[vpn] metrics for vpn sessions
Wouter Slegers
wouter at yourcreativesolutions.nl
Wed Apr 3 10:01:00 EST 2002
On Tue, Mar 26, 2002 at 05:35:38PM -0800, Phil McGarr wrote:
> Thanks for the clarification! So would it be correct to say that the number
> of concurrent sessions (2 tunnels) is primarily a matter of bandwidth and
> RAM and secondly a matter of encryption processing power?
There is one other potentially large cost with multiple tunnels
(actually: multiple session keys): switching encryption keys in
encryption hardware can be time-consuming. There is a time cost for
loading/retrieving the keys from the encryption engine and (if on-board
memory is limited) storing them on the host computer (with an optional
encryption to prevent the host computer from obtaining the session keys).
> My goal is to get the primary metrics that users should be aware of
> when choosing a VPN solution. What is going to be the bottleneck
> that's going to restrict the number of simultaneous users?
There are several potential bottlenecks; just which is the smallest
depends on the specific situation. Most likely the bottleneck is going
to be the capability of the VPN device to concurrently store session
keys and switch promptly between them.
On hardware devices, this is usually determined by the amount of memory
on the device (more is expensive) and the speed of switching (which IMHO
is a measure of the quality of the design). Next is the speed with which
the device can handle many relatively small packets; the setup time in
communication frequently dominates the performance. For low-end hardware
devices, the total throughput of the device can also become a bottleneck.
In software, the additional costs of more sessions are much less. There
the costs are usually dominated by the setup costs (RSA et al), which is
the rate at which new users/connections are established (plus usually 1
renewal per hour per connection).
So for hardware the maximum number of concurrent sessions is usually
determined by the money put into the chip; for software this is more of
a marketing/pricing strategy.
With kind regards,
Wouter Slegers
--
Wouter Slegers
Your Creative Solutions
"Security solutions you can trust and verify."
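
An added illustration of the key-storage bottleneck described in the message above (not part of the original post and not any vendor's code): a toy model of an encryption engine with a fixed number of on-board key slots and least-recently-used eviction. The slot count, the cost units and the round-robin traffic pattern are assumptions chosen for illustration.

```python
from collections import OrderedDict

# Assumed cost units (constructed for illustration, not measured on any device).
CRYPT_COST = 1.0    # encrypt one small packet with an already-loaded key
RELOAD_COST = 20.0  # fetch a session key from host memory into the engine

def simulate(sessions, key_slots, packets):
    """Round-robin traffic over `sessions` tunnels through an engine that
    keeps `key_slots` session keys on board with LRU eviction.
    Returns (key_loads, total_cost)."""
    on_board = OrderedDict()          # session id -> key, oldest first
    key_loads = 0
    for i in range(packets):
        sid = i % sessions            # next packet belongs to this session
        if sid in on_board:
            on_board.move_to_end(sid)         # key already loaded: mark recent
        else:
            key_loads += 1                    # key must come from the host
            if len(on_board) >= key_slots:
                on_board.popitem(last=False)  # evict least recently used key
            on_board[sid] = True
    return key_loads, packets * CRYPT_COST + key_loads * RELOAD_COST

def cost_per_packet(sessions, key_slots, packets=8000):
    """Average cost of one packet, including amortised key loads."""
    _, total = simulate(sessions, key_slots, packets)
    return total / packets

if __name__ == "__main__":
    for n in (4, 8, 9, 16):
        print(f"{n:2d} sessions, 8 key slots: "
              f"{cost_per_packet(n, 8):5.2f} units/packet")
```

With these assumed numbers the per-packet cost stays near 1 unit while every session key fits on board and jumps to 21 units as soon as one more session than there are slots is active, because round-robin traffic is the worst case for LRU eviction. Burstier traffic would soften the cliff but not remove it.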