
Design And Implementation Of An IPSec VPN Architecture Based On Combination Of Software And Hardware Encryption

Posted on: 2008-05-15
Degree: Master
Type: Thesis
Country: China
Candidate: F Wu
GTID: 2178360272967259
Subject: Computer system architecture

Abstract/Summary:
Network technology is developing at a tremendous pace, and data is transported across networks faster and faster. As a consequence, VPN (Virtual Private Network) devices, which ensure the security of data transported over the network, are urgently needed with higher performance, usability and extensibility. This thesis therefore proposes a new parallel architecture that combines software encryption with encrypt-cards. The system introduces a new scheduling algorithm for packets and a parallel mechanism for the encryption units. Packet processing is separated into several steps, and software interrupts are used to make these steps asynchronous. As a result, the performance of the IPSec VPN is greatly improved.

The scheduling algorithm evaluates the capacity and the number of packets in the input queue of each encrypt-card, then prefers the unit with the least waiting time to handle the packet awaiting processing. This reduces the average waiting time as well as the average processing time. The balance between software encryption and the encrypt-cards is also considered: when the CPU is overloaded, a particular parameter is chosen so that fewer packets are scheduled to the software-encryption unit, and vice versa.

The asynchronous parallel mechanism improves on the traditional IPSec VPN processing flow. Receiving and sending buffers are introduced, and packet processing is separated into pretreatment, encryption and posttreatment, so that each part can be processed asynchronously and the system's performance is greatly improved.

Optimizations are adopted so that the system fits different situations. A sliding window is introduced into the packet scheduling algorithm. Many small packets that belong to the same sliding window and have the same identity are bound into a larger one before being sent. This change makes the system much more efficient when packets are small.

Finally, the performance of the system is presented and analysed. The results illustrate the efficiency of the algorithm and the feasibility of the system.

Keywords/Search Tags: Virtual Private Networks, Combination of software and hardware encryption, encrypt-cards, IPSec, paralleling
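
The least-waiting-time scheduling described in the abstract, as an added C example that is not code from the thesis: each unit's expected wait is estimated from its queue and capacity, and the software unit's estimate grows as CPU load rises. The struct fields, the bytes-per-microsecond capacity unit and the 1/(1 - load) weighting are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

struct enc_unit {
    double bytes_per_us;  /* capacity (assumed unit: bytes per microsecond) */
    size_t queued_bytes;  /* work already waiting in the unit's input queue */
    int is_software;      /* 1 = soft-encryption unit, 0 = encrypt-card */
};

/* Estimated time for a pkt_len-byte packet to clear this unit's queue.
 * ASSUMPTION: the software estimate is scaled by 1/(1 - cpu_load), standing
 * in for the load-dependent parameter the abstract mentions. */
static double expected_wait_us(const struct enc_unit *u, size_t pkt_len,
                               double cpu_load) {
    double wait = (double)(u->queued_bytes + pkt_len) / u->bytes_per_us;
    if (u->is_software) {
        double load = cpu_load < 0.0 ? 0.0 : (cpu_load > 0.99 ? 0.99 : cpu_load);
        wait /= 1.0 - load;  /* clamp above keeps the divisor positive */
    }
    return wait;
}

/* Enqueue on the unit with the least expected wait; -1 if none is usable. */
int pick_unit(struct enc_unit *units, size_t n, size_t pkt_len, double cpu_load) {
    int best = -1;
    double best_wait = 0.0;
    for (size_t i = 0; i < n; i++) {
        if (units[i].bytes_per_us <= 0.0) continue;  /* disabled unit */
        double w = expected_wait_us(&units[i], pkt_len, cpu_load);
        if (best < 0 || w < best_wait) { best = (int)i; best_wait = w; }
    }
    if (best >= 0) units[best].queued_bytes += pkt_len;
    return best;
}

int demo_pick(double cpu_load) {  /* constructed sample state, 1000-byte packet */
    struct enc_unit units[] = {
        { 100.0, 3000, 0 },  /* card 0: fast, long queue: 40 us */
        {  50.0,  500, 0 },  /* card 1: slower, short queue: 30 us */
        {  40.0,    0, 1 },  /* software: idle queue: 25 us at zero load */
    };
    return pick_unit(units, 3, 1000, cpu_load);
}

int main(void) {
    printf("idle CPU: unit %d, loaded CPU: unit %d\n", demo_pick(0.0), demo_pick(0.5));
    return 0;
}
```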