Computer Networks LECTURE 23 Network Security …...Multimedia Networking 9-29 Multimedia: audio...
Transcript of Computer Networks LECTURE 23 Network Security …...Multimedia Networking 9-29 Multimedia: audio...
1
Computer Networks
LECTURE 23
Network Security and
Multimedia Networking
Tamal Biswas
Department of Computer Science University of Rochester
Securing Wireless LANs
WEP design goals
Wired Equivalent Privacy
symmetric key crypto• confidentiality
• end host authorization
• data integrity
self-synchronizing: each packet separately encrypted• given encrypted packet and key, can decrypt; can
continue to decrypt packets when preceding packet was lost (unlike Cipher Block Chaining (CBC) in block ciphers)
Efficient
• implementable in hardware or software8-3Security
Review: symmetric stream ciphers
combine each byte of keystream with byte of plaintext to get ciphertext:
• m(i) = ith unit of message
• ks(i) = ith unit of keystream
• c(i) = ith unit of ciphertext
• c(i) = ks(i) m(i) ( = exclusive or)
• m(i) = ks(i) c(i)
WEP uses RC4
keystream
generatorkey keystream
8-4Security
2
Stream cipher and packet independence
recall design goal: each packet separately encrypted
if for frame n+1, use keystream from where we left off for frame n, then each frame is not separately encrypted
• need to know where we left off for packet n
WEP approach: initialize keystream with key + new IV for each packet:
keystream
generatorKey+IVpacket keystreampacket
8-5Security
WEP encryption (1) sender calculates Integrity Check Value (ICV, four-byte
hash/CRC over data
each side has 104-bit shared key
sender creates 24-bit initialization vector (IV), appends to key: gives 128-bit key
sender also appends keyID (in 8-bit field)
128-bit key inputted into pseudo random number generator to get keystream
data in frame + ICV is encrypted with RC4:• bytes of keystream are XORed with bytes of data & ICV
• IV & keyID are appended to encrypted data to create payload
• payload inserted into 802.11 frame
encrypted
data ICVIV
MAC payload
Key
ID
8-6Security
WEP encryption (2)
IV
(per frame)
KS: 104-bit
secret
symmetric
key k1
IV k2IV k3
IV … kNIV kN+1
IV… kN+1IV
d1 d2 d3 … dN
CRC1 … CRC4
c1 c2 c3 … cN
cN+1 … cN+4
plaintext
frame data
plus CRC
key sequence generator
( for given KS, IV)
802.11
header IV
&
WEP-encrypted data
plus ICV
Figure 7.8-new1: 802.11 WEP protocol new IV for each frame
8-7Security
WEP decryption overview
receiver extracts IV
inputs IV, shared secret key into pseudo random generator, gets keystream
XORs keystream with encrypted data to decrypt data + ICV
verifies integrity of data with ICV
• note: message integrity approach used here is different from MAC (message authentication code) and signatures (using PKI).
encrypted
data ICVIV
MAC payload
Key
ID
8-8Security
3
End-point authentication w/ nonce
Nonce: number (R) used only once –in-a-lifetime
How to prove Alice “live”: Bob sends Alice nonce, R. Alice
must return R, encrypted with shared secret key
“I am Alice”
R
K (R)A-B
Alice is live, and only
Alice knows key to
encrypt nonce, so it
must be Alice!
8-9Security
WEP authentication
authentication request
nonce (128 bytes)
nonce encrypted shared key
success if decrypted value equals nonce
Notes: not all APs do it, even if WEP is being used
AP indicates if authentication is necessary in beacon frame
done before association
8-10Security
Breaking 802.11 WEP encryption
security hole: 24-bit IV, one IV per frame, -> IV’s eventually reused
IV transmitted in plaintext -> IV reuse detected
attack:• Trudy causes Alice to encrypt known plaintext d1 d2 d3 d4
…
• Trudy sees: ci = di XOR kiIV
• Trudy knows ci di, so can compute kiIV
• Trudy knows encrypting key sequence k1IV k2
IV k3IV …
• Next time IV is used, Trudy can decrypt!
8-11Security
802.11i: improved security
numerous (stronger) forms of encryption possible
provides key distribution
uses authentication server separate from access point
8-12Security
4
AP: access point
AS:Authentication
server
wired
network
STA:client station
1 Discovery of
security capabilities
STA and AS mutually authenticate, together
generate Master Key (MK). AP serves as “pass through”2
33 STA derives
Pairwise Master
Key (PMK)
AS derives
same PMK,
sends to AP
4 STA, AP use PMK to derive
Temporal Key (TK) used for message
encryption, integrity
802.11i: four phases of operation
8-13Security
Operational security: firewalls
and IDS
Firewalls
isolates organization’s internal net from larger Internet,
allowing some packets to pass, blocking others
firewall
administered
network
publicInternet
firewalltrusted “good guys” untrusted “bad guys”
8-15Security
Firewalls: why
prevent denial of service attacks:
SYN flooding: attacker establishes many bogus TCP
connections, no resources left for “real” connections
prevent illegal modification/access of internal data
e.g., attacker replaces CIA’s homepage with something else
allow only authorized access to inside network
set of authenticated users/hosts
three types of firewalls:
stateless packet filters
stateful packet filters
application gateways
8-16Security
5
Stateless packet filtering
internal network connected to Internet via router firewall
router filters packet-by-packet, decision to forward/drop packet based on:
• source IP address, destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits
Should arriving
packet be allowed in?
Departing packet let
out?
8-17Security
Stateless packet filtering: example
example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
• result: all incoming, outgoing UDP flows and telnet connections are blocked
example 2: block inbound TCP segments with ACK=0.
• result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
8-18Security
Policy Firewall Setting
No outside Web access. Drop all outgoing packets to any IP
address, port 80
No incoming TCP connections,
except those for institution’s
public Web server only.
Drop all incoming TCP SYN packets
to any IP except 130.207.244.203,
port 80
Prevent Web-radios from eating
up the available bandwidth.
Drop all incoming UDP packets -
except DNS and router broadcasts.
Prevent your network from being
used for a smurf DoS attack.
Drop all ICMP packets going to a
“broadcast” address (e.g.
130.207.255.255).
Prevent your network from being
tracerouted
Drop all outgoing ICMP TTL expired
traffic
Stateless packet filtering: more examples
8-19Security
actionsource
address
dest
addressprotocol
source
port
dest
port
flag
bit
allow 222.22/16outside of
222.22/16TCP > 1023 80
any
allow outside of
222.22/16
222.22/16TCP 80 > 1023 ACK
allow 222.22/16outside of
222.22/16UDP > 1023 53 ---
allow outside of
222.22/16
222.22/16UDP 53 > 1023 ----
deny all all all all all all
Access Control Lists
ACL: table of rules, applied top to bottom to incoming packets:
(action, condition) pairs: looks like OpenFlow forwarding (Ch. 4)!
8-20Security
6
Stateful packet filtering stateless packet filter: heavy handed tool
• admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established:
actionsource
address
dest
addressprotocol
source
port
dest
port
flag
bit
allow outside of
222.22/16
222.22/16TCP 80 > 1023 ACK
stateful packet filter: track status of every TCP connection
• track connection setup (SYN), teardown (FIN): determine
whether incoming, outgoing packets “makes sense”
• timeout inactive connections at firewall: no longer admit
packets
8-21Security
actionsource
address
dest
addressproto
source
port
dest
port
flag
bit
check
conxion
allow 222.22/16outside of
222.22/16TCP > 1023 80
any
allow outside of
222.22/16
222.22/16TCP 80 > 1023 ACK
x
allow 222.22/16outside of
222.22/16UDP > 1023 53 ---
allow outside of
222.22/16
222.22/16UDP 53 > 1023 ----
x
deny all all all all all all
Stateful packet filtering
ACL augmented to indicate need to check connection state table
before admitting packet
8-22Security
Application gateways
filter packets on application data as well as on IP/TCP/UDP fields.
example: allow select internal users to telnet outside
1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet connection to
dest host. Gateway relays data between 2 connections
3. router filter blocks all telnet connections not originating
from gateway.
application
gateway
host-to-gateway
telnet session
router and filter
gateway-to-remote
host telnet session
8-23Security
Limitations of firewalls, gateways
IP spoofing: router can’t know if data “really”comes from claimed source
if multiple app’s. need special treatment, each has own app. gateway
client software must know how to contact gateway.
• e.g., must set IP address of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff: degree of communication with outside world, level of security
many highly protected sites still suffer from attacks
8-24Security
7
Intrusion detection systems
packet filtering:• operates on TCP/IP headers only
• no correlation check among sessions
IDS: intrusion detection system• deep packet inspection: look at packet contents (e.g.,
check character strings in packet against database of known virus, attack strings)
• examine correlation among multiple packets
• port scanning
• network mapping
• DoS attack
8-25Security
Webserver FTP
server
DNSserver
Internet
demilitarized
zone
firewall
IDS
sensors
Intrusion detection systems
multiple IDSs: different types of checking at different locations
internal
network
8-26Security
Network Security (summary)
basic techniques…...• cryptography (symmetric and public)
• message integrity
• end-point authentication
…. used in many different security scenarios• secure email
• secure transport (SSL)
• IP sec
• 802.11
operational security: firewalls and IDS
8-27Security
Multimedia Networking
8
Multimedia: audio
analog audio signal sampled at constant rate
• telephone: 8,000 samples/sec
• CD music: 44,100 samples/sec
each sample quantized, i.e., rounded
• e.g., 28=256 possible quantized values
• each quantized value represented by bits, e.g., 8 bits for 256 values
time
au
dio
sig
na
l am
plit
ud
e
analog
signal
quantized
value of
analog value
quantization
error
sampling rate
(N sample/sec)
9-29Multimedia Networking
Multimedia: audio
example: 8,000 samples/sec, 256 quantized values: 64,000 bps
receiver converts bits back to analog signal:
• some quality reduction
example rates CD: 1.411 Mbps
MP3: 96, 128, 160 kbps
Internet telephony: 5.3 kbps and up
time
au
dio
sig
na
l am
plit
ud
e
analog
signal
quantized
value of
analog value
quantization
error
sampling rate
(N sample/sec)
9-30Multimedia Networking
video: sequence of images displayed at constant rate
• e.g., 24 images/sec
digital image: array of pixels
• each pixel represented by bits
coding: use redundancy within and between images to decrease # bits used to encode image
• spatial (within image)
• temporal (from one image to next)
Multimedia: video
……………………...…
spatial coding example: instead
of sending N values of same
color (all purple), send only two
values: color value (purple) and
number of repeated values (N)
……………………...…
frame i
frame i+1
temporal coding example:
instead of sending
complete frame at i+1,
send only differences from
frame i
9-31Multimedia Networking
Multimedia: video
……………………...…
spatial coding example: instead
of sending N values of same
color (all purple), send only two
values: color value (purple) and
number of repeated values (N)
……………………...…
frame i
frame i+1
temporal coding example:
instead of sending
complete frame at i+1,
send only differences from
frame i
CBR: (constant bit rate): video encoding rate fixed
VBR: (variable bit rate): video encoding rate changes as amount of spatial, temporal coding changes
examples:
• MPEG 1 (CD-ROM) 1.5 Mbps
• MPEG2 (DVD) 3-6 Mbps
• MPEG4 (often used in Internet, < 1 Mbps)
9-32Multimedia Networking
9
Multimedia networking: 3 application types
streaming, stored audio, video• streaming: can begin playout before downloading entire
file
• stored (at server): can transmit faster than audio/video will be rendered (implies storing/buffering at client)
• e.g., YouTube, Netflix, Hulu
conversational voice/video over IP • interactive nature of human-to-human conversation
limits delay tolerance
• e.g., Skype
streaming live audio, video• e.g., live sporting event (futbol)
9-33Multimedia Networking
Multimedia networking: outline
9.1 multimedia networking applications
9.2 streaming stored video
9.3 voice-over-IP
9.4 protocols for real-time conversationalapplications
9.5 network support for multimedia
9-34Multimedia Networking
Streaming stored video:
1. video
recorded
(e.g., 30
frames/sec)
2. video
sent
streaming: at this time, client
playing out early part of video,
while server still sending later
part of video
network delay
(fixed in this
example)time
3. video received,
played out at client
(30 frames/sec)
9-35Multimedia Networking
Streaming stored video: challenges
continuous playout constraint: once client playout
begins, playback must match original timing
• … but network delays are variable (jitter), so will need client-side buffer to match playout requirements
other challenges:
• client interactivity: pause, fast-forward, rewind,
jump through video
• video packets may be lost, retransmitted
9-36Multimedia Networking
10
constant bit
rate video
transmission
time
variable
network
delay
client video
receptionconstant bit
rate video
playout at client
client playout
delayb
uffe
red
vid
eo
client-side buffering and playout delay: compensate for network-added delay, delay jitter
Streaming stored video: revisited
9-37Multimedia Networking
Client-side buffering, playout
variable fill
rate, x(t)
client application
buffer, size B
playout rate,
e.g., CBR r
buffer fill level,
Q(t)
video server
client
9-38Multimedia Networking
Client-side buffering, playout
variable fill
rate, x(t)
client application
buffer, size B
playout rate,
e.g., CBR r
buffer fill level,
Q(t)
video server
client
1. Initial fill of buffer until playout begins at tp
2. playout begins at tp,
3. buffer fill level varies over time as fill rate x(t) varies
and playout rate r is constant9-39Multimedia Networking
playout buffering: average fill rate (x), playout rate (r): x < r: buffer eventually empties (causing freezing of video
playout until buffer again fills)
x > r: buffer will not empty, provided initial playout delay is large enough to absorb variability in x(t)
• initial playout delay tradeoff: buffer starvation less likely with larger delay, but larger delay until user begins watching
variable fill
rate, x(t)
client application
buffer, size B
playout rate,
e.g., CBR r
buffer fill level,
Q(t)
video server
Client-side buffering, playout
9-40Multimedia Networking
11
Streaming multimedia: UDP
server sends at rate appropriate for client
• often: send rate = encoding rate = constant rate
• transmission rate can be oblivious to congestion levels
short playout delay (2-5 seconds) to remove network jitter
error recovery: application-level, time permitting
RTP [RFC 2326]: multimedia payload types
UDP may not go through firewalls
9-41Multimedia Networking
Streaming multimedia: HTTP
multimedia file retrieved via HTTP GET
send at maximum possible rate under TCP
fill rate fluctuates due to TCP congestion control, retransmissions (in-order delivery)
larger playout delay: smooth TCP delivery rate
HTTP/TCP passes more easily through firewalls
variable
rate, x(t)
TCP send
buffer
video
fileTCP receive
buffer
application
playout buffer
server client
9-42Multimedia Networking
Multimedia networking: outline
9.1 multimedia networking applications
9.2 streaming stored video
9.3 voice-over-IP
9.4 protocols for real-time conversationalapplications
9.5 network support for multimedia
9-43Multimedia Networking
Voice-over-IP (VoIP)
VoIP end-end-delay requirement: needed to maintain “conversational” aspect• higher delays noticeable, impair interactivity
• < 150 msec: good
• > 400 msec bad
• includes application-level (packetization, playout), network delays
session initialization: how does callee advertise IP address, port number, encoding algorithms?
value-added services: call forwarding, screening, recording
emergency services: 911
9-44Multimedia Networking
12
VoIP characteristics
speaker’s audio: alternating talk spurts, silent periods.
• 64 kbps during talk spurt
• pkts generated only during talk spurts
• 20 msec chunks at 8 Kbytes/sec: 160 bytes of data
application-layer header added to each chunk
chunk+header encapsulated into UDP or TCP segment
application sends segment into socket every 20 msec during talkspurt
9-45Multimedia Networking
VoIP: packet loss, delay
network loss: IP datagram lost due to network congestion (router buffer overflow)
delay loss: IP datagram arrives too late for playout at receiver• delays: processing, queueing in network; end-system
(sender, receiver) delays
• typical maximum tolerable delay: 400 ms
loss tolerance: depending on voice encoding, loss concealment, packet loss rates between 1% and 10% can be tolerated
9-46Multimedia Networking
constant bit
rate
transmission
time
variable
network
delay
(jitter)
client
receptionconstant bit
rate playout
at client
client playout
delay
bu
ffe
red
da
ta
Delay jitter
end-to-end delays of two consecutive packets: difference can be more or less than 20 msec (transmission time difference)
9-47Multimedia Networking
VoIP: fixed playout delay
receiver attempts to playout each chunk exactly qmsecs after chunk was generated.
• chunk has time stamp t: play out chunk at t+q
• chunk arrives after t+q: data arrives too late for playout: data “lost”
tradeoff in choosing q:
• large q: less packet loss
• small q: better interactive experience
9-48Multimedia Networking
13
packets
time
packets
generated
packets
received
loss
r
p p'
playout schedule
p' - r
playout schedule
p - r
sender generates packets every 20 msec during talk spurt.
first packet received at time r
first playout schedule: begins at p
second playout schedule: begins at p’
VoIP: fixed playout delay
9-49Multimedia Networking
Adaptive playout delay (1)
goal: low playout delay, low late loss rate
approach: adaptive playout delay adjustment:• estimate network delay, adjust playout delay at
beginning of each talk spurt
• silent periods compressed and elongated
• chunks still played out every 20 msec during talk spurt
adaptively estimate packet delay: (EWMA -exponentially weighted moving average, recall TCP RTT estimate):
di = (1-a)di-1 + a (ri – ti)
delay estimate
after ith packetsmall constant,
e.g. 0.1time received - time sent
(timestamp)
measured delay of ith packet
9-50Multimedia Networking
also useful to estimate average deviation of delay, vi :
estimates di, vi calculated for every received packet, but used only at start of talk spurt
for first packet in talk spurt, playout time is:
remaining packets in talkspurt are played out periodically
vi = (1-b)vi-1 + b |ri – ti – di|
playout-timei = ti + di + Kvi
Adaptive playout delay (2)
9-51Multimedia Networking
VoiP: recovery from packet loss (1)
Challenge: recover from packet loss given small tolerable delay between original transmission and playout
each ACK/NAK takes ~ one RTT
alternative: Forward Error Correction (FEC)
• send enough bits to allow recovery without retransmission (recall two-dimensional parity in Ch. 5)
simple FEC for every group of n chunks, create redundant chunk by
exclusive OR-ing n original chunks
send n+1 chunks, increasing bandwidth by factor 1/n
can reconstruct original n chunks if at most one lost chunk from n+1 chunks, with playout delay
9-52Multimedia Networking
14
another FEC scheme: “piggyback lower
quality stream” send lower resolution
audio stream as
redundant information
e.g., nominal
stream PCM at 64 kbps
and redundant stream
GSM at 13 kbps
non-consecutive loss: receiver can conceal loss
generalization: can also append (n-1)st and (n-2)nd low-bit rate
chunk
VoiP: recovery from packet loss (2)
9-53Multimedia Networking
interleaving to conceal loss: audio chunks divided into
smaller units, e.g. four 5 msec units per 20 msec audio chunk
packet contains small units from different chunks
if packet lost, still have mostof every original chunk
no redundancy overhead, but increases playout delay
VoiP: recovery from packet loss (3)
9-54Multimedia Networking
supernode overlay
network
Voice-over-IP: Skype
proprietary application-layer protocol (inferred via reverse engineering)
• encrypted msgs
P2P components:
Skype clients (SC)
clients: Skype peers connect directly to each other for VoIP call
super nodes (SN):Skype peers with special functions
overlay network: among SNs to locate SCs
login server
Skype login server supernode (SN)
9-55Multimedia Networking
P2P voice-over-IP: Skype
Skype client operation:
1. joins Skype network by contacting SN (IP address cached) using TCP
2. logs-in (username, password) to centralized Skype login server
3. obtains IP address for callee from SN, SN overlayor client buddy list
4. initiate call directly to callee
Skype login server
9-56Multimedia Networking
15
problem: both Alice, Bob are behind “NATs”• NAT prevents outside peer
from initiating connection to insider peer
• inside peer can initiate connection to outside
relay solution:Alice, Bob maintain open connection to their SNs• Alice signals her SN to connect
to Bob• Alice’s SN connects to Bob’s
SN• Bob’s SN connects to Bob over
open connection Bob initially initiated to his SN
Skype: peers as relays
9-57Multimedia Networking
Multimedia networking: outline
9.1 multimedia networking applications
9.2 streaming stored video
9.3 voice-over-IP
9.4 protocols for real-time conversationalapplications: RTP, SIP
9.5 network support for multimedia
9-58Multimedia Networking
Real-Time Protocol (RTP)
RTP specifies packet structure for packets carrying audio, video data
Presentation on November 28, 2016 by Yuxuan Wang
9-59Multimedia Networking
SIP: Session Initiation Protocol [RFC 3261]
long-term vision:
all telephone calls, video conference calls take place over Internet
people identified by names or e-mail addresses, rather than by phone numbers
can reach callee (if callee so desires), no matter where callee roams, no matter what IP device callee is currently using
9-60Multimedia Networking
16
Example: setting up call to known IP address
Alice’s SIP invite message
indicates her port number,
IP address, encoding she
prefers to receive (PCM
mlaw)
Bob’s 200 OK message
indicates his port number, IP
address, preferred encoding
(GSM)
SIP messages can be sent
over TCP or UDP; here sent
over RTP/UDP
default SIP port number is
5060
time time
Bob's
terminal rings
Alice
167.180.112.24
Bob
193.64.210.89
port 5060
port 38060
m Law audio
GSMport 48753
INVITE [email protected]=IN IP4 167.180.112.24m=audio 38060 RTP/AVP 0port 5060
200 OK
c=IN IP4 193.64.210.89
m=audio 48753 RTP/AVP 3
ACKport 5060
9-61Multimedia Networking
Setting up a call (more)
codec negotiation:• suppose Bob doesn’t
have PCM mlaw encoder
• Bob will instead reply with 606 Not Acceptable Reply, listing his encoders. Alice can then send new INVITE message, advertising different encoder
rejecting a call• Bob can reject with
replies “busy,” “gone,”“payment required,”“forbidden”
media can be sent over RTP or some other protocol
9-62Multimedia Networking
Example of SIP message
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 167.180.112.24
From: sip:[email protected]
To: sip:[email protected]
Call-ID: [email protected]
Content-Type: application/sdp
Content-Length: 885
c=IN IP4 167.180.112.24
m=audio 38060 RTP/AVP 0
Notes:
HTTP message syntax
sdp = session description protocol
Call-ID is unique for every call
Here we don’t know
Bob’s IP address
• intermediate SIP
servers needed
Alice sends, receives
SIP messages using
SIP default port 506
Alice specifies in
header that SIP
client sends, receives
SIP messages over
UDP
9-63Multimedia Networking
Name translation, user location
caller wants to call callee, but only has callee’s name or e-mail address.
need to get IP address of callee’s current host:• user moves around
• DHCP protocol
• user has different IP devices (PC, smartphone, car device)
result can be based on:• time of day (work,
home)
• caller (don’t want boss to call you at home)
• status of callee (calls sent to voicemail when callee is already talking to someone)
9-64Multimedia Networking
17
SIP registrar
REGISTER sip:domain.com SIP/2.0
Via: SIP/2.0/UDP 193.64.210.89
From: sip:[email protected]
To: sip:[email protected]
Expires: 3600
one function of SIP server: registrar
when Bob starts SIP client, client sends SIP REGISTER
message to Bob’s registrar server
register message:
9-65Multimedia Networking
SIP proxy
another function of SIP server: proxy
Alice sends invite message to her proxy server• contains address sip:[email protected]
• proxy responsible for routing SIP messages to callee, possibly through multiple proxies
Bob sends response back through same set of SIP proxies
proxy returns Bob’s SIP response message to Alice • contains Bob’s IP address
SIP proxy analogous to local DNS server plus TCP setup
9-66Multimedia Networking
SIP example: [email protected] calls [email protected]
1
1. Jim sends INVITE
message to UMass
SIP proxy.
2. UMass proxy forwards request
to Poly registrar server
2 3. Poly server returns redirect response,
indicating that it should try [email protected]
5. eurecom
registrar
forwards INVITE
to 197.87.54.21,
which is running
keith’s SIP
client
5
4
4. Umass proxy forwards request
to Eurecom registrar server
86
7
6-8. SIP response returned to Jim
9
9. Data flows between clients
UMass
SIP proxy
Poly SIP
registrar
Eurecom SIP
registrar
197.87.54.21
128.119.40.186
9-67Multimedia Networking
Multimedia networking: outline
9.1 multimedia networking applications
9.2 streaming stored video
9.3 voice-over-IP
9.4 protocols for real-time conversationalapplications
9.5 network support for multimedia
9-68Multimedia Networking
18
Network support for multimedia
9-69Multimedia Networking
Dimensioning best effort networks
approach: deploy enough link capacity so that congestion doesn’t occur, multimedia traffic flows without delay or loss• low complexity of network mechanisms (use current “best
effort” network)
• high bandwidth costs
challenges:• network dimensioning: how much bandwidth is “enough?”
• estimating network traffic demand: needed to determine how much bandwidth is “enough” (for that much traffic)
9-70Multimedia Networking
Providing multiple classes of service
thus far: making the best of best effort service• one-size fits all service model
alternative: multiple classes of service• partition traffic into classes
• network treats different classes of traffic differently (analogy: VIP service versus regular service)
0111
granularity: differential
service among multiple
classes, not among
individual connections
history: ToS bits
9-71Multimedia Networking
Multiple classes of service: scenario
R1R2
H1
H2
H3
H41.5 Mbps linkR1 output
interface
queue
9-72Multimedia Networking
19
Scenario 1: mixed HTTP and VoIP
example: 1Mbps VoIP, HTTP share 1.5 Mbps link. • HTTP bursts can congest router, cause audio loss
• want to give priority to audio over HTTP
packet marking needed for router to distinguish
between different classes; and new router policy to
treat packets accordingly
Principle 1
R1R2
9-73Multimedia Networking
Principles for QOS guarantees (more)
what if applications misbehave (VoIP sends higher than declared rate)• policing: force source adherence to bandwidth allocations
marking, policing at network edge
provide protection (isolation) for one class from others
Principle 2
R1 R2
1.5 Mbps link
1 Mbps
phone
packet marking and policing
9-74Multimedia Networking
allocating fixed (non-sharable) bandwidth to flow: inefficient use of bandwidth if flows doesn’t use its allocation
while providing isolation, it is desirable to use
resources as efficiently as possible
Principle 3
R1R2
1.5 Mbps link
1 Mbps
phone
1 Mbps logical link
0.5 Mbps logical link
Principles for QOS guarantees (more)
9-75Multimedia Networking
Scheduling and policing mechanisms
packet scheduling: choose next queued packet to send on outgoing link
previously covered in Chapter 4:
• FCFS: first come first served
• simply multi-class priority
• round robin
• weighted fair queueing (WFQ)
queue
(waiting area)
packet
arrivalspacket
departureslink
(server)
9-76Multimedia Networking
20
Policing mechanisms
goal: limit traffic to not exceed declared parameters
Three common-used criteria:
(long term) average rate: how many pkts can be sent per unit time (in the long run)• crucial question: what is the interval length: 100 packets
per sec or 6000 packets per min have same average!
peak rate: e.g., 6000 pkts per min (ppm) avg.; 1500 ppm peak rate
(max.) burst size: max number of pkts sent consecutively (with no intervening idle)
9-77Multimedia Networking
Policing mechanisms: implementation
token bucket: limit input to specified burst size and average rate
bucket can hold b tokens
tokens generated at rate r token/sec unless bucket full
over interval of length t: number of packets admitted less than or equal to (r t + b)
9-78Multimedia Networking
Policing and QoS guarantees
token bucket, WFQ combine to provide guaranteed upper bound on delay, i.e., QoS guarantee!
WFQ
token rate, r
bucket size, b
per-flow
rate, R
D = b/Rmax
arriving
traffic
arriving
traffic
9-79Multimedia Networking
Multimedia networking: outline
9.1 multimedia networking applications
9.2 streaming stored video
9.3 voice-over-IP
9.4 protocols for real-time conversationalapplications
9.5 network support for multimedia
9-80Multimedia Networking
21
http://www.resnickdistributors.com/assets/1
/15/Happy-Thanksgiving.jpg?3645
Disclaimer
Parts of the lecture slides contain original work of James Kurose and Keith Ross. The slides are intended for the sole purpose of instruction of computer networks at the University of Rochester. All copyrighted materials belong to their original owner(s).