Parallelizing IPsec: switching SMP to On is not even half the way
1 Parallelizing IPsec: switching SMP to On is not even half the way
Steffen Klassert, secunet Security Networks AG, Dresden, June
2 Table of contents
- Some basics about IPsec
- About the IPsec performance issues
- Parallelizing IPsec
- Some IPsec throughput benchmarks
5 Some basics about IPsec: The IPsec protocols
Every IPsec implementation must support two protocols.
- IP Authentication Header (AH): AH builds a cryptographic checksum over the payload and parts of the header of a network packet. This checksum is appended to the network packet and is used to ensure the authenticity of this network packet.
- IP Encapsulating Security Payload (ESP): ESP is primarily used to encrypt the payload of network packets. A cryptographic checksum can be used to ensure the authenticity of the payload, similar to AH.
7 Some basics about IPsec: ESP modes
The ESP protocol can be used in several modes.
- Transport mode: pure layer 4 payload encryption.
- Tunnel mode: encryption of the whole IP packet (payload + IP header).
ESP in IPv4 packet (transport mode): IPv4 | ESP | TCP | Payload Data | ESP Trailer | ESP Auth.
ESP in IPv4 packet (tunnel mode): IPv4 | ESP | orig. IPv4 | TCP | Payload Data | ESP Trailer | ESP Auth.
[Figure: both packet layouts are marked with their Authenticated and Encrypted ranges.]
8 Some basics about IPsec: The hardware setup and IPsec scenario
The hardware setup is the simplest possible IPsec VPN scenario, consisting of two IPsec gateways and two clients.
Client 1 -- plain IP -- IPsec Gateway 1 -- IPsec (ESP tunnel mode) -- IPsec Gateway 2 -- plain IP -- Client 2
Packet forwarding from client 1 to client 2, unidirectional traffic, one packet flow.
9 About the IPsec performance issues Plain packet forwarding vs. tunnel mode ESP with cbc-aes192 / hmac-sha1 on a Gbit network.
10 About the IPsec performance issues IPsec throughput: scaling with the number of cpus 494 byte packets (L3) cbc-aes-192 / hmac-sha1
14 About the IPsec performance issues: IPsec throughput: scaling with the number of cpus
The forward packet path is strictly serialized, i.e. the cpu that handles the interrupt of the receiving NIC does all the work!
Why?
- The upper layer (L4) protocols rely on a certain packet order. The packets must be received in the same order they were sent.
- IPsec adds a sequence number to each packet to detect packet replay attacks.
Distributing the received network packets to multiple cpus leads to packet reordering!
15 Parallelizing IPsec: Network parallelization approaches
Due to packet reordering problems, parallelizing the network stack is a highly nontrivial task. Several software-based and hardware-based approaches have emerged in recent years:
- Multiqueue network devices.
- Receive packet steering.
These techniques do flow based parallelization, i.e. they distribute packet flows across the cpus. There is no parallelization within a flow, in order to preserve the packet order!
17 Parallelizing IPsec: Flow based parallelization on IPsec
Flow based parallelization is of only limited use for tunnel mode ESP.
18 Parallelizing IPsec: Flow based parallelization on IPsec (tunnel mode ESP)
[Figure: Clients 1 and 2 behind IPsec Gateway A, Clients 3 and 4 behind IPsec Gateway B. The client flows 1 > 4 and 2 > 3 both appear as the single flow A > B between the gateways.]
ESP in IPv4 packet (tunnel mode): IPv4 | ESP | orig. IPv4 | TCP | Payload Data | ESP Trailer | ESP Auth. (with Authenticated and Encrypted ranges marked)
19 Parallelizing IPsec: Requirements of an IPsec parallelization
- R1: It should be possible to distribute cpu intensive codepaths to a given set of cpus.
- R2: It should be possible to parallelize even within a flow.
- R3: The parallelization framework must preserve the order of the parallelized network packets, i.e. the packets must leave the parallel codepath in the same order as they entered.
20 Parallelizing IPsec: A parallel crypto layer
Advantages of a parallel crypto layer:
- The crypto operations are by far the most cpu intensive codepath (R1).
- The crypto layer does not know about the crypto user (ESP), so there is no need to care about the order of the requests within the crypto layer (R2).
- We just have to ensure that the crypto requests leave the crypto layer in the same order as they entered (R3).
21 Parallelizing IPsec: The gain of a crypto layer parallelization
[Figure: timing diagram comparing serial and parallel processing of four crypto requests; labels T_crypt, T_sum, T_par, T_ser.]
22 Parallelizing IPsec: The gain of a crypto layer parallelization
- Large crypto requests (e.g. big network packets) benefit well.
- Very cpu intensive crypto algorithms benefit well.
25 Parallelizing IPsec: The padata/pcrypt framework
[Figure: padata/pcrypt data flow over CPU0 to CPU3. Stages: parallelization function (round robin, adds a sequence number), crypto operations, serialization function. Queues: parallelization queue, reorder queue, serialization queue.]
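The effect of requirement R3 on the replay check, as an added example that is not code from the talk or from the kernel's padata/pcrypt: a constructed single flow is encrypted round robin on several cpus, and the receiver's anti-replay window (in the style of RFC 4303) is fed once in crypto completion order and once through a reorder queue. Assumptions: the packet's position in the flow stands in for both the ESP sequence number and the framework's own sequence number, and the names, costs and window size are hypothetical.

```c
/* Added example: constructed user-space simulation, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NPKT   200  /* packets in the single flow (constructed) */
#define NCPU   4    /* cpus doing crypto in parallel */
#define WINDOW 32   /* receiver anti-replay window, at most 64 here */
#define SLOW   40   /* crypto cost of packet 1; every other packet costs 1 */

struct pkt { uint32_t seq; uint32_t finish; };
struct replay { uint32_t top; uint64_t bitmap; };

static uint32_t wire[NPKT];  /* order in which packets leave the gateway */

/* Sliding-window anti-replay check. Bit i of bitmap records that
 * sequence number (top - i) has already been accepted. */
static int replay_accept(struct replay *r, uint32_t seq)
{
    if (seq == 0)
        return 0;
    if (seq > r->top) {                     /* moves the window forward */
        uint32_t shift = seq - r->top;
        r->bitmap = shift < 64 ? (r->bitmap << shift) | 1 : 1;
        r->top = seq;
        return 1;
    }
    uint32_t off = r->top - seq;
    if (off >= WINDOW)                      /* left of the window: too old */
        return 0;
    if (r->bitmap & (1ULL << off))          /* seen before: replay */
        return 0;
    r->bitmap |= 1ULL << off;
    return 1;
}

static int by_finish(const void *a, const void *b)
{
    const struct pkt *x = a, *y = b;
    if (x->finish != y->finish)
        return x->finish < y->finish ? -1 : 1;
    return x->seq < y->seq ? -1 : (x->seq > y->seq);
}

/* Round robin distribution; done[] ends up in crypto completion order. */
static void parallel_crypto(struct pkt *done)
{
    uint32_t busy[NCPU] = {0};
    for (uint32_t i = 0; i < NPKT; i++) {
        uint32_t cpu = i % NCPU;
        busy[cpu] += (i == 0) ? SLOW : 1;   /* one large request up front */
        done[i].seq = i + 1;
        done[i].finish = busy[cpu];
    }
    qsort(done, NPKT, sizeof(done[0]), by_finish);
}

/* Returns how many genuine packets the receiver rejects. With use_reorder
 * set, a finished packet is held until all earlier ones have left (R3). */
static unsigned run(int use_reorder)
{
    struct pkt done[NPKT];
    unsigned char ready[NPKT + 2] = {0};
    struct replay r = {0, 0};
    uint32_t next = 1, n = 0;
    unsigned dropped = 0;

    parallel_crypto(done);
    for (uint32_t i = 0; i < NPKT; i++) {
        if (!use_reorder) {
            wire[n++] = done[i].seq;
            continue;
        }
        ready[done[i].seq] = 1;
        while (next <= NPKT && ready[next])
            wire[n++] = next++;
    }
    for (uint32_t i = 0; i < n; i++)
        dropped += !replay_accept(&r, wire[i]);
    return dropped;
}

/* 1 if wire[] holds 1..NPKT in ascending order. */
static int wire_in_order(void)
{
    for (uint32_t i = 0; i < NPKT; i++)
        if (wire[i] != i + 1)
            return 0;
    return 1;
}

int main(void)
{
    printf("completion order:   %u of %d dropped\n", run(0), NPKT);
    printf("with reorder queue: %u of %d dropped\n", run(1), NPKT);
    return 0;
}
```

The cpu that received the one expensive request stays a fixed amount of time behind the others, so without the reorder queue its packets keep arriving to the left of the receiver's window and are rejected as if they were replays.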
26 Some IPsec throughput benchmarks: The software test setup
- Kernel: linux rc7 with two additional patches (padata/pcrypt) picked from the cryptodev-2.6 tree.
- IPsec: Tunnel mode ESP on IPv4.
- Encryption/Decryption: cbc-aes-192 (x86_64 optimized version of AES).
- Authentication: hmac-sha1 (generic C version).
27 Some IPsec throughput benchmarks: The hardware test setup
[Figure: EXFO FTB 400 Packetblazer -- plain IP -- IPsec Gateway 1 -- IPsec (ESP tunnel mode) -- IPsec Gateway 2 -- plain IP -- EXFO FTB 400 Packetblazer]
28 Some IPsec throughput benchmarks: The hardware test setup
IPsec gateway 1 (Apligo Nexom NSA7110):
- 2 x XEON DP E GHz (2 x quad-core)
- 2 x 1024 DDR3 ECC
- 8 x Intel Corporation 82575EB Gbit NIC
- Intel 5520 and ICH10R Chipset
IPsec gateway 2 (SIE XL-1.0):
- 2 x Intel Xeon X5550 2,66GHz (2 x quad-core)
- 4 x 1024 DDR3 ECC
- Intel 4Port Gbit NIC EXPI9404PTL
- Intel 5520 and ICH10R Chipset
Hyperthreading was enabled on both IPsec gateways in all tests, so we had 16 logical cores (8 on each socket) for parallel processing.
29 Some IPsec throughput benchmarks: RFC 2544 Benchmarking Methodology
- Test duration: 60 sec.
- Throughput test results: Maximal throughput rate without packet loss (60 sec.).
- Latency test results: Latency at maximal throughput rate without packet loss.
- Packet sizes RFC 2544 (Layer 2): 64, 128, 256, 512, 1024, 1280, 1518 byte.
- Used packet sizes (Layer 2): 64, 128, 256, 512, 1024, 1280, 1420 byte.
- Used packet sizes (Layer 3): 46, 110, 238, 494, 1006, 1262, 1402 byte.
33 Some IPsec throughput benchmarks: Maximum theoretical throughput on Layer 3
Client 1 -- plain IP -- IPsec Gateway 1 -- IPsec (ESP tunnel mode) -- IPsec Gateway 2 -- plain IP -- Client 2
Wire speed at layer 1: 1000 Mbit/s.
Plain packet: IPv4 | TCP | Payload Data
Packet on the wire between the gateways: L1 | L2 | IPv4 (Tunnel) | ESP | IPv4 | TCP | Payload Data | ESP Trailer | ESP Auth. | L2 Trailer | L1 Trailer
[Figure dimension labels: 58 byte, L3 packet size (S), 38 byte]
Maximum theoretical throughput on Layer 3:
MTT(S) = S / (S + 96) × 1000 Mbit/s
34 Some IPsec throughput benchmarks: Maximum theoretical throughput on Layer 3
MTT(46) = 324 Mbit/s (1)
MTT(110) = 534 Mbit/s (2)
MTT(238) = 712 Mbit/s (3)
MTT(494) = 837 Mbit/s (4)
MTT(1006) = 913 Mbit/s (5)
MTT(1262) = 929 Mbit/s (6)
MTT(1402) = 932 Mbit/s (7)
35 Some IPsec throughput benchmarks: Effective throughput on Layer 3
ET(S) = (Measured throughput for packet size S) / MTT(S), with 0 ≤ ET(S) ≤ 1
36 Some IPsec throughput benchmarks Unidirectional effective throughput benchmarks
37 Some IPsec throughput benchmarks Unidirectional throughput: plain, IPsec vanilla, IPsec pcrypt
38 Some IPsec throughput benchmarks Unidirectional effective throughput 494 Byte on Layer 3
39 Some IPsec throughput benchmarks Latency with linux rc7 vanilla and pcrypt 16 cores
40 Some IPsec throughput benchmarks Thanks to Apligo for providing me with test hardware!
41 Some IPsec throughput benchmarks Thanks for listening!
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationLighting the Blue Touchpaper for UK e-science - Closing Conference of ESLEA Project The George Hotel, Edinburgh, UK March, 2007
Working with 1 Gigabit Ethernet 1, The School of Physics and Astronomy, The University of Manchester, Manchester, M13 9PL UK E-mail: R.Hughes-Jones@manchester.ac.uk Stephen Kershaw The School of Physics
More informationHow to Configure an IPsec VPN to an AWS VPN Gateway with BGP
How to Configure an IPsec VPN to an AWS VPN Gateway with BGP If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks
More informationA ULE Security Approach for Satellite Networks on PLATINE Test Bed
A ULE Security Approach for Satellite Networks on PLATINE Test Bed L. Liang, L. Fan, H. Cruickshank, and Z. Sun Centre of Communication System Research, University of Surrey, Guildford, Surrey, UK C. Baudoin
More informationBCA III Network security and Cryptography Examination-2016 Model Paper 1
Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 1 M.M:50 The question paper contains 40 multiple choice questions with four choices and student will have to pick the correct
More informationOptimizing your virtual switch for VXLAN. Ron Fuller, VCP-NV, CCIE#5851 (R&S/Storage) Staff Systems Engineer NSBU
Optimizing your virtual switch for VXLAN Ron Fuller, VCP-NV, CCIE#5851 (R&S/Storage) Staff Systems Engineer NSBU fuller@vmware.com VXLAN Protocol Overview Ethernet in IP overlay network Entire L2 frame
More informationChapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS
Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2017 Cisco and/or its affiliates. All rights
More informationPerformance of Host Identity Protocol on Lightweight Hardware
Performance of Host Identity Protocol on Lightweight Hardware Andrey Khurri, Ekaterina Vorobyeva, Andrei Gurtov Helsinki Institute for Information Technology MobiArch'07 Kyoto,
More informationGPGPU introduction and network applications. PacketShaders, SSLShader
GPGPU introduction and network applications PacketShaders, SSLShader Agenda GPGPU Introduction Computer graphics background GPGPUs past, present and future PacketShader A GPU-Accelerated Software Router
More informationLecture 9: Network Level Security IPSec
Lecture 9: Network Level Security IPSec CS 336/536: Computer Network Security Fall 2015 Nitesh Saxena Adopted from previous lecture by Keith Ross, and Tony Barnard HW3 being graded Course Admin HW4 will
More informationVirtual Private Networks
EN-2000 Reference Manual Document 8 Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission security,
More informationChapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University
Chapter 6 IP Security Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University +91 9426669020 bhargavigoswami@gmail.com Topic List 1. IP Security Overview 2. IP Security Architecture 3.
More informationAbout FIPS, NGE, and AnyConnect
About FIPS, NGE, and AnyConnect, on page 1 Configure FIPS for the AnyConnect Core VPN Client, on page 4 Configure FIPS for the Network Access Manager, on page 5 About FIPS, NGE, and AnyConnect AnyConnect
More informationCloudBridge :31:07 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement
CloudBridge 1.1 2013-06-30 04:31:07 UTC 2013 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents CloudBridge 1.1... 3 CloudBridge... 4 About the CloudBridge...
More information