Abstract
Cloud service providers usually offer IPsec VPN services to tenants by deploying a software IPsec gateway on a virtual machine. However, current software IPsec gateway solutions cannot make full use of the allocated multi-core virtual machine resources and are unable to meet the performance requirements of tenants. To optimize IPsec gateway performance, the flow processing load must be properly allocated across multiple cores, considering the multiple dimensions of load, to improve the throughput of the IPsec gateway. In this paper, we propose an optimization scheme which separates the encryption and decryption computation from the packet forwarding process in the IPsec gateway, and implements fine-grained scheduling of network flows on parallel processors. Furthermore, we present an adaptive load balancing algorithm based on quantifying the load of each processing core in real time. Experimental results show that the performance of the IPsec gateway improves significantly.
Acknowledgments
This work is supported in part by the National Key Research and Development Program of China (Grant No. 2016YFB1000304) and the National Natural Science Foundation of China (Grant No. U1636208).
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Li, W., Hu, S., Sun, G., Li, Y. (2018). Adaptive Load Balancing on Multi-core IPsec Gateway. In: Vaidya, J., Li, J. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2018. Lecture Notes in Computer Science, vol 11334. Springer, Cham. https://doi.org/10.1007/978-3-030-05051-1_15
DOI: https://doi.org/10.1007/978-3-030-05051-1_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05050-4
Online ISBN: 978-3-030-05051-1
eBook Packages: Computer Science, Computer Science (R0)