Lightweight Ipsec Design And Implementation Of Embedded Systems

Along with the successful implement of networking technology in embedded systems, more and more embedded devices have been connected to the Internet. Due to limit of resources of embedded systems, however, many light-weight TCP/IP protocol stacks used in low-end embedded devices, which are widely used, have had little security measures incorporated into them, thus exposing the whole system to security threats. Obviously it is necessary and urgent to apply IPsec security protocols to those embedded devices connected to Internet.Given that the low-end embedded systems are used most in the field of control, which do not usually involve large amount of data transmission, and that many embedded platforms are not quite demanding the speed of network data transmission, it is feasible to implement IPsec on embedded systems to achieve network security.This thesis concentrates on the implement of lightweight IPsec protocol stacks on low-end embedded platforms, to add the stacks to existing network devices, or to have them embedded into new embedded devices. In this thesis, lwIP is used as TCP/IP protocol stacks, based on which, standard IPsec is tailored. In designing the SPD and SAD database query, static addition scheme is used; in memory management, zero-copy technology and dynamic adjusting data-pack size scheme is employed. In order to improve code execution and memory usage efficiency, in-place program is used in algorithm design. Finally, IPsec simulation approach is adopted to embed the whole code into the existing software system to ensure it can be applied to the existing devices.The whole system has achieved ESP and AH data packet encapsulation method under IPsec tunnel mode and supplies SHA1, MD5 authentication algorithm, and DES, 3DES encrypt algorithm, with the size of the whole IPsec code block being smaller than 120KB. Subsequently the system is tested on the embedded platforms, of which the CPU are S3C2440 (ARM9 core) and PIC16F877(16 bit MCU) and OS is ucOSIIV2.80. The Ethernet connection being 10Mbps, CPU clock set at 20M, the round-trip time (RTT, max data being 1280 byte) is within 120ms with AH packet encapsulation and within 1000ms with ESP encapsulation, thus satisfying the needs for data processing and transmitting of some embedded devices.Based on the discussion above, the IPsec designed in this thesis can be embedded into some existing embedded systems and applied to some new embedded devices and work for their networking security, and thus partly solving the network security issue in embedded network systems.