
The Research On The Architecture And Key Technologies Of High Speed Boundary IPSec Router

Posted on: 2006-02-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: N Rong
Full Text: PDF
GTID: 1118360155972158
Subject: Computer Science and Technology

Abstract/Summary:
The spread of Internet security services has motivated research on robust network security devices that can meet the growing demands of systems and applications. The trend of deploying routers that process security protocols as boundary equipment linking the fast backbone to the Intranet/Internet makes it important to implement the IPSec protocol in these routers. Consequently, improving the packet-forwarding capability of such routers (here called High Speed Boundary Routers, or HSBR) has become a research focus, especially as the boundary service becomes an increasingly decisive factor in the quality of the interconnection these devices provide between network components.

This dissertation presents a new HSBR architecture based on centralized IKE negotiation and distributed AH/ESP forwarding: HAIR (Hybrid Architecture of IPSec Router). Composed of three major modules that are logically decoupled from each other, HAIR provides simple and effective management of the security databases together with high-speed forwarding of IPSec packets, which makes it suitable for a flexible, highly efficient High Speed Boundary Router.

Focusing on high-speed forwarding of IPSec packets and high-capacity storage of security information, the dissertation addresses the following sub-domains and related technologies (restricted to, but not limited to, these):

1. Construction of the HSBR architecture. The centralized architecture of generic IPSec routers makes it difficult to fully exploit distributed processing, while a fully distributed architecture imposes a heavy load for exchanging and refreshing security information within the system. A hybrid architecture gives the HSBR room for a more flexible and efficient construction.
2. Scheduling of the centralized IKE negotiation. Centralizing IKE negotiation introduces congestion in the system; an efficient scheduling mechanism is needed to eliminate it.
3. Construction of the security databases and the corresponding management mechanism. A single centralized security database offers only poor efficiency, so a new model is needed to manage the databases efficiently.
4. Optimization of AH/ESP forwarding and the related configuration technologies. AH and ESP packets are processed in stages, which makes it convenient to pipeline their forwarding. Multiple crypto algorithm units also need an intelligent intermediate scheme to resolve conflicts in packet forwarding.

The dissertation makes the following contributions:

1. A hybrid architecture for the HSBR. Building on the centralized and distributed architectures, the hybrid architecture HAIR uses centralized IKE negotiation and distributed AH/ESP forwarding to meet the requirements of the HSBR. All functional units of HAIR are described formally within the ForCES framework. HAIR divides the HSBR's functions into a forwarding plane and a control plane, which keeps the model compatible with different platforms.
2. A security policy management framework, SPMF, applied in HAIR. Generic IPSec security policy management frameworks cannot efficiently represent the different communications between security systems. SPMF uses gateway discovery, policy discovery and policy release so that the system can control the different policy representations and communications.
3. A two-threshold queue-length scheduling mechanism for IKE negotiation. IKE negotiation load in the HSBR is pulse-like and changes continuously. The two-threshold queue-length mechanism observes the characteristics of the negotiation packets and schedules them accordingly, eliminating the congestion caused by IKE negotiation.
4. A pipelined structure for AH/ESP forwarding. The staged processing makes it convenient to introduce pipelines into the system. The dissertation presents a 5-stage inbound pipeline and a 4-stage outbound pipeline for AH/ESP forwarding, evaluates their performance, and introduces a corresponding configuration policy for multiple crypto modules so that the pipelines work more efficiently.
5. A prototype HSBR. A prototype router was implemented, and the performance, interoperability and conformance of the system were tested; the tests demonstrate the efficiency of the system.

In summary, the HAIR architecture model based on the ForCES framework can meet the challenges of the HSBR. Centralized IKE negotiation, distributed AH/ESP packet forwarding and hybrid security database management give the system line-speed forwarding and high-capacity storage. An HSBR based on HAIR is expected to have broad prospects. It can also be concluded that the combination of ASIC, networking and distributed database technologies will play an increasingly important role in network research. Because of the complexity of the system and the limits of the experimental conditions, the work in this dissertation covers only a small aspect of network security research, which will require our sustained and unremitting effort.
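The two-threshold queue-length scheduling of contribution 3 is described above only in outline. The following Python is an added example, not code from the dissertation or the HAIR prototype. It assumes the two thresholds act as hysteresis bounds on the negotiation backlog (stop admitting new negotiations once the queue reaches the high threshold, resume only after it drains below the low threshold) and compares that against a single-threshold policy on a constructed pulse-shaped arrival trace. The class and function names, the threshold values, the service rate and the arrival trace are all assumptions made for illustration.

```python
"""Two-threshold (hysteresis) admission control for a bursty IKE negotiation queue.

Added example; the threshold semantics, names and arrival trace are assumptions,
not the dissertation's own design.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class IkeRequest:
    peer: str        # initiator address, a constructed label
    arrived_at: int  # simulation tick at which the request arrived


@dataclass
class QueueStats:
    admitted: int = 0
    deferred: int = 0
    served: int = 0
    total_wait: int = 0   # sum of (service tick - arrival tick) over served requests
    max_queue: int = 0
    mode_flips: int = 0   # transitions between admitting and shedding

    @property
    def mean_wait(self) -> float:
        return self.total_wait / self.served if self.served else 0.0


class TwoThresholdIkeQueue:
    """Hysteresis admission: once the backlog reaches `high`, defer new
    negotiations until it has drained below `low`. With low == high this
    degenerates to a single-threshold policy, which flaps on every burst."""

    def __init__(self, low: int, high: int, service_per_tick: int):
        if not 0 < low <= high:
            raise ValueError("need 0 < low <= high")
        self.low, self.high = low, high
        self.service_per_tick = service_per_tick
        self.queue = deque()
        self.shedding = False
        self.stats = QueueStats()

    def offer(self, req: IkeRequest) -> bool:
        """Admit or defer one negotiation request; True means it was queued."""
        if self.shedding:
            self.stats.deferred += 1   # a real router would let the initiator retransmit
            return False
        self.queue.append(req)
        self.stats.admitted += 1
        self.stats.max_queue = max(self.stats.max_queue, len(self.queue))
        if len(self.queue) >= self.high:
            self.shedding = True       # crossed the high threshold: start shedding
            self.stats.mode_flips += 1
        return True

    def tick(self, now: int) -> None:
        """Serve up to service_per_tick negotiations, then re-evaluate the mode."""
        for _ in range(self.service_per_tick):
            if not self.queue:
                break
            req = self.queue.popleft()
            self.stats.served += 1
            self.stats.total_wait += now - req.arrived_at
        if self.shedding and len(self.queue) < self.low:
            self.shedding = False      # drained below the low threshold: admit again
            self.stats.mode_flips += 1


def pulse_arrivals(ticks: int, period: int, burst: int, steady: int) -> list:
    """Constructed pulse-shaped trace: `burst` requests every `period` ticks, else `steady`."""
    return [burst if t % period == 0 else steady for t in range(ticks)]


def simulate(low: int, high: int, service_per_tick: int = 4, ticks: int = 60,
             period: int = 30, burst: int = 30, steady: int = 4) -> QueueStats:
    """Run one policy over the constructed trace and return its statistics."""
    q = TwoThresholdIkeQueue(low, high, service_per_tick)
    for t, n in enumerate(pulse_arrivals(ticks, period, burst, steady)):
        for i in range(n):
            q.offer(IkeRequest(peer=f"10.0.{t}.{i}", arrived_at=t))
        q.tick(t)
    return q.stats


if __name__ == "__main__":
    for label, low, high in (("single-threshold", 20, 20), ("two-threshold", 8, 20)):
        s = simulate(low, high)
        print(f"{label:17s} flips={s.mode_flips:3d} deferred={s.deferred:3d} "
              f"max_queue={s.max_queue:2d} mean_wait={s.mean_wait:.2f}")
```

With the steady arrival rate equal to the service rate, the single-threshold policy sits at the high water mark after the first burst and flips between admitting and shedding on every tick, and every request waits the full queue depth. The hysteresis policy defers more requests while it drains the burst, but then settles at a short queue with a wait of one tick and flips only twice per burst; deferred initiators simply retransmit their first IKE message, so the deferral costs them a retransmission rather than a failed negotiation.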
Keywords/Search Tags:IPSec, High Speed Boundary Router, Hybrid Architecture, Security Policy, Security Database Management, Queue Threshold, Pipeline, Protocol Testing