Virtual Private Networks: An Overview with Performance Evaluation
Shashank Khanvilkar and Ashfaq Khokhar, University of Illinois at Chicago
Presented by: Abe Murray
CS577: Advanced Computer Networks
Outline
• Abstract / Intro
• VPN Basics
• VPN Software Architecture
• VPN Characterization
  – Network Performance
  – Features and Functionality
  – Operational Concerns
• Experiments
• Results
  – Network Performance
  – Features and Functionality
  – Operational Concerns
• Closing
Abstract
• Virtual Private Networks (VPNs)
  – Have become popular
  – Multitude of proprietary and open-source solutions
  – Authors compared a number of open-source Linux-based VPN solutions (OSLVs)
• UDP tunnels have 50% less overhead, 80% greater bandwidth utilization, and 40-60% less latency
VPN Basics
• A VPN is a TCP/IP stack modification
  – Adds a VPN daemon and a Virtual Network Interface (VNI)
  – Control plane (TCP):
    • Peer authentication
    • Session keys
    • IP mapping to subnetworks
  – Data plane (TCP or UDP):
    • Serial pipeline with encryption
    • Authentication, compression
VPN Software Architecture
1. VPN packet arrives at eth1, routed to VNI
2. VPN packet arrives at VNI, handed to VPN daemon
3. VPN packet is compressed/encrypted, then handed to transport layer
Subsequently, the packet is handled and routed like any other packet, with the exception that its contents are encrypted with the session key
VPN Characterization: Network Performance
• Overhead
  – 75% headers/trailers, compressible
  – 25% encryption, padding, not compressible
• Bandwidth Utilization
  – Overhead reduces goodput
  – Latency makes default TCP window insufficient
  – TCP stacking results in degradation
• Latency/Jitter
  – Longer packet data path
  – Additional processing due to encryption
  – Additional data copies due to user-space VPN
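As an added example (not from the paper or this presentation), the Python script below models the per-packet overhead just listed: outer IP and transport headers as the compressible part, cipher padding plus an authentication tag as the incompressible part, for a UDP versus a TCP outer transport, and the bandwidth-delay product behind the "default TCP window" point. Header sizes are the standard minimums; the cipher block size, tag length and pad-length byte are assumptions, not the parameters the authors used.

```python
"""Per-packet overhead model for a user-space VPN tunnel (added example)."""
from dataclasses import dataclass

IPV4_HDR = 20        # minimum IPv4 header, no options
UDP_HDR = 8
TCP_HDR = 20         # minimum TCP header, no options
LINK_MBPS = 100      # the testbed links were 100 Mbps

@dataclass(frozen=True)
class TunnelParams:
    transport: str         # "udp" or "tcp" outer transport
    block_size: int = 16   # assumed cipher block size (e.g. AES)
    tag_len: int = 12      # assumed truncated HMAC tag length
    pad_len_byte: int = 1  # assumed one byte recording the pad length

def encapsulated_size(inner_len: int, p: TunnelParams) -> dict:
    """Size of the outer packet carrying one inner IP packet of inner_len bytes.

    Assumed pipeline: append a pad-length byte, pad to the cipher block
    boundary, encrypt, append the tag, then prepend outer IP + transport headers.
    """
    body = inner_len + p.pad_len_byte
    padding = (-body) % p.block_size
    crypto = p.pad_len_byte + padding + p.tag_len  # incompressible part
    transport_hdr = UDP_HDR if p.transport == "udp" else TCP_HDR
    headers = IPV4_HDR + transport_hdr            # compressible part
    return {"inner": inner_len, "headers": headers, "crypto": crypto,
            "total": inner_len + headers + crypto}

def overhead_fraction(inner_len: int, p: TunnelParams) -> float:
    """Share of each outer packet that is not inner-packet bytes."""
    s = encapsulated_size(inner_len, p)
    return (s["total"] - s["inner"]) / s["total"]

def goodput_mbps(inner_len: int, p: TunnelParams, link_mbps=LINK_MBPS) -> float:
    """Inner-packet throughput if the link is saturated with tunnel packets."""
    s = encapsulated_size(inner_len, p)
    return link_mbps * s["inner"] / s["total"]

def bdp_bytes(link_mbps: float, rtt_ms: float) -> int:
    """Bandwidth-delay product: bytes in flight needed to keep the link full."""
    return int(link_mbps * 1e6 / 8 * rtt_ms / 1e3)

if __name__ == "__main__":
    for p in (TunnelParams("udp"), TunnelParams("tcp")):
        for n in (64, 1400):
            print(p.transport, n, encapsulated_size(n, p),
                  f"overhead={overhead_fraction(n, p):.1%}",
                  f"goodput={goodput_mbps(n, p):.1f} Mbps")
    # a 65535-byte default window (no window scaling) cannot cover this BDP
    print("BDP @100 Mbps, 10 ms RTT:", bdp_bytes(100, 10), "bytes")
```

Small packets show why overhead dominates voice-sized traffic, and the BDP figure shows why the default TCP window becomes the bottleneck once tunnel latency grows.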
VPN Characterization: Features and Functionality
• Code Modularity
  – Flexibility of OSLV regarding plugins
    • Cryptos
    • Routing
    • Security updates
• Routing
  – Routing information is required for transport among VPN participants and must be shared among them.
  – Manual? Automated?
VPN Characterization: Operational Concerns
• Security (relative, subjective)
  – Proprietary? (security through obscurity)
  – Open standard protocol? (published)
  – Open non-standard protocol? (published but obscure)
• Scalability
  – Memory utilization per VPN tunnel
  – Processor utilization per VPN tunnel
  – Configuration and management (order of magnitude)
Experiments
• All links 100 Mbps
• Test tools:
  – ethereal – overhead
  – iperf – bandwidth and jitter
  – ping – latency
[Testbed diagram, "Network Experiments": Private Net 1 and Private Net 2, each with a Private Network PC; VPN Tunnel (assorted OSLV types) between a RedHat 9 Server (P4 2 GHz, 512 MB RAM) and a RedHat 8 Workstation (PII 400 MHz, 128 MB RAM)]
Results: Network Performance
Results: Features and Functionality
Results: Operational Concerns - Security
Results: Operational Concerns - Scalability
Conclusions
• Tunnel over UDP!
• Where did they present the memory/CPU utilization results?
• OSLVs are present and useable