Behavioral and Performance Characteristics of IPsec/IKE in Large-scale VPNs

O. Kim and D. Montgomery (USA)


Network Security, IP Security Protocols, Internet Key Exchange and Management, Virtual Private Networks, Performance Analysis, Large-scale Networks.


Cryptographic network security services are essential for providing secure data communication over an insecure public network such as the Internet. Recently there has been tremendous growth in the requirements for, and use of, secure virtual private networks (VPNs) to interconnect enterprises with business partners, traveling staff, and remote office locations. IPsec tunnels have become one of the most widely adopted means to build secure VPNs between sites and individual computers. To date, most IPsec VPNs are statically configured and are of moderate scale. To facilitate future, very large VPNs with potentially varied security policies and changing memberships, the industry must move to the use of dynamic key management protocols and policy management systems to ease the administrative burden associated with VPN instantiation and operation. In this paper we examine the dynamic behavior and relative performance characteristics of large-scale VPN environments based upon IPsec and IKE version 1 (version 2 of IKE is currently under development by IETF). We use detailed, packet-level simulation models to characterize the performance impact of varying: key management scenarios, security association (SA) policy and management parameters, cryptographic algorithms, and implementation options in IPsec/IKE suites. Our results highlight the significant performance impact of subtle IPsec/IKE implementation and policy decisions on the overall performance and behavior of TCP-based applications in large-scale VPNs.
