Speed up VoIP over VPNs
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
More and more companies are finding that connecting remote offices with VPNs across the Internet is a very cost-effective solution compared to point-to-point data circuits. But they're also finding it puts a major kink in their VoIP plans. One of those challenges is the delay caused by encrypting the VPN tunnel. Unfortunately, with common security protocols such as IPSec using DES or 3DES, the level of security varies proportionally with the delay. That is, the longer your key-length, the longer it takes to encrypt and decrypt.
One possible solution to this problem is to simply not encrypt your voice traffic. Offhand, you might think sending unencrypted voice traffic over the Internet is very insecure, but it's arguably much more secure than traditional, unencrypted telephony, since it takes some fairly sophisticated and expensive equipment to intercept, capture and decode VoIP, but telephone tapping equipment is very cheap and requires little skill.
For a more appropriate solution, remember that VPNs don't actually have to use encryption. For instance, if you're using Cisco routers to connect to the Internet at each office, you could create a second tunnel and configure it with IPSec with just the Authentication Header (AH) such as MD5 or SHA, but without ESP. Then use access-lists to specify that only VoIP uses the 2nd tunnel, while all other data traffic uses the primary, encrypted tunnel. This would allow you to maintain connectivity between your branches using private IP addresses and also allow you to retain the benefits of authentication without the expense of encrypting each packet.
As always, there are a few caveats:
First, dual paths create the possibility of routing loops. Any modern routing protocol should prevent that, but you may want to manually configure routing across the tunnels anyways.
Second, make sure you implement some prioritization scheme to prevent the main data tunnel from degrading the voice tunnel.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
Did you like this tip? Why not let us know? Send an email and sound off.
Voice Over Packet Networks
Author : David Wright
Publisher : John Wiley & Sons
Published : Aug 2000