Quality of Service in IP-Based Services
6.3 OPERATING VOICE OVER IP
6.3.4 Services Using Voice over IP
This section presents a discussion on how voice over IP can help a service provider in creating new services and reducing operational costs. By offering voice and data services over a single network, service providers can reduce the costs of managing two networks. Voice over IP can also help service providers to augment their portfolio with add-on services that will provide customers with single network connectivity for both voice and data services.
Merging Voice and Data Networks
Voice over a packet network uses less transmission bandwidth than conventional voice because the digitized signal is compressed before it is transmitted. This allows more traffic to be carried on a given connection in a packet network than on a conventional voice network. Where telephony requires as many as 64,000 bits per second, packet voice often needs fewer than 10,000. For many companies, there is sufficient reserve capacity on national and international data networks to transport considerable voice traffic, making voice essentially “free.” Given a certain amount of bandwidth, more voice traffic can therefore be transported over an IP network than over a conventional voice network.
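The bandwidth comparison above is between codec output rates; the following added worked example (not from the book) shows what a call actually costs on an IP link once the IPv4, UDP and RTP headers carried by every voice packet are counted. The codec rates (G.711 at 64 kbit/s, G.729 at 8 kbit/s) and the T1 rate are standard values; ignoring link-layer framing is an assumption made here.

```python
# Added worked example (not from the book): what a packet-voice call costs on the
# wire. The chapter's 64,000 bps versus "fewer than 10,000" compares codec output
# rates; on an IP network each voice packet also carries IPv4 (20 B), UDP (8 B)
# and RTP (12 B) headers, so the real saving depends on the codec and on how many
# milliseconds of speech each packet carries. Link-layer framing is ignored
# (assumption). Codec rates: G.711 = 64 kbit/s, G.729 = 8 kbit/s.

IP_UDP_RTP_HEADER_BYTES = 20 + 8 + 12
T1_BPS = 1_544_000   # a conventional TDM T1 carries 24 voice channels of 64 kbit/s


def voice_bps(codec_bps, ptime_ms, header_bytes=IP_UDP_RTP_HEADER_BYTES):
    """Bits per second that one direction of a call consumes on the IP link."""
    payload_bytes = codec_bps * ptime_ms // 8000   # speech bits per packet, in bytes
    packets_per_second = 1000 / ptime_ms
    return int((payload_bytes + header_bytes) * 8 * packets_per_second)


def calls_per_link(link_bps, codec_bps, ptime_ms):
    """Simultaneous calls a full-duplex link of link_bps can carry each way."""
    return link_bps // voice_bps(codec_bps, ptime_ms)


def compare(link_bps=T1_BPS):
    """Calls per link for a few codec and packetization-interval choices."""
    return {
        "G.711 @ 20 ms": calls_per_link(link_bps, 64_000, 20),
        "G.729 @ 20 ms": calls_per_link(link_bps, 8_000, 20),
        "G.729 @ 40 ms": calls_per_link(link_bps, 8_000, 40),
    }


if __name__ == "__main__":
    for name, calls in compare().items():
        print(f"{name}: {calls} calls on a T1 (TDM T1: 24 channels)")
```

Uncompressed G.711 in 20 ms packets fits fewer calls on a T1 than TDM does (19 versus 24) because of header overhead; the gain the chapter describes comes from compression and from longer packetization intervals, which a QoS design must trade against added delay.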
FIGURE 6.8 [Figure: call setup and media flow across an IP network between PSTN/private voice endpoints (Setup, Connect, POTS/PSTN call setup: ringing, answer). Signaling path: Q.931-derived call setup over H.225 (TCP); capabilities exchange, open logical channel and open logical channel acknowledged over H.245 (TCP); RTP/RTCP address negotiation. Bearer/media path: RTP and RTCP streams over UDP.]

Voice over IP is an excellent solution that can help to carry both voice and data traffic using the same IP network (see Figure 6.9). An IP network connects two remote sites, Site A and Site B. Voice (telephone) and data applications are connected to the router at each site. The router is also the gateway for the voice over IP application. X1234 and X5678 are the telephone numbers of Site A and Site B, respectively. The IP network transports both voice and data packets. The same network connection between Site A and Site B is used to transport both voice and data traffic. Merging voice and data onto one network can help reduce the cost of maintaining two networks both in terms of infrastructure and the staffing required to maintain the networks. The challenge lies in ensuring that the IP network can guarantee the quality required for delivering voice traffic. (Section 6.1 provided details about how to overcome some of these challenges.)
Toll Bypass
Toll bypass will be the most common application that corporations will look toward for deploying voice over IP networks. It allows corporations to replace the tie lines that currently hook up their PBX-to-PBX networks and route voice calls across their existing data infrastructures (see Figure 6.10). Corporations will also use voice over IP to replace smaller key systems at remote offices while maintaining larger-density voice over IP equipment at the sites with larger voice needs. Another benefit of using voice over IP is that real-time fax relay can be used on an interoffice basis, an advantage since a large portion of long-distance minutes is fax traffic.
FIGURE 6.9 Merging voice and data networks using voice over IP. [Figure: Site A (telephone X1234, router R1) and Site B (telephone X5678, router R2) each connect voice and data to the site router; data packets and voice packets share the single IP network between R1 and R2.]
FIGURE 6.10 Toll bypass using voice over IP. [Figure: a PBX at each site connects to a router/gateway; the toll-bypass tie trunk between the two PBXs runs over the IP, FR or ATM WAN.]
6.4 IP SECURITY
IP security (known as IPsec) provides interoperable, high-quality, cryptographically based security for IPv4 and IPv6. The security services offered by IPsec include:
■ Access controls (connectionless integrity ensuring data is transmitted without alteration)
■ Data origin authentication (knowing received data is the same as sent data and who sent the data)
■ Protection against replays and partial sequence integrity
■ Confidentiality (encryption)
■ Limited traffic flow confidentiality
One of the most common ways of breaching the security of a network is to capture some genuine data and then play it back to gain access. Therefore, IPsec provides a means of securing against this data capture and replay. While it is good to know whether data has been tampered with, a priority for most customers is that they do not want their data read by unwanted parties. The most common way of preventing the wrong people from reading data is encryption. This not only protects data but also provides limited traffic flow confidentiality, as it can hide the identities of the sender and receiver.
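The replay protection and "partial sequence integrity" described above are realised in IPsec as a sliding window, kept per security association, over the AH/ESP sequence number. The following added example (not from the book) implements that receiver-side window in the style of RFC 2401 Appendix C; the window size of 64 and the packet trace used in the test are constructed for illustration.

```python
# Added example (not from the book): the per-security-association anti-replay
# window an IPsec receiver keeps, in the style of RFC 2401 Appendix C.

WINDOW = 64  # RFC 2401 requires support for a window of at least 32 packets


class AntiReplayWindow:
    """Highest authenticated sequence number plus a bitmap of the WINDOW
    numbers at or below it: bit i set means sequence number last - i was seen."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.mask = (1 << window) - 1
        self.last = 0       # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq):
        """Phase 1 (no state change): is seq new and inside the window?"""
        if seq == 0:
            return False                      # first valid sequence number is 1
        if seq > self.last:
            return True                       # right of the window: new
        diff = self.last - seq
        if diff >= self.window:
            return False                      # left of the window: too old
        return not (self.bitmap >> diff) & 1  # bit set => duplicate, i.e. replay

    def update(self, seq):
        """Phase 2: record seq. Call only after the AH/ESP integrity check
        passed, so a forged sequence number can never advance the window."""
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) & self.mask) if shift < self.window else 0
            self.bitmap |= 1
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

    def receive(self, seq, icv_ok=True):
        """Full receive path: reject replays, update only when authenticated."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def run_trace(seqs, window=WINDOW):
    """Accept/reject verdict for each packet of a constructed sequence-number trace."""
    win = AntiReplayWindow(window)
    return [win.receive(s) for s in seqs]
```

Reordering within the window (a packet arriving after a higher number) is tolerated, while a repeated number, or one that has fallen WINDOW or more behind the newest authenticated packet, is dropped. AH and ESP sequence numbers are 32 bits and the sender must establish a new security association before they would wrap, so wraparound is not modelled here.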
The IPsec protocol suite comprises a set of standards that are used to provide privacy and authentication services at the IP layer. The current IPsec standards include three algorithm-independent base specifications that are currently standards-track RFCs. These three RFCs, listed next, are in the process of being revised, and the revisions will account for numerous security issues with current specifications.
RFC 2401, the IP security architecture: Defines the overall architecture and specifies elements common to both the IP authentication header and the IP encapsulating security payload.

RFC 2402, the IP authentication header (AH): Defines an algorithm-independent mechanism for providing exportable cryptographic authentication without encryption to IPv4 and IPv6 packets.

RFC 2406, the IP encapsulating security payload (ESP): Defines an algorithm-independent mechanism for providing encryption to IPv4 and IPv6 packets.

RFC 2408, the Internet security association and key management protocol (ISAKMP): Defines the procedures for authenticating a communicating peer, creation and management of security associations, key-generation techniques, and threat mitigation (e.g., denial of service and replay attacks). All of these are necessary to establish and maintain secure communications (via IP Security Service or any other security protocol) in an Internet environment.

RFC 2409, the Internet key exchange (IKE): Describes a protocol using part of the Oakley key-determination protocol and part of the secure key-exchange mechanism (SKEME) in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP and for other security associations, such as AH and ESP.