Improving Authentication Performance of Distributed SIP Proxies

The performance of SIP proxies is critical for the robust operation of many applications. However, the use of even light-weight authentication schemes can significantly degrade throughput in these systems. In particular, systems in which multiple proxies share a remote authentication database can experience reduced performance due to latency. In this paper, we investigate how parallel execution and batching can be used to maximize throughput while carefully balancing demands for bandwidth and call failure rates. Through the use of a modified version of OpenSER, a high-performance SIP proxy, we demonstrate that the traditional recommendation of simply launching a large number of parallel processes not only incurs substantial overhead and increases dropped calls, but can actually decrease call throughput. An alternative technique that we implement, request batching, similarly fails to achieve high proxy throughput. Through a carefully selected mix of batching and parallelization, we reduce the bandwidth required to maximize authenticated signaling throughput by the proxy by more than 75 percent. This mix also keeps the call loss rates below 1 percent at peak performance. In addition, we demonstrate that the delay introduced by batching is acceptable for VoIP applications. As a result, our technique significantly reduces the cost and increases the throughput of authentication for large-scale networks supporting SIP applications.
