Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN. Berry Hoekstra Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef

Similar documents
Parallelizing IPsec: switching SMP to On is not even half the way

IPSec. Overview. Overview. Levente Buttyán

Enabling High Performance Bulk Data Transfers With SSH

Scaling Acceleration Capacity from 5 to 50 Gbps and Beyond with Intel QuickAssist Technology

LANCOM Techpaper Routing Performance

SSL Accelerating Test Bench SSL accelerating Test Method

Virtual Private Networks (VPN)

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

VPNS BY RICK FREY.

Anand Raghunathan

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

REMOTE ACCESS SSL BROWSER & CLIENT

Cisco VPN Internal Service Module for Cisco ISR G2

Lecture 13 Page 1. Lecture 13 Page 3

Pre-Fragmentation for IPSec VPNs

PureVPN's OpenVPN Setup Guide for pfsense (2.3.2)

An Experimental Analysis on Iterative Block Ciphers and Their Effects on VoIP under Different Coding Schemes

Hillstone IPSec VPN Solution

1. Ultimate Powerful VPN Connectivity

Configuring OpenVPN on pfsense

Analysis of VPN Protocols

SSH Bulk Transfer Performance. Allan Jude --

CSCE 715: Network Systems Security

Comparison of SSL/TLS libraries based on Algorithms/languages supported, Platform, Protocols and Performance. By Akshay Thorat

Authentication, Encryption, Transport, IP Version and VPN Routing

Performance Evaluation of Software Routers with VPN Features

PacketShader: A GPU-Accelerated Software Router

In the event of re-installation, the client software will be installed as a test version (max 10 days) until the required license key is entered.

The case for ubiquitous transport-level encryption

Transport Level Security

How to Create a TINA VPN Tunnel between F- Series Firewalls

The IPsec protocols. Overview

IPSec Transform Set Configuration Mode Commands

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

VIRTUAL PRIVATE NETWORK

Lecture 12 Page 1. Lecture 12 Page 3

NCP Secure Enterprise macos Client Release Notes

Cubro Network Security Series

Data Sheet. NCP Secure Enterprise Linux Client. Next Generation Network Access Technology

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Performance Analysis of iscsi Middleware Optimized for Encryption Processing in a Long-Latency Environment

IPSec Transform Set Configuration Mode Commands

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

Securing Network Traffic Tunneled Over Kernel managed TCP/UDP sockets

Security Policy Document Version 3.3. Tropos Networks

Fast packet processing in the cloud. Dániel Géhberger Ericsson Research

double split driver model

Setting an OpenVPN on Linux and MikroTik to securely access a web server. Teddy Yuliswar MikroTik Certified Trainer #TR0442

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Virtual Private Network

IPSec. Dr.Talal Alkharobi. IPsec (IP security)

Authentication, Encryption, Transport, and VPN Routing

Sophos Firewall Configuring SSL VPN for Remote Access

Release Notes. NCP Secure Enterprise VPN Server. 1. New Features and Enhancements. 2. Improvements / Problems Resolved

Hardware Acceleration for Cryptographic Functions

NCP Secure Managed Android Client Release Notes

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

SATELLAR and VPN. 2/2017 SATEL technical bulletin SATELLAR

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

Release Notes. NCP Secure Enterprise VPN Server. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

FAQ about Communication

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

A Security Solution For Wireless IP Networks

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Data Sheet. NCP Secure Entry Mac Client. Next Generation Network Access Technology

May 22 12:44:19 miniupnpd[688]: Listening for NAT-PMP/PCP traffic on port 5351

VPN Overview. VPN Types

Kernel level AES Acceleration using GPUs

NCP Secure Entry macos Client Release Notes

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Exploring Alternative Routes Using Multipath TCP

Findings for

Release Notes. NCP Android Secure Managed Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Internet security and privacy

Tunnel within a network

Index. Numerics 3DES (triple data encryption standard), 21

OpenVPN protocol. Restrictions in Conel routers. Modified on: Thu, 14 Aug, 2014 at 2:29 AM

Firewalls, Tunnels, and Network Intrusion Detection

Efficient Securing of Multithreaded Server Applications

Configuration of an IPSec VPN Server on RV130 and RV130W

Best Practice - VPN Performance Testing

Wireless Terminal Emulation Advanced Terminal Session Management (ATSM) Device Management Stay-Linked

FIPS Crypto In the IoT. Chris Conlon ICMC17, May 16-19, 2017 Westin Arlington Gateway Washington DC

VNS3 to Windows RRAS Instructions. Windows 2012 R2 RRAS Configuration Guide

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Gigabit SSL VPN Security Router

Cloud Simulation. Connectivity Guide

Configuring L2TP over IPsec

Configuring Tunnel Interfaces on Cisco IOS XR Software

Scalability Considerations

Juniper SD-WAN Alexandre Cezar Consulting Systems Engineer, Security/Cloud

Virtual Private Networks.

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

ARISTA: Improving Application Performance While Reducing Complexity

Benchmarking results of SMIP project software components

NCP Secure Enterprise macos Client Release Notes

DPDK Roadmap. Tim O Driscoll & Chris Wright Open Networking Summit 2017

G-NET: Effective GPU Sharing In NFV Systems

How to use OpenVPN Server/Client on

Transcription:

Comparing TCP performance of tunneled and non-tunneled traffic using OpenVPN Berry Hoekstra Damir Musulin OS3 Supervisor: Jan Just Keijser Nikhef

Outline Introduction Approach Research Results Conclusion Questions?

Introduction Virtual Private Networks Secure connection over an insecure network SSL, IPsec, PPTP and L2TP are the most popular VPN solutions Packets are encapsulated into packets on a lower layer OpenVPN SSLv3/TLSv1 based VPN solution Able to saturate 100 Mbps Performance issues with 1 Gbps Not much documented research available OpenSSL for encryption TUN/TAP driver for tunneling

Research Question "What are the causes of the network performance loss when using OpenVPN at Gigabit speed?" Sub-questions: What is the effect of using different encryption and authentication methods or parameters in OpenVPN? Is the same performance hit found on other OpenSSLbased tunnel solutions? Is the same performance hit found on other operating systems (e.g. FreeBSD)? What are the possibilities to mitigate slow OpenVPN network performance?

Problem definition Unable to saturate 1 Gbps over a VPN tunnel Even with no encryption and signing with default settings Suspected culprits: Inefficient cryptographic functions OS context switching TUN/TAP driver overhead Context switching

OpenVPN packet flow

Methodology (1) Perform throughput measurements using Iperf Using a control script On different infrastructures Perform OpenSSL speed tests What are the effects in throughput when: Using different parameters Using a different OpenSSL version On a different infrastructure On a different operating system Compare against similar VPN solutions Vtun Source code analysis OpenVPN / OpenSSL functionality TUN/TAP driver

Lab setup Dell R210 Intel Xeon L3426 4/8 cores @ 1.87 GHz 8GB memory 2x Broadcom NIC Setup 1: Endpoint to endpoint Setup 2: Client to client

Methodology (2) Ciphers Blowfish-128-CBC (default) AES-128-CBC AES-256-CBC HMAC signing SHA-1 vs. MD5 Increasing TUN MTU sizes Increases the block size towards OpenSSL Encryption is done more efficient OpenVPN fragmentation options Disabled, fragmentation is done at kernel level Increases throughput! (between endpoints)

Results (1) Different ciphers: BF +150%, AES +30%-80%

Results (2) HMAC disabled +10%-20% Fragmentation disabled + ~40%

Results (3) Crypto impact on AES-256-CBC

Results (4) CentOS vs. FreeBSD: +50%-60%!

Results (5) OpenVPN vs. other OpenSSL solution: Vtun

Conclusions (1) OpenSSL is not capable to encrypt at 1 Gbps BF-128 ~500, AES-128 ~800, AES-256 ~700 Mbps OpenVPN results show inefficient handling Even with the internal fragmentation disabled BF-128 ~400, AES-128 ~200, AES-256 ~155 Mbps OpenVPN needs high TUN MTU values for most efficient handling TUN/TAP driver plays a role in causing more overhead Context switching Mitigated by running in kernel space like IPsec

Conclusions (2) Tunnel performance can be optimized Only on endpoint to endpoint setups Hard to improve performance on routed setup Clients deliver packets with a small MTU to endpoints Fragmentation options matters Only for endpoint to endpoint setups FreeBSD shows a throughput increase of ~80% Due to inefficient FIPS version of OpenSSL on CentOS Fixed in OpenSSL 1.0.0 (default in Fedora) Against CentOS, FreeBSD still outperforms with 50% to 60% Using the same OpenSSL version

Conclusions (3) "What are the causes of the network performance loss when using OpenVPN at Gigabit speed?" There is a relation between the OpenSSL version and OpenVPN throughput Encryption routines of OpenVPN are inefficient OpenVPN fragmentation options cause a lot of overhead Calculation, reassemble, and sequence no. administration Different performance measured on different operating systems OpenVPN source code contains a lot of branching if {..} else {..} if {..} else {..} if {..} else {..} if {..} else {..} Performance hit on CPU

Future work Hardware acceleration AES-NI instruction set Graphics cards Cryptographic cards Kernel Mode Linux Eliminate context switching TAP-Win32 driver Profiler Low level Linux performance counters Steap learning curve CPU affinity No multi-socket hardware available 10 Gbps performance measurements TCP Tuning is needed to get near-linespeed Look into UDP offloading

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback