
Research And Realization Of IPSec VPN System Based On Multi-core Network Processor

Posted on: 2017-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: J Wang
GTID: 2348330512487463
Subject: Computer technology

Abstract/Summary:
Since the 1980s, the Internet based on the TCP/IP protocol has developed rapidly and has increasingly influenced human work and daily life. In recent years, along with the growth of Internet users and information, the Internet has developed in the direction of diversification and high speed, and backbone bandwidth is now generally close to 40 Gbps. However, problems in the TCP/IP network protocol itself directly threaten the security of network data during transmission, and network security has become an important factor restricting future network applications. VPN technology is an important means of ensuring information security in the Internet environment: it connects two remote networks through a public network to establish a secure, dedicated virtual channel. Using encryption, authentication, integrity verification and access control technology, a VPN constitutes a logical virtual subnet that ensures the security of data between user connections during transmission.

With the support of the Shaanxi Province industrial research project (2014K05-43) and the crossing research project "Security gateway software" (2015KJ-333), and in the context of secure information transmission over a high-speed network in a military unit in our country, this paper designs and implements an IPSec VPN system based on a multi-core network processor. The research work is as follows:

1. An IPSec VPN system based on the Tilera multi-core network processor is designed and implemented. The system adopts the high-performance Tilera Gx36 multi-core network processor as its hardware platform and consists of the main processor and the decryption coprocessor. As the core module of the system, the main processor is divided into a control plane and a data plane and is responsible for the majority of the data business logic processing. The control plane is responsible for IKE negotiation exchange, control of slow-path packet processing, routing table synchronization, equipment configuration, etc. The data plane is responsible for fast-path packet processing, including policy retrieval, QoS, IPSec packet encapsulation and decapsulation, high-speed packet forwarding and route table management, etc. The decryption coprocessor is responsible for packet encryption, decryption and hash verification.

2. Research on IP packet encapsulation and high-speed packet forwarding technology. IP packet encapsulation is responsible for packet encapsulation and decapsulation based on the IPSec protocol. In this paper, the ESP tunnel mode encapsulation protocol is adopted. The main processor and decryption coprocessor encapsulate and decapsulate packets while the processor accesses and transmits data packets. Because the routing tables of network equipment keep growing, route table lookup speed becomes a bottleneck for high-speed packet forwarding. This paper builds on prefix-length hashing and the multi-bit trie: it draws on the storage and retrieval advantages of the prefix-length hash routing lookup algorithm and combines them with the query efficiency of the multi-bit trie routing lookup algorithm, so that both the routing table access speed and the query bit rate are further improved. Experimental results show that, for packets of different payload sizes, the system meets a forwarding rate of 40 Gbps.

3. Research on IPSec security policy storage and retrieval. An implementation of the IPSec protocol typically maintains the SPD and SAD databases. As the number of IPSec tunnels being maintained increases, the number of stored SPD and SAD entries also increases, and the storage and efficient retrieval of the SPD and SAD databases directly affect system performance. In this paper, a three-level table based on a hash structure is used to store the security table entries. Policy retrieval is based on a flow table: only the first packet of a flow is sent to the policy retrieval module to query the policy rule table, and the retrieval result is then added to the flow table. For the other packets of the flow, the module directly references the corresponding rule in the flow table to process the packet. This method significantly reduces the number of policy retrievals and improves the speed of the system.

The IPSec VPN system based on the Tilera multi-core network processor adopts IPSec and encryption technology and is responsible for the security of network data packets transmitted over a public network. Lastly, function and performance tests are performed; the results show that the business logic is correct and that the system reaches a processing capacity of 40 Gbps, meeting the design requirements.
Keywords/Search Tags:IPSec VPN, Parallel Computing, Tilera multi-core Processor, Network Security, Packet Forwarding, Policy retrieval
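
The flow-table policy retrieval described in item 3, as an added example that is not code from the thesis: a direct-mapped flow cache in front of an ordered SPD, so only the first packet of a flow triggers a full policy search. All names, the sample rules and the generation counter (which keeps a policy change from leaving stale cached decisions in use) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Added illustration; all names are hypothetical, not from the thesis. */
enum action { DISCARD, BYPASS, PROTECT };
struct flow_key { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct spd_rule { uint32_t dst_net, dst_mask; enum action act; };
struct flow_entry { struct flow_key key; enum action act; uint32_t gen; };

#define FLOW_SLOTS 1024
static struct flow_entry flow_table[FLOW_SLOTS]; /* gen 0 marks an empty slot */
static uint32_t spd_gen = 1;     /* bumped on every SPD change */
static unsigned slow_lookups;    /* number of full SPD searches */

/* Constructed sample SPD: ordered, first match wins. */
static struct spd_rule spd[] = {
    { 0x0A010000u, 0xFFFF0000u, PROTECT },  /* 10.1.0.0/16: ESP tunnel */
    { 0x00000000u, 0x00000000u, DISCARD },  /* default: drop */
};

/* Slow path: full search of the policy rule table. */
static enum action spd_lookup(const struct flow_key *k) {
    slow_lookups++;
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++)
        if ((k->dst & spd[i].dst_mask) == spd[i].dst_net)
            return spd[i].act;
    return DISCARD;
}

static uint32_t flow_hash(const struct flow_key *k) {
    uint32_t h = (k->src * 2654435761u) ^ k->dst;
    h ^= (((uint32_t)k->sport << 16) | k->dport) ^ k->proto;
    return (h ^ (h >> 15)) % FLOW_SLOTS;
}

static int key_eq(const struct flow_key *a, const struct flow_key *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}

/* Fast path on a fresh hit; slow path on a miss or a stale entry. */
enum action classify(const struct flow_key *k) {
    struct flow_entry *e = &flow_table[flow_hash(k)];
    if (e->gen == spd_gen && key_eq(&e->key, k))
        return e->act;
    e->key = *k; e->act = spd_lookup(k); e->gen = spd_gen;
    return e->act;
}

/* Any SPD change invalidates every cached decision at once. */
void spd_set_action(size_t i, enum action act) { spd[i].act = act; spd_gen++; }
unsigned slow_path_count(void) { return slow_lookups; }
```

Without the generation check, a flow classified before a rule change would keep its old action until the entry was evicted, which matters most when a rule is tightened from protect or bypass to discard.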