By David Le Goff – 6WIND Product Marketing Manager
IP network security challenges
IP Security (IPsec) was developed to add security to IP networks, which have no native support for it. IPsec provides authentication (session management) and data confidentiality (encryption/decryption) at Layer 3.
IPsec is actually a suite of protocols, including IKE (Internet Key Exchange), AH (Authentication Header) and ESP (Encapsulating Security Payload) among others; the IPsec standard defines how these protocols work together.
In applications such as subnet-based security for a Virtual Private Network (VPN), IPsec can add significant processing overhead that impacts the overall cost-performance of the networking equipment.
Multi-vendor crypto engine solution management for IPsec tunnel
3DES, SHA1 and MD5 are all resource-hungry algorithms used for encryption and authentication, and they are increasingly offloaded to specialized hardware-based engines. This maximizes the CPU resources available for running applications rather than security processing. Given the large variety of available processor platforms, supporting the appropriate crypto engine is not a simple task and requires a processor-agnostic approach for optimum efficiency.
6WIND addresses this by integrating support for the most widely-used crypto accelerators within the 6WINDGate packet processing software:
- Intel Cave Creek (crypto hardware acceleration)
- Cavium Nitrox PX family security accelerator (crypto hardware acceleration)
- Cavium Nitrox III
- Intel Multi-buffer IPsec acceleration (crypto software)
- On-chip crypto engines in Broadcom XLR, XLS and XLP
- Crypto software on Tilera's TilePro64, based on its mesh-architecture CPU
Optimized architecture enhances IKE authentication performance
6WINDGate includes an enhanced IPsec solution which supports multiple instances of IKE daemons, thereby increasing the tunnel establishment rate.
The Security Association (SA) look-up mechanism is based on a 16-bit hash table, and the Security Policy (SP) look-up can switch from a linear search to a trie-based algorithm depending on a preconfigured threshold.
Furthermore, 6WINDGate supports open, standard Linux-based APIs, enabling the SA and SP databases to be configured by third-party IKE control plane modules. To minimize system latency, both the SPD and the SAD are located in shared memory, as shown in the figure below.
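To make the two look-ups concrete, here is an added illustration (constructed for this article, not 6WINDGate's own code) of an SAD indexed by a 16-bit hash table and an SPD that starts with a linear scan and rebuilds itself as a binary prefix trie once the number of policies exceeds a configurable threshold. The SPI folding, the destination-prefix-only selector and the threshold value are simplifying assumptions; a real SPD matches on several selectors (addresses, protocol, ports) and a real SAD may key on more than (SPI, destination, protocol).

```python
"""Security Association / Security Policy look-up structures.

Constructed illustration (not 6WINDGate code): an SAD indexed by a 16-bit
hash table with per-bucket chaining, and an SPD that scans linearly while
small and switches to a binary prefix trie above a configured threshold.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HASH_BITS = 16  # 2**16 buckets, as in the text


@dataclass
class SA:
    spi: int      # 32-bit Security Parameter Index
    dst: str      # tunnel destination address
    proto: str    # "esp" or "ah"
    key_id: str   # handle for the keying material (placeholder only)


class SAD:
    """Inbound SA database: look-up key is (SPI, destination, protocol)."""

    def __init__(self) -> None:
        self.buckets: list[list[SA]] = [[] for _ in range(1 << HASH_BITS)]

    @staticmethod
    def _bucket(spi: int) -> int:
        # Fold the 32-bit SPI into a 16-bit bucket index (assumed hash).
        return (spi ^ (spi >> 16)) & ((1 << HASH_BITS) - 1)

    def add(self, sa: SA) -> None:
        self.buckets[self._bucket(sa.spi)].append(sa)

    def lookup(self, spi: int, dst: str, proto: str) -> Optional[SA]:
        # Hash to the bucket, then compare the full key along the chain.
        for sa in self.buckets[self._bucket(spi)]:
            if sa.spi == spi and sa.dst == dst and sa.proto == proto:
                return sa
        return None


@dataclass
class Policy:
    dst_prefix: str   # destination selector, e.g. "10.1.0.0/16"
    action: str       # "protect", "bypass" or "discard"


class SPD:
    """Policy database keyed on destination prefix; longest prefix wins."""

    def __init__(self, trie_threshold: int = 64) -> None:
        self.threshold = trie_threshold
        self.policies: list[Policy] = []
        self.trie: Optional[dict] = None

    def mode(self) -> str:
        return "trie" if self.trie is not None else "linear"

    def add(self, policy: Policy) -> None:
        self.policies.append(policy)
        # Switch representation once a linear scan would be too long.
        if len(self.policies) > self.threshold:
            self._build_trie()

    def _build_trie(self) -> None:
        # Binary trie over the prefix bits; a node holding "policy" ends a prefix.
        self.trie = {}
        for p in self.policies:
            net = ipaddress.ip_network(p.dst_prefix)
            node = self.trie
            for bit in format(int(net.network_address), "032b")[: net.prefixlen]:
                node = node.setdefault(bit, {})
            node["policy"] = p

    def lookup(self, dst: str) -> Optional[Policy]:
        addr = ipaddress.ip_address(dst)
        if self.trie is None:
            best = None
            for p in self.policies:
                net = ipaddress.ip_network(p.dst_prefix)
                if addr in net and (best is None or
                                    net.prefixlen > ipaddress.ip_network(best.dst_prefix).prefixlen):
                    best = p
            return best
        # Walk the trie bit by bit, remembering the last prefix that matched.
        node, best = self.trie, None
        for bit in format(int(addr), "032b"):
            best = node.get("policy", best)
            if bit not in node:
                return best
            node = node[bit]
        return node.get("policy", best)


if __name__ == "__main__":
    spd = SPD(trie_threshold=2)
    for pfx, act in [("0.0.0.0/0", "bypass"), ("10.0.0.0/8", "protect"), ("10.1.0.0/16", "discard")]:
        spd.add(Policy(pfx, act))
    print(spd.mode(), spd.lookup("10.1.2.3").action, spd.lookup("10.2.0.1").action)
```

Both representations must return the same answer for the same input; the threshold only trades insertion cost against look-up cost, which is why it is worth making it configurable per deployment.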
With support for IKEv1, IKEv2 and anti-replay for stronger security, and for NAT traversal to enable IPsec in end-to-end (E2E) and/or complex networks, the 6WIND IPsec module addresses common use cases.
Combined with the IPsec SVTI module, networking equipment manufacturers can provide logical point-to-point interfaces for IPsec tunnels with (virtual) routing capabilities.
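The anti-replay feature mentioned above is a sliding window over ESP sequence numbers. The following is an added illustration of that window in the style of RFC 4303 Appendix A, written for this article and not taken from 6WINDGate: a packet is pre-checked against the window before the integrity check, and the window is only updated after the ICV verifies, so that forged packets cannot advance it. The window size of 64 and the 32-bit sequence numbers (no Extended Sequence Numbers) are assumptions.

```python
"""ESP anti-replay sliding window (RFC 4303 Appendix A style).

Constructed illustration, not 6WINDGate code. `top` is the highest sequence
number accepted; bit k of `bitmap` records whether (top - k) was accepted.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit k set => sequence number (top - k) already seen

    def check(self, seq: int) -> bool:
        """Pre-check before ICV verification; does not modify the window."""
        if seq == 0:
            return False                     # 0 is never a valid ESP sequence number
        if seq > self.top:
            return True                      # ahead of the window: new
        if self.top - seq >= self.size:
            return False                     # behind the window: too old
        return not (self.bitmap >> (self.top - seq)) & 1   # duplicate?

    def update(self, seq: int) -> None:
        """Record a packet that passed check() AND ICV verification."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1              # the whole window slid past
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> bool:
        """Inbound path: window check, (simulated) ICV result, then update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def filter_stream(seqs, size: int = 64):
    """Sequence numbers a fresh window accepts from `seqs`, in order."""
    w = AntiReplayWindow(size)
    return [s for s in seqs if w.receive(s)]


if __name__ == "__main__":
    # Constructed sample: reordering inside the window is fine, a duplicate
    # and a packet that fell out of the window are dropped.
    print(filter_stream([1, 3, 2, 2, 20, 12, 13], size=8))
```

The order of operations matters: updating the window from the sequence number alone, before the ICV check, would let an attacker with no key material push the window forward and cause legitimate packets to be discarded, which is why check and update are separate steps here.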
Thanks to this optimized architecture, 6WINDGate delivers the following IPsec performance on a Broadcom XLP processor platform:
- 200K static IPsec tunnels
- 40K dynamic tunnels with IKE session management
- 25 Gbps per XLP core with 1420-byte packets
- Over 100 Gbps IPsec crypto throughput on an XLP platform
Already deployed in a wide range of security equipment
As a result of its open architecture and its high IPsec performance, the 6WINDGate IPsec implementation is widely used for VPNs in security equipment such as LTE gateways (femto gateway, security gateway, GGSN, etc.) as well as in broadband access devices (WiFi access points and service controllers). It is also used in data center and enterprise networking equipment, in security applications such as IPS systems, ADCs and firewalls.