System ID: U0026-1508201215381500
Thesis title (Chinese): IPsec資料庫查詢單元之軟硬體協同設計 (Hardware/Software Co-design of an IPsec Database Query Unit)
Thesis title (English): Hardware and Software Co-design of IPsec Database Query
University: National Cheng Kung University (成功大學)
Department (Chinese): 電腦與通信工程研究所 (Institute of Computer and Communication Engineering)
Department (English): Institute of Computer & Communication
Academic year: 100 (ROC calendar)
Semester: 2
Year of publication: 101 (ROC calendar)
Author (Chinese): 羅聖心
Author (English): Sheng-Hsin Lo
Student ID: q36994265
Degree: Master's
Language: Chinese
Pages: 69
Oral examination committee:
  Advisor: 陳中和
  Committee member: 黃穎聰
  Committee member: 黃英哲
  Committee member: 朱元三
  Committee member: 張大緯
Keywords (Chinese): database query, electronic system level design, IPsec, software/hardware co-design
Keywords (English): database query, electronic system level design, IPsec, software/hardware co-design
Subject classification:
Chinese abstract (translated): With the spread of the Internet, people place ever more importance on network confidentiality. The IETF therefore proposed the IP Security (IPsec) protocol, which provides encryption/decryption and authentication services without changing the current network architecture. Once IPsec is enabled, every transmitted or received packet must be looked up in the IPsec databases; as network speeds keep increasing, a pure software search can no longer keep up.

In this thesis we analyze the IPsec database search flow, propose software algorithms designed around the characteristics of the SPD and the SAD, and give a detailed description and analysis of their data structures and search flow. To speed up the network path we pair hardware acceleration with the software search, proposing three hardware architectures: Scratchpad Memory, Hardware Cache and Software Cache.

We implement the design in SystemC on an ESL design platform together with an ARM processor, realize it on Platform Architect, and provide an on-line verification environment for verification against a real Linux system. With 256 policies in the SPD, the Software Cache yields an 83.54% performance gain, the Hardware Cache 85.89% and the Scratchpad Memory 83.87%; the Software Cache thus achieves performance close to that of the Hardware Cache without consuming much hardware design cost.
English abstract: With the popularity of the Internet, confidentiality requirements for the Internet have become more critical. The IETF has proposed IP Security (IPsec) to provide encryption/decryption and authentication services without changing the current network architecture. After enabling IPsec, every transmitted or received packet must query the IPsec databases. As network speeds increase, software searching of the IPsec databases may become the critical path.

The purpose of this thesis is to describe and analyze a database structure and its querying flow for IPsec, and to propose a database searching algorithm for the Security Policy Database and the Security Association Database. To accelerate IPsec database querying, hardware acceleration is applied together with software searching. We evaluate three designs: scratchpad memory, hardware cache and software cache.

We use the SystemC language to implement our design on an ESL virtual platform with an ARM processor. The design proposed in this work is implemented in Platform Architect and provides an on-line verification environment. Compared with software searching over 256 security policies, the software cache reduces querying time by 83.54%, the hardware cache by 85.89% and the scratchpad memory by 83.87%. We find that the efficiency of the software cache is nearly equal to that of the hardware cache, at lower hardware cost.
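As an added illustration (not code from the thesis or its platform), the following Python sketch models the per-packet SPD search the abstract describes and the software-cache idea evaluated in it: an ordered SPD walked first-match (RFC 4301 ordering) with a bounded flow cache in front of it, plus the flush the cache needs whenever the SPD changes. The 256-policy SPD, the addresses and the cache size are constructed values, and the selector set is a simplification of RFC 4301 selectors.

```python
"""SPD first-match lookup with a software cache in front of it (constructed toy example)."""
from collections import OrderedDict
from ipaddress import ip_address, ip_network
from dataclasses import dataclass

ANY = None  # wildcard selector value

@dataclass(frozen=True)
class Policy:
    src: object          # ip_network of permitted source addresses
    dst: object          # ip_network of permitted destination addresses
    proto: object        # IP protocol number, or ANY
    dport: object        # destination port, or ANY
    action: str          # "PROTECT", "BYPASS" or "DISCARD"

def spd_lookup(spd, src, dst, proto, dport):
    """Ordered SPD: the first policy whose selectors all match wins (RFC 4301 ordering)."""
    for idx, p in enumerate(spd):
        if (ip_address(src) in p.src and ip_address(dst) in p.dst
                and p.proto in (ANY, proto) and p.dport in (ANY, dport)):
            return idx
    return None  # no matching policy: RFC 4301 requires DISCARD

class SpdCache:
    """Bounded flow -> policy-index cache (LRU) placed in front of the linear SPD walk."""
    def __init__(self, spd, capacity=64):
        self.spd, self.capacity = spd, capacity
        self.entries = OrderedDict()
        self.hits = self.misses = 0

    def lookup(self, src, dst, proto, sport, dport):
        key = (src, dst, proto, sport, dport)       # 5-tuple flow key
        if key in self.entries:
            self.hits += 1
            self.entries.move_to_end(key)            # refresh LRU position
            return self.entries[key]
        self.misses += 1
        idx = spd_lookup(self.spd, src, dst, proto, dport)
        self.entries[key] = idx
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)         # evict least recently used
        return idx

    def flush(self):
        """Must run on every SPD change; a stale entry would apply an outdated policy."""
        self.entries.clear()

def build_spd(n=256):
    """Constructed SPD: n protected subnets 10.0.<i>.0/24 followed by a catch-all DISCARD."""
    spd = [Policy(ip_network("0.0.0.0/0"), ip_network(f"10.0.{i}.0/24"), ANY, ANY, "PROTECT")
           for i in range(n)]
    spd.append(Policy(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), ANY, ANY, "DISCARD"))
    return spd
```

Repeated packets of one flow pay the linear walk once and are served from the cache afterwards; the hit/miss counters make the saving measurable for a given traffic mix.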
Table of contents:
Abstract (Chinese) I
Abstract II
Acknowledgements III
Table of Contents IV
List of Figures VII
Chapter 1 Introduction 1
1.1 Motivation 1
1.2 Contributions 3
1.3 Organization 3
Chapter 2 Background and Related Work 4
2.1 Internet Protocol Security (IPsec) 4
2.1.1 Security Association (SA) 5
2.1.2 AH Protocol 10
2.1.3 ESP Protocol 11
2.1.4 Transport Mode 12
2.1.5 Tunnel Mode 14
2.2 Design Environment 16
2.2.1 Electronic System Level (ESL) Design 16
2.2.2 The SystemC Language and the CoWare Platform Architect Platform 17
2.3 Related Work 17
Chapter 3 Software Design of the IPsec Databases 23
3.1 SPD and SAD Software Search Flow 23
3.1.1 Receiving Side 23
3.1.2 Transmitting Side 24
3.2 Receiving-side SPD Software Design 25
3.3 Receiving-side SAD Software Design 29
3.4 Transmitting-side SPD Software Design 33
3.5 Transmitting-side SAD Software Design 34
Chapter 4 Hardware/Software Co-design of the IPsec Databases 36
4.1 IPsec Processor System Architecture 36
4.2 Hardware/Software Co-design 38
4.2.1 Software Cache 38
4.2.2 Scratchpad Memory (SPM) 40
4.2.3 Hardware Cache 42
4.3 Hardware Cache Design 43
4.3.1 Receiving-side SPD 43
4.3.2 Receiving-side SAD 46
4.3.3 Transmitting Side 50
Chapter 5 Implementation and Experimental Results 55
5.1 Design Environment 55
5.1.1 IPsec Processor Development Flow and Verification Platform 55
5.2 Functional Verification 58
5.3 Experimental Results 59
5.3.1 SPD 59
5.3.2 Transmitting-side SAD 61
5.3.3 Receiving-side SAD 62
Chapter 6 Conclusion and Future Work 64
6.1 Conclusion 64
6.2 Future Work 64
References 66
Full-text access permissions:
  • Authorized for on-campus browsing/printing of the electronic full text, available from 2015-09-10.
  • Authorized for off-campus browsing/printing of the electronic full text, available from 2015-09-10.