[Asterisk-Users] Re: IAX/IAX2 encryption?

[Louis-David Mitterrand]

On Mon, Nov 10, 2003 at 03:26:06PM -0500, Brian J. Schrock wrote:
> 
> I second that, and I think I remember hearing Mark talking about it too. But.....
> 
> What type of encryption can you do that does not introduce latency? 
> 
> That said, I would like it to support hardware encryption cards.
> 
> I have done work with FreeS/WAN and it works, and yes it adds about
> 30-100ms of latency depending on what else is going on. I think it has
> something to do with keying.

Ipsec with Freeswan does _not_ add 30-100ms of latency, try a handful of
ms:

styx:/# ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3): 56 data bytes
64 bytes from 192.168.0.3: icmp_seq=0 ttl=62 time=60.5 ms
64 bytes from 192.168.0.3: icmp_seq=1 ttl=62 time=64.2 ms
64 bytes from 192.168.0.3: icmp_seq=2 ttl=62 time=63.8 ms
64 bytes from 192.168.0.3: icmp_seq=3 ttl=62 time=62.2 ms
64 bytes from 192.168.0.3: icmp_seq=4 ttl=62 time=60.7 ms
64 bytes from 192.168.0.3: icmp_seq=5 ttl=62 time=73.0 ms

styx:/# ping my.ipsec.gateway.com
PING my.ipsec.gateway.com (85.89.188.89): 56 data bytes
64 bytes from 85.89.188.89: icmp_seq=0 ttl=57 time=57.5 ms
64 bytes from 85.89.188.89: icmp_seq=1 ttl=57 time=60.4 ms
64 bytes from 85.89.188.89: icmp_seq=2 ttl=57 time=57.5 ms
64 bytes from 85.89.188.89: icmp_seq=3 ttl=57 time=60.1 ms
64 bytes from 85.89.188.89: icmp_seq=4 ttl=57 time=59.2 ms
64 bytes from 85.89.188.89: icmp_seq=5 ttl=57 time=59.1 ms

The first ping goes through a remote Ipsec gateway to reach an internal
host (192.168.0.3) and the second one is directly to that Ipsec
gateway's public IP.

So latency is clearly not the issue.

The main problem with ipsec packets is the lack of TOS support: data and
voice traffic are agregated in one stream which is opaque to external
routers. 

On further reflexion, either with separate IP addresses or ipsec nat
traversal, a specialized voice ipsec tunnel could be setup with packets
marked with the low-latency bit. That should work.