A solution for managing secure connections for IPSec on FPGA
DOI: https://doi.org/10.54654/isj.v1i13.142
Keywords: IPSec, IKE, FPGA, ESP, Encapsulating Security Payload
Abstract
IPSec (Internet Protocol Security) is a protocol suite for protecting data traffic across the Internet. In an IPSec deployment each secure connection has its own set of algorithms and security parameters. To keep those connections operating stably on high-bandwidth links, an IPSec device must manage many secure connections at the same time. Because this management is complex, it is normally done in software on the operating system; that approach is limited by the data exchange between the Field Programmable Gate Array (FPGA) and the microprocessor. In this article the authors propose a scheme for organizing and managing secure connections after the Internet Key Exchange (IKE) protocol has exchanged the keys, implemented for IPSec directly on the FPGA in a hardware description language, in order to meet high-speed requirements with many connections.
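To make the management problem described in the abstract concrete, the following is an added software reference model; it is not code from the paper, whose design is written in a hardware description language. It models the table an ESP datapath consults: one entry per secure connection, selected by the SPI carried in each inbound ESP packet (together with the destination address, as RFC 4303 allows), each entry carrying its own algorithm identifiers, keys and anti-replay window, with an `install`/`remove` interface standing in for the step where parameters negotiated by IKE are loaded into hardware. The names `SecurityAssociation`, `SADatabase`, `process_inbound` and all packet, key and SPI values are assumptions made for this example; the ICV is a truncated HMAC-SHA256 over the constructed packet, and the cipher is recorded as a per-connection parameter only, not applied.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Added reference model of IPsec SA management; not the paper's code.
# Class and function names are assumptions made for this example.


@dataclass
class SecurityAssociation:
    """Per-connection parameters that IKE would install after key exchange."""
    spi: int
    cipher: str          # e.g. "AES-CBC-128"; recorded only, this model does not encrypt
    integ: str           # e.g. "HMAC-SHA256-128"
    enc_key: bytes
    auth_key: bytes
    icv_len: int = 16    # ICV bytes kept from the HMAC output
    # RFC 4303 anti-replay state: highest sequence number seen plus a bitmap
    replay_top: int = 0
    replay_bitmap: int = 0
    window: int = 64


class SADatabase:
    """Inbound SA table; an entry is selected by (destination address, SPI)."""

    def __init__(self):
        self._inbound = {}

    def install(self, dst, sa):
        self._inbound[(dst, sa.spi)] = sa

    def remove(self, dst, spi):
        self._inbound.pop((dst, spi), None)

    def lookup(self, dst, spi):
        return self._inbound.get((dst, spi))


def replay_check(sa, seq):
    """True if seq is acceptable under the window; does not change state."""
    if seq == 0:
        return False                      # sequence 0 is never sent without ESN
    if seq > sa.replay_top:
        return True                       # ahead of the window: new packet
    diff = sa.replay_top - seq
    if diff >= sa.window:
        return False                      # older than the window
    return not (sa.replay_bitmap >> diff) & 1   # already-seen bit set means replay


def replay_update(sa, seq):
    """Advance the window; called only after the ICV verified (RFC 4303 3.4.3)."""
    mask = (1 << sa.window) - 1
    if seq > sa.replay_top:
        shift = seq - sa.replay_top
        sa.replay_bitmap = ((sa.replay_bitmap << shift) | 1) & mask if shift < sa.window else 1
        sa.replay_top = seq
    else:
        sa.replay_bitmap |= 1 << (sa.replay_top - seq)


def build_esp(sa, seq, payload):
    """Constructed ESP packet: SPI | Seq | payload | ICV (truncated HMAC-SHA256)."""
    hdr = struct.pack("!II", sa.spi, seq)
    icv = hmac.new(sa.auth_key, hdr + payload, hashlib.sha256).digest()[: sa.icv_len]
    return hdr + payload + icv


def process_inbound(sad, dst, packet):
    """Datapath steps for one inbound packet: lookup, replay check, ICV, window update."""
    if len(packet) < 8:
        return ("drop", "short")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.lookup(dst, spi)
    if sa is None:
        return ("drop", "no-sa")
    if not replay_check(sa, seq):
        return ("drop", "replay")
    body, icv = packet[: -sa.icv_len], packet[-sa.icv_len:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[: sa.icv_len]
    if not hmac.compare_digest(icv, expected):
        return ("drop", "bad-icv")        # wrong key for this SPI, or tampered packet
    replay_update(sa, seq)
    return ("accept", sa.cipher)


def demo():
    """Two SAs with different parameters: per-SPI selection, replay and key isolation."""
    sad = SADatabase()
    dst = "10.0.0.1"                      # constructed addresses and keys
    sa1 = SecurityAssociation(0x1001, "AES-CBC-128", "HMAC-SHA256-128", b"k" * 16, b"a" * 32)
    sa2 = SecurityAssociation(0x1002, "AES-GCM-256", "HMAC-SHA256-128", b"K" * 32, b"b" * 32)
    sad.install(dst, sa1)
    sad.install(dst, sa2)
    results = []
    p = build_esp(sa1, 1, b"payload-1")
    results.append(process_inbound(sad, dst, p))                        # accept on SA 0x1001
    results.append(process_inbound(sad, dst, p))                        # same seq again: replay
    results.append(process_inbound(sad, dst, build_esp(sa2, 5, b"x")))  # accept on SA 0x1002
    results.append(process_inbound(sad, dst, build_esp(sa1, 3, b"y")))  # ahead of window
    results.append(process_inbound(sad, dst, build_esp(sa1, 2, b"z")))  # inside window, unseen
    forged = struct.pack("!II", sa2.spi, 7) + p[8:]                      # SA1's ICV under SPI 0x1002
    results.append(process_inbound(sad, dst, forged))                   # bad-icv: keys differ per SA
    sad.remove(dst, sa2.spi)                                            # e.g. after an IKE delete
    results.append(process_inbound(sad, dst, build_esp(sa2, 6, b"w")))  # no-sa
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The split between `replay_check` and `replay_update` mirrors the order a hardware pipeline must keep: the window is only advanced once the ICV has verified, otherwise an attacker could push the window forward with forged sequence numbers and cause legitimate packets to be dropped.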
License
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).