DOI: 10.1145/3407023.3407060

Vector packet encapsulation: the case for a scalable IPsec encryption protocol

Published: 25 August 2020

    Abstract

    The IPsec protocol family, although not always undisputed, has proven extremely reliable over the last two decades. However, because communication networks have evolved tremendously since ESP was standardized, this paper proposes changes to the security protocol to accommodate the needs of modern wide area and data center networks. In particular, it addresses optimizations for high-speed software implementations as well as use cases in data center networks. The evaluation shows that rather small yet targeted changes are sufficient to allow for more flexible and scalable implementations.


    Published In

    ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
    August 2020
    1073 pages
    ISBN: 9781450388337
    DOI: 10.1145/3407023
    Program Chairs:
    • Melanie Volkamer
    • Christian Wressnegger
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. IPsec
    2. QoS
    3. multicast
    4. performance
    5. virtual private networks

    Qualifiers

    • Research-article

    Funding Sources

    • secunet Security Networks

    Conference

    ARES 2020

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%
