Enabling a Converged World™
915-1743-01 Rev A July 2011
P/N 915-1743-01 Rev A April, 2008
Testing Multiplay Networks
Contents
Testing Multiplay Networks
Ixia’s Approach to Multiplay Testing
How Does IxLoad Work?
Voice Testing with IxLoad
IPTV Testing with IxLoad
Testing Peer-to-Peer with IxLoad
Data and Infrastructure Testing with IxLoad
Testing Application-Aware Devices with IxLoad
Testing Security with IxLoad
IxLoad – All-in-One Solution
Testing Multiplay Networks
Service providers are increasingly looking to deliver differentiated multiplay services to business and digital homes over converged IP networks. 2007 revenues for all service providers topped $1.54 trillion, with $284 billion in equipment purchases.
As the Internet evolves, a wider variety of multiplay services are carried from broadly distributed sources to a large and varied audience of consumers. Services of all types that use a range of protocols are seen in modern multiplay networks, including:
• Data – HTTP, HTTPS, FTP, E-mail
• Voice over IP – SIP, MGCP, RTP
• IPTV – RTSP, IGMP
• Peer-to-peer – BitTorrent, eDonkey, Gnutella
• Infrastructure – DHCP, DNS, RADIUS
• Security – SSL, TLS, IPSec
Figure 1. Distribution of Internet Traffic
Web: 39.1%
P2P: 32.2%
Other: 13.60%
Streaming: 7.7%
Download: 5.0%
Gaming: 1.0%
VoIP: 0.5%
IM: 0.5%
Email: 0.4%
Source: IDC, 2007
Figure 1 shows the breakdown of U.S. Internet traffic for 2006. Each service has its own requirements, as shown in Figure 2. To the consumer, however, quality of experience (QoE) must simply “feel right.” VoIP calls must sound as good as land-line service; IPTV must be absent of blockiness, blurring, or frozen frames; and high-speed Internet services must appear responsive. Special care must be taken by service providers to satisfy all service requirements – all at the same time!
Balancing of service requirements is essential in order to minimize capital expenditure (CAPEX). Services must be delivered with the proper amount of networking equipment and bandwidth.
High-speed Internet: not real time, variable bandwidth, not latency sensitive, no QoE expectation
Business: other services + security, high SLA requirements
Gaming: real time, variable bandwidth, latency sensitive, high QoE expectation
Peer-to-peer: not real time, very high bandwidth, not latency sensitive, no QoE expectation
Mobility and Mobile Services: real time, moderate bandwidth, latency sensitive, moderate QoE expectation
IPTV: real time, high bandwidth, latency sensitive, high QoE expectation
Voice: real time, low bandwidth, latency sensitive, high QoE expectation
Figure 2. Application Traffic Requirements
More and more specialized, application-specific networking devices will continue to emerge as new services gain traction. In contrast, larger and more powerful networking devices are integrating functions of the separate devices. As a result, an increasingly large and diverse range of network devices must be carefully tuned to interoperate correctly and to produce maximized results. Table 1 is a breakdown of some of the modern devices used in multiplay networks.
Web: load balancers, web servers, web caches
Voice: proxy servers, registration servers, session border controllers, IMS devices
Video: video head-ends, access devices, set-top boxes
Data: e-mail gateway, e-mail servers, anti-spam servers
Common: firewalls, VPN gateways, routers, content inspection devices (DPI), intrusion detection systems, infrastructure servers
Table 1. Internet Multiplay Devices
This blizzard of general and specialized devices is used in different combinations at multiple locations within LANs and throughout the Internet. In order to ensure that devices and systems have matched capacities and capabilities and that they interoperate correctly, it’s necessary that testing occur at multiple system levels of network integration: individual components, network subsystems and complete networks. In particular, subsystems must be tested at their major network demarcation points, as shown in Figure 3.
Figure 3. Major Network Demarcation Points
[Diagram. Network segments: Back Office, Core Network, Aggregation and Access Network, Customer Premises. Elements shown: Voice Server, Video Server, Web Server, Core, Metro, IP DSLAM, OLT, ONU, PON/FTTH, Residential Gateway.]
Service verification is never a one-time thing. Every networking component and system is subject to a continuous stream of updates, upgrades and expansion. Testing at every juncture is essential in order to ensure continued proper operation, capacity and performance.
Today’s networking devices and protocol servers in multiplay networks are highly intelligent, digging deep into packet contents to separate protocols, identify sessions and inspect contents. This information is used in complex algorithms that prioritize traffic so as to meet the QoE requirements of each service type.
This sophistication calls for an equal sophistication in network test equipment. In particular, test facilities must offer:
• Multiservice subscriber emulation – to test multiplay devices and networks, test equipment must assume the roles of the end-user and protocol server.
• Protocol coverage – to test the broad range of devices listed in Table 1, test equipment must emulate a wide range of voice, video and data protocols.
• City scale – networks must be pushed to their limits and beyond to properly determine capacities and test quality of service and admission policy enforcement.
• Flexibility – as the Internet matures, usage will morph to take advantage of new, converged applications. Test equipment must be easy to program and to modify in order to keep up with a changing environment.
Ixia’s Approach to Multiplay Testing
Ixia offers a complete, all-in-one hardware/software solution. Ixia’s chassis, interface modules and applications provide a complete, integrated system for testing all types of multiplay devices and networks. All running on the same chassis, Ixia test applications cover the full gamut from conformance test, to layer 2-3 and layer 4-7 performance testing, to full automation and regression testing. The back of this brochure describes the range of Ixia’s test applications.
IxLoad™, in particular, was designed from the ground up to test layer 4-7 network devices, subsystems and networks of all sizes through an extensive set of protocol emulations. IxLoad is used by a wide range of device and chip developers, network equipment manufacturers, service providers, proof-of-concept test labs, and enterprises of all sizes. IxLoad offers all types of testing:
• Scalability – determine the maximum number of users and sessions that can be supported.
• Performance – measure per-protocol maximum data rates.
• Interoperability – ensure that devices conform to published and de-facto standards in the same manner.
• Security – guarantee that security devices fend off attacks and that other devices are not vulnerable.
• Realism – ensures that testing closely matches real-world conditions, with protocol client/server emulations and service traffic over established routing planes.
The bottom-line benefits of using IxLoad are:
• Maximize profit – IxLoad minimizes testing time, allowing you to get to market sooner.
• Minimize OPEX – thoroughly tested devices and networks exhibit fewer problems, reducing OPEX.
• Minimize CAPEX – the ability to measure capacity and performance in real-world scenarios allows you to properly provision your networks without unnecessary overcapacity. Capacity needed for future expansion can be accurately determined.
How Does IxLoad Work?
In general, a device, subsystem or network is connected to other network devices and computers that request or supply services, as shown in Figures 2 and 3.
Ixia’s test hardware and IxLoad work together to test the central device or network, referred to as a system under test (SUT). They do this by providing protocol emulations for the service subscribers and servers connected to the SUT. Where the SUT is a self-sufficient server, only subscribers need be emulated. Figure 4 shows how the Ixia chassis and interfaces connect to the SUT.
Figure 4. Ixia Emulations used During Test
[Diagram. Labels: Device or System Under Test (SUT); Ixia Server Emulations.]
Ixia’s architecture makes it easy to scale to city-size emulation of subscriber communities. Depending on the scale of the SUT, as few as two ports and as many as several hundred ports can be used. Each interface port contains a dedicated, high-performance computer with substantial memory. Using the protocol emulations performed on each port’s CPU, IxLoad can simulate large numbers of subscribers using different services, such as HTTP, FTP, VoIP, IPTV and E-mail. Table 2 lists IxLoad’s complement of protocol emulations. Table 3 indicates how many sessions of particular types are available from Ixia’s most popular interfaces.
Ixia Protocol Emulations
Data: HTTP, HTTPS; FTP; SMTP, POP3, IMAP; Peer-to-peer; CIFS
Voice: SIP; MGCP; RTP
Video: IGMP, MLD; Video on Demand; RTSP, RTP; MS IPTV
Infrastructure: Telnet; DNS; DHCP; LDAP; RADIUS, DIAMETER
Table 2. IxLoad Protocol Emulations
Each Ixia interface is capable of emulating large numbers of voice, video, and data subscribers while generating near line-rate traffic, as shown in Table 3. The ASM1000XMV12X load module, in particular, is a powerful and flexible card. It contains twelve 1G Ethernet interfaces that can be completely or partially aggregated into a single 10G Ethernet interface, producing line-rate 10G stateful application traffic.
Ixia Interface Card | Ports/Card | HTTP | IPTV | Voice
10/100/1G Ethernet (LSM1000XMV16) | 16 | 190,000 / 36,480,000 | 2,000 / 384,000 | 900 / 172,800
10G Ethernet (LSM10GXM3) | 3 | 60,000 / 2,1600,000 | 250 / 9,000
10/100/1G/10G Ethernet (AMS1000XMV12X) | 12-1G / 1-10G | 2,200,000 / 26,400,000 | 24,000 / 288,000 | 10,800 / 19,600
Table 3. IxLoad Emulation Capacities
True Subscriber Modeling
Although testing SUTs with large numbers of protocol sessions is useful, it is not a very accurate model of the real world. Specifically, it misses the effects of:
• Upload and download bandwidth restrictions
• Differing Internet usage by different communities
• Service provider levels of service
To closely model real-world device and network load, IxLoad uses a unique approach called subscriber modeling. Named groups of subscribers are associated with usage patterns and network restrictions, including:
• Application usage – which voice, video and data applications are used and in what proportions.
• Usage details – particular web sites visited, e-mail servers used, transfer sizes, protocol options, etc.
• Bandwidth limitations – upload/download bandwidth limitations imposed by the service provider.
For example, with IxLoad, sets of subscriber groups can be defined, as shown below.
[Diagram. Columns: Group, Time Usage Profile, Usage Distribution. Groups: Teen, GenY, Telecommuter, Corporation.]
Figure 5. Subscriber Modeling
IxLoad’s powerful and easy-to-use graphical interface provides an intuitive and straightforward method of connecting subscriber groups to voice, video, and data servers. A specific test is shown in Figure 5, in which three subscriber groups: “Home network”, “Gold Subscribers” and “Ultra Subscribers” are connected to servers on a “Data network” and “Video head end”.
The results of IxLoad test runs are complete and easily customizable. Results include:
• Raw capacity and performance
• Maximum number of sessions supported
• Maximum session establishment rate
• Quality of experience metrics, including latency, jitter, loss, along with specialized voice and video metrics
Ixia’s unique subscriber modeling provides a more accurate mechanism for layer 4-7 device and network testing than the simplistic methods used by competing products. Subscriber modeling provides a powerful and flexible means of measuring device/network performance so that you can compete, plan, and scale.
In the following sections, we’ll look at how IxLoad is used for specific voice, video, and data applications.
Voice Testing with IxLoad
VoIP has moved beyond being a transit network technology to being an integral part of home and enterprise telephony. However, transporting real-time data like voice over the same network used for all other data traffic presents challenges for service quality. Verifying VoIP performance under conditions of high data stress is important to ensure expected results.
IxLoad’s VoIP feature provides:
• High-level SIP, MGCP and RTP emulations
• Flexible SIP and RTP emulation allowing full state machine and message control
• Cisco SCCP protocol support
• A large complement of CODECs, including G.711, G.723, G.726, G.729A, G.729B and AMR in a number of bit rates
• Full call setup control
• MOS quality scoring
• Playback of recorded audio files for real-world repeatable results
• IP video phone support
With IxLoad you can quantify the effect on users’ quality of experience versus:
• Number of sessions
• Session setup rate
• Voice traffic volume
• Advanced call scenarios
IPTV Testing with IxLoad
IPTV usage is making steady inroads as telecom operators seek to compete with cable operators. IPTV traffic includes both broadcast and video on demand services. Using IP networks, broadcast IPTV is sent to all subscribers watching a particular channel. As subscribers change channels, they leave one group and join another. Broadcast IPTV requires substantial bandwidth – 2 Mbps for a standard-definition stream to 6 Mbps for a high-definition stream. Video viewing is very sensitive to loss and jitter; set-top boxes often provide buffering to aid in this regard. A key advantage of using multicast networks is that bandwidth use is optimized in the service provider’s network.
Video-on-demand services are quite different from broadcast IPTV. Separate streams are individually sent to each viewer. Immediate response to pause, rewind, and fast forward controls is also expected. Bandwidth requirements are also very high – unicast streams equate to a linear increase in bandwidth as more subscribers use video on demand services.
Video viewing is very sensitive to loss and jitter; set-top boxes often provide buffering to aid in this regard. Some of the key challenges in validating IPTV service include response times, channel change performance, and excellent picture quality.
The technologies used in IPTV deployments are shown in Figure 6.
Figure 6. Broadcast and Video-on-Demand Technologies
[Diagram. Network segments: Metro, Core, Metro. Services: Data, Video, Voice; Video (Broadband TV, Video-on-Demand). Legend: Video-on-Demand Media Stream – UDP/RTP; Multicast Broadcast – UDP; Request to Join Broadcast – IGMP.]
Broadcast IPTV uses the IGMP protocol to enroll subscribers in the multicast groups that correspond to the channels that they are watching. Video channel contents are sent as UDP multicast streams from the service provider’s head-end to all enrolled subscribers. Channel change occurs when the consumer’s set-top box uses IGMP to switch multicast group enrollment and then waits for new video to arrive. VoD handling utilizes RTSP to request programs and RTP over UDP to deliver content. All traffic is unicast.
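The channel-change exchange described above, written out as IGMP messages in an added example (not Ixia or IxLoad code). It assumes IGMPv2 as defined in RFC 2236, which the brochure does not specify; the group addresses are constructed sample values and the function names are illustrative.

```python
import socket
import struct

# IGMPv2 message types (RFC 2236). Assumption: the set-top box speaks IGMPv2.
IGMP_V2_REPORT = 0x16   # Version 2 Membership Report ("join")
IGMP_V2_LEAVE = 0x17    # Leave Group
ALL_ROUTERS = "224.0.0.2"   # IP destination used for Leave Group messages
TYPE_NAMES = {IGMP_V2_REPORT: "report", IGMP_V2_LEAVE: "leave"}


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type: int, group: str) -> bytes:
    """Build an 8-byte IGMPv2 message: type, max resp time, checksum, group."""
    addr = socket.inet_aton(group)
    if not 224 <= addr[0] <= 239:
        raise ValueError("%s is not an IPv4 multicast address" % group)
    unsummed = struct.pack("!BBH4s", msg_type, 0, 0, addr)
    return struct.pack("!BBH4s", msg_type, 0, inet_checksum(unsummed), addr)


def parse_igmp(msg: bytes):
    """Validate length and checksum, then return (type name, group address)."""
    if len(msg) != 8:
        raise ValueError("IGMPv2 messages are exactly 8 bytes")
    if inet_checksum(msg) != 0:             # a valid message sums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, _resp, _csum, addr = struct.unpack("!BBH4s", msg)
    if msg_type not in TYPE_NAMES:
        raise ValueError("unexpected IGMP type 0x%02x" % msg_type)
    return TYPE_NAMES[msg_type], socket.inet_ntoa(addr)


def channel_change(old_group: str, new_group: str):
    """Messages a set-top box emits when switching channels.

    Returns [(ip_destination, igmp_bytes), ...]: leave the old channel's
    group, then report membership in the new one. The report is addressed
    to the group being joined; the leave goes to the all-routers group.
    """
    return [
        (ALL_ROUTERS, build_igmp(IGMP_V2_LEAVE, old_group)),
        (new_group, build_igmp(IGMP_V2_REPORT, new_group)),
    ]


if __name__ == "__main__":
    # Constructed sample: channel on 239.1.1.1 -> channel on 239.1.1.2
    for dst, msg in channel_change("239.1.1.1", "239.1.1.2"):
        kind, group = parse_igmp(msg)
        print("to %-10s %-6s group=%s bytes=%s" % (dst, kind, group, msg.hex()))
```

Channel-change time, as measured in a test, is the interval between sending the membership report and receiving the first video packet of the new group.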
Because of the nature and complexity of IPTV handling, four distinct network subsystems need to be tested individually and in combination:
• Super video head-end (SVHE) – takes the video content from multiple sources and processes it for delivery to the IP network.
• Video transport network – includes national and regional networks that serve to connect the SVHE to access/broadband networks.
• Access/broadband network – consists of distributed multipurpose devices that provide access control, multicast handling and last-mile termination.
• Infrastructure components – provide addressing, name resolution, authentication and customer premise equipment (CPE) management functions.
IxLoad provides all of the emulations required to test each of these functions individually and in combination. These include:
• Emulation of IGMP and MLD (for IPv6) for broadcast IPTV
• Emulation of RTSP and RTP for video on demand
• Advanced QoE measurements using MDI and TVQM
• MPEG-2 and MPEG-4 compression algorithms
• Support for simple program and multiprogram transport streams
• A wide range of supported CODECs
• Video capture and playback for real-world repeatable results
• Multiple channel change profiles to simulate rapid channel change (channel zapping) and direct channel change
With IxLoad’s IPTV testing features, you can:
• Benchmark video head-end performance while delivering any mix of broadcast and VoD channels
• Measure QoE under a wide variety of usage scenarios
• Measure channel change performance
• Ensure proper capacity when adding video to a provider’s network
Testing Peer-to-Peer with IxLoad
Since the inception of peer-to-peer applications in the late 1990s, P2P applications have multiplied and evolved to represent a formidable component of Internet traffic. Service providers estimate that P2P traffic will constitute 60% of network traffic over the next two years. Furthermore, there is a strong possibility that increased IP video content will drive this percentage higher.
Some of the more popular P2P applications in use today include BitTorrent, Gnutella, Fasttrack, eDonkey, Livewire, KaZaA and WinMx. All types of data are transported within P2P connections: data files, programs, pictures, and voice and video streams.
P2P protocols are particularly problematic due to the mix of delay-sensitive and delay-insensitive traffic that they carry. With all types of data carried over the same session, it’s not always easy to identify sensitive voice and video data. The bandwidth-hungry nature of P2P usage makes it critical, however, that traffic types are identified for proper prioritization.
IxLoad’s P2P testing features:
• Support for BitTorrent, eDonkey and Gnutella, with more protocols to come soon
• An extensive library of predefined P2P flows
• Detailed measurement statistics and real-time graphs
• Very high scale
With IxLoad’s P2P testing features, you can:
• Test QoS enforcement with P2P and multiplay traffic
• Benchmark deep packet inspection performance
• Verify DPI classification mechanism accuracy
Data and Infrastructure Testing with IxLoad
Despite the excitement over new voice and video applications, web-based and other data traffic still consumes most of the Internet’s capacity. Included in this category are a number of protocols:
• Web – HTTP, HTTPS
• E-mail – SMTP, POP3, IMAP
• File transfer – FTP
• Business-specific protocols – protocols used within business applications, often proprietary
There are also a number of essential infrastructure protocols that support the Internet and local networks. These include:
• Name resolution – DNS
• Management – Telnet
• Authentication – RADIUS, 802.1x, EAP, NAC
• Directory services – LDAP
• Address management – DHCP
• File sharing – CIFS
• Security – SSL, SSH, IPSec
Depending on the intended placement of the SUT – within a LAN, inside a provider’s network or available on the Internet – a protocol’s usage pattern will vary. IxLoad’s subscriber modeling is ideally suited to model home and office users, occasional and heavy users, and naïve and sophisticated users.
IxLoad covers testing of the full range of protocols listed above, with:
• Client and server emulation
• Proxy server support
• Think times and transaction aborts for user realism
• Retrieved page/file/file size specification
• Compatibility with all major web and FTP servers
• SSL and TLS support within HTTPS
• Generation of unique user IDs and passwords
• Use of prepared data for all tests
• Configurable TOS and DHCP bits
• Distributed denial of service (DDoS) and vulnerability security attacks
Testing Application-Aware Devices with IxLoad
Prioritization of multiplay traffic requires that traffic forwarding devices perform deep packet inspection (DPI) so as to correctly identify traffic streams, as shown in Figure 7. DPI also allows proper application of security mechanisms. The requirement to prioritize voice, video, and data traffic while applying security precautions is a substantial task for application-aware devices, as shown in Figure 8.
The requirements for testing application-aware devices are as complex as, if not more complex than, those associated with traffic forwarding itself. Since the DPI that these devices perform recognizes complete sessions and keys off protocol interchange messages, they need to be tested with stateful application traffic that follows protocol rules.
Devices need to be exercised at their limits and beyond to ensure that they will function at optimum levels and properly apply quality of service and admission policies. This type of testing involves the use of a wide range of multiplay traffic.
Figure 7. Deep Packet Inspection
[Diagram. Header layers: L2 Ethernet; L3 Internet Protocol (IP); L4 Transport Layer (TCP/UDP). Application layer (L7): Email (SMTP, POP3, IMAP); Web (HTTP/S); File Xfer (FTP, Gopher); Instant Messaging; Peer-to-Peer Applications; Directory Services.]
Figure 8. Application Aware Operation
[Diagram. Data, Voice, and IPTV & Video traffic pass through an Application-aware Device performing Packet Classification & Prioritized Queuing, connected to a Signature Database and a QoS Policy Server. Signature types: application signatures, virus signatures, hacker intrusion signatures, spam signatures.]
Testing Security with IxLoad
Most security devices are deployed at the edge of the network to filter legitimate traffic, and can be deployed in the core of the network to further supplement and protect the capability of the network and the application running over the network to deliver required services to the end user.
Firewalls and other security devices have become increasingly complex, evolving from simplistic filtering to application-aware processing of a wide range of Internet protocols. Security devices have become a platform for next-generation application-aware inspection capabilities:
• Web security – intelligent HTTP/URL and content inspection to defend against buffer overflow attacks, viruses, spyware, phishing attacks, and to validate protocol compliance by ensuring properly formed packets. Secure web connections are supported through HTTPS, which utilizes the SSL and TLS protocols
• IPSec VPNs – secure, encrypted, and authenticated traffic between security gateways
• E-mail security – protection from spam, viruses, and phishing attacks that can overwhelm networks with wasteful traffic
• Network security – application-aware content inspection, access control enforcement with IPSec, 802.1x, RADIUS, intrusion prevention capabilities and DDoS attack mitigation
• Next-generation – support for IPv6, quality-of-service, voice and video streaming
As the industry moves further towards unified network security, network edge devices are providing better security services. One of the fastest growing security services running on these devices is virus and spam protection for e-mail messages delivered over industry-standard protocols, including SMTP and POP3. Indeed, the growth of such protection is directly related to the rapid rise of virus and spam e-mails, estimated to comprise 60-80% of all e-mails.
One of the drawbacks to offering several stateful, application-aware services in a single device is the potential for degradation of the device’s performance characteristics. To fully characterize the performance of such devices, real-world conditions must be closely matched by incrementally enabling application-aware inspection engines.
IxLoad provides facilities for checking security devices’ resistance to attacks:
• Distributed denial of service – extreme load can be placed on the SUT using multiple Ixia interfaces. This type of testing is used to ensure that the SUT resists DDoS attacks and continues to pass legal traffic
• Vulnerability attacks – a very wide range of attacks, based on the well-known Nessus® library, can be used to determine SUT vulnerabilities
• Security protocols – secure web and IPSec encapsulated traffic is used to characterize SUT performance while performing encryption operations
IxLoad – All-in-One Solution
Ixia’s IxLoad is the industry-leading product for layer 4 through 7 performance testing of all types of devices and networks. With IxLoad, developers, equipment manufacturers, service providers, and enterprises can:
• Get to market faster – with efficient and flexible testing. Product development is accelerated through IxLoad’s powerful and intuitive GUI. Its flexible interactive and automation programming allows complete testing at all development and deployment stages.
• Minimize test equipment CAPEX – with an all-in-one solution. All types of testing can be performed with IxLoad and Ixia’s other test applications. One hardware/software solution tests your devices and networks from development, through staging, through fielding, to network support.
• Minimize network OPEX – with early and frequent testing. Testing at the development, staging, and provisioning levels ensures that devices and networks operate correctly and with sufficient capacity. IxLoad’s flexibility and speed allow this to be done frequently – initially and then for each and every product update, upgrade and expansion.
• Minimize network CAPEX – with real-world characterization. IxLoad’s ability to accurately model the run-time environment of networks enables accurate tuning and capacity measurements. This, in turn, allows networks to be provisioned without unnecessary overcapacity.
These advantages are enabled by IxLoad’s best-in-class features:
• A highly scalable, integrated test solution
• Real-world subscriber-based modeling – with emulation of multiplay clients and servers
• Highest traffic rate – the only solution with 10 Gbps, line-rate traffic
• All-in-one test solution – covering all device testing needs, with triple-play, infrastructure, security, and router components
• Widest protocol coverage – with the full range of voice, video, data, security, and infrastructure protocols
• Ease of use – IxLoad’s sophisticated GUI is the ultimate in productivity, quickly moving from small-scale setup to large-scale testing.
The Ixia test platform provides an all-in-one system for all of your IP testing needs, from conformance tests, to layer 2-3 routing and switching, to layer 4-7 application service testing.
Ixia applications also offer the fastest path to automation, generating automation scripts with the push of a button – that may be coordinated by the Test Conductor™ regression tool to create and run complete regression suites. Ixia platforms have forward and backward compatibility, guaranteeing the long-term benefits of your investment.
For more information on IxLoad and other Ixia platform and test applications, visit us at http://www.ixiacom.com or call one of the sales offices listed on the back of this brochure.
Ixia Worldwide Headquarters
26601 Agoura Rd. Calabasas, CA 91302
(Toll Free North America) 1.877.367.4942
(Outside North America) +1.818.871.1800
(Fax) 818.871.1805 www.ixiacom.com