
IPsec and bandwidth sensitive applications




Hi

I'm looking for some guidance regarding the use of IPsec on applications that may
be sensitive to packet size overhead, such as that caused by adding IPsec ESP
header, trailer, authenticator, and possibly an outer IP header. Two applications
are my primary concern:

	* Wireless, where bandwidth as such is limited and adding e.g. 32 bytes
	  to each packet would be considered expensive.

	* VoIP, where size of packets is so small that even small size overhead
	  amounts cause a large bandwidth requirement increase percentage-wise.
	  Even if perhaps irrelevant for end-user systems, centrally located
	  gateways and servers handling concentrated traffic may find such
	  overhead significant.

Also, I'd be interested in seeing pointers to existing documents or discussions
regarding

	* Relationship of IPsec mechanisms to the simple RTP/RTCP encryption
	  mechanisms as defined by RFC 1889. Are those mechanisms still
	  recommended or replaced by the use of IPsec?

	* Are there any possibilities for header compression of IPsec? Such
	  as negotiating away SPI values (something similar as in the L2TP
	  header compression) and possibly sequence numbers, or perhaps even
	  IVs (as is done for RTP which apparently can do without IVs
	  as the data contents already have a random component)?

	* Suitability of particular algorithms and cryptographic modes to
	  these situations? For instance, integrity checking appears to
	  have a fairly large constant overhead (CPU+bytes) which is bad
	  for small packets. Are there better mechanisms? What about CBC
	  vs. OFB etc? Block versus stream ciphers?

	* Comparisons of security mechanisms such as IPsec, RTP-encryption,
	  SSL, application-specific, and others in these contexts?

Thanks,

Jari Arkko
Ericsson
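
Added example, not part of the original post: a small calculator for the per-packet ESP overhead the message asks about, using the standard ESP field layout (SPI, sequence number, IV, padding, pad length, next header, authenticator). The transforms, the 60-byte VoIP packet and the 1400-byte bulk packet are assumptions constructed for illustration.

```python
from dataclasses import dataclass

IPV4_HEADER = 20        # assumption: IPv4 without options
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER_FIXED = 2   # pad length (1) + next header (1)

@dataclass(frozen=True)
class Transform:
    name: str
    iv_len: int     # explicit IV carried in every packet
    block_len: int  # cipher block size (1 when no block cipher is used)
    icv_len: int    # truncated authenticator appended to the packet

# Assumed transforms, chosen for illustration only.
TDES_SHA1 = Transform("3DES-CBC + HMAC-SHA1-96", 8, 8, 12)
NULL_SHA1 = Transform("NULL + HMAC-SHA1-96", 0, 1, 12)

def esp_overhead(orig_len: int, t: Transform, tunnel: bool) -> int:
    """Bytes that ESP adds to an IPv4 packet of orig_len bytes."""
    if orig_len < IPV4_HEADER:
        raise ValueError("packet shorter than an IPv4 header")
    # Tunnel mode protects the whole packet; transport mode protects
    # only what follows the original IP header.
    protected = orig_len if tunnel else orig_len - IPV4_HEADER
    align = max(t.block_len, 4)  # the trailer must also end on a 4-byte boundary
    pad = -(protected + ESP_TRAILER_FIXED) % align
    added = ESP_HEADER + t.iv_len + pad + ESP_TRAILER_FIXED + t.icv_len
    return added + (IPV4_HEADER if tunnel else 0)  # tunnel mode adds an outer IP header

def overhead_percent(orig_len: int, t: Transform, tunnel: bool) -> float:
    """Overhead as a percentage of the unprotected packet size."""
    return round(100.0 * esp_overhead(orig_len, t, tunnel) / orig_len, 1)

# Constructed sample packets: a 20-byte voice frame + RTP (12) + UDP (8) + IPv4 (20),
# and a large bulk-data packet for comparison.
VOIP_PACKET = 20 + 12 + 8 + IPV4_HEADER  # 60 bytes
BULK_PACKET = 1400

if __name__ == "__main__":
    for size in (VOIP_PACKET, BULK_PACKET):
        for t in (TDES_SHA1, NULL_SHA1):
            for tunnel in (False, True):
                mode = "tunnel" if tunnel else "transport"
                print(f"{size:5d} B  {t.name:24s} {mode:9s} "
                      f"+{esp_overhead(size, t, tunnel):2d} B "
                      f"({overhead_percent(size, t, tunnel)}%)")
```

The padding term is why the cost is not a single constant: it depends on how the protected length falls relative to the cipher block size, so the same transform can add a different number of bytes to packets of different sizes.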