ABSTRACT
IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. In this paper we discuss a scheduling algorithm for distributing IPSec packet processing between the CPU, which runs a software implementation of the cryptographic algorithms considered, and multiple cryptographic accelerators. This algorithm also provides support for quality of service. High-level simulations and the related results are provided to show the properties of the algorithm. Some architectural improvements suitable to better exploit this scheduling algorithm are also presented.
Index Terms
- A QoS-enabled packet scheduling algorithm for IPSec multi-accelerator based systems