Patton electronic SmartNode 4110 Series User's Manual

SmartWare Software Configuration Guide 
32 • VPN configuration
In addition to the monitors, there are also show commands that display current information about IKE and IPSEC.
show ike policy <policy-name>
Displays the configuration options of a specific policy and indicates whether the policy is valid. A policy might be invalid if one or more configuration options are missing.
show ike status
Displays information about the state of current IKE main and quick modes.
show ipsec security-associations
Displays information about currently established IPSEC security associations including SPIs, peer IP 
addresses and security association lifetime.
Encrypted Voice - Performance considerations
Firmware versions that support IKE allow encrypting and decrypting locally generated voice data streams (RTP). However, because enabling support for RTP encryption has a performance impact on the system even if RTP packets are not encrypted, this feature must be enabled manually on a per-interface basis.
Performance considerations
Because encryption/decryption of RTP streams causes a very high workload on the system's CPU, this feature cannot be used on all systems without limitation. However, several newer systems contain dedicated cryptographic accelerator hardware, which performs these computationally intensive tasks for the main CPU. On such systems RTP encryption has almost no impact on the overall system performance. You can use the command ‘show crypto offload’ to see whether your system contains the cryptographic accelerator or not.
Systems without the cryptographic accelerator hardware will display the following line:
Crypto offload capabilities: None
Systems containing the cryptographic accelerator hardware will display the following line:
Crypto offload capabilities: DES, 3DES, AES, MD5, SHA1
On systems that do not contain the cryptographic accelerator hardware, concurrent routing of data traffic and RTP streams through an IPSEC connection can cause excessive jitter of the RTP packets. Therefore, concurrent routing of data and RTP streams through IPSEC tunnels should be avoided on systems without the cryptographic accelerator hardware. Note that the CPU usage percentage does not give an indication of the introduced jitter, because the jitter stems from short CPU usage peaks, which are filtered out by the time averaging of the CPU workload calculation algorithm.
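The point about averaged CPU load hiding jitter, as an added example that is not part of the original manual: a constructed single-CPU queue model in Python that compares RTP-only traffic with RTP plus periodic data bursts. All timings (packet interval, per-packet cost, burst size) are assumptions rather than SmartNode measurements, and jitter is computed with the RFC 3550 interarrival estimator.

```python
# Constructed model; every number is an illustrative assumption, not a SmartNode measurement.
RTP_INTERVAL_MS = 20    # one RTP packet every 20 ms
RTP_COST_MS = 2         # CPU time to encrypt and send one RTP packet in software
BURST_PERIOD_MS = 1000  # a burst of IPSEC data traffic arrives once per second
BURST_COST_MS = 60      # CPU time one burst needs

def simulate(duration_ms=10_000, data_bursts=True):
    """Single CPU, FIFO. Returns (avg_cpu_percent, peak_rtp_delay_ms, peak_jitter_ms)."""
    # Each job is (arrival_ms, is_rtp, cpu_cost_ms); a burst sorts before RTP on a tie.
    jobs = [(t, True, RTP_COST_MS) for t in range(0, duration_ms, RTP_INTERVAL_MS)]
    if data_bursts:
        jobs += [(t, False, BURST_COST_MS)
                 for t in range(BURST_PERIOD_MS // 2, duration_ms, BURST_PERIOD_MS)]
    jobs.sort()

    cpu_free_at = busy_ms = 0
    peak_delay = 0
    jitter = peak_jitter = 0.0
    prev_transit = None
    for arrival, is_rtp, cost in jobs:
        start = max(arrival, cpu_free_at)   # wait while the CPU is busy
        cpu_free_at = start + cost
        busy_ms += cost
        if not is_rtp:
            continue
        transit = cpu_free_at - arrival     # queueing delay plus processing time
        peak_delay = max(peak_delay, transit)
        if prev_transit is not None:
            # RFC 3550 interarrival jitter estimator: J += (|D| - J) / 16
            jitter += (abs(transit - prev_transit) - jitter) / 16
            peak_jitter = max(peak_jitter, jitter)
        prev_transit = transit
    # Load averaged over the whole run, which smooths out the 60 ms peaks.
    return 100 * busy_ms / duration_ms, peak_delay, peak_jitter

if __name__ == "__main__":
    for bursts in (False, True):
        load, delay, jit = simulate(data_bursts=bursts)
        print(f"data bursts={bursts}: avg CPU {load:.0f}%, "
              f"peak RTP delay {delay} ms, peak jitter {jit:.2f} ms")
```

With these assumed numbers the averaged load rises only from 10% to 16%, while the peak RTP delay goes from 2 ms to 62 ms.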
Enabling RTP encryption support
The following command can be used to enable/disable RTP encryption support for an IP interface. If this is enabled, RTP streams can be selected for encryption like any other data traffic using the ACL. Note that RTP encryption must be enabled on every interface that will be used to send or receive encrypted RTP streams.