[Asterisk-Users] Re: IAX/IAX2 encryption?
Richard Scobie
r.scobie at clear.net.nz
Mon Nov 10 22:42:05 MST 2003
Louis-David Mitterrand wrote:
Snip
> The main problem with ipsec packets is the lack of TOS support: data and
> voice traffic are agregated in one stream which is opaque to external
> routers.
This is not the case with FreeS/WAN, below is an excerpt from the website:
Can I use Quality of Service routing with FreeS/WAN?
From project technical lead Henry Spencer:
> Do QoS add to FreeS/WAN?
> For example integrating DiffServ and FreeS/WAN?
With a current version of FreeS/WAN, you will have to add hidetos=no to
the config-setup section of your configuration file. By default, the TOS
field of tunnel packets is zeroed; with hidetos=no, it is copied from the
packet inside. (This is a modest security hole, which is why it is no
longer the default.)
DiffServ does not interact well with tunneling in general. Ways of
improving this are being studied.
Copying the TOS (type of service) information from the encapsulated
packet to the outer header reveals the TOS information to an
eavesdropper. This does not tell him much, but it might be of use in
traffic analysis. Since we do not have to give it to him, our default is
not to.
Even with the TOS hidden, you can still:
* apply QOS rules to the tunneled (ESP) packets; for example, by
giving ESP packets a certain priority.
* apply QOS rules to the packets as they enter or exit the tunnel
via an IPsec virtual interface (eg. ipsec0).
See ipsec.conf(5) for more on the hidetos= parameter.
Regards,
Richard
More information about the asterisk-users
mailing list