Efficient asymmetric IPsec for secure iSCSI

In this paper we propose a new asymmetric IPsec scheme to enhance the security of data at the remote end, while simultaneously improving the overall performance. The idea is to apply IPsec encryption/decryption in a segmented manner on the iSCSI traffic, such that the user data remains encrypted after leaving the sender, and is decrypted only when it is retrieved by the sender. A dual key cryptographic scheme is proposed where the private key is used to encrypt the iSCSI payload at the sender and traditional IPsec is modified to encrypt/decrypt only on the TCP/iSCSI headers. A development test bed was built using UserMode-Linux virtual machines for developing and debugging the asymmetric IPsec software and running as the sender and receiver to verify the functionality and security features of the proposed design. A benchmark test bed was built with two real PCs where the asymmetric IPsec modules can be dynamically loaded. The performance results show that the existing implementation of the proposed asymmetric IPsec scheme reduces the IPsec processing time by about 25%.