Skip to main content
SpringerLink
Log in

IPSec Database Query Acceleration

  • Conference paper
E-business and Telecommunications (ICETE 2007)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 23))

Included in the following conference series:

Abstract

IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within IPSec make extensive use of two databases, namely the Security Policy Database (SPD) and the Security Association Database (SAD). The ability to query the SPD quickly is fundamental as this operation needs to be done for each incoming or outgoing IP packet, even if no IPSec processing needs to be applied on it. This may easily result in millions of query per second in gigabit networks.

Since the databases may be of several thousands of records on large secure gateways, a dedicated hardware solution is needed to support high throughput and to prevent denial of service attacks. In this paper we discuss an architecture for these query units, we propose different query methods for the two databases, and we compare them through simulation. Two different versions of the architecture are presented: the first is a serial architecture that is able to perform up to 7.5 million queries per second; the second is a multithreaded architecture that can perform up to 11 million queries per second.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Kent, S., Atkinson, R.: Security Architecture for the Internet Protocol – RFC2401. IETF RFC (1998)

    Google Scholar 

  2. Kent, S., Atkinson, R.: IP Authentication Header – RFC2402. IETF RFC (1998)

    Google Scholar 

  3. Kent, S., Atkinson, R.: IP Encapsulating Security Payload (ESP) – RFC2406. IETF RFC (1998)

    Google Scholar 

  4. Harkins, D., Carrell, D.: The Internet Key Exchange (IKE) – RFC2409. IETF RFC (1998)

    Google Scholar 

  5. Kent, S.: IP Authentication Header – RFC4302. IETF RFC (2005)

    Google Scholar 

  6. Kent, S.: IP Encapsulating Security Payload (ESP) – RFC4303. IETF RFC (2005)

    Google Scholar 

  7. Shacham, A., Monsour, R., Pereira, R., Thomas, M.: IP Payload Compression Protocol (IPComp) – RFC2393. IETF RFC (1998)

    Google Scholar 

  8. Feghhi, J., Feghhi, J.: Secure Networking with Windows 2000 and Trust Services. Addison-Wesley, Reading (2001)

    Google Scholar 

  9. Yuan, R., Strayer, W.T.: Virtual Private Networks. Addison-Wesley, Reading (2001)

    Google Scholar 

  10. Miltchev, S., Ioannidis, S., Keromytis, A.D.: A Study of the Relative Costs of Network Security Protocols. In: USENIX Annual Technical Program, Monterey, CA (2002)

    Google Scholar 

  11. Ariga, S., Nagahashi, K., Minami, M., Esaki, H., Murai, J.: Performance Evaluation of Data Transmission Using IPSec Over IPv6 Networks. In: INET, Yokohama, Japan (2000)

    Google Scholar 

  12. Ferrante, A., Piuri, V., Owen, J.: IPSec Hardware Resource Requirements Evaluation. In: NGI 2005, Rome, Italy, EuroNGI (2005)

    Google Scholar 

  13. Ferrante, A., Piuri, V.: High-level Architecture of an IPSec-dedicated System on Chip. In: NGI 2007, Trondheim, Norway. IEEE Computer Society Press, Los Alamitos (2007)

    Google Scholar 

  14. Friend, R.: Making the Gigabit IPSec VPN Architecture Secure. IEEE Computer 37, 54–60 (2004)

    Article  Google Scholar 

  15. Pagiamtzis, K.: CAM Primer (n.a.), http://www.eecg.toronto.edu/pagiamt/cam/camintro.html

  16. Pagiamtzis, K., Sheikholeslami, A.: Pipelined Match-lines and Hierarchical Search-lines for Low-power Content-addressable Memories. In: IEEE Custom Integrated Circuits Conference, pp. 383–386 (2003)

    Google Scholar 

  17. Chandra, P., Lakshmanamurty, S., Yavatkar, R.: Intel Corporation – Intel IXP2400 Network Processor: A Second-Generation Intel NPU. In: Crowley, P., Franklin, M.A., Hadimioglu, H., Onufryk, P.Z. (eds.) Network Processor Design, vol. 1, pp. 259–275. Morgan Kaufmann, San Francisco (2003)

    Google Scholar 

  18. Tzeng, H.H.-Y., Przygienda, T.: On Fast Address-Lookup Algorithms. IEEE Journal on Selected Areas in Communications 17, 1067–1082 (1999)

    Article  Google Scholar 

  19. Hennessy, J., Patterson, D.: Computer Architecture: a Quantitative Approach, 3rd edn. Morgan Kaufmann Publishers, San Francisco (2002)

    MATH  Google Scholar 

  20. SystemC Official Website (n.a.), http://www.systemc.org/

  21. The Internet Traffic Archive (n.a.), http://ita.ee.lbl.gov/

  22. TCPDUMP Public Repository (n.a.), http://www.tcpdump.org/

  23. Ferrante, A., Piscopo, G., Scaldaferri, S.: Application-driven Optimization of VLIW Architectures: a Hardware-Software Approach. In: Real-Time and Embedded Technology Applications, pp. 128–137. IEEE Computer Society, Los Alamitos (2005)

    Google Scholar 

  24. Jouppi, N., Reinman, G., Shivakumar, P., Wilton, S.: CACTI (n.a.), http://research.compaq.com/wrl/people/jouppi/CACTI.html

Download references

Author information

Authors and Affiliations

  1. ALaRI, Faculty of Informatics, University of Lugano, Via Buffi, 13, 6904, Lugano, Switzerland

    Alberto Ferrante & Satish Chandra

  2. DTI, University of Milano, Via Bramante, 65, 26013, Crema, Italy

    Vincenzo Piuri

Authors
  1. Alberto Ferrante
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Satish Chandra
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vincenzo Piuri
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Polytechnic Institute of Setúbal – INSTICC,, Av. D. Manuel I, 27A - 2. Esq., 2910-595, Setúbal, Portugal

    Joaquim Filipe

  2. Department of Computer Science, Monmouth University, West Long Branch, NJ 07764, U.S.A.

    Mohammad S. Obaidat

Rights and permissions

Reprints and permissions

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ferrante, A., Chandra, S., Piuri, V. (2008). IPSec Database Query Acceleration. In: Filipe, J., Obaidat, M.S. (eds) E-business and Telecommunications. ICETE 2007. Communications in Computer and Information Science, vol 23. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88653-2_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-88653-2_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88652-5

  • Online ISBN: 978-3-540-88653-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation