Networking.com

Managing VPN bandwidth requirements, speed and overhead

By Terry Slattery

Internet VPNs are an essential tool for companies that need to connect remote staffers to corporate resources and applications. But, before deploying these VPNs, companies need to answer two important questions: How much VPN bandwidth is possible on the internet? And, when procuring circuits for internet connectivity at remote sites, how much bandwidth should you specify? To answer these questions, let's examine the driving factors.

For this article, we are only considering IPsec VPNs, which are true VPNs that are configured to connect hosts or networks to a private network. VPN connections using Transport Layer Security are not considered because TLS is generally used to protect specific application sessions.

IPsec VPN overhead

The IPsec VPN overhead depends on whether tunnel mode or transport mode is selected. Tunnel mode provides better security at a slightly higher overhead by encapsulating the original IP header. It is the method that is commonly used for site-to-site VPNs, so we are using it for our analysis.

Another consideration is the quality of the internet connection. The speed of ISP connections continues to climb around the world. Of course, the actual speed that's delivered depends on local connectivity and possible congestion, regardless of the speed of the physical link. Well-connected parts of the world experience multimegabit speeds. Cellular connectivity, on the other hand, frequently yields only low megabit speeds -- or even less -- depending on signal levels and congestion.

Let's examine the VPN overhead for several different packet sizes and the effect on a 10 Mbps Ethernet connection to an ISP. It's easy to scale the 10 Mbps figures up or down to match available ISP link speeds.

• 1 byte of application data. The worst case is transporting 1 byte of application data, such as in Telnet or Secure Socket Shell The resulting TCP/IP packet is 41 bytes in length. The IPsec VPN overhead on this packet is an additional 84 bytes, resulting in a total packet size of 128 bytes, an increase of 200%. A 10 Mbps Ethernet link can handle approximately 8,845 packets per second at this packet size. Fortunately, applications that transfer a single byte at a time are infrequently used and function at slow speeds.
• 160 bytes of application data. A more realistic case is a VoIP 711 wideband codec, running 50 packets per second with a payload of 160 bytes each. The User Datagram Protocol/IP header is 28 bytes, resulting in a 188 byte packet before entering the VPN. The encrypted IPsec packet size is 272 bytes, an increase of about 50%. A 10 Mbps Ethernet link can handle approximately 4,032 packets per second, or 80 concurrent phone calls.
• 1,328 bytes of application data. The maximum safe packet size on an IPsec VPN is 1,328 bytes. Most internet links are limited to packets no larger than 1,500 bytes, and the difference enables IPsec and other frequently used protocol headers. Add the TCP/IP header of 40 bytes for an unencrypted packet size of 1,368. The IPsec packet size is then 1,456 bytes, an increase of 6%. A 10 Mbps Ethernet link can handle approximately 836 packets per second. An understanding of the applications is then needed to determine the bandwidth that is required.

Putting VPN bandwidth data to use

You can now apply your understanding of the IPsec VPN overhead to internet link sizing. You will need to understand the characteristics of the applications that will be used over the IPsec VPN to estimate the required bandwidth to meet service expectations. An application's packet sizes, their volume and frequency are key factors.

It is common to find several common packet sizes in use on a link. Voice will use 250 byte packets, while file transfer or graphic viewers will use the largest packet sizes. Web applications will tend to use a variety of packet sizes, some small and some large, depending on the operation being performed.

In practice, application vendors are seldom able to provide the necessary data. Packet captures of an application in use may be necessary to understand the mix of packet sizes the link should support. That information is combined with the number of users at a site and the applications they are expected to use to arrive at a proper link bandwidth.

Of course, it helps to oversize the link speed somewhat to allow for peak usage that was not observed in the packet captures or to allow for growth and new applications.

Note that, even if you have the internet link appropriately sized, there may be congestion within the ISP that limits throughput. You may need to deploy application performance monitoring and active path testing tools to measure path throughput. Service-level agreements with your ISP carriers may also help avoid unmet expectations when assessing the proper VPN bandwidth needed.