Ixia Speeds Up IPSec Test
Ixia's IxVPN modules were announced in September as the company added IPSec testing to its Automated Network Validation Library (ANVL). Through further testing, Ixia now claims to have validated speeds of a full 1-Gbit/s per port, which would outdo testing rival Spirent Communications. Spirent announced its SmartBits TeraMetrics XD Security Module in November (see Ixia Intros IPSec Test Tools and Spirent Tests SSL, IPSec).
Ixia gave out some specific numbers today, saying the IxVPN module can run each port at its full line rate, 1 Gbit/s, while also encrypting and decrypting traffic.
Speed matters, because encryption is notorious for dragging down packet throughput. "Once you throw in encryption, there's obviously a hit in terms of performance," says Sunil Kalidindi, security product manager at Ixia.
That happens because the math behind most encryption schemes involves ridiculously large integers. General-purpose microprocessors such as the Pentium or PowerPC can do the job, but only to a limited extent. If too many encrypted sessions run at once, or if the system's microprocessor is running too many other features, performance gets hobbled.
Some companies compensate by using specialty-purpose hardware, chips engineered to handle large numbers. Firms such as Hifn Inc. (Nasdaq: HIFN), Cavium Networks Inc., Corrent Corp., and Layer N Networks Inc. were founded just for that purpose.
That's the road Spirent has taken, using specialty hardware alongside its usual microprocessors. "We discovered about 18 months ago that you can't get the performance without hardware accelerators," says Mark Fishburn, Spirent vice president of technical strategy. "We can get on-the-fly [data rates] in the hundreds of megabits per second range, which we think is not possible with general purpose processors."
Spirent says their stuff goes into the "hundreds of megabits per second," so it's not full gigabit. They're skeptical that Ixia can do true 1-Gbit/s with encryption, because encryption slows things down so much.
Ixia says it manages to get by with PowerPC chips. It works because the company uses a lot of them, one for each of the eight ports on its IxVPN module. With that setup, the module can run 8 Gbit/s of traffic using the common 3DES encryption scheme. (Ixia and Spirent both support 3DES as well as its successor, the Advanced Encryption Algorithm, or AES.)
Separate from performance testing, IxVPN also runs conformance testing, running through the requirements of the Internet Engineering Task Force (IETF) RFCs in circulation to make sure the VPN complies. This feature is useful as a regression test for vendors, making sure they didn't break anything in designing the next product generation. It's also useful to carriers, to make sure different vendors' equipment will interoperate, Kalidindi says.
— Craig Matsumoto, Senior Editor, Light Reading