Abstract—VPN software implementations provide high flexibility and low cost of development. There are different approaches for VPN software implementations. One type of VPN software solution utilizes the built-in kernel implementation of the AH and ESP protocols. The second approach is software VPN solutions that use a full user-space IPsec implementation. In this paper, we analyze these two approaches and compare their performance on 10 Gbps links.

Index Terms— IPsec protocol; strongSwan; Rockhopper VPN; performance evaluation; software VPN.

Hasan Redžović is with the Innovation Center of School of Electrical Engineering, University of Belgrade, 73 Bulevar kralja Aleksandra, 11020 Belgrade, Serbia (e-mail: hasanetf@live.com).
Aleksandra Smiljanić is with the School of Electrical Engineering, University of Belgrade, 73 Bulevar kralja Aleksandra, 11020 Belgrade, Serbia (e-mail: aleksandra@etf.rs).
Slavko Gajin is with the School of Electrical Engineering, University of Belgrade, 73 Bulevar kralja Aleksandra, 11020 Belgrade, Serbia (e-mail: slavko.gajin@etf.bg.ac.rs).

I. INTRODUCTION

A virtual private network (VPN) extends a private network across a public network, such as the Internet. A VPN enables users to send and receive data across unsecured public networks as if their computing devices were connected to the same cohesive private network. VPNs benefit everyone who wants to communicate without fear of disclosing private information. A VPN can be implemented with various protocols which operate at different levels of the OSI model. An IP-layer VPN implementation using the Internet Protocol security (IPsec) [1] protocol protects all user-space applications whose traffic uses particular routes. The IPsec protocol comprises a set of security protocols with different functionalities:
• Internet Key Exchange (IKE) - handles authentication and the periodic exchange of symmetric keys. It provides different methods of authentication such as Pre-Shared Key and X.509 certificates;
• Authentication Header (AH) - provides data integrity;
• Encapsulating Security Payload (ESP) - provides data integrity and confidentiality.

IPsec works in two modes: transport and tunnel. Transport mode protects only the IP payload, while tunnel mode protects the entire IP packet, including the IP header and the payload. The common way to implement a VPN is to connect two or more VPN gateways which have private networks behind them. The VPN gateway is usually a router with VPN features that can be realized as a hardware or a software solution. VPN hardware solutions are provided by several vendors such as Cisco, Nortel, IBM, and Checkpoint. Their advantages with respect to software solutions are better performance and lower energy consumption, achieved by the specialized hardware [2]. On the other hand, software solutions are highly flexible: it is easier and faster to build and test new features in a software environment. In this paper we evaluate the performance of two different approaches for implementing VPNs with the IPsec protocol:
• VPN software solutions that use the kernel implementation of the AH and ESP protocols. Examples are strongSwan, Openswan and Libreswan;
• Full user-space IPsec implementations. The open source software Rockhopper VPN implements the IKE and ESP protocols in user space.

Our focus is on strongSwan [3] and Rockhopper VPN [4], as these are the two most commonly used software solutions. StrongSwan is an open source IPsec-based VPN solution with many different features. StrongSwan runs on Linux 2.6, 3.x and 4.x kernels, Android, Maemo, FreeBSD and Mac OS X. Rockhopper VPN is IPsec/IKEv2-based VPN software that provides simple and intuitive interfaces for fast and easy VPN configuration. In addition, Rockhopper VPN provides a large variety of functions: Virtual Ethernet (Ethernet over IPsec), routing-based VPN, role-based ID management and configuration, an AJAX-based (Comet) Web management interface for configuring and monitoring, and so on.

The Linux kernel generally cannot achieve I/O speeds of 10 Gbps for IP packets smaller than 512 bytes. The implementation of the IPsec protocol has an additional negative impact on performance. Our tests of strongSwan and Rockhopper will show the extent of the performance degradation due to the processing associated with VPN functionality. The AH and ESP protocols were implemented in the kernel to achieve better performance compared to user-space implementations. When IPsec is implemented in user space, an IP packet must travel the full path through the kernel network stack before being processed by the VPN software and transformed into an IPsec packet. A kernel ESP/AH implementation is advantageous with respect to performance, but implementing security functions in kernel space is intricate, as they need to fit coherently with the resource management and protection functions provided by the limited kernel environment. Moreover, developing modules in kernel space, such as device drivers, generally requires more complicated debugging steps than implementing applications in user space.

Software solutions like netmap [5] and Intel DPDK [6] bypass the kernel network stack and provide network interfaces directly to user-space applications. These platforms improve system I/O performance, as they achieve 10 Gbps line speed for minimum-sized packets. These software tools will be used to determine the capabilities of IPsec packet processing.

The paper is organized as follows. The impact of the IPsec overhead on performance is examined in Section 2. Sections 3 and 4 describe the main features of the strongSwan and Rockhopper VPN solutions. Section 5 presents the testing environment, and Section 6 presents the results of the performance evaluation. Finally, Section 7 concludes the paper.

II. IPSEC PROTOCOL OVERHEAD

The IPsec protocol encapsulates the IP packet with AH or ESP fields, which imposes additional overhead in 10 Gbps data transfers. In this section, we analyse the influence of this overhead on the transfer rates of IP packets.

[Fig. 1: physical-layer frame, 68 – 1530 Bytes]

AH and ESP, as defined by IPsec, both add their own headers to the TCP/IP packet itself; ESP also adds an Initialization Vector (IV) and a trailer. The size of this additional data depends on the IPsec protocol and the mode used. Fig. 2 shows the ESP protocol overhead for the tests that we conducted.

Outer IP header (20 Bytes) | ESP header (16 Bytes) | IP packet (42 - 1500 Bytes) | ESP trailer (14 - 45 Bytes)

Fig. 2. IPsec overhead with ESP protocol in tunnel mode.

ESP provides confidentiality protection using different encryption algorithms. In our tests we used the AES (Advanced Encryption Standard) algorithm with 256-bit cipher blocks. For every packet, the ESP trailer expands to a size that fits the AES cipher block size.
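The ESP tunnel-mode overhead of Fig. 2 can be worked through numerically; the following Python is an added example, not code from the paper, strongSwan or Rockhopper. It takes the paper's field sizes (20-byte outer IP header, 16-byte ESP header, 32-byte cipher block alignment), assumes a 12-byte integrity check value, which reproduces the paper's 14 - 45 byte trailer range, and adds standard 10GbE framing (14-byte header, 4-byte FCS, 8-byte preamble, 12-byte inter-frame gap) to bound the tunneled packet rate and the plaintext goodput per inner packet size.

```python
# ESP tunnel-mode overhead model for 10GbE, following the layout of Fig. 2.
# Constructed example, not code from the paper, strongSwan or Rockhopper.
OUTER_IP_HDR = 20      # outer IPv4 header (Fig. 2)
ESP_HDR = 16           # SPI + sequence number + IV (Fig. 2)
BLOCK = 32             # cipher block alignment, 256 bits as stated in the paper
PAD_LEN_NEXT_HDR = 2   # ESP trailer "Pad Length" and "Next Header" fields
ICV = 12               # integrity check value; ASSUMPTION (HMAC-SHA1-96 size)
ETH_HDR_FCS = 18       # Ethernet header (14) + FCS (4)
PREAMBLE_IFG = 20      # preamble/SFD (8) + minimum inter-frame gap (12)
LINE_RATE_BPS = 10_000_000_000   # 10GbE


def esp_trailer(inner_len):
    """Trailer bytes = padding + 2 + ICV.

    Padding is chosen so that the encrypted region (inner IP packet plus the
    two trailer fields) is a whole number of cipher blocks; with BLOCK = 32
    and ICV = 12 this yields the 14-45 byte range shown in Fig. 2.
    """
    to_encrypt = inner_len + PAD_LEN_NEXT_HDR
    padded = -(-to_encrypt // BLOCK) * BLOCK      # round up to a block boundary
    return (padded - to_encrypt) + PAD_LEN_NEXT_HDR + ICV


def esp_tunnel_size(inner_len):
    """Size of the outer IP packet after ESP tunnel-mode encapsulation."""
    return OUTER_IP_HDR + ESP_HDR + inner_len + esp_trailer(inner_len)


def max_pps(inner_len):
    """Upper bound on tunneled packets per second at 10GbE line rate."""
    wire_bytes = esp_tunnel_size(inner_len) + ETH_HDR_FCS + PREAMBLE_IFG
    return LINE_RATE_BPS / (wire_bytes * 8)


def goodput_gbps(inner_len):
    """Plaintext (inner IP) bits delivered per second at line rate, in Gbps."""
    return max_pps(inner_len) * inner_len * 8 / 1e9


if __name__ == "__main__":
    for inner in (42, 62, 63, 64, 512, 1500):
        size = esp_tunnel_size(inner)
        # Tunnel packets larger than the standard 1500-byte MTU would be
        # fragmented or need a reduced inner MTU / MSS on the real link.
        note = " (exceeds 1500 B MTU)" if size > 1500 else ""
        print(f"inner {inner:4d} B: trailer {esp_trailer(inner):2d} B, "
              f"ESP packet {size:4d} B, max {max_pps(inner) / 1e6:5.2f} Mpps, "
              f"goodput {goodput_gbps(inner):5.2f} Gbps{note}")
```

For 64-byte inner packets the model gives a 144-byte ESP packet and roughly 6.9 Mpps at line rate, so the sub-0.5 Mpps figures reported later for both implementations are a property of the software, not of the wire.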
[Fig. 7: strongSwan and Rockhopper throughput in Gbps for 4 data flows, together with the maximal possible throughput]

Fig. 7. StrongSwan and Rockhopper Gbps values for 4 data flows, together with the maximal possible throughput.

The throughputs of Fig. 6 measured in Gbps are presented in Fig. 7. The minimal and maximal data rates of strongSwan are 0.9 Gbps for 64 B packets and 4.2 Gbps for 1500 B packets, respectively. The minimal and maximal data rates of Rockhopper are 0.01 Gbps for 64 B packets and 0.64 Gbps for 1500 B packets, respectively. The maximal degradation of network kernel performance caused by strongSwan is 84.5 %, and the maximal degradation caused by Rockhopper is 98.7 %.

The encryption algorithms used in the IPsec protocol require intensive processing, and many commercial IPsec routers use hardware acceleration modules to achieve the required speeds. There are also software routers that optimize IPsec with GPU cards, which are well suited for cryptographic processing [7]. Paper [8] explores PacketShader, a high-performance software router framework, in combination with the massively parallel processing power of the GPU to address the CPU bottleneck in current software routers. The results of initial tests with CPU-only IPsec packet processing on the optimized RouteBricks software framework are 1.9 Gbps for 64 B and 6.1 Gbps [9]. They were able to outperform RouteBricks by a factor of 3.5 regardless of packet size. Paper [10] proposed exploiting parallelism to scale the RouteBricks software router, and achieved 1.4 Gbps for 64 B on a single RouteBricks router. In all these cases, simplified IPsec processing was assumed, and it was shown that it demands large computing resources, so that the CPU becomes a bottleneck in the packet processing path through the system.

StrongSwan uses AH and ESP protocol that are

VII. CONCLUSION

We examined how the IPsec overhead affects the maximal packet throughput on 10 Gbps links. The IPsec protocol overhead depends on the protocols used (AH or ESP) and on the encryption algorithms. We presented and tested two different types of VPN software implementation, strongSwan and Rockhopper. These two IPsec software packages comprise a complete set of IPsec algorithms and options, and can be used in practice. The extent of the performance degradation caused by the IPsec functionality of strongSwan and Rockhopper was analyzed. Both implementations have unacceptably low performance for the shortest packets, less than 0.5 Mpps. However, strongSwan can achieve 4 Gbps for the largest packets. StrongSwan has much better performance than Rockhopper, as it is implemented in the kernel. The performance of Rockhopper, which is implemented in user space, might be improved by bypassing the kernel with software such as DPDK and netmap, and by utilizing the optimization mechanisms of different encryption algorithms.

ACKNOWLEDGMENT

This work was supported by the Serbian Ministry of Science and Education (project TR-32022), and the companies Telekom Srbija and Informatika.

REFERENCES

[1] "RFC4301: Security Architecture for the Internet Protocol," Network Working Group of the IETF, 2005. [Online]. Available: http://tools.ietf.org/html/rfc4301#page-4. [Accessed 2016].
[2] E. Guillen, A. M. Sossa and E. P. Estupiñán, "Performance Analysis over Software Router vs. Hardware Router: A Practical Approach," in World Congress on Engineering and Computer Science WCECS, San Francisco, 2012.
[3] A. Steffen, "strongSwan," Institute for Internet Technologies and Applications, 2005. [Online]. Available: https://www.strongswan.org/. [Accessed 2016].
[4] T. Hanada, "Rockhopper VPN," 2011. [Online]. Available: http://rockhoppervpn.sourceforge.net/. [Accessed 2016].
[5] L. Rizzo, "netmap: a novel framework for fast packet I/O," in USENIX Annual Technical Conference, 2012.
[6] "DPDK - Data Plane Development Kit," Intel, 2011. [Online]. Available: http://dpdk.org/. [Accessed 2016].
[7] O. Harrison and J. Waldron, "Practical Symmetric Key Cryptography on Modern Graphics Hardware," in USENIX Security Symposium, Dublin, 2009.
[8] S. Han, K. Jang, K. Park and S. Moon, "PacketShader: a GPU-Accelerated Software Router," in SIGCOMM, New Delhi, 2010.
[9] "RouteBricks," 2009. [Online]. Available: http://routebricks.org/. [Accessed 2016].
[10] M. Dobrescu, N. Egi and K. Argyraki, "RouteBricks: Exploiting Parallelism To Scale Software Routers," Intel Labs Berkeley, Lausanne, 2008.
[11] "Intel® Data Protection Technology with AES-NI and Secure Key," Intel Corporation, 2016. [Online]. Available: http://goo.gl/N6lsPi. [Accessed 2016].