Security In Carrier VoIP Applications
BY DEBASHISH "RON" NAG & SOPHIA SCOGGINS,
The advancements in VoIP technology, such as performance, cost
reduction, and feature support, make VoIP a compelling proposition for
service providers who are trying to create new revenue streams based on data
while still offering traditional phone services. In light of such interest,
security is a critical feature for service providers to provide a carrier
The importance of stringent security is one that cannot be overlooked
because it is easier to probe into voice information on a packet network
than to physically tap into the circuit switched network. Inherent security
issues with packet-based communications are: voice "tapping" by sniffing
packets, unpaid service usage by falsification of network ID, and service
disruption by packet manipulation. Subscriber account and equipment fraud
can be committed by accessing network databases and IP addresses. Hackers
can breach the integrity of a network, modify the databases, or replicate
the equipment, resulting in a shutdown, "jam" or takeover of the voice
Other security threats pose privacy threats to the end user. New security
challenges include intercepting and modifying the call control (such as SIP)
packets, and subsequently altering the packet destination or the call
connection. Additionally, packet network performance may not be up to par
with the circuit switched network.
As carriers are beginning to announce VoIP services, service providers
can protect their services and associated revenues by implementing security
and safeguards to prevent various threats.
Internet Security For Telephony
The existence of these security threats does not mean that the
deployment of VoIP networks and services by carriers will be hindered in any
way. A variety of security features can be implemented to address these
challenges. The security functions for VoIP applications are taken from the
IP network and there are various levels of security features that are
required by the carrier, such as authentication, encryption, and firewall.
The IETF RFC 2401 Internet Security (IPSec) is a popular security protocol
and provides authentication and encryption functions. In order to encrypt
and decrypt, end points must establish a security association (SA) and
The Network Architecture For VoIP Security
In a VoIP network, there are three types of packets to be considered:
voice, signals, and data. In some situations, video packets are also
transported over the internet. The signaling packets are used to set up a
virtual connection between two end points, e.g., two IP phones, over a
connectionless IP network. The signaling packets are transmitted between an
IP phone and a call server or proxy server.
Once the virtual connection is set up, the voice packets can be
transmitted over different paths between two IP phones. Data packets may
come from the same device as the voice packets or from another device
connected to it (such as a PC connected to an IP phone), and can travel
along the same or different paths.
Delay Due To Security Association (SA)/Key Exchange
Signaling packets, voice packets, and data packets take different paths,
so there will be a different security association (SA) for each type
of packet. Each time an SA is established, the security key information must
be exchanged, which can add significant delay, often several seconds. In a
store and forward data network, delay is not a problem.
Delay is a threat to call setup and voice quality for real-time voice
processing. If the setup delay for the signaling packets is greater than 300
ms in a PSTN, the call will be abandoned. In the VoIP network, the setup
delay is often greater than 300 ms. If the delay for voice packets is
greater than 300 ms, there will be a long silence to the user. During the
call, voice will chirp or be difficult to comprehend. Therefore, the delay in
establishing an SA for signals and voice should be minimized.
Each IP phone has only one primary call server. It is optimal to
establish the SA with the primary call server one time for all calls
originating from a given IP phone. However, the SA has a short lifetime.
Therefore, it is necessary to set up the SA on a per call basis. The short
lifetime of the SA poses another issue for voice quality. If the SA
expires during a call, then the call must be torn down and
re-established. During these processes, there will be visible silence to the
The solution is to expand the lifetime of the SA for the voice
applications. For a long call, if the SA has expired, there are two options.
A valid, but less than ideal option, is to take down the call and
re-establish the SA. In this scenario, the users will have to be alerted so
that they don't assume the call disconnected. A more transparent option is
to leave the call in place and re-establish the SA. Though the latter
suggestion does not follow call processing procedure, it is less disruptive
and for some, a preferred solution.
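The options above for an SA that expires during a call (tear down and
re-establish, re-establish in place, or a longer lifetime) can be compared on
a timeline. This is an added example, not code from the article or its
authors; the function name and the durations are assumptions, and the
in-place option is modelled as starting the key exchange before the old SA
expires so that voice keeps flowing.

```python
# Added illustration: timeline of one call carried over a short-lived SA.
# All durations are constructed sample values in seconds, not measurements.

def sa_timeline(call_s, sa_lifetime_s, key_exchange_s, rekey_in_place):
    """Return (events, silence_s) for a call lasting call_s seconds.

    rekey_in_place=False: when the SA expires the call is torn down and
    voice stops until a new SA has been negotiated.
    rekey_in_place=True: negotiation of the replacement SA starts
    key_exchange_s before expiry while the old SA keeps carrying voice.
    """
    if rekey_in_place and key_exchange_s >= sa_lifetime_s:
        raise ValueError("SA lifetime must exceed the key-exchange time")
    events, silence = [], 0.0
    sa_expiry = sa_lifetime_s          # SA is set up before the call (t = 0)
    while sa_expiry < call_s:
        if rekey_in_place:
            events.append((sa_expiry - key_exchange_s, "start rekey"))
            events.append((sa_expiry, "switch to new SA"))
            sa_expiry += sa_lifetime_s
        else:
            # Voice is silent for the whole key exchange (or until hang-up).
            gap = min(key_exchange_s, call_s - sa_expiry)
            events.append((sa_expiry, "SA expired, call torn down"))
            events.append((sa_expiry + gap, "SA re-established"))
            silence += gap
            sa_expiry += gap + sa_lifetime_s
    return events, silence


if __name__ == "__main__":
    # 10-minute call, 4-minute SA lifetime, 3-second key exchange.
    for in_place in (False, True):
        events, silence = sa_timeline(600, 240, 3, in_place)
        print("in place" if in_place else "teardown", events, silence)
    # Lifetime longer than the call: the SA never expires mid-call.
    print("long lifetime", sa_timeline(600, 3600, 3, False))
```

With the teardown option every expiry costs one full key exchange of silence,
far above the 300 ms figure given earlier; the other two options keep the
silence at zero.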
The delay of establishing the SA has less impact on data packets, as they
are stored and forwarded. The data applications shall be able to establish an
SA with another end point, independent of the signaling and voice
applications in most cases. In some cases, data packets can only be sent
between two end points after the virtual connection is established.
Delay Due To Encryption
The encryption protocol Advanced Encryption Standard (AES) requires
about the same amount of time as voice packetization. That means the total
delay will be double. In the case of Data Encryption Standard (DES), the
delay is even greater. Triple Data Encryption Standard (3DES), which has
about three times more delay than DES, is considered
unacceptable for voice encryption. Many voice applications choose to use
Secure Real-time Transport Protocol (SRTP), which uses AES, instead of
IPSec. One reason is for performance and another is for end-to-end security.
VPN And Encryption
A Virtual Private Network (VPN) is a virtual connection between an end
point and its VPN server. Carriers can offer IP telephony service as part of
a VPN service offering. In this offering IPSec is a popular security
protocol for VPNs where several different models can be applied.
Multiple-VPN Pipe Model
In this model, there is one VPN for each type of packet. For signaling
packets and data packets, IPSec with encryption will be used. For voice
packets, either SRTP or IPSec encryption is used, but not both. This reduces
encryption delay but requires multiple VPNs and, therefore, multiple IP
addresses. In addition, there will be more synchronization effort among
different VPNs for a call.
VPN Model With Encryption
In this case, there is only one VPN with encryption for all packets. The
VPN terminates the IPSec, and there is no security after the VPN server in a
corporate or ISP network. Because of this, SRTP is often used for voice
encryption to provide end-to-end security. This means the voice will be
encrypted and decrypted by both IPSec and SRTP. Although this can produce
some delays, the network connection between the phone and VPN can be done
once at setup, thus mitigating the extent of the delays. The advantage of
this model is to minimize the number of IP addresses and call processing
synchronization efforts. Therefore, this method is recommended.
VPN Model Without Encryption
In this case, there is one VPN without encryption for all packets.
Encryption can be done outside the VPN pipe. In this model, the signaling
packets and data packets can use IPSec encryption, while the voice packets
can use SRTP encryption before entering the VPN pipe. Since the VPN is not
encrypted, it is less secure.
Network Address Translation And Call Controls
The Network Address Translation (NAT) protocol effectively uses a public IP
address and maps it to many private LAN addresses. For an outgoing call, the
VoIP application has to register its RTP port, UDP/TCP port, and IP address
with the NAT unit. For an incoming packet with unknown originating or
destination IP address, the packets will be blocked by the NAT unit.
Therefore, the NAT unit serves as a firewall. This creates a problem for
incoming calls. One solution is to register the IP address, UDP/TCP port,
and RTP port of a device with a Universal Plug and Play (UPnP) unit. The NAT
unit then checks with the UPnP unit for any incoming and outgoing packets.
The UDP/TCP port must always be open, so that the VoIP application can accept an
incoming call. The RTP port will only be created when there is a call setup.
All VoIP applications, including security, must also register with the NAT
unit, so that they won't be blocked.
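The filtering described above can be modelled as a table of registered
ports: the signaling port stays registered, the RTP port exists only for the
duration of a call, and traffic to an unregistered port or from an unknown
originator is dropped. This is an added example, not code from the article;
the class, the addresses, and the port numbers are constructed, and removing
the RTP entry when the call ends is an assumption.

```python
# Added illustration of the NAT behaviour described above. Addresses use
# documentation/private ranges and the ports are constructed sample values.

class NatUnit:
    def __init__(self):
        # (proto, public_port) -> (private_ip, private_port, allowed_src)
        self.bindings = {}

    def register(self, proto, public_port, private_ip, private_port, allowed_src):
        self.bindings[(proto, public_port)] = (private_ip, private_port, allowed_src)

    def release(self, proto, public_port):
        self.bindings.pop((proto, public_port), None)

    def inbound(self, proto, src_ip, dst_port):
        """Return the private (ip, port) to forward to, or None if blocked."""
        entry = self.bindings.get((proto, dst_port))
        if entry is None:
            return None                      # unknown destination
        private_ip, private_port, allowed_src = entry
        if src_ip != allowed_src:
            return None                      # unknown originator
        return private_ip, private_port


def demo():
    call_server, peer, stranger = "198.51.100.10", "203.0.113.7", "203.0.113.99"
    phone = "192.168.1.20"
    nat, seen = NatUnit(), []
    # Signaling port: registered once and left open so calls can arrive.
    nat.register("udp", 5060, phone, 5060, call_server)
    seen.append(nat.inbound("udp", call_server, 5060))   # incoming call setup
    seen.append(nat.inbound("udp", peer, 16384))         # RTP before call setup
    # RTP port: created only at call setup, for the negotiated peer.
    nat.register("udp", 16384, phone, 16384, peer)
    seen.append(nat.inbound("udp", peer, 16384))         # voice from the peer
    seen.append(nat.inbound("udp", stranger, 16384))     # voice from elsewhere
    nat.release("udp", 16384)                            # call ended (assumption)
    seen.append(nat.inbound("udp", peer, 16384))         # late RTP after hang-up
    return seen


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The permanently registered signaling port is the part of this table that is
reachable at all times, so it is the entry to restrict and monitor most
closely.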
Carriers can offer VoIP services based on the many security protocols
developed for data services. Furthermore, carriers can offer VoIP services
bundled with VPN services. However, there are challenges for VoIP to meet a
carrier's expectations, such as delay due to key exchange and
encryption/decryption and the lifetime of the SA. Ultimately, the security
mechanism for VoIP needs improvement in order to meet the real-time VoIP
requirements. As new implementations for security emerge, carriers will be
able to offer voice service alternatives to PSTN with the reliability and
quality that is expected.
Debasish "Ron" Nag is a Product Manager in the Voice over Packet
business unit at Texas Instruments. Sophia Scoggins, Ph.D., is a Systems
Engineering Manager in the Voice over Packet business unit at Texas
Instruments. Texas Instruments is a world leader in digital signal
processing and analog technologies, the semiconductor engines of the
To The April 2004 Table Of Contents ]