[VOIPSEC] Running VoIP over SSL VPNs? (Network World article)

Lee Dilkie lee_dilkie at mitel.com
Tue Feb 21 22:22:26 CST 2006



Volker Tanger wrote:
> Greetings!
>
> On Tue, 21 Feb 2006 14:30:49 -0500
> dan_york at Mitel.com wrote:
>
>> Network World came out with an article yesterday that detailed 
>> their tests on running VoIP over SSL VPNs:
>>    http://www.networkworld.com/reviews/2006/022006-ssl-voip-test.html
>
> Actually you are asking about 3-4 VPN techniques here:
>
>    1. IPSec
>    2. SSL-style over UDP
>    3. SSL over TCP
>  ( 4. Plain HTTPS web portal - marketing-hyped SSL accelerator )
>
> The first is the VPN technique used "everywhere" when you get near
> firewall-based VPNs.
>
Just because something is possible, doesn't mean it makes sense. Heck, I 
could run VoIP over SMTP if I cared to deal with the latency and jitter 
but it's hardly a reasonable thing to do. Of all the VPN technologies, 
IPsec is the only one that makes sense. And even IPsec is deemed a 
suboptimal fit for RTP due to bandwidth considerations. This is the 
reason SRTP was developed. It's a very good fit for the constraints of 
securing VoIP voice (RTP).

Running RTP over TCP (SSL or not) is just not practical in a real 
network (i.e. internet) as it's not the latency but the jitter introduced 
by re-transmission that'd kill you. And if network conditions got at all 
poor, it'd fall apart a lot faster than RTP on UDP would. Voice can 
tolerate reasonable loss a lot better than it can handle network jitter. 
A good portion of the MOS score is latency-derived.

SSL-over-UDP is a newly proposed beast. I'm not sure how much traction 
it's getting but it seems like a good solution for SIP signaling to me 
but I wouldn't use it for securing RTP as it also suffers considerable 
packet overhead. But I'd pick VPN-over-SSL-over-UDP (if/when such a 
beast exists) over TCP. (Are there too many "over"s in that last statement?)

Regards,

Lee Dilkie

-Yes, Dan York and I work for the same company, but I'm the good looking 
one ;)
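
Added illustration, not part of the original message: a small deterministic model of the retransmission-jitter point made in the message above, comparing how many voice frames miss their playout deadline when the same packets are lost on a UDP path and on a TCP path with in-order delivery. The frame interval, one-way delay, retransmission timeout, jitter buffer depth and loss pattern are all constructed assumptions.

```python
# Added example: a toy timing model, not a packet-level TCP simulator.
FRAME_MS = 20     # assumed: one voice frame sent every 20 ms
ONE_WAY_MS = 40   # assumed: fixed one-way network delay
RTO_MS = 200      # assumed: wait before a lost segment is resent
BUFFER_MS = 60    # assumed: receiver jitter buffer depth

def udp_delays(n, lost):
    """Delay per frame in ms; None where the datagram never arrives."""
    return [None if i in lost else ONE_WAY_MS for i in range(n)]

def tcp_delays(n, lost):
    """Delay per frame in ms with one resend and in-order delivery."""
    delays, prev_delivery = [], 0
    for i in range(n):
        sent = i * FRAME_MS
        arrival = sent + ONE_WAY_MS + (RTO_MS if i in lost else 0)
        # Head-of-line blocking: frame i cannot be handed to the
        # application before frame i-1 has been delivered.
        delivery = max(arrival, prev_delivery)
        delays.append(delivery - sent)
        prev_delivery = delivery
    return delays

def unplayable(delays):
    """Frames that are missing or arrive after the playout deadline."""
    deadline = ONE_WAY_MS + BUFFER_MS
    return sum(1 for d in delays if d is None or d > deadline)

def jitter_ms(delays):
    """Spread between the slowest and fastest delivered frame."""
    got = [d for d in delays if d is not None]
    return max(got) - min(got)

def compare(n=100, lost=frozenset({10, 50})):
    """Same constructed loss pattern applied to both transports."""
    udp, tcp = udp_delays(n, lost), tcp_delays(n, lost)
    return {
        "udp": {"unplayable": unplayable(udp), "jitter_ms": jitter_ms(udp)},
        "tcp": {"unplayable": unplayable(tcp), "jitter_ms": jitter_ms(tcp)},
    }

if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

In this model each lost packet costs one frame on UDP, while on TCP the resend stalls the frames queued behind it until the backlog drains.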




