A High-Throughput Hardware Implementation of NAT Traversal For IPSEC VPN

Main Article Content

Tran Sy Nam
Hoang Van Thuc
Nguyen Van Long

Abstract

In this paper, we present a high-throughput FPGA implementation of IPSec core. The core supports both NAT and non-NAT mode and can be used in high speed security gateway devices. Although IPSec ESP is very computing intensive for its cryptography process, our implementation shows that it can achieve high throughput and low lantency. The system is realized on the Zynq XC7Z045 from Xilinx and was verified and tested in practice. Results show that the design can gives a peak throughput of 5.721 Gbps for the IPSec ESP tunnel mode in NAT mode and 7.753 Gbps in non-NAT mode using one single AES encrypt core. We also compare the performance of the core when running in other mode of encryption.

Article Details

How to Cite
Nam, T. S., Thuc, H. V., & Long, N. V. (2022). A High-Throughput Hardware Implementation of NAT Traversal For IPSEC VPN. International Journal of Communication Networks and Information Security (IJCNIS), 14(1). https://doi.org/10.17762/ijcnis.v14i1.5260 (Original work published April 12, 2022)
Section
Research Articles

References

A. Bhimani, “Securing the commercial Internet,” Communications of the ACM, vol. 39, June 1996.

S. Kent, and R. Atkinson, “Security architecture for the internet protocol”, IETF network working group, RFC2401, 1998.

S. Kent, and K. Seo, “Security architecture for the internet protocol”, IETF network working group, RFC4301, 2005.

Stephen Kent. IP Authentication Header. RFC 4302, 12 2005.

Stephen Kent. IP Encapsulating Security Payload (ESP). RFC 4303, 12 2005.

FREESWAN. [Online]: http://www.freeswan.org.

KAME. [Online]: http://www.kame.net.

OPENBSD. [Online]: http://www.openbsd.org

Mendez, Alejandro & Fernandez, Pedro & López, Rafael & Martinez Perez, Gregorio & Skarmeta, Antonio & Taniuchi, Kenichi. (2010). “OpenIKEv2: Design and implementation of an IKEv2 solution. IEICE Transactions on Information and Systems”. E91D. 10.1093/ietisy/e91-d.5.1319.

STRONGSWAN.[Online]:https://www.strongswan.org/

Rockhopper[Online]:http://rockhoppervpn.sourceforge.net/

Intel AES-NI. [Online] https://www.intel.de/content/

www/de/de/architecture-and-technology/advanced-encryption-standard-aes/data-protection-aes-general-technology.html.

Algotronix AES IP-Cores. [Online]. http://www.algotronix-store.com/AES_IP_Cores_s/20.htm.

Chang-Soo Ha, Jong Hyoung Lee, Duck Soo Leem, Myoung-Soo Park, and Byeong-Yoon Choi. “ASIC Design of IPsec Hardware Accelerator for Network Security”. In IEEE Asia-Pacific Conference on Advanced System Integrated Circuits (APASIC), pages 168–171, 2004.

W. Vander, K. Benkrid, “High-Performance Computing Using FPGAs”, Springer book, ISBN: 978-1-4614-1790-3.

François-Xavier Standaert, Gael Rouvroy, Jean-Jacques Quisquater, Jean-Didier Legat, "A Methodology to Implement Block Ciphers in Reconfigurable Hardware and its Application to Fast and Compact AES RIJNDAEL", 2003.

Disha Yadav, Arvind Rajawat, "Area and Throughput Analysis of Different AES Architectures for FPGA Implementations", 2016 IEEE International Symposium on Nanoelectronic and Information Systems.

K. Rahimunnisa1 , P. Karthigaikumar1 , Soumiya Rasheed, J. Jayakumar, S. SureshKumar, "FPGA implementation of AES algorithm for high throughput using folded parallel architecture", Wiley Online Library, 2012.

Soufiane Oukili, Seddik Bri, " High throughput FPGA Implementation of Advanced Encryption Standard Algorithm ", TELKOMNIKA, Vol.15, No.1, 2017, pp. 494~503.

C. Xiao-hui and D. Jian-zhi, "Design of SHA-1 Algorithm Based on FPGA," 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing, Wuhan, China, 2010, pp. 532-534, doi: 10.1109/NSWCTC.2010.131.

Michail, Harris & Athanasiou, George & Kelefouras, Vasilios & Theodoridis, George & Stouraitis, Thanos & Goutis, Costas. (2015). Area-Throughput Trade-Offs for SHA-1 and SHA-256 Hash Functions’ Pipelined Designs. Journal of Circuits, Systems and Computers. 25. 1650032. 10.1142/S0218126616500328.

H. Michail, G. Athanasiou, A. Kritikakou, C. Goutis, A. Gregoriades and V. Papadopoulou, "Ultra high speed SHA-256 hashing cryptographic module for IPSec hardware/software codesign" 2010 International Conference on Security and Cryptography (SECRYPT), Athens, Greece, 2010, pp. 1-5.

Jing Lu and John Lockwood. “IPSec Implementation on Xilinx Virtex-II Pro FPGA and Its Application”. In Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium – IPDPS’05, page 158.2. IEEE, 2005.

A. Salman, M. Rogawski, and J.-P. Kaps, “Efficient Hardware Accelerator for IPSec Based on Partial Reconfiguration on Xilinx FPGAs,” in Proceedings of the 2011 International Conference on Reconfigurable Computing and FPGAs, ser. RECONFIG ’11. Washington, DC, USA: IEEE Computer Society, 2011, pp. 242–248.

Wolkerstorfer, Johannes & Szekely, Alexander & Lorünser, Thomas. (2008). “IPsec Security Gateway for Gigabit Ethernet”. Conference: Austrochip 2008.

J. Brelet and L. Gopalakrishnan. Using Virtex-II Block RAM for High Performance Read/Write CAMs.

Zheng, Kai & Hu, Chengchen & Lu, Hongbin & Liu, Bin. (2006). A TCAM-based distributed parallel IP lookup scheme and performance analysis. Networking, IEEE/ACM Transactions on. 14. 863 - 875. 10.1109/TNET.2006.880171.

Prithwiraj Das, Ria Pathak, P. Augusta Sophy Beulet. Low Power Implementation Of Ternary Content Addressable Memory (TCAM), International Journal of Engineering and Advanced Technology (IJEAT) ISSN: 2249 – 8958, Volume-9 Issue-1S3, December 2019

L. H. Crockett, R. A. Elliot, M. A. Enderwitz and R. W. Stewart, The Zynq Book: “Embedded Processing with the ARM CortexA9 on the Xilinx Zynq-7000 All Programmable SoC”, First Edition, Strathclyde Academic Media, 2014.

Xilinx, “7 Series FPGAs Configurable Logic Block”, User Guide https://www.xilinx.com/support/documentation

/user_guides/ug474_7Series_CLB.pdf

Housley, R., "Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)", RFC 3686, January 2004.

Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, June 2005.

A. Huttunen, B. Swander, V. Volpe, L. DiBurro und M. Stenberg. UDP Encapsulation of IPsec ESP Packets. RFC 3948, 2005.

J. Rosenberg. A Bound End-to-End Tunnel (BEET) mode for ESP. RFC draft 09, 2008.

J. Rosenberg. A Protocol for Network Address Translator (NAT) Traversal forOffer/Answer Protocols. RFC 5245, 2010.

Niu, Y., Wu, L. and Zhang, X. (2013) ‘An IPSec accelerator design for a 10Gbps in-line security network processor’, Journal of Computers, Feb. 2013, Vol. 8, No. 2, pp.319–325.

Muzaffar Rao, Thomas Newe, Edin Omerdic, Gerard Dooly, Elfed Lewis, Daniel Toal. “An efficient implementation of FPGA based high speed IPSec (AH/ESP) core”. International Journal Of Internet Protocol Technology, Inderscience Enterprises, 2018.

H. Michail, G. Athanasiou, A. Kritikakou, C. Goutis, A. Gregoriades and V. Papadopoulou, "Ultra high speed SHA-256 hashing cryptographic module for IPSec hardware/software codesign" 2010 International Conference on Security and Cryptography (SECRYPT), 2010, pp. 1-5.