Abstract
The requirement for accessing, through the public Internet, private resources in a secure fashion from anywhere has turned Virtual Private Network (VPN) connectivity into a necessity. Internet Protocol Security (IPsec) is the de facto standardized VPN technology with support for multiple connectivity scenarios. The cryptographic transformations of IPsec are widely considered as a performance bottleneck and the usual target for optimization. We present a set of system configuration optimizations on Linux that achieve significant throughput gains, supported by extensive measurements. Our work demonstrates that IPsec performance can be significantly improved without altering the implementation of the cryptographic algorithms.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bellovin, S.: A look back at “security problems in the TCP/IP protocol suite”. In: Proceedings of the 20th Annual Computer Security Applications Conference, ACSAC 2004, Washington, DC, USA, pp. 229–249. IEEE Computer Society, Los Alamitos (2004)
Bellovin, S.M.: Problem areas for the IP security protocols. In: Proceedings of the Sixth USENIX Security Symposium, pp. 205–214 (1996)
Degabriele, J.P., Paterson, K.G.: Attacking the IPsec standards in encryption-only configurations. Cryptology ePrint Archive, Report 2007/125 (2007)
Eastlake 3rd, D.: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH). RFC 4305 (Proposed Standard) (December 2005); Obsoleted by RFC 4835
Hoffman, P.: Cryptographic Suites for IPsec. RFC 4308 (Proposed Standard) (December 2005)
McDonald, D., Metz, C., Phan, B.: PF_KEY Key Management API, Version 2. RFC 2367 (Informational) (July 1998)
Shue, C., Shin, Y., Gupta, M., Choi, J.Y.: Analysis of IPSec overheads for VPN servers. In: IEEE ICNPs NPSec Workshop (2005)
Bellows, P., Flidr, J., Gharai, L., Perkins, C., Chodowiec, P., Gaj, K.: IPsec-protected transport of HDTV over IP (2003)
Shue, C.A., Gupta, M., Myers, S.A.: IPSec: Performance Analysis and Enhancements. In: IEEE Conference on Communications, ICC (2007)
Elkeelany, O., Matalgah, M., Sheikh, K., Thaker, M., Chaudhry, G., Medhi, D., Qaddour, J.D.: Performance analysis of IPSec protocol: encryption and authentication (2002)
Jones, R.: Netperf (2009), http://www.netperf.org (retrieved April 27, 2009)
Levon, J.: OProfile - A System Profiler for Linux (2008), http://oprofile.sourceforge.net/ (retrieved April 27, 2009)
Mogul, J., Deering, S.: Path MTU discovery. RFC 1191 (Draft Standard) (November 1990)
Mathis, M., Heffner, J.: Packetization Layer Path MTU Discovery. RFC 4821 (Proposed Standard) (March 2007)
Jacobson, V., Braden, R., Borman, D.: TCP Extensions for High Performance. RFC 1323 (Proposed Standard) (May 1992)
Mathis, M., Mahdavi, J., Floyd, S., Romanow, A.: TCP Selective Acknowledgment Options. RFC 2018 (Proposed Standard) (October 1996)
Salim, J.H., Olsson, R., Kuznetsov, A.: Beyond softnet. In: Proceedings of the 5th Annual Linux Showcase & Conference, ALS 2001, p. 18. USENIX Association, Berkeley (2001)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Iatrou, M.G., Voyiatzis, A.G., Serpanos, D.N. (2011). Optimizations for High-Performance IPsec Execution. In: Obaidat, M.S., Filipe, J. (eds) e-Business and Telecommunications. ICETE 2009. Communications in Computer and Information Science, vol 130. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-20077-9_14
Download citation
DOI: https://doi.org/10.1007/978-3-642-20077-9_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-20076-2
Online ISBN: 978-3-642-20077-9
eBook Packages: Computer ScienceComputer Science (R0)