Performance Evaluation of Data Transmission Using IPSec over IPv6 Networks

Seiji ARIGA <say@sfc.wide.ad.jp>
Kengo NAGAHASHI <kenken@sfc.wide.ad.jp>
Keio University
Japan

Masaki MINAMI <minamim@isl.rdc.toshiba.co.jp>
Toshiba Corporation
Japan

Hiroshi ESAKI <hiroshi@wide.ad.jp>
University of Tokyo
Japan

Jun MURAI <jun@wide.ad.jp>
Keio University
Japan

Abstract

This paper evaluates the performance of data transmission using the ordinary PC both for large data transmission and for the actual application. Concerning the applications, this paper discusses digital video (DV) transmission because DV will be a common and widely used application by the next generation of Internet users. Also, the video content requires secure and reliable data transmission. For large data transmissions, when we apply the authentication and encryption, the throughput degrades to 1/9 compared with the throughput without authentication or encryption. With authentication and encryption, we obtain about 10 Mbps for UDP data transmission and about 6 Mbps for a simple TCP/IP transmission. As for the DV transmission, the end-to-end throughput was again about 10 Mbps. With 10 Mbps end-to-end throughput, 1/10 of the video information can be successfully transferred from the source node to the destination node to obtain a sufficient quality of DV transmission.

1. Introduction

As the Internet moves forward into the next century, it will become an information infrastructure for everyone, not just for scientists or professionals. Therefore, the next generation Internet must achieve scalable and reliable data transmission. The IPv6 (IP version 6) [4] and IP security (IPSec) [1] comprise a core protocol suite for such transmission. IPv6 has a 128-bit address space that is enough to cover all worldwide networks and equipment, and IPSec technology provides essential functions for reliable and secure data exchange over the Internet.

This paper evaluates the performance of data transmission with the IPSec over IPv6 networks using an ordinary PC platform because people want to perform high-speed multimedia communications, such as high-quality video communications, with a low-cost PC platform. Also, at the production level of multimedia services over the Internet, such transmissions must include authentication and encryption to protect the information exchanged.

This paper evaluates the performance of data transmission using the ordinary PC both for large data transmission and for the actual application. Concerning the applications, this paper discusses DV transmission since secured and reliable DV applications will be commonly used by most of the next generation of Internet users. For large data transmissions, when we apply the authentication header (AH) [2] and encryption (Encapsulating Security Payload, or ESP) [3], the throughput degrades to 1/9 compared with the throughput without AH or ESP. With AH and ESP, we obtain about 10 Mbps for UDP data transmission and about 6 Mbps for a simple TCP/IP transmission. Also, the throughput was compared with that of data transmission with IPv4. The degradation of throughput at the end system from using IPv6 instead of IPv4 was small.

The rest of this paper is organized as follows. Section 2 gives a brief overview of IPSec; Section 3 describes the performance evaluation of bulk data transmission over TCP and UDP; Section 4 describes the performance evaluation of DV data transmission with IPSec; and Section 5 gives a brief conclusion.

2. IPSec (IP security)

RFC 2401 [1] describes the architecture framework of IPSec. The IPSec protocol suite provides the functional suite for secure and reliable data exchange over the Internet. IPSec has the following two functions: authentication and encryption.

For both IPv4 and IPv6, IPSec is independent of the type of data transmission medium. Also, the application need not be aware of whether IPSec is applied. For IPv6, IPSec is defined as a mandatory option, i.e., every node has to implement the IPSec functions.

There is a concern regarding the performance of IPSec. As is well known, the processing power required for security functions, especially for IPSec, is large. If very large processing power is required, many users would not have enough throughput for many applications, and special hardware would have to be deployed to handle these security functions. If the ordinary PC platform can provide enough processing power to handle IPSec for major applications, we can deploy a secure and reliable information infrastructure cost effectively.
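As an added illustration of the per-packet AH processing described above (example code, not part of the paper or of the KAME stack), the following builds an IPv6 packet in AH transport mode per RFC 2402 with the HMAC-MD5-96 transform of RFC 2403, and verifies it. It shows what the authentication actually covers: the IPv6 header with its mutable fields (traffic class, flow label, hop limit) zeroed plus the entire payload, so a hop-limit decrement in transit leaves the ICV valid while any payload change does not. The key, addresses, SPI and payload are constructed for the example.

```python
import hmac
import hashlib
import struct

AH_NEXT_HEADER = 51        # IPv6 next-header value for the Authentication Header
UDP_NEXT_HEADER = 17       # next-header value of the protected payload
AH_ICV_LEN = 12            # HMAC-MD5-96 (RFC 2403): MD5 HMAC truncated to 96 bits
AH_LEN = 12 + AH_ICV_LEN   # fixed AH fields (12 bytes) plus the ICV

# Constructed values for this example: a made-up key and two made-up addresses.
KEY = b"example-key-0123"
SRC = bytes.fromhex("fd00" + "00" * 13 + "01")
DST = bytes.fromhex("fd00" + "00" * 13 + "02")

def ipv6_header(payload_len, next_header, hop_limit, tclass=0, flow=0):
    """Build the 40-byte IPv6 fixed header (RFC 2460)."""
    first_word = (6 << 28) | (tclass << 20) | flow
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_header, hop_limit, SRC, DST)

def ah_icv(key, ip6_hdr, ah_no_icv, payload):
    """ICV as RFC 2402 defines it: the whole packet is authenticated, with the
    mutable IPv6 fields (traffic class, flow label, hop limit) and the ICV
    field itself zeroed before hashing. The payload is fully covered."""
    fixed_hdr = struct.pack("!I", 6 << 28) + ip6_hdr[4:7] + b"\x00" + ip6_hdr[8:]
    mac = hmac.new(key, fixed_hdr + ah_no_icv + bytes(AH_ICV_LEN) + payload, hashlib.md5)
    return mac.digest()[:AH_ICV_LEN]

def build_ah_packet(key, spi, seq, payload, hop_limit=64):
    """Sender side, transport mode: AH sits between the IPv6 header and the
    payload, so the IPv6 payload length grows by AH_LEN and its next header
    becomes 51, while AH's own next-header field keeps the original value."""
    ip6_hdr = ipv6_header(AH_LEN + len(payload), AH_NEXT_HEADER, hop_limit)
    # AH payload-length field counts 32-bit words minus 2 (RFC 2402 sec 2.2).
    ah_no_icv = struct.pack("!BBHII", UDP_NEXT_HEADER, AH_LEN // 4 - 2, 0, spi, seq)
    return ip6_hdr + ah_no_icv + ah_icv(key, ip6_hdr, ah_no_icv, payload) + payload

def verify_ah_packet(key, packet):
    """Receiver side: recompute the ICV over the received bytes and compare
    in constant time. Returns True when the packet arrived intact."""
    ip6_hdr, ah_no_icv = packet[:40], packet[40:52]
    icv, payload = packet[52:52 + AH_ICV_LEN], packet[52 + AH_ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip6_hdr, ah_no_icv, payload))

if __name__ == "__main__":
    pkt = build_ah_packet(KEY, spi=0x1000, seq=1, payload=b"\x00" * 1024)
    # A router decrementing the hop limit (byte 7) must not break authentication...
    routed = pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]
    # ...but any change to the payload must.
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])
    print(verify_ah_packet(KEY, pkt), verify_ah_packet(KEY, routed), verify_ah_packet(KEY, tampered))
```

The 1,024-byte payload matches one of the MTU settings used in Section 3; the 24 bytes of AH overhead are the same for any payload size, which is why larger packets amortise the header cost better.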

3. Performance evaluation of bulk data transmission

In this section, we evaluate the performance of bulk data transmission. The performance was evaluated with the stream data transmission and the request/response data transmission. Regarding the transport protocol, both TCP and UDP were used.

3.1 Evaluation system

The end-to-end throughput was evaluated using netperf (http://www.netperf.org/) with the KAME IPv6 protocol stack. The patch for using netperf 2.1pl3 with the KAME IPv6 stack is available from ftp://ftp.kame.net/pub/kame/misc/netperf-21pl3-19990824.diff.gz.

Figure 1 shows the configuration of the evaluation system. The end hosts are connected through two routers. All nodes have fast Ethernet interfaces. The specifications of the hosts and routers are as follows.

[Specification table: Host, Router]


Figure 1. Evaluation System

The end-to-end throughput is evaluated in the following cases.

For all cases, the performance is evaluated using both IPv6 and IPv4, and with both TCP and UDP. Two kinds of transmission are evaluated: stream data transmission and request/response data transmission. The sender host executes netserver, and the receiver host executes netperf. The data are transmitted for 60 minutes.

3.2 Evaluation results

3.2.1 TCP stream

Figure 2 shows the end-to-end throughput using IPv4, and Figure 3 shows that using IPv6. Here, the MTU size is 4,096 bytes and the socket size is 57,344 bytes or 32,768 bytes.


Figure 2. IPv4 TCP Stream


Figure 3. IPv6 TCP Stream

The end-to-end throughput is degraded by the processing of IPSec. With the AH, the end-to-end throughput degrades to about 1/2. With the ESP, the end-to-end throughput degrades to about 1/4. With both the AH and the ESP, the end-to-end throughput is slightly less than with ESP only.

Regarding the IP version, the end-to-end throughput with IPv6 is almost the same as that with IPv4.

3.2.2 UDP STREAM

Figure 4 shows the end-to-end throughput using IPv4, and Figure 5 shows that using IPv6. Here, the MTU size is 4,096 bytes or 1,024 bytes and the socket size is 32,768 bytes.


Figure 4. IPv4 UDP Stream


Figure 5. IPv6 UDP Stream

The end-to-end throughput is degraded by the processing of IPSec. With the AH, the end-to-end throughput degrades to about 1/3. With the ESP, the end-to-end throughput degrades to about 1/9. With both the AH and the ESP, the end-to-end throughput is slightly less than with ESP only. Also, when the MTU size is larger, the end-to-end throughput is slightly improved. Again, regarding the IP version, the end-to-end throughput with IPv6 is almost the same as that with IPv4.

3.2.3 REQUEST/RESPONSE

Figure 6 shows the end-to-end throughput using IPv4, and Figure 7 shows that using IPv6.


Figure 6. IPv4 Request/Response


Figure 7. IPv6 Request/Response

With TCP_RR and UDP_RR.1, the throughput with ESP is larger than the throughput with AH. With UDP_RR.2 (i.e., large message size), the throughput with ESP is smaller than the throughput with AH. And, again, regarding the IP version, the end-to-end throughput with IPv6 is almost the same as that with IPv4.

3.2.4 Discussion

3.2.4.1 STREAM data transmission

The end-to-end throughput degrades when we use IPSec because of the AH and ESP processing at the end hosts: AH performs the hash function, and ESP performs encryption.

Without applying IPSec, the end-to-end throughput over TCP is less than the end-to-end throughput over UDP. This is because TCP requires more processing power than UDP does. However, when we use IPSec, the end-to-end throughput over TCP and over UDP is almost the same. This is simple proof that the processing for IPSec is far larger than that for TCP and UDP.

When we compare the end-to-end throughput with AH and ESP, the throughput with AH is about twice that with ESP. This is because with stream data transmission, the packet size is larger than the header length (basic IP header field and AH field) and the required processing for ESP is far larger than that for AH. As shown in Figures 4 and 5, when the MTU size becomes larger, the end-to-end throughput degrades. The degradation with ESP is smaller than with AH, since AH uses only the IP packet header field and ESP uses the whole payload in the IP packet. Also, since the processing for ESP is larger than that for AH, the performance degradation from an ESP-only system to an ESP/AH system is not large.

3.2.4.2 Request/response data transmission

With request/response data transmission, the end-to-end throughput degradation from applying IPSec is less than that with stream data transmission. This is because the processing overhead for request messages is not significantly small compared to the processing overhead for IPSec, and because the packet size is not large.

4. Performance evaluation of DV data transmission

In this section, we evaluate end-to-end DV data transmission over the IPv6 network.

4.1 Evaluation system

Figure 8 shows the configuration of the evaluation system. The end hosts are connected through three routers and wide-area high-speed ATM links. The nodes have fast Ethernet interfaces and ATM interfaces. The specifications of the hosts and routers are as follows. To send and receive the DV data, we used DVTS, developed by Keio University [6].

[Specification table: Sender Host, Receiver Host, Router, ATM Link]


Figure 8. System configuration for DV data transmission

The end-to-end throughput is evaluated in the following cases.

In the evaluation system, the ATM link does not have enough bandwidth to transmit full-rate DV data. Therefore, we did not use full-rate DV transmission in the evaluation.

4.2 Evaluation results

Figures 9 and 10 show the end-to-end throughput using the experimental network shown in Figure 8.


Figure 9. Performance of DV data transmission using IPSec (packets)


Figure 10. Performance of DV data transmission using IPSec (MBytes)

As for the DV transmission, the end-to-end throughput was about 7 Mbps to 17 Mbps with IPSec. With 10 Mbps, we cannot transmit full-rate DV data. However, we can transfer the DV data by reducing the sending frame rate. DVTS, the DV transmission and receiving software module, can control the frame rate sent out from the sender node. In the evaluation, 1/10 of the video frames were transferred from the source node to the destination node so as to meet the available bandwidth of around 10 Mbps. Even with 1/10 of the video frame rate, we cannot obtain fine video quality. However, we can obtain sufficient video quality for many applications, such as video conferencing, with this reduced frame rate.

The result above shows that the existing ordinary PC platform can handle high-quality video transmission using DV technology without any special hardware assistance, even when using IPSec technology to provide secure and reliable multimedia communication. The current ordinary PC platform cannot handle plain DV data at the full frame rate while applying the IPSec functions. However, given the fast technological improvement of PC components (e.g., the CPU), it is expected that the ordinary PC platform will be able to handle full-frame-rate DV data without any special hardware.

5. Conclusion

This paper evaluated the performance of data transmission using the ordinary PC both for large data transmissions and for the actual application over the IPv6 network, using IPSec. The results show that a cost-effective multimedia Internet could be deployed using ordinary PCs.

References

[1] S. Kent, R. Atkinson, "Security Architecture for the Internet Protocol," IETF RFC 2401, November 1998.

[2] S. Kent, R. Atkinson, "IP Authentication Header," IETF RFC 2402, November 1998.

[3] S. Kent, R. Atkinson, "IP Encapsulating Security Payload (ESP)," IETF RFC 2403, November 1998.

[4] S. Deering, R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification," IETF RFC 2460, December 1998.

[5] J. Postel, "Internet Protocol," IETF RFC 791, September 1981.

[6] DVTS, http://www.sfc.wide.ad.jp/DVTS/