[VOIPSEC] IPSec and VoIP Security
Alexandre Passito
alexandre.passito at gmail.com
Wed Apr 5 08:23:34 CDT 2006
Hi ALL,
If IPSec must be used in IPv6 networks, to deploy this solution now for VoIP
security is not to avoid problems in the near future?
In an ongoing research that I am doing here we are using IPSec in Bluetooth
communications for VoIP and the results seens good, despite we are having
some problems with our ARM-based platforms. Is the solution an optimized
version of IPSec? Like encryption-engine packet priority for VoIP? So on....
Best regards
Passito
2006/4/5, Jon-Olov Vatn <vatn at kth.se>:
>
> Hi,
>
> You can find call setup measurements for the use of MIKEY/SRTP and
> MIKEY/IPSec-ESP (with MIKEY signed Diffie-Hellman for keying)
> in Bilien et al. "Secure VoIP: call establishment and media protection",
> see
> http://www.minisip.org/publications.html for an online version.
>
> These measurements were done with minisip running on
> 500 MHz Pentium 3 laptops with a Linux 2.6 kernel.
> With the way "key generation time" is defined in this paper, that took
> about 130 ms, both for SRTP and IPSec-ESP. However, for IPSec-ESP
> we found a delay of around 660 ms to update the SA and policy DB,
> a delay which we at that time were not able give a good explanation
> for. (It should not relate to any cryptographic processing, rather it
> ougth
> to depend on the interaction between (or internals of) minisip and the
> Linux IPSec support we were using.)
>
> BW J-O
>
> Randell Jesup wrote:
>
> >"Porter, Thomas \(Tom\)" <tporter at avaya.com> writes:
> >
> >
> >>As a starting point here are some numbers for encryption speeds:
> >>
> >>An AES encryption, without hardware acceleration, takes about 50
> >>microseconds, for instance. But the key generation and exchange process
> >>can last up to 500ms, which is unacceptable for a real-time VoIP
> >>application.
> >>
> >>
> >
> >50us and 500ms - on what? 3.0GHz P4? 400MHz PIII? 12MHz 80286? 150MHz
> >ARM? 600MHz DSP? PDA? To talk encryption performance, you have to
> >specify what your target hardware (minimum!) is. 50us on a 3GHz PC might
> >be 1ms or more on a low-end hardphone - or it might be less than 50us.
> >
> >
> >
> >>Overall, establishing a security association with IPSec
> >>requires anywhere from 2 to 10 seconds. TLS achieves better performance,
> >>but it still needs approximately 1.5 seconds to form a security
> >>association. IIRC, these figures are from TI.
> >>
> >>
> >
> >For what processor? Mikey in various non-preshared-key/non-PKI modes
> would
> >probably be similar (I think) to TLS (anyone know?)
> >
> >I agree security startup to avoid excessive delays in accepting calls
> >is a BIG issue with various public-key-based algorithms.
> >
> >
> >
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
--
--
Alexandre Passito - Estudante de Mestrado
Universidade Federal do Amazonas (UFAM)
Departamento de Ciência da Computação (DCC)
--
Alexandre Passito - M.Sc. Student
Federal University of Amazonas (UFAM)
Computer Science Department (DCC)
--
E-mail: passito at dcc.ufam.edu.br
Web: www.dcc.ufam.edu.br/~passito
Manaus - AM - Brasil
More information about the Voipsec
mailing list