Network service providers and enterprise network managers face the same sticky problem: how to overcome bottlenecks to increase throughput of information over virtual private networks (VPNs). Bandwidth bottlenecks typically occur at points of traffic concentration.
A significant amount of VPN bandwidth originates either from telecommuters and mobile workers or from branch offices or business partners. Sometimes, the bottleneck occurs at a server farm located at an application or network service provider. But wherever high concentrations of VPN traffic occur, a significant load is placed on the processing devices.
Effectively, the load placed on a networking device or a VPN is the total amount of IPSec bandwidth that needs to be processed. This bandwidth is determined by the number of traffic packets per second that need to be encrypted and authenticated and by the number of individual user sessions that need to be maintained. In addition to the total traffic load, the maintenance of each individual user session -- for example, for each remote worker -- places an additional overhead on the system and counts against the overall amount of processing that can be sustained.
The processing requirements of VPNs are significant relative to traditional WAN networking, or even IP networking, that doesn't involve the various functions and technologies of a VPN. The encryption, packet authentication, and packet compression of a VPN can entail 50 or even 100 times more work per packet than processing over a non-VPN WAN (Figure 1). Clearly, then, the overall performance of a system, and in particular the ability of devices at the boundaries of a VPN to process the VPN traffic, will be heavily influenced by whether they have the horsepower to implement these computationally intensive functions.
In addition, data compression is a vital element in VPN services for making data packets as small as possible. Compression is not a cryptographic function like encryption and authentication. However, it is highly desirable for VPNs that use IPsec encryption and/or authentication. To the service provider, data compression provides four primary benefits, which in turn are passed on to the VPN user.
· First, compressed packets consume less bandwidth.
· Next, compression reduces the latency of packets as they traverse the network, since packet length is shorter.
· Thirdly, performance is significantly enhanced.
· And lastly, applying compression to the data before it is encrypted improves its resistance to cryptanalysis. Cryptanalysis is the process of attempting to find a shortcut method, not envisioned by the designer, for decrypting an encrypted message when the key used to encrypt the message is not known.
When IP data is being encrypted or authenticated according to the IPsec standard, header information must be added to the original IP packet. This increases the size of the packet and often splits or fragments a packet into two parts. As will be discussed later in more detail, packets enlarged beyond the negotiated maximum transmission unit (MTU) can degrade performance because of the additional header bytes and the subsequent packet fragmentation.
On the other hand, by compressing IP packets, a VPN system can minimize or avoid this performance loss. However, it is important to know that once data is encrypted, the ability to compress it is virtually zero.
Performance Hits
When IP security is applied to a data packet, the packet grows in length. An Ethernet packet, for instance, is at most 1500 bytes. Once it is encrypted, it becomes larger than 1500 bytes.
Once the packet is enlarged, it can no longer be transmitted through the network as a single packet. Hence, it is split into two packets, a process known as IP fragmentation. As shown in Figure 2, the original packet may be 1490 bytes. It increases to 1544 bytes after new IP and Encapsulating Security Payload (ESP) headers, trailer information, and the MAC value are added, thus enlarging the original packet by 54 bytes. Consequently, the original packet must be split, or fragmented, into two packets. This fragmentation adds complexity and increases the chances of packet loss, since losing a single fragment means losing the whole packet.
The receiving node collects all
In Hifn's LZS compression, the repetitive characters must be within about 2,000 characters (2,048 bytes) of each other. It is true that if Hifn used a larger chunk of text it would achieve more compression, but it would also slow down the process.
The strength of LZS is that it produces an optimum combination of compression and performance. LZS achieves "lossless compression", which simply means no data is lost during compression and decompression. Lossless compression typically reduces data by about 1/2 - but nothing is ever lost. With LZS, customers achieve acceleration without deterioration.
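As an added worked example (not from the article, VPNet or Hifn), the following Python models the two effects described above: the ESP tunnel-mode growth of a 1490-byte packet to 1544 bytes and the resulting IPv4 fragmentation, and a greedy LZ77-style coder restricted to a 2,048-byte history window, showing why compressing before encryption lets the packet fit the MTU while pseudo-random "ciphertext" does not shrink at all. The overhead breakdown (8-byte cipher block and IV, 12-byte ICV), the simplified bit-cost model, and the sample payloads are assumptions of this example, not figures from the article.

```python
import math
import random

# Assumed IPsec ESP tunnel-mode sizes: IPv4 outer header, an 8-byte-block
# cipher with an 8-byte IV (e.g. DES-CBC), HMAC-96 ICV. Not from the article.
OUTER_IP, ESP_HDR, IV, BLOCK, TRAILER, ICV, MTU = 20, 8, 8, 8, 2, 12, 1500

def esp_tunnel_size(inner_len):
    """Wire length of an inner IP packet after ESP tunnel encapsulation."""
    padded = math.ceil((inner_len + TRAILER) / BLOCK) * BLOCK  # pad to block
    return OUTER_IP + ESP_HDR + IV + padded + ICV

def fragment_count(packet_len, mtu=MTU):
    """IPv4 fragments needed; each fragment carries a multiple of 8 data bytes."""
    if packet_len <= mtu:
        return 1
    per_fragment = (mtu - 20) // 8 * 8
    return math.ceil((packet_len - 20) / per_fragment)

def lz_window_size(data, window=2048, min_match=3):
    """Estimated compressed size (bytes) for a greedy LZ77-style coder searching
    only the previous `window` bytes, the 2,048-byte history the article gives
    for LZS. Simplified cost: literal = 9 bits, match = 1+11 (offset)+8 (length)."""
    i, bits = 0, 0
    while i < len(data):
        best = 0
        for j in range(max(0, i - window), i):
            k = 0
            while i + k < len(data) and k < 255 and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        if best >= min_match:
            bits, i = bits + 20, i + best
        else:
            bits, i = bits + 9, i + 1
    return math.ceil(bits / 8)

# Constructed inputs: a redundant 1490-byte HTTP-like payload, and pseudo-random
# bytes of the same length standing in for already-encrypted data.
PLAINTEXT = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n" * 40)[:1490]
CIPHERTEXT_LIKE = random.Random(7).randbytes(1490)
def report(payload):
    """Return (compressed size, wire size if compressed first, fragments)."""
    c = lz_window_size(payload)
    return c, esp_tunnel_size(c), fragment_count(esp_tunnel_size(c))

if __name__ == "__main__":
    print("uncompressed:", esp_tunnel_size(1490), fragment_count(esp_tunnel_size(1490)))
    print("plaintext compressed first:", report(PLAINTEXT))
    print("ciphertext compressed (no gain):", report(CIPHERTEXT_LIKE))
```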
*Jonathon Corgan is VPN Business Staff Consultant, VPNet Technologies, Inc.