IPSec: Performance Analysis and Enhancements

Internet protocol security (IPSec) is a widely deployed mechanism for implementing Virtual Private Networks (VPNs). In previous work, we examined the overheads incurred by an IPSec server in a single-client setting. In this paper, we extend that work by examining the scaling of a VPN server in a multiple-client environment and by evaluating the effectiveness of connection credential caching. Motivated by the potential benefits of caching, we also propose a cryptographically secure cache resumption protocol for IPSec connections to reduce the connection establishment overheads.
