Performance IPSec vs. MPLS

Answered Question
Sep 25th, 2008

Imagine a user in San Francisco connects to New York via an IPsec tunnel (Internet):

a) If I go via an MPLS network instead, is the latency about the same as with IPsec?

b) How about average performance? What percentage performance decrease in applications should I consider when compared to MPLS, given the encryption demanded by the IPsec tunnel?

Correct Answer
Jon Marshall Thu, 09/25/2008 - 12:19

Marlon

This is a difficult question to answer precisely. What can be said is that there are no performance guarantees on the Internet whereas with MPLS you will have some sort of SLAs with your service provider.

The other thing to bear in mind when comparing MPLS to Internet is availability.

As for performance, there will always be an additional overhead when using IPSEC but it can be somewhat alleviated by having a dedicated hardware module for the VPN encryption/decryption.

Jon

Joseph W. Doherty Sun, 09/28/2008 - 12:15

As Jon notes, this is difficult because in any one instance, one might be better than the other.

In general, IPSec will add some latency for actual encryption and decryption, but with hardware it's usually little, but this also assumes that additional fragmentation isn't incurred because of IPSec. (Even then, IPSec with hardware performs well, but the platforms might not with general fragmentation.)

The two big factors for actual latency are overall distance (how the traffic actually physically flows end-to-end) and actual congestion.

In a place like the US, the latency is often very close although because of typical MPLS SLAs, MPLS latency is often less variable.

In a place far, far out, like some remote jungle, surprisingly Internet IPSec often performs better because there's more demand for Internet locally than private WAN. (I.e. the physical Internet build out is often better.)
