6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

Triple Play or Triple Delay?
By John Nakulski
Agilent Technologies

Voice, Video and Data over IPv6: Unproven?
Service providers are scrambling to offer voice, video, data, and innovative services such as gaming, interactive TV and messaging on a single pipe. At the same time, network equipment is being upgraded to IPv6. To support these "multi-play" services, application-aware devices such as firewalls, session border controllers (SBCs) and content delivery systems need to filter and switch at layer 7. Taking firewalls as an example, vendors only recently added support for VoIP and video application filtering and for IPv6 - so the intersection of these technologies, "triple play over IPv6," is relatively unproven.

Real-Time IPv6 Security Hurts Performance!
IP network equipment now carries Internet telephony and streamed video. However, most firewalls, routers and VPN concentrators were designed in the days when HTTP dominated the Internet. Today's network devices have new requirements:

  • Application intelligence - the rapid inspection of SIP, H.323 and RTSP packets, and the prompt opening and shutting of "pinholes" to allow the passage of valid Real-time Transport Protocol (RTP) traffic;
  • Real-time performance - the minimization of RTP packet latency and latency variation to reduce voice and video delay and jitter;
  • Application QoS - the prioritization of voice and video application traffic over data traffic;
  • Application scalability - the ability to forward phone and video services to thousands of real users at the same time;

...and all with the added burden of mixed IPv6 and IPv4 processing.
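
The pinhole handling in the first requirement, sketched as an added example (not from the original article or from any vendor's firewall): it reads the SDP body carried in a SIP message and derives the UDP pinholes for RTP and RTCP, for IPv6 and IPv4 media alike. The function names, the Pinhole type and the sample SDP are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Pinhole(NamedTuple):
    family: int    # 4 or 6
    address: str   # normalised media destination
    port: int      # UDP port to allow
    purpose: str   # e.g. "audio RTP"

# Constructed SDP body of a SIP answer; addresses are documentation ranges.
SAMPLE_SDP = """\
v=0
o=alice 2890844526 2890844526 IN IP6 2001:db8::10
s=-
c=IN IP6 2001:DB8:0:0:0:0:0:10
t=0 0
m=audio 49170 RTP/AVP 0
m=video 51372 RTP/AVP 31
c=IN IP4 192.0.2.10
m=audio 0 RTP/AVP 8
"""

def parse_conn(line):
    """Parse 'c=IN IP6 <addr>' and check the address matches the declared family."""
    nettype, addrtype, addr = line[2:].split()
    ip = ipaddress.ip_address(addr.split("/")[0])
    if nettype != "IN" or addrtype != f"IP{ip.version}":
        raise ValueError(f"inconsistent c= line: {line!r}")
    return ip

def pinholes_from_sdp(sdp):
    session_conn = None   # session-level c=, the default for every m= section
    media = []            # [kind, port, media-level c= or None]
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("c="):
            if media:
                media[-1][2] = parse_conn(line)   # overrides the session-level c=
            else:
                session_conn = parse_conn(line)
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append([kind, int(port.split("/")[0]), None])
    holes = []
    for kind, port, conn in media:
        ip = conn if conn is not None else session_conn
        if port == 0 or ip is None:   # port 0 marks a declined stream: open nothing
            continue
        # RTCP defaults to the next port up when no a=rtcp attribute is present.
        for offset, proto in ((0, "RTP"), (1, "RTCP")):
            holes.append(Pinhole(ip.version, str(ip), port + offset, f"{kind} {proto}"))
    return holes
```

The IPv6 address is normalised before it becomes a rule, so differently written forms of the same address map to one pinhole, and the declined stream on port 0 opens nothing.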

If you configure a firewall to enable application filtering and IPv6, then application performance (measured by real VoIP, video and data application traffic) can drop by a staggering 90% or more compared to best-case IPv4 results.

3 Nasty Surprises - DoSv6, P2Pv6 and IPsecv6
Both equipment manufacturers and providers of Triple Play services over IPv6 and IPv4 need to address three additional challenges that will impact network device performance:

  • DoSv6 - New types of Denial of Service attacks must be filtered, including traditional layer 3-4 attacks (such as TCP SYN flood) ported to IPv6; ICMPv6 attacks; layer 3-4 attacks that target VoIP, RTSP and RTP port numbers; and application-layer attacks (such as SIP setup/teardown flood and RTP stream insertion). Application attacks are particularly effective because they sap the CPU performance of any device with application awareness, including the security devices that are expected to mitigate such attacks.
  • P2Pv6 - Peer-to-Peer file sharing traffic now dominates the Internet. Several firewalls and other network devices can now block or rate-limit P2P traffic. These devices must be upgraded to recognize P2P traffic encapsulated within IPv6 packets. Service providers need to ensure that traffic from P2P and other data applications does not impact the performance of real-time VoIP and video services.
  • IPsecv6 - IP Security (IPsec) over IPv6 can hurt real-time performance and scalability. VPN devices require rapid IPsecv6 tunnel establishment to minimize VoIP call setup time, as well as fast IPsecv6 data encryption to limit voice and video packet latency.
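
One way a device could recognise the SIP setup/teardown flood named under DoSv6, as an added example that is not part of the original article: it counts calls torn down shortly after setup per source, aggregating IPv6 sources by /64 prefix because one subscriber usually holds a whole /64. The thresholds, function names and event tuples are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_S = 10.0      # assumed sliding window, seconds
MAX_CHURN = 3        # assumed number of short-lived calls tolerated per window
SHORT_CALL_S = 2.0   # assumed setup-to-teardown time that counts as churn

def source_key(addr):
    """Aggregate IPv6 sources by /64; keep IPv4 sources per address."""
    ip = ipaddress.ip_address(addr)
    prefix = 64 if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def detect_churn(events):
    """events: time-ordered (time_s, src_addr, method, call_id) tuples."""
    setup = {}                   # (source key, call_id) -> INVITE time
    churn = defaultdict(deque)   # source key -> times of short-lived calls
    flagged = []
    for t, src, method, call_id in events:
        key = source_key(src)
        if method == "INVITE":
            setup[(key, call_id)] = t
        elif method in ("CANCEL", "BYE"):
            started = setup.pop((key, call_id), None)
            if started is None or t - started > SHORT_CALL_S:
                continue         # unknown call or a normal-length call
            q = churn[key]
            q.append(t)
            while t - q[0] > WINDOW_S:
                q.popleft()      # drop churn events older than the window
            if len(q) > MAX_CHURN and key not in flagged:
                flagged.append(key)
    return flagged

# Constructed sample: five short calls from addresses inside one /64,
# one normal 60 s IPv6 call, and one short IPv4 call.
SAMPLE = [(0.2, "2001:db8:9::5", "INVITE", "n1"), (60.2, "2001:db8:9::5", "BYE", "n1"),
          (1.1, "198.51.100.7", "INVITE", "v4"), (1.6, "198.51.100.7", "CANCEL", "v4")]
for i in range(5):
    src = f"2001:db8:1:2::{i + 1:x}"
    SAMPLE += [(float(i), src, "INVITE", f"c{i}"), (i + 0.5, src, "CANCEL", f"c{i}")]
SAMPLE.sort()

if __name__ == "__main__":
    print(detect_churn(SAMPLE))
```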

Triple Play and VoIP over IPv6 - Making Customers Happy
Network operators can no longer rely on published performance numbers for raw TCP and HTTP over IPv4, and equipment vendors must look beyond two-year-old benchmarking methodologies. A new approach is needed to ensure that network security devices do not become IPv6 network bottlenecks:

  1. Real-time Application Performance - Measure VoIP and video application performance and device scalability (such as maximum SIP call setup rate and RTSP transfer rate) over IPv6 and IPv4 using real application traffic.
  2. Application Traffic Mix - Emulate a realistic mix of traffic, using real voice, video and data applications simultaneously on the same interface. Quantify the impact of data application traffic (such as HTTP and SMTP) on VoIP and video performance and scalability.
  3. Proprietary applications - Introduce traffic from P2P, messaging, gaming and other proprietary applications using session capture-replay. Unlike legacy capture-replay techniques, session capture-replay recreates the TCP and UDP sessions (as new sessions using real sockets) to enable the use of access protocols (such as DHCP and IPsec) and to enable scalability testing (multiplied traffic with distinct addresses).
  4. IPsec and IPsecv6 - Send mixed application traffic over VPN tunnels to measure the impact of tunnel setup and encryption on application performance and scalability.
  5. DoS attacks - Add DoS attacks over IPv6 and IPv4, including SIP setup-teardown attacks. Quantify the reduction in application performance.

Using this test methodology to verify performance and scalability, IPv6 device vendors and network operators can be confident that the quality of service experienced by triple play and VoIP customers will meet their expectations.

Agilent Technologies N4190A NetworkTester and N2X Test Solutions
Agilent Technologies was first to market with a VoIPv6 (VoIP over IPv6) and VoIPsecv6 (VoIP over IPsec over IPv6) test solution that is fully integrated with stateful emulation of data application and video traffic. To find out more about how to test IPv6 and IPv4 network devices, visit http://www.agilent.com/comms/networktester and http://www.agilent.com/comms/n2x or look for Agilent Technologies at the IPv6 Summit.