Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Encrypting the Local Network

Summary

Our WaveSEC solutions are prototype solutions for encrypting the LAN. They are really prototypes, and you should set aside a couple of days to get the code working in your setup. Even if you do not end up using any of the WaveSEC-specific code, you can use it as a starting point to secure your wireless network for Linux and Windows machines. In the near future, Xelerance hopes to find the time and resources to build on this prototype to make it into a turn-key offering that people can use to easily secure their wireless network.


11

Enterprise Implementation

Integrating VPNs into an existing large enterprise can be quite difficult. This chapter looks at the hardware and software limitations, network topology issues, and methods of obtaining enterprise-grade reliability from your Openswan VPN. The following key topics will be covered:

Speed and Performance

Integration into large existing networks

Optimizations for dealing with large numbers of tunnels

Use of GRE to create Super Tunnels

Dynamic routing (OSPF and BGPv4)

Fail-over between Openswan nodes to create High Availability IPsec

Many administrators are concerned about the speed and performance of devices on their network—especially if the device carries out cryptographic work. However, the single largest limitation you will run into on modern machines is network bandwidth, not processor speed. Usually your IPsec gateway will be able to encrypt and decrypt faster than your ISP can move your traffic.

Cipher Performance

A 2.8 GHz x86 class processor can saturate a 100 Mbps network link using 3DES, and sustain 300 Mbps using AES without hardware acceleration. Note that these benchmarks were performed without any additional requirements. Most notably, no firewall rules were defined. If you do need to deploy firewall rules, there are a few rules of thumb that will help you optimize.

Try to branch often, so that each packet traverses fewer firewall rules. Do not use a single top-down list of rules.

Use the related keyword near the top of your ruleset, so that packets belonging to connections that have already been accepted do not need to traverse the whole tree again.

Put those types of packets that you get most of at the top of your rulesets. Depending on the server, this could be ESP packets, UDP 4500/500 packets, HTTP packets, FTP packets, DNS packets, or even database packets.
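The three rules of thumb above, as an added example that is not part of the book: a branched iptables ruleset for an Openswan gateway. The interface names, the IPT dry-run placeholder and the permitted services are constructed assumptions; handling of decrypted traffic (ipsec0 on KLIPS, policy matching on NETKEY) is left out.

```shell
#!/bin/sh
# Added example, not the book's own ruleset. Dry run by default: IPT is a
# constructed placeholder that prints the commands instead of loading them.
# Set IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"   # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"   # assumed LAN interface

# Emit (or load) the ruleset.
gen_rules() {
    # Related/established first: packets of already accepted connections
    # leave the chain at rule one instead of walking the whole tree again.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Branch into per-traffic-type chains rather than one top-down list,
    # so a packet only traverses the rules of its own branch.
    $IPT -N IPSEC_IN
    $IPT -N LAN_IN
    $IPT -N SERVICES_IN

    # Most frequent packets on a VPN gateway are the IPsec ones (ESP, IKE on
    # UDP 500, NAT-T on UDP 4500), so their branch comes before the others.
    $IPT -A INPUT -i "$EXT_IF" -p esp -j IPSEC_IN
    $IPT -A INPUT -i "$EXT_IF" -p udp -m multiport --dports 500,4500 -j IPSEC_IN
    $IPT -A INPUT -i "$LAN_IF" -j LAN_IN
    $IPT -A INPUT -i "$EXT_IF" -j SERVICES_IN
    $IPT -A INPUT -j DROP

    # IPSEC_IN: everything reaching it already matched protocol/port above.
    $IPT -A IPSEC_IN -j ACCEPT

    # LAN_IN: the few services the gateway offers to the inside (assumed).
    $IPT -A LAN_IN -p udp --dport 53 -j ACCEPT
    $IPT -A LAN_IN -p tcp --dport 22 -j ACCEPT
    $IPT -A LAN_IN -j DROP

    # SERVICES_IN: public services on the outside interface (assumed).
    $IPT -A SERVICES_IN -p tcp --dport 80 -j ACCEPT
    $IPT -A SERVICES_IN -j DROP
}

# Depth of the INPUT chain in dry-run mode: the most rules any packet can
# hit before it is accepted, dropped or branched off.
count_input_rules() {
    gen_rules | grep -c -- '-A INPUT'
}

gen_rules
```

Running the script as-is prints the rules so they can be reviewed before loading; with IPT=iptables the same function loads them.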


Optimizing your firewall is outside the scope of this book, but you should realize that it can have a heavy impact on the performance of your VPN gateway.

We have included two tables for those interested in sizing their IPsec gateways. Both are calculated using B * # = C, where B is bandwidth, # is a constant indicating the speed of the algorithm, and C is the CPU speed required.

The following table shows performance of 3DES on the x86 architecture. In this case, the value for # in the above rule is 25.

Topology | Speed | CPU Needed
--- | --- | ---
Cable modem/DSL | 1 Mbps | 25 MHz
Ethernet | 10 Mbps | 250 MHz
Fast Ethernet | 100 Mbps | 2.5 GHz
ATM OC3 | 155 Mbps | 3.8 GHz
Gigabit Ethernet | 1000 Mbps | 22.5 GHz

This table shows performance of AES on the x86 architecture. The value for # is now 9.

Topology | Speed | CPU Needed
--- | --- | ---
Ethernet | 10 Mbps | 90 MHz
Fast Ethernet | 100 Mbps | 900 MHz
ATM OC3 | 155 Mbps | 1.4 GHz
Gigabit Ethernet | 1000 Mbps | 9 GHz

On x86 architectures, assembler code is used directly for 3DES and AES. On non-x86 architectures, compiled C code is used for these ciphers, which is not as optimal and therefore will be slower. For example, the Linksys WRT54g (v1), which has a 100 MHz MIPS CPU, can only do 7 to 8 Mbps on AES, which is less than the 10 Mbps that the 90 MHz x86-based chip can do.

With NETKEY, the CryptoAPI ciphers are used, only some of which have been written in assembler. Check the latest kernel source to see if the cipher you desire is in C or assembler.

If more performance is required, there are several crypto accelerator cards on the market from vendors such as Hifn, Cavium, and SafeNet. Support for these cards on Linux is practically nonexistent, so verify this with the vendor before you purchase a product. Many vendors promise 1000 Mbps speeds for their PCI cards.
