The hottest implementation technology of IPSec pro

2022-07-24

IPSec Protocol Implementation Technology Based on SOC

Introduction

IPSec[1], as a security protocol suite for realizing VPNs, has been widely used in VPN devices. However, with the development of gigabit high-speed network technology, higher requirements are placed on the timeliness of VPN equipment. It is therefore necessary to study new technical methods for implementing IPSec, starting from the architecture. Among IPSec security devices, SoC technology is the better choice. A SoC integrates the CPU, I/O interfaces, memory, algorithm, protocol processing and other modules of the system into a single semiconductor chip that realizes all the functions of the IPSec protocol. It has become the core component of IPSec security equipment, greatly improving the security, reliability, timeliness and price/performance ratio of high-speed VPN networks.

1 IPSec protocol

The IPSec protocol is an IP security standard formulated by the Internet Engineering Task Force (IETF) to address the serious defect that the TCP/IP protocol has no security mechanism. It is used to realize access control, connectionless integrity, data origin authentication, anti-replay, data encryption, limited traffic-flow confidentiality and other security services at the IP layer. The standard consists of a series of protocols; the relationship between them is shown in Figure 1.

The relevant protocols are explained as follows:

① AH[2] (Authentication Header) is a security protocol header that provides data integrity, data origin authentication, and optional, limited anti-replay services for IP-layer data streams in transport mode.

② ESP[3] (Encapsulating Security Payload) is a protocol header inserted into the IP datagram. It provides confidentiality, data origin authentication, anti-replay, data integrity and other security services for IP-layer traffic.

③ The authentication and encryption algorithms are the core of IPSec's secure data transmission. Encryption algorithms are used by ESP, and algorithms such as DES and IDEA can be used; authentication algorithms are used by AH, and 3DES, RC5 and other algorithms can be used.

④ IKE[4] (Internet Key Exchange) is a key exchange protocol used to establish shared security parameters and authenticated keys between IPSec communicating parties, thereby establishing a security association.

⑤ DOI (Domain of Interpretation) is a separate document used to store IKE negotiation parameters.

⑥ SA (Security Association) is a one-way logical connection between two IPSec entities, such as a host and a router. Associated with SAs are a Security Policy Database (SPDB) and a Security Association Database (SADB), which store the specific details of the security policy, including what is protected, how it is protected, the communicating parties, and other policies.

2 SoC technology

At present, SoC platforms are mainly used for the development of CSOC, SOPC, EPGA and other chips. Among them, CSOC is the configurable system-on-chip, which generally includes a processor core, a programmable logic array and other general components; SOPC is a programmable single-chip system, of which, for example, Altera's NIOS core module is the most important part; EPGA is an FPGA-based SoC chip. Using these SoC development platforms, we can make full use of the high integration and superior performance of system-level chips and flexibly design and develop various special-purpose SoC chips.

(1) Selection of development platform

A SoC platform development kit includes various tools and resource software, a reconfigurable hardware circuit verification platform, operation manuals, etc. The available software resources include a variety of embedded processor cores to choose from; hardware module design languages and their compilers; and simulation, synthesis, layout and routing tools. Design languages include HDL, C/C++ and so on. The choice of development platform depends on the source of the devices: when selecting commercial devices, Altera's SOPC development environment Quartus II can be chosen; when selecting a self-developed SoC, the relevant dedicated development platform shall be used.

(2) Selection of IP library

The selection of the IP library shall be based on the device type, and general-purpose IP cores shall be selected. For algorithm modules with high security requirements, technical measures such as access control and resistance to physical dissection and analysis should be taken; for variable logic modules, FPGA shall be used to ensure programmability.

(3) Selection of chip structure

The main part of a SoC consists of the CPU and ASIC. In the design process, the chip structure should be selected considering the system application plan, protocol processing speed requirements, ease of implementation, the Verilog HDL programming structure, and the actual structure of the logic modules used.

The composition of Altera's SoC chip [5] is shown in Figure 2.

(4) Software and hardware system design

The basic structure of a SoC is one or more microprocessors plus programmable hardware logic. Therefore, software and hardware must be co-designed in SoC design. Software/hardware co-design is highly technical: it has the flexibility of SoC design, but also a complexity that is difficult to grasp and full of variables. It involves the planning of all the hardware resources and the realization of the performance of the whole system.

(5) System integration design

The key technologies of system integration design are mainly the seamless interconnection of IP cores and the related design-for-test technologies, including tight coupling, transmission characteristics, clock synthesis and test interfaces.

(6) Low-power management design

Low-power design is a design technology for devices with such requirements; it is mainly realized through system power states, bridge control, etc.

3 IPSec implementation technology based on SOC

3.1 Basic structure

The multi-protocol module that implements IPSec on the SoC includes: ① the IPSec protocol input and output engine, which determines how a data flow is processed through protocol analysis; ② the security association, key exchange and cryptographic algorithm modules, where the security association module directly provides the required parameters, the key exchange module serves the SAD automatically managed by IKE, and the algorithm module is the basic module that realizes IP data encryption, decryption and authentication; ③ the interface module, which is the interface between IPSec and the IPv4/IPv6 protocols. The CPU core in the SoC implements system management, policy management, key management and other functions.

The IPSec protocol structure based on the SoC is shown in Figure 3.

The main part of IPSec is the hardware module for multi-protocol processing. During SoC design, the functional and performance requirements of IPSec shall be met through optimized design; an on-chip operating system is adopted to give the design the IP characteristics of flexibility, inheritance and reusability; and, combined with the structure, performance and instruction set of the CPU, the software and hardware systems are designed together to achieve an integrated design of communication, transmission and control among the modules.

The IPSec chip structure based on the SoC is shown in Figure 4.

In Figure 4, IKE key exchange, policy management and manual SAD injection for the IPSec protocol are handled by the real-time operating system, while protocol analysis, the security policy databases (SAD, SPD), fast key lookup (CAM), the encryption and decryption algorithms, the GMAC communication interface, etc. of the IPSec I/O engine are built as hardware modules. The communication interface realizes the receiving, sending and verification of Ethernet link frames. A watchdog shall also be designed into the chip to prevent the system from hanging; in addition, a tracing module should be designed for system hardware and software debugging.

In summary, in a SoC chip implementing the IPSec protocol, the main protocol stack processing is implemented by hardware modules, and the CPU is responsible for management, scheduling and key configuration.

3.2 Function implementation

(1) IPSec protocol output and input engine processing

For output packets, the IPSec protocol output engine first calls the policy management module, which queries the SPD and determines the security policy the packet should use. According to the instructions of the policy management module, the protocol engine processes the packet in one of the following three ways:

① If a valid SA exists, its parameters are taken out, the packet is encapsulated (including encryption, authentication, and adding the IPSec header and IP header), and then sent.

② If no SA has been established, the policy management module starts or triggers IKE negotiation. After successful negotiation, the steps in ① are followed; if unsuccessful, the packet is discarded and an error message is recorded.

③ If an SA exists but is invalid, the policy management module notifies IKE and requests negotiation of a new SA. After successful negotiation, the steps in ① are followed; if unsuccessful, the packet is discarded.

For input packets, the IPSec protocol engine first calls the policy management module to query the SAD. If a valid SA is obtained, the packet is decapsulated (restored), and the SPD is then queried to verify that the security protection applied to the packet is consistent with the policy configuration. If it is consistent, the restored packet is delivered to the TCP layer or forwarded. If it does not match, or if IPSec is required but no SA has been established, or the SA is invalid, the packet is discarded and an error message is recorded.

(2) SPDB and SADB implementation technology

The IPSec protocol needs to query the SADB and SPDB constantly to verify the legitimacy of data and to take out the keys used to encrypt and decrypt datagrams. Therefore, for IPSec processing performance, the choice of data structure for storing the SADB and SPDB is very important. In addition, since the number of SAs and SPs changes dynamically, an appropriate storage structure must be selected. If a reasonable data structure is designed in software, the query speed for SAs and SPs is acceptable while the SADB and SPDB are relatively small. However, as the SADB and SPDB grow, the query capability of the system inevitably declines: the best case for a query is a hit, but in most cases there is no hit, so query efficiency falls and IPSec protocol processing suffers. To fundamentally solve the problem of query efficiency, the design requirements of the SADB and SPDB must be analyzed to find a solution.

The SPDB and SADB are designed on the basis of one SP entry for each SA: the SA and the SP have the same address in their respective databases. Through mutual pointers, as soon as a matching field is found in one database, the address pointers of both databases are obtained at the same time. Therefore, the design of the SPDB and SADB should meet the following requirements:

① The data structure can be queried efficiently to obtain exact or selector-based matching results, including source address, destination address, protocol and SPI.

② It can store a wildcard, a range or an exact value for each selector.

③ The pointers between the SADB and SPDB are hidden to ensure that the two structures stay synchronized.

④ SA/SP entries are sorted and stored so that a matching search can always be completed quickly.

Adopting hardware design technology is usually a good way to improve protocol processing speed. CAM (content-addressable memory) is a memory addressed by its content, consisting of two parts: control and matching. Through the control part, the data to be written into the CAM is written by the SPDB and SADB management modules for use in searching. Data is input at the matching port, and the address of the matching data is found and returned. In the actual design, the SADB or SPDB contents are stored contiguously in RAM space. What needs to be written into the CAM
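As an added illustration (this is not code from the article), the following software model ties together the output/input engine decisions of 3.2(1) and the SPDB/SADB organization of 3.2(2): SP and SA entries share one index so either lookup yields both, each selector field holds an exact address, a range or a wildcard, the SPD is scanned in priority order, and the engine returns the three outbound outcomes ①–③ plus the inbound policy check. The class and method names (Selector, SaEntry, IpsecEngine) are assumed; in the chip design the linear scan in lookup_spd is what the CAM replaces.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = None  # wildcard value for a selector field

@dataclass
class Selector:   # addresses are exact ("10.0.1.7/32"), a range ("10.0.0.0/24") or ANY
    src: object
    dst: object
    proto: object  # IP protocol number or ANY
    def matches(self, src, dst, proto):
        return ((self.src is ANY or ip_address(src) in ip_network(self.src)) and
                (self.dst is ANY or ip_address(dst) in ip_network(self.dst)) and
                (self.proto is ANY or self.proto == proto))

@dataclass
class SaEntry:
    spi: int
    expires: float  # lifetime end; the SA counts as "invalid" (case ③) after it
    def valid(self, now): return now < self.expires

class IpsecEngine:
    def __init__(self):
        self.spd, self.sad = [], []  # entry i of the SPD pairs with entry i of the SAD
        self.ike_requests = []       # SPD indices handed to IKE for negotiation
    def add_policy(self, sel, action, sa=None):  # action: "protect"/"bypass"/"discard"
        self.spd.append((sel, action)); self.sad.append(sa)
    def lookup_spd(self, src, dst, proto):
        for i, (sel, action) in enumerate(self.spd):  # ordered: first match wins
            if sel.matches(src, dst, proto): return i, action
        return None, "discard"
    def outbound(self, src, dst, proto, now):
        i, action = self.lookup_spd(src, dst, proto)
        if action != "protect": return action         # bypass or discard
        sa = self.sad[i]
        if sa is None:                                # ②: no SA yet, start IKE
            self.ike_requests.append(i); return "ike-negotiate"
        if not sa.valid(now):                         # ③: SA invalid, renegotiate
            self.ike_requests.append(i); return "ike-renegotiate"
        return "protect spi=%#x" % sa.spi             # ①: encapsulate and send
    def inbound(self, spi, src, dst, proto, now):     # IPSec-protected packet arrives
        for i, sa in enumerate(self.sad):             # SAD lookup by SPI
            if sa is None or sa.spi != spi: continue
            if not sa.valid(now): return "discard: invalid SA"
            sel, action = self.spd[i]                 # linked SP at the same index
            ok = action == "protect" and sel.matches(src, dst, proto)
            return "deliver" if ok else "discard: policy mismatch"
        return "discard: unknown SPI"
    def inbound_plain(self, src, dst, proto):         # unprotected packet arrives
        _, action = self.lookup_spd(src, dst, proto)
        return action if action != "protect" else "discard: IPSec required"
```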

Copyright © 2011 JIN SHI