NETWORK STACK OPTIMIZATION FOR IMPROVED IPSEC PERFORMANCE ON LINUX

Michael G. Iatrou, Artemios G. Voyiatzis, Dimitrios N. Serpanos

Abstract

Virtual Private Network (VPN) connectivity is a necessity on the public Internet for securely accessing private resources from anywhere. Internet Protocol Security (IPsec) is a standardized VPN technology that serves multiple connectivity scenarios. The implementation of the cryptographic algorithms is widely regarded as the performance bottleneck and therefore as the natural target for optimization. We present a set of system configuration optimizations for the network stack implementation of the Linux 2.6 kernel, supported by extensive measurements. These optimizations achieve significant throughput gains. Our work demonstrates that comparable performance between plain IP and IPsec connections is possible without altering the implementation of the cryptographic algorithms.
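The abstract does not state which configuration settings the authors tuned, so the following is an added example and not the paper's own code or method. It quantifies one stack-level cost that is independent of how the cryptographic algorithms are implemented: the per-packet overhead of ESP encapsulation and its interaction with the path MTU. If the TCP maximum segment size is not reduced to account for the ESP headers, IV, padding and ICV, every full-size segment overflows the MTU after encapsulation and is fragmented into two outer packets, roughly doubling the number of packets the stack must process for the same amount of data. The suite sizes (AES-CBC with a 16-byte IV and 16-byte block, 3DES-CBC with 8-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV), the 1500-byte MTU and the 1 MB transfer are assumptions chosen for illustration, not figures from the paper.

```python
from dataclasses import dataclass

# Fixed header sizes (bytes) for ESP over IPv4, following the RFC 4303 packet layout.
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), inside the encrypted region


@dataclass(frozen=True)
class EspSuite:
    """Per-packet sizes contributed by one ESP cipher/integrity pairing."""
    name: str
    iv_len: int     # explicit IV carried at the start of the payload
    block_len: int  # plaintext plus trailer is padded to a multiple of this
    icv_len: int    # integrity check value appended after the ciphertext


# Parameter sizes of two common ESP suites (assumed for this example, not taken from the paper).
AES_CBC_HMAC_SHA1 = EspSuite("AES-CBC + HMAC-SHA1-96", iv_len=16, block_len=16, icv_len=12)
TRIPLE_DES_HMAC_SHA1 = EspSuite("3DES-CBC + HMAC-SHA1-96", iv_len=8, block_len=8, icv_len=12)


def _round_up(n: int, block: int) -> int:
    """Smallest multiple of `block` that is >= n."""
    return -(-n // block) * block


def esp_packet_len(tcp_payload: int, suite: EspSuite, tunnel: bool = True) -> int:
    """Bytes on the wire for one TCP segment of `tcp_payload` data bytes after ESP.

    Tunnel mode encrypts the whole inner IP packet; transport mode encrypts only
    the TCP header and data.
    """
    inner = tcp_payload + TCP_HDR + (IPV4_HDR if tunnel else 0)
    encrypted = _round_up(inner + ESP_TRAILER, suite.block_len)
    return IPV4_HDR + ESP_HDR + suite.iv_len + encrypted + suite.icv_len


def max_tcp_payload(mtu: int, suite: EspSuite, tunnel: bool = True) -> int:
    """Largest TCP payload whose ESP packet still fits in `mtu`, i.e. the MSS to clamp to."""
    budget = mtu - IPV4_HDR - ESP_HDR - suite.iv_len - suite.icv_len
    usable = (budget // suite.block_len) * suite.block_len   # encrypted region must be block-aligned
    fixed = ESP_TRAILER + TCP_HDR + (IPV4_HDR if tunnel else 0)
    return max(usable - fixed, 0)


def wire_packets(nbytes: int, mss: int, mtu: int, suite: EspSuite, tunnel: bool = True) -> int:
    """Outer IPv4 packets needed to move `nbytes` when the sender segments at `mss`.

    A segment whose ESP packet exceeds the MTU is IPv4-fragmented: each fragment
    carries a multiple of 8 payload bytes behind a fresh 20-byte IP header, so one
    oversize segment normally becomes two packets.
    """
    segments = -(-nbytes // mss)
    pkt = esp_packet_len(mss, suite, tunnel)
    if pkt <= mtu:
        return segments
    frag_payload = ((mtu - IPV4_HDR) // 8) * 8
    frags = -(-(pkt - IPV4_HDR) // frag_payload)
    return segments * frags


def plain_tcp_packets(nbytes: int, mtu: int) -> int:
    """Packets for the same transfer over plain TCP/IPv4 with MSS = MTU - 40."""
    return -(-nbytes // (mtu - IPV4_HDR - TCP_HDR))


if __name__ == "__main__":
    MTU, TRANSFER = 1500, 1_000_000   # constructed sample inputs
    for suite in (AES_CBC_HMAC_SHA1, TRIPLE_DES_HMAC_SHA1):
        clamped = max_tcp_payload(MTU, suite)
        print(f"{suite.name}: max tunnel-mode TCP payload at MTU {MTU} = {clamped} bytes")
        print(f"  1 MB with unclamped MSS 1460: {wire_packets(TRANSFER, 1460, MTU, suite)} packets")
        print(f"  1 MB with MSS clamped to {clamped}: {wire_packets(TRANSFER, clamped, MTU, suite)} packets")
    print(f"plain TCP at MTU {MTU}: {plain_tcp_packets(TRANSFER, MTU)} packets")
```

For a 1500-byte link and tunnel-mode AES-CBC/HMAC-SHA1, the calculator gives a maximum TCP payload of 1398 bytes; a sender that keeps the plain-IP MSS of 1460 produces 1560-byte ESP packets, so a 1 MB transfer costs 1370 outer packets instead of 716, against 685 for plain TCP. The point for the paper's thesis is that this near-doubling of per-packet work is entirely a stack and configuration matter (MSS clamping, path MTU discovery on the IPsec route), not a property of the cipher code.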



Paper Citation


in Harvard Style

Iatrou, M. G., Voyiatzis, A. G. and Serpanos, D. N. (2009). NETWORK STACK OPTIMIZATION FOR IMPROVED IPSEC PERFORMANCE ON LINUX. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009), ISBN 978-989-674-005-4, pages 83-91. DOI: 10.5220/0002225600830091


in Bibtex Style

@conference{secrypt09,
author={Michael G. Iatrou and Artemios G. Voyiatzis and Dimitrios N. Serpanos},
title={NETWORK STACK OPTIMIZATION FOR IMPROVED IPSEC PERFORMANCE ON LINUX},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={83-91},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002225600830091},
isbn={978-989-674-005-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI - NETWORK STACK OPTIMIZATION FOR IMPROVED IPSEC PERFORMANCE ON LINUX
SN - 978-989-674-005-4
AU - Iatrou, M. G.
AU - Voyiatzis, A. G.
AU - Serpanos, D. N.
PY - 2009
SP - 83
EP - 91
DO - 10.5220/0002225600830091