Академический Документы
Профессиональный Документы
Культура Документы
Dipak Ghosal
Department of Computer Science
University of California at Davis
1
Outline
History
Network Architecture
SS7 Protocol
Routing
Media Stimulated Focused Overload
Overview of Telephony Research
Current Efforts
15 November 2005 2
History
Pre-1984
AT&T
1980’s saw rapid deployment of digital
technology in the core network
1984
Breakup of AT&T into
7 RBOCs (Regional Bell Operating Companies),
AT&T, and others
Local area carriers (LECs) serving LATA were
regulated
Long distance carrier (IXC) service was opened
15 November 2005 3
History (2)
Post 1984
New Telecom Act in 1996
Further deregulation of LECs (ILECs and CLECS)
Local area and long distance markets opened
Local Number Portability
Break-up of AT&T
AT&T
Lucent (Bell-Labs)
Mergers of RBOCs and CLECs
15 November 2005 4
Outline
History
Network Architecture
SS7 Protocol
Routing
Media Stimulated Focused Overload
Overview of Telephony Research
Current Efforts
15 November 2005 5
A Typical Regional POTS Network
15 November 2005 6
Network Architecture
15 November 2005 7
Circuit Network
Central Offices (End Offices)
Local aggregation points for phone lines
Wire-pair (local loop) to each telephone
Tandems
Hubs interconnecting Central Offices
Connecting to IXCs
15 November 2005 8
Circuit Network (2)
Hierarchical organization
End office
Toll Center
Primary Center
Sectional Center
Regional Center
15 November 2005 9
End Office
15 November 2005 10
Signaling Network
Signaling network is the brain
Circuit network forms the the muscles
All nodes in the signaling network are
called signaling points
SSP -> Service Switching Points
STP -> Signaling Transfer Point
SCP -> Service Control Point
15 November 2005 11
Service Switching Point
This is the local exchange in the telephone
network
Interfaces both the circuit network and
signaling network
Generate SS7 messages from signals from the
voice network
Generate SS7 query messages for non-circuit
related messages
LNP has significantly altered the traffic
mix
15 November 2005 12
Signaling Transfer Point
Routers in the SS7 network
Route messages between SSPs
Support Global Title Translation for
non-circuit related messages
These can be separate stand alone
nodes or adjuncts to a voice switch
Many tandems used to act as STPs
Deployed as a mated pair
15 November 2005 13
Signaling Transfer Point (2)
Hierarchy of STPs
Local and Regional STPs
International STPs
Gateway STPs
Interconnect different networks including cellular
networks
Very important node in the SS7 network
Many other functions including measurements
and data mining
15 November 2005 14
Service Control Point
Interfaces to databases
800/900 databases
HLR/VLR databases
LIDB (Line Information Databases) for
calling cards
Local Number Portability Database
New Advanced Intelligent Network
(AIN) services.
15 November 2005 15
Types of Signaling Links
15 November 2005 16
Types of Signaling Links (2)
A-Links are access links between SSP and STP or
SCP and STP
B-Links are bridge links that connect mated STP
pairs in the same hierarchy
C-Links are cross links between an STP and its mat
D-Links are diagonal links between STPs at
different levels of the hierarchy
E-Links a extended links to connect to remote STP
pairs
F-links are fully associated links
15 November 2005 17
Types of Signaling Links (3)
Link sets are group of links with the same
adjacent nodes
Route is a collection of link sets required
to reach a destination
Route set is a collection of routes
Routing is hop-by-hop
A signaling point needs to know which linkset to
use towards the destination
15 November 2005 18
Addressing
Each signaling point has a address and it is
referred to as the Point Code
It is a 24-bit address
8 bits network identifier
8 bits cluster identifier
8 bits node identifier
Full point code routing
Partial point code routing
Cluster routing or network routing
15 November 2005 19
Requirements
Availability objective: an unavailability of
no more than 10 minutes downtime between
two SPs
Lost message probability: 1 in 10**7
Message Out-of-sequence probability: 1 in
10**10
Performance objectives:
Maximum link utilization must be less than 40%
Various other requirements on various processing delay
Maximum message processing delay at an SP is 200ms
15 November 2005 20
Outline
History
Network Architecture
SS7 Protocol
Routing
Media Stimulated Focused Overload
Overview of Telephony Research
Current Efforts
15 November 2005 21
Protocol Stack
15 November 2005 22
ISDN User Part (ISUP)
15 November 2005 23
ISDN User Part (ISUP)
IAM – Initial Address Message
Message type, Called party number, calling party
category, forward call indicators, nature of connection
identifier, user service information
ACM – Acknowledge Message
ANM –Answer Message
REL – Release Message
RLC – Release Clear Message
All these message have a associated circuit
identification code (CIC)
15 November 2005 24
Database Query (TCAP)
15 November 2005 25
Signaling Connection Control
Part (SCCP)
Additional functions over MTP (network)
layer to support connectionless and
connection oriented services
Very similar to transport layer
Address Translations
Dialed digits to destination point codes
Particularly important for non-routable
numbers such as 800/900.
GTT functionality is supported in the STP
to determine which database will provide
the translation.
15 November 2005 26
Message Transfer Part
(MTP) Layer 3
Network Management
Link management
Traffic management
Route Management
Message discrimination
Message distribution
Message routing
15 November 2005 27
MTP Layer 3 (2)
Message discrimination
Determine if the message is destined to
the receiving node
If yes apply message distribution to
distributed it to the appropriate
application
Else, route it to the destination using
the most direct route (I.e., fewest
number of hops)
15 November 2005 28
MTP Layer 3 (3)
Traffic management
Link failures
Route failures
Congestion
15 November 2005 29
Transient A-Link Failure
STP1
Level3 Level3 L2
STP2
L2 L2 L2
Link
Failure
SP1 SP2 SPn
15 November 2005 30
Link Failure
Level-2 processor sends a link failure
message to the Level-3 processor
Level-3 processor updates its own routing
table
Level-3 processor sends out routing table
update message to other Level-3
processors within the STP
15 November 2005 31
Link Failure (2)
Send out Traffic Restricted (TFR) messages to all
the SPs
Send out Traffic Prohibited (TFP) message to the
mate-STP via the C-link
Send change-over message to the corresponding
SP
Sends changeover signal to the Level-2 processor
to re-routes messages via the C-link
15 November 2005 32
Congestion
STP1
Level3 Level3 L2
STP2
L2 L2 L2
TFC
Messages
15 November 2005 33
STP Architecture
15 November 2005 34
Key Design Issue
What is the best cluster size?
Centralized architecture have few Level-3 processors
Fewer number of routing tables hence quicker update
15 November 2005 36
Network Model
1, 8, 16, 24 A-link
failures
All failures to a
single STP
Simultaneous
recovery after 11
seconds
15 November 2005 37
Call Throughput
15 November 2005 38
Key Results
A clustered architecture with 8/16
Level-2 processors per Level-3
processor performed the best
Priority of tasks was a very important
factor
Dynamic priority inversion
15 November 2005 39
Outline
History
Network Architecture
SS7 Protocol
Routing
Media Stimulated Focused Overload
Overview of Telephony Research
Current Efforts
15 November 2005 40
Routing in Circuit Network
Dynamic Routing
Some part of the routing changes over
time
Adaptive Routing
Some part of the routing is a function of
the network state at the time the
decision is made
15 November 2005 41
Alternate Routing
An ordered set of routes from which the
choice is made
Fixed alternate routing
A small subset of fixed route is used
The set of alternate route is scanned in some
predetermined order and the call is connected
on the first free path that is found
There are different methods on how the
routing control is propagated
15 November 2005 42
Alternate Routing (2)
There are different methods on how
the routing control is propagated
Originating-office control
Spill-forward control
Crankback
15 November 2005 43
Fixed Hierarchical Routing
Hierarchical organization of switches
End office
Toll Center
Primary Center
Sectional Center
Regional Center
There are specific hierarchical fan
rules of how switches are connected
15 November 2005 44
Dynamic Nonhierarchical
Routing
Deployed in mid 1980s
A day is divided in to 10 traffic periods
All switches are same – no hierarchy
Routing is alternate type with the provision
that alternate paths are limited to atmost
two links
Long paths can result in “knock-on” effect
and make the system highly sensitive to
overloads
Uses crankback
15 November 2005 45
Adpative Routing
Residual capacity adaptive routing
(RCAR)
Uses occupancy information of all trunk
groups periodically updated by
measurements
DCR – sends calls to paths with the
largest expected number of free trunks
Trunk Status Map Routing
Adaptive DNHR
15 November 2005 46
Outline
History
Network Architecture
SS7 Protocol
Routing
Media Stimulated Focused Overload
Overview of Telephony Research
Current Efforts
15 November 2005 47
The Problem
Media events may stimulate a large number
of calls to a single number in a very short
time interval
Mass Call-Ins cause focused overloads,
denying service to customers trying to reach
other numbers
Outages may persist for long period
15 November 2005 49
Choke Network
Special exchange which serves many
clients (e.g., radio stations) that
regularly generate call-ins
Small number of trunk to this
exchange
Not suitable for clients that would
like to have large number of calls
completed (ticket sales)
15 November 2005 50
Manual Call Gaps
STP
SSP SSP
15 November 2005 51
TFC Congestion Control
STP Congestion
Detected
TFC
SSP SSP
Call
Attempt Block all calls
to target DPC
15 November 2005 52
Other Methods
Automatic Congestion Control (ACC)
Method by which a switch can protect
itself if overloaded
Curtails a percentage of call request on a
per trunk-group basis
Code Blocks
Blocks a percentage of calls to specific
numbers
15 November 2005 53
Call Processing and Signaling
Normal Call
Caller
IAM ACM REL RLC
ANM
Callee
IAM carries called number
Conversation
Callee
Release-Busy
15 November 2005 54
Key Ideas
15 November 2005 55
Example of Mass Callin
15 November 2005 56
Algorithm
15 November 2005 58
Simulation Results
15 November 2005 59
Simulation Results (Detail)
15 November 2005 60
Operator Utilization (10 Operators)
15 November 2005 61
Operator Utilization (100 Operators)
15 November 2005 62
Summary
• Unanticipated Mass Call-In events can be
effectively and efficiently controlled by a simple
detection method
• Fast Call Gaps would reduce the effect of Call-In
overloads to almost unnoticeable levels
• Slow Call Gaps would provide an effective method
for controlling Call-In events without the necessity
of modification of existing switches
15 November 2005 63
Outline
History
Network Architecture
SS7 Protocol
Routing
Media Stimulated Focused Overload
Overview of Telephony Research
Current Efforts
15 November 2005 64
Research Summary
Security
B. Reynolds and Dipak Ghosal. STEM: Secure Telephony Enabled Middlebox.
IEEE Communications Magazine Special Issue on Security in Telecommunication
Networks. October 2002.
B. Reynolds and Dipak Ghosal, “Secure IP Telephony Using Multi-Layer
Protection,” to appear in Network and Distributed Systems Security
(NDSS03), San Diego, February 2003.
Resource Management
M. C. Caesar, D. Ghosal, and R. Katz, ``Resource Management for IP Telephony
Networks,'' International Workshop of Quality of Service (IWQoS), Miami,
May 2002.
Node Architectures
Dipak Ghosal, “A Comparative Analysis of STP Architectures Under Transient
Failure and Overload Conditions,” IEEE International Conference on
Perfromance and Dependable Systems, June 1999.
15 November 2005 65
Research Summary (2)
Pricing
Matthew Caesar, Sujatha Balaraman and Dipak Ghosal, "A Comparative Study of
Pricing Strategies for IP Telephony", IEEE Globecom 2000, Global Internet
Symposium, San Francisco, USA, -- I presented my work on Nov. 29, 2000.
Traffic Issues
J. Burns and D. Ghosal, ``Automatic Detection and Control of Media
Stimulated Focused Overloads,'' Proceedings of the International
Teletraffic Congress, Washington D.C., June 1997, pp.889-900. To
appear in Telecommunication Systems
A. Mukherjee and D. Ghosal, ``The Impact of Background Traffic on
the Effectiveness of FEC for Audio over Internet,''
InternationalTeletraffic Congress, Edinburgh, UK 1999.
15 November 2005 66
Research Summary (3)
Enhanced Signaling Network
Architecture
•J Abramson, Xiao-yan Fang, and D. Ghosal. Analysis of an
Enhanced Signaling Network for Scalable Mobility Management
in Next Generation Wireless Networks. IEEE Globecom. Taiwan,
ROC, November 2002.
T. Sinclair and D. Ghosal, An Enhanced Signaling Network
Architecture for Replicated HLR – Prototype Implementation
and Performance Analysis, ICC 1999, Vancouver
15 November 2005 67
Outline
History
Network Architecture
SS7 Protocol
Routing
Media Stimulated Focused Overload
Overview of Telephony Research
Current Efforts
15 November 2005 68
Overview
Security
Security architecture for IP Telephony
Sensors to detect DoS attacks
Detection algorithm
Recovery algorithms
Preliminary results from simulation analysis
Future work
Resource Management in IP Telephony
Routing
15 November 2005 69
Enterprise Network
Softphone IP Phone
DNS Web
Server Server
Enterprise Internet
PSTN LAN
Edge
Media / Route
Interna
Signal Externa r
l SIP SIP
Gateway l
Firewal Registrar / Redirect
l Firewall
Authenticatio Location Proxy
n Server Server
Enterprise DMZ
15 November 2005 70
Call Setup – Net-to-Net
Media Transport
Destination device returns
SIP IP Phone its IP Address to the
originating device and a
media connection is
opened
15 November 2005 71
Call Setup – PSTN-to-Net
15 November 2005 72
Comparison of Solutions
Method Advantage Disadvantage
15 November 2005 73
Vulnerability Analysis
Property oriented approach
Access control to use IP telephony
service
Integrity and authenticity of IP
telephony signaling messages
Resource availability and fairness in
providing IP telephony service
Confidentiality and accountability
15 November 2005 74
Access Control
Deny unauthorized users access to IP
telephony service
Central authentication servers
E.g.: RADIUS server
Enable various network elements to
query authentication server
15 November 2005 75
Integrity and Authenticity of
Signaling Messages
Call Based Denial of Service
CANCEL messages, BYE message, Unavailable
responses
Call Redirection
Re-registering with bogus terminal address,
15 November 2005 76
Payload Encryption
15 November 2005 77
Resource Fairness and Availability
Flood based attacks
Network bandwidth between enterprise
and external network
Server resources at control points
SIP Proxy Server
Voice ports in Media/Signaling Gateway
Signaling link between Media/Signaling
Gateway and PSTN
End user
15 November 2005 78
Internet Originated Attack
Enterprise network connection can be
flooded using SYN flooding
Resources in the SIP proxy server
can be exhausted by a large flood of
incoming call request
End user can be targeted with a
large number of SIP INVITE
requests in a brief period of time
15 November 2005 79
PSTN Originated Attack
15 November 2005 80
Security Architecture
Softphone IP Phone
DNS Web
Server Server
Enterprise Internet
PSTN LAN
Application Transpor Edge
Media / Application Layer t Layer Route
Interna
Signal Layer Attack Attack Externa r
l SIP SIP
Gateway Attack Sensor Sensor l
Firewal Registrar / Redirect
Sensor Firewall
Authenticatio l Location Proxy
n Server Server
Enterprise DMZ
15 November 2005 81
Application Layer Attack Sensor
(ALAS)
Monitors the number of SIP INVITE
requests and the SIP OK (call acceptance)
responses
URI level monitor
Aggregate level monitor
Detection Algorithm
Response Algorithm
Proxy or M/S gateway returns temporally busy
messages
15 November 2005 82
Transport Layer Attack Sensor
(TLAS)
Monitors the number of TCP SYN and ACK
packets
Traffic is monitored at an aggregate level
Upon detection of an attack, throttling is
applied by perimeter devices (e.g. firewall)
If attack persists, traceback technologies can
be used to drop malicious traffic at an
upstream point
15 November 2005 83
RTP Stream Attack Sensor (RSAS)
To detect malicious RTP and RTCP streams
Parameters of the RTP streams are known
at connection setup time
Police individual streams
Statistical techniques to determine large flows
Packets corresponding to the malicious
streams are dropped at the firewall
Need cooperation of upstream routers to
mitigate link saturation
15 November 2005 84
Detection Algorithm for
TLAS
Monitoring the volume of connection
attempts vs. volume of complete
connection handshakes can be used to
detect an attack
Based on the sequential change point
detection method proposed by Wang,
Zhang and Shin (Infocom 2002) to
detect TCP SYN attacks
15 November 2005 85
Algorithm
All connection setup attempts and complete
handshakes are counted during the observation
period
During each sampling period the difference is
computed and normalized
Under normal operation, the resulting value should
be very close to 0
In the presence of an attack, the result is a large
positive number
Apply a cumulative sum method to detect short
high volume attacks as well as longer low volume
attacks
15 November 2005 86
Recovery Algorithm
Linear Recovery
This is the default behavior of the detection
algorithm
Exponential Recovery
The cumulative sum decreases multiplicatively
once the attack has ceased
Reset after Timeout
The cumulative sum decays linearly decays until
a timer expires at which point it is reset to 0
15 November 2005 87
Preliminary Results
Types of attack
Limited DoS attack
Single user targeted by one or more attackers
Stealth DoS attack
Multiple users targeted by one or more attackers
each with a low volume of call requests
Aggressive DoS attack
Multiple users targeted with moderate call requests
Ability to detect both aggregate level
attacks as well as attack to individual URIs
15 November 2005 88
Preliminary Results
15 November 2005 89
Preliminary Results
15 November 2005 90
Preliminary Results
15 November 2005 91
Results
15 November 2005 92
Future Work
Detailed analysis
Tradeoff between detection time and
false alarm rate
Formal vulnerability analysis
Additional vulnerabilities with ENUM
Routing layer issues
Vulnerabilities of multihomed networks
15 November 2005 93
Resource Management in
IP Telephony Networks
94
Motivation
What is IP Telephony?
Packetized voice over IP
PSTN access through Internet Telephony Gateway (ITG)
Benefits:
Improved network utilization
Next generation services (POTS Æ PANS)
Growth:
Revenues $1.7 billion in 2001, 6% of international traffic
was over IP, growing [Frost 2002] [Telegeography 2002]
Standardized, deployed protocols (TRIP, SIP, H.323)
Æ Requires scalable architecture to limit
congestion.
15 November 2005 95
Goals
High quality, economically efficient
telephony over the Internet.
Low blocking probability
Provide preferential treatment, high QoS
Questions:
How to perform call admission control?
How best to route calls through converged
network?
15 November 2005 96
Approach
Mechanisms
ITG selection
Congestion sensitive *
call admission
* *
Distance
control
Techniques * * *
Awareness of ITG *
congestion
Utilization
Path quality between
important points in
network
15 November 2005 97
Overview
IP Telephony Networks
Pricing-based Admission Control
Redirection Techniques
Experimental Design
Results
Future Work
15 November 2005 98
System Architecture
ITG
ITG
LS LS 6
ITG
5 LS
3
ITG
LS
4
1 2
ITG
LS
ITG
LS
15 November 2005 99
Scope of Study
1. All calls are net-to-phone
2. ADs cooperate to provide service.
3. Use IETF’s TRIP architecture to
support interoperability.
4. Disregard degradation in access
network.
5. Prices determined at start of call.
6. ITGs offer equal PSTN reachability.
15 November 2005 100
Pricing
PSTN
distance pricing
time of day pricing
IP Telephony
richer user interface
allows for more dynamic pricing schemes
Baseline: Flat-rate Admission Control
(FAC)
0.8
0.8
0.7 0.7
0.6 0.6
0.5 0.5
0.4 0.4
0.3 0.3
0.2 0.2
0.1 0.1
0 0
0 10 20 30 40 50 60
0
1510November
20
2005
Utilization
30 40
[voice ports]
50 60
Utilization [voice ports] 104
Redirection
Problem: finding the “best” ITG
Approach: tradeoffs between quality and load
Method: LS maintains
Average measured path quality
Number voice ports in use
Algorithms:
Random Redirection (RR) (baseline)
QoS Sensitive Redirection (QR)
Congestion Sensitive Redirection (CR)
Hybrid Scheme (CQR)
0.5
BlockingProbability
0.4
0.3
QR+FAC
0.2 QR+CAC
0.1
0
0 0.2 0.4 0.6 0.8 1
Offered Load
CQR+NAC k=1
VarianceinUtilization[ports/sec]
250
CQR+NAC k=3
150
100
50
0
0 0.2 0.4 0.6 0.8 1
β
Beta
4
QoS[MOS]
3
CQR+NAC Beta=0
2 CQR+NAC Beta=0.9
CQR+NAC Beta=1
1
RR+NAC
0
0 1 2 3 4 5
Background Traffic Multiplier
117
Problem:
Finding suitable Gateway to balance
resource, enhance QoS.
Select best path to lower blocking
probability, decrease delay.