Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

Song Wang,Hongbing Lv

DOI: https://doi.org/10.1109/iccps.2011.6089933

2011-01-01

Abstract:In the existing IPSec architecture, in which tunnel is built in kernel, the number of concurrent tunnels is restricted by IP address configured on the machine and user can not control the process of establishing tunnel. This brings inconvenience when we use personal computer to measure the performance parameters of VPN Gateway (e.g. the maximum number of concurrent tunnels and the maximum rate of the new tunnels built). In order to solve this problem, this paper presents a novel IPSec multi-tunnels concurrent architecture which uses distributed objects to build tunnels in user space. The architecture privodes one Console which are used to control all AgentNodes and multiple AgentNodes which are used to build tunnels. In AgentNode, the negotiation processing of tunnels, the IPSec processing of packets and the protocol processing of TCP/IP are all completed in user space by objects. Meanwhile, AgentNode uses virtual IP address instead of local IP address to negotiate tunnel and the number of concurrent tunnels will be unlimited (only limited by memory). Moreover, based on distributed architecture, the number of AgentNode can be arbitrarily extended. Therefore, the system has a great deal of flexibility on the number of concurrent tunnels and the rate of tunnel establishment, which helps to accurately measure the performance parameters of VPN Gateway.

陆敏锋,平玲娣,李卓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.03.051

2010-01-01

Abstract:Aiming at the problem that the IPSec-based VPN product, this paper designs and achieves a IPSec-based VPN test system running on the Linux platform. This paper introduces the IPSec protocol and its architecture, and presents the design and achievement of the test system through analyzing the principle of the IPSec protocol. Experiment result shows that this test system is feasible and effective.

HU Ning,WANG Yongjun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.05.035

2006-01-01

Abstract:This article summarizes the implementation framework of the IPSec protocol,and then describes the main mechanism of network processor such as tree search engine.Finally,it discusses the IPSec protocol key component’s implementation using network processor and gives a conclusion.

ZHANG Ling-ling,PAN Xue-zeng,CUI Yu-zeng

2005-01-01

Abstract:Comparing the difference between IKEv2 and IKE,the advantages of IKEv2 on the complex of the implementation and the low delay were analyzed.The message exchange and the generation of various keys of IKEv2 was introduced, an implementation approach of IKEv2 using the security coprocessor were proposed.This implementation can accelerate the process of key generation,message encryption and integrity verify check.

ge qingeng,wang haihang,tan chengxiang

DOI: https://doi.org/10.3321/j.issn:1002-8331.2002.10.055

2002-01-01

Abstract:As one main research focus of network security,VPN puts forward a new solution of network-layer security architecture,and VPN based on the IPSec become more and more popular.In this paper,IPSec protocol architecture and Linux kernel structure are studied carefully.Then the paper presents the scheme of designing and implementing IPSec on the Linux-making changes to TCP/IP stack of Linux and implementing IPSec there.Also the key technique to accomplish this system is discussed in the paper in detail.

Liang CHEN,Jian WANG,Yong ZHAO

DOI: https://doi.org/10.3778/j.issn.1002-8331.1606-0006

2017-01-01

Abstract:In order to meet the security requirements of modern high bandwidth Internet application environment, an IPSec VPN architecture based on Tilera GX36 multi-core network processor is proposed, and program function modules of control plane and data plane are designed according to SDN architecture to achieve flexible security control on network traffic. To meet the security strategy retrieval performance requirement, a three-level security policy flow-table structure based on Hash algorithm is put forward, and a security policy search method is designed using security association flow-table cached on tile CPUs as fast retrieval data source. The test results show that the system can achieve the processing performance in 40 Gb/s Internet applications under the typical short, medium and long package-length circumstance.

Zhao Da-yuan,Jiang Yi-xin,Lin Chuang,Li Yan-xi

DOI: https://doi.org/10.1007/bf02828626

2005-01-01

Wuhan University Journal of Natural Sciences

Abstract:We mainly explore two problems when combining IPSec module into TCP/IP stack by porting the famous IPSec software (FreeS/WAN) into a security gateway. One is how to implement the IPSec module based on Netfilter in Linux 2.4. x kernel. The other problem is the performance evaluation. We test the throughput of our security gateway before and after applying IPSec with different encryption/decryption algorithms, including the software-based and hardware-based method. With these testing data, we analyze further system performance bottleneck. In the end, we also infer the quantitative relation between the system throughput and the speed of encryption/decryption algorithm and propose some valuable conclusions for improving performance.

Hang Liu

2007-01-01

Abstract:After analyzing the principles of IPSec data processing, a proposal that the control plane tasks in IPSec was processed by host processor, as well as the data plane tasks by slave processor was put forward. Based on S3C2510 network processor and μCLinux operating system, the embedded IPSec VPN gateway system was also implemented.

吴越,疏朝明,卜勇华,胡爱群,毕光国

DOI: https://doi.org/10.3321/j.issn:1000-436x.2003.08.025

2003-01-01

Abstract:This paper has an overall research on security communication mechanism for IPSec based Virtual Private Network,discusses fundamental principles of various security service such as data origin authentication,integrity protection,anti-replay protection and their software implementation,illustrates the details of the security key exchange mechanism on non-secure public IP based network through a set of parameters negotiation,then presents a software implementation of Client/Server model WN key exchange upon LINUX operation system ,at last it gives IPSec security analysis and prospective view of the future research.

Zhitang Li,Ren Jie-lin,Tu Fan

2006-01-01

Abstract:Because the traditional architecture of IPSec was deficient in the performance, a paralleled architecture of IPSec based on CompactPCI with more than one computer and a single card was proposed. After analyzing the paralleled architecture of CompactPCI, the encrypting algorithms of multi-cards and load balance of multi-host, a new design of IPsec paralled architecture on CompactPCI was implemented. At last,the performance of transferring data using paralleled architecture of IPSec were introduced and analyzed.

YAO Jun-Xi,LIANG Gang,GONG Xun,HAN Zhong-Qiu

DOI: https://doi.org/10.3969/j.issn.0490-6756.2010.02.010

2010-01-01

Abstract:Requirements for a high-quality Intrusion Prevention System(IPS)are becoming more and more demanding with the wide use of high speed Ethernet and increasing complexity of network intrusion. By the analysis of the working principles in the traditional IPS,a improved IPS based on the multicore processor is designed and implemented.In this system,multicore processing units are divided into groups among which the data can be transmitted by building shared cache queues.In this way,IPS can work parallelized with a multicore processor.The results of our experiments demonstrate that the efficiency is greatly enhanced and that the packet loss ratio decreases.

XU Ming-liang,TAN Cheng-xiang,WANG Hai-hang

DOI: https://doi.org/10.3969/j.issn.1671-0428.2007.11.014

2007-01-01

Abstract:Virtual Private Network(VPN) is an important technique transfer private information under public networks. It can set up a temporary but safe connection to a public network (normally an internet) by data packing and encrypted transferring, and then achieve the aim of transferring private information on public network. Recently, two technologies are mainly used by enterprise to set up internal VPN: IPSec VPN and SSL VPN. This paper introduces the concept of IPSec technique and describes IPSec protocol architecture, communication steps, and finally discusses implementation of VPN based on IPSec by Openswan in detail.

Jinli Meng,Xinming Chen,Zhen Chen,Chuang Lin,Beipeng Mu,Lingyun Ruan

DOI: https://doi.org/10.1007/978-3-642-25283-9_3

2011-01-01

Abstract:Providing secure, reliable communications is a big challenge to guarantee confidentiality, integrity, and anti-replay protection, especially between endpoints in current Internet. As one of the popular secure communication protocol, IPsec usually limits the throughput and increases the latency due to its heavy encryption/decryption processing. In this paper, we propose a hardware solution to accelerate it. To achieve high performance processing, we have successfully designed and implemented IPsec on Cavium OCTEON 5860 multi-core network processor platform. We also compare the performance under different processing mechanisms and discover that pipleline works better than run-to-completion for different sizes of packets in our experiments. In order to achieve the best performance, we select different encryption algorithms and core numbers. Experimental results on 5860 processors show that our work achieves 20 Gbps throughput with AES128 encryption, 16 cores for 512-byte packet traffic.

Jing Tao,Baosheng Wang

DOI: https://doi.org/10.1109/IMIS.2011.110

2011-01-01

Abstract:IPSec is a protocol commonly used in Internet, and in fact it has been the standard for secure communication in Internet-based communications. Therefore, it is very important to design and implement the IPSec protocol in network systems. However, in challenged networks, it is challenging to implement practical IPSec protocols. In this paper, we propose VCI, a framework to implement IPSec over Challenged networks. We discuss the two key techniques in VCI, namely channel virtualization and packet fragment/assembling. As an instance, we also provide the implementation details for VCI in lwIP, a lightweight TCP/IP suite commonly used in embedded systems.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Tiantian Cai,Lin Fan,Siliang Suo,Hao Yao,Ganyang Jian,W. Xi

DOI: https://doi.org/10.1109/ITNEC.2019.8729305

2019-03-15

Abstract:The target of security protection of the power distribution automation system (the distribution system for short) is to ensure the security of communication between the distribution terminal (terminal for short) and the distribution master station (master system for short). The encryption and authentication gateway (VPN gateway for short) for distribution system enhances the network layer communication security between the terminal and the VPN gateway. The distribution application layer encryption authentication device (master cipher machine for short) ensures the confidentiality and integrity of data transmission in application layer, and realizes the identity authentication between the master station and the terminal. All these measures are used to prevent malicious damage and attack to the master system by forging terminal identity, replay attack and other illegal operations, in order to prevent the resulting distribution network system accidents. Based on the security protection scheme of the power distribution automation system, this paper carries out the development of multi-chip encapsulation, develops IPSec Protocols software within the security chip, and realizes dual encryption and authentication function in IP layer and application layer supporting the national cryptographic algorithm.

Engineering,Computer Science

YANG Li-bin,MU De-jun,CAI Xiao-yan,LIU Hang

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.04.037

2007-01-01

Computer Engineering and Applications Journal

Abstract:With increasing requirements of network applications,software data encryption/decryption for VPN gateway becomes bottleneck of the processing speeds.In this paper,a novel architecture for embedded VPN Gateway based on network processor,coupled with Cryptography card is proposed.The main idea is that the significant and computing intensive portion of the computation,such as encryption/decryption and hash calculation of IPSec data,are implemented by the hardware Cryptography card,while the network processor is dedicated to encapsulating IPSec data.The experimental results show that the architecture can work steadily and has a good performance in high speed.

王作芬,王芙蓉,黄本雄

DOI: https://doi.org/10.3969/j.issn.1000-3428.2001.06.050

2001-01-01

Abstract:IPSec is the key technology of VPN. Based on security, the paper first describes the basic conception of VPN, then analyzes the IPSec tunneling technology in detail, and presents its architecture and implementation approach. Finally we discuss its application on VPN and some key technologies in future.