01-03-2008 08:44 PM - edited 02-21-2020 03:27 PM
Hi All,
We are looking for the overhead accounted for by GET VPN. Is there any comparison chart or value?
Thanks
Regards
Anantha Subramanian Natarajan
01-09-2008 11:06 AM
The original IP header is copied as the new IP header and placed in front of the ESP header.
http://www.cisco.com/en/US/products/ps6635/products_data_sheet0900aecd80582067.html
-lloyd
01-09-2008 11:14 AM
Thanks Lloyd. So the overhead is the additional header (which is a fixed size irrespective of data size).
Once again thanks
Regards
Anantha Subramanian Natarajan
01-09-2008 07:12 PM
Anantha,
As mentioned by Lloyd, in GETVPN the new IP Header is a copy of the Original IP Header. So, that is going to be 20 bytes (without options). Keep in mind that the size of the packet may vary due to encryption and authentication options such as AES, SHA, etc. Roughly, around 52 to 56 bytes. So, with new IP Header you are looking at 72 to 76 bytes.
I would refer to the ESP RFC 4303 for details.
I have not seen a specific GET VPN performance document on cisco.com. But since the original IP header is copied and placed in front of the ESP instead of a new IP header like in traditional IPsec, I don't think there is going to be much of a difference in the encryption performance between traditional and GET VPNs.
I hope it helps.
Regards,
Arul
01-09-2008 07:22 PM
Arul, thank you very much. The explanation is quite descriptive and helpful.
01-09-2008 07:38 PM
Just to add to the discussion on performance.
I have seen some performance numbers and they do seem to be comparable from what I remember. The AIM-VPN/SSL-2 card is required to fully implement IPsec header preservation in hardware. The way I look at it, GET should substantially outperform any traditional IPsec deployment either way, including DMVPN, because each router participating in the GET domain really only fundamentally needs a single SA installed to exchange encrypted traffic with any peer in the network, regardless of size. That in itself allows the router to scale to much higher levels as compared to the same router in a traditional deployment. A traditional deployment of the same type may require 25+ tunnels to provide the same level of connectivity, thus increasing the overhead on the router and substantially lowering the overall IPsec throughput available on that platform, since it is also a function of the number of tunnels in use.
01-09-2008 07:17 PM
Packet overhead is identical to tunnel mode IPsec.
The only variation that will typically occur will be due to algorithms being used for encryption/authentication, but that also applies to standard IPsec.
01-09-2008 07:23 PM
Thanks gistem.....
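The per-algorithm variation mentioned in the replies above can be worked out from the ESP layout in RFC 4303. The following is an added example, not code from any poster or from Cisco; the algorithm table (block, IV and ICV sizes), the function names and the sample packet sizes are assumptions for illustration, and the outer header is taken as a 20-byte IPv4 header without options.

```python
"""ESP tunnel-mode overhead from the RFC 4303 packet layout (added example)."""

OUTER_IP = 20     # IPv4 header without options, as stated in the thread
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)

# Assumed table: cipher -> (block size, IV size) in bytes
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
# Assumed table: integrity algorithm -> ICV size in bytes
AUTHS = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha256-128": 16}


def esp_padding(inner_len, block):
    """Pad bytes so inner packet + padding + trailer fills whole cipher blocks."""
    align = max(block, 4)  # RFC 4303 also requires 4-byte alignment
    return -(inner_len + ESP_TRAILER) % align


def tunnel_overhead(inner_len, cipher, auth):
    """Bytes added on the wire to an inner IP packet of inner_len bytes."""
    block, iv = CIPHERS[cipher]
    pad = esp_padding(inner_len, block)
    return OUTER_IP + ESP_HEADER + iv + pad + ESP_TRAILER + AUTHS[auth]


def overhead_range(cipher, auth):
    """(min, max) overhead across every possible padding length."""
    block, _ = CIPHERS[cipher]
    sizes = range(20, 20 + max(block, 4))  # covers each residue once
    values = [tunnel_overhead(n, cipher, auth) for n in sizes]
    return min(values), max(values)


if __name__ == "__main__":
    for cipher in CIPHERS:
        for auth in AUTHS:
            lo, hi = overhead_range(cipher, auth)
            print(f"{cipher:9} {auth:16} overhead {lo}-{hi} bytes")
    for size in (64, 576, 1400):  # constructed sample inner packet sizes
        total = size + tunnel_overhead(size, "aes-cbc", "hmac-sha1-96")
        print(f"inner {size:4} -> on the wire {total} (aes-cbc, hmac-sha1-96)")
```

The fixed part of the overhead depends only on the chosen algorithms; the padding term is what makes it vary with the inner packet length.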