Control" of the Russian Academy of Sciences, 44-2, Vavilov St., Moscow, 119333, Russian Federation

(received: August 4, 2021; accepted: September 9, 2021)

Firewalls are one of the major components of network security. By using firewalls, you can solve such problems as preventing unauthorized access, and deleting, modifying and/or distributing information under protection. The filtration of information flows by a firewall introduces additional time delays, which may disrupt the stable operation of the protected automated system or make the services provided by the system inaccessible. Multimedia services are particularly sensitive to service time delays. The main purpose of the work presented in this paper is to evaluate the influence of the firewall on the time delays in the data transmission process in an automated system with multimedia data transmission protocols. The evaluation is carried out by queuing theory methods for the case where a session is initiated between two users by the Session Initiation Protocol (SIP) with firewall message filtration. A firewall is a local or functional distributing tool that provides control over the incoming and/or outgoing information in the automated system (AS), and ensures the protection of the AS by filtering the information, i.e., analysing the information against a set of criteria and making a decision on its distribution.

Key words and phrases: SIP, firewall, session initiation, queuing system, filtering time, automated system

1. Introduction

Currently, one of the necessary conditions for the information security of automated systems is the use of software and hardware systems that filter incoming and outgoing traffic. Firewalls increase the time delays of information flows while they are checked in the AS. For multimedia protocols, significant time delays can adversely affect the QoE and QoS quality indicators [1] and make the multimedia services provided unusable. Therefore, evaluating the firewall influence on the time delays in the data transmission process in an AS with multimedia data transmission protocols is an urgent and relevant task.

© Botvinko A.Y., Samouylov K.E., 2021

This work is licensed under a Creative Commons Attribution 4.0 International License http://creativecommons.org/licenses/by/4.0/

To evaluate the firewall influence on the data transmission delay in the AS, the most delay-sensitive service has been selected, i.e., the session initiation by the Session Initiation Protocol (SIP). The script is the initiation of a session between two users with proxy servers and firewall packet filtration.

This paper has the following structure. The process of the session initiation by the SIP protocol is described in Section 2. A method for evaluation of temporal characteristics of the session initiation by the SIP protocol is given in Section 3. The results of the evaluation of the firewall influence on the session initiation time and the session request delay are presented in Section 4. The Conclusion contains the main aspects of the study.

2. Session initiation by the SIP protocol in the presence of firewall

The SIP protocol, developed by the MMUSIC group of the IETF committee, provides for three main types of scripts for initiating a connection: by proxy servers, by a redirecting server, and directly between users [2]-[4]. The main difference between these scenarios is the way of searching for and inviting the user. These operations are assigned either to the proxy server, or to the redirecting server, or directly to the user if the user knows the address of the called subscriber.

To evaluate the firewall influence on the connection initiation by the SIP protocol, without limiting the generality of the approach, the script for initiating a connection between two users with two proxy servers and one firewall located in the middle of the chain has been considered. The network segment with the client's equipment of the 1st user (User 1) is considered to be the AS under protection — this segment is protected by the firewall. The firewall introduces an additional time delay while checking the compliance of the network packet parameters with the filtration rules specified in the AS under protection.

Figure 1. Arrangement of the elements when the SIP session is initiated

Figure 1 shows the elements participating in the connection establishment: the user equipment (User 1, User 2), the proxy servers (Proxy-1, Proxy-2), the firewall and the IP/MPLS main transmission network.

Let's describe the session initiation algorithm, i.e., the sequence of requests and responses of the session initiation process for the script under consideration in accordance with Figure 1.

Session initiation starts on the equipment of User 1 with an Invite message containing the address of the called user, User 2. The message passes through the firewall and proxy server elements, the element simulating the IP/MPLS network, and the User 2 element. After successful message processing (message retransmission isn't considered), the equipment of User 2 responds with the message 100 Trying, which means that the request is being processed. Then the equipment of User 2 sends a 180 Ringing message to User 1, which means that the incoming call signal has been received and the location of the called user has been detected. After processing the Invite request, User 2 generates a 200 Ok response, which indicates that the user has agreed to participate in the communication session. The session initiation algorithm is completed by sending the Ack message, indicating that the response to the Invite request has been accepted.

Considering this session initiation algorithm makes it possible to evaluate the following temporal characteristics of the SIP session initiation service: the average session initiation time Ts and the average session request delay (SRD) TSRD [5]. Ts is measured from the sending of the Invite message to the start of the data transmission process. TSRD is measured from the moment the session is initiated until the first subscriber receives a 180 Ringing response.

The sequence of transmitted signaling messages in the described algorithm of session initiation by the SIP protocol is presented in Figure 2 [6].

3. Evaluation of the temporal characteristics of the service of session initiation by SIP protocol in the presence of firewall

To evaluate the firewall influence on the Ts and TSRD times, a mathematical model in the form of an open exponential queuing network (EQN) is proposed [7]. The residence time in the EQN will be equal to the session initiation time [8].

The EQN consists of six nodes, each of them modeling a corresponding functional element in the session initiation process. The blocks User 1, User 2 and IP/MPLS are modeled by the queuing system (QS) M|M|∞, and the rest of the blocks by the QS M|M|1|∞. Let's introduce the following designation: A0 is the intensity of the SIP message flow in the EQN, and is the service intensity in the i-th node.

So, the condition for the existence of a stationary mode is [9], [10]:

Ao < min (f ). (1)

Taking into account that the Ts and TSRD times consist of the time of message processing by the functional elements and the waiting time in the queue, and considering the approach given in [5], [8], [9], [11]-[14], we determine the TSRD and Ts times as follows:

Tsrd = + -+ -+ 2RT1 + -^-y- + V-1; (2)

Ts = +-+-+ S^-1 +-+ 2^. (3)

5a0 5a0 4A0

Figure 2. Message sequence when the SIP session is initiated

The residence time in the 2nd block will be equal to the time of the signal message filtration by the firewall:

F V2— 5Ao ( )

Using formulas (2)-(4), we determine the indicators of the firewall influence on the session initiation time and the session request delay:

2 x 100%

M - _^2 5^0_. (5)

^TF_TSRD - 2 2 -, 2 -, . (5) + -+ -— + 2^-! + -— +

5A0 5A0 4A0

3 x 100%

m —_^2_SAo_

1 F_TS = 2 it1 + 3 , 3 + + 3 + • (6) 1 — 5Ao ^3— 5A0 4 — 4A0 6

4. Evaluation of the firewall influence on the session initiation time and the session request delay

To evaluate the firewall influence on the session initiation time and the session request delay, the following Cisco equipment has been selected: the Cisco ASA 5500-X firewall with the SSP-10 module, and the Cisco Sun Fire V120 proxy server. The initial data and their designations are given in Table 1.

Table 1. Initial data

Functional element     User 1   Firewall   Proxy-1   IP/MPLS   Proxy-2   User 2
Designation 1 -
Service time, msec.    0.1      0.5        0.4       50        0.4       0.1

The results of the evaluation are presented in the form of graphs showing the dependence of the Ts and TSRD times on the intensity of incoming requests (see Figure 3).

Figure 3 shows that the condition for the existence of the stationary mode (1) makes it possible to carry out the evaluation at A0 intensity values up to 400 requests per second. The Ts and TSRD values obtained in the presence of the firewall meet the requirements of the international standards for the perception quality indicators. The value of the session initiation time Ts is less than 2 seconds [5], [15]-[18]. At the intensity level A0 of 380 requests per second, the average session initiation time Ts is 0.2 [s], and TSRD is 0.15.

The evaluation of the indicators of the firewall influence on the session initiation time and the session request delay is presented in Figure 4.

The firewall residence time for signal messages is less than 10% at the intensity level A0 of 370 [requests/sec].
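The following Python code is an added example, not the authors' code: it evaluates the queuing network of Section 3 with the service times of Table 1, treating User 1, User 2 and IP/MPLS as M|M|∞ nodes and the firewall and proxies as M|M|1 nodes. The per-node message counts (5, 5, 4) and the traversal counts per metric are assumptions read from the surviving fragments of formulas (2)-(6); all function and variable names are hypothetical.

```python
# Added example (not the authors' code): residence times in the open
# exponential queuing network of Section 3, with Table 1 service times.

# Mean service time per node in milliseconds (Table 1).
SERVICE_MS = {
    "User 1": 0.1, "Firewall": 0.5, "Proxy-1": 0.4,
    "IP/MPLS": 50.0, "Proxy-2": 0.4, "User 2": 0.1,
}

# ASSUMPTION: signalling messages per session that load each single-server
# (M|M|1) node. Nodes not listed are infinite-server (M|M|inf) nodes.
MESSAGES_PER_SESSION = {"Firewall": 5, "Proxy-1": 5, "Proxy-2": 4}

# ASSUMPTION: number of traversals of each node counted in each metric.
VISITS_SRD = {"User 1": 2, "Firewall": 2, "Proxy-1": 2,
              "IP/MPLS": 2, "Proxy-2": 2, "User 2": 1}
VISITS_TS = {"User 1": 2, "Firewall": 3, "Proxy-1": 3,
             "IP/MPLS": 3, "Proxy-2": 3, "User 2": 1}


def stability_limit():
    """Largest session rate A0 (sessions per ms) with every queue stable."""
    return min(1.0 / (SERVICE_MS[n] * k)
               for n, k in MESSAGES_PER_SESSION.items())


def residence_ms(node, a0):
    """Mean time one message spends in `node` at a0 sessions per ms."""
    k = MESSAGES_PER_SESSION.get(node)
    if k is None:
        return SERVICE_MS[node]          # M|M|inf: no waiting, service only
    mu = 1.0 / SERVICE_MS[node]          # service intensity, messages per ms
    if k * a0 >= mu:
        raise ValueError(f"{node} is overloaded at A0={a0} per ms")
    return 1.0 / (mu - k * a0)           # M|M|1 mean sojourn time


def metric_ms(visits, a0):
    """Sum of per-node residence times weighted by traversal count."""
    return sum(v * residence_ms(n, a0) for n, v in visits.items())


def firewall_share_pct(visits, a0):
    """Percentage of the metric spent being filtered by the firewall."""
    fw = visits["Firewall"] * residence_ms("Firewall", a0)
    return 100.0 * fw / metric_ms(visits, a0)


if __name__ == "__main__":
    print(f"stability limit: {stability_limit() * 1000:.0f} sessions/s")
    for per_sec in (100, 200, 300, 350, 380, 395):
        a0 = per_sec / 1000.0
        print(per_sec, round(metric_ms(VISITS_SRD, a0), 1),
              round(metric_ms(VISITS_TS, a0), 1),
              round(firewall_share_pct(VISITS_TS, a0), 1))
```

Under these assumptions the firewall is the first node to saturate, which is why the stationary mode ends at 400 requests per second; replacing the firewall entry in SERVICE_MS shows how a longer rule-matching time narrows that limit.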

5. Conclusion

A mathematical model for the SIP session initiation with message filtration by the firewall is presented in this paper. The evaluation of the average session initiation time and the average session request delay indicates the advisability of reducing the residence time that requests spend in the firewall, which can lead to the reduction of the values of QoE and QoS indicators.

Figure 3. Temporal characteristics when initiating the session with one firewall (curves Ts and TSRD; horizontal axis: intensity of incoming messages A0 [msec-1])

Figure 4. Evaluation of the percentage of the firewall filtering time when initiating the session

References

[1] "Recommendation ITU T G.107. The E model: a computational model for use in transmission planning. Series G: Transmission Systems And Media, Digital Systems And Networks International Telephone Connections And Circuits — Transmission Planning And the E-model," approved in 2015-06-29.

[2] J. Rosenberg, H. Schulzrinne, G. Camarillo, et al., "RFC 3261 SIP: Session Initiation Protocol," 2002.

[3] A. Johnston, S. Donovan, R. Sparks, et al., "RFC 3665 SIP. Session Initiation Protocol (SIP) Basic Call Flow Examples," 2003.

[4] A. B. Goldstein and B. S. Goldstein, Softswitch. Saint Petersburg: BHV Publishing House Petersburg, 2006, p. 368.

[5] D. Malas and A. Morton, "RFC 6076. Basic Telephony SIP End to End Performance Metrics," 2011.

[6] K. V. Ivanov and P. I. Tutubalin, Markov models of protection of automated control systems for special purposes [Markovskie modeli zash-hity' avtomatizirovanny'x sistem upravleniya special'nogo naznacheniya]. Kazan: Publishing house of GBU Republican center for monitoring the quality of education Publ., 2012, p. 216, in Russian.

[7] F. Baskett, K. M. Chandy, R. R. Muntz, and F. G. Palacios, "Open, closed and mixed networks of queues with different classes of customers," Journal of the ACM, pp. 248-260, 1975. DOI: 10.1145/321879.321887.

[8] K. E. Samouylov, M. V. Luzgachev, and O. N. Plaksina, "Modelling SIP Connections with Open Multiclass Queueing Networks [Razrabotka veroyatnostnoj modeli dlya analiza pokazatelej kachestva protokola iniciirovaniya seansov svyazi]," Bulletin of Peoples' Friendship University of Russia. Series Mathematics. Information Sciences. Physics, no. 3, pp. 53-63, 2007, in Russian.

[9] Y. V. Gaidamaka and E. R. Zaripova, "Session Setup Delay Estimation Methods for IMS Based IPTV Services," Lecture Notes in Computer Science, vol. 8638, pp. 408-418, 2014. DOI: 10.1007/978-3-319-10353-2_36.

[10] V. M. Vishnevsky, Polling systems: theory and application in broadband wireless networks [Sistemy pollinga: teoriya i primenenie v shirokopolosnyh besprovodnyh setyah]. Moscow: Technosphere Publishing House, 2007, p. 312, in Russian.

[11] Ali Raad Abdo Mohammed, "Development of a method for evaluating the probabilistic and temporal characteristics of IPTV services when they are controlled by the IMS multimedia subsystem [Razrabotka metoda otsenki veroyatnostno-vremennykh kharakteristik uslug IPTV pri ikh upravlenii mul'timediynoy podsistemoy IMS]," in Russian, Ph.D. dissertation, Moscow technical university of communications and informatics, 2013.

[12] K. E. Samouylov, Methods of analysis and calculation of ACS networks [Metody analiza i rascheta setey OKS]. Moscow: Publishing RUDN, 2002, p. 292, in Russian.

[13] I. Buzyukova, Y. Gaidamaka, and G. Yanovsky, "Estimation of QoS parameters in intelligent network," Lecture Notes in Computer Science, vol. 5764, pp. 143-153, 2009. DOI: 10.1007/978-3-642-04190-7_14.

[14] K. E. Samouylov, E. S. Sopin, A. V. Chukarin, and A. Y. Botvinko, "Evaluation of the characteristics of signal traffic in the communication network based on the subsystem [Ocenka harakteristik signal'nogo trafika v seti svyazi na baze podsistemy]," T-Comm — Telecommunications and Transport, no. 7, pp. 8-13, 2010, in Russian.

[15] "Recommendation ITU T Y.1530. Call processing performance for voice service in hybrid IP networks. Series y: global information infrastructure, internet protocol aspects and next generation networks internet protocol aspects and next-generation networks," approved in 2007-11-13.

[16] "Recommendation ITU T Y.1531. SIP based call processing performance. Series Y: Global Information Infrastructure, Internet Protocol Aspects And Next Generation Networks Internet Protocol Aspects — Quality Of Service And Network Performance," approved in 2007-11-13.

[17] "Recommendation ITU T Y.1541. Network performance objectives for IP based services. Series y: global information infrastructure, internet protocol aspects and next generation networks internet protocol aspects — quality of service and network performance," approved in 2011-12-14.

[18] "DSL Forum, Technical Report-126, Triple-play Services Quality of Experience (QoE) Requirements," 2006.

For citation:

A. Y. Botvinko, K. E. Samouylov, Evaluation of the firewall influence on the session initiation by the SIP multimedia protocol, Discrete and Continuous Models and Applied Computational Science 29 (3) (2021) 221-229. DOI: 10.22363/2658-4670-2021-29-3-221-229.

Information about the authors:

Botvinko, Anatoly Y. — postgraduate of Department of Applied Probability and Informatics (e-mail: botviay@sci.pfu.edu.ru, ORCID: https://orcid.org/0000-0003-1412-981X, Scopus Author ID: 57222085424)

Samouylov, Konstantin E. — Doctor of Technical Sciences, Professor, Head of Department of Applied Probability and Informatics (e-mail: samuylov-ke@rudn.ru, ORCID: https://orcid.org/000-0002-6368-9680, ResearcherID: E-9966-2014, Scopus Author ID: 14009785000)
