Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

Yun Niu,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.4304/jcp.8.2.319-325

2013-01-01

Journal of Computers

Abstract:The IP security protocol (IPSec) is an important and widely used security protocol in the IP layer. But the implementation of the IPSec is a computing intensive work which greatly limits the performance of the high speed network. In this paper, a high performance IPSec accelerator used in a 10Gbps in-line network security processor (NSP) is presented. The design integrates the protocol processing and the cryptographic processing; the transport/tunnel mode of the AH, ESP security protocols and the AES, HMAC-SHA-1 cryptographic algorithms are realized by hardware. An efficient partial crossbar data transfer skeleton with iSLIP scheduling algorithm is adopted to realize the maximum utilization of the computation resources in the accelerator. The number of AH, ESP, AES, HMAC-SHA-1 cores in the design can be configured to meet the different applications. By simulation, with 8 protocol IP-cores and 24 crypto IP-cores connected to the crossbar in the IPSec accelerator, the design gives a peak throughput for the AH protocol transport mode of 11.28Gbps at the average of 512 bytes packet length under a clock rate of 300MHz. The hardware verification is implemented on a Virtex-5 XC5VSX95T based FPGA board. Low power design methods are also used in the design to reduce the power dissipation.

Li Wang,Yun Niu,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.1109/ICSICT.2010.5667343

2010-01-01

Abstract:Design of an IPSec (Internet Protocol Security) IP-Core for 10 Gigabit Ethernet Security Processor is presented in this paper. The highest data throughput of one IPSec IP-Core can achieve 1.5Gbps. With parallel 8 IP-Cores, this design can achieve 10Gbps data process and fulfill a Gigabit Ethernet Security Processor requirement. The low power dissipation is also used in the IP-Core to reduce power dissipation.

Jinli Meng,Xinming Chen,Zhen Chen,Chuang Lin,Beipeng Mu,Lingyun Ruan

DOI: https://doi.org/10.1007/978-3-642-25283-9_3

2011-01-01

Abstract:Providing secure, reliable communications is a big challenge to guarantee confidentiality, integrity, and anti-replay protection, especially between endpoints in current Internet. As one of the popular secure communication protocol, IPsec usually limits the throughput and increases the latency due to its heavy encryption/decryption processing. In this paper, we propose a hardware solution to accelerate it. To achieve high performance processing, we have successfully designed and implemented IPsec on Cavium OCTEON 5860 multi-core network processor platform. We also compare the performance under different processing mechanisms and discover that pipleline works better than run-to-completion for different sizes of packets in our experiments. In order to achieve the best performance, we select different encryption algorithms and core numbers. Experimental results on 5860 processors show that our work achieves 20 Gbps throughput with AES128 encryption, 16 cores for 512-byte packet traffic.

Yun Niu,Liji Wu,Li Wang,Xiangmin Zhang,Jun Xu

DOI: https://doi.org/10.1109/cis.2011.154

2011-01-01

Abstract:A configurable IPSec processor for a high performance in-line network security processor that integrates two embedded 32-bit CPU cores, and an IPSec protocol processor on a SoC is presented. The IPSec processor can implement the transport/tunnel mode AH and ESP protocol of the IPSec, and support AES-128/192/256, HMAC-SHA-1 algorithm. The number of AH, ESP, AES, HMAC-SHA-1 IP-cores in the design can be configured for different use such as 10 Gigabit Ethernet and Gigabit Ethernet, even for the next generation 40/100G Network. Low power is also considered in the design. In the IPSec processor, crossbar switch architecture for multi-core data transfer is adopted. With four parallel AH, ESP, AES, HMAC-SHA-1 IP-cores separately connected to an 8x8 crossbar switch in the IPSec processor, a throughput of 1.5Gbps at 200MHz is achieved and hardware verification is implemented by FPGA. By simulation, the IPSec protocol operation can achieve 10Gbps wire speed with 32 IPSec protocol IP-cores and cryptographic IP-cores configured in the IPSec processor.

Liang CHEN,Jian WANG,Yong ZHAO

DOI: https://doi.org/10.3778/j.issn.1002-8331.1606-0006

2017-01-01

Abstract:In order to meet the security requirements of modern high bandwidth Internet application environment, an IPSec VPN architecture based on Tilera GX36 multi-core network processor is proposed, and program function modules of control plane and data plane are designed according to SDN architecture to achieve flexible security control on network traffic. To meet the security strategy retrieval performance requirement, a three-level security policy flow-table structure based on Hash algorithm is put forward, and a security policy search method is designed using security association flow-table cached on tile CPUs as fast retrieval data source. The test results show that the system can achieve the processing performance in 40 Gb/s Internet applications under the typical short, medium and long package-length circumstance.

王海欣,白国强,陈弘毅

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2010.01.034

2010-01-01

Abstract:This paper presents a high performance Network Security Processor (NSP) system architecture implementation intended for both IPSec and SSL protocol acceleration. The efficient data transfer skeleton and optimized integration scheme of the parallel crypto engine arrays lead to a Gb/s rate NSP, which is programmable with domain specific descriptor-based instructions. The descriptor-based control flow fragments large data packets and distributes them to the parallel crypto engine arrays to fully utilize the computation resources and improve the overall system data throughput. The design synthesized with SMIC 0.13 μm CMOS technology gives a peak throughput for the IPSec ESP tunnel mode of 1.651 Gb/s with over 1000 s-1 full SSL handshakes at a clock rate of 200 MHz.

Yun Niu,Li-ji Wu,Yang Liu,Xiang-min Zhang,Hong-yi Chen

DOI: https://doi.org/10.1631/jzus.c1200370

2013-01-01

Journal of Zhejiang University SCIENCE C

Abstract:This paper deals with an in-line network security processor (NSP) design that implements the Internet Protocol Security (IPSec) protocol processing for the 10 Gbps Ethernet. The 10 Gbps high speed data transfer, the IPSec processing including the crypto-operation, the database query, and IPSec header processing are integrated in the design. The in-line NSP is implemented using 65 nm CMOS technology and the layout area is 2.5 mm×3 mm with 360 million gates. A configurable crossbar data transfer skeleton implementing an iSLIP scheduling algorithm is proposed, which enables simultaneous data transfer between the heterogeneous multiple cores. There are, in addition, a high speed input/output data buffering mechanism and design of high performance hardware structures for modules, wherein the transfer efficiency and the resource utilization are maximized and the IPSec protocol processing achieves 10 Gbps line speed. A high speed and low power hardware look-up method is proposed, which effectively reduces the area and power dissipation. The post simulation results demonstrate that the design gives a peak throughput for the Authentication Header (AH) transport mode of 10.06 Gbps with the average test packet length of 512 bytes under the clock rate of 250 MHz, and power dissipation less than 1 W is obtained. An FPGA prototype is constructed to verify the function of the design. A test bench is being set up for performance and function verification.

Haixin Wang,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1007/s11265-009-0371-2

2009-01-01

Journal of Signal Processing Systems

Abstract:This paper presents a high performance Network Security Processor (NSP) system architecture implementation intended for both Internet Protocol Security (IPSec) and Secure Socket Layer (SSL) protocol acceleration, which are widely employed in Virtual Private Network (VPN) and e-commerce applications. The efficient data transfer skeleton and optimized integration scheme of the parallel crypto engine arrays lead to a Gbps rate NSP, which is programmable with domain specific descriptor-based instructions for Gbps throughput IPSec and SSL applications. The descriptor-based control flow fragments large data packets and distributes them to the parallel crypto engine arrays, which fully utilizes the computation resources and improves the overall system data throughput. A prototyping platform for this NSP design is implemented with Xilinx XC3S5000 based FPGA chip set. Results show that the design gives a peak throughput for the IPSec ESP tunnel mode of 1.851 Gbps with over 1600 full SSL handshakes per second at a clock rate of 150 MHz.

Weiming Li,Zhitang Li,Yunfeng Xie

DOI: https://doi.org/10.1117/12.688171

2006-01-01

Abstract:IPSec (IP Security) provides a standard, robust, and extensible mechanism in which to provide security to IP and upper-layer protocols. But the encryption and message authentication services provided by IPsec require significant computation time. Consequently, IPsec can degrade performance obviously. The paper presents a parallel hardware structure of high performance IPSec VPN gateway to speed up the IPSec packets process, and introduces the IPSec software design in detail includes modified FreeS/WAN IPSec implementation and extended Internet Key Exchange protocol. The result of network performance test proves that the structure can fulfill the need of gigabit fast network. The paper also proposes multiple small packets assembling algorithm which is used to accelerate small packets process. The algorithm significantly improves the performance of small packets.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

BAI Jun-feng,DENG Zu-pu

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.04.093

2011-01-01

Abstract:Considering the difficulties for traditional IPSec Virtual Private Dial-Up Network(VPDN) to handle new network applications,this paper proposes a novel implementation of IPSec VPDN within the multi-core system framework.By performing load balancing among multiple processors and improving the compatibility of executable codes,it can further enhance the processing capacity of IPSec VPDN.Experimental results demonstrate the efficient implementation.

YAO Jun-Xi,LIANG Gang,GONG Xun,HAN Zhong-Qiu

DOI: https://doi.org/10.3969/j.issn.0490-6756.2010.02.010

2010-01-01

Abstract:Requirements for a high-quality Intrusion Prevention System(IPS)are becoming more and more demanding with the wide use of high speed Ethernet and increasing complexity of network intrusion. By the analysis of the working principles in the traditional IPS,a improved IPS based on the multicore processor is designed and implemented.In this system,multicore processing units are divided into groups among which the data can be transmitted by building shared cache queues.In this way,IPS can work parallelized with a multicore processor.The results of our experiments demonstrate that the efficiency is greatly enhanced and that the packet loss ratio decreases.

Haixin Wang,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1109/asap.2008.4580160

2010-01-01

International Journal of Electronics

Abstract:The last few years have seen many significant progresses in the field of application-specific processors. One exemplar is Network Security Processors (NSPs) that perform various cryptographic operations specified by network security protocols and help to offload the computation intensive burdens from Network Processors (NPs). This paper proposes a high-performance NSP intended for both IPSec and SSL protocols acceleration. With a programmable descriptor-based instruction set architecture, the novel design of system architecture leads to a Gbps rate NSP named Zodiac, which is programmable with domain specific instructions for Gbps throughput IPSec and SSL applications. Synthesized with a 0.18 mum CMOS technology, the peak throughput of IPSec ESP tunnel mode can reach up to 1.651 Gbps and over 1000 full SSL handshakes per second are attainable.

Zhitang Li,Ren Jie-lin,Tu Fan

2006-01-01

Abstract:Because the traditional architecture of IPSec was deficient in the performance, a paralleled architecture of IPSec based on CompactPCI with more than one computer and a single card was proposed. After analyzing the paralleled architecture of CompactPCI, the encrypting algorithms of multi-cards and load balance of multi-host, a new design of IPsec paralled architecture on CompactPCI was implemented. At last,the performance of transferring data using paralleled architecture of IPSec were introduced and analyzed.

ZHOU Jie,MU De-jun,SONG Li-jun

DOI: https://doi.org/10.3969/j.issn.1000-8829.2011.09.016

2011-01-01

Abstract:An improved hardware unit based on field programmable gate array(FPGA) is proposed to promote processing speed.The mixcolumn module is optimized based on the analysis of AES and the system hardware resources are reduced.Moreover,two-stage pipeline is built.Therefore,key route is shortened further.The simulation and test results show that AES core could operate stably at 100 MHz and throughout rate increases by 50%,reaching 1.24 Gb/s.Processing speed of the IPSec is improved greatly,which can meet data transmitting requirement on Gigabit Ethernet.

Rourab Paul,Amlan Chakrabarti,Ranjan Ghosh

DOI: https://doi.org/10.48550/arXiv.1410.7560

2014-10-28

Abstract:In this paper a pipelined architecture of a high speed network security processor (NSP) for SSL,TLS protocol is implemented on a system on chip (SOC) where hardware information of all encryption, hashing and key exchange algorithms are stored in flash memory in terms of bit files, in contrary to related works where all are actually implemented in hardware. The NSP finds applications in e-commerce, virtual private network (VPN) and in other fields that require data confidentiality. The motivation of the present work is to dynamically execute applications with stipulated throughput within budgeted hardware resource and power. A preferential algorithm choosing an appropriate cipher suite is proposed, which is based on Efficient System Index (ESI) budget comprising of power, throughput and resource given by the user. The bit files of the chosen security algorithms are downloaded from the flash memory to the partial region of field programmable gate array (FPGA). The proposed SOC controls data communication between an application running in a system through a PCI and the Ethernet interface of a network. Partial configuration feature is used in ISE14.4 suite with ZYNQ 7z020-clg484 FPGA platform. The performances

Hardware Architecture

Yang Xiang,Daxin Tian

DOI: https://doi.org/10.4018/978-1-60566-661-7.ch037

2010-01-01

Abstract:Network security applications such as intrusion detection systems (IDSs), firewalls, anti-virus/spyware systems, anti-spam systems, and security visualisation applications are all computing-intensive applications. These applications all heavily rely on deep packet inspection, which is to examine the content of each network packet’s payload. Today these security applications cannot cope with the speed of broadband Internet that has already been deployed, that is, the processor power is much slower than the bandwidth power. Recently the development of multi-core processors brings more processing power. Multi-core processors represent a major evolution in computing hardware technology. While two years ago most network processors and personal computer microprocessors had single core configuration, the majority of the current microprocessors contain dual or quad cores and the number of cores on die is expected to grow exponentially over time. The purpose of this chapter is to discuss the research on using multi-core technologies to parallelize deep packet inspection algorithms, and how such an approach will improve the performance of deep packet inspection applications. This will eventually provide a security system the capability of real-time packet inspection thus significantly improve the overall status of security on current Internet infrastructure.

Wenzhong Guo

2008-01-01

Computer Science

Abstract:VPN gateway is important in high-speed network security.To resolve the problem that is low-speed or low-flexibility based on X86 CPU and ASIC,proposed high-speed IPSec VPN design based on IXP2400.The simulation environment experiment proved that the new VPN gateway is high-speed over 1.0Gbps.And it supplies a new approach to design high-speed VPN gateway system.

Yang Liu,Liji Wu,Yun Niu,Xiangmin Zhang,Zhiqiang Gao

DOI: https://doi.org/10.1109/CIS.2012.60

2012-01-01

Abstract:10Gbps Ethernet Security Processor is very important in future network telecommunication. In order to meet the performance of ultra high throughput of 10Gbps ESP, An architecture of multiple SHA-1 IP cores paralleled based crossbar switch are proposed in this paper. Firstly, An ultra high throughput, low power consumption SHA-1 algorithm IP-core are designed, then, an effective scheduling architecture with SHA-1 IP cores are proposed in this paper. In our simulation with SMIC 65nm, the throughput of single IP core could reach to 4.27Gbps in the frequency of 400Mhz. Verification are based on Xilinx Virtex FPGA, 1943 slices LUTs are used for each SHA-1 IP core. By using this crossbar architecture, the number of SHA-1 IP cores used in 10Gbps Network Security Processor could decrease to four, which decrease the total area and power consumption of Network Security Processor significantly.