Performance Impact of Data Compression on Virtual Private Network Transactions

Virtual private networks (VPNs) allow two or more parties to communicate securely over a public network. Using cryptographic algorithms and protocols, VPNs provide security services such as confidentiality, host authentication and data integrity. The computation required to provide adequate security, however, can significantly degrade performance. In this paper, we characterize the extent to which data compression can alleviate this performance degradation. More specifically, we study the performance obtained when combining the IP Payload Compression Protocol (IPComp) with the IP Security Protocol (IPsec). We evaluate performance using 3 system models; each of these models consists of some or all of the computation and transmission operations required to support VPN transactions. Using speedup equations that describe the performance impact of compression in the system models, we derive inequalities that specify the conditions required for data compression to improve performance. We also gather and analyze empirical performance results by simulating packet transmission over several network types and by timing the execution of IPComp and IPsec procedures on a 367 MHz HP PA-8500 processor. The results indicate that the performance depends on the compressibility of the payload data, on the throughput of the cryptographic and compression algorithms, and on the network speed. We find that compression usually improves performance when using 10 Mbps or slower networks, but compression only improves performance in systems with 100 Mbps or 1 Gbps networks when encryption is being used. 1.0 Introduction As Internet usage grows exponentially and computing devices become increasingly interconnected, network security issues become increasingly important. Many Internet applications such web browsers and distributed databases require private communication over public networks. Using a virtual private network (VPN), multiple hosts can communicate securely over a public network. The details of VPN protocols vary, but most consist of two major steps: a handshake and bulk data encryption/authentication. The VPN is established during the handshake step. This step involves protocol and algorithm negotiation, authentication of hosts, and secret key exchanges between the hosts. The hosts can then communicate privately by encrypting and authenticating all of the data that travels over the public network. The IP Security Protocol (IPsec) can be used to implement virtual private networks in a vendor-independent, application-invisible manner. IPsec provides a variety of security services at the IP layer for both IPv4 and IPv6 [12]. VPN bulk data encryption and authentication is supported in IPsec using the Encapsulating Security Payload and Authentication Header protocols. The Encapsulating Security Payload (ESP) provides for confidentiality of the IP packet payload, and both ESP and the Authentication Header (AH) ensure the authenticity as well as the integrity of the IP packet payload [10], [11]. The encryption and authentication provided by ESP and AH, however, require significant computational time and therefore can degrade performance when compared to unsecured transmissions. In past work, researchers have improved the performance of secure network transactions using a variety of techniques. By adding new instructions to conventional instruction set architectures, multiple-instruction operations in implementations of cryptographic algorithms can be replaced with a single RISC or CISC instruction [17]. For example, fast bitwise permutation instructions can significantly improve the performance of DES, and support for arithmetic in Galois fields can accelerate the throughput of elliptic curve cryptosystems [17], [24]. In addition, the computation associated with many cryptographic protocols is highly parallelizable. When performing encryption, a multiprocessor system can achieve nearly linear speedup by assigning individual packets or connections to single