[VOIPSEC] IPSec and VoIP Security

Jon-Olov Vatn vatn at kth.se
Thu Apr 6 02:46:03 CDT 2006


Hi,

Alexandre Passito wrote:

>Hi ALL,
>
>If IPSec must be used in IPv6 networks, to deploy this solution now for VoIP
>security is not to avoid problems in the near future?
>In an ongoing research that I am doing here we are using IPSec in Bluetooth
>communications for VoIP and the results seem good, although we are having
>some problems with our ARM-based platforms. Is the solution an optimized
>version of IPSec? Like encryption-engine packet priority for VoIP? So on....
>
>Best regards
>
>Passito
>  
>
Note, the measurements I quoted did not relate to per-packet encryption,
but rather to the time to establish and install the needed security
associations for IPSec as part of a SIP call setup.
For more information about which IPSec implementation was used, I refer
to Joachim Orrblad's master thesis (Alternatives to MIKEY/SRTP to secure
VoIP), see
http://www.minisip.org/publications/Thesis_Orrblad_050330.pdf.

In section 5.4 of his thesis he writes:
"The implementation in this thesis make use of the native Linux IPSEC
support available in kernel versions ≥2.5.47 and 2.6.* and has been
tested in this thesis on Linux kernel 2.6.7, 2.6.8 and 2.6.10. An
implementation of PF_KEY [RFC 2367] called libipsec is used to manage
the IPSEC kernel. Libipsec is part of the ipsectools [tools] released
for Linux. Ipsectools is a port from KAME's [KAME] IPSEC utilities."

BW J-O

>2006/4/5, Jon-Olov Vatn <vatn at kth.se>:
>  
>
>>Hi,
>>
>>You can find call setup measurements for the use of MIKEY/SRTP and
>>MIKEY/IPSec-ESP (with MIKEY signed Diffie-Hellman for keying)
>>in Bilien et al. "Secure VoIP: call establishment and media protection",
>>see
>>http://www.minisip.org/publications.html for an online version.
>>
>>These measurements were done with minisip running on
>>500 MHz Pentium 3 laptops with a Linux 2.6 kernel.
>>With the way "key generation time" is defined in this paper, that took
>>about 130 ms, both for SRTP and IPSec-ESP. However, for IPSec-ESP
>>we found a delay of around 660 ms to update the SA and policy DB,
>>a delay which we at that time were not able to give a good explanation
>>for. (It should not relate to any cryptographic processing, rather it
>>ought to depend on the interaction between (or internals of) minisip and
>>the Linux IPSec support we were using.)
>>
>>BW J-O
>>
>>Randell Jesup wrote:
>>
>>>"Porter, Thomas (Tom)" <tporter at avaya.com> writes:
>>>
>>>>As a starting point here are some numbers for encryption speeds:
>>>>
>>>>An AES encryption, without hardware acceleration, takes about 50
>>>>microseconds, for instance. But the key generation and exchange process
>>>>can last up to 500ms, which is unacceptable for a real-time VoIP
>>>>application.
>>>>
>>>50us and 500ms - on what?  3.0GHz P4?  400MHz PIII?  12MHz 80286?  150MHz
>>>ARM?  600MHz DSP?  PDA?  To talk encryption performance, you have to
>>>specify what your target hardware (minimum!) is.  50us on a 3GHz PC might
>>>be 1ms or more on a low-end hardphone - or it might be less than 50us.
>>>
>>>>Overall, establishing a security association with IPSec
>>>>requires anywhere from 2 to 10 seconds. TLS achieves better performance,
>>>>but it still needs approximately 1.5 seconds to form a security
>>>>association. IIRC, these figures are from TI.
>>>>
>>>For what processor?  Mikey in various non-preshared-key/non-PKI modes would
>>>probably be similar (I think) to TLS (anyone know?)
>>>
>>>I agree security startup to avoid excessive delays in accepting calls
>>>is a BIG issue with various public-key-based algorithms.
>>>
>>_______________________________________________
>>Voipsec mailing list
>>Voipsec at voipsa.org
>>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>--
>Alexandre Passito - M.Sc. Student
>Federal University of Amazonas (UFAM)
>Computer Science Department (DCC)
>--
>E-mail: passito at dcc.ufam.edu.br
>Web: www.dcc.ufam.edu.br/~passito
>Manaus - AM - Brasil