T 4.57 Interferences relating to the use of VoIP over VPNs
To make a telephone call using VoIP, both the signalling information and the actual media stream must be transmitted over a data network. There are protection mechanisms at the protocol level to secure the transport of this data, but they are not supported by all manufacturers and devices. The method used to protect the actual voice communication is generally negotiated between the devices involved; the Secure Real-time Transport Protocol (SRTP), for example, can be used for this purpose.
If not all devices support encrypted protocols and telephone calls are to be transmitted over insecure networks, Virtual Private Networks (VPNs) can provide this protection. In practice, VPNs are used to connect individual employees, or an entire network, over a public network. When a VPN is used, selected packets or all packets are encrypted by a VPN gateway and, according to a routing table, transmitted to a remote VPN gateway. That gateway decrypts the packets and forwards them to the recipient. A further consequence is that sender and receiver appear to be located in the same subnetwork even though they may be several hundred kilometres apart.
Using VPNs, both the signalisation and media streams for VoIP, as well as all other information such as e-mails, can be protected. Some hardphones support VPNs directly. If an encrypted media transport protocol, for example SRTP, is used, it is sufficient if only the signalisation stream is protected by the VPN.
The use of VPNs in connection with VoIP often leads to problems, though.
In networks that carry other traffic in addition to the VoIP data, VoIP packets are often given priority on the routers and switches. This is intended to prevent degradations in quality such as interruptions or jitter. Although the IPv4 header contains a separate field for this purpose (the Type of Service field), this field is seldom used in practice. Instead, routers prioritise the packets based on their contents. Once the contents are encrypted, however, this is no longer possible. As a result, degradations in transmission quality can occur more frequently when VoIP is transmitted over VPNs and the network load is high.
The use of hiding NAT (Network Address Translation with masquerading) can also lead to problems. In contrast to static NAT, not every internal IP address is assigned exactly one public IP address; instead, several internal addresses can share one public IP address at the same time. To achieve this, the NAT gateway has to change not only the internal IP addresses but also the port numbers in the IP packets. These changes mean that the checksum generated by the VPN gateway is no longer valid for the rewritten packet. Encrypting all IP communication can also lead to problems.
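The following added example (not part of the catalogue text) illustrates the NAT problem described above with a toy packet layout: an integrity tag computed by the VPN gateway over a packet whose header includes addresses and ports no longer verifies after a masquerading NAT rewrites the source address and port. The second half shows the approach IPsec NAT traversal takes, UDP encapsulation, where the tag covers only the inner packet so the outer header may be rewritten freely. The packet format, the HMAC key and all addresses and ports are constructed for the demonstration and are not values from the catalogue.

```python
"""Added example (not from the BSI catalogue): why a NAT gateway that rewrites
addresses and ports invalidates an integrity tag computed by a VPN gateway,
and why UDP encapsulation survives the same rewrite.

The packet layout is a toy: a 12-byte header (source IP, destination IP,
source port, destination port) followed by the payload. The HMAC tag stands
in for the integrity check value of an IPsec packet."""
import hashlib
import hmac
import ipaddress
import struct

HEADER_FMT = "!4s4sHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 12 bytes
TAG_LEN = hashlib.sha256().digest_size            # 32 bytes

# Constructed demo key shared by the two VPN gateways; not a real secret.
VPN_INTEGRITY_KEY = bytes.fromhex("00" * 31 + "01")


def build_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Toy IP/UDP-style packet: header with addresses and ports, then payload."""
    header = struct.pack(
        HEADER_FMT,
        ipaddress.ip_address(src_ip).packed,
        ipaddress.ip_address(dst_ip).packed,
        src_port,
        dst_port,
    )
    return header + payload


def sign(packet: bytes) -> bytes:
    """Integrity tag the sending VPN gateway attaches to a packet."""
    return hmac.new(VPN_INTEGRITY_KEY, packet, hashlib.sha256).digest()


def verify(packet: bytes, tag: bytes) -> bool:
    """Check performed by the receiving VPN gateway (constant-time compare)."""
    return hmac.compare_digest(sign(packet), tag)


def hiding_nat(packet: bytes, public_ip: str, new_src_port: int) -> bytes:
    """Rewrite source address and source port the way masquerading NAT does."""
    _src, dst, _sport, dport = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    new_header = struct.pack(HEADER_FMT, ipaddress.ip_address(public_ip).packed, dst, new_src_port, dport)
    return new_header + packet[HEADER_LEN:]


def demo_header_covered() -> tuple:
    """Tag computed over the whole packet: valid before NAT, invalid after."""
    pkt = build_packet("10.0.0.5", "10.0.1.7", 16384, 16384, b"constructed RTP voice frame")
    tag = sign(pkt)
    after_nat = hiding_nat(pkt, "203.0.113.10", 40001)
    return verify(pkt, tag), verify(after_nat, tag)


def encapsulate(inner: bytes, outer_src: str, outer_dst: str, outer_port: int = 4500) -> bytes:
    """UDP-encapsulation style: tag covers only the inner packet; the outer
    header carries tag + inner packet and is not protected, so NAT may change it."""
    return build_packet(outer_src, outer_dst, outer_port, outer_port, sign(inner) + inner)


def decapsulate_and_verify(outer: bytes) -> bool:
    """Strip the outer header, split off the tag, verify the inner packet only."""
    body = outer[HEADER_LEN:]
    tag, inner = body[:TAG_LEN], body[TAG_LEN:]
    return verify(inner, tag)


def demo_encapsulated() -> bool:
    """Same NAT rewrite applied to the outer header no longer breaks the check."""
    inner = build_packet("10.0.0.5", "10.0.1.7", 16384, 16384, b"constructed RTP voice frame")
    outer = encapsulate(inner, "192.168.1.1", "198.51.100.2")
    after_nat = hiding_nat(outer, "203.0.113.10", 40002)
    return decapsulate_and_verify(after_nat)


if __name__ == "__main__":
    print("tag over header, before/after NAT:", demo_header_covered())
    print("tag over inner packet only, after NAT:", demo_encapsulated())
```

When the VPN gateways sit behind a masquerading NAT, the practical check is whether both ends negotiate UDP encapsulation; if they do not, every packet crossing the NAT fails integrity verification exactly as in the first demonstration, and the call setup or media stream silently stalls.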
The packets used to transmit VoIP content are usually very small. If the system waits to transmit the packets until a certain number of bytes have been collected, then there may be a large delay in transmission. The actual useful data in the IP packets is generally between 10 and 40 bytes in size. If the IP packets are to be protected by a VPN, then a VPN header must also be taken into account. The additional VPN information represents a significant amount of overhead for small IP packets. The amount of VoIP data increases dramatically as a result of activating the VPN security mechanism. This can lead to overloading of the LAN or of the WAN.
The encryption and decryption of the information transmitted also requires resources. If the system performing the encryption or decryption is not designed to handle this task, then a delay in transmission can arise here as well. Such an increase in the response time can lead to interruptions or other problems with the quality.
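The overhead argument of the two preceding paragraphs can be made concrete. The added example below (not from the catalogue) computes the size of a VoIP packet with and without VPN encapsulation and the resulting bandwidth per call. It assumes IPsec ESP in tunnel mode with a 16-byte cipher block and IV (AES-CBC) and a 12-byte integrity check value, optionally with the extra UDP header of NAT traversal; the codec payload sizes of 10, 20 and 40 bytes and the rate of 50 packets per second are constructed inputs chosen to match the 10 to 40 byte range stated above.

```python
"""Added example (not part of the BSI catalogue text): estimate how much a VPN
inflates small VoIP packets.

Assumptions (not from the catalogue): IPsec ESP in tunnel mode with AES-128-CBC
and HMAC-SHA1-96, i.e. a 16-byte IV, 16-byte cipher block and 12-byte ICV.
All sizes are in bytes at the IP layer; Ethernet framing is left out."""

IPV4_HEADER = 20
UDP_HEADER = 8
RTP_HEADER = 12

ESP_SPI_SEQ = 8   # SPI (4) + sequence number (4), sent in the clear
ESP_TRAILER = 2   # pad length (1) + next header (1), encrypted with the payload


def plain_voip_packet(payload_len: int) -> int:
    """IP packet carrying one RTP frame: IPv4 + UDP + RTP + codec payload."""
    return IPV4_HEADER + UDP_HEADER + RTP_HEADER + payload_len


def esp_padding(inner_len: int, block_size: int = 16) -> int:
    """Padding so that (inner packet + ESP trailer) fills whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % block_size


def esp_tunnel_size(inner_len: int, *, block_size: int = 16, iv_len: int = 16,
                    icv_len: int = 12, nat_t: bool = False) -> int:
    """Size of the outer packet after ESP tunnel-mode encapsulation.

    The whole inner IP packet is encrypted; the outer IPv4 header, SPI/sequence
    number and IV are prepended, the ICV appended, and with NAT traversal an
    additional UDP header is inserted between outer IP header and ESP."""
    encrypted = inner_len + esp_padding(inner_len, block_size) + ESP_TRAILER
    total = IPV4_HEADER + ESP_SPI_SEQ + iv_len + encrypted + icv_len
    if nat_t:
        total += UDP_HEADER
    return total


def overhead_report(payload_len: int, packets_per_second: int = 50, nat_t: bool = False) -> dict:
    """Per-packet sizes and one-direction bandwidth for a given codec payload."""
    plain = plain_voip_packet(payload_len)
    tunnelled = esp_tunnel_size(plain, nat_t=nat_t)
    return {
        "payload_bytes": payload_len,
        "plain_bytes": plain,
        "vpn_bytes": tunnelled,
        "growth_factor": tunnelled / plain,
        "plain_kbit_s": plain * 8 * packets_per_second / 1000,
        "vpn_kbit_s": tunnelled * 8 * packets_per_second / 1000,
    }


if __name__ == "__main__":
    # Constructed payload sizes spanning the 10 to 40 byte range of typical codecs.
    for nat_t in (False, True):
        print(f"\nESP tunnel mode, NAT traversal={'on' if nat_t else 'off'}")
        for payload in (10, 20, 40):
            r = overhead_report(payload, nat_t=nat_t)
            print(f"payload {r['payload_bytes']:2d} B: {r['plain_bytes']:3d} -> {r['vpn_bytes']:3d} B "
                  f"(x{r['growth_factor']:.2f}), {r['plain_kbit_s']:.0f} -> {r['vpn_kbit_s']:.0f} kbit/s")
```

The block padding explains why a 10-byte and a 20-byte payload end up in the same 120-byte tunnel packet: the ciphertext grows in 16-byte steps, so the relative overhead is worst precisely for the tiny packets VoIP produces, and the per-call bandwidth roughly doubles before any link-layer framing is counted.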
Many encryption architectures for VPN use X.509 certificates or pre-shared secrets. For the certificate-based solution in particular, many manufacturers currently use proprietary methods that are incompatible with each other. If VoIP connections to external partners are to be established, you will either not be able to call these partners using these solutions or the calls will not be encrypted.