[vpn] metrics for vpn sessions

Christopher Gripp cgripp at axcelerant.com
Tue Mar 26 22:16:42 EST 2002


Because there is more than one way to skin the proverbial cat it is difficult to make a blanket statement regarding what the bottleneck will be. All of the items you listed can become a severe bottleneck in the right environment. 

A couple of thoughts:

In my humble opinion bandwidth is probably the easiest to alleviate due to its availability and the minimal impact to the VPN if a circuit change is needed.

Other than PC based VPN solutions I don't know of any that can have their memory or their processors easily upgraded. 

As an example of why I don't think encryption processing is secondary, I have tested various products and have seen latencies vary by up to 20ms between boxes for the same algorithms.

I often see memory limitations affect the # of policies one can build out, the number of routes one can enter, the number of networks that can be defined, etc.



Christopher S. Gripp
Systems Engineer
Axcelerant 



-----Original Message-----
From: Phil McGarr [mailto:phil at vpnlabs.org]
Sent: Tuesday, March 26, 2002 5:36 PM
To: vpn at securityfocus.com
Subject: RE: [vpn] metrics for vpn sessions 



Christopher,

Thanks for the clarification! So would it be correct to say that the number
of concurrent sessions (2 tunnels) is primarily a matter of bandwidth and
RAM and secondly a matter of encryption processing power?
My goal is to get the primary metrics that users should be aware of when
choosing a VPN solution. What is going to be the bottleneck that's going to
restrict the number of simultaneous users?


cheers,

Phil

Phil McGarr
VPN Labs
http://www.vpnlabs.org/




Another point I forgot to mention is the definition of the term 'tunnel'. A
year or two ago I would see vendors refer to this but it was misleading
because each VPN Endpoint is comprised of 2 such 'tunnels'.  1 for Key
Exchange and 1 for the encrypted data stream.  So when XYZ vendor would say
10,000 simultaneous tunnels it was in reality 5000 VPN endpoints.

The other thing I see is 'users'.  This is actually a limit on the number of
IP addresses that can concurrently have sessions through the VPN device.  A
perfect example is the NetScreen 5XP.  It is limited to 10 IP's.  However,
for an additional sum of money you can unlock that feature and get what they
call an ELITE license.

Generally speaking though the limit on SA's, TCP/UDP sessions, policy
numbers, routes, etc. are memory issues.



Christopher Gripp
Systems Engineer
Axcelerant

"Impartiality is a pompous name for indifference, which is an elegant name
for ignorance."  G.K. Chesterton

> -----Original Message-----
> From: Christopher Gripp
> Sent: Tuesday, March 26, 2002 4:20 PM
> To: Phil McGarr; vpn at securityfocus.com
> Subject: RE: [vpn] metrics for vpn sessions
>
>
> The number of tunnels isn't necessarily limited by the
> bandwidth.  However, as with ANY network service, bandwidth
> is going to impact the performance of those services.
>
> Yes.  Some VPN companies limit the # of tunnels, although I
> wouldn't necessarily say arbitrarily, so they can sell
> upgraded versions.
>
>
>
> Christopher Gripp
> Systems Engineer
> Axcelerant
>
> "Impartiality is a pompous name for indifference, which is an
> elegant name for ignorance."  G.K. Chesterton
>
> > -----Original Message-----
> > From: Phil McGarr [mailto:phil at vpnlabs.org]
> > Sent: Tuesday, March 26, 2002 3:46 PM
> > To: vpn at securityfocus.com
> > Subject: [vpn] metrics for vpn sessions
> >
> >
> > Greetings,
> >
> > I've been asked the following question:
> > What metrics are companies using when they say "1,000 concurrent VPN
> > tunnels?"
> >
> > This spawned some of my own questions:
> > Is the number of concurrent tunnels possible limited by
> > bandwidth to the VPN
> > server rather than some algorithmic restriction?
> > Are VPN companies arbitrarily restricting the number of
> > tunnels so that they
> > can sell upgraded versions when people need to allow more
> > users onto their
> > VPN network?
> >
> > Any help?
> >
> > tia,
> >
> > Phil
> >
> > Phil McGarr
> > VPN Labs
> > http://www.vpnlabs.org/
> >
> >
> > VPN is sponsored by SecurityFocus.com
> >
> >
