Abstract
IPsec performance in high-speed networks is currently problematic. Traditionally, connections are established between multifunction network devices, which are typically inefficient already at 10 Gbps packet delivery and have neither high-availability nor scalability features. In Software-Defined Networking (SDN), packets travel only through the desired dedicated networking devices. However, few high-speed stand-alone IPsec solutions exist that can be hooked up with SDN. In this paper we propose a design that uses IPsec in SDN fashion by separating IKE and packet encryption. Experimental results show that the high-availability and scalability goals are reached and per-client throughput is increased. The IPsec protocol suite can thus meet the ongoing need for a faster packet processing rate.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Vajaranta, M., Kannisto, J., Harju, J. (2017). IPsec and IKE as Functions in SDN Controlled Network. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science(), vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_39
DOI: https://doi.org/10.1007/978-3-319-64701-2_39
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2
eBook Packages: Computer Science, Computer Science (R0)