| dc.description.abstract | Voice over IP, short VoIP, is among the fastest growing broadband technologies
in the private and commercial sector. Compared to the Plain Old Telephone
System (POTS), Internet telephony has reduced availability, measured in uptime
guarantees per a given time period. This thesis makes a contribution towards
proper quantitative statements about network availability when using two redun-
dant, state synchronized computers, acting as firewalls between the Internet
(WAN) and the local area network (LAN).
First, methods for generating adequate VoIP traffic volumes for loading a
Gigabit Ethernet link are examined, with the goal of using a minimal set of
hardware, namely one regular desktop computer. pktgen, the Linux kernel
UDP packet generator, was chosen for generating synthetic/artificial traffic,
reflecting the common VoIP packet characteristics packet size, changing sender
and receiver address, as well as typical UDP-port usage. pktgen’s three main
parameters influencing the generation rate are fixed inter-packet delay, packet size
and total packet count. It was sought to relate these to more user-friendly val-
ues of amount of simultaneous calls, voice codec employed and call duration. The
proposed method fails to model VoIP traffic accurately, mostly due to the cur-
rently unstable nature of pktgen. However, it is suited for generating enough
packets for testing the firewalls.
Second, the traffic forwarding limit and failover behavior of the redun-
dant, state-synchronized firewalls was examined. The firewalls were running
OpenBSD 3.8 and used the Common Address Redundancy Protocol (CARP)
and the packet filter state synchronization protocol (pfsync) for achieving re-
dundancy, with one acting as master, and the other as backup. Empirical mea-
surements show that the upper limit for unidirectional traffic is at about 125,000
packets per second, independent of packet sizes typical for VoIP media packets
(less than 220 bytes). This is far below the traffic capacity of Gigabit Ethernet,
and is caused by a “receive livelock”: full system load due to non-optimized
interrupt handling. The obtained measurements allow for questioning the
suitability of a default OpenBSD installation for firewalls in high packet rate net-
works.. The network connectivity glitch in failover situations was measured at:
when turning CARP off administratively while processing circa 80,000 packets
per second, the maximum glitch was in the magnitude of 300 milliseconds.
When power-cycling the master firewall, maximum connectivity interruptions
of circa 3,000 milliseconds occurred. In all cases, series with much lower values
were measured, but may not be representative. | nor |