
Design & Implementation Of Security Module In Security Router

Posted on: 2007-01-30
Degree: Master
Type: Thesis
Country: China
Candidate: G J Guo
GTID: 2178360212975727
Subject: Communication and Information System

Abstract/Summary:
IP-layer security has long been an active research topic. Without adequate security safeguards, public networks and enterprise private networks are hard to defend against network attacks and illegal intrusions. Based on the implementation approach of IPSec and the structure of an IPv6 router, this thesis implements an interface scheme for a security module that supports the high-speed ESP transmission mode; the module is implemented on the high-speed cipher chip SSXII. The thesis presents measures that address high-speed packet handling, high-speed table lookup, and the conflict between table lookup and the complex management of SA entries. Their implementation in this project shows these measures to be accurate and reliable. The contents of this thesis include:

Based on an analysis of the IPSec implementation principle and the structure of an IPv6 router, the thesis gives the design scheme of a router security module based on the high-speed cipher algorithm chip SSX II. The function of each module is described in detail, a high-speed validation system for the cipher chip is developed successfully, and an application example of the chip is presented to show its practicality.

The thesis analyses the difficulty of implementing high-speed handling and large-scale SA entry management in the security module. To achieve high-speed handling on the data plane, parallel processing and pipeline techniques are introduced into the design of the security module, yielding an FPGA-based parallel pipelined high-speed processing structure and high-speed encapsulation/decapsulation of IP data packets on the data plane.

Given the handling complexity of the control plane, the thesis proposes distributed storage and a centrally managed client/server (C/S) control structure for the SAD (Security Association Database). According to the concrete device limits and the requirements IPSec places on SAs, it presents the concrete storage format of the SAD in the security module and implements it through the cooperation of software and hardware.

In the context of the project, the thesis discusses the reliability of the system and analyses the device limits on system performance. The correctness and feasibility of the design scheme are demonstrated through system testing, in which the security module is tested for its delay on packets of different lengths and for its handling capacity.
Keywords/Search Tags:Router, SAD (Security Association Database), TCAM, SRAM, FPGA, RocketIO