Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

Yunhe Zhang,Zhitang Li,Song Mei,Cai Fu

DOI: https://doi.org/10.1109/MUE.2009.89

2009-01-01

Abstract:IPSec VPN is commonly used to implement secure communications between different branch intranets over public networks. Multi-link aggregate IPSec VPN can make better use of multiple physical links of corporation. On the basis of analysis on the insufficiency of packet-based scheduling, a session-based tunnel scheduling model for multi-link aggregate IPSec VPN is proposed. The new model can distribute IPSec traffics over multiple tunnels negotiated on different physical links in unit of session. A prototype system of the new model which adopts Netfilter mechanism is implemented on Linux platform. Analysis on the test result for the prototype system shows that the new model can work effectively, the cost of scheduling is controllable and the performance of model is acceptable.

Haichun Gao

2004-01-01

Abstract:The constant development of VPN service brings a lot of challenge toVPN management,this paper presents one kind of computer techniques-multi-agent technique to manage VPN. The technique possesses features of intelligence,cooperation,flexibility and expansion etc. It can solve problems of different network architectures and different network service providers. Both client and service provider will win together. This multi-agent based computer technique is very important for solving these problems.

Weiming Li,Zhitang Li,Yunfeng Xie

DOI: https://doi.org/10.1117/12.688171

2006-01-01

Abstract:IPSec (IP Security) provides a standard, robust, and extensible mechanism in which to provide security to IP and upper-layer protocols. But the encryption and message authentication services provided by IPsec require significant computation time. Consequently, IPsec can degrade performance obviously. The paper presents a parallel hardware structure of high performance IPSec VPN gateway to speed up the IPSec packets process, and introduces the IPSec software design in detail includes modified FreeS/WAN IPSec implementation and extended Internet Key Exchange protocol. The result of network performance test proves that the structure can fulfill the need of gigabit fast network. The paper also proposes multiple small packets assembling algorithm which is used to accelerate small packets process. The algorithm significantly improves the performance of small packets.

Yun-he Zhang,Zhi-tang Li,Mei-zhen Wang,Ling Xiao

DOI: https://doi.org/10.1109/etcs.2009.639

2009-01-01

Abstract:Internet has become the universal information communications infrastructure. VPN is commonly used to implement communications over different branch intranets. IPSec is a suit of protocols that adds security to communications at the IP layer, and it is a popular technology to implement VPN. On the basis of analysis on the insufficiency of traditional IPSec systems, a multi-link aggregate IPSec model is proposed. The new model can negotiate multiple groups of security policies on different physical links for same branch intranet pair, and distribute IPSec traffics over multiple links. A prototype system of the new model which is based on Netfilter mechanism is implemented on Linux platform. Analysis on the test result from the prototype system shows that the new model can work better under the environment of multi-link, and can enhance the capability and reliability of VPN application.

YANG Xin,LI Hui,QUE Jianming,MA Zhentai,LI Gengxin,YAO Yao,WANG Bin,JIANG Fuli

DOI: https://doi.org/10.11896/jsjkx.220600265

2023-01-01

Abstract:Traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly in the past half-century.However,serious security incidents emerged from attacks based on traditional networks.Traditional security mechanisms(e.g.,firewalls,intrusion detection systems) enhance security.However,most of them only provide some remedial strategies rather than solve the address-security problem radically due to the lack of change in network design.The overall in-depth security of the networked system cannot be guaranteed without a fundamental change.In order to meet the development requirements of the next generation of an endogenous security network,one of the future networks,the multi-identifier network(MIN),is introduced as our research background.This paper proposes an efficient scheme in hieratical architecture that provides comprehensive protection by addressing the security aspects pertaining to the network and application layers.At the network layer,the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper-resistance and traceability.At the application layer,the proposed architecture designs a mimic defensive scheme combined with weighted network centrality measures.This scheme focuses on protecting the core components of the whole network to improve the service's robustness and efficiently resist potential attacks.This paper tests and evaluates the proposed scheme from a theoretical and practical perspective.An analytical model is built based on the random walk for theoretical evaluation.In experiments,the proposed scheme is developed in MIN as MIN-VPN.Then considering IP-VPN as a baseline,anti-attack tests are conducted on IP-VPN and MIN-VPN.The results of theoretical evaluations and experiments show that the proposed scheme provides excellent transmission performance and successful defense against various TCP/IP-based attacks with acceptable defensive cost,demonstrating this security mechanism's effectiveness.In addition,after long-period penetration testing in three international elite security contests,the proposed method is effectively immune to all TCP/IP-based attacks from thousands of professional teams,thus verifying its strong security.

MEI Song,LI Zhi-tang

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.06.012

2007-01-01

Abstract:This paper first discusses the classic methods of covering communication to traverse the firewall devices which control the networking communication. And based on the analysis of IPSec protocol architecture, that the limitation of network compatibility of IPSec is got. So the new protocol of IPSec over Http based on IPSec tunnel and Http tunnel is exposed with its structure and procedure. The structure of FreeSWAN is improved and the performance test data are presented in order to validate this new protocol. Finally, the performance of the new system is analysed detailedly.

Jingli Zhou,Hongtao Xia,Xiaofeng Wang,Jifeng Yu

DOI: https://doi.org/10.1109/fcst.2006.4

2006-01-01

Abstract:Conventional SSL tunnel of SSL-based virtual private network is symmetric, in which the data must be encrypted at one end and decrypted at the other end, or contrariwise for the reverse direction. Because all data flows of VPN are relayed by VPN server via SSL tunnels, those symmetric SSL tunnels cause a lot of computational load concentrated in VPN server, and make it the bottleneck of VPN. This paper proposes a cheap solution to eliminate that bottleneck for larger scale SSL VPNs: The VPN based on asymmetric SSL tunnels (AST). It is coupled with two algorithms: IP packet engrafting and UDP diffusing. In this solution, portion of computational load is distributed to disengaged internal application servers. Experiment shows that the overall throughput of VPN can be greatly improved by adopting AST solution

Yuanqiao Wen,Shengsheng Yu,Jingli Zhou,Liwen Huang

DOI: https://doi.org/10.1007/978-3-540-30501-9_49

2004-01-01

Abstract:This paper presents an efficient and scalable approach to solve global optimization problem by distributed parallel tunneling using mobile agents.To use the parallel and concurrent characteristic of the tunneling algorithms and increase the speed of the computing, we use mobile agents as a tool for parallel implementation in a distributed environment. The experimental results demonstrate the feasibility and the potential of the proposed method.

ZHAO A-qun,JI Yi,GU Guan-qun

DOI: https://doi.org/10.3321/j.issn:1000-436x.2000.06.016

2000-01-01

Abstract:Tunneling technique is the key technique to implement VPN In this paper,we first perform a comparative research on the existing tunneling protocols including GRE,L2TP,IPSec and IP/IP Then we propose an integrated scheme of tunneling mechanism to support VPN under current condition In this scheme,we use“tunneling”mode IPSec as the basic data encapsulation method and the security guarantee of the tunnels,make use of Internet Key Exchange protocol as the signal protocol for tunnel establishment,and refer to the “soft state”mechanism in IP/IP protocol to implement tunnel maintenance and management At last we give the implementation architecture of the scheme in the VPN gateway

Jun Luo

2008-01-01

Abstract:VPN(Virtual Private Network)is a technique that uses encryption and communication protocols to construct secure data transmission channels in public networks.Nowadays,it is the main choice to build secure VPNs using the SSL protocol.This paper analyses the internal working mechanism of tunnel-based SSL VPN,and presents a new SSL VPN solution which is based on the distributed tunnel model according to its performance bottleneck.By introducing the P2P technology,this solution uses the computing power of edge nodes to share the server's data transmission task.As a result,it does not only improve the performance of point-to-point transmission,but also enhance the whole throughput of a VPN system.

Hung-Min Sun,Shih-Ying Chang,Yao-Hsin Chen,Bing-Zhe He,Cheng-Kai Chen

DOI: https://doi.org/10.1109/tencon.2007.4429003

2007-01-01

Abstract:IPSec has been popularly used in protecting data over IP network; however, how to detect and avoid policy conflicts is a big challenge. Under current architecture, user- space process can directly manipulate security associations database (SADB) or security policies database (SPDB) causing inter-application conflict, lack of access control, lack of conflict avoiding and recovering, and conflict diffusion. Previous proposed algorithms can only detect conflicts afterward instead of preventing them in advance. Therefore we propose a new architecture to avoid conflicts and provide recovery mechanism. Finally, we implement these functionalities and the evaluation of performance shows that this architecture is realistic and practical.

朱昌盛,余冬梅,王庆梅,谢鹏寿,包仲贤

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.11.041

2002-01-01

Abstract:The advent of VPN makes it possible for enterprises to transform private confidential massage securely and economically through the Internet. Security tunneling technology is the core technology of VPN, while L2TP IPSec are two tunneling technologies most widely used at present. As the two main accesses to IP network, the combination of L2TP IPSec can share the advantage of L2TP's low cost, initiative, mutual-communication and IPSec's high security, reliability，learn from others' strong points to offset one's weakness, to a great extent, to construct a secure, reliable and low-cost VPN.

Chunle Fu,Bailing Wang,Wei Wang,Ruichao Mu,Yunxiao Sun,Guodong Xin,Yongzheng Zhang

DOI: https://doi.org/10.3390/electronics13112031

IF: 2.9

2024-05-24

Electronics

Abstract:Virtual private network (VPN) gateways are widely applied to provide secure end-to-end remote access and to relay reliable interconnected communication in cloud computing. As network convergence nodes, the performance of VPN gateways is limited by traditional methods of packet receiving and sending, the kernel protocol stack and the virtual network interface card. This paper proposes a generic high-performance architecture (GHPA) for VPN gateways in consideration of its generality and performance. In terms of generality, we redesign a generic VPN core framework by modeling a generic VPN communication model, formulating generic VPN core technologies and presenting corresponding core algorithms. In terms of performance, we propose a three-layer GHPA for VPN gateways by designing a VPN packet processing layer based on a data plane development kit (DPDK), implementing a user space basic protocol stack and applying our proposed generic VPN core framework. On the basis of the research work above, we implement a high-performance VPN (HP-VPN) and a traditional VPN (T-VPN) that complies with GHPA and traditional methods, respectively. Experimental results prove that the performance of HP-VPN based on GHPA is superior to T-VPN and other common VPNs in RTT, system throughput, packet forwarding rate and jitter. In addition, GHPA is extensible and applicable for other VPN gateways to improve their performance.

engineering, electrical & electronic,computer science, information systems,physics, applied

David Isaac Wolinsky,Linton Abraham,Kyungyong Lee,Yonggang Liu,Jiangyan Xu,P. Oscar Boykin,Renato Figueiredo

DOI: https://doi.org/10.48550/arXiv.1001.2575

2010-01-15

Abstract:Centralized Virtual Private Networks (VPNs) when used in distributed systems have performance constraints as all traffic must traverse through a central server. In recent years, there has been a paradigm shift towards the use of P2P in VPNs to alleviate pressure placed upon the central server by allowing participants to communicate directly with each other, relegating the server to handling session management and supporting NAT traversal using relays when necessary. Another, less common, approach uses unstructured P2P systems to remove all centralization from the VPN. These approaches currently lack the depth in security options provided by other VPN solutions, and their scalability constraints have not been well studied. In this paper, we propose and implement a novel VPN architecture, which uses a structured P2P system for peer discovery, session management, NAT traversal, and autonomic relay selection and a central server as a partially-automated public key infrastructure (PKI) via a user-friendly web interface. Our model also provides the first design and implementation of a P2P VPN with full tunneling support, whereby all non-P2P based Internet traffic routes through a trusted third party and does so in a way that is more secure than existing full tunnel techniques. To verify our model, we evaluate our reference implementation by comparing it quantitatively to other VPN technologies focusing on latency, bandwidth, and memory usage. We also discuss some of our experiences with developing, maintaining, and deploying a P2P VPN.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

王作芬,王芙蓉,黄本雄

DOI: https://doi.org/10.3969/j.issn.1000-3428.2001.06.050

2001-01-01

Abstract:IPSec is the key technology of VPN. Based on security, the paper first describes the basic conception of VPN, then analyzes the IPSec tunneling technology in detail, and presents its architecture and implementation approach. Finally we discuss its application on VPN and some key technologies in future.

Yunhe Zhang,Zhitang Li,Song Mei,Ling Xiao,Meizhen Wang

DOI: https://doi.org/10.1109/MINES.2009.151

2009-01-01

Abstract:IPSec VPN is widely used to secure communications between different branch intranets over Internet, and its performance is becoming more and more important now. Traditional IPSec accelerating approaches are mostly based on hardware and have low cost performance. In this paper, we propose a software approach based on IPSec Thumbnail Protocol (ITP) to accelerate IPSec communication. By caching data segments of the original IP packet and constructing ITP Thumbnail packet to transfer, IPSec communication can be accelerated. We implement an ITP prototype system on Linux platform and evaluate it in our test environment. The experimental results show that the ITP protocol is effective and the overall IPSec communication performance is improved obviously.

XU Ming-liang,TAN Cheng-xiang,WANG Hai-hang

DOI: https://doi.org/10.3969/j.issn.1671-0428.2007.11.014

2007-01-01

Abstract:Virtual Private Network(VPN) is an important technique transfer private information under public networks. It can set up a temporary but safe connection to a public network (normally an internet) by data packing and encrypted transferring, and then achieve the aim of transferring private information on public network. Recently, two technologies are mainly used by enterprise to set up internal VPN: IPSec VPN and SSL VPN. This paper introduces the concept of IPSec technique and describes IPSec protocol architecture, communication steps, and finally discusses implementation of VPN based on IPSec by Openswan in detail.

Yan Jiang,Jing Huang,Yunsong Fan,Xiaobin Zhu

DOI: https://doi.org/10.13052/jcsm2245-1439.1345

2024-06-14

Journal of Cyber Security and Mobility

Abstract:With the development of Internet of Things technology, the security threats faced by the industrial control field are increasing, and strengthening the security protection capabilities of intelligent systems on IoT highways is becoming increasingly important. IPSec VPN tunneling technology can achieve identity authentication and encrypted data transmission, and is an important means to achieve secure data transmission in intelligent systems on Expressway intelligent tunnel system. The commonly used IPSec VPN gateway uses a traditional Linux protocol stack-based approach for data capture, which requires multiple data copies and context switching, resulting in low efficiency of IPSec services. In addition, the commonly used IPSec VPN security gateway is implemented on the basis of the open-source IPSec framework, using internationally recognized algorithms for encryption and decryption, which poses security risks. This article is based on the IPSec protocol, and studies the high-speed network packet capture framework PFRING technology, the fusion technology of national secret algorithm and IPSec protocol. It designs and implements an IPSec VPN IoT security gateway based on national secret algorithm. After experimental verification, the IPSec VPN gateway system constructed in this article has complete functions and better performance than the common open-source IPSec frameworks OpenSwan and strongSwan, and can meet the application requirements of IoT data encryption transmission.