VPN Performance Issues on Gigabit Routers

Steven G. Pennington, Kelly Stump, Joseph B. Evans
Information & Telecommunications Technology Center
University of Kansas, Lawrence, KS 66045
evans@ittc.ukans.edu

Without a doubt, the Internet is a powerful tool for business. As more and more companies build their own national networks over insecure communications links such as the Internet, the network manager's need for a "secure" path to the network takes on added significance. In this presentation we will discuss the performance issues in scaling VPNs (virtual private networks) to gigabit speeds, including the architectures used to implement them and some of their limitations.

VPNs are an increasingly popular technology that empowers users to privately access information on their corporate (internal) network over a public, shared network infrastructure. VPNs must be secure, reliable, and offer an acceptable quality of service to the end user.

In order to see whether today's high-end routers can meet the demands of gigabit VPNs, we examined the Cisco 7500 series and the Cisco 12000 series. We connected two similar routers together, created VPNs of various configurations between them, and then ran performance tests. The preliminary results are as follows:

Router        No Tunnel     GRE Tunnel    Encrypted Tunnel
----------------------------------------------------------
Cisco 7500    93.01 Mb/s    87.04 Mb/s    48.57 Mb/s
Cisco 12000   120.40 Mb/s   103.11 Mb/s   ---

It can be seen from the results that there is a significant amount of overhead in both the encapsulation and the encryption of VPN data. In order to take advantage of high-capacity networks, hardware tunneling and encryption must be implemented.

Another unsolved problem encountered in configuring gigabit VPNs is that of providing guaranteed service levels to the end user. If ATM is used as the transport protocol, the ATM VC can be created with whatever QoS parameters are agreed upon by the customer and provider. This provides a solution that is similar to a traditional leased line. In an IP-only network, diff-serv could be used to prioritize the packets. The service provider could choose to set all VPN packets at a higher priority than other data in the network, but not all traffic going across the VPN needs this level of service. What is needed is a strategy for mapping the TOS of the encapsulated packets within the tunnel to the TOS of the packets transporting the encapsulated data. This would also help to prevent denial of service attacks by giving the VPN tunnel traffic a higher priority than the intruding data stream.
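The TOS-mapping strategy above, as an added illustration that is not part of the original presentation: a minimal GRE encapsulator (RFC 2784 header with no flags) that copies the inner IPv4 TOS byte into the outer header, plus the matching decapsulator. The helper names and the constructed addresses are assumptions for the example; the 24-byte per-packet overhead it exposes is the fixed header cost only, not the per-packet processing cost measured in the table.

```python
import struct

GRE_PROTO = 47          # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an encapsulated IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, tos: int, payload: bytes) -> bytes:
    """Hypothetical helper: 20-byte IPv4 header (no options) with checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in GRE + outer IPv4, copying the inner TOS to the outer header
    so the transport network can prioritise the tunnel packet exactly as the inner one."""
    inner_tos = inner[1]                      # byte 1 of the IPv4 header is TOS/DSCP
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, protocol type
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, inner_tos, gre_hdr + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Validate the outer header and GRE header, then return the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer[ihl + 4:]


def header_overhead(inner: bytes, outer: bytes) -> int:
    """Bytes added by tunnelling (outer IPv4 + GRE) for this packet."""
    return len(outer) - len(inner)


# Constructed sample: an inner packet marked with DSCP EF (0xB8) tunnelled between two routers.
inner_pkt = build_ipv4("10.0.0.1", "10.0.0.2", 6, 0xB8, b"constructed payload")
outer_pkt = gre_encapsulate(inner_pkt, "192.0.2.1", "198.51.100.1")
```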