A Performance Analysis of Gateway-to-Gateway and End-to-Gateway L2TP VPN

Author: Rukhsana Rahim Butt

Dec, 2006 COMSATS Institute of Information Technology

Abstract

• L2TP Communication Modes behave differently on real and non-real applications.

• A detailed analysis is needed by the administrator prior to VPN mode deployment.

• This study can be beneficial for
  – Financial growth.
  – Saving bandwidth.
  – Client satisfaction.


Paper Overview

• Paper Goal
  – Provide basic understanding of communication modes, current development and missing aspects/loopholes.
  – Effect of these technologies on various applications.
  – How these technologies fit together to provide today’s VPN solutions.

• Approach
  – Simulation of L2TP Tunnel and measurement of capacity using OPNET


What and Why?

[Figure: VPN taxonomy tree. Labels: VPNs; Provider Provisioned VPNs; Customer Provisioned VPNs; Site-to-Site; Remote Access; Compulsory Tunnel; Voluntary Tunnel; L2F, PPTP, L2TPv2/v3, IPSec, SSL/TLS.]


How Does L2TP/IPSec Secure WLAN?

• Strong encryption, integrity, user authentication, replay protection, tunnel address assignment, multi-protocol and multi-vendor interoperability.

• Mitigates attacks like
  – Wireless Packet Sniffer
  – Unauthorized Access
  – Network Topology Discovery
  – Password Attack


L2TP Communication Modes

• Gateway-to-Gateway Mode
  – Compulsory Tunnel

• End-to-Gateway Mode
  – Voluntary Tunnel

[Figure: two tunnel topologies across the Internet cloud. First diagram labels: Host, Subscriber, NAS, LAC, LNS, Gateway, Corporate Network, L2TP Tunnel, PPP Session. Second diagram labels: Host, Subscriber, NAS, Gateway, Corporate Network, L2TP Tunnel, PPP Session, IPSec Tunnel, LAC on host, LNS on gateway.]


[Figure: Voluntary Tunnel vs. Compulsory Tunnel. Labels: LAN Resources, Client, Mobile Client, Ethernet, VPN Server, VPN Server/Router, Internet, Compulsory Tunnel, Voluntary Tunnel.]


Current Information

• General Tunnel Setup guideline

• Security breaches against Tunnels

• General Communication Mode Information


What is Missing?

• Communication Modes’ Behavior vs. Applications
  – Analysis
  – Comparison
  – Suited Communication Mode against Applications (real & non-real)


Voice Received Traffic of Voluntary and Compulsory Tunnels (RFC 2764)

[Figure: Voice Traffic Received (packets/sec) vs. Time (sec), for Compulsory Tunnel and Voluntary Tunnel, shown alongside the two tunnel topology diagrams.]


Voice Throughput of Voluntary and Compulsory Tunnels (RFC 2764)

[Figures: Total Throughput on PPP Link and Total Throughput on Tunnel Link (packets) vs. Time (sec), each for Compulsory Tunnel and Voluntary Tunnel, shown alongside the two tunnel topology diagrams.]


Requirements for Performance Analysis

High End-to-End Delay

Less Receiving Traffic Retrieved

Overall throughput decline on PPP and Tunnel links


Why Is the Gateway-to-Gateway Communication Mode Not Suited for Voice Application?

• Communication mode is time-consuming
  – High End-to-End Delay
  – Less Receiving Traffic

• Tunnel Sharing
  – Less throughput on PPP Link
  – Less throughput on Tunnel Link


Conclusion

The End-to-Gateway communication mode (the Voluntary Tunnel) of L2TP shows better response in the case of real applications.


Future Work

Quantitative Analysis of Wireless LAN Security and Performance via VPN Technology L2TP/IPSec

Thanks

Any Questions?
