IPSec hardware resource requirements evaluation / A. Ferrante, V. Piuri, J. Owen - In: Next Generation Internet Networks, 2005 / [edited by] R. Sabella. - [s.l] : IEEE, 2005. - ISBN 078038900X. - pp. 240-246 (Paper presented at the 1st Conference on Next Generation Internet Networks Traffic Engineering, held in Rome in 2005).

IPSec hardware resource requirements evaluation

V. Piuri
2005

Abstract

IPSec is a suite of protocols that adds security to communications at the IP level. This suite of protocols is becoming more and more important as it is included as a mandatory security mechanism in IPv6. In this paper we provide an evaluation of the hardware resources needed for supporting virtual private networking through IPSec. The target system of this study is a home secure gateway; therefore, only the tunnel mode is considered. The focus is on the ESP protocol, but some evaluations of AH are also provided. We discuss usage of the AES, HMAC-SHA-1, and HMAC-SHA-2 cryptographic algorithms. In this paper we show that enabling IPSec in a 100 Mbit/s network kills its performance in almost every case. In a 10 Mbit/s network the results obtained for performance and CPU usage are much better. An interesting case within this network configuration is that in which IPComp is enabled and used on compressible data: CPU usage grows to 100%, but network throughput rises over the 10 Mbit/s limit, due to data compression. This performance evaluation leads to the conclusion that while a hardware crypto-accelerator is really key in reaching high performance, it may also be useful in small, slow systems (e.g. small embedded systems) where it would help improve performance and security.
Sector ING-INF/05 - Information Processing Systems
2005
Book Part (author)

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/9391
Citations
  • PMC: ND
  • Scopus: 29
  • ISI: 10