A Clustering and Traffic-Redistribution Scheme for High-Performance IPsec VPNs

  • Conference paper
High Performance Computing – HiPC 2005 (HiPC 2005)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3769)

Abstract

CPE-based IPsec VPNs have been widely used to provide secure private communication across the Internet. As the bandwidth of WAN links keeps growing, the bottleneck in a typical deployment of CPE-based IPsec VPNs has moved from the last-mile connections to the customer-edge security gateways. In this paper, we propose a clustering scheme to scale the throughput as required by CPE-based IPsec VPNs. The proposed scheme groups multiple security gateways into a cluster using a transparent self-dispatching technique and allows as many gateways to be added as necessary until the resulting throughput is again limited by the bandwidth of the last-mile connections. It also includes a flow-migration mechanism to keep the load of the gateways balanced. The results of the performance evaluation confirm that the clustering technique and the traffic-redistribution mechanism together create a transparent, adaptive, and highly scalable solution for building high-performance IPsec VPNs.

This work was supported in part by the Taiwan Information Security Center, National Science Council under the grant NSC 94-3114-P-001-001-Y.

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Tsai, PL., Huang, CY., Huang, YY., Hsu, CC., Lei, CL. (2005). A Clustering and Traffic-Redistribution Scheme for High-Performance IPsec VPNs. In: Bader, D.A., Parashar, M., Sridhar, V., Prasanna, V.K. (eds) High Performance Computing – HiPC 2005. HiPC 2005. Lecture Notes in Computer Science, vol 3769. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11602569_45

  • DOI: https://doi.org/10.1007/11602569_45

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-30936-9

  • Online ISBN: 978-3-540-32427-0

  • eBook Packages: Computer Science, Computer Science (R0)
