Hardware-and-software-based security architecture for broadband router (short paper)

Our main focus is implementing IP security in a broadband router without sacrificing performance. To protect wire-speed forwarding data passing through the router's fast path, a security module implemented with an encryption chip was adopted; to protect non-real-time data passing through the router's slow path, a scheme that implements IP security in software inside the kernel of the master control module was introduced. The security architecture and several testing architectures were carefully designed and are described in the paper. The security architecture was tested on the SR1880s router, which was developed by the National Digital Switching System Engineering & Technological R&D Center of China (NDSC). Test results show that the two schemes work well together.
