[VOIPSEC] IPSec and VoIP Security
Jon-Olov Vatn
vatn at kth.se
Wed Apr 5 02:53:41 CDT 2006
Hi,
You can find call setup measurements for the use of MIKEY/SRTP and
MIKEY/IPSec-ESP (with MIKEY signed Diffie-Hellman for keying)
in Bilien et al. "Secure VoIP: call establishment and media protection",
see
http://www.minisip.org/publications.html for an online version.
These measurements were done with minisip running on
500 MHz Pentium 3 laptops with a Linux 2.6 kernel.
With the way "key generation time" is defined in this paper, that took
about 130 ms, both for SRTP and IPSec-ESP. However, for IPSec-ESP
we found a delay of around 660 ms to update the SA and policy DB,
a delay which we at that time were not able to give a good explanation
for. (It should not relate to any cryptographic processing, rather it ought
to depend on the interaction between (or internals of) minisip and the
Linux IPSec support we were using.)
BW J-O
Randell Jesup wrote:
>"Porter, Thomas \(Tom\)" <tporter at avaya.com> writes:
>
>
>>As a starting point here are some numbers for encryption speeds:
>>
>>An AES encryption, without hardware acceleration, takes about 50
>>microseconds, for instance. But the key generation and exchange process
>>can last up to 500ms, which is unacceptable for a real-time VoIP
>>application.
>>
>>
>
>50us and 500ms - on what? 3.0GHz P4? 400MHz PIII? 12MHz 80286? 150MHz
>ARM? 600MHz DSP? PDA? To talk encryption performance, you have to
>specify what your target hardware (minimum!) is. 50us on a 3GHz PC might
>be 1ms or more on a low-end hardphone - or it might be less than 50us.
>
>
>
>>Overall, establishing a security association with IPSec
>>requires anywhere from 2 to 10 seconds. TLS achieves better performance,
>>but it still needs approximately 1.5 seconds to form a security
>>association. IIRC, these figures are from TI.
>>
>>
>
>For what processor? Mikey in various non-preshared-key/non-PKI modes would
>probably be similar (I think) to TLS (anyone know?)
>
>I agree security startup to avoid excessive delays in accepting calls
>is a BIG issue with various public-key-based algorithms.
>
>
>