SmartWare Software Configuration Guide

32 • VPN configuration


In addition to the monitors, there are also show commands that display the current state of IKE and IPSEC.

show ike policy <policy-name>

Displays the configuration options of a specific policy, together with an indication of whether the policy is valid. A policy may be invalid if one or more configuration options are missing.

show ike status

Displays the state of the current IKE main mode and quick mode exchanges.

show ipsec security-associations

Displays the currently established IPSEC security associations, including their SPIs, peer IP addresses and security association lifetimes.

Encrypted Voice - Performance considerations

Firmware versions that support IKE can encrypt and decrypt locally generated voice data streams (RTP). However, because enabling support for RTP encryption has a performance impact on the system even when no RTP packets are actually encrypted, this feature must be enabled manually on a per-interface basis.

Performance considerations

Because encryption and decryption of RTP streams place a very high workload on the system's CPU, this feature cannot be used without limitation on all systems. However, several newer systems contain dedicated cryptographic accelerator hardware, which takes these computationally intensive tasks away from the main CPU. On such systems RTP encryption has almost no impact on overall system performance. Use the command 'show crypto offload' to see whether your system contains the cryptographic accelerator.

Systems without the cryptographic accelerator hardware display the following line:

Crypto offload capabilities: None

Systems containing the cryptographic accelerator hardware display the following line:

Crypto offload capabilities: DES, 3DES, AES, MD5, SHA1

On systems that do not contain the cryptographic accelerator hardware, routing data traffic and RTP streams concurrently through an IPSEC connection can cause excessive jitter of the RTP packets. Concurrent routing of data and RTP streams through IPSEC tunnels should therefore be avoided on systems without the cryptographic accelerator hardware. Note that the CPU usage percentage gives no indication of the jitter introduced, because the jitter stems from short CPU usage peaks, which are filtered out by the time averaging of the CPU workload calculation algorithm.
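The following is an added illustration, not SmartWare code, of the two points above: it parses the 'Crypto offload capabilities' line that 'show crypto offload' prints, and it simulates a single encryption CPU to show why the time-averaged CPU load says nothing about RTP jitter. The traffic patterns, the per-packet CPU costs and the rule that a transform counts as offloaded only when both its cipher and hash appear in the capability list are constructed assumptions for the example; the jitter figure is the RFC 3550 interarrival jitter estimator.

```python
"""Added illustration (not SmartWare code): parse the `show crypto offload`
line and simulate why the time-averaged CPU load hides the RTP jitter that
software IPsec encryption causes when bulk data shares the tunnel.
All per-packet CPU costs and traffic patterns below are constructed assumptions."""
import re
from dataclasses import dataclass

# Constructed sample outputs, copied from the two lines the manual documents.
SAMPLE_NO_ACCEL = "Crypto offload capabilities: None"
SAMPLE_ACCEL = "Crypto offload capabilities: DES, 3DES, AES, MD5, SHA1"
_CAPS_RE = re.compile(r"Crypto offload capabilities:\s*(.+)")


def offload_capabilities(show_output):
    """Return the set of accelerated algorithms; empty if the line says None."""
    m = _CAPS_RE.search(show_output)
    if not m:
        raise ValueError("no 'Crypto offload capabilities' line in output")
    caps = m.group(1).strip()
    if caps.lower() == "none":
        return set()
    return {c.strip().upper() for c in caps.split(",") if c.strip()}


def transform_accelerated(caps, cipher, hash_alg):
    """Assumption: a transform is offloaded only if both its cipher and hash are listed."""
    return cipher.upper() in caps and hash_alg.upper() in caps


@dataclass
class Packet:
    arrival: int   # microseconds
    service: int   # CPU microseconds needed to encrypt it (constructed cost)
    rtp: bool


def build_traffic(duration_us, rtp_cost, data_cost, bursty):
    """50 pps RTP (20 ms frames) plus 200 pps of data packets carrying the same
    total CPU work either evenly spaced (every 5 ms) or in bursts of 20 every 100 ms."""
    pkts = [Packet(t, rtp_cost, True) for t in range(0, duration_us, 20_000)]
    if bursty:
        for t in range(0, duration_us, 100_000):
            pkts += [Packet(t, data_cost, False) for _ in range(20)]
    else:
        pkts += [Packet(t, data_cost, False) for t in range(0, duration_us, 5_000)]
    pkts.sort(key=lambda p: (p.arrival, p.rtp))   # on a tie, data is served first
    return pkts


def run(pkts, duration_us):
    """Single FIFO encryption CPU. Returns (average utilisation, RFC 3550 jitter in us)."""
    cpu_free = busy = 0
    jitter = 0.0
    prev_transit = None
    for p in pkts:
        start = max(cpu_free, p.arrival)      # wait for whatever is already being encrypted
        cpu_free = start + p.service
        busy += p.service
        if p.rtp:
            transit = cpu_free - p.arrival    # queueing delay + own encryption time
            if prev_transit is not None:
                d = abs(transit - prev_transit)
                jitter += (d - jitter) / 16   # RFC 3550 section 6.4.1 estimator
            prev_transit = transit
    return busy / duration_us, jitter


def scenario(show_output, bursty, duration_us=2_000_000):
    """Pick per-packet costs from the offload line (constructed numbers) and simulate."""
    caps = offload_capabilities(show_output)
    if transform_accelerated(caps, "AES", "SHA1"):
        rtp_cost, data_cost = 20, 50          # accelerator: near-negligible CPU per packet
    else:
        rtp_cost, data_cost = 200, 1500       # software: a 1500-byte data packet costs 1.5 ms
    return run(build_traffic(duration_us, rtp_cost, data_cost, bursty), duration_us)


if __name__ == "__main__":
    for label, out, bursty in [("software, smooth data", SAMPLE_NO_ACCEL, False),
                               ("software, bursty data", SAMPLE_NO_ACCEL, True),
                               ("accelerator, bursty data", SAMPLE_ACCEL, True)]:
        util, jit = scenario(out, bursty)
        print(f"{label:26s} CPU {util:5.1%}  RTP jitter {jit / 1000:6.2f} ms")
```

The two software runs report exactly the same average CPU load (31% under these assumptions) but differ by roughly two orders of magnitude in RTP jitter, because the bursty pattern parks each RTP packet behind a 30 ms run of data encryption that the averaged load figure smooths away. With the accelerator the same bursty pattern leaves jitter well under a millisecond.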

Enabling RTP encryption support

The following command enables or disables RTP encryption support for an IP interface. Once enabled, RTP streams can be selected for encryption like any other data traffic, using the ACL. Note that RTP encryption must be enabled on every interface that is used to send or receive encrypted RTP streams.

Patton electronic SmartNode 4110 Series manual