Title :
Performance Implications of Instantiating IPsec over BGP Enabled RFC 4364 VPNs
Author :
Pezeshki, Jonah ; Jeffress, LaTonya ; Chao, Victor ; Hall, William
Abstract :
Needs for internetworking private networks over a commonly shared public network have expanded the usage of Virtual Private Networks (VPNs). Customers, through the use of an RFC 4364 VPN, use service provider (SP) backbones to establish private connectivity between geographically disparate networks. As a direct result of SPs migrating towards an Internet Protocol (IP) over a Multi-Protocol Label Switching (MPLS) infrastructure, as observed within the Defense Information Switched Network (DISN) of the Global Information Grid (GIG), SPs have also begun to transition from providing traditional circuit-switched leased permanent virtual circuits through a layer two (L2) protocol (e.g., Asynchronous Transfer Mode (ATM) or Frame Relay (FR)) to providing layer three (L3) VPN services. Currently, requirements for securing the GIG control plane traffic are undecided. A potential solution for protecting the GIG control plane includes instantiating Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) Transport Mode across all GIG routers on a router-to-router basis. Although the use of IPsec has been proven to provide effective data confidentiality, data integrity, and authentication to devices operating on the data plane, both routing vendors and SP operators have shared concerns regarding network performance degradation associated with the use of IPsec on the control plane. This paper will investigate the performance implications of applying IPsec ESP Transport Mode to routers participating in 4364 VPNs, given a typical GIG scenario. Testing has been recently completed to determine the impacts of using IPsec protection on 4364 VPNs, specifically in a simulated GIG operating environment.
Keywords :
Asynchronous transfer mode; Data security; Electrostatic precipitators; IP networks; Internetworking; Protection; Protocols; Spine; Switching circuits; Virtual private networks;
Conference_Title :
Military Communications Conference, 2007. MILCOM 2007. IEEE
Conference_Location :
Orlando, FL, USA
Print_ISBN :
978-1-4244-1513-7
Electronic_ISBN :
978-1-4244-1513-7
DOI :
10.1109/MILCOM.2007.4454778