Carrier-Class IPSec: the Bigger the Better
Managed security services are hot right now, and carriers have plenty of products to choose from. So which boxes are best for building scalable, managed VPN services?
To find out, Light Reading worked with its testing partners, Network Test Inc. and Spirent Communications, to see which products are ready for the rigors of carrier-grade virtual private network service.
We asked vendors to supply IPSec-based products that would scale to securely support thousands of customers, move traffic into the gigabit range, and offer easy provisioning and management of customer circuits.
Turns out that was a little too tall an order.
We chose IPSec among the various VPN technologies available today because the alternatives simply aren’t suitable for managed security services.
Multiprotocol Label Switching (MPLS)-based VPNs and the Internet Engineering Task Force (IETF)'s MPLS Martini extensions offer a variety of benefits, but security isn’t one of them. Neither provides authentication or encryption, which are bedrock functions required to ensure data integrity and privacy. The Layer 2 Tunneling Protocol (L2TP) does authenticate users, but it’s mainly intended for dial-up links, and it doesn’t offer encryption or verify that data hasn’t been altered in flight.
In contrast, the IETF’s IPSec suite does provide strong security; even so, finding carrier-class products can be a challenge. To begin with, most IPSec gateways are intended for CPE (customer premises equipment) use, and those won’t scale anywhere close to carrier-class levels.
Several vendors say they do offer carrier-class gear, but when it came time to put up equipment for testing, most – including Cisco Systems Inc. (Nasdaq: CSCO), Lucent Technologies Inc. (NYSE: LU), and Nortel Networks Corp. (NYSE/Toronto: NT) – proved awfully shy. (See: No Shows.)
In the end, only two vendors were willing to put their carrier-grade boxes to the test: NetScreen Technologies Inc. (Nasdaq: NSCN), a newly minted public company; and Quarry Technologies Inc., a startup.
We put both vendors’ IPSec gateways through a grueling set of tests, and both came up aces. While most vendors were busy hiding, the NetScreen and Quarry devices set new speed records: Both ran at Gigabit Ethernet line rates in at least some of our tests. Both scaled to support thousands of concurrent tunnels. Best of all, both delivered essentially the same performance with one secure tunnel and thousands active.
The throughput results are especially noteworthy, considering most CPE-based IPSec gateways can’t even run one tenth as fast. Even though these devices perform some of the most compute-intensive tasks imaginable, they manage to crank along at line rate while still providing strong security.
Picking a winner wasn’t easy. Quarry’s iQ series gateways delivered higher throughput in most tests, and they offer full redundancy of components and an intuitive, powerful management platform. But the NetScreen-5200 is no slouch either. It set up far more concurrent tunnels than Quarry’s iQ, and the configuration we tested costs less. If we had to pick one, we’d give the nod to Quarry’s iQ, but either is up to the task of carrier-grade IPSec service.
The following report provides an in-depth account of what we tested, how, and what the results were. A hyperlinked index follows:
- Inside the CO
- Lies, Damned Lies, and Vendor Specs
- Frames and Fragmentation
- Speed Demons
- Delay Tactics
- Scaling Up
- No Sweat
- Grace Under Pressure
- Management Material
- Keeping Tabs
Network Test Inc. (Westlake Village, Calif.) is an independent benchmarking and network design consultancy. Network Test’s clients are end users (enterprises and service providers), trade publications, and industry consortia; the company does not accept testing commissions from equipment makers.