{"id":883,"date":"2010-04-27T16:59:30","date_gmt":"2010-04-27T15:59:30","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=883"},"modified":"2015-02-21T09:20:20","modified_gmt":"2015-02-21T09:20:20","slug":"voice-packet-overhead","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=883","title":{"rendered":"Voice &#8211; Packet Overhead"},"content":{"rendered":"<p>Planning for Voice over IP requires an understanding of the various headers added when transporting packetised voice, especially over an IPSec VPN:<!--more--><\/p>\n<div id=\"attachment_887\" style=\"width: 568px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/voice-packet-overhead-encapsulation.jpg\"><img aria-describedby=\"caption-attachment-887\" loading=\"lazy\" class=\"size-full wp-image-887\" title=\"voice-packet-overhead-encapsulation\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/voice-packet-overhead-encapsulation.jpg\" alt=\"Voice overhead as a result of encapsulation\" width=\"558\" height=\"245\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/voice-packet-overhead-encapsulation.jpg 558w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/voice-packet-overhead-encapsulation-300x131.jpg 300w\" sizes=\"(max-width: 558px) 100vw, 558px\" \/><\/a><p id=\"caption-attachment-887\" class=\"wp-caption-text\">Voice overhead as a result of encapsulation<\/p><\/div>\n<p><strong>Packet Size\u2014IPSec Encrypted G.729<\/strong><\/p>\n<p>The Layer 3 data rate for a G.729 call (50 pps) is 24 Kbps. Encrypting that packet using IPSec Tunnel mode for IP GRE increases that rate to approximately 56 Kbps (in each direction). 
The calculation is as follows:<\/p>\n<ul>\n<li>136 bytes per packet at 50 packets per second = 6,800 bytes or 54,400 bits per second<\/li>\n<\/ul>\n<div id=\"attachment_886\" style=\"width: 512px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/Packet-Size\u2014IPSec-Encrypted-G729.jpg\"><img aria-describedby=\"caption-attachment-886\" loading=\"lazy\" class=\"size-full wp-image-886   \" title=\"Packet Size\u2014IPSec Encrypted G729\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/Packet-Size\u2014IPSec-Encrypted-G729.jpg\" alt=\"Packet Size\u2014IPSec Encrypted G729\" width=\"502\" height=\"221\" \/><\/a><p id=\"caption-attachment-886\" class=\"wp-caption-text\">Packet Size\u2014IPSec Encrypted G729<\/p><\/div>\n<p><strong>Packet Size\u2014IPSec Encrypted G.711<\/strong><\/p>\n<p>The Layer 3 data rate for a G.711 call (50 pps) is 80 Kbps. Encrypting that packet using IPSec Tunnel mode for IP GRE increases that rate to approximately 112 Kbps (in each direction). 
The calculation is as follows:<\/p>\n<ul>\n<li>280 bytes per packet at 50 packets per second = 14,000 bytes or 112,000 bits per second<\/li>\n<\/ul>\n<div id=\"attachment_885\" style=\"width: 491px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/Packet-Size\u2014IPSec-Encrypted-G7111.jpg\"><img aria-describedby=\"caption-attachment-885\" loading=\"lazy\" class=\"size-full wp-image-885  \" title=\"Packet Size\u2014IPSec Encrypted G711\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/Packet-Size\u2014IPSec-Encrypted-G7111.jpg\" alt=\"Packet Size\u2014IPSec Encrypted G711\" width=\"481\" height=\"203\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/Packet-Size\u2014IPSec-Encrypted-G7111.jpg 668w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/Packet-Size\u2014IPSec-Encrypted-G7111-300x126.jpg 300w\" sizes=\"(max-width: 481px) 100vw, 481px\" \/><\/a><p id=\"caption-attachment-885\" class=\"wp-caption-text\">Packet Size\u2014IPSec Encrypted G711<\/p><\/div>\n<p><strong>IPSec and GRE Tunnel Design Considerations<\/strong><\/p>\n<p>There are currently three recommended design options for a site-to-site IPSec VPN:<\/p>\n<ol>\n<li>IPSec Tunnel mode\u2014no IP GRE tunnel<\/li>\n<li>IPSec Transport mode encrypting an IP GRE tunnel<\/li>\n<li>IPSec Tunnel mode encrypting an IP GRE tunnel (primary recommendation)<\/li>\n<\/ol>\n<p>IPSec Tunnel mode is the default configuration option. To configure Transport mode, it must be specified under the transform set:<\/p>\n<blockquote><p>!<\/p>\n<p>crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac<\/p>\n<p>mode transport<\/p>\n<p>!<\/p><\/blockquote>\n<p>The advantages, disadvantages, features and limitations of these options are as follows:<\/p>\n<p><strong>IPSec Tunnel mode\u2014no IP GRE tunnel. <\/strong><br \/>\nThis does not utilise a GRE tunnel. 
IPSec encrypts IP unicast traffic only; IP Multicast traffic cannot be transported between the IPSec peers without configuring an IP GRE tunnel. This configuration might be sufficient to support the application requirements, and its advantage is lower CPU overhead (primarily at the head-end router), since there is no IP GRE tunnel to each remote location, and no routing protocol&#8217;s hello and update packets, to maintain. IPSec security associations are created for each access list line matched. An access list must be specified in the crypto map to designate packets that are to be encrypted. The access list (when encrypting an IP GRE tunnel) is only one line, a match on protocol 47 (GRE) and the source and destination IP address of the GRE endpoints.<br \/>\n<strong><br \/>\nIPSec Transport mode encrypting an IP GRE tunnel. <\/strong><\/p>\n<p>This option is commonly implemented; for a G.729 packet it saves 16 bytes per packet over IP GRE tunnels with IPSec Tunnel mode, as an additional IPSec IP header is not required. IPSec Transport mode saves link bandwidth, but it does not provide any reduction in packets per second switched by the router. In most instances, packets per second, not packet size, is the limiting factor of a router&#8217;s main CPU performance.<\/p>\n<p><em>Configuring IPSec Transport mode to encrypt an IP GRE tunnel provides all the advantages of using IP GRE\u2014it supports IP Multicast, routing protocols and multi-protocol traffic.<\/em><\/p>\n<p><strong>IPSec Tunnel mode encrypting an IP GRE tunnel. <\/strong><\/p>\n<p>This option is implemented in this design guide and in the associated lab testing. It incurs the greatest header overhead of the three options, but it supports IP Multicast and can run a dynamic routing protocol within the IP GRE tunnel for failover to an alternative path. It supports Pre-fragmentation for IPSec VPNs. 
This option was selected for lab testing as it provides the most features and flexibility, as well as the worst-case scenario in our performance testing with regard to bandwidth consumption.<\/p>\n<div id=\"attachment_888\" style=\"width: 551px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/IPSec-Transport-versus-Tunnel-Mode-for-G729-Packets.jpg\"><img aria-describedby=\"caption-attachment-888\" loading=\"lazy\" class=\"size-full wp-image-888 \" title=\"IPSec Transport versus Tunnel Mode for G729 Packets\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/IPSec-Transport-versus-Tunnel-Mode-for-G729-Packets.jpg\" alt=\" IPSec Transport vs. Tunnel Mode for G.729 Packets \" width=\"541\" height=\"124\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/IPSec-Transport-versus-Tunnel-Mode-for-G729-Packets.jpg 676w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2010\/04\/IPSec-Transport-versus-Tunnel-Mode-for-G729-Packets-300x68.jpg 300w\" sizes=\"(max-width: 541px) 100vw, 541px\" \/><\/a><p id=\"caption-attachment-888\" class=\"wp-caption-text\"> IPSec Transport vs. Tunnel Mode for G.729 Packets <\/p><\/div>\n<p>When configured with a routing protocol running within an IP GRE tunnel, the routing protocol&#8217;s hello packets maintain the security associations with both head-end routers (assuming a redundant configuration). 
There is no need to create a security association to a back-up head-end peer upon failure of the primary peer.<\/p>\n<p>Also, routing protocol hello timers (5 seconds by default for EIGRP) can be tuned lower than the hello interval of Internet Security Association and Key Management Protocol (ISAKMP) keepalives\u2014the minimum value is 10 seconds.<\/p>\n<p>Detection of a failed head-end peer is quicker when using a routing protocol versus crypto isakmp keepalive 10\u2014the dead interval for ISAKMP keepalive is 3 times the keepalive value, or 30 seconds. EIGRP has a default dead interval of three times the hello value of 5 seconds, or 15 seconds.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Planning for Voice over IP requires an understanding of the various headers added when transporting packetised voice, especially over an IPSec VPN:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[27,76,41],"tags":[36,21,38],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/883"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=883"}],"version-history":[{"count":6,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/883\/revisions"}],"predecessor-version":[{"id":903,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/883\/revisions\/903"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=883"}],"wp:term":[{"taxono
my":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=883"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}