LIAO Xuan,LIU Miao,LI Jinke.Design of IPSEC VPN Gateway based on Improved RPS Technology[J].Journal of Chengdu University of Information Technology,2020,35(05):542-546.[doi:10.16836/j.cnki.jcuit.2020.05.011]
Design of IPSEC VPN Gateway based on Improved RPS Technology
- Article ID:
- 2096-1618(2020)05-0542-05
- Keywords:
- information security; security gateway; RPS/RFS; load balancing; FT1500A/16 platform; IPSEC VPN
- CLC number:
- TN918
- Document code:
- A
- Abstract:
- Based on strongSwan and multi-core parallel IPSEC processing, a multi-core IPSEC VPN gateway is designed and implemented. Allocating and freeing sk_buff structures while the network card sends and receives data consumes system resources; to address this, an sk_buff reuse queue is proposed that raises sk_buff utilization and packet-processing efficiency. In host-to-host mode, a single-queue network card assigns the data flow to one CPU core, which leads to excessive load on that core and poor processing performance; to address this, the hash algorithm used by RPS is modified so that packets are distributed by packet sequence number instead of the original four-tuple. This makes full use of the multi-core FT1500A/16 platform, achieves load balancing across four designated CPU cores, and brings the IPSEC packet processing rate on a gigabit network up to a maximum of 958 Mbps.
Memo
Received: 2020-06-14