IPSec VPN Architectural Considerations for VoIPYou saw in Chapter 5, "IPSec VPN Architectures," various topological options for the deployment of IPSec VPNs. The previous section defined various implications of running voice applications in IPSec. The large-scale introduction of voice applications on a network has serious ramifications for the viability of designing, building, and managing IPSec VPNs. In this section, we will explore the impact of accommodating VoIP in the various VPN architectures. Decoupled VoIP and Data ArchitecturesFirst, you should consider whether VoIP must be encrypted at all. From a routing perspective, it is much easier to treat all VoIP traffic as high priority data traffic over a single routing topology. The converged voice and data topology must simply handle the traffic classes appropriately through the queuing mechanisms discussed previously. Many organizations are evolving their VoIP communication systems to use end-to-end bearer encryption based on Secure Real Time Protocol (SRTP). In this case, encryption of VoIP traffic with IPSec is redundant. Some organizations have chosen to exclude SRTP VoIP traffic from the IPSec topology. There are two common methods for achieving this architecture.The first method uses IPSec proxy policies that exclude VoIP traffic. Recall that the IPSec tunneling methods essentially direct encrypted traffic to the peer gateway. Routing decisions in the backbone for data traffic will be based on the IPSec tunnel addresses, whereas routing decisions for VoIP traffic will be based on the bearer endpoint addresses. Essentially, there are two routing topologies and traffic matricesone for voice flows and the other for data. Figure 8-7 shows the disjointed VoIP and data topologies. Figure 8-7. Decoupled IPSec VoIP and Data Topologies[View full size image] Figure 8-8. Decoupled IPSec-protected GRE Data and GRE VoIP Topology[View full size image] VoIP over IPSec Remote AccessIn the ideal scenario, designers are able to architect the network according to a known set of design constraints. Provided the service provider or backbone operator has adequately characterized the IP network (for example, it may be Multi-Service CPN certified), designing the VoIP topology and QoS control mechanisms is relatively straightforward. Unfortunately, the same cannot be said for remote access networks in which multiple providers are involved and QoS attributes are rarely honored, much less preserved. Clearly, the network between the two IPSec endpoints (the IPSec client and the Concentrator) must be characterized as best-effort and treated as such.Nevertheless, you can mitigate certain problems by controlling the flow of traffic at the IPSec endpoints. One aspect where VoIP call characteristics can be improved is through traffic-shaping techniques. We must assume that the IP path between the two IPSec endpoints has no support for QoS. One critical piece of information is the maximum bandwidth available. For example, a remote access user may have a DSL circuit with a maximum of 640kbps downstream and 384kbps upstream. We can improve our packet loss performance by shaping our VoIP and data stream into the maximum bandwidth available such that we avoid loss. Naturally, you want the VoIP stream to have the highest chance of success. By shaping the combined stream to not exceed 640kbps downstream and 384kbps upstream and prioritizing the VoIP stream over the data stream (preferably prior to encryption), you preclude the low bandwidth remote access network link from indiscriminately discarding voice or data. Figure 8-9 demonstrates the optimal shaping, queuing, and scheduling of the VoIP and IPSec flow on a remote access link. Figure 8-9. Low-Loss Shaped Encrypted Flow on Constrained Bandwidth[View full size image] VoIP over IPSec-Protected GRE ArchitecturesSite-to-site architectures for an IPSec VPN commonly use GRE tunnels protected by IPSec. Applying QoS policies to a tunnel interface that is an abstract interface can be challenging, as it is possible that the encrypted packet flow may be switched out to a high-speed or low-speed link. Obviously, you can assign a queue structure to any of the VPN gateway's physical interfaces, allowing the queues to be defined relative to the physical bandwidth. The tunnel interface QoS structure has no adaptive knowledge of which interface is actually in use; therefore, a hierarchical queue structure is required with explicit bandwidth statements in order to use shaping or bandwidth percentage-based queue structures.Of course, the bandwidth applied to the tunnel interface may not match the physical interface that the tunnel uses to reach the peer. The principle advantage of applying QoS to the tunnel interface is that the packet order for a set of streams to the same peer is defined, scheduled, and queued prior to encryption. Reordering packets on entry into the tunnel interface forces the VoIP traffic to precede the data traffic upon leaving the VPN gateway. Once the data is encrypted, intermediate nodes between the VPN gateways may reorder packets of the tunnel when congestion occurs; therefore, anti-replay drops may still be a factor. This is a principle disadvantage of IPSec over GRE. There is a single IPSec SA defined for the aggregate set of streams in the GRE tunnel. One effective way to mitigate the anti-replay drops is to set the bandwidth of the GRE tunnel's queue structure to the slowest link between the tunnel peers. Example 8-1 shows a configuration model in which the QoS mechanism uses a parent policy to shape the traffic according to the slowest link while prioritizing the VoIP ahead of the data traffic. Example 8-1. Hierarchical Shaping of VoIP and Data Prior to EncryptionYou see that we have two service policies: vpn and gre-qos. The gre-qos service policy is applied to the tunnel interface such that any traffic entering the tunnel conforms to the average bandwidth rate of 1.46Mbps (assuming that the constrained bandwidth available to this site is consistent with a T1). With the traffic shaped to fit inside a T1, we prioritize our VPN traffic such that MultiMedia over IP (mmoip) is scheduled first and set to not exceed 30% of the shaped capacity. We have also guaranteed control traffic, or routing protocols, 5% of the bandwidth with data traffic essentially obtaining the rest. Also, note that we have selected the precedence bits (a component of the DSCP) as the matching criteria. Next, you'll see the implications of QoS when applied to the IPSec architecture. VoIP Hub-and-Spoke ArchitectureChapter 5, "IPSec VPN Architectures," the hub-and-spoke topology is one of the most widely deployed IPSec VPN architectures. In this topology, all spoke-to-spoke communication (including VoIP) transits via the hub. The introduction of a hub transit point to the VoIP bearer stream needs to be accounted for in the traffic engineering and voice delay budget. Having spoke-to-spoke VoIP traffic hair-pinning through the IPSec hub, wherein the hub has to decrypt the VoIP traffic it receives from the spoke and encrypt the traffic again to the spoke the traffic is destined to, may significantly impact the performance of the network. First, the packet size distribution will be radically altered through the IPSec VPN connections. The substantial increase in forwarding requirements for the increased percentage of small packets may consume an inordinate amount of packet processing resources on the IPSec VPN hub. Second, the underlying IP network queue schedulers must be altered to accommodate the traffic engineering of the transient IPSec-protected VoIP stream. Figure 8-10 shows the implications for these two fundamental changes in the network architecture. Figure 8-10. Transient VoIP Traffic through IPSec VPN HubsChapter 6, "Designing Fault-Tolerant IPSec VPNs," outlined the provisioning and operational costs associated with building a full-mesh IPSec VPN. The tradeoff between optimal traffic engineering and IPSec configuration complexity will likely be driven by the probability of VoIP calls being established between branch sites. The complexity of the full-mesh IPSec VPN may not be justified if the percentage of site-to-site calls is rather low. As a result, most enterprises chose to use a hub-and-spoke topology for all communications. VoIP over DMVPN ArchitectureAn alternative to the static full mesh is the DMVPN architecture. The main advantages of the DMVPN architecture are reduced configuration complexity and the ability to build temporary direct spoke-to-spoke connections on demand. The feasibility of using a temporal full mesh may be mitigated by the delay associated with the IKE and IPSec SA establishment between spokes. The transaction delay for establishing the IPSec SA is substantial. Assuming the VoIP call-control follows a different path than the bearer path, you are likely to run into a delayed talk interval following the completion of call setup, but prior to completion of the IPSec SA that carries the bearer. Figure 8-11. Post-dial Delayed Bearer with VoIP over IPSec[View full size image] VoIP Bearer Path Optimization with DMVPNThe DMVPN architecture allows spoke-to-spoke traffic to transit via the hub while waiting for the spoke-to-spoke IPSec process to complete. Doing so avoids the post-dial-delay and dead-talk interval following a call-connect by allowing the traffic to transit the hub. Once the IPSec session is established directly between the spokes, the VoIP flow will transition to direct connection following a more expeditious route. The drawback to this solution is that the jitter buffers in the VoIP endpoints are synchronized with the delay associated with traffic transiting the hub. The completion of the shorter IPSec/GRE path causes VoIP traffic to arrive early at both receivers. The VoIP jitter buffers must advance the play out, causing a glitch in the audio. Fortunately, this scenario only occurs when a VoIP call is causing the spoke-to-spoke connection establishment. If the spoke-to-spoke connection exists prior to call-connect, then the VoIP bearer will take the shortest path at the time of call-connect. VoIP Bearer Path Synchronization with DMVPNThe alternative to transitioning VoIP bearers from the non-optimal path to the optimal path is to force the VoIP to take the optimal path during the call-connection establishment. Post-dial delay may be induced by waiting for an RSVP path reservation to complete via the encrypted bearer path. The RSVP processes kick off the establishment of the IPSec SA prior to allowing the call-connect. The RSVP RESV message requires the direct spoke-to-spoke connection to be established prior to proceeding with the subsequent stages of call-connect. By the time an operator initiates a discussion, the IPSec spoke-to-spoke connection has already been established. This discussion highlights the importance of synchronizing the VoIP call-control and bearer paths with the IPSec VPN topology.NoteAt this time, the Cisco IOS Multipoint GRE interfaces do not allow per-peer QoS policies. The QoS policy associated with the mGRE interface must take into account the aggregate bandwidth required for all sites connected to the mGRE interface. VoIP Traffic Engineering SummaryYou have seen it demonstrated that designing VoIP to operate within an IPSec VPN is certainly possible by accounting for the anomalies created by the IPSec connection model. The usual VoIP bandwidth and delay attributes must be considered while also accommodating IPSec VPN topology, anti-replay windows, and IPSec overhead. |
لطفا منتظر باشید ...
