Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

陆敏锋,平玲娣,李卓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.03.051

2010-01-01

Abstract:Aiming at the problem that the IPSec-based VPN product, this paper designs and achieves a IPSec-based VPN test system running on the Linux platform. This paper introduces the IPSec protocol and its architecture, and presents the design and achievement of the test system through analyzing the principle of the IPSec protocol. Experiment result shows that this test system is feasible and effective.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

顾文婷,潘雪增,楼学庆,郑斯琦

DOI: https://doi.org/10.3778/j.issn.1002-8331.2009.36.023

2009-01-01

Computer Engineering and Applications Journal

Abstract:The complex semantics of IPsec policies increase the difficulty of VPN performance evaluation,lack of framework in performance analysis of IPsec VPN cannot guarantee the effectiveness of evaluation,to solve this issue,a model of VPN performance evaluation based on IPsec security policy is presented.The model constructs a flexible VPN environment,maintains a volume of IPsec security policies which set the measure to VPN performance,compiles statistics in parallel based on concurrency control of multi-thread.At last,experiment is carried on to verify the reliability and the feasibility of this model.

Yan Jiang,Jing Huang,Yunsong Fan,Xiaobin Zhu

DOI: https://doi.org/10.13052/jcsm2245-1439.1345

2024-06-14

Journal of Cyber Security and Mobility

Abstract:With the development of Internet of Things technology, the security threats faced by the industrial control field are increasing, and strengthening the security protection capabilities of intelligent systems on IoT highways is becoming increasingly important. IPSec VPN tunneling technology can achieve identity authentication and encrypted data transmission, and is an important means to achieve secure data transmission in intelligent systems on Expressway intelligent tunnel system. The commonly used IPSec VPN gateway uses a traditional Linux protocol stack-based approach for data capture, which requires multiple data copies and context switching, resulting in low efficiency of IPSec services. In addition, the commonly used IPSec VPN security gateway is implemented on the basis of the open-source IPSec framework, using internationally recognized algorithms for encryption and decryption, which poses security risks. This article is based on the IPSec protocol, and studies the high-speed network packet capture framework PFRING technology, the fusion technology of national secret algorithm and IPSec protocol. It designs and implements an IPSec VPN IoT security gateway based on national secret algorithm. After experimental verification, the IPSec VPN gateway system constructed in this article has complete functions and better performance than the common open-source IPSec frameworks OpenSwan and strongSwan, and can meet the application requirements of IoT data encryption transmission.

ZHANG Ling-ling,PAN Xue-zeng,CUI Yu-zeng

2005-01-01

Abstract:Comparing the difference between IKEv2 and IKE,the advantages of IKEv2 on the complex of the implementation and the low delay were analyzed.The message exchange and the generation of various keys of IKEv2 was introduced, an implementation approach of IKEv2 using the security coprocessor were proposed.This implementation can accelerate the process of key generation,message encryption and integrity verify check.

Hua Jiang,Qingrui Wang,Gang Zhang,Jinpo Fan

DOI: https://doi.org/10.1088/1742-6596/1176/4/042007

2019-03-01

Journal of Physics: Conference Series

Abstract:IPSec VPN is a virtual private network technology implemented using the IPSec protocol. Aiming at the problem that the national secret algorithm is relatively less applied to network security products, a gateway based on Openwrt system equipment is designed. The OpenWRT system includes the complete strongswan software, making it easy to set up a VPN. The design replaces the aes algorithm, the sha256 algorithm and the ECDSA algorithm used in the IPSec VPN in the StrongSwan source code with the SM4, SM3 and SM2 algorithms respectively, and replaces the ECDSA-SHA256 certificate with the SM2-SM3 certificate according to the X509 certificate standard to achieve the national secret standard. The SM4, SM3 and SM2 algorithms are provided by the SSX0912 encryption chip, and the certificate is placed in the SSX0912 encryption chip for dense storage. It is proved that the scheme is completely feasible, and the IPSec VPN that can be realized can run stably for a long time and has high practical value. By setting up the development environment test, the gateway runs stably, has small delay, and has higher security, and the device has high communication speed, small occupation volume, high flexibility, and strong specificity.

沈燕然,张青山,王新,薛向阳

2008-01-01

Abstract:Development of IPv6 networks brought the need of secure communication between private networks and different kind of personal devices.Secure and scalable communication protection scheme is required.While IPSec-VPN is a popular solution,it has several drawbacks such as forced requirement of accessor's knowledge about VPN gateways.In this paper,we proposed a new IPSec-VPN packaging mode-hybrid mode,and gave the implementation of it using Linux kernel netfiltering scheme.Applications show that the hybrid-mode IPSec-VPN works well for different VPN topologies and makes VPN gateways transparent to users.

杜全文,潘雪增,平玲娣

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.09.039

2002-01-01

Abstract:It is necessary to implement IKE protocol when using IPSec protocol to ensure IP security.This paper describes how to implement a typical IKE message exchange by multithread in detail.

Song Wang,Hongbing Lv

DOI: https://doi.org/10.1109/iccps.2011.6089933

2011-01-01

Abstract:In the existing IPSec architecture, in which tunnel is built in kernel, the number of concurrent tunnels is restricted by IP address configured on the machine and user can not control the process of establishing tunnel. This brings inconvenience when we use personal computer to measure the performance parameters of VPN Gateway (e.g. the maximum number of concurrent tunnels and the maximum rate of the new tunnels built). In order to solve this problem, this paper presents a novel IPSec multi-tunnels concurrent architecture which uses distributed objects to build tunnels in user space. The architecture privodes one Console which are used to control all AgentNodes and multiple AgentNodes which are used to build tunnels. In AgentNode, the negotiation processing of tunnels, the IPSec processing of packets and the protocol processing of TCP/IP are all completed in user space by objects. Meanwhile, AgentNode uses virtual IP address instead of local IP address to negotiate tunnel and the number of concurrent tunnels will be unlimited (only limited by memory). Moreover, based on distributed architecture, the number of AgentNode can be arbitrarily extended. Therefore, the system has a great deal of flexibility on the number of concurrent tunnels and the rate of tunnel establishment, which helps to accurately measure the performance parameters of VPN Gateway.

Yun Niu,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.4304/jcp.8.2.319-325

2013-01-01

Journal of Computers

Abstract:The IP security protocol (IPSec) is an important and widely used security protocol in the IP layer. But the implementation of the IPSec is a computing intensive work which greatly limits the performance of the high speed network. In this paper, a high performance IPSec accelerator used in a 10Gbps in-line network security processor (NSP) is presented. The design integrates the protocol processing and the cryptographic processing; the transport/tunnel mode of the AH, ESP security protocols and the AES, HMAC-SHA-1 cryptographic algorithms are realized by hardware. An efficient partial crossbar data transfer skeleton with iSLIP scheduling algorithm is adopted to realize the maximum utilization of the computation resources in the accelerator. The number of AH, ESP, AES, HMAC-SHA-1 cores in the design can be configured to meet the different applications. By simulation, with 8 protocol IP-cores and 24 crypto IP-cores connected to the crossbar in the IPSec accelerator, the design gives a peak throughput for the AH protocol transport mode of 11.28Gbps at the average of 512 bytes packet length under a clock rate of 300MHz. The hardware verification is implemented on a Virtex-5 XC5VSX95T based FPGA board. Low power design methods are also used in the design to reduce the power dissipation.

Raik Niemann,Udo Pfingst,Richard Göbel

DOI: https://doi.org/10.48550/arXiv.1502.05487

2015-02-19

Abstract:Since GNU/Linux became a popular operating system on computer network routers, its packet routing mechanisms attracted more interest. This does not only concern 'big' Linux servers acting as a router but more and more small and medium network access devices, such as DSL or cable access devices. Although there are a lot of documents dealing with high performance routing with GNU/Linux, only a few offer experimental results to prove the given advices. This study evaluates the throughput performance of Linux' routing subsystem netfilter under various conditions like different data transport protocols in combination with different IP address families and transmission strategies. Those conditions were evaluated with two different types of netfilter rules for a high number in the rule tables. In addition to this, our experiments allowed us to evaluate two prominent client connection handling techniques (threads and the epoll() facility). The evaluation of the 1.260 different combinations of our test parameters shows a nearly linear but small throughput loss with the number of rules which is independant from the transport protocol and framesize. However, this evaluation identifies another issue concerning the throughput loss when it comes to the address family, i.e. IPv4 and IPv6.

Networking and Internet Architecture

Jinli Meng,Xinming Chen,Zhen Chen,Chuang Lin,Beipeng Mu,Lingyun Ruan

DOI: https://doi.org/10.1007/978-3-642-25283-9_3

2011-01-01

Abstract:Providing secure, reliable communications is a big challenge to guarantee confidentiality, integrity, and anti-replay protection, especially between endpoints in current Internet. As one of the popular secure communication protocol, IPsec usually limits the throughput and increases the latency due to its heavy encryption/decryption processing. In this paper, we propose a hardware solution to accelerate it. To achieve high performance processing, we have successfully designed and implemented IPsec on Cavium OCTEON 5860 multi-core network processor platform. We also compare the performance under different processing mechanisms and discover that pipleline works better than run-to-completion for different sizes of packets in our experiments. In order to achieve the best performance, we select different encryption algorithms and core numbers. Experimental results on 5860 processors show that our work achieves 20 Gbps throughput with AES128 encryption, 16 cores for 512-byte packet traffic.

Haixin Wang,Guoqiang Bai,Hongyi Chen

DOI: https://doi.org/10.1007/s11265-009-0371-2

2009-01-01

Journal of Signal Processing Systems

Abstract:This paper presents a high performance Network Security Processor (NSP) system architecture implementation intended for both Internet Protocol Security (IPSec) and Secure Socket Layer (SSL) protocol acceleration, which are widely employed in Virtual Private Network (VPN) and e-commerce applications. The efficient data transfer skeleton and optimized integration scheme of the parallel crypto engine arrays lead to a Gbps rate NSP, which is programmable with domain specific descriptor-based instructions for Gbps throughput IPSec and SSL applications. The descriptor-based control flow fragments large data packets and distributes them to the parallel crypto engine arrays, which fully utilizes the computation resources and improves the overall system data throughput. A prototyping platform for this NSP design is implemented with Xilinx XC3S5000 based FPGA chip set. Results show that the design gives a peak throughput for the IPSec ESP tunnel mode of 1.851 Gbps with over 1600 full SSL handshakes per second at a clock rate of 150 MHz.

Muhammad Ali Said,Erwid M Jadied,Setyorini ‏‏‎ ‏‏‎ Setyorini‏‏‎

DOI: https://doi.org/10.47065/bits.v4i2.1836

2022-09-22

Abstract:Dynamic Multipoint Virtual Private Network (DMVPN) technology is one of Cisco's solutions to overcome the limitations of VPN scalability. DMVPN has a combination of components: Next hop resolution protocol (NHRP), Multipoint Generic Routing Encapsulation (mGRE) and Routing protocol. This research implements a simple network consisting of Hub, Spoke1, Spoke2, Lan1, Lan2 and Lan3 using the GNS3 simulator. This study compares the performance of IPSec and without IPsec on DMVPN using the BGP Routing protocol on performance parameters namely delay, throughput, jitter and packet loss to evaluate the security impact of the DMVPN network. The results of this study indicate that IPSec DMVPN has an effect on sending UDP packets which have a throughput value without IPSec of 5082.18 kbit/s while IPSec's throughput is 5034.40 kbit/s. The value of packet loss without IPSec has a value of 7.54% while IPSec has a value of 4.79%. The results of the jitter value have the same value. The delay value without IPSec has a value of 0.183s while the IPSec delay value is 0.410s. TCP packet delivery has a throughput value without IPSec is 1139.16 kbit/s while the IPSec throughput value is 1105.20 kbit/s. The results of the packet loss value and the jitter value have the same value. The delay value without IPSec has a value of 0.185s while the IPSec delay value is 0.187s.

LI Kai,XUE Yi-bo,WANG Chun-lu,WANG Dong-sheng

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.09.018

2006-01-01

Abstract:The Gigabit Network IPS(Intrusion Prevention System)is strongly required with the popularization of Gigabit Ethernet and the complication of network intrusion behavior.The key technologies of Gigabit Network IPS are introduced in this paper,and a new total solution of Gigabit Network IPS is addressed,then the detailed design and implementation of a hardware platform for high-speed packet processing is presented,and its work flow is analyzed,finally,the test performance of the system and its performance evaluation is also provided.

Tiantian Cai,Lin Fan,Siliang Suo,Hao Yao,Ganyang Jian,W. Xi

DOI: https://doi.org/10.1109/ITNEC.2019.8729305

2019-03-15

Abstract:The target of security protection of the power distribution automation system (the distribution system for short) is to ensure the security of communication between the distribution terminal (terminal for short) and the distribution master station (master system for short). The encryption and authentication gateway (VPN gateway for short) for distribution system enhances the network layer communication security between the terminal and the VPN gateway. The distribution application layer encryption authentication device (master cipher machine for short) ensures the confidentiality and integrity of data transmission in application layer, and realizes the identity authentication between the master station and the terminal. All these measures are used to prevent malicious damage and attack to the master system by forging terminal identity, replay attack and other illegal operations, in order to prevent the resulting distribution network system accidents. Based on the security protection scheme of the power distribution automation system, this paper carries out the development of multi-chip encapsulation, develops IPSec Protocols software within the security chip, and realizes dual encryption and authentication function in IP layer and application layer supporting the national cryptographic algorithm.

Engineering,Computer Science

周立峰,周昕,金志权

DOI: https://doi.org/10.3969/j.issn.1001-3695.2002.05.021

2002-01-01

Abstract:In this article, we present some rationale and key technology relevant to the im plementation of VPN based on IPSec, then two kinds of typical implementation are described.

CHEN Zhi-xiang,LU Yin,LU Sang-lu,CHEN Dao-xu

2007-01-01

Journal of Computer Applications

Abstract:This paper described the design of a security gateway based on protocol translation in IPv4-IPv6 hybrid network, and implemented a security gateway prototype system based on Linux 2.6 kernel netfilter framework. The prototype system tracks up-layer UDP/TCP connections based on protocol translation and it performs hybrid end-to-end access control policies. Experimental testing results indicate that it has small latency during end-to-end packet transmission and may satisfy the needs of enterprise networking.