[VOIPSEC] Voipsec Digest, Vol 14, Issue 17
Shrikant Latkar
shri at juniper.net
Wed Feb 22 09:04:50 CST 2006
You don't want to try and run hard-phones on an SSL/VPN connection, because the
whole idea of SSL/VPN is to enable mobile users to get central office
connectivity through any web browser.
Juniper has successfully tested IPSoftphone using our SSL/VPN
technology. I use it on a regular basis both in the road-warrior mode
(both signaling and RTP are over the IP connection), as well as in the
telecommuter mode (where only control signaling is over the IP
connection and voice traffic is over the PSTN network), and it works
very well.
There is a trend in the marketplace where increasingly companies are
deploying SSL/VPN for their mobile workers, and IPSoftphones are a
perfect fit for such applications.
Shrikant
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Voipsec-request at voipsa.org
Sent: Wednesday, February 22, 2006 4:00 AM
To: Voipsec at voipsa.org
Subject: Voipsec Digest, Vol 14, Issue 17
Today's Topics:
1. Running VoIP over SSL VPNs? (Network World article)
(dan_york at Mitel.com)
2. Re: Running VoIP over SSL VPNs? (Network World article)
(Volker Tanger)
3. Re: Running VoIP over SSL VPNs? (Network World article)
(Lee Dilkie)
4. Re: Running VoIP over SSL VPNs? (Network World article)
(Volker Tanger)
----------------------------------------------------------------------
Message: 1
Date: Tue, 21 Feb 2006 14:30:49 -0500
From: dan_york at Mitel.com
Subject: [VOIPSEC] Running VoIP over SSL VPNs? (Network World
article)
To: voipsec at voipsa.org
Message-ID:
<OFAFFF107B.D16C48FF-ON8525711C.0069D441-8525711C.006B30E9 at mitel.com>
Content-Type: text/plain; charset="us-ascii"
VOIPSEC readers,
Network World came out with an article yesterday that detailed
their tests on running VoIP over SSL VPNs:
http://www.networkworld.com/reviews/2006/022006-ssl-voip-test.html
I'm curious to learn from folks here... are there list subscribers
using VoIP over SSL VPNs? If so, would you care to share your
experiences here? What are you using... softphones? Handsets
with ATAs? Handsets with SSL clients inside? How does the quality
sound? Have you compared using your phone over an SSL VPN to
running the same (hard/soft)phone over an IPSEC VPN?
I will candidly admit that lacking any time/resources to experiment
with SSL VPNs on my own, I've fallen into the "conventional wisdom"
trap that the article author hits in his first sentence ("VoIP is
often written off as an application that will not work well over an
SSL VPN link.") based on some of my earlier reading about latency in SSL
VPNs and also just my own basic understanding of TCP and SSL.
However, I'm always prepared to revisit assumptions in light of new
data, and the article would certainly seem to say that SSL VPNs are
worth evaluating. Anyone have any feedback one way or the other?
I'm just curious more than anything else.
Thanks,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
------------------------------
Message: 2
Date: Wed, 22 Feb 2006 01:07:54 +0100
From: Volker Tanger <vtlists at wyae.de>
Subject: Re: [VOIPSEC] Running VoIP over SSL VPNs? (Network World
article)
To: Voipsec at voipsa.org
Message-ID: <20060222010754.688f2951.vtlists at wyae.de>
Content-Type: text/plain; charset=US-ASCII
Greetings!
On Tue, 21 Feb 2006 14:30:49 -0500
dan_york at Mitel.com wrote:
> Network World came out with an article yesterday that detailed
> their tests on running VoIP over SSL VPNs:
> http://www.networkworld.com/reviews/2006/022006-ssl-voip-test.html
...which does not tell overly much about the *real* setup. IIRC at least
some of the units come with some kind of QoS or load
balancing/equalization between the established VPNs by default (please
correct me - it's been quite some time).
> I'm curious to learn from folks here... are there list subscribers
> using VoIP over SSL VPNs? If so, would you care to share your
> experiences here? What are you using... softphones? Handsets
> with ATAs? Handsets with SSL clients inside? How does the quality
> sound? Have you compared using your phone over an SSL VPN to
> running the same (hard/soft)phone over an IPSEC VPN?
Actually you are asking about 3-4 VPN techniques here:
1. IPSec
2. SSL-style over UDP
3. SSL over TCP
( 4. Plain HTTPS web portal - marketing-hyped SSL accelerator )
The first is the VPN technique used "everywhere" when you get near
firewall-based VPNs.
A prominent candidate of the second one is OpenVPN.
And the fourth is plain marketing garbage.
"SSL-VPNs" (3rd) often do VPNing over TCP - which can lead to timing
problems and resend-races between the inner and the outer TCP stack
whenever packets are lost. Plus encapsulating UDP into TCP can add
*quite* some additional delay over noisy/lossy lines due to
resend/confirmation requests and handshakes. On the other side you won't
have any RTP packets lost as the outer TCP automatically requests
resends. So that actually might "improve" the perceived sound/tone
quality - by sacrificing delay up to recognizable pauses.
Their main advantage is that tcp/443 plus SSL usually are no problem to
tunnel through corporate firewalls - so an "ideal" solution for
consultants trying "to phone home".
On the other side the implementation sometimes leaves quite a bit to be
optimized (e.g. downloading a monstrous client each and every time the
VPN is being established - yeah, rrrright...).
I've found that the first two do not differ much. VPN is adding its
(small: few ms) share to the total delay, but that's pretty much it -
unless you have to set up the connection while ringing. This will cause
a recognizable delay - during the call setup phase, so not overly
critical (there are exceptions, though). And this is independent whether
soft- or hardphone.
If you have softphone and VPN client on the same system that one needs
enough CPU power for both: the VPN and the voice codecs. That usually is
a problem for PDAs - but current PCs and laptops should handle both with
ease - though the latter quite often have abysmal audio interfaces,
adding noise and colouring/distortion.
But of course you need to "enVPN" the traffic somewhere - and unless
your router is doing the VPN stuff, you probably will run into problems
with hardphones as those usually won't run the often proprietary
Windows-only VPN clients...
One major problem source always to keep in mind when using VoIP over VPN
client: be careful about all routing at *ALL* layers!
Routing all the RTP out to the internet via a proxy/STUN server usually
is not overly compatible with setting up a call from via VPN...
Back to the beginning: all other things equal I did not find any
difference between using VoIP over ("real") VPN or not. There was a
small added delay, but definitely no improvement.
I have not experimented with VoIP over SSL-VPN-over-TCP, but I think
that the suddenly loss-less (or at least less-lossy) RTP (over TCP)
might actually lead to a perceived sound/tone improvement if the delay
is being ignored during that test.
Bye
Volker
--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists at wyae.de PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
------------------------------
Message: 3
Date: Tue, 21 Feb 2006 23:22:26 -0500
From: Lee Dilkie <lee_dilkie at mitel.com>
Subject: Re: [VOIPSEC] Running VoIP over SSL VPNs? (Network World
article)
To: Voipsec at voipsa.org
Message-ID: <43FBE702.8050201 at mitel.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Volker Tanger wrote:
> Greetings!
>
> On Tue, 21 Feb 2006 14:30:49 -0500
> dan_york at Mitel.com wrote:
>
>
>> Network World came out with an article yesterday that detailed
>> their tests on running VoIP over SSL VPNs:
>> http://www.networkworld.com/reviews/2006/022006-ssl-voip-test.html
>>
>
>
> Actually you are asking about 3-4 VPN techniques here:
>
> 1. IPSec
> 2. SSL-style over UDP
> 3. SSL over TCP
> ( 4. Plain HTTPS web portal - marketing-hyped SSL accelerator )
>
> The first is the VPN technique used "everywhere" when you get near
> firewall-based VPNs.
>
>
>
Just because something is possible, doesn't mean it makes sense. Heck, I
could run VoIP over SMTP if I cared to deal with the latency and jitter
but it's hardly a reasonable thing to do. Of all the VPN technologies,
IPsec is the only one that makes sense. And even IPsec is deemed a
suboptimal fit for RTP due to bandwidth considerations. This is the
reason SRTP was developed. It's a very good fit for the constraints of
securing VoIP voice (RTP).
Running RTP over tcp (SSL or not) is just not practical in a real
network (ie. internet) as it's not the latency but the jitter introduced
by re-transmission that'd kill you. And if network conditions got at all
poor, it'd fall apart a lot faster than RTP on UDP would. Voice can
tolerate reasonable loss a lot better than it can handle network jitter.
A good portion of the MOS score is latency-derived.
SSL-over-UDP is a newly proposed beast. I'm not sure how much traction
it's getting but it seems like a good solution for SIP signaling to me
but I wouldn't use it for securing RTP as it also suffers considerable
packet overhead. But I'd pick VPN-over-SSL-over-UDP (if/when such a
beast exists) over tcp. (is there too many "over"s in that last
statement?)
Regards,
Lee Dilkie
-Yes, Dan York and I work for the same company, but I'm the good looking
one ;)
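
[Added example, not part of any list member's message: a toy Python model of the trade-off argued in Messages 2 and 3, where an in-order TCP tunnel turns one lost RTP packet into a run of late packets while plain UDP just drops that packet. The 20 ms frame interval, 40 ms path delay, fixed 200 ms retransmission time, 100 ms jitter buffer and the loss pattern are all constructed assumptions.]

```python
"""Toy model: a 20 ms RTP stream on a lossy path, as UDP vs. inside a TCP tunnel."""

FRAME_MS = 20      # RTP packetization interval (assumed)
ONE_WAY_MS = 40    # one-way path delay (assumed)
RTO_MS = 200       # time for the tunnel to recover a lost segment (assumed, fixed)
PLAYOUT_MS = 100   # receiver jitter-buffer depth (assumed)


def udp_delays(n, lost):
    """Per-packet delay in ms, or None if lost. No retransmission, no ordering."""
    return [None if seq in lost else ONE_WAY_MS for seq in range(n)]


def tcp_tunnel_delays(n, lost):
    """Lost segments are resent after RTO_MS and delivery is strictly in order,
    so every packet queued behind a lost one waits for it (head-of-line blocking)."""
    delays, prev_delivery = [], 0
    for seq in range(n):
        sent = seq * FRAME_MS
        arrival = sent + ONE_WAY_MS + (RTO_MS if seq in lost else 0)
        delivery = max(arrival, prev_delivery)  # cannot overtake earlier data
        delays.append(delivery - sent)
        prev_delivery = delivery
    return delays


def summarize(delays):
    """Loss on the wire, delay spread, and packets missing or late for playout."""
    got = [d for d in delays if d is not None]
    usable = [d for d in got if d <= PLAYOUT_MS]
    return {
        "lost_on_wire": len(delays) - len(got),
        "max_delay_ms": max(got),
        "jitter_ms": max(got) - min(got),
        "unusable": len(delays) - len(usable),
    }


def compare(n=50, lost=frozenset({10, 30})):
    """Same constructed loss pattern (packets 10 and 30) applied to both transports."""
    return {"udp": summarize(udp_delays(n, lost)),
            "tcp_tunnel": summarize(tcp_tunnel_delays(n, lost))}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

[In this model the tunnel loses nothing on the wire, yet each loss leaves seven consecutive frames (140 ms of audio) too late for the jitter buffer, against a single 20 ms frame lost over UDP.]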
------------------------------
Message: 4
Date: Wed, 22 Feb 2006 09:06:54 +0100
From: Volker Tanger <vtlists at wyae.de>
Subject: Re: [VOIPSEC] Running VoIP over SSL VPNs? (Network World
article)
To: Voipsec at voipsa.org
Message-ID: <20060222090654.5212080a.vtlists at wyae.de>
Content-Type: text/plain; charset=US-ASCII
Good morning!
On Tue, 21 Feb 2006 23:22:26 -0500
Lee Dilkie <lee_dilkie at mitel.com> wrote:
>
> I could run VoIP over SMTP if I cared to deal with the latency and
> jitter but it's hardly a reasonable thing to do. Of all the VPN
> technologies, IPsec is the only one that makes sense. And even IPsec
> is deemed a suboptimal fit for RTP due to bandwidth considerations.
[...]
> Running RTP over tcp (SSL or not) is just not practical in a real
> network (ie. internet) as it's not the latency but the jitter
> introduced by re-transmission that'd kill you.
IPSec and SSLish UDP (OpenVPN, to name the beast) are more or less equal
with respect to delay and CPU resources. OpenVPN has a bit more
overhead packet-size-wise of course, but is much easier to handle
with NAT devices (of course).
The main reason to use a standard VPN usually is that the hardphones
used simply don't do SRTP or similar...
;-)
> Voice can tolerate reasonable loss a lot better than it
> can handle network jitter.
...especially with a loss-tolerant codec like iLBC or alike.
Bye
Volker
--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists at wyae.de PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
------------------------------