In this section, we describe the related basic concepts of mVoIP, voice over long-term evolution (VoLTE), security aspects, and service quality in VoIP, Docker lightweight virtualization with CI/CD to implement a secure mobile VoIP, 5G, and Cisco Application Centric Infrastructure (ACI).
mVoIP, PBX SW Asterisk, and VoLTE
VoIP [4] is a methodology that combines technologies to deliver voice communication and multimedia sessions over the Internet (Internet protocol (IP) networks). VoIP systems employ signaling protocols and session controls to handle the signaling, setup, and teardown of calls (Fig. 1). They transport an audio stream over IP networks using special media delivery protocols that encode voice, audio, and video with specific audio and video codecs as digitally streamable media. Various codecs exist to optimize the media streaming for the application requirements and the available network bandwidth; some implementations rely on narrowband, compressed speech, while others support high-fidelity stereo codecs. VoIP is available on smartphones, PCs, and other Internet-enabled devices. However, given the current political and social situation, eavesdropping incidents are on the rise. In particular, the US NSA has been suspected of tapping the German Chancellor’s phone for more than 10 years, and it has recently been confirmed that Chinese leaders have also been targets of eavesdropping. To support secure voice communication using VoIP, we examine ways of guaranteeing the quality of service (QoS) of VoIP and survey the security issues associated with VoIP. A minimum response strategy and network tuning of specific parameters (e.g., packet loss, packet delay in transmission, jitter, and others) are required to guarantee the QoS of voice communication over an IP network.

mVoIP is an extension of VoIP with mobility support [5]. Two types of communication are generally supported: (i) short-range or campus communication using cordless/digital enhanced cordless telecommunications (DECT)/physical coding sublayer (PCS) protocols, where all base stations are linked into the same local area network (LAN), and (ii) wide-area communication using 3G/4G/5G protocols.
Several methodologies allow a mobile handset to be integrated into a VoIP network. One implementation turns the mobile device into a standard session initiation protocol (SIP) client, which uses a data network to send and receive SIP messaging and the real-time transport protocol (RTP) for the voice traffic. This methodology requires minimal support from the mobile handset but depends on high-speed IP connectivity. The standard VoIP protocols (typically SIP) can be used over any broadband, IP-capable wireless network connection. Lastly, Asterisk [6] is a software implementation of a telephone PBX; it allows attached telephones to call one another and to connect to other telephone services, such as the public switched telephone network (PSTN) and VoIP services. Its name is inspired by the asterisk symbol “*.”
VoLTE is a voice service built on the IP Multimedia Subsystem (IMS) network, with specific profiles for the control plane and media plane of a voice service on LTE as defined by the GSMA in PRD IR.92 [7]. The result of this approach is that the voice service (control and media planes) is delivered as a flow of data within the LTE data bearer. This means there is no dependency on (or, ultimately, requirement for) maintaining the legacy circuit-switched voice network. VoLTE has a greater capacity for voice and data, up to a factor of 3 compared with the 3G universal mobile telecommunications system (UMTS) and up to a factor of 6 compared with the 2G global system for mobile communications (GSM). Furthermore, it saves bandwidth because VoLTE’s packet headers are smaller than those in unoptimized VoIP over LTE [8].
Security issues and service quality of VoIP
Ruck [9] and the National Institute of Standards and Technology (NIST) [10] published documents on the security and QoS of VoIP. They identified the following 10 VoIP security issues.
- Issue 1: VoIP traffic might be Internet bound.
- Issue 2: Gateway security options for VoIP are limited.
- Issue 3: Patching problems.
- Issue 4: VoIP security is only as reliable as the underlying network security.
- Issue 5: Many call-processing systems run on common operating systems (OSs), and they have their own security issues to worry about.
- Issue 6: DoS takes down telephony.
- Issue 7: Eavesdropping on calls using VOMIT or SipTap.
- Issue 8: Spam over IP telephony (SPIT).
- Issue 9: More ports open means more ports to secure.
- Issue 10: Wireless phones require advanced wireless security.
NIST also identified seven QoS issues in VoIP: latency, jitter, packet loss, bandwidth and effective bandwidth, throughput speed, power failure and backup systems, and QoS implementations for security.
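As an added example (not from the paper), the following Python computes two of the QoS parameters listed above, interarrival jitter as defined in RFC 3550 and packet loss from sequence-number gaps, over a constructed RTP packet trace; the 8 kHz G.711 clock and the trace itself are assumptions made for the example.

```python
# Added example (not from the paper): RFC 3550 interarrival jitter and packet-loss
# estimation for one RTP stream, computed over a constructed packet trace.
from dataclasses import dataclass

CLOCK_HZ = 8000                  # G.711 narrowband RTP clock (assumed here)
TICKS_PER_MS = CLOCK_HZ // 1000  # 8 ticks per millisecond


@dataclass
class RtpPacket:
    seq: int         # RTP sequence number (16-bit wraparound ignored here)
    timestamp: int   # RTP media timestamp, in clock ticks
    arrival_ms: int  # receiver arrival time, in milliseconds


def rtp_qos(packets):
    """Return interarrival jitter (ms), loss fraction and largest gap (ms)."""
    jitter_ticks = 0.0
    max_gap_ms = 0
    prev = None
    seen = set()
    first_seq = highest_seq = None
    for p in packets:
        if first_seq is None:
            first_seq = highest_seq = p.seq
        highest_seq = max(highest_seq, p.seq)
        seen.add(p.seq)
        if prev is not None:
            # D(i,j) = (R_j - R_i) - (S_j - S_i), arrival converted to ticks
            d = ((p.arrival_ms - prev.arrival_ms) * TICKS_PER_MS
                 - (p.timestamp - prev.timestamp))
            jitter_ticks += (abs(d) - jitter_ticks) / 16.0  # RFC 3550 smoothing
            max_gap_ms = max(max_gap_ms, p.arrival_ms - prev.arrival_ms)
        prev = p
    expected = highest_seq - first_seq + 1   # packets the sender must have sent
    return {"jitter_ms": jitter_ticks / TICKS_PER_MS,
            "loss_fraction": (expected - len(seen)) / expected,
            "max_gap_ms": max_gap_ms}


# Constructed trace: 20 ms G.711 frames (160 ticks apart), seq 104 lost in
# transit, seq 106 and 107 arrive late and early respectively.
SAMPLE_TRACE = [RtpPacket(100 + i, 160 * i, ms) for i, ms in
                [(0, 0), (1, 20), (2, 40), (3, 60), (5, 100), (6, 125),
                 (7, 140), (8, 160), (9, 180)]]

if __name__ == "__main__":
    print(rtp_qos(SAMPLE_TRACE))
```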
With regard to VoIP security, in this study we focus on eavesdropping (issue 7) and DoS attacks (issue 6). Eavesdropping is secretly listening to the private conversations of others without their consent. A DoS attack is an attempt to make a machine or network resource unavailable to its intended users, for example by temporarily or indefinitely interrupting or suspending the services of a host connected to the Internet.
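As an added example (not from the paper), the following Python is a simple rate-based detector for the DoS case (issue 6): it flags a source that sends more than a threshold of SIP INVITE/REGISTER requests within a sliding time window. The log format, thresholds and IP addresses are constructed for the example and are not Asterisk's own log format.

```python
# Added example (not from the paper): rate-based detection of SIP call-setup
# floods (a DoS against the PBX) over a constructed signalling log.
import re
from collections import defaultdict, deque
# Constructed log format: "<epoch seconds> <source ip> <SIP method> <request-URI>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<uri>sip:\S+)$")


def parse_line(line):
    """Return (ts, src, method), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("src"), m.group("method")


def detect_floods(lines, window_s=1.0, max_requests=20,
                  methods=("INVITE", "REGISTER")):
    """Alert (src, ts, count) the first time a source exceeds max_requests
    call-setup requests inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)   # src -> arrival times of its recent requests
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed record: skip, do not crash
        ts, src, method = parsed
        if method not in methods:
            continue              # ACK, BYE, OPTIONS ... are not call setup
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()           # expire requests outside the window
        if len(q) > max_requests and src not in flagged:
            flagged.add(src)
            alerts.append((src, ts, len(q)))
    return alerts


# Constructed sample: a legitimate phone, a malformed record, and a burst of
# 30 INVITEs in 0.6 s from one source (RFC 5737 documentation addresses).
SAMPLE_LOG = (
    ["1.00 192.0.2.10 INVITE sip:bob@pbx.example",
     "this line is not a SIP request record",
     "4.00 192.0.2.10 BYE sip:bob@pbx.example"]
    + [f"{5.0 + 0.02 * i:.2f} 203.0.113.7 INVITE sip:1{i:03d}@pbx.example"
       for i in range(30)]
    + ["8.00 192.0.2.10 INVITE sip:carol@pbx.example"])
```

Running `detect_floods(SAMPLE_LOG)` yields a single alert for 203.0.113.7 at the 21st request of its burst, while the legitimate phone is never flagged.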
Docker lightweight virtualization technology and CI/CD
Docker [11] is an open-source project that automates the integration and deployment of applications inside software containers by providing an additional layer of abstraction and automation over OS-level virtualization on Linux. To avoid the overhead of starting and maintaining virtual machines, Docker uses the resource isolation features of the Linux kernel, such as cgroups and kernel namespaces, together with a union-capable file system such as aufs, to allow independent “containers” to run within a single Linux instance. Kernel namespaces isolate an application’s view of the operating environment (e.g., user IDs, process trees, network, and mounted file systems), while cgroups provide resource limiting (e.g., CPU, memory, block I/O, and network). Recently, there has been a trend to replace the hypervisor [12] with Docker for virtualization. Figure 2 illustrates the differences between a hypervisor and Docker.
CI means that whenever a developer checks code into the source repository, a build is triggered automatically, as shown in Fig. 3. If the build and the automated unit tests succeed, CD takes this one step further by automatically deploying the application to an environment for more in-depth testing.
Figure 4 presents the registration, payment, key distribution, and deployment steps of the secure mVoIP service. User A registers their information and makes a payment (see Fig. 4 (1)). The key distribution system sends the public key of user A to the storage server and the private key to user A (see Fig. 4 (2) and (3), respectively). Note that a secure shell (SSH) session based on public key cryptography is used in the registration step. Figure 4 also presents the deployment of the PBX using Docker virtualization. User A accesses the storage server using the private key and downloads the Docker-based PBX container as SaaS (see Fig. 4 (4) and (5)). User A then sets up the downloaded PBX container (see Fig. 4 (6)) and finally sends the mVoIP app to user B (see Fig. 4 (7)) to enable secure voice communication.
5G wireless systems and Cisco ACI
5G technology [13, 14] will provide further services and added benefits compared with 4G. It will provide very high bandwidth that users have not experienced previously. It also has many advanced features that make it a powerful tool for wireless communication. By bringing 5G to VoIP-enabled devices, users will experience data transmission rates and call volumes never seen before. Moreover, 5G technology will offer high QoS in many fields, such as product engineering, the Internet of Things (IoT), the Internet of Everything (IoE), All to One (AtO), the Industrial IoT (I2oT), and electronic transactions (e-payments, e-tickets, and e-transactions).
IT departments and the associated businesses are looking for cloud automation tools and software-defined networking (SDN) [15] architectures to:
Cisco Application Centric Infrastructure (ACI) [16] is a comprehensive SDN-based architecture. The policy-based automation solution of Cisco ACI supports a business-relevant application policy language and provides greater scalability through a distributed enforcement system and greater network visibility. These benefits are realized through the integration of physical and virtual environments under one policy model for networks, servers, storage, services, and security.