RV: [Openswan Users] voip over ipsec

Elias Valea Peri Elias at jjec.com
Thu May 5 11:03:42 CEST 2005


I've done it many times; in my experience, pay attention to the following
things:

Latency :
The most important parameter is latency; it must always be under 150ms (100ms
or less recommended), so before using ipsec investigate your expected latency
at network transport.
Ok, if your latency is acceptable, you must know that when you apply ipsec
it's normal that a couple of ms will be added to latency, because
encrypt/decrypt calculation, hashing, and key/SA renegotiation waste CPU
time (especially on the server side), so many times it is necessary to reduce
security a lot by using e.g. DES+MD5+aggressive mode (worst case), to save CPU
and not increase latency.

Bandwidth :
Depending on the codecs you're using, and of course the sampling
rate/quality, I'll need from 20kbits/s to 90kbits/s per voice channel. In
most cases 20-30kbits/s is sufficient. Ipsec will add a bit of bandwidth,
usually not representative, but it depends on your config (you must sniff
network data to take a measurement).

Protocols for VoIP :
I prefer to use SIP, not the ITU family, because it is easier to control at
the transport layer (fewer ports/protocols), and has less dependency on TCP
transport.

Which hard/soft are you planning to use for VoIP?

QoS, yes, use it, but if you encapsulate the packets inside a
tunnel/transport, you'll need to establish a resource reservation policy for
encrypted traffic too.

Elias

-----Original message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On behalf
of Abdul-Wahid Paterson
Sent: Wednesday, 04 May 2005 22:19
To: OpenSwan List
Subject: [Openswan Users] voip over ipsec

Hi,

Has anyone got any thoughts or experience in using VoIP over IPSec? Is
the performance too much of a hit for the VoIP to work properly? What
about packet sizes etc?

Also, under a 2.6 Kernel with no ipsec0 virtual interface, would it be
a good strategy to mark VoIP packets in the PREROUTING chain of the
mangle table so that I can then assign them to the appropriate QoS
queue before the packets are encrypted?

Any thoughts welcomed.

Abdul-Wahid
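
Added example, not part of the original messages: the bandwidth point and the packet-size question in this thread can be estimated before sniffing by computing the ESP tunnel-mode size of one RTP packet, then comparing the figure with a capture. Assumptions: IPv4, CBC ciphers with 96-bit truncated HMACs, 20 ms packetization, link-layer headers excluded; the codec table and all function names are constructed for illustration.

```python
"""Estimate per-call bandwidth of RTP voice inside an ESP tunnel (IPv4)."""

IP_HDR, UDP_HDR, RTP_HDR = 20, 8, 12
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte
NATT_UDP = 8       # extra UDP header when ESP is UDP-encapsulated (NAT-T)

# cipher -> (block size, IV size) in bytes, CBC mode
CIPHERS = {"des": (8, 8), "3des": (8, 8), "aes-cbc": (16, 16)}
# integrity algorithm -> ICV length in bytes (96-bit truncation)
ICV_LEN = {"hmac-md5-96": 12, "hmac-sha1-96": 12}
# Constructed sample table: codec -> (payload bytes per packet, packets/s)
CODECS = {"g729": (20, 50), "g711": (160, 50)}


def rtp_ip_len(payload):
    """Size of the cleartext IP packet carrying one RTP frame."""
    return IP_HDR + UDP_HDR + RTP_HDR + payload


def esp_tunnel_len(inner_len, cipher, auth, nat_t=False):
    """Size of the outer IP packet after ESP tunnel-mode encapsulation."""
    block, iv = CIPHERS[cipher]
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to the cipher block
    total = IP_HDR + ESP_HDR + iv + padded + ICV_LEN[auth]
    return total + (NATT_UDP if nat_t else 0)


def kbps(packet_len, pps):
    """IP-layer bandwidth of one direction of a call, in kbit/s."""
    return packet_len * 8 * pps / 1000


def report(codec, cipher, auth, nat_t=False):
    """Return (clear bytes, ESP bytes, clear kbit/s, ESP kbit/s)."""
    payload, pps = CODECS[codec]
    clear = rtp_ip_len(payload)
    enc = esp_tunnel_len(clear, cipher, auth, nat_t)
    return clear, enc, kbps(clear, pps), kbps(enc, pps)


if __name__ == "__main__":
    for codec in CODECS:
        for cipher in ("3des", "aes-cbc"):
            c, e, ck, ek = report(codec, cipher, "hmac-md5-96")
            print(f"{codec:5} {cipher:8} {c:4d} B -> {e:4d} B  "
                  f"{ck:6.1f} -> {ek:6.1f} kbit/s")
```

The fixed per-packet cost (outer header, ESP header, IV, padding, ICV) is the same for every packet, so it weighs most on small-payload codecs; this is also the size the QoS queue sees once the traffic is encrypted.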