IPSec Virtual Private Networks Conformance and Performance Testing Sample Test Plans



Similar documents
Testing Packet Switched Network Performance of Mobile Wireless Networks IxChariot

NATed Network Testing IxChariot

Virtual Private LAN Service (VPLS) Conformance and Performance Testing Sample Test Plans

Denial of Service (DOS) Testing IxChariot

Mail Gateway Testing. Test Plan W. Agoura Rd. Calabasas, CA (Toll Free US) FOR.IXIA (Int'l) (Fax)

MPLS Layer 2 VPNs Functional and Performance Testing Sample Test Plans

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

VoIP Testing IxChariot

HOWTO: How to configure IPSEC gateway (office) to gateway

Border Gateway Protocol (BGP) Conformance and Performance Testing

00:00:40 00:01:00 00:01:20 00:01:40 00:02:00

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Cyberoam Configuration Guide for VPNC Interoperability Testing using DES Encryption Algorithm

Cisco Which VPN Solution is Right for You?

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

Chapter 4 Virtual Private Networking

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

VPNC Interoperability Profile

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

This section provides a summary of using network location profiles to identify network connection types. Details include:

GNAT Box VPN and VPN Client

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Cisco Integrated Services Routers Performance Overview

Implementing and Managing Security for Network Communications

The BANDIT Products in Virtual Private Networks

LinkProof And VPN Load Balancing

CCNA Security 1.1 Instructional Resource

VPN Quick Configuration Guide. Astaro Security Gateway V8

TrustNet Group Encryption

Advanced IPSec with GET VPN. Nadhem J. AlFardan Consulting System Engineer Cisco Systems

VPN Wizard Default Settings and General Information

BUY ONLINE AT:

VPN. VPN For BIPAC 741/743GE

Lab Testing Summary Report

Configuring a VPN between a Sidewinder G2 and a NetScreen

Server Load Balancer Testing

Case Study for Layer 3 Authentication and Encryption

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

Chapter 8 Virtual Private Networking

Cyberoam IPSec VPN Client Configuration Guide Version 4

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Mesh VPN Link Sharing (MVLS) Solutions

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN

Site2Site VPN Optimization Solutions

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

Testing L7 Traffic Shaping Policies with IxChariot IxChariot

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

Magnum Network Software DX

Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture

IxNetwork TM MPLS-TP Emulation

Architecture de Réseaux et Dimensionnement du Trafic

Lab Configure a PIX Firewall VPN

Server Load Balancing (SLB) Testing IxLoad

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Integrated Services Router with the "AIM-VPN/SSL" Module

A Performance Analysis of Gateway-to-Gateway VPN on the Linux Platform

IxLoad-Attack: Network Security Testing

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Qualifying SDN/OpenFlow Enabled Networks

Advanced Network Security Testing. Michael Jack

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

VPN R Administration Guide. 15 October Classification: [Protected]

Introduction. Technology background

WHITE PAPER. How To Compare Virtual Devices (NFV) vs Hardware Devices: Testing VNF Performance

White Paper. SSL vs. IPSec. Streamlining Site-to-Site VPN Deployments

McAfee Firewall Enterprise 8.2.1

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Monitoring Remote Access VPN Services

McAfee Firewall Enterprise 8.3.1

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

Demonstrating the high performance and feature richness of the compact MX Series

IPSec Pass through via Gateway to Gateway VPN Connection

Group Encryption. The key to protecting data in motion BLACK BOX blackbox.com

Cisco Cisco 3845 X X X X X X X X X X X X X X X X X X

Building VPNs. Nam-Kee Tan. With IPSec and MPLS. McGraw-Hill CCIE #4307 S&

IP Office Technical Tip

Why Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs

Integrated Services Router with the "AIM-VPN/SSL" Module

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

Internet Protocol Security IPSec

IxChariot Virtualization Performance Test Plan

Site to Site Virtual Private Networks (VPNs):

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

STONEGATE IPSEC VPN 5.1 VPN CONSORTIUM INTEROPERABILITY PROFILE

Gateway to Gateway VPN Connection

Connecting Remote Offices by Setting Up VPN Tunnels

Configuring Windows 2000/XP IPsec for Site-to-Site VPN

Evaluating Wireless Broadband Gateways for Deployment by Service Provider Customers

Network Security Part II: Standards

Configuring Security Solutions

VPN Tracker for Mac OS X

Introduction to Security and PIX Firewall

Transcription:

IPSec Virtual Private Networks Conformance and Performance Testing Sample Test Plans

Contents 1. IPSec Conformance Test...3 2. Tunnel Scalability Test...5 3. Tunnel Setup Rate Test...7 4. Re-Key Tests... 10 5. Data Performance Test... 11 Copyright 2004 Ixia. All rights reserved. The information in this document is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Ixia. Ixia assumes no responsibility or liability for any errors or inaccuracies that may appear in this document. Ixia and the Ixia logo are trademarks of Ixia. All other companies, product names, and logos are trademarks or registered trademarks of their respective holders. Ixia 26601 W. Agoura Road Calabasas, CA 91302 Phone: (818) 871-1800 Fax: (818) 871-1805 Email: info@ixiacom.com Internet: www.ixiacom.com 2 Copyright Ixia, 2004 IPSec VPNs: Conformance and Performance Testing, Sample Test Plans

IPSec Virtual Private Networks: Conformance and Performance Testing Sample Test Plans 1. IPSec Conformance Test Objective: To characterize the DUT s compliance to IETF standards Test setup: IxANVL IPSec test suite running a set of positive and negative test cases against the DUT. Methodology: IxANVL tests interpret the IPSec RFCs and present a number of scenarios to test the DUT. 1. Select a set of test cases to run in IxANVL. 2. Configure the DUT with the corresponding IPSec parameters and IP addressing using a set of scripts. 3. Run IxANVL in a batch mode with the scripts re-configuring the DUT between tests to match the IxANVL test setup. Results: Number of tests passed/failed. Figure 1. IxANVL configuring the device under test for conformance testing. IPSec VPNs: Conformance and Performance Testing, Sample Test Plans Copyright Ixia, 2004 3

Figure 2. IPSec conformance testing in IxANVL test cases. missing header packet incorrect packet fragmentation Figure 3. IPSec conformance testing in IxANVL journal. 4 Copyright Ixia, 2004 IPSec VPNs: Conformance and Performance Testing, Sample Test Plans

2. Tunnel Scalability Test Objective: To determine the maximum number of tunnels a DUT can set up. Test setup: Ixia s IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT. Parameters: Varying IKE and IPSec protocols including different modes (tunnel mode and transport mode), varying Diffie-Hellman (dh1, dh2, dh5) and encryption protocols (3DES, AES 128 and AES 256). Methodology: 1. Configure the DUT to accept tunnel requests from a number of peers. 2. In IxVPN, create a mix of IPSec tunnel parameters. Configure the DUT to match the crypto-parameters for each tunnel that IxVPN will initiate. 3. Set up tunnels sequentially against the DUT until a user-specified number of tunnels fail. 4. Repeat the test for multiple iterations 5. Repeat the test with various mixes. Result: Maximum number of tunnels that can be set up by the DUT with varying parameters (Figure 4 and Figure 5). Figure 4. Tunnel capacity test results. Figure 5. Tunnel capacity test results, graph view. IPSec VPNs: Conformance and Performance Testing, Sample Test Plans Copyright Ixia, 2004 5

Creating mixes: example. As shown in Figure 6, the user can test a DUT with various combinations of IPSec tunnel parameters very quickly with IxVPN. While all combinations may not be used for a given deployment, the ability to create mixes quickly will be important to test border conditions. creating a mix of IPSec tunnel parameters in this case, 12 combinations have been set as roughly equal percentages of the whole Figure 6. Using IxVPN to set combinations of IPSec parameters for testing. 6 Copyright Ixia, 2004 IPSec VPNs: Conformance and Performance Testing, Sample Test Plans

3. Tunnel Setup Rate Test Objective: To determine the rate at which the DUT can set up IPSec tunnels under varying conditions. Test setup: Ixia s IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT. Parameters: Varying IKE and IPSec protocols (as in the tunnel scalability test), as well as varying numbers of simultaneous requests to determine behavior under real-world conditions. Methodology: 1. Configure the DUT to accept tunnels requests from a number of peers. 2. In IxVPN, create a mix of IPSec tunnel parameters. Configure the DUT to match the crypto-parameters for each tunnel IxVPN will initiate. 3. Initiate a number of simultaneous tunnel requests from IxVPN and measure setup rates with each set of requests. 4. Continue to set up new tunnels with varying number of simultaneous tunnel requests until a user specified number of tunnels fail (as the DUT reaches capacity). 5. Repeat the test for multiple iterations and with varying mixes. Result: Tunnel setup rate as a function of established tunnels on the DUT. As shown in Figure 7, the rate drops significantly as the number of established tunnels increases. tunnel setup rate drops as the number of established tunnels increases Figure 7. IxVPN tunnel setup rate test, single iteration. IPSec VPNs: Conformance and Performance Testing, Sample Test Plans Copyright Ixia, 2004 7

Figure 8. IxVPN tunnel setup rate test, aggregated results. latency is broken out by phase, and shown cumulatively Figure 9. IxVPN setup rate test, statistics. 8 Copyright Ixia, 2004 IPSec VPNs: Conformance and Performance Testing, Sample Test Plans

data view filters enable testers to find problematic parameters quickly each row shows statistics for a single tunnel message-level detail for tunnel ixtun0000 Figure 10. IxVPN per-phase, per-tunnel statistics. Figure 10 shows statistics on a per-phase, per-tunnel basis. By using the data view filters, users can quickly see if certain tunnel parameters are causing performance problems. IPSec VPNs: Conformance and Performance Testing, Sample Test Plans Copyright Ixia, 2004 9

4. Re-Key Tests Objective: To determine the long-term stability of the DUT with re-keying, and the rate at which the DUT can re-key. Test setup: Ixia s IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT. Parameters: Varying tunnel lifetimes and rekey intervals with various IKE and IPSec protocol. Methodology: 1. Establish a number of tunnels against the DUT using IxVPN. 2. In IxVPN, configure the lifetime and re-key intervals to initiate re-keying. 3. At the specified re-key interval, IxVPN will initiate the re-key and measure any failures and also the rate at which the re-key is done by the DUT. 4. Repeat the test for multiple iterations and varying re-key intervals and parameters Results: Number of re-key failures and rekey rate. re-keying statistics and latencies Figure 11. IxVPN re-keying test options and report. 10 Copyright Ixia, 2004 IPSec VPNs: Conformance and Performance Testing, Sample Test Plans

5. Data Performance Test Objective: To determine encryption and decryption performance of the DUT so that the impact of IPSec on application performance can be assessed. Key metrics are encryption and decryption throughput, latency, and loss. Test setup: Once the tunnels are set up using IxVPN, the Chariot product is used to send data over the tunnels in a variety of traffic types. Parameters: Varying application and transport protocols and packet sizes. Methodology: 1. Set up a number of tunnels against the DUT using IxVPN with various parameters. 2. Set up Chariot end points on both the public and private side of the DUT. 3. Using the Chariot console, send data over each of the tunnels from the emulated gateway side as well as from the host side to measure encryption and decryption performance. 4. Repeat the test with varying packet sizes and IPSec parameters. Results: Encryption and decryption throughput, latency, and loss. Chariot reports before and after establishment of IPSec tunnels, showing the impact of IPSec overhead on application traffic (Figure 12). IPSec VPNs: Conformance and Performance Testing, Sample Test Plans Copyright Ixia, 2004 11

addition of IPSec overhead reduces throughput Figure 12. Chariot data performance test: before and after addition of IPSec traffic. 12 Copyright Ixia, 2004 IPSec VPNs: Conformance and Performance Testing, Sample Test Plans

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information