IPsec and IKE as Functions in SDN Controlled Network

  • Conference paper
Network and System Security (NSS 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10394)

Abstract

IPsec performance in high-speed networks is currently problematic. Traditionally, connections are established between multifunction network devices, which are typically inefficient already at 10 Gbps packet delivery and have neither high-availability nor scalability features. In Software-Defined Networking (SDN), packets travel only through the desired dedicated networking devices. However, few high-speed stand-alone IPsec solutions exist that can be hooked up with SDN. In this paper we propose a design that uses IPsec in SDN fashion by separating IKE from packet encryption. Experimental results show that the high-availability and scalability goals are reached and that per-client throughput is increased. The IPsec protocol suite can thus meet the ongoing need for a faster packet processing rate.

Author information

Correspondence to Markku Vajaranta.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Vajaranta, M., Kannisto, J., Harju, J. (2017). IPsec and IKE as Functions in SDN Controlled Network. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_39

  • DOI: https://doi.org/10.1007/978-3-319-64701-2_39

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64700-5

  • Online ISBN: 978-3-319-64701-2

  • eBook Packages: Computer Science, Computer Science (R0)
