Generating synthetic VoIP traffic for analyzing redundant OpenBSD-Firewalls
Abstract
Voice over IP, VoIP for short, is among the fastest growing broadband technologies
in the private and commercial sectors. Compared to the Plain Old Telephone
System (POTS), Internet telephony offers lower availability, measured as guaranteed
uptime over a given time period. This thesis makes a contribution towards
proper quantitative statements about network availability when using two redundant,
state-synchronized computers acting as firewalls between the Internet
(WAN) and the local area network (LAN).
First, methods for generating adequate VoIP traffic volumes for loading a
Gigabit Ethernet link are examined, with the goal of using a minimal set of
hardware, namely one regular desktop computer. pktgen, the Linux kernel
UDP packet generator, was chosen for generating synthetic/artificial traffic
reflecting the common VoIP packet characteristics: packet size, changing sender
and receiver addresses, and typical UDP port usage. pktgen’s three main
parameters influencing the generation rate are fixed inter-packet delay, packet size
and total packet count. The aim was to relate these to more user-friendly values:
the number of simultaneous calls, the voice codec employed and the call duration. The
proposed method fails to model VoIP traffic accurately, mostly due to the currently
unstable nature of pktgen. However, it is suited for generating enough
packets for testing the firewalls.
Second, the traffic forwarding limit and failover behavior of the redundant,
state-synchronized firewalls were examined. The firewalls were running
OpenBSD 3.8 and used the Common Address Redundancy Protocol (CARP)
and the packet filter state synchronization protocol (pfsync) for achieving redundancy,
with one acting as master and the other as backup. Empirical measurements
show that the upper limit for unidirectional traffic is about 125,000
packets per second, independent of packet sizes typical for VoIP media packets
(less than 220 bytes). This is far below the traffic capacity of Gigabit Ethernet,
and is caused by a “receive livelock”: full system load due to non-optimized
interrupt handling. The obtained measurements call into question the
suitability of a default OpenBSD installation for firewalls in high packet rate networks.
The network connectivity glitch in failover situations was also measured:
when CARP was turned off administratively while the firewalls were processing circa 80,000 packets
per second, the maximum glitch was on the order of 300 milliseconds. When the master firewall was power-cycled, maximum connectivity interruptions
of circa 3,000 milliseconds occurred. In all cases, series with much lower values
were also measured, but these may not be representative.
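As an added example (not code from the thesis), the following Python script carries out the mapping the abstract describes: it converts a number of simultaneous calls, a codec and a call duration into pktgen's fixed inter-packet delay, packet size and total packet count, and then checks the resulting rate against the measured forwarding ceiling (125,000 packets per second) and failover glitches (300 ms and 3,000 ms) reported above. The per-codec payload sizes and packet rates are standard RTP packetization assumptions, the pktgen keyword names follow the Linux pktgen documentation, and the convention that pktgen's pkt_size includes the 14-byte Ethernet header is assumed from the pktgen source; the RTP port range and destination addresses are constructed values.

```python
"""Relate simultaneous calls, codec and call duration to pktgen's three
generator parameters (inter-packet delay, packet size, total count), and
check the result against a measured forwarding ceiling and failover glitch.

Added example, not code from the thesis. Codec packetization figures are
standard RTP assumptions; pktgen keyword names follow the Linux pktgen
documentation and are assumed unchanged for the kernel in use.
"""
from dataclasses import dataclass

# Assumed per-codec RTP packetization: (payload bytes per packet, packets/s).
# G.711 and G.729 at a 20 ms packetization interval send 50 packets/s per
# direction; G.711 at 10 ms sends 100 packets/s with half the payload.
CODECS = {
    "G.711": (160, 50),
    "G.711-10ms": (80, 100),
    "G.729": (20, 50),
}

ETH_HDR, IP_HDR, UDP_HDR, RTP_HDR = 14, 20, 8, 12
# Bytes on the wire that are not part of the frame: preamble/SFD + FCS + IFG.
WIRE_OVERHEAD = 8 + 4 + 12


@dataclass(frozen=True)
class PktgenParams:
    pkt_size: int   # frame size incl. 14-byte Ethernet header (assumed pktgen convention)
    count: int      # total packets to send
    delay_ns: int   # fixed inter-packet delay in nanoseconds
    pps: int        # aggregate unidirectional packet rate this models


def pktgen_params(calls: int, codec: str, duration_s: int) -> PktgenParams:
    """One media stream per call, unidirectional, sent at a fixed spacing."""
    payload, per_call_pps = CODECS[codec]
    pps = calls * per_call_pps
    return PktgenParams(
        pkt_size=ETH_HDR + IP_HDR + UDP_HDR + RTP_HDR + payload,
        count=pps * duration_s,
        delay_ns=round(1_000_000_000 / pps),
        pps=pps,
    )


def pktgen_commands(p: PktgenParams, dst_min: str, dst_max: str) -> list:
    """Commands for a pktgen device file. The destination address range and
    UDP port range model changing receiver addresses and typical RTP port usage
    (port range is a constructed assumption)."""
    return [
        f"pkt_size {p.pkt_size}",
        f"count {p.count}",
        f"delay {p.delay_ns}",
        f"dst_min {dst_min}",
        f"dst_max {dst_max}",
        "udp_dst_min 16384",
        "udp_dst_max 32767",
    ]


def link_utilisation(pps: int, pkt_size: int, link_bps: int = 1_000_000_000) -> float:
    """Fraction of link capacity consumed, counting preamble, FCS and IFG."""
    return pps * (pkt_size + WIRE_OVERHEAD) * 8 / link_bps


def max_calls(limit_pps: int, codec: str) -> int:
    """Unidirectional call streams that fit under a measured pps forwarding ceiling."""
    return limit_pps // CODECS[codec][1]


def glitch_loss(glitch_ms: int, pps: int) -> int:
    """Packets lost during a connectivity glitch at a given aggregate rate."""
    return glitch_ms * pps // 1000


if __name__ == "__main__":
    p = pktgen_params(calls=100, codec="G.711", duration_s=60)
    print("\n".join(pktgen_commands(p, "10.0.0.1", "10.0.0.254")))
    print(f"link utilisation at the 125,000 pps ceiling: "
          f"{link_utilisation(125_000, p.pkt_size):.1%}")
    print(f"G.711 streams under the ceiling: {max_calls(125_000, 'G.711')}")
    print(f"packets lost in a 300 ms glitch at 80,000 pps: {glitch_loss(300, 80_000)}")
    print(f"packets lost per G.711 stream in a 3,000 ms glitch: {glitch_loss(3000, 50)}")
```

Running it shows why the measured ceiling matters more than raw link bandwidth: 125,000 packets per second of 214-byte G.711 frames occupies under a quarter of a Gigabit Ethernet link, yet it caps the firewall pair at 2,500 unidirectional G.711 streams, and a 3,000 ms power-cycle glitch removes 150 consecutive packets from every one of those streams.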
Description
Master in Network and System Administration
Publisher
Høgskolen i Oslo, Avdeling for ingeniørutdanning
Universitetet i Oslo