Behavioral and Performance Characteristics of IPsec/IKE in Large-Scale VPNs

Cryptographic network security services are essential for providing secure data communication over an insecure public network such as the Internet. Recently there has been tremendous growth in the requirements for, and use of, secure virtual private networks (VPNs) to interconnect enterprises with business partners, traveling staff, and remote office locations. IPsec tunnels have become one of the most widely adopted means of building secure VPNs between sites and between individual computers. To date, most IPsec VPNs are statically configured and of moderate scale. To support future, very large VPNs with potentially varied security policies and changing memberships, the industry must move to dynamic key management protocols and policy management systems that ease the administrative burden of VPN instantiation and operation. In this paper we examine the dynamic behavior and relative performance characteristics of large-scale VPN environments based on IPsec and IKE version 1 (version 2 of IKE is currently under development by the IETF). We use detailed, packet-level simulation models to characterize the performance impact of varying key management scenarios, security association (SA) policy and management parameters, cryptographic algorithms, and implementation options in IPsec/IKE suites. Our results show that subtle IPsec/IKE implementation and policy decisions have a significant impact on the overall performance and behavior of TCP-based applications in large-scale VPNs.