
Virtual Private Networks:
An Overview with Performance Evaluation
Shashank Khanvilkar and Ashfaq Khokhar,
University of Illinois at Chicago
Presented by: Abe Murray
CS577: Advanced Computer Networks
Outline
• Abstract / Intro
• VPN Basics
• VPN Software Architecture
• VPN Characterization
– Network Performance
– Features and Functionality
– Operational Concerns
• Experiments
• Results
– Network Performance
– Features and Functionality
– Operational Concerns
• Closing
Abstract
• Virtual Private Network (VPN)
– Have become popular
– Multitude of proprietary and open-source solutions
– Authors compared a number of open-source Linux-based VPN solutions (OSLVs)
• UDP tunnels have 50% less overhead, 80% greater bandwidth utilization, and 40-60% less latency
VPN Basics
• A VPN is a TCP/IP stack modification
– Adds a VPN daemon and a Virtual Network Interface (VNI)
– Control plane (TCP):
• Peer authentication
• Session keys
• IP mapping to subnetworks
– Data plane (TCP or UDP):
• Serial pipeline with encryption
• Authentication, compression
VPN Software Architecture
1. VPN packet arrives at eth1, routed to VNI
2. VPN packet arrives at VNI, handed to VPN daemon
3. VPN packet is compressed/encrypted, then handed to transport layer
Subsequently, handled and routed like any other packet, with the exception that its contents are encrypted with the session key
VPN Characterization:
Network Performance
• Overhead
– 75% header/trailers, compressible
– 25% encryption, padding, not compressible
• Bandwidth Utilization
– Overhead reduces goodput
– Latency makes default TCP window insufficient
– TCP stacking results in degradation
• Latency/Jitter
– Longer packet data path
– Additional processing due to encryption
– Additional data copies due to user-space VPN
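The overhead and bandwidth bullets above follow from a simple per-packet model. The following added example (not code from the paper or the slides) splits the bytes a UDP-encapsulated tunnel adds to each inner packet into the two classes the slide names (headers/trailers versus encryption-related IV and padding), computes the resulting goodput fraction and the largest inner packet that still fits a 1500-byte MTU, and shows why a fixed receive window caps a single TCP flow at one window per RTT regardless of link speed. Every header, IV, MAC and block size in the profile is an assumed value chosen for illustration, not a measurement from the paper.

```python
"""
Added example: per-packet overhead model for a UDP-encapsulated VPN tunnel,
plus the TCP receive-window bound on throughput.  All sizes in TunnelProfile
are assumptions for illustration, not figures from the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelProfile:
    """Assumed framing of one tunneled packet on the wire (hypothetical)."""
    outer_ip: int = 20    # outer IPv4 header
    outer_udp: int = 8    # UDP header (the tunnel transport)
    tunnel_hdr: int = 8   # tunnel framing: sequence number / type (assumed)
    mac: int = 16         # authentication trailer, truncated HMAC (assumed)
    iv: int = 16          # per-packet IV for a CBC-mode cipher (assumed)
    block: int = 16       # cipher block size (assumed)


def padding_bytes(inner_len: int, block: int) -> int:
    """PKCS#7-style padding: at least 1 byte, at most one full block."""
    return block - (inner_len % block)


def overhead_breakdown(inner_len: int, p: TunnelProfile = TunnelProfile()) -> dict:
    """Split the added bytes the way the slide does: headers/trailers versus
    encryption-related bytes (IV and padding).  The latter look random and
    cannot be compressed away; the former could be, by header compression."""
    pad = padding_bytes(inner_len, p.block)
    headers_trailers = p.outer_ip + p.outer_udp + p.tunnel_hdr + p.mac
    encryption = p.iv + pad
    overhead = headers_trailers + encryption
    wire_len = inner_len + overhead
    return {
        "headers_trailers": headers_trailers,
        "encryption_padding": encryption,
        "overhead_bytes": overhead,
        "wire_len": wire_len,
        "overhead_fraction": overhead / wire_len,  # share of the wire that is not payload
        "goodput_fraction": inner_len / wire_len,
    }


def max_inner_payload(mtu: int, p: TunnelProfile = TunnelProfile()) -> int:
    """Largest inner packet that fits the outer MTU without fragmentation.
    Everything except padding is fixed; the padded payload must be a multiple
    of the block size and padding is always at least one byte."""
    fixed = p.outer_ip + p.outer_udp + p.tunnel_hdr + p.mac + p.iv
    padded_room = (mtu - fixed) // p.block * p.block
    return padded_room - 1


def bdp_bytes(link_bps: float, rtt_s: float) -> float:
    """Bandwidth-delay product: the window needed to keep the link full."""
    return link_bps / 8 * rtt_s


def window_limited_throughput(window_bytes: int, rtt_s: float, link_bps: float) -> float:
    """Throughput one TCP flow reaches with a fixed receive window:
    one window per RTT, capped by the link rate."""
    return min(window_bytes * 8 / rtt_s, link_bps)


if __name__ == "__main__":
    for inner in (64, 512, 1400):
        b = overhead_breakdown(inner)
        print(f"inner={inner:5d}B wire={b['wire_len']:5d}B "
              f"overhead={b['overhead_fraction']:.1%} "
              f"(headers/trailers {b['headers_trailers']}B, crypto {b['encryption_padding']}B)")
    print("max inner payload for MTU 1500:", max_inner_payload(1500))
    # A default 64 KiB window on a 100 Mbps path: once RTT grows past the
    # tunnel's added latency, the window, not the link, is the limit.
    for rtt_ms in (1, 20, 100):
        rtt = rtt_ms / 1000
        print(f"rtt={rtt_ms:3d}ms BDP={bdp_bytes(100e6, rtt):9.0f}B "
              f"64KiB-window throughput="
              f"{window_limited_throughput(65536, rtt, 100e6) / 1e6:6.2f} Mbps")
```

Small packets pay the most: with the assumed profile a 64-byte inner packet carries 84 bytes of overhead (57% of the wire), while a 1400-byte packet carries 76 bytes (5%). The window calculation is the reason the slide's "default TCP window insufficient" bullet matters even on a 100 Mbps LAN: at 20 ms RTT a 64 KiB window yields about 26 Mbps no matter how fast the link is.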
VPN Characterization:
Features and Functionality
• Code Modularity
– Flexibility of OSLV regarding plugins
• Cryptos
• Routing
• Security updates
• Routing
– Routes among VPN participants are required for transport and must be shared among them
– Manual? Automated?
VPN Characterization:
Operational Concerns
• Security (relative, subjective)
– Proprietary? (security through obscurity)
– Open Standard Protocol? (published)
– Open Non-Standard Protocol? (published but obscure)
• Scalability
– Memory utilization per VPN tunnel
– Processor utilization per VPN tunnel
– Configuration and management (order of magnitude)
Experiments
[Testbed diagram: Private Net 1 and Private Net 2, each with a Private Network PC, joined by a VPN tunnel between a RedHat 9 Server (assorted OSLV types, P4 2 GHz, 512 MB RAM) and a RedHat 8 Workstation (PII 400 MHz, 128 MB RAM); "Network Experiments" labelled at both ends]
• All links 100 Mbps
• Test Tools:
– ethereal – overhead
– iperf – bandwidth and jitter
– ping – latency
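The latency and jitter figures in the results come from tool output like ping's. The following added example (not code from the paper or the slides) parses ping reply lines, derives min/avg/max RTT and loss, and computes a jitter figure as the mean absolute difference between consecutive RTTs, a plain variability measure in the spirit of what iperf reports (iperf's own estimator is the smoothed RFC 3550 one). The ping output is constructed for the example and 10.0.2.1 is a made-up address; the same function can be run over a baseline capture and a tunneled capture to quantify the tunnel's added latency.

```python
"""
Added example: derive latency, loss and jitter from ping output.
The sample output below is constructed; 10.0.2.1 is not a real host.
"""
import re
from statistics import mean

# Constructed sample in the format Linux ping prints; sequence 5 was lost.
PING_OUTPUT = """\
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 10.0.2.1: icmp_seq=3 ttl=64 time=1.105 ms
64 bytes from 10.0.2.1: icmp_seq=4 ttl=64 time=0.421 ms
64 bytes from 10.0.2.1: icmp_seq=6 ttl=64 time=0.405 ms
"""

_REPLY = re.compile(r"icmp_seq=(\d+).*?time=([\d.]+) ms")


def parse_ping(text: str) -> list:
    """Return (sequence number, RTT in ms) for every reply line; other
    lines (timeouts, the summary block) are ignored."""
    return [(int(seq), float(rtt)) for seq, rtt in _REPLY.findall(text)]


def jitter_ms(rtts: list) -> float:
    """Mean absolute difference between consecutive RTTs (0 for < 2 samples)."""
    if len(rtts) < 2:
        return 0.0
    return mean(abs(b - a) for a, b in zip(rtts, rtts[1:]))


def latency_stats(text: str) -> dict:
    """Summarise one ping run.  'sent' is taken from the highest sequence
    number seen, so losses after the last reply are not counted."""
    replies = parse_ping(text)
    rtts = [rtt for _, rtt in replies]
    sent = max(seq for seq, _ in replies)
    return {
        "sent": sent,
        "received": len(replies),
        "loss_fraction": 1 - len(replies) / sent,
        "min_ms": min(rtts),
        "avg_ms": mean(rtts),
        "max_ms": max(rtts),
        "jitter_ms": jitter_ms(rtts),
    }


if __name__ == "__main__":
    for key, value in latency_stats(PING_OUTPUT).items():
        print(f"{key:14s} {value}")
```

One outlier reply (1.105 ms) dominates the jitter figure here, which is the point of reporting jitter separately from the average: a tunnel that adds a stable 0.1 ms is a different result from one whose user-space daemon occasionally stalls.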
Results:
Network Performance
Results:
Features and Functionality
Results:
Operational Concerns - Security
Results:
Operational Concerns - Scalability
Conclusions
• Tunnel over UDP!
• Where did they present the memory/CPU utilization results?
• OSLVs are present and usable