Modeling and performance evaluation of transport protocols for firewall control

Firewalls are a crucial building block for securing IP networks. The usage of out-ofband signaling protocols such as SIP for IP telephony and multimedia applications requires a dynamic control of these firewalls and imposes several challenges. Recently, several firewall control architectures and protocols have been developed. The main focus of this paper is the Simple Middlebox Configuration Protocol (SIMCO), which is a new transactionbased firewall control protocol. Due to the impact on call setup delays, firewall signaling requires small end-to-end delays and thus mandates a careful choice of the transport protocol. Therefore, this paper studies SCTP, TCP and UDP-based transport for SIMCO and compares different configurations that allow to optimize the performance. We present an analytical model to quantify the impact of head-of-line blocking in SCTP and TCP and verify it with measurements. Both the model and measurements reveal that SCTP can significantly reduce the SIMCO response times by leveraging transmission over multiple parallel streams. While already a few SCTP streams can almost completely avoid headof-line blocking, our results show that TCPand UDP-based transport may suffer from significantly larger delays.