Tuesday, October 30, 2007

Wanna use IP Telephony over your SSL VPN?

SSL VPN is a popular technology for providing remote access to an enterprise or even home network. Voice over IP (VoIP) is a very popular technology for providing low cost voice services to the enterprise and home user. It stands to reason that one would like to use VoIP services over SSL VPN while connected to the remote network.

While this might seem great in theory, it is generally not a good idea, as the voice will sound garbled. This is due to the jitter induced by the stream being encapsulated in TCP. TCP is a protocol that provides reliable transport, which, at first thought, might seem like a good thing. However, for delay sensitive VoIP applications, the results are disastrous: a single lost segment stalls every segment behind it until the retransmission arrives. Real time applications are one area where the “spray and pray” nature of UDP is quite desirable. A classic essay, “Why TCP over TCP is a Bad Idea,” covers the negative properties of stacking a protocol on top of TCP.
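To make the jitter argument concrete, here is a small simulation I have added (it is not part of the original post and not from the essay cited above). It models a fixed-rate voice stream carried two ways: directly over UDP, where a lost packet is simply gone, and inside an in-order reliable tunnel such as TCP, where a lost segment is retransmitted after a timeout and every later segment is held back until the gap is filled. The packet interval (20 ms), one-way delay (50 ms), retransmission timeout (200 ms) and jitter buffer (60 ms) are assumed, illustrative values, and the single lost packet is a constructed input.

```python
# Added example (not from the original post): why one lost packet inside an
# in-order reliable tunnel becomes a burst of late packets for a voice stream,
# while over plain UDP it stays a single lost packet.
# All timing values below are assumed, illustrative numbers.

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class VoicePacket:
    seq: int
    send_ms: float


def make_stream(count: int, interval_ms: float = 20.0) -> List[VoicePacket]:
    """A codec emitting one packet every interval_ms (constructed sample input)."""
    return [VoicePacket(seq, seq * interval_ms) for seq in range(count)]


def deliver_udp(stream: Iterable[VoicePacket], lost: Set[int],
                one_way_ms: float = 50.0) -> Dict[int, float]:
    """UDP: a lost packet never arrives; every other packet arrives after one_way_ms."""
    return {p.seq: p.send_ms + one_way_ms for p in stream if p.seq not in lost}


def deliver_reliable_tunnel(stream: Iterable[VoicePacket], lost: Set[int],
                            one_way_ms: float = 50.0,
                            rto_ms: float = 200.0) -> Dict[int, float]:
    """In-order reliable tunnel (TCP-like): a lost segment is resent when the
    retransmission timer fires (rto_ms after the original send), and no segment
    is handed to the application before its predecessor (head-of-line blocking)."""
    delivered: Dict[int, float] = {}
    release_floor = 0.0  # earliest time the next in-order segment may be released
    for p in sorted(stream, key=lambda q: q.seq):
        arrival = p.send_ms + (rto_ms if p.seq in lost else 0.0) + one_way_ms
        release_floor = max(release_floor, arrival)
        delivered[p.seq] = release_floor
    return delivered


def delivery_delays(stream: Iterable[VoicePacket],
                    delivered: Dict[int, float]) -> Dict[int, float]:
    """Per-packet end-to-end delay (delivery time minus send time) for delivered packets."""
    return {p.seq: delivered[p.seq] - p.send_ms for p in stream if p.seq in delivered}


def unplayable_count(stream: Iterable[VoicePacket], delivered: Dict[int, float],
                     jitter_buffer_ms: float = 60.0, one_way_ms: float = 50.0) -> int:
    """Packets the receiver cannot play: never delivered, or delivered after the
    playout deadline (nominal one-way delay plus the jitter buffer)."""
    stream = list(stream)
    deadline = one_way_ms + jitter_buffer_ms
    delays = delivery_delays(stream, delivered)
    return sum(1 for p in stream if p.seq not in delays or delays[p.seq] > deadline)


if __name__ == "__main__":
    stream = make_stream(20)
    lost = {5}  # constructed: packet 5 is dropped once on the path
    for name, deliver in (("UDP", deliver_udp), ("reliable tunnel", deliver_reliable_tunnel)):
        delivered = deliver(stream, lost)
        delays = delivery_delays(stream, delivered)
        print(f"{name:16s} delays (ms): {[int(d) for d in delays.values()]}")
        print(f"{name:16s} unplayable packets: {unplayable_count(stream, delivered)}")
```

With these numbers the UDP path loses exactly one packet and every other packet keeps a constant 50 ms delay (zero jitter), whereas the tunnel delivers everything but the delay swings between 50 ms and 250 ms, and seven consecutive packets arrive too late for a 60 ms jitter buffer to play. Raising the jitter buffer hides the burst only by adding that much latency to every packet, which is the trade-off the essay above describes.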

Fortunately, a solution to this problem exists and it is called Datagram Transport Layer Security (DTLS). Nagendra Modadugu and Eric Rescorla have modified the existing TLS protocol to accommodate datagrams, and DTLS is currently on the Proposed Standards Track at the IETF. Modadugu and Rescorla’s paper “The Design and Implementation of Datagram TLS” is worth reading. Some excerpts:

A number of applications have emerged over recent years that use datagram transport. These applications include real time video conferencing, Internet telephony, and online games such as Quake and StarCraft. These applications are all delay sensitive and use unreliable datagram transport. Applications that are based on reliable transport can be secured using TLS, but no compelling alternative exists for securing datagram based applications…

DTLS is a modified version of TLS that functions properly over datagram transport. This approach has two major advantages over the alternatives. First, since DTLS is very similar to TLS, pre-existing protocol infrastructure and implementations can be reused.

The basic design principle of DTLS is “bang for the buck.” We wished to minimize both our design and implementation effort and that of the designers and implementers who are potential DTLS users.

Currently, I am aware of only a few solutions that support DTLS – OpenSSL and Cisco’s Adaptive Security Appliance (ASA).