North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: VoIP over IPsec
Comments inline: At 01:34 PM 2/17/2003 -0500, Charles Youse wrote: >So do you suppose that in my scenario, I'd be better off leaving the VoIP out >of the encrypted tunnels and use a separate [cleartext] path for them? Oh goodness no. VoIP (SIP specifically) has no real security in it. Call hijacking for example is a matter of sending a pair of spoofed UDP packets to each phone and having the voice streams arrive at the attackers machine. Not pretty, and I do this trick (and worse) daily. (in a lab as part of work of course) >I'm worried about the security implications, not because I feel there is a >huge security risk but because I'm sure the topic will be brought up. >(Communicating over one provider's >backbone provides little opportunity for third parties to snoop packets >between points, of course.) See above, SIP security sucks and H323 isn't much better. >Has the issue of VoIP security ever been addressed? Not really. There are two parts to VoIP, the signalling and the bearer channel (actual RTP streams with the voice). The signalling channel is by far the easiest to abuse so if you are worried about security, go after this first. Encrypting the itty bitty RTP packets is a challenge that has yet to be entirely overcome, but encrypting the signalling is about 90% of the battle (according to me YMMV). So if you want this done without buying any new toys, and just using the Cisco's you have in place. Simply place a GRE tunnel between the two sites and just IPSec UDP port 5060 (SIP), and leave all other traffic alone (your phones are on separate subnets right???????). This will encrypt the signalling (SIP is the assumption here) but leave the RTP alone so that you dont have the jitter issues (as much at least). If you are really serious about doing VoIP then look into the products from InGate and NetRake, and others. The InGate supports NAT/PAT (which is useful since some phones basically require a public IP address UGH), but more importantly it supports TLS. This encrypts the packets, but doesn't suffer from the keying issues of IPSec nor the overhead, so tiny little SIP packets can be encrypted without wait, but I am not clear on the RTP packets (they aren't encrypted as far as I know). Plus you get a registrar, proxy, etc, etc etc server along with it. They are relatively cheap. Netrake is for carriers, but is kinda cool to look at. As far as QoS, don't worry about it unless you are short on bandwidth, and even then it doesn't seem to make much difference (in my experience YMMV). Hope this helps I speak for me and me alone. Do not hold my employer liable for my rantings.