Methodology for Benchmarking IPsec Gateways

Full Text (PDF, 1310KB), PP.1-9

Views: 0 Downloads: 0


Adam Tisovsky 1,* Ivan Baronak 1

1. Department of Telecommunications, Slovak University of Technology, Bratislava, Slovakia

* Corresponding author.


Received: 5 Jan. 2012 / Revised: 11 Apr. 2012 / Accepted: 3 Jun. 2012 / Published: 8 Aug. 2012

Index Terms

IPsec, benchmarking, throughput, offered load, forwarding rate, CPU utilization


The paper analyses forwarding performance of IPsec gateway over the rage of offered loads. It focuses on the forwarding rate and packet loss particularly at the gateway's performance peak and at the state of gateway's overload. It explains possible performance degradation when the gateway is overloaded by excessive offered load. The paper further evaluates different approaches for obtaining forwarding performance parameters – a widely used throughput described in RFC 1242, maximum forwarding rate with zero packet loss and us proposed equilibrium throughput. According to our observations equilibrium throughput might be the most universal parameter for benchmarking security gateways as the others may be dependent on the duration of test trials. Employing equilibrium throughput would also greatly shorten the time required for benchmarking. Lastly, the paper presents methodology and a hybrid step/binary search algorithm for obtaining value of equilibrium throughput.

Cite This Paper

Adam Tisovský, Ivan Baroňák, "Methodology for Benchmarking IPsec Gateways", International Journal of Computer Network and Information Security(IJCNIS), vol.4, no.9, pp.1-9, 2012. DOI:10.5815/ijcnis.2012.09.01


[1]S. Kent, K. Seo, "RFC 4301 - Security Architecture for the Internet Protocol", IETF RFC, 2005
[2]G. Waters, K. Stammberger, "Understanding Crypto Performance in Embedded Systems," Mocana design article, 2009. Available at:
[3]S. Bradner, "RFC 1242 - Benchmarking Terminology for Network Interconnection Devices", IETF RFC, 1991
[4]S. Bradner, "RFC 2544 - Benchmarking Methodology for Network Interconnect Devices", IETF RFC, 1999
[5]M. Kaeo, T. Van Herck, M. Bustos, "Terminology for Benchmarking IPsec Devices: draft-ietf-bmwg-ipsec-term-12", IETF Draft, 2009
[6]M. Kaeo, "Methodology for Benchmarking IPsec Devices", IETF Draft, 2009
[7]NLANR/DAST, "Iperf", open-source project. Available at:
[8]R. Jones, "Netperf". Available at:
[9]B. Huang, M. Bauer, M. Katchabaw, "Hpcbench - a Linux-based network benchmark for high performance networks," High Performance Computing Systems and Applications, 2005. HPCS 2005. 19th International Symposium, pp. 65- 71, ISSN: 1550-5243, 15-18 May 2005
[10]A. Botta, A. Dainotti, A. Pescapè, "Multi-protocol and multi-platform traffic generation and measurement", INFOCOM 2007 DEMO Session, May 2007, Anchorage (Alaska, USA), D-ITG tool. Available at:
[11]R.E. Hughes-Jones, "Writeup for udpmon A Network Diagnostic Program", Oct. 2010. Available at:
[12]C. Dovrolis, E. Goldoni, M. Schivi, "End-to-End Available Bandwidth Estimation Tools, an Experimental Comparison", PAM 2010 - Passive and Active Measurement Conference, 2010. Available at:
[13]GNU Bash. Available at:
[14]R. Mandeville, "RFC 2285 - Benchmarking Terminology for LAN Switching Devices", IETF RFC, 1998
[15]M. Castelino, F. Hady, Network Processing Forum, "Tutorial on NPF's IPsec Forwarding Benchmark," 2004. Available at:
[16]M. Zec, M. Mikuc, M. Žagar, "Estimating the Impact of Interrupt Coalescing Delays on Steady State TCP Throughput", Proceedings of the 10th SoftCOM 2002 conference, 2002
[17]M.G. Iatrou, A.G. Voyiatzis, D.N. Serpanos, "Network Stack Optimization for Improved IPsec Performance on Linux", In: SECRYPT 2009, Proceedings of the International Conference on Security and Cryptography, Milan, Italy, pages 83-91, INSTICC Press, 2009, ISBN 978-989-674-005-4, 7-10 July 2009
[18]K. Salah, "Integrated performance evaluating criterion for selecting between interrupt coalescing and normal interruption", International Journal of High Performance Computing and Networking, Volume 3 Issue 5/6, December 2005
[19]B. Hickman et al., "RFC 3511 - Benchmarking Methodology for Firewall Performance", IETF RFC, 2003
[20]A. Tisovsky, I. Baronak, "Analytical Model of IPsec Process Throughput," In: Advances in Electrical and Electronic Engineering (AEEE). ISSN 1336-1376. September 2012
[21]B. Barnett, "Sed - An Introduction and Tutorial". Available at:
[22]J. Dugan, "Iperf Tutorial", JointTechs 2010. Available at: