GET VPN Overhead

anasubra_2
Level 1

Hi All,

We are looking for the overhead accounted for because of GET VPN. Is there any comparison chart or value?

Thanks

Regards

Anantha Subramanian Natarajan

8 Replies

lloyd_andrew
Level 1

The original IP header is copied as the new IP header and placed in front of the ESP header.

http://www.cisco.com/en/US/products/ps6635/products_data_sheet0900aecd80582067.html

-lloyd

Thanks Lloyd. So the overhead is the additional header (which is a fixed size irrespective of data size).

Once again thanks

Regards

Anantha Subramanian Natarajan

Anantha,

As mentioned by Lloyd, in GETVPN the new IP Header is a copy of the Original IP Header. So, that is going to be 20 bytes (without options). Keep in mind that the size of the packet may vary due to encryption and authentication options such as AES, SHA, etc. Roughly, around 52 to 56 bytes. So, with new IP Header you are looking at 72 to 76 bytes.

I would refer to the ESP RFC 4303 for details.

I have not seen a specific GET VPN performance document on cisco.com. But since the Original IP Header is copied and placed in front of the ESP instead of a New IP Header like the traditional IPSEC, I don't think there is going to be much of a difference in the encryption performance between Traditional and GET VPNs.

I hope it helps.

Regards,

Arul

Arul, thank you very much. The explanation is quite descriptive and helpful.

Just to add to the discussion on performance.

I have seen some performance numbers and they do seem to be comparable from what I remember. AIM-VPN/SSL-2 card is required to fully implement IPsec header preservation in hardware. The way I look at it, GET should substantially outperform any traditional IPsec deployment either way, including DMVPN, because each router participating in the GET domain really only fundamentally needs a single SA installed to exchange encrypted traffic with any peer in the network, regardless of size. That in itself allows the router to scale to much higher levels as compared to the same router in a traditional deployment. A traditional deployment of the same type may require 25+ tunnels to provide the same level of connectivity, thus increasing the overhead on the router and substantially lowering the overall IPsec throughput available on that platform, since it is also a function of the # of tunnels in use.

Packet overhead is identical to tunnel mode IPsec.

The only variation that will typically occur will be due to algorithms being used for encryption/authentication, but that also applies to standard IPsec.
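The per-packet arithmetic behind the replies above, as an added example that is not part of any post in this thread: it sums the ESP tunnel-mode fields from RFC 4303 and goes one step further by deriving the largest inner packet that fits a given MTU. It assumes an IPv4 outer header without options, no NAT-T/UDP encapsulation, and a small illustrative set of transforms; the function names are hypothetical.

```python
"""ESP tunnel-mode per-packet size arithmetic (RFC 4303 field layout)."""

OUTER_IP = 20     # outer IPv4 header, no options (assumption)
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# cipher -> (IV bytes, cipher block bytes); illustrative selection
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# integrity transform -> ICV bytes carried in each packet
AUTHS = {"hmac-md5-96": 12, "hmac-sha1-96": 12}


def esp_packet_size(inner_len, cipher="aes-cbc", auth="hmac-sha1-96"):
    """Size on the wire of an inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    # Inner packet + padding + trailer must fill whole cipher blocks.
    pad = -(inner_len + ESP_TRAILER) % block
    return (OUTER_IP + ESP_HEADER + iv + inner_len
            + pad + ESP_TRAILER + AUTHS[auth])


def overhead(inner_len, cipher="aes-cbc", auth="hmac-sha1-96"):
    """Bytes added to one packet; varies with padding, not only headers."""
    return esp_packet_size(inner_len, cipher, auth) - inner_len


def max_inner_for_mtu(mtu, cipher="aes-cbc", auth="hmac-sha1-96"):
    """Largest inner packet whose encrypted form still fits in mtu."""
    iv, block = CIPHERS[cipher]
    room = mtu - OUTER_IP - ESP_HEADER - iv - AUTHS[auth]
    encrypted = room - room % block   # whole cipher blocks only
    return encrypted - ESP_TRAILER


if __name__ == "__main__":
    # Constructed sample sizes: TCP ACK, mid-size packet, near-MTU packets.
    for cipher, auth in (("3des-cbc", "hmac-md5-96"),
                         ("aes-cbc", "hmac-sha1-96")):
        for inner in (40, 100, 1438, 1439):
            print(f"{cipher:9} {auth:13} inner={inner:5} "
                  f"overhead={overhead(inner, cipher, auth):3}")
        print(f"{cipher:9} max inner for MTU 1500:",
              max_inner_for_mtu(1500, cipher, auth))
```

The output shows the overhead changing from packet to packet with the padding, and one extra inner byte near the MTU pushing the encrypted packet past 1500 bytes.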

Thanks gistem.....
