[vpn] metrics for vpn sessions

Stephen Hope Stephen.Hope at energis.com
Wed Mar 27 08:13:31 EST 2002


Phil,

i suspect the answer is still "it depends".

You should design to the throughput and simultaneous user limits you need,
and size box and Internet feed to suit - if you are lucky you will even have
some numbers!

There is no intrinsic limit to the minimum bandwidth used per user or tunnel
- broadband users may be able to hit 1 Mbps instantaneous throughput, but
since most broadband systems have 50:1 contention ratios built in, the
average is likely to be much less. BTW - campus networks have similar design
contention ratios, so this isn't really a remote access specific constraint.

If you are using a hardware encryption engine of some sort, then they
typically have 2 separate sets of limits - CPU + throughput as
"performance", and memory tables etc for each "context" - which equates to
tunnels or user limits.

Often hardware accelerators use unusual versions of memory (which equals
expensive), or have memory built into an ASIC, so this can be a limited
resource that cannot be expanded.

Software based encryption should have less stringent limits on memory, so
CPU performance dominates.

Both limits may be increased by adding hardware - either rack and stack the
boxes (which may be much easier if there are load balancing hooks in the
box), or by allowing multiple hardware encryption engines in a box.

Often you get to choose - i.e. in the Cisco VPN 3000 range you can get a
software only box, or one which can take up to 4 hardware encryptors, with
0, 1, 2, or 3 fitted.


regards

Stephen

Stephen Hope C. Eng, Senior Network Consultant,
stephen.hope at energis.com,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)780 002 2626 Fax: +44 (0)161 776
4189


> -----Original Message-----
> From: Phil McGarr [mailto:phil at vpnlabs.org]
> Sent: Wednesday, March 27, 2002 1:36 AM
> To: vpn at securityfocus.com
> Subject: RE: [vpn] metrics for vpn sessions 
> 
> 
> 
> Christopher,
> 
> Thanks for the clarification! So would it be correct to say 
> that the number
> of concurrent sessions (2 tunnels) is primarily a matter of 
> bandwidth and
> RAM and secondly a matter of encryption processing power?
> My goal is to get the primary metrics that users should be 
> aware of when
> choosing a VPN solution. What is going to be the bottleneck 
> that's going to
> restrict the number of simultaneous users?
> 
> 
> cheers,
> 
> Phil
> 
> Phil McGarr
> VPN Labs
> http://www.vpnlabs.org/
> 
> 
> 
> 
> Another point I forgot to mention is the definition of the 
> term 'tunnel'.  A
> year or two ago I would see vendors refer to this but it was 
> misleading
> because each VPN Endpoint is comprised of 2 such 'tunnels'.  1 for Key
> Exchange and 1 for the encrypted data stream.  So when XYZ 
> vendor would say
> 10,000 simultaneous tunnels it was in reality 5000 VPN endpoints.
> 
> The other thing I see is 'users'.  This is actually a limit 
> on the number of
> IP addresses that can concurrently have sessions through the 
> VPN device.  A
> perfect example is the NetScreen 5XP.  It is limited to 10 
> IP's.  However,
> for an additional sum of money you can unlock that feature 
> and get what they
> call an ELITE license.
> 
> Generally speaking though the limit on SAs, TCP/UDP sessions, policy
> numbers, routes, etc. are memory issues.
> 
> 
> 
> Christopher Gripp
> Systems Engineer
> Axcelerant
> 
> "Impartiality is a pompous name for indifference, which is an 
> elegant name
> for ignorance."  G.K. Chesterton
> 
> > -----Original Message-----
> > From: Christopher Gripp
> > Sent: Tuesday, March 26, 2002 4:20 PM
> > To: Phil McGarr; vpn at securityfocus.com
> > Subject: RE: [vpn] metrics for vpn sessions
> >
> >
> > The number of tunnels isn't necessarily limited by the
> > bandwidth.  However, as with ANY network service, bandwidth
> > is going to impact the performance of those services.
> >
> > Yes.  Some VPN companies limit the # of tunnels, although I
> > wouldn't necessarily say arbitrarily, so they can sell
> > upgraded versions.
> >
> >
> >
> > Christopher Gripp
> > Systems Engineer
> > Axcelerant
> >
> > "Impartiality is a pompous name for indifference, which is an
> > elegant name for ignorance."  G.K. Chesterton
> >
> > > -----Original Message-----
> > > From: Phil McGarr [mailto:phil at vpnlabs.org]
> > > Sent: Tuesday, March 26, 2002 3:46 PM
> > > To: vpn at securityfocus.com
> > > Subject: [vpn] metrics for vpn sessions
> > >
> > >
> > > Greetings,
> > >
> > > I've been asked the following question:
> > > What metrics are companies using when they say "1,000 
> concurrent VPN
> > > tunnels?"
> > >
> > > This spawned some of my own questions:
> > > Is the number of concurrent tunnels possible limited by
> > > bandwidth to the VPN
> > > server rather than some algorithmic restriction?
> > > Are VPN companies arbitrarily restricting the number of
> > > tunnels so that they
> > > can sell upgraded versions when people need to allow more
> > > users onto their
> > > VPN network?
> > >
> > > Any help?
> > >
> > > tia,
> > >
> > > Phil
> > >
> > > Phil McGarr
> > > VPN Labs
> > > http://www.vpnlabs.org/
> > >
> > >
> > > VPN is sponsored by SecurityFocus.com
> > >
> > >
> >
> >
> >
> 
> 
> 
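As an added illustration of the sizing argument in this thread (example code, not from any of the posters), a small Python model that converts a vendor "tunnel" figure to endpoints (two SAs per endpoint, as Christopher describes), derives average per-user load from peak rate and contention ratio (Stephen's 1 Mbps at 50:1), and reports which of the three limits binds: memory contexts, crypto throughput, or the Internet feed. All box and feed figures are constructed, not taken from a real product.

```python
import math
from dataclasses import dataclass


@dataclass
class VpnBox:
    """Capacity limits of one concentrator (constructed figures, not a real product)."""
    crypto_throughput_kbps: int    # "performance" limit: CPU or hardware engine
    max_tunnels: int               # vendor-quoted "tunnels" = memory contexts
    tunnels_per_endpoint: int = 2  # one key-exchange SA + one data SA per endpoint

    def max_endpoints(self) -> int:
        # A "10,000 tunnel" box really terminates 5,000 endpoints.
        return self.max_tunnels // self.tunnels_per_endpoint


@dataclass
class UserProfile:
    peak_kbps: int         # instantaneous per-user rate, e.g. 1 Mbps broadband
    contention_ratio: int  # e.g. 50 for a 50:1 access network

    def average_kbps(self) -> int:
        # Contention means the long-run average is a fraction of the peak.
        return self.peak_kbps // self.contention_ratio


def limits(box: VpnBox, users: UserProfile, feed_kbps: int) -> dict:
    """Simultaneous users each limit allows on its own."""
    avg = users.average_kbps()
    return {
        "memory contexts": box.max_endpoints(),
        "crypto throughput": box.crypto_throughput_kbps // avg,
        "internet feed": feed_kbps // avg,
    }


def bottleneck(box: VpnBox, users: UserProfile, feed_kbps: int) -> tuple:
    """Return (max simultaneous users, name of the binding limit)."""
    lim = limits(box, users, feed_kbps)
    name = min(lim, key=lim.get)
    return lim[name], name


def boxes_needed(box: VpnBox, users: UserProfile, feed_kbps: int, user_count: int) -> tuple:
    """Boxes to rack and stack for user_count users, and whether the shared feed copes."""
    per_box = min(box.max_endpoints(), box.crypto_throughput_kbps // users.average_kbps())
    boxes = math.ceil(user_count / per_box)
    feed_ok = user_count * users.average_kbps() <= feed_kbps
    return boxes, feed_ok


if __name__ == "__main__":
    box = VpnBox(crypto_throughput_kbps=100_000, max_tunnels=10_000)
    home = UserProfile(peak_kbps=1_000, contention_ratio=50)
    print(bottleneck(box, home, feed_kbps=45_000))        # (2250, 'internet feed')
    print(boxes_needed(box, home, 1_000_000, 12_000))     # (3, True)
```

With a 45 Mbps feed the Internet link, not the box, caps the user count; with a large feed the crypto and context limits tie at 5,000 endpoints, exactly Christopher's halving of the "10,000 tunnels" figure.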

