The impact of TLS on SIP server performance

Securing Voice over IP (VoIP) is a crucial requirement for its successful adoption. A key component of this is securing the signaling path, which is performed by the Session Initiation Protocol (SIP). Securing SIP can be accomplished by using Transport Layer Security (TLS) instead of UDP as the transport protocol. However, using TLS for SIP is not yet widespread, perhaps due to concerns about the performance overhead. This paper studies the performance impact of using TLS as a transport protocol for SIP servers. We evaluate the cost of TLS experimentally using a testbed with OpenSIPS, OpenSSL, and Linux running on an Intel-based server. We analyze TLS costs using application, library, and kernel profiling and use the profiles to illustrate when and how different costs are incurred. We show that using TLS can reduce performance by up to a factor of 17 compared to the typical case of SIP-over-UDP. The primary factor in determining performance is whether and how TLS connection establishment is performed due to the heavy costs of RSA operations used for session negotiation. This depends both on how the SIP proxy is deployed and what TLS operation modes are used. The cost of symmetric key operations such as AES, in contrast, tends to be small. Network operators deploying SIP-over-TLS should attempt to maximize the persistence of secure connections and will need to assess the server resources required. To aid them, we provide a measurement-driven cost model for use in provisioning SIP servers using TLS. Our cost model predicts performance within 15% on average.
