
Generating synthetic VoIP traffic for analyzing redundant OpenBSD-Firewalls



Abstract

Voice over IP, short VoIP, is among the fastest growing broadband technologies in the private and commercial sector. Compared to the Plain Old Telephone System (POTS), Internet telephony has reduced availability, measured in uptime guarantees per a given time period. This thesis makes a contribution towards proper quantitative statements about network availability when using two redundant, state synchronized computers, acting as firewalls between the Internet (WAN) and the local area network (LAN).

First, methods for generating adequate VoIP traffic volumes for loading a Gigabit Ethernet link are examined, with the goal of using a minimal set of hardware, namely one regular desktop computer. pktgen, the Linux kernel UDP packet generator, was chosen for generating synthetic/artificial traffic, reflecting the common VoIP packet characteristics packet size, changing sender and receiver address, as well as typical UDP-port usage. pktgen's three main parameters influencing the generation rate are fixed inter-packet delay, packet size and total packet count. It was sought to relate these to more user-friendly values of amount of simultaneous calls, voice codec employed and call duration. The proposed method fails to model VoIP traffic accurately, mostly due to the currently unstable nature of pktgen. However, it is suited for generating enough packets for testing the firewalls.

Second, the traffic forwarding limit and failover behavior of the redundant, state-synchronized firewalls was examined. The firewalls were running OpenBSD 3.8 and used the Common Address Redundancy Protocol (CARP) and the packet filter state synchronization protocol (pfsync) for achieving redundancy, with one acting as master, and the other as backup. Empirical measurements show that the upper limit for unidirectional traffic is at about 125,000 packets per second, independent of packet sizes typical for VoIP media packets (less than 220 bytes). This is far below the traffic capacity of Gigabit Ethernet, and is caused by a "receive livelock": full system load due to non-optimized interrupt handling. The obtained measurements allow for questioning the suitability of a default OpenBSD installation for firewalls in high packet rate networks.

The network connectivity glitch in failover situations was measured at: when turning CARP off administratively while processing circa 80,000 packets per second, the maximum glitch was in the magnitude of 300 milliseconds. When power-cycling the master firewall, maximum connectivity interruptions of circa 3,000 milliseconds occurred. In all cases, series with much lower values were measured, but may not be representative.

Bibliographic record

  • Author

    Woernhard Maurice David;

  • Author affiliation
  • Year 2006
  • Total pages
  • Original format PDF
  • Text language eng
  • CLC classification
