Bachelor thesis: VoIP performance differences RTP / SRTP

Hi,
I am currently writing a bachelor’s thesis about VoIP security. As an empirical part, I imagined an experiment where I would measure the performance differences between RTP and SRTP.
I use a RaspberryPi 4 with FreePBX 15 as a server.

So I would like to generate 10 RTP calls for example and then 10 SRTP calls and then compare the server performance. Then always increase by 10 calls.

However, I cannot make SRTP calls. I think that’s because I have problems creating a Let’s Encrypt certificate. (Test environment: LAN without internet)

Are there any free scripts or programs available (StarTrinity only lasts up to 50 calls)?

Thanks for your help

You don’t need an external certifying authority if you have a closed system. Any SIP phone intended for business use should be able to accept enterprise certificates.


Oh thank you. Unfortunately I could only use softphones, and if I set up everything for SRTP on the FreePBX web interface and on PhonerLite, I could still listen to the RTP packets using Wireshark.

Windows will definitely allow you to install enterprise certificates.

This is the wrong forum for questions relating to the FreePBX web interface.

Oh ok, I’m sorry. But I have already considered installing Asterisk without the web interface.

But can someone help me with the call simulations? Is there any free software or a script to use?

You can use SIPp.


You can use Asterisk (with originate or call files)!

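As an added example (not from the thread and not Asterisk’s own tooling), a small Python generator for the call-file approach, producing batches of N calls per round as the original question describes. Endpoint names and spool paths are assumptions; note that encryption is a property of the PJSIP endpoint, so the RTP and SRTP batches differ only in which endpoints they dial.

```python
"""Generate Asterisk call files for the load test in the thread: a batch of N
calls per round, N growing by 10, once for plain RTP and once for sRTP.
Added example, not from the thread. Assumed: PJSIP endpoints "rtp-<n>" and
"srtp-<n>" exist, the srtp-* ones with media_encryption=sdes (encryption is
an endpoint property; a call file cannot turn it on), default spool paths."""
import os
import sys

SPOOL_DIR = "/var/spool/asterisk/outgoing"  # Asterisk polls this directory
STAGING_DIR = "/var/spool/asterisk/tmp"     # same filesystem, so rename is atomic
ENDPOINT_PREFIX = {"rtp": "rtp-", "srtp": "srtp-"}  # assumed endpoint names


def call_file_text(endpoint: str, caller_id: str, wait_time: int = 60) -> str:
    """One call file: ring the endpoint and, when answered, run Echo so the
    leg carries media for the whole measurement window."""
    return "\n".join([
        f"Channel: PJSIP/{endpoint}",
        f"CallerID: {caller_id}",
        "MaxRetries: 0",  # a failed leg must not retry and inflate the call count
        "RetryTime: 60",
        f"WaitTime: {wait_time}",
        "Application: Echo",
    ]) + "\n"


def render_batch(profile: str, count: int) -> dict:
    """Map file name -> call file body for `count` calls of one profile."""
    prefix = ENDPOINT_PREFIX[profile]
    return {f"{profile}-{n:03d}.call":
            call_file_text(f"{prefix}{n}", f'"{profile} load" <{n:04d}>')
            for n in range(1, count + 1)}


def write_batch(profile: str, count: int, spool_dir: str = SPOOL_DIR,
                staging_dir: str = STAGING_DIR) -> list:
    """Write each file to the staging dir, then rename it into the spool so
    Asterisk never sees a half-written file. Returns the spooled paths."""
    written = []
    for name, body in render_batch(profile, count).items():
        tmp_path = os.path.join(staging_dir, name)
        with open(tmp_path, "w") as fh:
            fh.write(body)
        final = os.path.join(spool_dir, name)
        os.rename(tmp_path, final)
        written.append(final)
    return written


if __name__ == "__main__":  # usage: callgen.py rtp 10   (then srtp 10, rtp 20, ...)
    print(len(write_batch(sys.argv[1], int(sys.argv[2]))), "call files spooled")
```

Run one round, take the server measurements while the calls are up, then spool the next round; the file names carry the profile so the two series can be told apart afterwards.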

Are you looking at this based on performance of a B2BUA vs a Proxy/Switch? Because there will be a difference. Are you only looking at encrypted media/SDP (SRTP) or are you looking at full on TLS based calling where the media and the signalling are TLS encrypted? There can be cases where the signaling is still UDP but the media is SRTP. Again, these are all factors in the testing. Along with what you are actually using, a RasPi is going to have worse performance than a full blown server (VM or hardware).

Inherently, TLS/SRTP is going to require more resources than standard UDP. Each request has to be decrypted, processed and encrypted for the reply or to forward/relay the request to the next destination (if TLS as well). As well, a B2BUA, which treats both sides as a single leg (thus 2 per call), will require more resources than a Proxy/Switch which treats it as a single leg.

Of course all the above is based on per calls only. That doesn’t account for any other services/functionality running on the system. If this is based on a PBX system then you need to look at PBX features that could impact performance. IVRs, Music on Hold, Parking Lots, Queues: these are all things that would be playing media files for music, announcements, greetings, etc. That’s going to impact performance. Call Recordings will also impact performance.


Thank you for such a detailed answer!

No, I just want to use one type.
But in the meantime both sides would be interesting.

So I wanted to measure 3 types: RTP without TLS, SRTP with TLS, SRTP without TLS.

Yes, I am aware of that. Unfortunately I don’t have access to good hardware.

In the meantime, I’m not sure anymore what to measure exactly.

I am also aware of this; the question of my work is: how much is the difference exactly?
Based on this work, you should see the differences in how much it is to switch to VoIP security.

Actually, with Enterprise Certificates, self-signed certificates are meant. I am not a big fan of those because using a public-known certificate is already complicated enough. That link explains how to configure many of those (soft) phones out there.

You can create the certificate on an online machine and then copy it over to an offline machine. Alternatively, you can go for a paid certificate, like RapidSSL via GoGetSSL. That should give the broadest compatibility (not everyone trusts DST Root CA X3) without too much hassle.

By the way, are you about signaling=SIP-over-TLS with media=
a) SDES-sRTP or
b) DTLS-sRTP?
Or is your supervisor just about sRTP in general?


I hope that isn’t true. Otherwise, I’m going to have to revoke Let’s Encrypt’s authority to authenticate web servers.

The reason that certificates were invented was to prove that the person to which you have the connection is the person you intended to have it to, not some spy in the middle.

Nope. You can do with that certificate (and your private key) whatever you want. The certificate authority just signs that the domain (or E-mail for S/MIME) belongs to you. If you turn off host-name validation in the client, the client is going to accept that certificate then. Otherwise, you set up a personal DNS server so that the client is happy in case you cannot turn off host-name validation. When somebody else gets your private key, then, yes, it is time for revoking. However, when it comes to your machines, you can copy and paste as long as you like.

If you turn off common name checking, you are basically removing the protection that the certificate provides. There are key exchange options that don’t use certificates, but the reason that certificates are the norm is that they prove that the other end of the encrypted link is the entity with the name on the certificate, not someone relaying the connection and eavesdropping.

I’ve already asked myself this question. I only noticed last week that there are two types.
Which version is newer?

Nope. Because you do not ask any questions, I do not know which puzzle pieces are missing in your knowledge. Please, open up a new thread, ask questions, and then I can explain this to you. If you think you are more clever than me and do not need that, then I am of no help. Chazz needs a TLS connection to negotiate the sRTP keys, and I provided him one way to go. Again, even with an offline computer (and/or a lab scenario) you are able to use publicly known certificates even with host-name validation. If he wants to use Let’s Encrypt, the trick is to copy the certificate over and install a custom DNS server on his offline computer. If he is able to turn off host-name validation in his SIP phones, disabling part of the authentication, he does not even need that DNS server. In any case, he gets encryption this way.

Mhm. I guess, this is part of your research then. In short, newer does not matter.

Some starters: sRTP is just encrypted (and optionally authenticated) data packets. The problem is how both communication partners know about the keys used for encryption. For this, a plethora of standards exist, like DTLS-sRTP, SDES-sRTP, and ZRTP-sRTP. Many more standards exist, but those three are the ones I see in current SIP phones. Those are part of the bill (processor cycles) when it comes to setting up an sRTP connection. For example, SDES-sRTP requires SIP-over-TLS because otherwise the keys for sRTP are transmitted in clear text. DTLS-sRTP requires SIP-over-TLS (not because of the standard but because of the implementations) and requires DTLS. However, this is a one-time, call-setup operation. Depending on your research, this might not be interesting. Depending on your research, this might be crucial.

Therefore, when you have researched that, you should contact your supervisor about whether he wants that part of the bill as well. BlazeStudios mentioned that briefly: with some SIP phones you can do SDES-sRTP without SIP-over-TLS (although this gives no protection at all). At my link above, you find a video and white paper which tackle this a bit.

I would go in two directions: try to set up a phone call with sRTP (practical part). My link above should help with that, especially when it comes to configuring the clients. On the other hand, research the various sRTP key negotiations (theoretical part). When you have done that, sync with your supervisor on whether to combine those or concentrate on sRTP.

When you set up a call with sRTP, you have the options your SIP phone provides: SDES-, DTLS-, or ZRTP-sRTP. For the start, I would go for SDES-sRTP. Then you have two options: go with SIP-over-TLS or not; this depends again on your SIP phone. If you go for SIP-over-TLS, you again have two options: go with authentication or not. The best documented path is to go for authenticated SIP-over-TLS with SDES-sRTP. That works with ‘every’ SIP phone but is the most work to set up.

Again, at my link above, you find a practical tutorial to set up an Asterisk in such a way. Go through that, and if you have questions, ask them here or via private mail.

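As an added example (not from the thread), a small Python check that classifies an SDP offer the way the post above distinguishes SDES, DTLS and ZRTP key exchange, and reports whether the audio could be read from a network capture, which is what the remark about SDES-sRTP without SIP-over-TLS comes down to. The SDP bodies are constructed placeholders, not real captures.

```python
"""Classify how an SDP offer negotiates sRTP keys (SDES, DTLS or ZRTP) and
whether that key exchange is exposed to anyone who can read the signalling.
Added example, not from the thread; the SDP bodies are constructed."""
import re

# Constructed offers with placeholder key material and fingerprint.
SDES_OFFER = """v=0
m=audio 4000 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:UExBQ0VIT0xERVJfS0VZX05PVF9SRUFMX0tFWQ==
"""
DTLS_OFFER = """v=0
m=audio 4002 UDP/TLS/RTP/SAVPF 0 8
a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
a=setup:actpass
"""
PLAIN_OFFER = """v=0
m=audio 4004 RTP/AVP 0 8
"""


def classify_sdp(sdp: str) -> dict:
    """Return the audio transport profile, whether it is an sRTP profile, and
    which key-exchange attribute the offer carries (None if none)."""
    m = re.search(r"^m=audio \d+ (\S+)", sdp, re.M)
    profile = m.group(1) if m else ""
    srtp = profile.endswith(("SAVP", "SAVPF"))
    if re.search(r"^a=crypto:", sdp, re.M):
        kex = "SDES"   # master key is inside the SDP itself
    elif re.search(r"^a=fingerprint:", sdp, re.M):
        kex = "DTLS"   # keys derived by a DTLS handshake on the media port
    elif re.search(r"^a=zrtp-hash:", sdp, re.M):
        kex = "ZRTP"   # keys agreed in-band over the RTP path
    else:
        kex = None
    return {"profile": profile, "srtp": srtp, "key_exchange": kex}


def media_unprotected(sdp: str, signaling_tls: bool) -> bool:
    """True when the audio can be recovered from a capture: plain RTP, an sRTP
    profile with no usable key exchange, or SDES over unencrypted SIP (the key
    in a=crypto travels in cleartext). DTLS and ZRTP keys never appear in the
    signalling, so their confidentiality does not depend on SIP-over-TLS."""
    info = classify_sdp(sdp)
    if not info["srtp"] or info["key_exchange"] is None:
        return True
    return info["key_exchange"] == "SDES" and not signaling_tls
```

Feeding the SDP from a Wireshark-exported INVITE into classify_sdp is a quick way to confirm which of the three variants the softphone actually negotiated before comparing measurements.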

Thank you so much for your generous help.
