[Equipment] Understanding QoS for VoIP and VPNs: 3 Remote Office Network
swinster join:2006-05-30 UK
Hi all,
We are looking at implementing 3 ZyXEL Prestige 652H/HW at three office locations (see diagram). Each office location needs to be connected via a permanent VPN through the Internet. The Internet connections at each site will use ADSL MAX (RADSL) (8Mbit down/800Kbit up). Each office will have its own PBX telephony system that can use IP to transfer calls between sites. The telephony equipment itself will come from Alcatel.
The network therefore needs to provide secure transport for both data and voice IP traffic and provide a Quality of Service (QoS) for the voice packets.
With regard to the VPN tunnels, VoIP and QoS, can voice traffic be routed through the VPN tunnel to provide a secure method of voice data transfer AND can the router still maintain a QoS (i.e. how does the VPN process alter the packet information with regards to voice tagged data packets)? Or does it mean that voice data should be sent on a separate route and secured in a different manner?
Swin
B Premium, MVM join:2000-10-28
What a great post! Not often we see a question this meaty.
First off, and you probably know this, you're not getting any QoS at all once the traffic hits the Internet (VPN or not). All the QoS will do, if it's maintained, is give priority to YOUR voice traffic over YOUR data traffic as it traverses the VPN WAN.
Second, I understand that many implementors decide not to tunnel the VoIP traffic at all, because (a) it adds complexity and (b) it can slow communications due to the encapsulation overhead. (It also makes it easier for the Voice guys to point fingers at the Data guys.)
Third, if you wish to secure the VoIP on its own path you might investigate using SIP's inherent S/MIME encryption options or whatever tweaked protocols are available from Alcatel.
As to your first question I don't believe the VPN encapsulation will mangle the QoS tags at all, but it also won't necessarily respect them! You have to use QoS tagging that's understood and respected by your firewall/VPN endpoint appliances. There's a ZyXel forum here that may be of assistance.
-- B
swinster join:2006-05-30 UK (1 edit)
Thanks - and I thought I was just being dumb asking this question! I understand a fair bit but not exactly how packets are altered or affected on their routes from end to end.
I have posted this question in the ZyXEL forum as well as approaching ZyXEL directly, so I will see what happens. It may be worthwhile, however, judging from your response, to route VoIP traffic differently to the data traffic, outside of a VPN. The only way I can see of doing this is to get the PBX into the DMZ and assign it a public IP address. This should not be a problem as the ADSL package will include an 8 IP address range. I will look into the Alcatel product info (not my specialty by any means) and see how they implement SIP.
One other point of interest: the ISP that we will be using for these sites apparently provides a QoS for its network. Not that this will gain us anything, because as far as I understand it, QoS is really only important in the last mile where bandwidth is truly restricted (especially on the up path of a DSL connection).
B Premium, MVM join:2000-10-28
No, not quite. QoS is desirable from end to end if at all possible (otherwise it's of very limited value). It doesn't really relate to "bandwidth" at all, but to contention for delivery priority among different packet streams on the same pipe. If your ISP does do this (MPLS?) then you may be in luck.
You should probably have a professional Alcatel integrator and/or some folks from your ISP involved in this plan.
Good luck...
-- B
swinster join:2006-05-30 UK
The Alcatel partner I am working with hasn't done this kind of implementation before. I myself have been brought in from a networking/computing background, but as the two technologies collide head on, we somehow have to get our heads around all the issues involved.
Interesting to know about QoS. As a networking guy looking at VoIP this is a new area for me. The ISP we are using in the UK is Griffin. They were quite proud to announce to us that they were one of the few ISPs that support QoS across their network.
DracoFelis Premium join:2003-06-15
said by swinster: "The ISP we are using in the UK is Griffin. They were quite proud to announce to us that they were one of the few ISPs that support QoS across their network."
One thing to keep in mind about QoS at the ISP level is that the ISP can only make QoS decisions based upon the info available to them. And since the whole point of a VPN is to "hide" the data that is in the VPN, the ISP will not be able to make any QoS decisions for data that is within the VPN tunnel, because it all looks like one encrypted VPN tunnel to the ISP.
This means that if you use the VPN approach for your VoIP, the best that the ISP could (even in theory do), is give your VPN tunnel higher priority (it would NOT be able to give your VoIP traffic priority, because the ISP would not be able to isolate your VoIP traffic from any other VPN traffic you are doing)! So from a practical standpoint, you will lose (ISP level) QoS if/when you use a VPN.
NOTE: You really do have a "trade off" decision to make between "security" and "voice quality" with your VoIP. And which solution you eventually decide upon, will depend upon which factors you consider most important to your business.
For example, if "security" is most important to you, you probably do want to run your VoIP via your VPN tunnels. One reason for this, is that someone would first have to break your VPN, in order to "tap your phones" while the data is traveling over the internet! And running your VoIP via your VPN, also "hides" your VoIP traffic within the VPN tunnels (so that it looks to the outside world like any other data traffic in the VPN). This makes the entire setup much more secure IMHO.
OTOH the VPN approach has the (potential) VoIP quality problems already mentioned (i.e. loses QoS info, potentially greater "latency" and "jitter" due to the VPN, etc). So for the best sound quality, you would want to have your VoIP outside your VPN. But if you do that, then only the encryption (if any) built into the VoIP equipment itself would be available (to your VoIP). So while you may get better sound quality (both due to avoiding the VPN overhead, and also due to your ISP's QoS), it is nonetheless a lot easier to "hack into" your VoIP equipment in this setup. So while you gain something in performance (by exposing your VoIP equipment directly to the internet), you lose something in security.
And so you really have to ask yourself, is the security built into your VoIP equipment "good enough" (for the security/privacy needs of your company)? If the answer is "yes", you might as well put the VoIP equipment outside the VPN (thereby exposing your VoIP equipment to the internet), for the better performance that will give. However, if the answer is "No, I need more security", then I would recommend having the VoIP equipment go via the VPN (and thereby using the VPN security to also protect your VoIP), and just live with the sound quality issue that may result due to the VPN.
B Premium, MVM join:2000-10-28
In my opinion they'd be foolish not to take advantage of the QoS granted by Griffin's MPLS network.
Here's a good piece on the subject: »www.lightreading.com/document.as···number=6
Keep in mind that, even without encryption, these voice flows are "hackable" only to someone that has penetrated the user's network or the ISP's network. (If someone's on a shared segment assigned to that organization or ISP and is sniffing voice traffic with Cain and Abel, VOMIT, Oreka, etc. then there's a human resources and physical security problem.)
I certainly WOULD try to turn on S/MIME or something similar, but I don't see a major exposure without it, unless they're doing highly classified and/or government work. (And if they are they should hire someone very capable to engineer it.)
Also, as the ISP has engineered their network for exactly this purpose, they may be more than willing to provide appropriate encryption (possibly for a fee).
-- B
swinster join:2006-05-30 UK (4 edits) reply to DracoFelis
I received this post back from the ZyXEL forum.
said by dslpartner: "What the VPN does with the packets depends on whether or not you use AH or ESP. Since AH in general is bad if there is any NAT somewhere and it does not encrypt the data, it just makes it tamper proof, then ESP is usually what people end up using. ESP basically encapsulates the old IP packet inside a new one and the old packet is also encrypted. Tags set on the packets from the IPPBX are transferred encrypted and show up again when the packet is decrypted. Whether any QoS tags etc. will be copied to new IP headers and will they be obeyed by the internet routers, my educated guess is no!"
We had some discussion here as to whether the VPN encryption routine mangled the original packet or just altered the headers. As we also tend to use ESP, you can see that we will not be able to set up the VPN and implement QoS. However, it may be that an IPSEC VPN using AH tunnels may well work with QoS, but then the data is unencrypted.
I expect that the S/MIME encryption built into SIP would be adequate for our purpose.
They are a bunch of solicitors, so as long as they don't sue me, I'll be happy.
WRT the ISP, I have just found this document on their site ("http://www.griffin.com/news/Griffin Supports VoIP Partners.pdf") indicating that they offer a private L2TP VPN tunnel, which may do away with the need for our own VPN equipment.
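As an added example (not code from this thread, ZyXEL or Alcatel), the Python model below shows the point dslpartner and DracoFelis make: in ESP tunnel mode the inner IP header, DSCP mark included, is encrypted, so a router on the ISP's path sees only the outer header's protocol 50 and whatever DSCP the gateway chose to write there, and RFC 4301 lets the gateway either copy the inner DSCP outward or leave it at 0. The keystream cipher and truncated hash ICV are stand-ins for the real ESP algorithms, and every address, key and the RTP-like payload are constructed values.

```python
import hashlib
import struct
EF_DSCP = 46  # Expedited Forwarding, the usual DSCP mark for RTP voice

def ipv4_header(src, dst, proto, payload_len, dscp=0):
    """Build a 20-byte IPv4 header; the DSCP is the top six bits of the TOS byte."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0, 64,
                      proto, 0, addr(src), addr(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def dscp_of(packet): return packet[1] >> 2

def _keystream_xor(key, data):
    """Stand-in for the ESP cipher: SHA-256 counter keystream XOR (NOT real IPsec crypto)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def esp_tunnel_encapsulate(inner_pkt, key, gw_src, gw_dst, spi, seq, copy_dscp):
    """ESP tunnel mode (RFC 4303 layout): outer IP | SPI, seq | enc(inner, pad, pad_len, next hdr) | ICV."""
    pad_len = (-(len(inner_pkt) + 2)) % 4         # payload + padding + 2 trailer bytes, 4-byte aligned
    plaintext = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IPv4
    esp = struct.pack("!II", spi, seq) + _keystream_xor(key, plaintext)
    esp += hashlib.sha256(key + esp).digest()[:12]  # 96-bit ICV, stand-in for the real HMAC
    outer_dscp = dscp_of(inner_pkt) if copy_dscp else 0   # RFC 4301: copy inner DSCP or write 0; all the ISP sees
    return ipv4_header(gw_src, gw_dst, 50, len(esp), outer_dscp) + esp   # IP protocol 50 = ESP

def esp_tunnel_decapsulate(packet, key):
    """Far-end gateway: check the ICV, decrypt, strip the ESP trailer, return the original inner packet."""
    esp = packet[20:]
    assert hashlib.sha256(key + esp[:-12]).digest()[:12] == esp[-12:], "ICV mismatch"
    plaintext = _keystream_xor(key, esp[8:-12])
    return plaintext[:len(plaintext) - 2 - plaintext[-2]]

def isp_vs_far_pbx_view(copy_dscp):
    """Return (DSCP the ISP sees, IP protocol the ISP sees, DSCP the far PBX sees after decryption)."""
    key = b"constructed-demo-key"
    voice = b"\x80\x00" + b"\x00" * 10 + b"\xd5" * 20          # constructed stand-in for UDP/RTP audio
    inner = ipv4_header("192.168.1.10", "192.168.2.10", 17, len(voice), EF_DSCP) + voice
    tunnel = esp_tunnel_encapsulate(inner, key, "203.0.113.1", "198.51.100.1", 0x1001, 1, copy_dscp)
    recovered = esp_tunnel_decapsulate(tunnel, key)
    assert recovered == inner                                      # inner header, EF mark included, intact
    return dscp_of(tunnel), tunnel[9], dscp_of(recovered)
```

With copy_dscp set the ISP sees EF on an opaque protocol-50 flow and can prioritise the whole tunnel; without it every tunnelled packet is best-effort on the path, yet the far PBX still recovers the EF mark either way.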