Industrial IoT Routers & Gateways – Under the Hood of IPsec VPN
At Cisco Live Barcelona 2018, engineers from our Industrial IoT Product Management and Customer Experience team led a lab on industrial gateways and VPN technologies. While we look forward to repeating this session at future Cisco Live events, let’s discuss the impact of VPN technology on industrial IoT router and gateway design. Smart Grid field area networks and fleets of vehicles in transportation are typical examples (among other industrial routing deployments) that rely on public communications services such as 3G/4G cellular and/or Wi-Fi. Today, industrial IoT routers and gateways not only connect remote devices and users to central operation centers, they may also process and report data in the context of a fog computing architecture.
What technologies are available to guarantee over the air data integrity, privacy and confidentiality when using public network communications? On Cisco industrial routers and gateways, we suggest configuring IPsec VPN tunnels leveraging scalable technologies such as Dynamic Multipoint VPN (DMVPN) and FlexVPN, but what are some “under the hood” characteristics you should be aware of?
Look for a powerful engine – set up a strong crypto algorithm
Recent progress in advanced quantum computing technologies impacts the resistance of cryptographic algorithms, leading to the development and implementation of newer, stronger algorithms and larger key sizes, as discussed in the Cisco Next Generation Encryption paper. Over the years, Cisco IOS has evolved to integrate the newest and strongest algorithms, but the default values may not be set to the latest ones, so the end user must edit the configuration accordingly. In more recent software releases, it was decided to drop the non-quantum-resistant encryption algorithms, integrity and PRF ciphers, changing the default value to Group 19, a lightweight elliptic curve group. Group 19 is available on all Cisco industrial routers and gateways, so make sure to configure it!
Estimate the traffic overhead – good capacity planning
From an expense and performance perspective, it is very important to know how much traffic will be sent over the air, particularly on asymmetric technologies such as 3G/4G. Running IPsec has a cost, due to the additional bytes that each packet must carry. Once again, many options are available, so it is important to understand what is required for the use case when provisioning a device. Figure 1 provides an example of the overhead for IPv4 with AH-SHA, ESP-AES and ESP-SHA-512-HMAC, considering different packet sizes and transport modes, and the resulting packet size. It may help estimate the IPsec overhead; for more information, our Customer Experience team has developed a very useful calculator tool.
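Figure 1 is not reproduced here. As an added example (not Cisco's calculator tool and not code from the original post), the following Python script models the ESP (RFC 4303), AH (RFC 4302) and AES-GCM-in-ESP (RFC 4106) packet formats so you can build the same kind of overhead table for your own packet sizes and transform sets. It goes a little beyond the three transforms named above: it also covers AES-GCM, and it reports the largest cleartext packet that still fits a given MTU without fragmentation, which matters on cellular links. The algorithm labels are the script's own (the IOS transform names they correspond to are noted in comments); IPv4 headers without options and no NAT traversal are assumed.

```python
"""Estimate the per-packet overhead IPsec adds on an IPv4 link.

Added example, not the Cisco Customer Experience calculator tool: a simplified
model of the ESP (RFC 4303), AH (RFC 4302) and AES-GCM-in-ESP (RFC 4106) packet
formats. Assumes IPv4 headers without options and no NAT traversal (NAT-T would
add an 8-byte UDP header on top of the figures below).
"""
from typing import Optional

IPV4_HEADER = 20   # IPv4 header without options
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
AH_FIXED = 12      # next header (1) + payload len (1) + reserved (2) + SPI (4) + seq (4)

# Integrity algorithms -> truncated ICV length in bytes as carried on the wire.
ICV_LEN = {
    "sha1-hmac": 12,     # HMAC-SHA-1-96   (IOS "ah-sha-hmac" / "esp-sha-hmac")
    "sha256-hmac": 16,   # HMAC-SHA-256-128
    "sha512-hmac": 32,   # HMAC-SHA-512-256 (IOS "esp-sha512-hmac")
}

# Ciphers -> (IV bytes, alignment of plaintext + trailer, ICV bytes the cipher itself adds).
CIPHERS = {
    "aes-cbc": (16, 16, 0),   # IOS "esp-aes": block cipher, needs a separate integrity transform
    "aes-gcm": (8, 4, 16),    # combined mode with a built-in 16-byte ICV (NGE recommended)
    "null": (0, 4, 0),        # ESP-NULL: integrity only, no confidentiality
}


def _pad(length: int, align: int) -> int:
    """Bytes of ESP padding needed so `length` ends on an `align`-byte boundary."""
    return (-length) % align


def esp_packet_size(ip_len: int, mode: str, cipher: str, integ: Optional[str]) -> int:
    """Wire size of a cleartext IPv4 packet of `ip_len` bytes after ESP protection."""
    iv_len, align, builtin_icv = CIPHERS[cipher]
    if builtin_icv and integ is not None:
        raise ValueError("combined-mode cipher already provides integrity")
    # Encryption without any integrity check (integ None on aes-cbc) is allowed by the
    # model but RFC 4303 says it SHOULD NOT be used; it also saves only the ICV bytes.
    icv_len = builtin_icv if integ is None else ICV_LEN[integ]
    if mode == "tunnel":
        plaintext = ip_len                  # whole inner packet is encapsulated
    elif mode == "transport":
        plaintext = ip_len - IPV4_HEADER    # only the transport payload is protected
    else:
        raise ValueError(f"unknown mode {mode!r}")
    body = plaintext + ESP_TRAILER
    body += _pad(body, align)
    # Tunnel mode adds a new outer header; transport mode keeps the original one in clear.
    return IPV4_HEADER + ESP_HEADER + iv_len + body + icv_len


def ah_packet_size(ip_len: int, mode: str, integ: str) -> int:
    """Wire size after AH protection (no encryption, whole packet authenticated)."""
    ah_len = AH_FIXED + ICV_LEN[integ]      # multiple of 4 for every ICV above, as IPv4 requires
    outer = IPV4_HEADER if mode == "tunnel" else 0
    return outer + ah_len + ip_len


def overhead_table(sizes, mode: str, cipher: str, integ: Optional[str]):
    """Rows of (cleartext size, protected size, overhead bytes, overhead %)."""
    rows = []
    for n in sizes:
        total = esp_packet_size(n, mode, cipher, integ)
        rows.append((n, total, total - n, round(100 * (total - n) / n, 1)))
    return rows


def max_clear_size(mtu: int, mode: str, cipher: str, integ: Optional[str]) -> int:
    """Largest cleartext IPv4 packet that still fits `mtu` after ESP, i.e. no fragmentation."""
    n = mtu
    while esp_packet_size(n, mode, cipher, integ) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    sizes = [64, 128, 256, 512, 1024, 1400]      # constructed sample packet sizes
    for mode in ("tunnel", "transport"):
        print(f"ESP AES-CBC + HMAC-SHA-512-256, {mode} mode")
        for n, total, extra, pct in overhead_table(sizes, mode, "aes-cbc", "sha512-hmac"):
            print(f"  {n:5d} -> {total:5d} bytes (+{extra:3d}, {pct:5.1f}%)")
        print(f"  max cleartext packet for a 1500-byte MTU: "
              f"{max_clear_size(1500, mode, 'aes-cbc', 'sha512-hmac')} bytes")
    print(f"AH HMAC-SHA-1-96, tunnel, 64-byte packet: {ah_packet_size(64, 'tunnel', 'sha1-hmac')} bytes")
```

Small packets are where the cost bites: a 64-byte packet more than doubles in size under tunnel-mode ESP with AES-CBC and SHA-512, while a 1400-byte packet grows by roughly 6%. The `max_clear_size` figure is also the value to feed into an interface or tunnel MTU / TCP MSS setting so that encapsulated packets are not fragmented on the cellular link.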
Turbo! – Hardware crypto acceleration
Knowing that every incoming and outgoing IPsec VPN packet must go through decryption or encryption before it can be forwarded, it is obvious that hardware crypto acceleration (as embedded in all Cisco industrial routers and gateways) is key to guaranteeing the desired performance. IPsec VPN always has an impact on the overall forwarding capacity. When evaluating the performance of your IoT router or gateway, always consider (and validate) the impact of the crypto algorithm you apply.
In summary, don’t compromise on security and performance in your Industrial IoT network deployment! Select the most secure algorithms, but also don’t compromise unnecessarily on performance when selecting your equipment vendor.