nanog mailing list archives
Re: VoIP over IPsec
From: "Stephen Sprunk" <stephen () sprunk org>
Date: Mon, 17 Feb 2003 12:22:15 -0600
Thus spake "Charlie Clemmer" <cclemmer () nexgennetworks com>
Stephen, I know this is outside of Charles' original inquiry, but I'm not familiar with this "qos pre-classify" feature. Since we would be
encrypting
voice traffic ... at what point would you classify it? If I classify it before it goes into the tunnel and gets encrypted, would that classification last once it's encrypted? If we try to classify after it's been encrypted, how can we tell it's voice traffic? It seems to me that jitter from both the actual encryption process as well as that associated with basic serialization would be the potential death of VoIP in this scenario, but I'm not sure mechanisms available to help resolve that risk.
In the default IOS code path, encryption happens before QOS (and after GRE). Modern IOS versions copy the DSCP when encapsulating/ encrypting packets, so DSCP-based QOS will still work, but IP- and port-based QOS will not. More importantly, encryption is slow; even hardware encryption is significantly slower than the rest of the forwarding process. It's also FIFO by default, meaning that large data packets can get stuck ahead of your VoIP packets, causing jitter. 'qos pre-classify' adds a second QOS stage before encryption, which allows you to classify packets in their unencrypted state and, more importantly, adds PQ capability to the encryption stage. For more information: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos _c/fqcprt1/qcfvpn.htm S Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
Current thread:
- VoIP over IPsec Charles Youse (Feb 16)
- Re: VoIP over IPsec Petri Helenius (Feb 16)
- Re: VoIP over IPsec Jared Mauch (Feb 17)
- Re: VoIP over IPsec Stephen Sprunk (Feb 16)
- Re: VoIP over IPsec Steven M. Bellovin (Feb 17)
- Re: VoIP over IPsec Charlie Clemmer (Feb 17)
- Re: VoIP over IPsec Stephen Sprunk (Feb 17)
- Re: VoIP over IPsec Steve Feldman (Feb 17)
- Re: VoIP over IPsec Iljitsch van Beijnum (Feb 17)
- Re: VoIP over IPsec Petri Helenius (Feb 17)
- Re: VoIP over IPsec Iljitsch van Beijnum (Feb 18)
- RE: VoIP over IPsec David Luyer (Feb 18)
- RE: VoIP over IPsec Vadim Antonov (Feb 18)
- Re: VoIP over IPsec Stephen Sprunk (Feb 18)
- Re: VoIP over IPsec Iljitsch van Beijnum (Feb 18)
- Re: VoIP over IPsec Vadim Antonov (Feb 18)
- Re: VoIP over IPsec Iljitsch van Beijnum (Feb 17)
- Re: VoIP over IPsec Petri Helenius (Feb 16)
- Re: VoIP over IPsec Kurt Erik Lindqvist (Feb 18)