Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: VoIP over IPsec

  • From: tedawson
  • Date: Mon Feb 17 18:38:33 2003

Comments inline:
At 01:34 PM 2/17/2003 -0500, Charles Youse wrote:

>So do you suppose that in my scenario, I'd be better off leaving the VoIP out 
>of the encrypted tunnels and use a separate [cleartext] path for them?

Oh goodness no. VoIP (SIP specifically) has no real security in it. Call 
hijacking for example is a matter of sending a pair of spoofed UDP packets to 
each phone and having the voice streams arrive at the attackers machine. Not 
pretty, and I do this trick (and worse) daily. (in a lab as part of work of 
course)

>I'm worried about the security implications, not because I feel there is a 
>huge security risk but because I'm sure the topic will be brought up. 
>(Communicating over one provider's 
>backbone provides little opportunity for third parties to snoop packets 
>between points, of course.) 
See above, SIP security sucks and H323 isn't much better.


>Has the issue of VoIP security ever been addressed? 

Not really.
There are two parts to VoIP, the signalling and the bearer channel (actual RTP 
streams with the voice). 
The signalling channel is by far the easiest to abuse so if you are worried 
about security, go after this first. Encrypting the itty bitty RTP packets is a 
challenge that has yet to be entirely overcome, but encrypting the signalling 
is about 90% of the battle (according to me YMMV). So if you want this done 
without buying any new toys, and just using the Cisco's you have in place. 
Simply place a GRE tunnel between the two sites and just IPSec UDP port 5060 
(SIP), and leave all other traffic alone (your phones are on separate subnets 
right???????). This will encrypt the signalling (SIP is the assumption here) 
but leave the RTP alone so that you dont have the jitter issues (as much at 
least). 


If you are really serious about doing VoIP then look into the products from 
InGate and NetRake, and others.
The InGate supports NAT/PAT (which is useful since some phones basically 
require a public IP address UGH), but more importantly it supports TLS. This 
encrypts the packets, but doesn't suffer from the keying issues of IPSec nor 
the overhead, so tiny little SIP packets can be encrypted without wait, but I 
am not clear on the RTP packets (they aren't encrypted as far as I know). Plus 
you get a registrar, proxy, etc, etc etc server along with it. They are 
relatively cheap.
Netrake is for carriers, but is kinda cool to look at.

As far as QoS, don't worry about it unless you are short on bandwidth, and even 
then it doesn't seem to make much difference (in my experience YMMV).
Hope this helps

I speak for me and me alone. Do not hold my employer liable for my rantings.





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.