[VOIPSEC] IPSec and VoIP Security

Tschofenig, Hannes hannes.tschofenig at siemens.com
Wed Apr 5 08:36:39 CDT 2006


Hi, 

> Hi ALL,
> 
> If IPSec must be used in IPv6 networks, to deploy this 
> solution now for VoIP
> security is not to avoid problems in the near future?

There is a difference between MUST implement and MUST use. 
There is no MUST use requirement from IPv6 point of view. 

There is also a difference between IPsec protection of a wireless link or the usage of IPsec for a VPN and IPsec usage for end-to-end media traffic security. 

Ciao
Hannes

> In an ongoing research that I am doing here we are using 
> IPSec in Bluetooth
> communications for VoIP and the results seem good, despite 
> we are having
> some problems with our ARM-based platforms. Is the solution  
> an optimized
> version of IPSec? Like encryption-engine packet priority for 
> VoIP? So on....
> 
> Best regards
> 
> Passito
> 
> 2006/4/5, Jon-Olov Vatn <vatn at kth.se>:
> >
> > Hi,
> >
> > You can find call setup measurements for the use of MIKEY/SRTP and
> > MIKEY/IPSec-ESP (with MIKEY signed Diffie-Hellman for keying)
> > in Bilien et al. "Secure VoIP: call establishment and media protection",
> > see
> > http://www.minisip.org/publications.html for an online version.
> >
> > These measurements were done with minisip running on
> > 500 MHz Pentium 3 laptops with a Linux 2.6 kernel.
> > With the way "key generation time" is defined in this paper, that took
> > about 130 ms, both for SRTP and IPSec-ESP. However, for IPSec-ESP
> > we found a delay of around 660 ms to update the SA and policy DB,
> > a delay which we at that time were not able to give a good explanation
> > for. (It should not relate to any cryptographic processing, rather it
> > ought to depend on the interaction between (or internals of) minisip and the
> > Linux IPSec support we were using.)
> >
> > BW J-O
> >
> > Randell Jesup wrote:
> >
> > >"Porter, Thomas (Tom)" <tporter at avaya.com> writes:
> > >
> > >
> > >>As a starting point here are some numbers for encryption speeds:
> > >>
> > >>An AES encryption, without hardware acceleration, takes about 50
> > >>microseconds, for instance. But the key generation and exchange process
> > >>can last up to 500ms, which is unacceptable for a real-time VoIP
> > >>application.
> > >>
> > >>
> > >
> > >50us and 500ms - on what?  3.0GHz P4?  400MHz PIII?  12MHz 80286?  150MHz
> > >ARM?  600MHz DSP?  PDA?  To talk encryption performance, you have to
> > >specify what your target hardware (minimum!) is.  50us on a 3GHz PC might
> > >be 1ms or more on a low-end hardphone - or it might be less than 50us.
> > >
> > >
> > >
> > >>Overall, establishing a security association with IPSec
> > >>requires anywhere from 2 to 10 seconds. TLS achieves better performance,
> > >>but it still needs approximately 1.5 seconds to form a security
> > >>association. IIRC, these figures are from TI.
> > >>
> > >>
> > >
> > >For what processor?  Mikey in various non-preshared-key/non-PKI modes would
> > >probably be similar (I think) to TLS (anyone know?)
> > >
> > >I agree security startup to avoid excessive delays in accepting calls
> > >is a BIG issue with various public-key-based algorithms.
> > >
> > >
> > >
> >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
> 
> 
> 
> --
> Alexandre Passito - M.Sc. Student
> Federal University of Amazonas (UFAM)
> Computer Science Department (DCC)
> --
> E-mail: passito at dcc.ufam.edu.br
> Web: www.dcc.ufam.edu.br/~passito
> Manaus - AM - Brasil
> 



