New Member

GET VPN Overhead

Hi All,

We are looking for the overhead accounted for because of GET VPN. Is there any comparison chart or value?

Thanks

Regards

Anantha Subramanian Natarajan

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: GET VPN Overhead

Anantha,

As mentioned by Lloyd, in GETVPN the new IP Header is a copy of the Original IP Header. So, that is going to be 20 bytes (without options). Keep in mind that the size of the packet may vary due to encryption and authentication options such as AES, SHA, etc. Roughly, around 52 to 56 bytes. So, with new IP Header you are looking at 72 to 76 bytes.

I would refer to the ESP RFC 4303 for details.

I have not seen a specific GET VPN performance document on cisco.com. But since the original IP header is copied and placed in front of the ESP header instead of a new IP header like in traditional IPsec, I don't think there is going to be much of a difference in the encryption performance between traditional and GET VPNs.

I hope it helps.

Regards,

Arul

New Member

Re: GET VPN Overhead

Packet overhead is identical to tunnel mode IPsec.

The only variation that will typically occur will be due to the algorithms being used for encryption/authentication, but that also applies to standard IPsec.
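Added example, not part of the original thread or any Cisco tool: a small calculator for the ESP tunnel-mode layout the two accepted answers describe, using the field sizes from RFC 4303 and the relevant cipher RFCs. The profile list, function names, and the assumptions of an option-less 20-byte outer IPv4 header and no NAT-T/UDP encapsulation are choices made here for illustration.

```python
# Added example: ESP tunnel-mode overhead from RFC 4303 field sizes.
# Assumes a 20-byte outer IPv4 header (no options) and no NAT-T/UDP encapsulation.
from collections import namedtuple

# block: cipher block size used for padding; iv: IV bytes on the wire;
# icv: truncated integrity check value bytes
Profile = namedtuple("Profile", "name block iv icv")

AES_CBC_SHA1 = Profile("AES-CBC + HMAC-SHA1-96", 16, 16, 12)
TDES_CBC_SHA1 = Profile("3DES-CBC + HMAC-SHA1-96", 8, 8, 12)
AES_CBC_SHA256 = Profile("AES-CBC + HMAC-SHA-256-128", 16, 16, 16)

OUTER_IP = 20    # outer IPv4 header (in GET VPN, a copy of the original header)
ESP_HEADER = 8   # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)


def padding(inner_len, p):
    """Pad bytes so that inner packet + padding + trailer fills whole cipher blocks."""
    align = max(p.block, 4)  # RFC 4303 also requires 4-byte alignment
    return -(inner_len + ESP_TRAILER) % align


def overhead(inner_len, p):
    """Bytes added to an inner IP packet of inner_len bytes."""
    return OUTER_IP + ESP_HEADER + p.iv + padding(inner_len, p) + ESP_TRAILER + p.icv


def overhead_range(p):
    """(min, max) overhead across all inner packet sizes."""
    fixed = OUTER_IP + ESP_HEADER + p.iv + ESP_TRAILER + p.icv
    return fixed, fixed + max(p.block, 4) - 1


def max_inner(mtu, p):
    """Largest inner packet that still fits in mtu after encapsulation."""
    n = mtu
    while n + overhead(n, p) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for p in (AES_CBC_SHA1, TDES_CBC_SHA1, AES_CBC_SHA256):
        lo, hi = overhead_range(p)
        print(f"{p.name}: {lo}-{hi} bytes overhead; "
              f"a 1500-byte packet grows by {overhead(1500, p)}; "
              f"largest inner packet that fits MTU 1500 is {max_inner(1500, p)}")
```

The padding term is why the per-packet figure moves with payload length as well as with the chosen algorithms; `max_inner` gives the value to plan MTU or TCP MSS settings around.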

8 REPLIES
New Member

Re: GET VPN Overhead

The original IP header is copied as the new IP header and placed in front of the ESP header.

http://www.cisco.com/en/US/products/ps6635/products_data_sheet0900aecd80582067.html

-lloyd

New Member

Re: GET VPN Overhead

Thanks Lloyd. So the overhead is the additional header (which is a fixed size irrespective of data size).

Once again thanks

Regards

Anantha Subramanian Natarajan

New Member

Re: GET VPN Overhead

Arul, thank you very much. The explanation is quite descriptive and helpful.

New Member

Re: GET VPN Overhead

Just to add to the discussion on performance.

I have seen some performance numbers and they do seem to be comparable from what I remember. The AIM-VPN/SSL-2 card is required to fully implement IPsec header preservation in hardware. The way I look at it, GET should substantially outperform any traditional IPsec deployment either way, including DMVPN, because each router participating in the GET domain really only fundamentally needs a single SA installed to exchange encrypted traffic with any peer in the network, regardless of size. That in itself allows the router to scale to much higher levels as compared to the same router in a traditional deployment. A traditional deployment of the same type may require 25+ tunnels to provide the same level of connectivity, thus increasing the overhead on the router and substantially lowering the overall IPsec throughput available on that platform, since it is also a function of the number of tunnels in use.

New Member

Re: GET VPN Overhead

Thanks gistem.....
