54 research outputs found

    Secure Service Provisioning (SSP) Framework for IP Multimedia Subsystem (IMS)

    With the emergence of mobile multimedia services such as unified messaging, click-to-dial applications, cross-network multimedia conferencing and seamless multimedia streaming services, the convergence of mobile communication networks and fixed networks began, accompanied by the integration of voice and data communication transmission technology. These developments form the precondition for the merger of the modern Internet on the one side with telecommunications in the classical sense on the other. The IP Multimedia Subsystem (IMS) may be regarded here as the decisive next-generation service delivery platform in a unified communications world. Its architecture is based on a modular design with open interfaces and offers dedicated prerequisites for supporting multimedia services on the basis of the Internet protocols. Along with this emerging open technology come new security challenges in a multi-layered communication infrastructure consisting essentially of the Internet Protocol (IP), the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). The objective of the Secure Service Provisioning (SSP) system is to investigate possible attack scenarios and security gaps in connection with the IP Multimedia Subsystem and to evaluate security solutions as proposed by the IETF, 3GPP and TISPAN. Within this research work the solutions are incorporated as part of the SSP system, with the goal of guaranteeing adequate protection for the IMS and the next-generation SDP.
This part, referred to as security protection level 1, includes among other things measures for user and network authentication, authorisation of the use of multimedia services, and provisions to ensure the confidentiality and integrity of data in connection with protection against eavesdropping, session hijacking and man-in-the-middle attacks. In the next step, the limitations characteristic of security protection level 1 are examined and measures to improve the security protection are developed. The corresponding extensions of security protection level 1 lead to an Intrusion Detection and Prevention (IDP) system that offers protection against Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS) attacks, misuse and fraud attempts in IMS-based networks. Neither 3GPP nor TISPAN has so far specified solutions for this area. In this context, the research and development work described here can contribute to the standardisation of solutions for protection against DoS and DDoS attacks in IMS networks. The approach described here is based on the development of a (stateful / stateless) system for detecting and preventing intrusion attempts (Intrusion Detection and Prevention System). From a development perspective, the IDP was split into two modules: the first module contains the basic functions of the IDP, which address flooding attacks on the IMS and their mitigation. Its goal is to protect the IMS core network and IMS resources against DoS and DDoS attacks. This module is based on an online stateless detection methodology and becomes active as soon as the CPU load of the P-CSCF (Proxy-Call State Control Function) reaches or exceeds a predefined threshold. The second module (IDP-AS) has the task of intercepting attacks directed against IMS Application Servers (AS).
Here the measures concentrate on protecting the ISC interface between the IMS core and the application servers. This module implements a stateful detection methodology for detecting abusive usage activities. While the user communicates with the application server, user-specific state data is recorded and used to check legitimacy. The IDP-AS checks all incoming requests and all outgoing responses originating from or directed to IMS Application Servers for admissibility with respect to the defined attack rules. The performance of the IDP modules is evaluated using the criteria of accuracy and processing delay in identifying potential attacks. For the corresponding reference values, the states of normal load and overload are compared. If the performance of the IDP does not fall short of expectations, an IDP prototype will be deployed for evaluation in the Open IMS Playground of the Fraunhofer FOKUS 3Gb testbed so that it can be tested under real operating conditions, e.g. in VoIP, video conferencing, IPTV, presence and push-to-talk scenarios.

    With the emergence of mobile multimedia services, such as unified messaging, click to dial, cross-network multiparty conferencing and seamless multimedia streaming services, fixed–mobile convergence and voice–data integration have started, leading to an overall Internet–Telecommunications merger. The IP Multimedia Subsystem (IMS) is considered the next generation service delivery platform in the converged communication world. It has a modular design with open interfaces and provides the flexibility to deliver multimedia services over IP technology.
In parallel, this open emerging technology faces security challenges from multiple communication platforms and protocols such as IP, the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP). The objective of the Secure Service Provisioning (SSP) Framework is to study the potential attacks and security threats to the IP Multimedia Subsystem (IMS) and to explore security solutions developed by the IETF, 3GPP and TISPAN. This research work incorporates these solutions into the SSP Framework to secure the IMS and the next generation Service Delivery Platform (SDP). We define this part as level 1 security protection, which includes user and network authentication, authorization to access multimedia services, and confidentiality and integrity protection against eavesdropping, session hijacking and man-in-the-middle attacks. In the next step, we have investigated the limitations of and improvements to level 1 security and proposed an enhancement and extension as level 2 security by developing an Intrusion Detection and Prevention (IDP) system against Denial-of-Service (DoS)/Distributed DoS (DDoS) flooding attacks, misuse and fraud in IMS-based networks. These security threats have recently been identified by 3GPP and TISPAN, but no solution has been recommended or developed. Therefore our solution may be considered as a recommendation in future. Our approach is based on developing both a stateless and a stateful intrusion detection and prevention system. From a development point of view, we have divided the work into two modules: the first module is IDP-Core, addressing and mitigating the flooding attacks in the IMS core. Its objective is to protect the IMS resources and IMS core entities from DoS/DDoS flooding attacks. This module is based on an online stateless detection methodology and activates when the CPU processing load of the P-CSCF (Proxy-Call State Control Function) reaches or crosses the defined threshold limit.
The second module is IDP-AS, addressing and mitigating the misuse attacks facing IMS Application Servers (AS). Its focus is to secure the ISC interface between the IMS Core and the Application Servers. This module is based on a stateful misuse detection methodology: it creates and compares user state while the user is communicating with the application server, checking against the attack rules whether the user is performing a legitimate or illegitimate action. The IDP-AS also compares the incoming requests and outgoing responses to and from IMS Application Servers with the defined attack rules. In the performance analysis, the processing delay and attack detection accuracy of both Intrusion Detection and Prevention (IDP) modules were measured at the Fraunhofer FOKUS IMS Testbed, which was developed for research purposes. The performance evaluation is based on normal and overload condition scenarios. The results showed that the processing delay introduced by both IDP modules satisfied the standard requirements and did not cause retransmission of SIP REGISTER and INVITE requests. The developed prototype is in the testing phase at the Fraunhofer FOKUS 3Gb Testbed for evaluation in real world communication scenarios such as VoIP, video conferencing, IPTV, presence, push-to-talk, etc.

    Linking session based services with transport plane resources in IP multimedia subsystems.

    The massive success and proliferation of Internet technologies has forced network operators to recognise the benefits of an IP-based communications framework. The IP Multimedia Subsystem (IMS) has been proposed as a candidate technology to provide a non-disruptive strategy in the move to all-IP and to facilitate the true convergence of data and real-time multimedia services. Despite the obvious advantages of creating a controlled environment for deploying IP services, and hence increasing the value of the telco bundle, there are several challenges that face IMS deployment. The most critical is that posed by the widespread proliferation of Web 2.0 services. This environment is not seen as robust enough to be used by network operators for revenue generating services. However, IMS operators will need to justify charging for services that are typically available free of charge in the Internet space. Reliability and guaranteed transport of multimedia services by the efficient management of resources will be critical to differentiate IMS services. This thesis investigates resource management within the IMS framework. The standardisation of NGN/IMS resource management frameworks has been fragmented, resulting in weak functional and interface specifications. To facilitate more coherent, focused research and address interoperability concerns that could hamper deployment, a Common Policy and Charging Control (PCC) architecture is presented that defines a set of generic terms and functional elements. A review of related literature and standardisation reveals severe shortcomings regarding vertical and horizontal coordination of resources in the IMS framework. The deployment of new services should not require QoS standardisation or network upgrade, though in the current architecture advanced multimedia services are not catered for. It has been found that end-to-end QoS mechanisms in the Common PCC framework are elementary.
To address these challenges and assist network operators when formulating their NGN strategies, this thesis proposes an application driven policy control architecture that incorporates end-user and service requirements into the QoS negotiation procedure. This architecture facilitates full interaction between service control and resource control planes, and between application developers and the policies that govern resource control. Furthermore, a novel, session based end-to-end policy control architecture is proposed to support inter-domain coordination across IMS domains. This architecture uses SIP inherent routing information to discover the routes traversed by the signalling and the associated routes traversed by the media. This mechanism effectively allows applications to issue resource requests from their home domain and enables end-to-end QoS connectivity across all traversed transport segments. Standard interfaces are used and a transport plane overhaul is not necessary for this functionality. The Common PCC, application driven and session based end-to-end architectures are implemented in a standards compliant and entirely open source practical testbed. This demonstrates proof of concept and provides a platform for performance evaluations. It has been found that while there is a cost in delay and traffic overhead when implementing the complete architecture, this cost falls within established criteria and will have an acceptable effect on end-user experience. The open nature of the practical testbed ensures that all evaluations are fully reproducible and provides a convenient point of departure for future work. While it is important to leave room for flexibility and vendor innovation, it is critical that the harmonisation of NGN/IMS resource management frameworks takes place and that the architectures proposed in this thesis be further developed and integrated into the single set of specifications. The alternative is general interoperability issues that could render end-to-end QoS provisioning for advanced multimedia services almost impossible.

    Toward a fully cloudified mobile network infrastructure

    Cloud computing enables the on-demand delivery of resources for a multitude of services and gives small agile companies the opportunity to compete with large industries. In the telco world, cloud computing is currently mostly used by mobile network operators (MNOs) for hosting non-critical support services and for selling cloud services such as applications and data storage. MNOs are investigating the use of cloud computing to deliver key telecommunication services in the access and core networks. Without this, MNOs lose the opportunity both to combine over-the-top (OTT) and value-added services with their fundamental service offerings and to leverage cost-effective commodity hardware. Being able to leverage cloud computing technology effectively for the telco world is the focus of mobile cloud networking (MCN). This paper presents the key results of the MCN integrated project, including its architecture advancements, prototype implementation, and evaluation. Results show the efficiency and simplicity with which an MNO can deploy and manage the complete service lifecycle of fully cloudified, composed services that combine OTT/IT- and mobile-network-based services running on commodity hardware. The extensive performance evaluation of MCN, using two key proof-of-concept scenarios that compose many services to deliver novel converged, elastic, on-demand mobile-based and innovative OTT services, proves the feasibility of such fully virtualized deployments. Results show that it is beneficial to extend cloud computing to telco usage and run fully cloudified mobile-network-based systems, with clear advantages and new service opportunities for MNOs and end-users.

    Infrastructure sharing of 5G mobile core networks on an SDN/NFV platform

    When looking towards the deployment of 5G network architectures, mobile network operators will continue to face many challenges. With the number of customers approaching maximum market penetration, the number of devices per customer increasing, and the number of non-human operated devices estimated to approach tens of billions, network operators have a formidable task ahead of them. The proliferation of cloud computing techniques has created a multitude of applications for network service deployments, and at the forefront is the adoption of Software-Defined Networking (SDN) and Network Functions Virtualisation (NFV). Mobile network operators (MNOs) have the opportunity to leverage these technologies so that they can enable the delivery of traditional networking functionality in cloud environments. The benefit of this is the reduction in capital and operational expenditures of network infrastructure. When going for NFV, how a Virtualised Network Function (VNF) is designed, implemented, and placed over physical infrastructure can play a vital role in the performance metrics achieved by the network function. Not paying careful attention to this aspect could lead to drastically reduced performance of network functions, thus defeating the purpose of going for virtualisation solutions. The success of mobile network operators in the 5G arena will depend heavily on their ability to shift from their old operational models and embrace new technologies, design principles and innovation in both the business and technical aspects of the environment. The primary goal of this thesis is to design, implement and evaluate the viability of the data centre and cloud network infrastructure sharing use case. More specifically, the core question addressed by this thesis is how virtualisation of network functions in a shared infrastructure environment can be achieved without adverse performance degradation.
5G should be operational with high penetration beyond the year 2020, with data traffic rates increasing exponentially and the number of connected devices expected to surpass tens of billions. Requirements for 5G mobile networks include higher flexibility, scalability, cost effectiveness and energy efficiency. Towards these goals, Software Defined Networking (SDN) and Network Functions Virtualisation have been adopted in recent proposals for future mobile network architectures because they are considered critical technologies for 5G. A Shared Infrastructure Management Framework was designed and implemented for this purpose. This framework was further enhanced for performance optimisation of network functions and the underlying physical infrastructure. The objective achieved was the identification of requirements for the design and development of an experimental testbed for future 5G mobile networks. This testbed deploys high performance virtualised network functions (VNFs) while catering for the infrastructure sharing use case of multiple network operators. The management and orchestration of the VNFs allow automation, scalability, fault recovery, and security to be evaluated. The testbed developed is readily re-creatable and based on open-source software.

    A vulnerability assessment framework for the IMS

    Includes bibliography.
    With multimedia services being made available via more and more devices to end users, it is no longer feasible to develop a delivery platform for each new type of service. The IP multimedia subsystem (IMS) aims to provide a unified service delivery platform capable of supporting a wide range of multimedia, data and voice services. It has been developed with a focus on content delivery and rich communications, and has already begun to replace existing legacy GSM network components. The IMS is intended to be an access agnostic platform, capable of providing services over both mobile and fixed networks using a multi-access all-IP platform. By providing a feature-rich all-IP platform, operators are able to deploy open IP-based networks, allowing for easy deployment and development of new, rich multimedia centric communication services. With the IMS in place, an operator may take the role of a service broker, providing far more revenue generating opportunities than just traditional voice and data. Application services may leverage the functionality provided by the IMS to create new services quickly while allowing them to be easily integrated into the network infrastructure. With the IMS gaining more and more attention from telecoms operators, and already being adopted by some, the ability to assess the security of the system becomes critical to the success of the IMS platform. While the 3GPP has placed emphasis on security throughout the development of the IMS, implementation is left up to vendors looking to create their own IMS systems. Implementation specific vulnerabilities may be missed by standard quality assurance testing, as they may be triggered only by boundary or near boundary conditions, or by non-standard or unexpected state transitions.

    A structural and functional specification of a SCIM for service interaction management and personalisation in the IMS

    The Internet Protocol Multimedia Subsystem (IMS) is a component of the 3G mobile network that has been specified by standards development organisations such as the 3GPP (3rd Generation Partnership Project) and ETSI (European Telecommunication Standards Institute). IMS seeks to guarantee that the telecommunication network of the future provides subscribers with seamless access to services across disparate networks. In order to achieve this, it defines a service architecture that hosts application servers that provide subscribers with value added services. Typically, an application server bundles all the functionality it needs to execute the services it delivers; however, this view is currently being challenged. It is now thought that services should be synthesised from simple building blocks called service capabilities. This decomposition would facilitate the re-use of service capabilities across multiple services and would support the creation of new services that could not have originally been conceived. The shift from monolithic services to those built from service capabilities poses a challenge to the current service model in IMS. To accommodate this, the 3GPP has defined an entity known as a service capability interaction manager (SCIM) that would be responsible for managing the interactions between service capabilities in order to realise complex services. Some of these interactions could potentially lead to undesirable results, which the SCIM must work to avoid. As an added requirement, it is believed that the network should allow policies to be applied to network services, which the SCIM should be responsible for enforcing. At the time of writing, the functional and structural architecture of the SCIM has not yet been standardised. This thesis explores the current service architecture of the IMS in detail. Proposals that address the structure and functions of the SCIM are carefully compared and contrasted.
This investigation leads to the presentation of key aspects of the SCIM, and provides solutions that explain how it should interact with service capabilities, manage undesirable interactions and factor user and network operator policies into its execution model. A modified design of the IMS service layer that embeds the SCIM is subsequently presented and described. The design uses existing IMS protocols and requires no change in the behaviour of the standard IMS entities. In order to develop a testbed for experimental verification of the design, the identification of suitable software platforms was required. This thesis presents some of the most popular platforms currently used by developers, such as the Open IMS Core and OpenSER, as well as an open source, Java-based, multimedia communication platform called Mobicents. As a precursor to the development of the SCIM, a converged multimedia service is presented that describes how a video streaming application that is leveraged by a web portal was implemented for an IMS testbed using Mobicents components. The Mobicents SIP Servlets container was subsequently used to model an initial prototype of the SCIM, using a multi-component telephony service to illustrate the proposed service execution model. The design focuses on SIP-based services only, but should also work for other types of IMS application servers.

    Designing and prototyping WebRTC and IMS integration using open source tools

    WebRTC, or Web Real-time Communications, is a collection of web standards that detail the mechanisms, architectures and protocols that work together to deliver real-time multimedia services to the web browser. It represents a significant shift from the historical approach of using browser plugins, which over time, have proven cumbersome and problematic. Furthermore, it adopts various Internet standards in areas such as identity management, peer-to-peer connectivity, data exchange and media encoding, to provide a system that is truly open and interoperable. Given that WebRTC enables the delivery of multimedia content to any Internet Protocol (IP)-enabled device capable of hosting a web browser, this technology could potentially be used and deployed over millions of smartphones, tablets and personal computers worldwide. This service and device convergence remains an important goal of telecommunication network operators who seek to enable it through a converged network that is based on the IP Multimedia Subsystem (IMS). IMS is an IP-based subsystem that sits at the core of a modern telecommunication network and acts as the main routing substrate for media services and applications such as those that WebRTC realises. The combination of WebRTC and IMS represents an attractive coupling, and as such, a protracted investigation could help to answer important questions around the technical challenges that are involved in their integration, and the merits of various design alternatives that present themselves. This thesis is the result of such an investigation and culminates in the presentation of a detailed architectural model that is validated with a prototypical implementation in an open source testbed. The model is built on six requirements which emerge from an analysis of the literature, including previous interventions in IMS networks and a key technical report on design alternatives. 
Furthermore, this thesis argues that the client architecture requires support for web-oriented signalling, identity and call handling techniques, leading to a potential for IMS networks to natively support these techniques as operator networks continue to grow and develop. The proposed model advocates the use of SIP over WebSockets for signalling and DTLS-SRTP for media to enable one-to-one communication, and can be extended through additional functions, resulting in a modular architecture. The model was implemented using open source tools which were assembled to create an experimental network testbed, and tests were conducted demonstrating successful cross domain communications under various conditions. The thesis has a strong focus on enabling ordinary software developers to assemble a prototypical network such as the one that was assembled, and aims to enable experimentation in application use cases for integrated environments.

    Towards a scalable video interactivity solution over the IMS

    Includes bibliographical references (leaves 72-76).
    The rapid increase in bandwidth and the interactive and scalability features of the Internet provide a precedent for a converged platform that will support interactive television. Next Generation Network platforms such as the IP Multimedia Subsystem (IMS) support Quality of Service (QoS), fair charging and possible integration with other services for the deployment of IPTV services. The IMS architecture supports the use of the Session Initiation Protocol (SIP) for session control and the Real Time Streaming Protocol (RTSP) for media control. This study aims to investigate video interactivity designs over the Internet using an evaluation framework to examine the performance of both the SIP and RTSP protocols over the IMS across different access networks. It proposes a Three Layered Video Interactivity Framework (TLVIF) to reduce the video processing load on a server.