Scaling and securing VoIP

VoIP vendors say they deliver scalability and security. And InteropLabs (iLabs) testing mostly proved them right in multivendor settings. But testing also revealed some implementation gotchas in both of those areas, and pinpointed a few missing pieces when it comes to key exchange for securing VoIP traffic.

This year’s iLabs VoIP team focused on three areas:

• Scaling and prioritizing VoIP traffic over Wi-Fi links;

• Thwarting attacks against session initiation protocol (SIP) and real-time protocol (RTP) traffic using intrusion-detection and -prevention systems (IDS/IPSs); and,

• Protecting VoIP media traffic using secure RTP (SRTP).

Setting up the VoIP-over-Wi-Fi demonstrations at the hotstage event last month generated the biggest “gee-whiz” reactions among the engineers present because of its sheer size. Test instrument maker VeriWave supplied a massive amount of equipment to stage the scalability demo. In addition to its WaveTest traffic generator/analyzers, VeriWave also contributed 16 radio frequency (RF) chambers, each about 1 cubic foot, to house access points from seven vendors.

VeriWave also custom-developed software that displays two analog speedometer dials showing concurrent call count and R-value, a measure of voice quality. The display also uses a slider that will allow show attendees who visit the iLabs booth on the Interop show floor this week in Las Vega (No. 122) to trade off call volume and call quantity in real time.

The vendors contributing wireless gear were Aruba Networks, D-Link, Extreme Networks, HP, Juniper, Motorola and Trapeze Networks. During the hotstage, VeriWave engineers set up 500 calls through these vendors’ access points and planned to do more at the show.

This testing showed that 802.11a networks deliver higher call quality than 802.11b or 802.11g networks. While 802.11a is far less subject to interference than the 802.11b/g/n frequencies, the biggest difference in call quality turned out to be rate synchronization.

When 802.11a or 802.11g radios tried to communicate at different rates, R-values fell by around 10 points, enough to make a difference between excellent and barely acceptable sound quality. With the VeriWave and access point radios locked in at the same rate, 802.11a still scored higher than 802.11g, but only by a couple of R-value points.

The lessons for network managers are to seek out handsets that support 802.11a where possible, and regardless of radio type, choose equipment and network designs that keep rate adaptation to a minimum (see graphic below).

VoIP Do's and Don’ts Tips from iLabs VoIP security and wireless testing Use 802.11a where possible when building wireless networks. Although handset support is limited, our demo suggested 802.11a networks consistently deliver higher call quality than 802.11b or 802.11g. The 802.11a spectrum also is free from interference from microwave ovens, Bluetooth devices, cordless phones, and other noise sources that clutter up the band used by 802.11b, 802.11g, and forthcoming 802.11n devices. Define a security policy that balances availability with protection. Some intrusion-detection and -prevention systems may go into "fail closed" mode when under attack, which might pose problems when high availability is a requirement. Develop a key exchange plan for securing VoIP traffic. It’s possible today to encrypt both signaling and media traffic, but doing so requires an understanding of public-key infrastructure (PKI) concepts. Further, VoIP security standardization is at an early stage.

Click to see: VoIP Do's and Don'ts