Feasibility of FPGA accelerated IPsec on cloud

Abstract: Hardware acceleration for the famous VPN solution, IPsec, has already been widely researched. Still, it is not fully covered, and the increasing latency, throughput, and feature requirements need further evaluation. We propose an IPsec accelerator architecture in an FPGA and explain the details that need to be considered for a production-ready design. This research considers offloading IPsec packet processing, without IKE, to an FPGA in an SDN network. In related work, throughput at 64-byte packet size is 1–2 Gbps with 0.2 ms latency in software, and 1–4 Gbps with unknown latencies for hardware solutions. Our proposed architecture is capable of hosting 1000 concurrent tunnels and has 10 Gbps throughput with only 10 µs latency in our test network. Therefore, the proposed design is efficient even with voice or video encryption. The architecture is especially designed for data centers and locations with a vast number of concurrent IPsec tunnels. The research confirms that FPGA-based hardware acceleration increases performance and is feasible to integrate with the other server infrastructure.

[19]  Timo Hämäläinen,et al.  Feasibility of FPGA Accelerated IPsec on Cloud , 2018, 2018 21st Euromicro Conference on Digital System Design (DSD).
