Research and Implementation of IPSec VPN Acceleration Technology
Topic: IPSec. Focus: asynchronous encryption. Source: Xidian University, master's thesis, 2014
[Abstract]: With the rapid development of network technology, network transmission speeds keep rising, and so do the demands on the processing speed of key network devices. As the security platform for data forwarding, an IPSec VPN can easily become the bottleneck of a network system. Traditional IPSec VPNs suffer from low-performance encryption and decryption modules and do not take full advantage of multi-core systems. This thesis studies IPSec VPN acceleration techniques in depth. To address the low performance of the widely deployed IPSec VPN technology, it analyzes the IPSec VPN encryption and decryption module and the parallelization of network protocols on multi-core systems, and proposes two IPSec VPN acceleration techniques: asynchronous parallel encryption across multiple encryption cards, and IPSec protocol parallelism on multi-core systems. Based on the first technique, the thesis implements a multi-card asynchronous parallel encryption model for IPSec VPN systems. The model uses encryption cards instead of the CPU for the computationally intensive encryption and decryption operations, freeing the CPU and thereby improving the encryption and decryption performance of the IPSec VPN system. In the implemented model, the work queue mechanism provided by Linux is used to improve on the synchronous encryption of traditional IPSec VPN systems, so that the encryption cards work in parallel and asynchronously. The model also includes a minimum waiting time algorithm, designed and implemented for scheduling encryption tasks across the cards, which minimizes the time packets wait for encryption and decryption processing. By improving the encryption and decryption module, the multi-card asynchronous parallel encryption technique raises the overall performance of the IPSec VPN system. Based on the second technique, the thesis designs and implements a parallel model of the IPSec protocol on multi-core systems. The model uses multi-queue network cards, CPU affinity and the Linux softirq mechanism to build an IPSec VPN system that processes packets in parallel across cores. Because the Linux kernel allocates and frees an sk_buffer structure for every packet, the memory management module is inefficient; to address this, a packet queue reuse algorithm is designed and implemented within the parallel model, and its implementation in a multi-core processor environment is described in detail. Both acceleration techniques were implemented and tested. The test results show that both significantly accelerate the IPSec VPN system. Finally, the two techniques are analyzed in depth on the basis of the experimental results.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 1730675
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1730675.html