[VOIPSEC] Softphones and VPN's

Rubino, Mark (Mark) mrubino at avaya.com
Wed Apr 5 09:20:51 CDT 2006


 
I have seen many IPSec Client/Softphone applications deployed with
pretty good success. A typical 'road warrior' scenario. Once encrypted
the VoIP stream RTP DSCP is no longer visible to the network equipment
but most deployments of this type involve communications via generic
internet access and QoS wouldn't be applied anyway. Once the traffic has
been de-encrypted back at the central site you can have the local
switch/router apply the proper vlan tag for local network traffic
isolation.  

Depending on access rates and other unknowns in the provider network
VoIP quality can range from acceptable to non-existent. You can provide
a reasonable expectation of security with IPSec but because of the QoS
issues (or lack of QoS) no guarantee of acceptable VoIP quality. 

Regards,
Mark R

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Voipsec-request at voipsa.org
Sent: Tuesday, April 04, 2006 8:23 PM
To: Voipsec at voipsa.org
Subject: Voipsec Digest, Vol 16, Issue 5


Today's Topics:

   1. IPSec and VoIP Security (Alexandre Passito)
   2. Re: softphones and VPNs (Michael Reilly)
   3. Re: IPSec and VoIP Security (Porter, Thomas (Tom))
   4. worldwide DB of Premium Nos (jayr111 at yahoo.com)
   5. Re: worldwide DB of Premium Nos (Tom Harney)
   6. Re: IPSec and VoIP Security (Gupta, Sachin)
   7. Re: IPSec and VoIP Security (Randell Jesup)
   8. Re: worldwide DB of Premium Nos (Randell Jesup)
   9. Re: IPSec and VoIP Security (Mark Baugher)


----------------------------------------------------------------------

Message: 1
Date: Tue, 4 Apr 2006 17:50:00 -0300
From: "Alexandre Passito" <alexandre.passito at gmail.com>
Subject: [VOIPSEC] IPSec and VoIP Security
To: Voipsec at voipsa.org
Message-ID:
	<6916dea20604041350y2ea3b592v8cb8ab7f0d32e32a at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi ALL,

I'd like to start a discussion about using IPSec for end-to-end security
in VoIP systems. I have read some papers about the subject and it seems
that IPSec is not completely suitable for this kind of task due to two
reasons: damage to some QoS metrics and the problem with management (key
sharing, user permissions, etc.). I'd like to hear some ideas about it,
future trends and if there are well-deployed solutions being tested.

Best regards,

Passito

--
Alexandre Passito - Estudante de Mestrado Universidade Federal do
Amazonas (UFAM) Departamento de Ciência da Computação (DCC)
--
Alexandre Passito - M.Sc. Student
Federal University of Amazonas (UFAM)
Computer Science Department (DCC)
--
E-mail: passito at dcc.ufam.edu.br
Web: www.dcc.ufam.edu.br/~passito
Manaus - AM - Brasil


------------------------------

Message: 2
Date: Tue, 04 Apr 2006 13:57:54 -0700
From: Michael Reilly <michaelr at cisco.com>
Subject: Re: [VOIPSEC] softphones and VPNs
To: "Graham, Doug" <dgraham at businessedge.com>
Cc: Voipsec at voipsa.org
Message-ID: <4432DDD2.8050807 at cisco.com>
Content-Type: text/plain; charset=ISO-8859-1

Cisco devices would be able to do this also.  In fact using some VPN
gateway devices (both Cisco and non-Cisco) you can switch traffic onto a
specified vlan based on any distinguishing characteristic - destination
address, source/destination port, type of service, etc.  So the trick is
to determine a characteristic which clearly distinguishes VoIP traffic
from other traffic coming from the laptop (after it is de-capsulated
from the VPN) and use that to switch the traffic.

michael

Graham, Doug wrote:
> I'm confident you could do this with a Juniper Netscreen. I think you 
> can define sub-interfaces or separate physical interfaces and assign 
> them to separate VLANS. Add the Netscreen Remote client to the PC and 
> then use routes and policies in the Netscreen to route, permit and 
> deny traffic on an interface by interface basis. I would probably 
> define a separate security zone for voice and data and build policies 
> on that basis.
> 
> I'm not as familiar with the Cisco product line, but I would be 
> surprise if you can't do it with that also.
> 
> Doug Graham
> CISSP, GSEC, JNCIS-FWV
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] 
> On Behalf Of Craig
> Sent: Tuesday, April 04, 2006 10:22 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] softphones and VPNs
> 
> 
> All, I'm hoping someone can help out with some configuration and/or
> solution suggestions.  I am on the design team of a VoIP project.  The
> solution we are designing has two separate VLANs, one for voice and
> one for data.  The only traffic allowed to travel between VLANs is
> DNS, DHCP, SNMP and NTP.  The customer is interested in using
> softphones remotely (business trips, for example) on laptops only.
> What we would like to do is make it as simple for the user as
> possible.  What we would like to do is set up a VPN solution where the
> customer establishes one VPN back to the corporate network to check
> email and make phone calls.
> The VPN server would be attached to both VLANs and distribute the
> traffic to the correct VLAN.
> 
> Does anyone know of a VPN server that will do this?  Another solution?
> 
> Thanks In Advance.
> 

--
---- ---- ----
Michael Reilly    michaelr at cisco.com
    Cisco Systems,  California
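One way to express the steering rule Michael describes, as an added example that is not from the list or from any vendor's product: a classifier that takes the decapsulated packet's addresses, ports and DSCP and picks the voice or data VLAN. The destination subnet is used as the deciding characteristic because, unlike a DSCP value or source port set by the laptop, it is not under the remote user's control; the subnets, port ranges and VLAN ids are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumed, not from the thread): the voice VLAN
# holds the call servers and phones, the data VLAN everything else.
VOICE_VLAN = 20
DATA_VLAN = 10
VOICE_SUBNET = ipaddress.ip_network("10.20.0.0/16")
SIP_PORTS = {5060, 5061}              # SIP over UDP/TCP and SIP over TLS
RTP_PORT_RANGE = range(16384, 32768)  # a common phone-system RTP range
DSCP_EF = 46                          # Expedited Forwarding, usual RTP mark


@dataclass(frozen=True)
class Packet:
    """Fields of a packet after the VPN gateway has decapsulated it."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int
    dscp: int


def select_vlan(pkt: Packet) -> int:
    """Return the VLAN id the gateway should switch the packet onto.

    Only the destination decides: a packet bound for the voice subnet on a
    signalling or media port is voice; everything else is data, even if
    the client marked it EF.  A client-controlled field (DSCP, source
    port) is never the sole reason to admit traffic to the voice VLAN.
    """
    dst = ipaddress.ip_address(pkt.dst)
    if dst not in VOICE_SUBNET:
        return DATA_VLAN
    if pkt.dport in SIP_PORTS:
        return VOICE_VLAN
    if pkt.proto == "udp" and pkt.dport in RTP_PORT_RANGE:
        return VOICE_VLAN
    # Voice subnet but neither SIP nor RTP: send it via the data VLAN so
    # the inter-VLAN filter (DNS/DHCP/SNMP/NTP only) still applies.
    return DATA_VLAN


if __name__ == "__main__":
    # Constructed sample: EF-marked packet to a data host stays on data.
    sample = Packet("172.16.5.9", "10.10.3.4", "udp", 20000, 24000, DSCP_EF)
    print("VLAN", select_vlan(sample))
```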



------------------------------

Message: 3
Date: Tue, 4 Apr 2006 17:06:48 -0400
From: "Porter, Thomas \(Tom\)" <tporter at avaya.com>
Subject: Re: [VOIPSEC] IPSec and VoIP Security
To: "Alexandre Passito" <alexandre.passito at gmail.com>,
	<Voipsec at voipsa.org>
Message-ID:
	<8CF6BADC9848C943850E44BA5A4B80E709AB9D4C at nj7460avexu1.global.avaya.com>
Content-Type: text/plain; charset="iso-8859-1"

As a starting point here are some numbers for encryption speeds: 

An AES encryption, without hardware acceleration, takes about 50
microseconds, for instance. But the key generation and exchange process
can last up to 500ms, which is unacceptable for a real-time VoIP
application. Overall, establishing a security association with IPSec
requires anywhere from 2 to 10 seconds. TLS achieves better performance,
but it still needs approximately 1.5 seconds to form a security
association. IIRC, these figures are from TI.

Best, Tom

Thomas Porter, PHD | Senior Security Architect - Business Communications
Consulting | Contact Center Practice | Consulting & Systems Integration
| Avaya Global Services | Office: 919-967-2909 | [Mobile - USA]
919-593-3130 | [Mobile - DE] +49-0163-5050427 | [SIP]
s00227694 at voicepulse.com | [IM] AvayaTPorter | Email: tporter at avaya.com


------------------------------

Message: 4
Date: Tue, 4 Apr 2006 14:14:50 -0700 (PDT)
From: <jayr111 at yahoo.com>
Subject: [VOIPSEC] worldwide DB of Premium Nos
To: Voipsec at voipsa.org
Message-ID: <20060404211450.72527.qmail at web51905.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

I am implementing VOIP; one of the control objectives is to
ensure that no premium number is dialled for sex chats
etc. Is there anyone who has a compiled list for major
countries in US, EU and the ROW?
Tks
JC




------------------------------

Message: 5
Date: Tue, 4 Apr 2006 17:28:22 -0400
From: "Tom Harney" <tom.harney at gmail.com>
Subject: Re: [VOIPSEC] worldwide DB of Premium Nos
To: "jayr111 at yahoo.com" <jayr111 at yahoo.com>
Cc: Voipsec at voipsa.org
Message-ID:
	<35b414360604041428l64899480s9bc3531bb358b469 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I may be mistaken, but shouldn't you be able to specify which prefixes
aren't allowed in the dialing plan?  For example, one exclusion would
be an area code of 900 if calling within the United States or Canada.

Are you referring to a list of prefixes?  region codes? etc?  Or are
you referring to a list of complete telephone numbers?  I think it
would be highly inefficient to store every number you wish to exclude.

Tom

On 4/4/06, jayr111 at yahoo.com <jayr111 at yahoo.com> wrote:
> I am implementing VOIP; one of the control objectives is to
> ensure that no premium number is dialled for sex chats
> etc. Is there anyone who has a compiled list for major
> countries in US, EU and the ROW?
> Tks
> JC
>



------------------------------

Message: 6
Date: Tue, 4 Apr 2006 16:31:07 -0500
From: "Gupta, Sachin" <s-gupta2 at ti.com>
Subject: Re: [VOIPSEC] IPSec and VoIP Security
To: "Porter, Thomas \(Tom\)" <tporter at avaya.com>, "Alexandre Passito"
	<alexandre.passito at gmail.com>, <Voipsec at voipsa.org>
Message-ID:
	<772F5D89C5E0734B8A86D85DFC6A202402EA77A4 at dlee03.ent.ti.com>
Content-Type: text/plain; charset="iso-8859-1"

For media encryption, IPSec, unlike SRTP, has much more header overhead.
NAT with IPSec adds more header overhead. This might not be acceptable,
particularly if you are using the low bit rate codecs.

Sachin

 

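To put Sachin's point in numbers, an added example that is not from the thread: per-packet sizes and stream bandwidth for a G.729 and a G.711 call under plain RTP, SRTP, and IPsec ESP tunnel mode with and without NAT traversal. It goes slightly beyond the message by covering both codecs; the cipher-suite sizes (ESP with AES-CBC and HMAC-SHA1-96, SRTP with AES-CTR and an 80-bit auth tag) and IPv4 are assumptions stated in the comments.

```python
# Header sizes in bytes.  IPv4 is assumed throughout.
IPV4_HDR = 20
UDP_HDR = 8
RTP_HDR = 12
# SRTP assumption: AES-CTR (no payload expansion) + 80-bit HMAC-SHA1 tag.
SRTP_AUTH_TAG = 10
# ESP assumption: AES-CBC (16-byte IV, padded to 16-byte blocks) +
# HMAC-SHA1-96 (12-byte ICV); 2-byte trailer = pad length + next header.
ESP_SPI_SEQ = 8
ESP_IV = 16
ESP_BLOCK = 16
ESP_TRAILER = 2
ESP_ICV = 12
NAT_T_UDP = 8            # UDP encapsulation of ESP for NAT traversal

# Codec payload per 20 ms packet, i.e. 50 packets per second.
CODEC_PAYLOAD = {"g711": 160, "g729": 20}
PACKETS_PER_SEC = 50


def rtp_packet_bytes(payload: int) -> int:
    return IPV4_HDR + UDP_HDR + RTP_HDR + payload


def srtp_packet_bytes(payload: int) -> int:
    """SRTP only appends the auth tag; the RTP header stays in the clear."""
    return rtp_packet_bytes(payload) + SRTP_AUTH_TAG


def esp_tunnel_packet_bytes(payload: int, nat_t: bool = True) -> int:
    """ESP tunnel mode: the whole inner IP/UDP/RTP packet is encrypted."""
    inner = rtp_packet_bytes(payload)
    padding = (-(inner + ESP_TRAILER)) % ESP_BLOCK   # align to cipher block
    encrypted = inner + padding + ESP_TRAILER
    outer = IPV4_HDR + (NAT_T_UDP if nat_t else 0)
    return outer + ESP_SPI_SEQ + ESP_IV + encrypted + ESP_ICV


def kbps(packet_bytes: int, pps: int = PACKETS_PER_SEC) -> float:
    return packet_bytes * 8 * pps / 1000


def overhead_table(codec: str) -> dict:
    """Bandwidth (kbps) for one codec stream under each protection scheme."""
    p = CODEC_PAYLOAD[codec]
    return {
        "rtp": kbps(rtp_packet_bytes(p)),
        "srtp": kbps(srtp_packet_bytes(p)),
        "esp_tunnel": kbps(esp_tunnel_packet_bytes(p, nat_t=False)),
        "esp_tunnel_nat_t": kbps(esp_tunnel_packet_bytes(p, nat_t=True)),
    }


if __name__ == "__main__":
    for codec in CODEC_PAYLOAD:
        print(codec, overhead_table(codec))
```

For G.729 the ESP-with-NAT-T packet is more than twice the plain RTP packet, which is the low-bit-rate case Sachin is warning about.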



------------------------------

Message: 7
Date: Tue, 04 Apr 2006 19:31:22 -0400
From: Randell Jesup <rjesup at wgate.com>
Subject: Re: [VOIPSEC] IPSec and VoIP Security
To: "Porter, Thomas \(Tom\)" <tporter at avaya.com>
Cc: Voipsec at voipsa.org
Message-ID: <ybuek0cncj9.fsf at jesup.eng.wgate.com>
Content-Type: text/plain; charset=us-ascii

"Porter, Thomas \(Tom\)" <tporter at avaya.com> writes:
>As a starting point here are some numbers for encryption speeds: 
>
>An AES encryption, without hardware acceleration, takes about 50
>microseconds, for instance. But the key generation and exchange process
>can last up to 500ms, which is unacceptable for a real-time VoIP
>application.

50us and 500ms - on what?  3.0GHz P4?  400MHz PIII?  12MHz 80286?
150MHz ARM?  600MHz DSP?  PDA?  To talk encryption performance, you have
to specify what your target hardware (minimum!) is.  50us on a 3GHz PC
might be 1ms or more on a low-end hardphone - or it might be less than
50us.

> Overall, establishing a security association with IPSec
>requires anywhere from 2 to 10 seconds. TLS achieves better
>performance, but it still needs approximately 1.5 seconds to form a
>security association. IIRC, these figures are from TI.

For what processor?  Mikey in various non-preshared-key/non-PKI modes
would probably be similar (I think) to TLS (anyone know?)

I agree security startup to avoid excessive delays in accepting calls
is a BIG issue with various public-key-based algorithms.

-- 
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
"The fetters imposed on liberty at home have ever been forged out of the
weapons provided for defence against real, pretended, or imaginary dangers
from abroad."
		- James Madison, 4th US president (1751-1836)




------------------------------

Message: 8
Date: Tue, 04 Apr 2006 19:34:00 -0400
From: Randell Jesup <rjesup at wgate.com>
Subject: Re: [VOIPSEC] worldwide DB of Premium Nos
To: "Tom Harney" <tom.harney at gmail.com>
Cc: Voipsec at voipsa.org
Message-ID: <ybu4q18ncev.fsf at jesup.eng.wgate.com>
Content-Type: text/plain; charset=us-ascii

"Tom Harney" <tom.harney at gmail.com> writes:
>On 4/4/06, jayr111 at yahoo.com <jayr111 at yahoo.com> wrote:
>> I am implementing VOIP; one of the control objectives is to
>> ensure that no premium number is dialled for sex chats
>> etc. Is there anyone who has a compiled list for major
>> countries in US, EU and the ROW?

>I may be mistaken, but shouldn't you be able to specify which prefixes
>aren't allowed in the dialing plan?  For example, one exclusion would
>be an area code of 900 if calling within the United States or Canada.
>
>Are you referring to a list of prefixes?  region codes? etc?  Or are
>you referring to a list of complete telephone numbers?  I think it
>would be highly inefficient to store every number you wish to exclude.

Not to mention effectively impossible to keep accurate, especially
across many countries.  This is an aspect of voice gateways generally,
not SIP endpoints.

-- 
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
"The fetters imposed on liberty at home have ever been forged out of the
weapons provided for defence against real, pretended, or imaginary dangers
from abroad."
		- James Madison, 4th US president (1751-1836)
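The prefix-based dial plan Tom suggests, with Randell's caveat that a list of complete numbers cannot be kept accurate, as an added example that is not from the thread or from any gateway product: dialled digits are normalised to E.164 and checked by longest-prefix match against a deny/allow table, defaulting to deny for any country code that has no entry. The table holds the NANP 900 area code mentioned above plus one constructed sample entry; `normalize_nanp` and `dial_decision` are assumed helper names.

```python
import re

# Constructed deny/allow table in E.164 prefix form (assumed, not from the
# thread).  Longest matching prefix wins, so a narrower rule overrides a
# broader one; numbers matching no rule at all are denied.
DIAL_RULES = {
    "+1900": "deny",      # NANP premium-rate (US/Canada 900 area code)
    "+449":  "deny",      # sample entry for another country's premium range
    "+1":    "allow",
    "+44":   "allow",
}


def normalize_nanp(dialed: str) -> str:
    """Turn what a NANP user typed into E.164 ('+' plus digits).

    Handles an explicit '+', the '011' international access code, a
    leading trunk '1', and bare 10-digit national numbers.  Anything else
    is returned as typed (digits only) so it falls through to default deny.
    """
    digits = re.sub(r"[^\d+]", "", dialed)
    if digits.startswith("+"):
        return "+" + re.sub(r"\D", "", digits)
    if digits.startswith("011"):
        return "+" + digits[3:]
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    if len(digits) == 10:
        return "+1" + digits
    return digits


def dial_decision(dialed: str, rules=DIAL_RULES) -> str:
    """Return 'allow' or 'deny' for a dialled string by longest-prefix match."""
    number = normalize_nanp(dialed)
    best = None
    for prefix in rules:
        if number.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return rules[best] if best else "deny"


if __name__ == "__main__":
    # Constructed sample dial strings, not real numbers.
    for s in ("1-900-555-0100", "212-555-0123", "011 44 20 7946 0000"):
        print(s, "->", dial_decision(s))
```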




------------------------------

Message: 9
Date: Tue, 4 Apr 2006 17:22:47 -0700
From: Mark Baugher <mbaugher at cisco.com>
Subject: Re: [VOIPSEC] IPSec and VoIP Security
To: "Porter, Thomas \(Tom\)" <tporter at avaya.com>
Cc: Voipsec at voipsa.org
Message-ID: <CCFBD87A-B7E7-4CD5-8C8B-A456D273B022 at cisco.com>
Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed

Tom,
   You need to distinguish three types of performance epochs.  The
first is when the device starts.  The second is when a session/call
begins.  The third is when a packet arrives.

Mark



------------------------------

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


End of Voipsec Digest, Vol 16, Issue 5
**************************************