Research on Key Technologies of a Parallel Architecture for IPSec VPN
Abstract
With the development of network technology, network transmission speeds have increased substantially, placing higher demands on the performance, availability and scalability of the VPN devices that secure data in transit.
     To meet these demands, this thesis proposes a parallel architecture for a high-performance IPSec-based VPN system, called Parallel IPSec VPN (PVPN). PVPN uses a pipelined parallel processing algorithm to drive multiple encryption cards in parallel, and builds a multi-machine parallel system on a CompactPCI hardware platform, greatly improving IPSec VPN processing performance.
     The pipelined parallel processing algorithm divides the work between two functional units, the CPU and the encryption card, and overlaps their operation so that they run as a pipeline, giving parallelism in time. In addition, several encryption/decryption units are provided and work simultaneously, raising the batch processing rate for multiple packets and giving parallelism in space. The performance of the pipelined parallel processing algorithm is analysed with queueing theory; the algorithm is then simulated and performance tested, and the measured results are analysed against the theory.
     Load balancing is a key technology of cluster systems. Taking the working mechanism of IPSec VPN into account, a load balancing algorithm suited to the PVPN system is designed. It distributes the packets to be encrypted or decrypted evenly across the CPU processing boards, and sends all IPSec fragments belonging to the same packet to a single CPU processing board so that the packet can be reassembled and processed correctly. Experiments show that the PVPN load balancing algorithm meets its design goals.
     Because PVPN is a cluster system, the probability of a single-point failure is higher than for a traditional IPSec VPN. PVPN uses a cluster mutual-backup mode to guard against CPU processing board failures and a dual-machine hot standby mode to guard against switching board failures, thereby achieving high availability for the whole system.
     Finally, PVPN is simulated and performance tested, and the measured results demonstrate the feasibility and soundness of the system design.
The speed of data transmission on networks has increased greatly with the development of network technology. As equipment that ensures secure transmission on the network, a VPN must be high-performance, highly available and scalable.
     This thesis presents a high-performance parallel architecture for an IPSec-based VPN, called Parallel IPSec VPN (PVPN). PVPN adopts a pipelined parallel algorithm to process packets on multiple encryption cards in parallel, and greatly improves the capacity of the VPN equipment by building on a CompactPCI hardware platform.
     The pipelined parallel algorithm separates the CPU and the encryption card into two functional units. Overlapping and pipelining the two units achieves parallelism in time. At the same time, providing several encryption and decryption units raises the batch processing rate and achieves parallelism in space. The thesis analyses the performance of the pipelined parallel algorithm with queueing theory, then simulates the algorithm and tests and analyses its performance.
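The time and space parallelism described above can be made concrete with a small discrete-event model of the two stages. This is an added example, not the thesis's own simulator or code: the packet count, the stage costs (a CPU stage of 1 unit, a crypto stage of 3 units), the least-loaded card selection rule and the function names `simulate` and `steady_state_throughput` are all assumptions made here for illustration.

```python
"""Discrete-event model of the CPU / encryption-card pipeline (added example).

Not the thesis's simulator: stage times, packet count and the card selection
rule are assumptions. Times are in arbitrary units; the CPU stage stands for
per-packet kernel handling (header parsing, SA lookup) and the crypto stage
for an encryption card processing one packet.
"""
from typing import List


def simulate(n_packets: int, cpu_time: int, crypto_time: int,
             n_cards: int, pipelined: bool = True) -> int:
    """Return the time at which the last packet leaves the crypto stage.

    pipelined=True:  the CPU hands a packet to a card and immediately starts
                     the next one (overlap in time, as the thesis describes).
    pipelined=False: the CPU waits for the card to finish before taking the
                     next packet (no overlap; the baseline).
    """
    cpu_free = 0                           # time the single CPU is next available
    card_free: List[int] = [0] * n_cards   # per-card availability times
    last_done = 0
    for _ in range(n_packets):
        cpu_start = cpu_free if pipelined else max(cpu_free, last_done)
        cpu_done = cpu_start + cpu_time
        # Space parallelism: hand the packet to the card that frees up first.
        card = min(range(n_cards), key=lambda c: card_free[c])
        crypto_start = max(cpu_done, card_free[card])
        last_done = crypto_start + crypto_time
        card_free[card] = last_done
        cpu_free = cpu_done
    return last_done


def steady_state_throughput(cpu_time: int, crypto_time: int, n_cards: int) -> float:
    """Packets per time unit once the pipeline is full: the slower stage wins.

    The CPU delivers 1/cpu_time packets per unit; n_cards cards together
    deliver n_cards/crypto_time. Adding cards beyond crypto_time/cpu_time
    gives no further gain because the CPU becomes the bottleneck.
    """
    return min(1.0 / cpu_time, n_cards / crypto_time)


if __name__ == "__main__":
    N, CPU, CRYPTO = 100, 1, 3   # constructed: crypto costs 3x the CPU stage
    for cards, pipelined in [(1, False), (1, True), (3, True), (4, True)]:
        t = simulate(N, CPU, CRYPTO, cards, pipelined)
        print(f"cards={cards} pipelined={pipelined}: makespan={t}, "
              f"measured={N / t:.3f} pkt/unit, "
              f"steady-state bound={steady_state_throughput(CPU, CRYPTO, cards):.3f}")
```

With these constructed costs the non-overlapped baseline needs 400 units for 100 packets, overlapping the two stages with one card brings this to 301 (the card is now the bottleneck), and three cards bring it to 103; a fourth card changes nothing because the CPU stage has become the bottleneck, which is the point at which the thesis's space parallelism stops paying off.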
     Load balancing is the key technology of a cluster system. Based on the characteristics of the IPSec VPN mechanism, the thesis designs a load balancing scheme for PVPN. It distributes packets evenly and efficiently, and sends IPSec fragments belonging to the same packet to the same CPU processing board so that they can be reassembled successfully. Experiments verify the implementation. PVPN is a cluster system, and its probability of a single point of failure is higher than that of a traditional IPSec VPN, so the thesis also studies the high availability of PVPN in depth.
     PVPN uses a cluster mutual-backup mode to guard against failure of a CPU processing board, and a hot standby mode to guard against failure of the switching board. Together these measures safeguard the high availability of the whole system.
     At the end of the thesis, a large number of experiments simulate PVPN and test the performance of the system. The test results demonstrate the feasibility of the design.
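The two requirements stated above for the load balancer (even distribution across boards, and every fragment of one datagram on one board) can be shown with a small dispatcher model. This is an added example, not the thesis's algorithm or code: the dispatch key (source, destination, protocol and IPv4 Identification, the fields every fragment shares), the SHA-256 hash, the constructed ESP traffic and the function names are all assumptions made here. The round-robin dispatcher is included as the failure mode: it is perfectly even but scatters fragments, so the boards cannot reassemble them.

```python
"""Fragment-aware dispatch of IPSec packets to CPU processing boards (added example).

Not code from the thesis: the thesis states the two goals (even distribution,
all IP fragments of one datagram on one board); the dispatch key, the hash and
the sample traffic are assumptions.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # 50 = ESP
    ip_id: int            # IPv4 Identification field, shared by all fragments
    frag_offset: int      # in 8-byte units, as on the wire
    more_fragments: bool  # MF flag
    payload_len: int      # bytes carried by this fragment


def datagram_key(pkt: Packet) -> bytes:
    # These four fields are identical on every fragment of one datagram, so
    # hashing on them (and not on the ESP SPI/sequence number, which only the
    # first fragment carries) keeps the fragments together.
    return f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.ip_id}".encode()


def choose_board(pkt: Packet, n_boards: int) -> int:
    digest = hashlib.sha256(datagram_key(pkt)).digest()
    return int.from_bytes(digest[:4], "big") % n_boards


def dispatch(pkts: List[Packet], n_boards: int) -> Dict[int, List[Packet]]:
    boards: Dict[int, List[Packet]] = defaultdict(list)
    for p in pkts:
        boards[choose_board(p, n_boards)].append(p)
    return boards


def round_robin(pkts: List[Packet], n_boards: int) -> Dict[int, List[Packet]]:
    # Naive alternative: perfectly even, but blind to fragmentation.
    boards: Dict[int, List[Packet]] = defaultdict(list)
    for i, p in enumerate(pkts):
        boards[i % n_boards].append(p)
    return boards


def reassembly_status(boards: Dict[int, List[Packet]]) -> Dict[bytes, bool]:
    """For each datagram: can the board that holds it reassemble it?

    A datagram is complete only if one board holds a contiguous run of
    fragments starting at offset 0 and ending with MF clear. A datagram split
    across boards is seen more than once and is marked incomplete.
    """
    status: Dict[bytes, bool] = {}
    for plist in boards.values():
        by_dgram: Dict[bytes, List[Packet]] = defaultdict(list)
        for p in plist:
            by_dgram[datagram_key(p)].append(p)
        for key, frags in by_dgram.items():
            frags.sort(key=lambda p: p.frag_offset)
            ok = frags[0].frag_offset == 0 and not frags[-1].more_fragments
            for cur, nxt in zip(frags, frags[1:]):
                ok = ok and cur.frag_offset * 8 + cur.payload_len == nxt.frag_offset * 8
            status[key] = ok and key not in status
    return status


def sample_traffic(n_datagrams: int = 48) -> List[Packet]:
    """Constructed ESP traffic: every fourth datagram is split into 3 fragments."""
    pkts: List[Packet] = []
    for i in range(n_datagrams):
        src, dst, ip_id = f"10.0.{i // 8}.{i % 8 + 1}", "10.1.0.1", 1000 + i
        if i % 4 == 0:
            # 1480 + 1480 + 400 bytes; offsets in 8-byte units: 0, 185, 370
            pkts += [Packet(src, dst, 50, ip_id, 0, True, 1480),
                     Packet(src, dst, 50, ip_id, 185, True, 1480),
                     Packet(src, dst, 50, ip_id, 370, False, 400)]
        else:
            pkts.append(Packet(src, dst, 50, ip_id, 0, False, 1200))
    return pkts


def board_loads(boards: Dict[int, List[Packet]]) -> Dict[int, int]:
    return {b: len(plist) for b, plist in sorted(boards.items())}


if __name__ == "__main__":
    traffic = sample_traffic()
    for name, result in [("hash", dispatch(traffic, 4)),
                         ("round-robin", round_robin(traffic, 4))]:
        st = reassembly_status(result)
        print(f"{name}: loads={board_loads(result)}, "
              f"reassembled {sum(st.values())}/{len(st)} datagrams")
```

Hashing on the datagram key gives statistical rather than exact balance, so `board_loads` is worth watching in practice; the property that matters for correctness, and that the thesis calls out, is that `reassembly_status` reports every datagram as reassemblable under the hash dispatcher while the round-robin dispatcher leaves every fragmented datagram incomplete.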