Service Providers are scrambling to offer voice, video, data and
innovative services such as gaming, interactive TV and messaging, on
a single pipe. At the same time, network equipment is being upgraded
to IPV6.But some Real-Time IPV6 Security overwhelms performance due
to the application intelligence which is the rapid inspection of
VoIP signaling SIP, H.323 and audio packets, and the prompt opening
and shutting of "pinholes" to allow the passage of valid voice traffic
over wireless networks.
A firewall enabled for application filtering and IPv6 can drop
application performance by a staggering 90 % or more compared to best
case IPV4 results.
Given methods are used to IPv6 Application performance:
- Emulate real application traffic -data, voice, video over tens of thousands
of clients and/or servers.
- Measure performance and Quality of Experience with Web pages/s, VoIP call
set-up time, FTP file transfer rate and instant message passing with TCP SYN
handshaking signals.
Multiply services over IPv4/v6 must address three additional
challenges that will impact network performance must be handled
following DoS attacks. IPv6 approaches can handle these with
Network tester configurations.
6.2 DoS Attacks
- Must be filtered, including traditional layer 3-4 attacks such as TCP SYN
Flood which is ported to IPv6.
- ICMPv6 attacks
- Application layer attacks (such as SIP setup/teardown flood and RTP stream
Insertion).
- Application attacks are particularly effective because they degrade the
CPU performance.
6.3 VoIP Attack Vulnerability
VoIP attack vulnerability simulates DoS attacks to measure impact
on VoIP with:
- Traditional DoS attacks (TCP SYN flood, ping of Death)
- VoIP voice insertion-simulate rogue RTP streams.
- VoIP DoS simulates bursts of call setups and teardowns on the same addresses
6.4 Performance Challenges
6.4.1
Longer IPv6 addresses:
Firewall rule sets and ACL must work IPv6 addresses. It can degrade
performance.
6.4.2
IPv6 variable-length headers:
Parsing more complex encryption and authentication header sections
must be parsed and filtered and it may also need to perform encryption/decryption or calculation of message authentication
codes to be filter on application-layer headers and content.
6.4.3
IPv6 DoS attacks
IPv6/v4 and IPv4/v6 tunneling can hide application-layer attacks
within complex handcrafted TCP SYN packets.
6.5 Triple-Play Methodology
It is a new approach needed to ensure that application aware devices
do not become bottlenecks:
6.5.1
Real-Time Application Performance.
6.5.2
Add DoS attacks over IPv6 including SIP setup-teardown attacks. Quantify the
reduction in application performance.
Powered by AkoComment! |
