Transcript ppt
Virtual Private Networks:
An Overview with Performance Evaluation
Shashank Khanvilkar and Ashfaq Khokhar,
University of Illinois at Chicago
Presented by: Abe Murray
CS577: Advanced Computer Networks
Outline
•
•
•
•
Abstract / Intro
VPN Basics
VPN Software Architecture
VPN Characterization
– Network Performance
– Features and Functionality
– Operational Concerns
• Experiments
• Results
– Network Performance
– Features and Functionality
– Operational Concerns
• Closing
CS577: Advanced Computer Networks
Abstract
• Virtual Private Network (VPN)
– Have become popular
– Multitude of Proprietary, and Open-Source
solutions
– Authors compared a number of open-source linuxbased VPN solutions (OSLVs)
• UDP tunnels have 50% less overhead, 80%
greater bandwidth utilization, and 40-60%
less latency
CS577: Advanced Computer Networks
VPN Basics
• A VPN is a TCP/IP stack modification
– Adds a VPN daemon, and a Virtual
Network Interface (VNI)
– Control plane (TCP):
• Peer authentication
• Session keys
• IP mapping to subnetworks
– Data plane (TCP or UDP):
• Serial pipeline with encryption
• Authentication, compression
CS577: Advanced Computer Networks
VPN Software Architecture
1.
VPN packet arrives at eth1, routed to VNI
2.
VPN packet arrives at VNI, handed to VPN
daemon
3.
VPN packet is compressed/encrypted, then
handed to transport layer
Subsequently, handled and routed like any
other packet, with the exception that its
contents are encrypted with the session key
CS577: Advanced Computer Networks
VPN Characterization:
Network Performance
• Overhead
– 75% header/trailers, compressible
– 25% encryption, padding, not compressible
• Bandwidth Utilization
– Overhead reduces goodput
– Latency makes default TCP window insufficient
– TCP stacking results in degradation
• Latency/Jitter
– Longer packet data path
– Additional processing due to encryption
– Additional data copies due to user-space VPN
CS577: Advanced Computer Networks
VPN Characterization:
Features and Functionality
• Code Modularity
– Flexibility of OSLV regarding plugins
• Cryptos
• Routing
• Security updates
• Routing
– Required for transport among VPN
participants, must be shared among VPN
participants.
– Manual? Automated?
CS577: Advanced Computer Networks
VPN Characterization:
Operational Concerns
• Security (relative, subjective)
– Proprietary? (security through obscurity)
– Open Standard Protocol? (published)
– Open Non-Standard Protocol? (published but
obscure)
• Scalability
– Memory utilization per VPN tunnel
– Processor utilization per VPN tunnel
– Configuration and management
(order of magnitude)
CS577: Advanced Computer Networks
Experiments
Private Net 1
Private Net 2
VPN Tunnel
RedHat 9 Server
Assorted OSLV types
P4 2 GHz
512 MB RAM
RedHat 8 Workstation
PII 400 MHz
128 MB RAM
Private Network PC
Private Network PC
Network Experiments
Network Experiments
• All links 100 Mbps
• Test Tools:
– ethereal - overhead
– iperf – bandwidth and jitter
– ping – latency
CS577: Advanced Computer Networks
Results:
Network Performance
CS577: Advanced Computer Networks
Results:
Features and Functionality
CS577: Advanced Computer Networks
Results:
Operational Concerns - Security
CS577: Advanced Computer Networks
Results:
Operational Concerns - Scalability
CS577: Advanced Computer Networks
Conclusions
•
Tunnel over UDP!
•
Where did they present the
memory/CPU utilization results?
•
OSLVs are present and useable
CS577: Advanced Computer Networks