MASON ECE 646 - Performance analysis for FreeSWAN and Cisco IPSec implementation


Performance analysis for FreeSWAN and Cisco IPSec implementation
Ban Ly
ECE 646 project report

Abstract

IPSec allows network design engineers to design sophisticated Virtual Private Networks (VPNs). This paper will compare IPSec implementation between a public domain IPSec (FreeSWAN) and Cisco

Contents

Introduction
IPSec Overview
Test-bed setup
Experimental result
Conclusion
Reference

Introduction

Over the past couple of years, Virtual Private Network (VPN) has moved from a very sound concept to a practical technology. VPN, which is based on IPSec, allows companies to expand their Intranet securely and cost effectively. FreeSWAN is an open source IPSec technology that can be used for VPN implementation. This paper will evaluate FreeSWAN performance against Cisco. Cisco is chosen for comparison because Cisco is the most widely deployed router for Internet connection.

IPSec Overview

Internet Protocol Security (IPSec), developed by the Internet Engineering Task Force (IETF), provides security protections such as authentication, confidentiality, and data integrity for IP communication between peers through the use of Authentication Header (AH), Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE). AH encrypts the IP header as well as the IP payload and offers data authentication with HMAC-MD5 or HMAC-SHA1. ESP is very similar to AH except that ESP only encrypts the IP payload, as the name implies, and also offers data confidentiality. IKE is for key management and automatic keying. IPSec currently supports the following encryption algorithms: DES, Triple DES, IDEA and Blowfish (and AES in the future). However, vendor IPSec implementations vary greatly, with DES and manual keying as the common factors. Today, Cisco only supports DES and 3DES with either manual or automatic keying in their IOS.

IPSec is a mandatory part of the new IP version 6 and an optional extension for IP version 4. IPSec performs encryption at the network layer of the OSI model, which is independent of software application and transmission media. This independence allows greater flexibility for software development and network implementation.

IPSec offers two modes of operation, namely transport and tunnel mode. In transport mode, no encryption is performed on the IP header; only the IP payload is encrypted. This mode is used for host-to-host encrypted communication. In tunnel mode, both the IP header and payload are encrypted and a new IP header is added to form a new IP packet. Hence, bandwidth is conserved under transport mode, with the sender IP address exposed as the tradeoff. Tunnel mode is often the choice for VPN implementation.
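
The size difference between the two modes, worked through as an added example that is not part of the original report. It models ESP only and assumes IPv4 without options, 3DES-CBC and a 96-bit HMAC; the function names and sample packet sizes are constructed for illustration.

```python
# Added example: ESP packet-size model (RFC 2406 layout), not code from the report.
# Assumptions: IPv4 without options, 3DES-CBC (8-byte block, 8-byte IV),
# HMAC-MD5-96 or HMAC-SHA1-96 (12-byte ICV), ESP only, minimal padding.
IP_HDR = 20       # IPv4 header, no options
ESP_HDR = 8       # SPI (4) + sequence number (4)
IV_LEN = 8        # CBC initialisation vector for DES/3DES
BLOCK = 8         # DES/3DES block size
ESP_TRAILER = 2   # pad-length byte + next-header byte
ICV_LEN = 12      # truncated HMAC


def esp_packet_len(inner_len, mode):
    """On-wire IP length after ESP for an original IP packet of inner_len bytes."""
    if mode == "transport":
        protected = inner_len - IP_HDR   # original IP header stays in front, in clear
    elif mode == "tunnel":
        protected = inner_len            # whole original packet is encapsulated
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    if protected < 0:
        raise ValueError("inner_len is shorter than an IP header")
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(protected + ESP_TRAILER) // BLOCK) * BLOCK
    return IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN


def max_inner_len(mtu, mode):
    """Largest original IP packet whose ESP form still fits in mtu unfragmented."""
    room = (mtu - IP_HDR - ESP_HDR - IV_LEN - ICV_LEN) // BLOCK * BLOCK
    protected = room - ESP_TRAILER
    return protected + IP_HDR if mode == "transport" else protected


def overhead_table(sizes=(40, 576, 1500)):
    """(inner_len, transport_len, tunnel_len) for constructed sample sizes:
    a bare TCP ACK, a mid-size packet and a full Ethernet-size data segment."""
    return [(n, esp_packet_len(n, "transport"), esp_packet_len(n, "tunnel"))
            for n in sizes]


if __name__ == "__main__":
    for inner, tr, tu in overhead_table():
        print(f"{inner:5d} B -> transport {tr:5d} B (+{tr - inner}), "
              f"tunnel {tu:5d} B (+{tu - inner})")
    for mode in ("transport", "tunnel"):
        print(mode, "max original packet for a 1500-byte MTU:",
              max_inner_len(1500, mode))
```

Under these assumptions a full 1500-byte packet exceeds a 1500-byte MTU in either mode once ESP is applied, so the sender has to use smaller segments or the gateway has to fragment.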

[Figure 1: Transport mode between Host A and Host B. Labels: IP Header, AH Header, ESP Header, Data]

[Figure 2: Tunnel mode between Host A and Host B. Labels: IP Header, AH Header, ESP Header, Original IP Header, Data]

Test Environment setup

The test bed contains the following equipment:

• A PIII 450 Windows 2000 workstation. This machine is configured to act as an FTP server
• A PII 450 and a PII 333 PC will be configured as IPSec gateways with FreeSWAN. Linux 7 will be running on these gateways
• A Pentium 200 running Linux 7 will be used as an FTP client
• 2 Cisco 4000 routers and a 2501 router
• A 10BaseT Bay switch
• Triple DES is used for all IPSec gateways/routers. All IPSec peers are configured in tunnel mode.
• All devices are interconnected through the Bay switch with VLANs enabled for each network segment
• An 80MB file is used for all FTP sessions

First, a baseline FTP transaction will be established between the Linux and the Windows machine.

[Figure 3. Labels: Linux, Linux Gateway, Cisco 2501, Linux Gateway, Win2000]

Second, FreeSWAN IPSec will be introduced by placing the two gateways, interconnected by the Cisco 2501, between the Linux and the Windows machine. The Cisco 2501 does not have IPSec enabled and will only act as an interconnect router. Perform the same FTP.

[Figure 4. Labels: Linux, Linux IPSec Gateway, Cisco 2501, Linux IPSec Gateway, Win2000]

Third, replace the two FreeSWAN gateways with 2 Cisco 4000 routers. The Cisco 4000s will be running IPSec and interconnected by the same 2501 router. Perform the same FTP. Compare the result with the second experiment.

[Figure 5. Labels: Linux, Cisco 4000 IPSec, Cisco 2501, Cisco 4000 IPSec, Win2000]

Test result

            Test 1               Test 2               Test 3
            660 KB/s             138 KB/s             187 KB/s
            653 KB/s             126 KB/s             190 KB/s
            660 KB/s             122 KB/s             184 KB/s
Average:    658 KB/s (5.2Mb/s)   128 KB/s (1.0Mb/s)   187 KB/s (1.49Mb/s)

The throughput in the baseline test (test 1) is only half of 10BaseT because of the PC gateways.
As mentioned in the test environment, they are PII 400s machines equipped with some of the older network interface cards (NICs). I believe that the throughput can be improved with faster machines and better NICs.

Conclusion

From the test results, we see that IPSec reduces the throughput tremendously. This reduction is largely due to IPSec encryption. For comparison, Cisco has better performance. However, as mentioned above, the throughput of these gateways can be improved with better-equipped machines.

