
Author: 盧風其 (Feng-Chi Lu)
Thesis title: High-Throughput Scalable Architecture of the IPSec Processor (Chinese title: 高速率具可擴展性的 IPSec 處理器)
Advisor: 黃稚存 (Chih-Tsun Huang)
Thesis committee: (not listed)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science
Year of publication: 2007
Graduation academic year: 96 (ROC calendar)
Language: English
Pages: 81
Keywords (Chinese, translated): network protocol security, performance, scalable architecture
Keywords (English): IPSec, Throughput, scalable, architecture
Abstract (Chinese, translated):

With the rapid growth of Internet and wireless communication applications, the security of information transmitted over public networks has become a fundamental issue. The Internet Protocol Security (IPSec) standard, provided by the IETF, offers security services at the IP layer. Implementing IPSec in software is no longer sufficient to handle the enormous traffic generated by today's network applications.

In this thesis we propose a scalable IPSec architecture that provides both encryption and authentication. The cryptographic algorithms supported in our design are AES-ECB, AES-CBC, AES-CTR, AES-CCM, HMAC-MD5 and HMAC-SHA1. Using our IPSec hardware design, the proposed architecture can process multiple network packets simultaneously within a single hardware instance. To meet high processing-throughput demands, an architecture with multiple IPSec processing blocks can achieve more than 20 Gbps. The proposed architecture is platform-based and scalable, and it offers a framework for weighing and balancing the trade-off between data throughput and implementation cost.

In addition, a method for evaluating the overall performance of our architecture is presented. Based on this evaluation model, we can choose the appropriate architecture to implement for different network security requirements. If the demands for encryption and authentication are unequal, the evaluation model can provide different parameters to maximize overall throughput.


Abstract (English):

With the rapid growth of applications in Internet and wireless communication, the security of transmitting information on public networks has become a fundamental issue. The Internet Protocol Security (IPSec) standard was developed by the Internet Engineering Task Force (IETF) to provide security services at the IP layer. IPSec implemented in software is not sufficient to handle the enormous traffic generated by modern network applications.

In this thesis, we propose a scalable architecture for IPSec. It provides encryption and authentication services. The cryptographic algorithms supported in our design are AES-ECB, AES-CBC, AES-CTR, AES-CCM, HMAC-MD5 and HMAC-SHA-1. The proposed architecture can process multiple packets in parallel using our IPSec processing hardware. For high-throughput requirements, the multi-IPSec-processing-block architecture can achieve more than 20 Gbps throughput. The proposed architecture is platform based and scalable, which provides a tradeoff between performance and cost for a wide range of network applications.

In addition, a performance evaluation method is provided for the proposed architecture. According to this evaluation model, we can choose a suitable architecture to implement for different network security requirements. If the requirements of confidentiality and authentication are imbalanced, the evaluation model can provide different parameters to maximize the overall throughput.

Contents
1 Introduction 1
  1.1 Issues in Network Security and Performance 1
  1.2 Previous Works 2
  1.3 Proposed Scalable Architecture 3
  1.4 Organization 3
2 IP Security (IPSec) 5
  2.1 IP Security Overview 5
    2.1.1 Security Services 6
  2.2 Security Association and Policy 6
    2.2.1 Security Policy Database (SPD) 7
    2.2.2 Security Association Database (SAD) 8
  2.3 IPSec Protocol 9
    2.3.1 Encapsulating Security Payload (ESP) 9
    2.3.2 Transport Mode and Tunnel Mode 10
  2.4 Packet Processing Flow 12
    2.4.1 Outbound Processing Flow 12
    2.4.2 Inbound Processing Flow 12
3 Proposed Architecture and Performance Analysis 16
  3.1 Overall Architecture 16
  3.2 Performance Analysis 17
    3.2.1 IPSec Header Processing 17
    3.2.2 CE Processing 19
      3.2.2.1 AES 19
      3.2.2.2 HMAC 20
      3.2.2.3 Discussion with Different Packet Types 20
    3.2.3 Data Transfer 21
      3.2.3.1 AHB Bus Interconnection 21
      3.2.3.2 Crypto-DMA Interconnection 25
      3.2.3.3 Discussion 26
    3.2.4 Overall Architecture Analysis 27
      3.2.4.1 Packet Selection Method 27
      3.2.4.2 Multi-IPSec Processing Block 28
      3.2.4.3 Multi-Clock Domain 29
      3.2.4.4 Discussion 30
4 Design and Implementation 31
  4.1 Overall Architecture 31
    4.1.1 Outbound Processing Flow 32
    4.1.2 Inbound Processing Flow 33
  4.2 Packet Buffer Module 40
    4.2.1 Input Packet Buffer 40
    4.2.2 Output Packet Buffer 43
  4.3 SPD and SAD Module 43
  4.4 IPSec Processing Block Module 44
    4.4.1 Checksum Module 44
    4.4.2 Anti-Replay Module 47
    4.4.3 Main Controller Module 47
    4.4.4 Flow Table 49
    4.4.5 AHB Master Interface 51
  4.5 Crypto-Engines (CEs) 54
    4.5.1 Address Map 54
    4.5.2 AES Engine 54
    4.5.3 HMAC Engine 58
  4.6 External Block Controller 59
5 Experimental Result 61
  5.1 Design Flow 61
  5.2 Simulation Flow 61
    5.2.1 Source of Packet Information 61
    5.2.2 Packet Generator 62
  5.3 Simulation Results 62
    5.3.1 Performance 63
    5.3.2 Area 71
  5.4 Analysis and Discussion 73
    5.4.1 Analysis 73
    5.4.2 Deviation and Improvement 73
  5.5 Comparison with Commercial Products 73
6 Conclusion and Future Work 77
  6.1 Conclusion 77
  6.2 Future Work 78

List of Tables
3.1 Throughput of IPSec header processing 19
3.2 The throughput of AES 20
3.3 The throughput of HMAC 21
3.4 The parameters of TSMC 0.13 um process standard cell 22
3.5 The calculation result of bus gate delay for different Width and Kslave (ns) 23
3.6 The synthesis result of bus gate delay for different Width and Kslave (ns) 24
3.7 The synthesis result of max frequency for different Width and Kslave (MHz) 25
3.8 The synthesis result of throughput in single-layer bus for different Width and Kslave (Gbps) 25
3.9 The synthesis result of throughput in two-layer bus for different Width and Kslave (Gbps) 25
4.1 IO signals of SAD and SPD module 46
4.2 Signals of flow table 51
4.3 Relations between AHB master interface and packet flow 53
4.4 Address map of CE 55
4.5 Address map of CE (continued) 56
4.6 AES Control Register 57
4.7 HMAC Control Register 58
4.8 IO signals of external block controller 60
5.1 Throughput (Gbps) of simulation results between different MPBs and packet types 67
5.2 Area reduction and throughput reduction in different memory architectures 72
5.3 Comparison of throughput (Mbps) with BCM5841 for different packet sizes 74
5.4 Comparison of throughput (Mbps) with BCM5841 for different packet sizes (HMAC double version) 75

List of Figures
2.1 ESP packet format 10
2.2 IP packets protected by ESP in transport mode and tunnel mode 11
2.3 Outbound packet processing flow chart 13
2.4 Inbound packet processing flow chart 14
3.1 Proposed architecture for IPSec 16
3.2 Cycles of outbound and inbound processing 18
3.3 The overall CE throughput in best case 22
3.4 The overall CE throughput in worst case 22
3.5 Single-layer AHB interconnection method in proposed architecture 23
3.6 Two-layer AHB interconnection method in proposed architecture 24
3.7 Crypto-DMA interconnection method in proposed architecture 26
3.8 AHB data transfer throughput for different percentages of various packet types 27
3.9 Multi-IPSec processing block architecture 28
3.10 Overall architecture in multi-clock domain 29
4.1 Overall architecture 33
4.2 Outbound processing flow of Pre CE processing 34
4.3 Outbound processing flow of CE(AES) processing 34
4.4 Outbound processing flow of CE(HMAC) processing 35
4.5 Outbound processing flow of Post CE processing 35
4.6 Inbound processing flow of Pre CE 1 processing 37
4.7 Inbound processing flow of Pre CE 2 processing 37
4.8 Inbound processing flow of CE(HMAC) processing 38
4.9 Inbound processing flow of CE(AES) processing 38
4.10 Inbound processing flow of Post CE 1 processing 39
4.11 Inbound processing flow of Post CE 2 processing 39
4.12 Data structure of s packet (stored packet) module 41
4.13 Block diagram of input buffer module 41
4.14 Flow chart of packet selection method 42
4.15 Data structure of output buffer 43
4.16 Block diagram of output buffer module 44
4.17 Block diagram of SAD and SPD module 45
4.18 Block diagram of Checksum module 47
4.19 Block diagram of Anti-Replay module 48
4.20 Block diagram of Main Controller module 48
4.21 Finite State Machine (part 1) of Main Controller module 49
4.22 Finite State Machine (part 2) of Main Controller module 50
4.23 Finite state machine of AHB Master interface 52
4.24 Block diagram of AHB Master interface 52
4.25 Multi-layer AHB-Lite bus interface 53
4.26 External block controller 59
4.27 Round-Robin method graph 60
5.1 Simulation flow 62
5.2 Packet input format 63
5.3 Waveform when the number of MPBs is 1 64
5.4 Waveform when the number of MPBs is 8 64
5.5 Console screen of execution results 65
5.6 Console screen of execution results 65
5.7 Multi-clock domain in overall architecture 66
5.8 Simulation results between different numbers of MPBs and packet types 68
5.9 Performance of evaluation model for different packet types 68
5.10 Performance of simulation results for different packet types 69
5.11 Percentage of CE block status 70
5.12 Graph of percentage of CE block status 70
5.13 Original memory architecture 71
5.14 SA sharing memory architecture 72
5.15 Comparison with BCM5841 for different packet sizes (HMAC double version) 75
5.16 SafeXcel-1842 Architecture Overview 76


Full-text availability: not authorized for public access (on-campus or off-campus network).
