Friday, April 7, 2006

VPN Overhead

Q13: How does the use of encryption affect
the performance of a network connection?

The use of encryption adds some additional overhead to a session.
Most VPN devices, whether hardware or software based, will be able to process
encryption for connections up to 10baseT speeds. On a lower speed connection
like a modem, VPN processing is much faster than delays introduced by the limited
bandwidth availability.

Performance is often affected more by packet loss and latency on a poor
Internet connection than by the encryption overhead itself.

This means that performance is most affected by the quality of your Internet connection. The ISP you choose matters a great deal for packet loss. Some ISPs will shape (slow) traffic to block VoIP if it competes with their own service, and some will block any and all business-class traffic.

Who do you use for your ISP?

Another note for Cisco VPNs

After making a VPN Client connection, some traffic types no longer work, specifically applications that send large packets, such as SMTP, HTTP, and SSH.

The 2.6.4 kernel enabled a feature of certain Ethernet cards that discards packets larger than the configured MTU. The VPN Client lowers the MTU visible to the applications so that it can add its own overhead without exceeding the original MTU; the resulting encrypted packets are therefore bigger than the newly configured MTU, and the card discards them.
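
The interaction described in that note can be modelled in a few lines. The following is an added example, not code from the Cisco release note or the VPN Client: the 1500-byte Ethernet MTU and the 72-byte tunnel overhead are constructed assumptions (real ESP or UDP encapsulation overhead depends on cipher, mode and NAT traversal), and the "fixed" configuration is only the contrast case in which the card keeps its original MTU while the MTU seen by applications is lowered, not a description of any vendor's fix. It shows why small packets (pings) still get through while full-size packets from SMTP, HTTP or SSH vanish.

```python
"""Model of the VPN Client MTU problem described in the note above.

Constructed example: the numbers are assumptions, not values from the
release note.
"""
from dataclasses import dataclass

ETHERNET_MTU = 1500   # assumption: ordinary Ethernet MTU before the VPN starts
TUNNEL_OVERHEAD = 72  # assumption: constructed per-packet overhead the VPN adds


@dataclass
class Nic:
    """Minimal model of an Ethernet card."""
    mtu: int
    strict: bool  # True models the 2.6.4 behaviour: frames above mtu are discarded

    def transmit(self, frame_size: int) -> bool:
        """Return True if the card puts the frame on the wire."""
        if self.strict and frame_size > self.mtu:
            return False
        return True


def encapsulate(payload_size: int, overhead: int = TUNNEL_OVERHEAD) -> int:
    """Size of the encrypted packet after the VPN adds its headers."""
    return payload_size + overhead


def send_over_vpn(app_sizes, app_mtu: int, nic: Nic,
                  overhead: int = TUNNEL_OVERHEAD) -> dict:
    """Return {packet size: delivered?} for each application packet size.

    The application sees app_mtu, so it never emits more than that; the VPN
    then encapsulates the packet and hands the result to the card.
    """
    results = {}
    for size in app_sizes:
        if size > app_mtu:
            results[size] = False  # the application layer would fragment or refuse
            continue
        results[size] = nic.transmit(encapsulate(size, overhead))
    return results


def broken_configuration(app_sizes) -> dict:
    """The client lowers the MTU on the card itself (the behaviour the note describes)."""
    lowered = ETHERNET_MTU - TUNNEL_OVERHEAD
    nic = Nic(mtu=lowered, strict=True)
    return send_over_vpn(app_sizes, app_mtu=lowered, nic=nic)


def fixed_configuration(app_sizes) -> dict:
    """Contrast case: the card keeps its MTU; only the MTU seen by applications is lowered."""
    nic = Nic(mtu=ETHERNET_MTU, strict=True)
    return send_over_vpn(app_sizes, app_mtu=ETHERNET_MTU - TUNNEL_OVERHEAD, nic=nic)


def largest_deliverable_payload(nic_mtu: int, overhead: int = TUNNEL_OVERHEAD) -> int:
    """Largest application packet that still fits on the card after encapsulation."""
    return nic_mtu - overhead


if __name__ == "__main__":
    sizes = [64, 576, 1428]  # constructed: ping-sized, small, and full-MTU packets
    print("broken:", broken_configuration(sizes))
    print("fixed: ", fixed_configuration(sizes))
```

In the broken case only the 1428-byte packet is lost, which matches the symptom in the note: interactive traffic and pings keep working, while bulk transfers stall as soon as the application fills the advertised MTU.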

To get a rough estimate of the overhead the VPN adds to your traffic, you can
use the ttcp command and compare throughput with and without the tunnel.

Using VTun as an example, we first measure the normal throughput. We send some
data (in this case, the Linux kernel sources) across the link and measure the
result. First, we test the connection between the two VPN machines, Bears and
Falcons, using their public IP addresses. This measures the raw connection
between the machines without any VPN overhead. The non-VPN IP addresses we are
using are and

bears# ./ttcp -t < ../linux-2.4.12.tar.bz2
ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp ->
ttcp-t: socket
ttcp-t: connect

ttcp-t: 21508430 bytes in 26.00 real seconds = 807.94 KB/sec +++

The last line of the output gives us a throughput of 807.94 KB/s. Next, we
run the same tests but use the VPN IP addresses this time, and By using these addresses, we will be sending data over the VPN.

bears# ./ttcp -t < ../linux-2.4.12.tar.bz2
ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp ->
ttcp-t: socket
ttcp-t: connect

ttcp-t: 21508430 bytes in 29.59 real seconds = 709.78 KB/sec +++

As you can see, the throughput this time is 709.78 KB/s, a loss of almost
100 KB/s due to VPN overhead. The numbers you get in your own testing will vary,
but you get the idea. You can get ttcp from
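
When you repeat this test on your own link, it helps to have the comparison done for you rather than reading two summary lines by eye. The following is an added example, not part of the original post or of ttcp: it parses the `ttcp-t: ... bytes in ... real seconds = ... KB/sec` summary line, compares a baseline run with a VPN run, and reports the loss in KB/s and as a percentage. The two sample lines are copied from the runs above; the parser and the arithmetic are my own, and the regular expression assumes ttcp's summary line format as shown on this page.

```python
"""Compare ttcp throughput with and without a VPN.

Added example. The summary-line format is assumed from the ttcp output
quoted on this page; rates are normalised to KB/s for comparison.
"""
import re

# Constructed sample input: the two summary lines from the ttcp runs above
# (public-address run first, VPN-address run second).
BASELINE_LINE = "ttcp-t: 21508430 bytes in 26.00 real seconds = 807.94 KB/sec +++"
VPN_LINE = "ttcp-t: 21508430 bytes in 29.59 real seconds = 709.78 KB/sec +++"

SUMMARY_RE = re.compile(
    r"ttcp-[tr]:\s+(?P<nbytes>\d+) bytes in (?P<secs>[\d.]+) real seconds"
    r"\s*=\s*(?P<rate>[\d.]+)\s*(?P<unit>[KM]?)B/sec"
)


def parse_summary(line: str) -> dict:
    """Pull byte count, elapsed time and reported rate (in KB/s) out of a summary line."""
    m = SUMMARY_RE.search(line)
    if m is None:
        raise ValueError(f"not a ttcp summary line: {line!r}")
    # ttcp may print B, KB or MB per second; normalise everything to KB/s.
    scale = {"": 1 / 1024, "K": 1.0, "M": 1024.0}[m["unit"]]
    return {
        "bytes": int(m["nbytes"]),
        "seconds": float(m["secs"]),
        "kb_per_sec": float(m["rate"]) * scale,
    }


def recomputed_rate_kb(summary: dict) -> float:
    """Throughput recomputed from bytes and seconds, to sanity-check the reported figure."""
    return summary["bytes"] / summary["seconds"] / 1024


def vpn_penalty(baseline_line: str, vpn_line: str) -> dict:
    """Compare a baseline run with a VPN run; express the loss in KB/s and percent."""
    base = parse_summary(baseline_line)
    vpn = parse_summary(vpn_line)
    loss = base["kb_per_sec"] - vpn["kb_per_sec"]
    return {
        "baseline_kb_s": base["kb_per_sec"],
        "vpn_kb_s": vpn["kb_per_sec"],
        "loss_kb_s": round(loss, 2),
        "loss_pct": round(100.0 * loss / base["kb_per_sec"], 2),
    }


if __name__ == "__main__":
    result = vpn_penalty(BASELINE_LINE, VPN_LINE)
    for key, value in result.items():
        print(f"{key:>14}: {value}")
```

For the two runs on this page the loss works out to 98.16 KB/s, or a little over 12 percent. The recomputed rate (bytes divided by seconds) lands within a fraction of a KB/s of what ttcp printed, because ttcp rounds the elapsed time to hundredths of a second; a larger gap there would suggest a mis-parsed line rather than a real difference.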