
whitepaper

IPSec Virtual Private Networks


Conformance and
Performance Testing
Contents
Abstract .....................................................................................................................................3
Introduction ..............................................................................................................................3
VPNs and IPSec Technology ....................................................................................................3
Benefits of IPSec VPN technology ....................................................................................4
What is IPSec? ..........................................................................................................................5
IPSec security services ......................................................................................................5
How IPSec works ...............................................................................................................5
IPSec VPN Challenges ..............................................................................................................6
Why Test for IPSec Conformance? ..........................................................................................6
Why Test for Scalability and Performance? ............................................................................7
IPSec Testing Challenges .........................................................................................................7
Conformance testing challenges ......................................................................................7
Scalability and performance testing challenges .............................................................8
Test solution requirements ...............................................................................................8
Ixia’s Approach to IPSec Testing .............................................................................................9
IPSec conformance ...........................................................................................................9
IPSec scalability and performance ...................................................................................9
Tunnel capacity testing methodology ..............................................................................9
Tunnel setup rate testing methodology ...........................................................................9
Data performance testing methodology ..........................................................................9
Conclusion ............................................................................................................................. 10
Appendix: IPSec Testing—an Example Test Plan ................................................................. 11
1. IPSec conformance test ............................................................................................. 11
2. Tunnel scalability test ................................................................................................ 13
3. Tunnel setup rate test ............................................................................................... 15
4. Re-key tests ................................................................................................................ 18
5. Data performance test .............................................................................................. 19
Glossary ................................................................................................................................. 21
Acknowledgements ............................................................................................................... 22

Copyright © 1998-2003 Ixia. All rights reserved.

The information in this document is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Ixia. Ixia assumes no responsibility or liability for any errors or inaccuracies that may appear in this document. Ixia and the Ixia logo are trademarks of Ixia. All other companies, product names, and logos are trademarks or registered trademarks of their respective holders.

Ixia
26601 W. Agoura Road
Calabasas, CA 91302
Phone: (818) 871-1800
Fax: (818) 871-1805
Email: info@ixiacom.com
Internet: www.ixiacom.com

2 November 2003 Copyright © Ixia, 2003 IPSec VPNs: Conformance and Performance Testing
IPSec Virtual Private Networks: Conformance and Performance Testing

Abstract

With IPSec VPN technology, organizations can use the public Internet as the backbone for their communications network infrastructure, achieving global reach and significant cost savings, while maintaining the security of internal communications. However, successful IPSec product development and implementation present specific challenges: maintaining IPSec protocol conformance and managing the effect of IPSec VPNs on network performance. These challenges are best addressed by an appropriate testing methodology, as demonstrated by Ixia’s approach to IPSec conformance and performance testing.

Introduction

Organizations invest significantly in their communications and information infrastructures, and for good reason. Advanced network applications and globalization now enable, and require, these infrastructures to support complex world-wide networks for enterprise businesses, governments, and the military. The cost of maintaining and upgrading these infrastructures continues to grow, driven by:

• The need for pervasiveness: world-wide organizations require global access to their networks.
• The need to maintain the security, privacy, and reliable performance of communications across the growing network.

This accelerating cost has fueled the search for an alternative to privately owned communications infrastructures. At the same time, the Internet’s rapid growth offers tantalizing potential as the backbone of such an alternative. Organizations that have traditionally maintained private, closed systems have begun to look at the potential of the Internet as a ready-made resource. The Internet is inexpensive, and globally pervasive: every phone jack on earth is a potential terminus. What the Internet has lacked as a business network is security. IPSec virtual private network technology surmounts that obstacle, and has proved an increasingly popular way for organizations to leverage the Internet infrastructure, and to use that resource securely.

VPNs and IPSec Technology

For an organization, internal communication must be private—reliably and demonstrably so. The Internet is, of course, anything but private.

Virtual private networks, or VPNs, create secure connections, called tunnels, through public shared communication infrastructures like the Internet. These tunnels are not physical entities, but logical constructs, created using encryption, security standards, and protocols.

As these standards and protocols have continued to evolve, various VPN technologies have emerged. IPSec VPNs are at the forefront of current secure VPN technologies.

Figure 1. IPSec VPNs establish secure tunnels through the public Internet.
Benefits of IPSec VPN technology

Secure IPSec VPN connections through the Internet result in tremendous savings over the cost of a private WAN connection, leased lines, or long distance phone charges. IPSec VPNs can also increase an organization’s productivity.

• Through an IPSec VPN, an organization can grant restricted network access to business partners, customers, or vendors, dramatically increasing the efficiency and speed of business-to-business communications, sales and order processing, and customer service management.
• Home-office workers, telecommuters, and in-the-field sales and service workers can access the corporate network resources securely and economically with IPSec VPN remote access through the public Internet.
• Global, economical access to an organization’s network extends the organization’s reach to markets formerly too remote or small to target or service profitably.

These benefits have made IPSec VPN solutions increasingly popular with global organizations. This represents a growing, and potentially huge, market for manufacturers and providers of VPN-related products and services.

What is IPSec?

IPSec is a set of open standards and protocols for creating and maintaining secure communications over IP networks. IPSec VPNs use these standards and protocols to ensure the privacy and integrity of data transmission and communications across public networks like the Internet.

IPSec security services

IPSec establishes standards for a range of services to address security risks for all IP traffic across the public network:

• Confidentiality. Encryption protects the privacy of communications even if they are intercepted.
• Access control. Access to IPSec VPN private communications is restricted to authorized users.
• Authentication. Authentication verifies the source of received data (data origin authentication), and confirms that the original IP packet was not modified in transit (connectionless data integrity).
• Rejection of replayed packets. An anti-replay service counters a replay attack based on an attacker's intercepting a series of packets and then replaying them.
• Limited traffic flow confidentiality. Inner IP headers can be encrypted to conceal the identities of the traffic source and destination (beyond the security gateways).

How IPSec works

Before two devices can establish an IPSec VPN tunnel and communicate securely through it, they must agree on the security parameters to use during communication, establishing what is called a security association (SA). The SA specifies the authentication and encryption algorithms to be used, the encryption keys to be used during the session, and how long the keys and the security association itself are maintained. The Internet Key Exchange (IKE) protocol is used to set up the security associations needed for secure communication through an IPSec VPN.

In the negotiation process, one IPSec endpoint acts as an initiator and the other as a responder. The initiator offers the set of authentication, encryption and other parameters that it is ready to use with the other endpoint. The responder tries to match this list against its own list of supported techniques. If there is any overlap, it responds with the common subset. The initiator chooses one combination of techniques from the responder and they proceed with the negotiated setting. IKE negotiation has two phases:

• Phase 1 allows two security gateways to authenticate each other and establish communication parameters for Phase 2 communications. At the end of Phase 1, a Phase 1 Security Association (IKE SA) is established.
• Phase 2 allows two security gateways to agree on IPSec communications parameters on behalf of their respective hosts. At the end of Phase 2, an IPSec SA is established.

IPSec uses two protocols to establish security services: the Authentication Header (AH) and Encapsulating Security Payload (ESP).

AH. The Authentication Header provides connectionless data integrity and data origin authentication for IP packets. It includes a cryptographic checksum over the entire packet. The receiver uses this checksum to verify that the packet has not been tampered with.

ESP. The Encapsulating Security Payload provides confidentiality for IP traffic through encryption. Current standard IPSec encryption algorithms include the Triple Data Encryption Standard (3DES), and the Advanced Encryption Standard (AES).
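The proposal-matching step described above (initiator offers a list, responder returns the common subset, initiator picks one) as an added example; this is not Ixia's code and not the IKE wire format. The proposal fields, the option lists, and the rule that the initiator's offered order is its preference order are assumptions of the example; the empty-overlap case is the negotiation failure a conformance test has to exercise.

```python
"""Added example (not Ixia's code): the parameter negotiation model described
in 'How IPSec works'. Proposal fields and option names are assumptions."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "3DES", "AES-128", "AES-256"
    integrity: str    # e.g. "MD5", "SHA-1"
    dh_group: int     # Diffie-Hellman group, e.g. 2 or 5


def build_proposals(encryptions, integrities, dh_groups):
    """Every combination an endpoint is willing to use, in the order given
    (first list entries are the most preferred)."""
    return [Proposal(e, i, g) for e, i, g in product(encryptions, integrities, dh_groups)]


def responder_match(offered, supported):
    """Responder side: keep only the offered proposals it also supports,
    preserving the initiator's order. Empty result means no overlap."""
    supported_set = set(supported)
    return [p for p in offered if p in supported_set]


def initiator_choose(common, preference):
    """Initiator side: take the first proposal of its own preference list that
    the responder accepted; None when the common subset is empty."""
    common_set = set(common)
    for p in preference:
        if p in common_set:
            return p
    return None


def negotiate(initiator_offer, responder_supported):
    """Full exchange: returns the agreed Proposal, or None on failure."""
    common = responder_match(initiator_offer, responder_supported)
    return initiator_choose(common, initiator_offer)


# Constructed endpoints: the initiator prefers AES-256/SHA-1/DH5; the responder
# only supports 3DES and AES-128 with SHA-1 and DH group 2.
INITIATOR_OFFER = build_proposals(["AES-256", "AES-128", "3DES"], ["SHA-1", "MD5"], [5, 2])
RESPONDER_SUPPORTED = build_proposals(["3DES", "AES-128"], ["SHA-1"], [2])
```

Running `negotiate(INITIATOR_OFFER, RESPONDER_SUPPORTED)` yields AES-128/SHA-1/DH2, the strongest common option in the initiator's order; a responder with no overlapping options makes `negotiate` return None, which is the failure path a negative test case targets.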

Besides confidentiality, ESP also provides authentication and anti-replay capabilities. Unlike AH, the authentication services of ESP do not protect the IP header of the packet. Most IPSec VPN implementations today use ESP.

AH and ESP may be used separately or together. How they are used depends on the IPSec mode: Transport mode or Tunnel mode. Client-to-LAN connections typically use Transport mode, while LAN-to-LAN connections typically use Tunnel mode.
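The anti-replay service that the security-services list and the ESP paragraph mention is implemented on the receiver as a sliding window over sequence numbers. The following is an added example, not Ixia's code, modelled on the 64-packet window scheme of RFC 2401; the window size, the assumption that sequence numbers start at 1, and the arrival order fed through it are all constructed for the example.

```python
"""Added example (not Ixia's code): a receiver-side anti-replay window of the
kind ESP relies on, modelled on RFC 2401's sliding window. Window size and
the constructed arrival order are assumptions of this example."""


class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the `size`
    most recent numbers. Each number is accepted at most once; numbers that
    fall behind the window are rejected as too old."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set: sequence (highest - i) was seen
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq <= 0:
            return False                          # 0 is never a valid sequence number
        if seq > self.highest:                    # new high: slide the window forward
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                   # everything older fell out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                          # too old: behind the window
        if self.bitmap & (1 << offset):
            return False                          # already seen: a replay
        self.bitmap |= 1 << offset                # late but new: accept and mark
        return True


# Constructed arrival order: in-order packets, a duplicate, an old replay,
# a jump that slides the window, then packets just outside and just inside it.
ARRIVALS = [1, 2, 3, 3, 1, 70, 5, 6, 7, 70, 200, 199, 136, 137]


def accepted_flags(arrivals=ARRIVALS, size: int = 64):
    """Run an arrival sequence through one window; True means accepted."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(seq) for seq in arrivals]
```

With the 64-packet window, `accepted_flags()` rejects the duplicate 3, the replayed 1 and 70, and the packets 6 and 136 that sit exactly one slot behind the window, while accepting the late-but-new 7, 199 and 137. A test tool emulating the receiver needs exactly this bookkeeping to count replayed packets as rejected rather than as loss.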

IPSec VPN Challenges

As discussed earlier, cost savings and ubiquitous access make a compelling case for IPSec VPNs. The IPSec market has grown rapidly in the last few years and promises to grow even more rapidly. However, for the vendors of IPSec VPN equipment, for service providers, and for organizations deploying IPSec VPNs, significant technical issues remain.

To begin with, the dynamic nature of IPSec implementations requires IPSec gateway vendors to continually verify their implementations’ compliance with standards to ensure correctness and interoperability. Performance and scalability must also be constantly upgraded and verified to satisfy the growing needs of the IPSec VPN industry.

Managed service providers and network managers must deal with the impact of IPSec VPNs on the performance of applications across the network, and with the interoperability of network elements and services in a multi-vendor environment.

These issues need to be adequately addressed by the IPSec community to ensure rapid growth. The IETF is in the process of updating some of the protocols used with IPSec VPNs (for instance, a newer version of IKE — called IKEv2). These present new and ongoing challenges to the IPSec community.

Why Test for IPSec Conformance?

While the IETF has specified the IPSec protocol standards for several years, early implementations were not completely standards-based and did not interoperate. For implementers of IPSec VPN services this is no longer acceptable.

From the IPSec gateway vendor’s perspective, service providers and network managers require conformance to standards, often verifying this themselves to ensure interoperability. In a competitive market, vendors cannot afford to be proven wrong by their customers. Beyond ensuring interoperability, conformance testing provides vendors with significant benefits that are often overlooked. Conformance testing not only ensures the quality of the product, but also accelerates the product development — catching a bug, or correcting a design upstream in the development cycle, can have a huge effect on the product’s ultimate profitability.

For service providers and network managers, a multi-vendor environment is the reality, a reality that is unmanageable without standards-based implementations. Since they also upgrade their IPSec VPNs periodically, ensuring that upgrades don’t break an existing service becomes very important.

Not all conformance requirements are specific to IPSec, but the addition of IPSec protocols to the network increases the complexity of conformance testing, and the need for it.

Why Test for Scalability and Performance?

Scalability: IPSec requires that tunnels be set up between sites or clients and gateways before data can be sent. The number of users or sites the IPSec VPN service can scale to depends on how many of these tunnels the gateway can support. The maximum number of tunnels supported, or tunnel capacity, is a crucial metric vendors use to differentiate their products from the competition. A related, but often-overlooked metric, is tunnel setup rate, or the number of tunnels per second a device can establish. Tunnel capacity and setup rate are particularly important for large carrier-grade IPSec gateways with many sites or users.

Performance: Increased security comes at a performance cost, and security and performance are often traded off in IPSec implementations. IPSec can add latency and reduce throughput.

After the tunnels are set up, the IPSec gateways encrypt outbound traffic and decrypt traffic coming into the network. Encryption and decryption are by nature computationally intensive — this is partly why encrypted data stays secure. However, computational overhead means that the throughput through an IPSec tunnel is limited by the encryption and decryption capabilities of the gateways. In addition, encryption and decryption can add significant latency.

For IPSec gateway vendors, scalability and performance are competitive advantages that need to be measured. The move toward hardware-based, high performance systems makes these metrics more important than ever.

For service providers and network managers, scalability and performance top the list of vendor selection criteria, because they directly affect the quality of service. The increased latencies and decreased throughput resulting from IPSec implementation may disrupt a network’s current applications and reduce network performance in general.

To summarize, the key metrics derived from performance testing of IPSec systems are tunnel capacity and setup rates, latency, and throughput.

IPSec Testing Challenges

As noted in the previous two sections, conformance, scalability, and performance testing are important for IPSec gateway vendors and users alike. For development test and quality assurance groups, this presents difficult challenges.

Conformance testing challenges

IPSec implementations are dynamic. Several vendors are upgrading their early software-based implementations for higher performance and scalability. At the same time, they are updating their feature set to the latest standards and protocol options. This, combined with aggressive project schedules, means that development test and quality assurance groups need an efficient way to verify the correctness of implementations on an almost daily basis.

Multiple RFCs define the IPSec protocol suite, including IKE, AH, and ESP and several associated protocols and options. To achieve adequate test coverage, a conformance test needs to create several hundred test cases, and these test cases need to be updated constantly. Since the test cycles are very frequent (daily in some cases), they need to be completely automated with a scripting interface. And because the device under test (DUT) needs to be re-configured for each of the hundreds of test cases, there is also a need to script the configuration of the DUT and batch the tests.

To address these challenges, most vendors use a third-party product that is maintained and supported by a dedicated third-party team.

Scalability and performance testing challenges

First generation IPSec gateways were not designed for scalability or high performance, so basic functional testing and small-scale emulation — often with a PC — was adequate. However, as the scale of the testing has increased, performance testing with a PC has become both unmanageable and too expensive.

Another testing approach is to have two IPSec gateways back-to-back and use traffic generators on either side. This approach also suffers from a number of inadequacies. With a back-to-back setup or with PC-based testing, accurate latency measurements are difficult, especially when the testing involves per-tunnel, per-stage timing information. Back-to-back tests do not point out interoperability and timing problems that may exist with respect to other IPSec gateways.

To address these issues, an IPSec-aware testing solution is required. To be really useful, this test tool needs the following characteristics.

Test solution requirements

Basic requirements. The test tool should be able to emulate gateways and hosts, act as the IPSec initiator, and establish tunnels with the device under test (DUT). It should be able to measure capacity and rates accurately.

The test solution should be highly scalable. The higher end of the current generation of IPSec gateways requires a single test system to scale to hundreds to thousands of tunnels, establish hundreds of tunnels per second, and send Gigabits of encrypted data per second.

It should support all important IPSec options. Algorithms like AES 256 are increasingly becoming important. The test tool should support these new IPSec options.

It should create a mixture of IPSec options easily. Most IPSec gateways support a variety of encryption algorithms (3DES, AES), several Diffie-Hellman algorithms (DH2, DH5, etc.) and several hash algorithms (MD5, SHA-1). The test tool should allow the user to easily configure tunnels with a mix of all these algorithms to test for border conditions. For example, the user may want to create 100,000 tunnels — say, 50 different combinations, with 2,000 tunnels for each combination.

It should provide detailed per-phase and per-tunnel statistics. A key issue in performance testing is the granularity of the results. Aggregate statistics do not provide adequate information to isolate a problem. Latencies should be reported on a per-phase basis: latency for IKE SA creation as well as latency for IPSec SA creation. Similarly, statistics need to be collected on a per-tunnel basis to isolate problems with certain tunnels.

It should be able to send stateful traffic over the tunnels. Once the tunnels are created, encryption and decryption latency need to be measured separately to verify that each is within acceptable limits: the encryption and decryption performance of a DUT may differ. To measure this, the testing solution should be able to both encrypt and decrypt the data. For enterprise users of IPSec VPNs, the testing solution needs to emulate the various enterprise applications over the IPSec tunnels, to ensure that the additional overhead is not disrupting the applications.

It should be automated. Because complex test scenarios need to be repeated frequently, with every update to the DUT, automation is extremely important. Of course, in a manufacturing environment, automation is a must.

Ixia’s Approach to IPSec Testing

IPSec conformance

Ixia has addressed the challenges of protocol conformance testing by developing the industry standard conformance test suite, IxANVL (Ixia Automated Network Validation Library). The IxANVL IPSec suite contains over 500 test cases that include tests for IKE, AH and ESP, and supports a wide range of encryption and authentication algorithms, including 3DES, AES, Blowfish, MD5, and SHA. IxANVL provides positive as well as negative test cases.

IxANVL performs its tests as a dialog: it sends packets to the device being tested, receives the packets sent in response, and analyzes the response to determine the next action to take. This allows IxANVL to test complicated situations or reactions in a much more intelligent and flexible way than can be done by simple packet generation and capture devices.

IxANVL can be completely automated using a command-line interface. IxANVL source code is also available to users for customization, allowing for greater flexibility.

IPSec scalability and performance

Ixia developed its IxVPN product as a solution for VPN performance testing. IxVPN uses Ixia’s purpose-built hardware and provides an extremely extensible solution for validating the scalability and performance of the next generation of IPSec devices and networks. IxVPN emulates IPSec gateways initiating tunnels on one side of the DUT and hosts on the other side, as shown in Figure 2. Each Ixia port can emulate thousands of IPSec secure gateways — each with unique source IP and MAC addresses — creating realistic scenarios.

IxVPN makes it very easy to configure a large number of tunnels with varying IPSec parameters. Users can assign a percentage distribution to each option, and the application will automatically create the corresponding mix of IPSec tunnels.

Tunnel capacity testing methodology

To measure the tunnel capacity, the IxVPN initiator ports request tunnels sequentially until a user-defined number of tunnels fail.

Tunnel setup rate testing methodology

Tunnel setup rate is measured by sending a user-definable number of simultaneous tunnel requests. As more tunnels are set up, the rate is measured as a function of the number of tunnels already established.

All statistics, including capacity and tunnel setup rates, are presented in real-time at a fine granularity. Performance statistics are measured on a per-phase, per-tunnel basis. To assist users in initial troubleshooting, IxVPN also provides protocol message level debug information — again, on a per-tunnel basis.

Data performance testing methodology

Once the tunnels are established, stateful application data is sent over the tunnels using Chariot. The Chariot software mimics the traffic patterns of over 125 popular enterprise transactions. This gives a definitive assessment of how the deployment of IPSec will affect mission-critical applications.

Figure 2. IxVPN network model.

Conclusion

With IPSec VPN technology, the public Internet can serve as the backbone of an organization’s communications infrastructure, enabling the organization to realize significant savings and productivity gains. The growing popularity of IPSec VPNs establishes an important market for vendors of IPSec-related products and services.

However, in practice, IPSec technology is successful only if the impact of IPSec on network performance is managed. IPSec affects network throughput and adds latencies that can disrupt networked applications. IPSec implementations must also conform to standards, to ensure that IPSec network elements and applications interoperate in a multivendor environment.

To manage the impact of IPSec, the impact must be measured. For network managers and for vendors of IPSec-related products and services, a comprehensive and well designed conformance and performance testing solution is crucial to the success of IPSec VPN technology.

Appendix: IPSec Testing—an Example Test Plan

This appendix contains a brief plan for IPSec testing with specific examples showing how Ixia’s solutions address the challenges of IPSec testing.

1. IPSec conformance test

Objective: To characterize the DUT’s compliance to IETF standards.

Test setup: IxANVL IPSec test suite running a set of positive and negative test cases against the DUT.

Methodology: IxANVL tests interpret the IPSec RFCs and present a number of scenarios to test the DUT.
1. Select a set of test cases to run in IxANVL.
2. Configure the DUT with the corresponding IPSec parameters and IP addressing using a set of scripts.
3. Run IxANVL in a batch mode with the scripts re-configuring the DUT between tests to match the IxANVL test setup.

Results: Number of tests passed/failed.

Figure 3. IxANVL — configuring the device under test for conformance testing.

Figure 4. IPSec conformance testing in IxANVL — test cases.

Figure callouts: missing header packet; incorrect packet fragmentation.

Figure 5. IPSec conformance testing in IxANVL — journal.

2. Tunnel scalability test

Objective: To determine the maximum number of tunnels a DUT can set up.

Test setup: Ixia’s IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT (as shown in Figure 2).

Parameters: Varying IKE and IPSec protocols including different modes (tunnel mode and transport mode), varying Diffie-Hellman groups (dh1, dh2, dh5) and encryption protocols (3DES, AES 128 and AES 256).

Methodology:
1. Configure the DUT to accept tunnel requests from a number of peers.
2. In IxVPN, create a mix of IPSec tunnel parameters. Configure the DUT to match the crypto-parameters for each tunnel that IxVPN will initiate.
3. Set up tunnels sequentially against the DUT until a user-specified number of tunnels fail.
4. Repeat the test for multiple iterations.
5. Repeat the test with various mixes.

Result: Maximum number of tunnels that can be set up by the DUT with varying parameters (Figure 6 and Figure 7).

Figure 6. Tunnel capacity test results.

Figure 7. Tunnel capacity test results, graph view.

Creating mixes: example. As shown in Figure 8, the user can test a DUT with various combinations of IPSec tunnel parameters very quickly with IxVPN. While all combinations may not be used for a given deployment, the ability to create mixes quickly will be important to test border conditions.

Figure callout: creating a mix of IPSec tunnel parameters — in this case, 12 combinations have been set as roughly equal percentages of the whole.

Figure 8. Using IxVPN to set combinations of IPSec parameters for testing.
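Both the test-solution requirement that a tool "create a mixture of IPSec options easily" (100,000 tunnels as 50 combinations of 2,000) and the Figure 8 mix (12 combinations at roughly equal percentages) reduce to the same step: turning a percentage distribution over parameter combinations into exact per-tunnel counts. The following is an added example of that step, not IxVPN's code or file format; the combination naming, the largest-remainder rounding, and the round-robin ordering are this example's own choices, and the mixes are constructed to match the numbers the text quotes.

```python
"""Added example (not Ixia's code): allocate a percentage distribution over
IPSec parameter combinations to exact tunnel counts. Naming, rounding rule
and ordering are assumptions of this example."""
from itertools import product


def combinations(modes, dh_groups, encryptions):
    """Every mode x Diffie-Hellman group x encryption combination, as a name."""
    return [f"{m}/dh{g}/{e}" for m, g, e in product(modes, dh_groups, encryptions)]


def allocate(total, weights):
    """Largest-remainder apportionment: weights maps a combination to its share
    (percentages or any non-negative weights). Returns integer counts that sum
    to exactly total, so rounding neither loses nor duplicates a tunnel."""
    if total < 0 or not weights or any(w < 0 for w in weights.values()):
        raise ValueError("total must be >= 0 and weights non-negative")
    total_weight = sum(weights.values())
    if total_weight == 0:
        raise ValueError("at least one weight must be positive")
    raw = {k: total * w / total_weight for k, w in weights.items()}
    counts = {k: int(v) for k, v in raw.items()}          # floor of each share
    leftover = total - sum(counts.values())               # 0 <= leftover < len(weights)
    # hand the leftover tunnels to the entries with the largest fractional parts
    by_fraction = sorted(raw, key=lambda k: raw[k] - counts[k], reverse=True)
    for k in by_fraction[:leftover]:
        counts[k] += 1
    return counts


def interleaved_plan(counts):
    """Per-tunnel parameter sequence, round-robin across combinations, so the
    DUT sees the whole mix from the first request instead of one combination
    at a time (an ordering choice of this example)."""
    pending = dict(counts)
    plan = []
    while any(pending.values()):
        for k in list(pending):
            if pending[k] > 0:
                plan.append(k)
                pending[k] -= 1
    return plan


# The two mixes the page mentions, constructed here.
TWELVE_WAY = combinations(["tunnel", "transport"], [2, 5], ["3DES", "AES-128", "AES-256"])
EQUAL_100K = allocate(100_000, {c: 100 / 12 for c in TWELVE_WAY})
FIFTY_WAY = allocate(100_000, {f"combo{i:02d}": 2 for i in range(50)})
```

`EQUAL_100K` gives eight combinations 8,333 tunnels and four 8,334, summing to exactly 100,000, which is the "roughly equal percentages" of Figure 8 made concrete; `FIFTY_WAY` reproduces the 50 x 2,000 split from the requirements section. Feeding `interleaved_plan(EQUAL_100K)` to a tunnel initiator exercises every combination at every load level, which is what "border conditions" testing needs.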

3. Tunnel setup rate test

Objective: To determine the rate at which the DUT can set up IPSec tunnels under varying conditions.

Test setup: Ixia’s IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT (as shown in Figure 2).

Parameters: Varying IKE and IPSec protocols (as in the tunnel scalability test), as well as varying numbers of simultaneous requests to determine behavior under real-world conditions.

Methodology:
1. Configure the DUT to accept tunnel requests from a number of peers.
2. In IxVPN, create a mix of IPSec tunnel parameters. Configure the DUT to match the crypto-parameters for each tunnel IxVPN will initiate.
3. Initiate a number of simultaneous tunnel requests from IxVPN and measure setup rates with each set of requests.
4. Continue to set up new tunnels with varying numbers of simultaneous tunnel requests until a user-specified number of tunnels fail (as the DUT reaches capacity).
5. Repeat the test for multiple iterations and with varying mixes.

Result: Tunnel setup rate as a function of established tunnels on the DUT. As shown in Figure 9, the rate drops significantly as the number of established tunnels increases.

Figure callout: tunnel setup rate drops as the number of established tunnels increases.

Figure 9. IxVPN tunnel setup rate test, single iteration.

Figure 10. IxVPN tunnel setup rate test, aggregated results.

Figure callout: latency is broken out by phase, and shown cumulatively.

Figure 11. IxVPN setup rate test, statistics.

Figure callouts: data view filters enable testers to find problematic parameters quickly; each row shows statistics for a single tunnel; message-level detail for tunnel ixtun0000.

Figure 12. IxVPN per-phase, per-tunnel statistics.


Figure 12 shows statistics on a per-phase,
per-tunnel basis. By using the data view
filters, users can quickly see if certain
tunnel parameters are causing
performance problems.
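The per-phase, per-tunnel statistics, the sequential capacity result and the setup-rate-versus-established-tunnels curve that the requirements section, the methodology sections and appendix tests 2 and 3 describe are all derived from the same per-tunnel records. The following added example (not IxVPN's code or output format) computes all three from constructed records; the record layout, the `ixtunNNNN` naming taken from the figure, the three parameter mixes and the latencies are assumptions built so that one mix is visibly the problem, which is what the data view filter in Figure 12 is for.

```python
"""Added example (not Ixia's code): per-phase, per-tunnel statistics, a
sequential capacity result, and a setup-rate curve computed from constructed
tunnel records. Record layout and sample values are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class TunnelRecord:
    tunnel: str                  # tunnel name, e.g. "ixtun0000"
    params: str                  # parameter combination requested for this tunnel
    t_start: float               # seconds: when the IKE Phase 1 request was sent
    phase1_ms: Optional[float]   # IKE SA (Phase 1) latency; None if Phase 1 failed
    phase2_ms: Optional[float]   # IPSec SA (Phase 2) latency; None if Phase 2 failed

    @property
    def established(self) -> bool:
        return self.phase1_ms is not None and self.phase2_ms is not None

    @property
    def t_done(self) -> float:
        # Only meaningful for established tunnels.
        return self.t_start + (self.phase1_ms + self.phase2_ms) / 1000.0


def make_sample(n: int = 60):
    """Constructed data (not measurements): tunnels requested 10 per second
    across three mixes; the AES-256/dh5 mix is slow in Phase 2 and fails
    once 40 tunnels have been requested."""
    combos = ["3DES/dh2", "AES-128/dh2", "AES-256/dh5"]
    records = []
    for i in range(n):
        combo = combos[i % 3]
        phase1 = 20.0 + 0.5 * i                      # Phase 1 slows gently with load
        if combo == "AES-256/dh5":
            phase2 = None if i >= 40 else 80.0 + 2.0 * i
        else:
            phase2 = 15.0 + 0.5 * i
        records.append(TunnelRecord(f"ixtun{i:04d}", combo, 0.1 * i, phase1, phase2))
    return records


def per_phase_stats(records):
    """Per parameter combination: mean Phase 1 and Phase 2 latency over the
    tunnels that came up, plus the failure count. Grouping by parameters is
    the 'data view filter' that points at a problematic mix."""
    groups = defaultdict(list)
    for r in records:
        groups[r.params].append(r)
    stats = {}
    for params, rs in groups.items():
        ok = [r for r in rs if r.established]
        stats[params] = {
            "phase1_ms": mean(r.phase1_ms for r in ok) if ok else None,
            "phase2_ms": mean(r.phase2_ms for r in ok) if ok else None,
            "failed": len(rs) - len(ok),
        }
    return stats


def worst_combination(records) -> str:
    """The parameter mix with the most failures (ties broken by Phase 2 latency)."""
    stats = per_phase_stats(records)
    return max(stats, key=lambda p: (stats[p]["failed"], stats[p]["phase2_ms"] or 0.0))


def capacity(records, max_failures: int) -> int:
    """Tunnel capacity as the page defines it: request tunnels in order and
    count the ones established before max_failures requests have failed."""
    established = failed = 0
    for r in sorted(records, key=lambda r: r.t_start):
        if r.established:
            established += 1
        else:
            failed += 1
            if failed >= max_failures:
                break
    return established


def setup_rate_curve(records, window_s: float = 1.0):
    """Setup rate as a function of tunnels already established: for each
    window of window_s seconds, (tunnels established before the window,
    tunnels completed per second inside it)."""
    done = sorted(r.t_done for r in records if r.established)
    curve = []
    if not done:
        return curve
    t0, before, idx = done[0], 0, 0
    while idx < len(done):
        count = 0
        while idx < len(done) and done[idx] < t0 + window_s:
            count += 1
            idx += 1
        curve.append((before, count / window_s))
        before += count
        t0 += window_s
    return curve
```

On the sample, `per_phase_stats` shows the two DH2 mixes with no failures and AES-256/dh5 with seven, so `worst_combination` names it; `capacity(records, 5)` stops at the fifth failure and reports 49 tunnels, the way the sequential capacity test in appendix test 2 stops after a user-specified number of failures; `setup_rate_curve` yields the (established, tunnels/s) points that Figure 9 plots.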

4. Re-key tests

Objective: To determine the long-term stability of the DUT with re-keying, and the rate at which the DUT can re-key.

Test setup: Ixia’s IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT (as shown in Figure 2).

Parameters: Varying tunnel lifetimes and re-key intervals with various IKE and IPSec protocols.

Methodology:
1. Establish a number of tunnels against the DUT using IxVPN.
2. In IxVPN, configure the lifetime and re-key intervals to initiate re-keying.
3. At the specified re-key interval, IxVPN will initiate the re-key and measure any failures and also the rate at which the re-key is done by the DUT.
4. Repeat the test for multiple iterations and varying re-key intervals and parameters.

Results: Number of re-key failures and re-key rate.

Figure callout: re-keying statistics and latencies.

Figure 13. IxVPN re-keying test options and report.
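As an added example of how the re-key results are evaluated (not IxVPN code or its report format), the Python script below classifies a constructed re-key event log against a constructed SA lifetime and re-key interval. A re-key that never completes, or that completes only after the old SA's lifetime has run out, is counted as a failure because the tunnel carries no traffic until a new SA exists; the remaining events give the re-key latency and the DUT's sustained re-key rate, and a last check tells the tester whether the chosen interval leaves enough margin for the slowest observed re-key.

```python
"""Re-key stability analysis for an IPSec SA lifetime / re-key interval pair.

Added example, not IxVPN code: the lifetime, interval and event log below are
constructed.  A re-key that does not complete before the old SA's hard lifetime
expires is counted as a failure, because traffic on that tunnel is dropped
until a new SA exists.
"""
from statistics import mean

LIFETIME_S = 300        # hard SA lifetime negotiated in IKE (constructed)
REKEY_INTERVAL_S = 270  # SA age at which the emulated peer initiates re-keying (constructed)

# Constructed re-key log: (tunnel, re-key initiated at s, completed at s or None)
REKEY_LOG = [
    ("ixtun0000", 270.0, 270.4),
    ("ixtun0001", 270.0, 271.1),
    ("ixtun0002", 270.0, None),    # DUT never completed the exchange
    ("ixtun0003", 270.0, 305.0),   # completed, but after the old SA had expired
    ("ixtun0000", 540.4, 541.0),
    ("ixtun0001", 541.1, 541.9),
]

def rekey_margin_s(lifetime_s=LIFETIME_S, interval_s=REKEY_INTERVAL_S):
    """Time left, after re-keying starts, before the old SA's lifetime runs out."""
    if interval_s >= lifetime_s:
        raise ValueError("re-key interval must be shorter than the SA lifetime")
    return lifetime_s - interval_s

def classify(event, lifetime_s=LIFETIME_S, interval_s=REKEY_INTERVAL_S):
    """'ok', 'timeout' (never completed) or 'late' (completed after expiry)."""
    _, started, completed = event
    if completed is None:
        return "timeout"
    if completed - started > rekey_margin_s(lifetime_s, interval_s):
        return "late"
    return "ok"

def summarize(log, lifetime_s=LIFETIME_S, interval_s=REKEY_INTERVAL_S):
    """Failure counts, re-key latency and the DUT's sustained re-key rate."""
    kinds = {"ok": 0, "timeout": 0, "late": 0}
    latencies, ok_events = [], []
    for ev in log:
        kind = classify(ev, lifetime_s, interval_s)
        kinds[kind] += 1
        if kind == "ok":
            ok_events.append(ev)
            latencies.append(ev[2] - ev[1])
    span = (max(e[2] for e in ok_events) - min(e[1] for e in ok_events)) if ok_events else 0.0
    return {
        "rekeys_ok": kinds["ok"],
        "failures": kinds["timeout"] + kinds["late"],
        "timeouts": kinds["timeout"],
        "late": kinds["late"],
        "latency_mean_s": mean(latencies) if latencies else None,
        "latency_max_s": max(latencies) if latencies else None,
        # successful re-keys per second over the measured span
        "rekey_rate_per_s": kinds["ok"] / span if span else 0.0,
    }

def interval_is_safe(log, lifetime_s=LIFETIME_S, interval_s=REKEY_INTERVAL_S):
    """True if the slowest completed re-key still fits inside the margin.

    Use it to decide whether a shorter re-key interval (a longer margin) is
    needed before the next iteration of the test.
    """
    observed = [e[2] - e[1] for e in log if e[2] is not None]
    return max(observed, default=0.0) <= rekey_margin_s(lifetime_s, interval_s)

if __name__ == "__main__":
    print("margin:", rekey_margin_s(), "s")
    for ev in REKEY_LOG:
        print(ev[0], classify(ev))
    print(summarize(REKEY_LOG))
    print("interval safe:", interval_is_safe(REKEY_LOG))
```

Running the analysis once per iteration, with the interval varied as step 4 of the methodology describes, shows at what margin the late re-keys disappear and whether the timeouts persist regardless of interval, which separates a timing problem from a DUT re-key bug.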

5. Data performance test
Objective: To determine encryption and decryption performance of the DUT so that the impact of IPSec on application performance can be assessed. Key metrics are encryption and decryption throughput, latency, and loss.
Test setup: Once the tunnels are set up using IxVPN, the Chariot product is used to send data over the tunnels in a variety of traffic types.
Parameters: Varying application and transport protocols and packet sizes.
Methodology:
1. Set up a number of tunnels against the DUT using IxVPN with various parameters.
2. Set up Chariot end points on both the public and private side of the DUT.
3. Using the Chariot console, send data over each of the tunnels from the emulated gateway side as well as from the host side to measure encryption and decryption performance.
4. Repeat the test with varying packet sizes and IPSec parameters.
Results: Encryption and decryption throughput, latency, and loss. Chariot reports before and after establishment of IPSec tunnels, showing the impact of IPSec overhead on application traffic (Figure 14).

[Figure 14 annotation: addition of IPSec overhead reduces throughput]

Figure 14. Chariot data performance test: before and after addition of IPSec traffic.
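Part of the throughput reduction in Figure 14 is fixed by the protocol before the DUT's encryption speed enters into it. The Python script below, an added example that is not Chariot or IxVPN code, works out the ESP tunnel-mode bytes on the wire for a given inner packet size from the field sizes in RFC 2406 (new outer IP header, SPI and sequence number, IV, padding to the cipher block size, pad length and next header, and the 96-bit truncated HMAC authenticator), the fraction of link capacity left for the original packet, and the largest inner packet that still fits in the path MTU without fragmentation. The packet sizes, cipher list and MTU are assumptions; it ignores link-layer framing.

```python
"""ESP tunnel-mode overhead and goodput as a function of packet size.

Added example, not Chariot or IxVPN code.  The byte counts come from RFC 2406
(ESP) and the HMAC-MD5-96 / HMAC-SHA-1-96 authenticator (RFC 2403 / RFC 2404);
the packet sizes, cipher choices and MTU used below are assumptions.
"""
OUTER_IP_HDR = 20   # new IPv4 header prepended in tunnel mode
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)
ICV = 12            # 96-bit truncated HMAC authenticator

# cipher name -> (IV length, cipher block size), both in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}

def esp_tunnel_size(inner_ip_len, cipher="3des-cbc"):
    """Total bytes on the wire (IP layer) for one encapsulated inner IP packet.

    Payload + trailer is padded up to the cipher's block size, as the CBC
    modes require, so the overhead is not constant across packet sizes.
    """
    iv, block = CIPHERS[cipher]
    pad = (block - (inner_ip_len + ESP_TRAILER) % block) % block
    return OUTER_IP_HDR + ESP_HDR + iv + inner_ip_len + pad + ESP_TRAILER + ICV

def goodput_fraction(inner_ip_len, cipher="3des-cbc"):
    """Fraction of IP-layer link capacity that carries the original packet."""
    return inner_ip_len / esp_tunnel_size(inner_ip_len, cipher)

def max_inner_for_mtu(mtu=1500, cipher="3des-cbc"):
    """Largest inner IP packet whose ESP encapsulation still fits in the MTU.

    Anything larger is fragmented (or dropped if DF is set), which shows up in
    a data performance test as a loss or throughput cliff at that size.
    """
    n = mtu
    while n > 0 and esp_tunnel_size(n, cipher) > mtu:
        n -= 1
    return n

def overhead_table(sizes, cipher="3des-cbc", mtu=1500):
    """One row per packet size: wire size, goodput fraction, fragmentation flag."""
    rows = []
    for s in sizes:
        wire = esp_tunnel_size(s, cipher)
        rows.append({
            "inner": s,
            "wire": wire,
            "overhead": wire - s,
            "goodput": round(goodput_fraction(s, cipher), 3),
            "fragments": wire > mtu,
        })
    return rows

if __name__ == "__main__":
    for cipher in CIPHERS:
        print(cipher, "largest unfragmented inner packet:", max_inner_for_mtu(1500, cipher))
        for row in overhead_table([64, 128, 512, 1400, 1500], cipher):
            print("  ", row)
```

The small-packet rows are the ones to compare against the Chariot before/after numbers: a 64-byte packet under 3DES-CBC leaves roughly half of the link for payload before any DUT limitation is measured, so a throughput drop of that size at small packet sizes is protocol overhead, not a slow DUT.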

Glossary

Advanced Encryption Standard (AES): A new, faster, and more secure standard encryption algorithm, defined by the National Institute of Standards and Technology (NIST).

Authentication Header (AH): IPSec uses two protocols to establish security services, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The AH is a security protocol, defined in RFC 2402, which provides data authentication and optional anti-replay services. AH ensures the integrity and data origin authentication of the IP datagram as well as the invariant fields in the outer IP header. See also Encapsulating Security Payload (ESP).

Data Encryption Standard (DES): The Data Encryption Standard (DES) is a standard for a 56-bit encryption key; an older standard, it can be susceptible to brute force attacks. See also Triple Data Encryption Standard, Advanced Encryption Standard.

Diffie-Hellman: Developed by two mathematicians (Diffie and Hellman), this is a class of algorithms that implements public-private key cryptography.

Encapsulating Security Payload (ESP): IPSec uses two protocols to establish security services, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The ESP is a security protocol, defined in RFC 2406, which provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service and limited traffic flow confidentiality. The set of services provided depends on options selected at the time of security association (SA) establishment and on the location of the implementation in a network topology. ESP authenticates only headers and data after the IP header. See also Authentication Header, Security Association.

Hash Algorithm: A hash algorithm produces a unique fixed-length value from a variable-length message. It is used to calculate a checksum as part of the IPSec encryption process.

Internet Key Exchange (IKE): The Internet Key Exchange (IKE) protocol is used to set up the security associations needed for secure communication through an IPSec VPN. IKE provides authentication of the IPsec peers, negotiates IPsec security associations, and establishes IPsec keys. Note that IKE is an optional protocol within the IPsec framework and keys can also be manually configured.

Security Association (SA): Before two machines can establish an IPSec VPN tunnel and communicate securely through it, they must agree on the security parameters to use during communication, establishing what is called a security association (SA).

Security Gateway: An intermediate system, such as a router or firewall, that implements IPSec protocols for a device or network.

Triple Data Encryption Standard (Triple DES, or 3DES): The current encryption key standard for most business use, 3DES encrypts data three times with up to three different keys.
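The Python script below is an added illustration of three of the glossary entries working together, not IKE, IxVPN or any vendor's implementation code: a Diffie-Hellman agreement in which both peers arrive at the same shared secret although only the public values cross the wire, the derivation of keying material from that secret with an HMAC (modelled on IKE's SKEYID = prf(Ni_b | Nr_b, g^xy) for signature authentication in RFC 2409, with HMAC-SHA-1 as the prf), and the truncated HMAC-SHA-1-96 integrity check value of the kind AH and ESP carry, with the sequence number covered so that a tampered payload or an altered sequence number fails the check. The group (the Mersenne prime 2^61 - 1 with generator 5), the nonces, SPI and payload are constructed toy values with no real security; a real IKE exchange uses the MODP groups defined in RFC 2409.

```python
"""Diffie-Hellman agreement, HMAC-based key derivation and an ESP-style ICV.

Added example, not IKE or IxVPN code.  The group below is a toy (the Mersenne
prime 2**61 - 1, generator 5) chosen so the script runs instantly; it gives no
real security.  Production IKE uses the MODP groups defined in RFC 2409.
"""
import hashlib
import hmac
import secrets
import struct

P = 2**61 - 1   # toy prime modulus (constructed, NOT a real IKE group)
G = 5           # toy generator

def dh_private():
    """Fresh private exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2

def dh_public(priv):
    """g^x mod p, the value each peer sends in the clear."""
    return pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """(g^y)^x mod p; both sides compute the same number from different inputs."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value outside the group")
    return pow(peer_pub, priv, P)

def skeyid(nonce_i, nonce_r, shared):
    """Keying material derived like IKE's SKEYID = prf(Ni_b | Nr_b, g^xy)
    for signature authentication (RFC 2409), with HMAC-SHA-1 as the prf."""
    gxy = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()

def icv(auth_key, spi, seq, payload):
    """HMAC-SHA-1-96: the 160-bit MAC truncated to 96 bits, computed over the
    fields ESP authenticates (SPI, sequence number, payload)."""
    header = struct.pack("!II", spi, seq)
    return hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:12]

def verify_icv(auth_key, spi, seq, payload, tag):
    """Constant-time comparison so a forger learns nothing from timing."""
    return hmac.compare_digest(icv(auth_key, spi, seq, payload), tag)

def demo():
    """Run one agreement, derive a key, then authenticate and tamper a packet."""
    # Constructed nonces, SPI and payload standing in for real IKE/ESP fields.
    ni = bytes.fromhex("00112233445566778899aabbccddeeff")
    nr = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    a, b = dh_private(), dh_private()
    k_a = dh_shared(a, dh_public(b))   # initiator's view of g^xy
    k_b = dh_shared(b, dh_public(a))   # responder's view of g^xy
    key = skeyid(ni, nr, k_a)
    spi, seq, payload = 0x1000, 1, b"sample inner packet"
    tag = icv(key, spi, seq, payload)
    return {
        "shared_secrets_match": k_a == k_b,
        "key_len": len(key),
        "icv_len": len(tag),
        "genuine_verifies": verify_icv(key, spi, seq, payload, tag),
        "tampered_verifies": verify_icv(key, spi, seq, b"Sample inner packet", tag),
        "altered_seq_verifies": verify_icv(key, spi, seq + 1, payload, tag),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two results are the point of the hash algorithm entry: because the ICV covers the sequence number as well as the payload, a receiver that tracks sequence numbers can reject replays and any modification in transit, which is the service the AH and ESP entries call data origin authentication and anti-replay.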

Acknowledgements
Authors: Sunil Kalidindi, Elliott Stewart
