Performance analysis of virtualized VPN endpoints

Abstract

Virtual Private Networks (VPN) are an established technology that provides users a way to achieve secure communication over an insecure communication channel, such as the public Internet. It has been widely accepted due to its flexibility and availability on many platforms. It is often used as an alternative to expensive leased lines. In traditional setups, VPN endpoints are set up in hardware appliances, such as firewalls or routers. In modern networks, which utilize Network Functions Virtualization (NFV), VPN endpoints can be virtualized on common servers. Because data encryption and decryption are CPU intensive operations, it is important to investigate limits of such setups so that feasibility of endpoint virtualization can be evaluated. In this paper, we analyze performance of two industry standard VPN implementations - IPSec and OpenVPN. We examine TCP throughput in relation to encryption algorithm used and packet size. Our experiments suggest that moving VPN endpoints from a specialized hardware appliance to a virtualized environment can be a viable and simple solution if traffic throughput requirements are not too demanding. However, it is still difficult to replace high-end appliances with large throughput capabilities.