Answers to your Questions
IPsec Technology Basics
Testing IPsec
IPsec Technology Basics
What is IPsec?
IPsec is a framework of open standards for ensuring secure
communications over IP networks. Originally designed into
the IPv6 implementation, it is also available as an optional
protocol suite for IPv4.
Where can I find the IPsec standards?
The IPsec protocol suite is specified in several IETF Request
For Comments (RFC) documents. The core RFCs are:
RFC 2401: Security Architecture for the Internet Protocol
RFC 2402: IP Authentication Header
RFC 2403: The Use of HMAC-MD5 within ESP and AH
RFC 2404: The Use of HMAC-SHA-1 within ESP and AH
RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2406: IP Encapsulating Security Payload (ESP)
RFC 2407: The Internet IP Security Domain of Interpretation
for ISAKMP
RFC 2408: Internet Security Association and Key Management
Protocol (ISAKMP)
RFC 2409: The Internet Key Exchange (IKE)
RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
RFC 2411: IP Security Document Roadmap
RFC 2412: The OAKLEY Key Determination Protocol
RFC 2411 provides an overview of the documents used to describe
the IPsec protocol suite. Note that this 1998 set has since been
revised: RFC 4301 (architecture), RFC 4302 (AH) and RFC 4303 (ESP)
replace RFC 2401, 2402 and 2406, and IKEv2 (RFC 4306, now RFC 7296)
replaces the ISAKMP/IKEv1 trio of RFC 2407-2409. HMAC-MD5 (RFC 2403)
and single DES (RFC 2405) are no longer recommended for new
deployments; check the current algorithm requirements for ESP and AH
(RFC 8221) before configuring a device.
What services does IPsec provide?
IPsec was designed to provide the following security services:
- Authentication - Assurance that the sending and receiving devices
(or users) are who they claim to be. The IPsec peers authenticate
each other when they negotiate keys, and every protected packet
thereafter carries data origin authentication via its integrity
check value.
- Data Integrity - Confirmation that the data received is exactly
the data transmitted. AH and ESP append a keyed message authentication
code (for example HMAC-SHA-1, RFC 2404) to each packet, so tampering
or corruption in transit is reliably detected and the packet is
discarded.
- Data Confidentiality - Protection of user data in transit: ESP
encrypts the payload so that it is never sent in 'cleartext'.
- Replay Protection - Detection and discarding of replayed packets.
An attacker who captures legitimate packets and re-injects them
later (to repeat a transaction, confuse a stateful receiver, or
simply burn the receiver's CPU cycles, a form of denial of service)
is defeated by the per-SA sequence number carried in AH and ESP
headers and a sliding window on the receiver that rejects duplicates
and packets too old to fall within it.
- Automated Key Management - An automated process (IKE) to negotiate
security associations and to generate and periodically replace the
keys used by the encryption and authentication algorithms.
- Non-repudiation - Often listed alongside the services above, but
IPsec does not actually provide it for traffic: AH and ESP integrity
is based on symmetric keys held by both peers, so a packet's MAC
proves only that one of the two peers produced it, not which one.
Only IKE peer authentication with digital signatures (certificates)
offers non-repudiation, and then only for the key-exchange messages,
not for the data carried over the tunnel.
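The per-packet integrity and anti-replay services above, as an added example that is not part of the original page or any vendor's code: a minimal ESP receiver in Python that verifies an HMAC-SHA1-96 integrity check value (RFC 2404) and runs the sliding anti-replay window described in RFC 2401 Appendix C and RFC 2406 Section 3.4.3. NULL encryption (RFC 2410) is assumed and the ESP trailer is omitted so the integrity and replay logic stand out; the SPI, key, payloads and packet sequence are constructed for the demonstration, and `build_esp` and `InboundSA` are names chosen here, not a real library API.

```python
"""Minimal ESP receiver: HMAC-SHA1-96 integrity check (RFC 2404) plus the
sliding anti-replay window of RFC 2401 Appendix C / RFC 2406 Section 3.4.3.
Added example, not the page's or any vendor's code. NULL encryption
(RFC 2410) is assumed and the ESP trailer is omitted so that the integrity
and replay logic stand out."""
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96 keeps the first 96 bits of the 20-byte tag
WINDOW = 64    # default window size; RFC 2406 requires at least 32


def build_esp(spi, seq, payload, key):
    """Sender side: SPI | sequence number | payload | ICV (constructed packet)."""
    authenticated = struct.pack("!II", spi, seq) + payload
    return authenticated + hmac.new(key, authenticated, "sha1").digest()[:ICV_LEN]


class InboundSA:
    """Receive-side state for one Security Association (SA)."""

    def __init__(self, spi, key):
        self.spi = spi
        self.key = key
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def _window_check(self, seq):
        """Return None if seq may be accepted, else the reason to drop it."""
        if seq == 0:
            return "zero-seq"            # the first packet on an SA is number 1
        if seq > self.top:
            return None                  # to the right of the window: new
        if self.top - seq >= WINDOW:
            return "stale"               # fell off the left edge of the window
        if (self.bitmap >> (self.top - seq)) & 1:
            return "replay"              # inside the window and already seen
        return None

    def _advance(self, seq):
        if seq > self.top:               # slide the window to the right
            shift = seq - self.top
            self.bitmap = 0 if shift >= WINDOW else (self.bitmap << shift) & ((1 << WINDOW) - 1)
            self.top = seq
            self.bitmap |= 1
        else:                            # mark a slot inside the window
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet):
        """Returns (accepted, reason, payload) for one inbound ESP packet."""
        if len(packet) < 8 + ICV_LEN:
            return False, "short", b""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return False, "bad-spi", b""
        # RFC 2406 3.4.3: cheap replay check first, before the MAC is computed
        reason = self._window_check(seq)
        if reason is not None:
            return False, reason, b""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, "sha1").digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "bad-icv", b""
        # The window is updated only after the ICV verifies, so an attacker
        # cannot advance it (and shut out legitimate traffic) with forged packets.
        self._advance(seq)
        return True, "ok", body[8:]


def demo():
    """Constructed traffic: in-order, out-of-order, a replay, a stale packet
    and a forged ICV. Returns [(seq, reason), ...]."""
    key = b"\x0b" * 20                   # constructed 160-bit test key
    spi = 0x1000
    sa = InboundSA(spi, key)
    results = []
    for seq in (1, 2, 3, 5, 4, 3, 70, 6):
        pkt = build_esp(spi, seq, b"payload-%d" % seq, key)
        results.append((seq, sa.receive(pkt)[1]))
    forged = bytearray(build_esp(spi, 71, b"forged", key))
    forged[-1] ^= 0x01                    # flip one bit of the ICV
    results.append((71, sa.receive(bytes(forged))[1]))
    return results


if __name__ == "__main__":
    for seq, reason in demo():
        print(f"seq {seq:>3}: {reason}")
```

The ordering in `receive` is the point worth noticing: the sequence-number check is done before the MAC is computed so that floods of obviously replayed packets cost almost nothing, but the window is only advanced after the ICV verifies, so forged packets with large sequence numbers cannot push legitimate traffic out of the window.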
Where is IPsec used?
IPsec is the technology most widely used to implement Virtual
Private Networks (VPNs) - a method to provide private corporate
communications over a public network, like the Internet. Some
of the benefits for deploying VPNs are:
- Cost savings - Using Internet Service Provider (ISP) connectivity
is much less expensive than dedicated WAN circuits and leased
lines.
- Security - Encryption and authentication algorithms keep
enterprise data private and secure as it traverses the public
Internet.
- Scalability - Adding new users and sites via VPN connections
is quick and cost-effective.
What kind of VPNs can IPsec be used to create?
IPsec is used to create all types of VPNs, including:
- Remote Access VPNs - Individual users, such as mobile
employees, telecommuters and day-extenders, accessing the
corporate network via traditional ISP dial-up or broadband
connections.
- Intranet VPNs - Connectivity between the corporate headquarters
and their remote and branch offices.
- Extranet VPNs - Corporate network access to the business
partners, suppliers and customers of an enterprise.
Testing IPsec
How do I verify that my VPN network design will scale to meet my requirements?
It is critical to test that each of the devices in your planned
network (such as VPN concentrators and firewalls) can easily
satisfy your capacity and performance needs - based on the
number of users, the mix of applications or services that
they will use, and their estimated traffic profiles.
What are the key metrics for testing VPN concentrators and other IPsec-capable devices?
- IPsec Maximum Active Tunnels - The maximum number of IPsec
tunnels the device can establish and keep active simultaneously.
- IPsec Tunnel Setup Rate & Time - The maximum rate at which
the device can establish IPsec tunnels, and the time taken to
establish each tunnel, measured while stateful application traffic
is being carried over the tunnels already established.
- IPsec Stateful Traffic Throughput - The maximum throughput of
stateful application traffic that the device can forward over
encrypted IPsec tunnels.
Why is it important to test IPsec with stateful traffic?
It is possible to test IPsec performance in isolation by verifying
that the device can set up many IPsec tunnels rapidly. However, a
tunnel that has been negotiated is not necessarily forwarding: to
confirm that the IPsec tunnels have been correctly established and
activated, it is vital to send bi-directional traffic through each
tunnel and verify that it arrives.
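The three metrics listed above and the bi-directional forwarding check, as an added example that is not from the original page or from Agilent's test tools: a Python script that derives maximum active tunnels, setup rate, setup time and the set of tunnels that never carried traffic in both directions from a tunnel-event log. The log format (`<seconds> <tunnel-id> init|up|down|traffic [bytes-in bytes-out]`) and the sample lines are constructed here for the illustration; a real test tool or gateway exports these events in its own format, and `parse_log` and `tunnel_metrics` are names chosen for this example.

```python
"""Derives IPsec device test metrics from a tunnel-event log and flags tunnels
that were negotiated but never forwarded traffic in both directions.
Added example; the log format below is invented for illustration."""
from collections import defaultdict

# Constructed sample log: "<seconds> <tunnel-id> <event> [<bytes-in> <bytes-out>]"
SAMPLE_LOG = """\
0.000 t1 init
0.000 t2 init
0.000 t3 init
0.000 t4 init
0.120 t1 up
0.250 t2 up
0.400 t3 up
0.450 t1 traffic 5000 4800
0.500 t1 down
0.900 t4 up
1.000 t2 traffic 5200 0
1.100 t3 traffic 4100 3900
2.000 t4 down
2.500 t2 down
3.000 t3 down
"""


def parse_log(text):
    """Parse log lines into (time, tunnel_id, event, counters) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                      # skip blank or malformed lines
        t, tid, ev = float(parts[0]), parts[1], parts[2]
        counters = tuple(int(x) for x in parts[3:5]) if ev == "traffic" else ()
        events.append((t, tid, ev, counters))
    return events


def tunnel_metrics(events):
    """Return the setup, capacity and forwarding metrics for one test run."""
    init, up, down = {}, {}, {}
    rx, tx = defaultdict(int), defaultdict(int)
    for t, tid, ev, counters in events:
        if ev == "init":
            init[tid] = t
        elif ev == "up":
            up[tid] = t
        elif ev == "down":
            down[tid] = t
        elif ev == "traffic":
            rx[tid] += counters[0]
            tx[tid] += counters[1]
    # Setup time per tunnel: from first IKE message to the tunnel being usable
    setup_times = [up[tid] - init[tid] for tid in up if tid in init]
    # Setup rate: tunnels established over the span from first init to last up
    span = max(up.values()) - min(init.values()) if up else 0.0
    # Sweep line for maximum concurrent tunnels: +1 at up, -1 at down; downs
    # sort before ups at equal timestamps so a tunnel torn down at the instant
    # another is established is not double counted as active.
    sweep = sorted([(t, 1, +1) for t in up.values()] + [(t, 0, -1) for t in down.values()])
    active = peak = 0
    for _, _, delta in sweep:
        active += delta
        peak = max(peak, active)
    # A tunnel is only proven working if bytes flowed in both directions
    no_bidir = sorted(tid for tid in up if rx[tid] == 0 or tx[tid] == 0)
    return {
        "tunnels_established": len(up),
        "max_active": peak,
        "setup_rate_per_s": len(up) / span if span > 0 else float("inf"),
        "setup_time_max": max(setup_times) if setup_times else 0.0,
        "setup_time_avg": sum(setup_times) / len(setup_times) if setup_times else 0.0,
        "no_bidirectional_traffic": no_bidir,
    }


if __name__ == "__main__":
    for name, value in tunnel_metrics(parse_log(SAMPLE_LOG)).items():
        print(f"{name:>26}: {value}")
```

In the sample run, all four tunnels are reported as established, but t2 only ever sent traffic one way and t4 never forwarded anything, so the "maximum active tunnels" figure a setup-only test would report (4) overstates what the device actually delivered.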
It is preferable to use real stateful traffic (using a mix
of application protocols such as HTTP, SMTP and NFS) to better
simulate real network conditions, and because many devices
(such as firewalls and integrated security gateways) are "application
aware". If the device must inspect each packet up to
the application layer ("deep packet inspection"),
its real performance can only be accurately assessed by using
a mix of stateful application traffic.
For more information on IPsec test challenges and testing with stateful traffic, download our White Paper.
Should I test stateful packet inspection and IPsec simultaneously?
Yes. Many security services, such as IPsec VPN support, intrusion
detection/prevention, firewall stateful packet inspection,
and virus scanners are being integrated into the one security
device. Verifying these devices can simultaneously support
these services as required in a real-world scenario, is an
important test.
What should I look for in a test tool for testing IPsec device performance?
- Client and server emulation in a single test application,
providing quick, efficient and easy configuration of multiple
client and server resources.
- The ability to send a mix of stateful application protocol
traffic (such as HTTP, SMTP and NFS) over IPsec tunnels,
to test real-world performance and scenarios.
- IPsec tunnel setup integrated into the test software,
to enable rapid configuration of traffic over IPsec.
- Optional hardware acceleration for increased IPsec encryption/decryption
throughput, and the ability to stress the device and measure
its performance limits.
- A powerful, flexible graphical user interface that allows
rapid creation of any test scenario
without the need for scripting.
See our Application Note for more information.
How do I test IPsecv6 (IPsec for IPv6)?
- Use the same test scenarios as for IPsecv4.
- Select a test tool with integrated support for IPv6 and IPsecv6.
Agilent recently helped vendors and network operators become IPv6-ready during the Moonv6 phase 2 test event.
See our Journal of Internet Test Methodologies for other IPv6 test scenarios.