Performance Evaluation of IPsec on Embedded Systems

Hsu, Chun-chiao

22 August 2006

In recent years, more and more embedded devices are connected to the Internet. Users of embedded devices could obtain necessary services or updates from the World Wide Web. The benefits of having embedded devices connected to the Internet are tremendous; however, the requirement of secure transmission may slow down the performance of the embedded device. For example, if users download files to their own embedded devices from the Internet, the packets must be encrypted/authenticated for secure transmission, and the cost to pay is to slow down the performance of the system. Thus, it is necessary to find ways that can provide a secure connection while at the same time not slowing down the performance of the system. IPsec (Internet Protocol Security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets. Although IPsec is optional for IPv4, it is required for IPv6. However, IPsec is not wildly used on embedded systems compared to SSL/TLS. In this thesis, we describe the details of how we port IPsec to a platform running embedded Linux which does not support IPsec. Openswan is an open source implementation of IPsec for the Linux operating system. We use Openswan to set up a Virtual Private Network (VPN) tunnel between a PC and the embedded system platform and use various encryption/authentication algorithms and services provided by IPsec to do a performance analysis.

openswan

ipsec

Tunnel comparison between Generic Routing Encapsulation (GRE) and IP Security (IPSec)

Akinola, Azeez Paul, chong, zhang

January 2012

Since the introduction of networks, they have been used amongst home users, companies and organizations and most damage on the network is due to inappropriate security configurations. To secure networks, a protocol suite can be used to encrypt and authenticate all IP packets of a session. Therefore, this report will include the advantages and possible solution of some techniques used to offer increased network security such as scalability and data confidentiality. Captures of traffic sent using the two security techniques, IPSec/VPN and GRE-Tunnel will be monitored. The objective behind this project is to configure a network with these two different tunneling techniques and compare the security and network performance. The report also describes the security problems encountered by networks such as the ignorance of network users, vulnerabilities and the security of the devices.IPSecis a standard security protocol solution for TCP/IP, and it provides security through authentication, encryption and data integrity. GRE encapsulates packets and create a logical hub-and spoke topology of virtual point-to-point connections. The Jperf-tool is used to measure network performance and show specific details while another tool, Wireshark is used to analyze the information captured during transmission of data sent using IPSEC and GRE. The comparison further finds that IPSec-tunnel technique makes data transfers very secure but causes network performance disadvantages in comparison to a GRE solution.

IPSec

VPN

GRE

TUNNEL

Ανάλυση και βελτιστοποίηση της απόδοσης της υλοποίησης του πρωτοκόλλου IPsec σε Linux

Ιατρού, Μιχαήλ

20 October 2009

Το IPsec είναι ένα σύνολο πρωτοκόλλων με σκοπό να παρέχονται υπηρεσίες ασφάλειας σε επίπεδο πακέτων IP και εμπίπτει στη κατηγορία των εφαρμογών VPN. Το Linux είναι ένα σύγχρονο λειτουργικό σύστημα, ανοιχτού κώδικα με μεγάλη ευελιξία για χρήση σε διαφο- ρετικές αρχιτεκτονικές και εξαιρετική απόδοση σε πρωτόκολλα δικτύων. Αυτή η εργασία είναι προσανατολισμένη στην μελέτη της απόδοσης της υλοποίησης του IPsec σε Linux. Ορίζουμε τα μεγέθη που είναι σημαντικά για την αξιολόγηση της απόδοσης του IPsec, την μεθοδολογία των μετρήσεων, καθώς και τις παραμέτρους που καθορίζουν την απόδοση και στις οποίες μπορούμε να επέμβουμε με σκοπό να τη βελτιώσουμε. Μελετάμε τη συμπεριφορά σε διαφορετικά υπολογιστικά συστήματα και συγκρίνουμε την απόδοση με αυτή μια εναλλακτικής τεχνολογίας VPN, το OpenVPN. / IPsec is a suite of protocols that provides security services on IP layer, in a VPN fashion. Linux is a modern UNIX-like, Open Source operating system. It is suitable for a variety of applications, althought server oriented and exceptional performance on networking. We study the performance of the implementation of IPsec in Linux kernel. We define the performance measurements and criteria as well as the available options we cant fine-tune. We also study the aspect of performance on different achitectures. Finally we compare IPsec performance with OpenVPN, an alternative VPN solution.

004.678

Linux

IPsec

Enhancing the IKE preshared key authentication method

Bani-Hani, Raed M.,

January 2006

Thesis (Ph. D.) University of Missouri-Columbia, 2006. / The entire dissertation/thesis text is included in the research.pdf file; the official abstract appears in the short.pdf file (which also appears in the research.pdf); a non-technical general description, or public abstract, appears in the public.pdf file. Title from title screen of research.pdf file (viewed on July 31, 2007) Includes bibliographical references.

IPSec (Computer network protocol).

Řešení virtuální privátní sítě v podnikovém informačním systému

Vichta, Lubomír

January 2008

No description available.

Certifikáty; L2TP; IPSec

An IPsec Compatible Implementation of DBRA and IP-ABR

Sherwood, Nicholas

05 May 2005

Satellites are some of the most difficult links to exploit in a Quality of Service (QoS) sensitive network, largely due to their high latency, variable-bandwidth and low-bandwidth nature. Central management of shared links has been shown to provide efficiency gains and enhanced QoS by effectively allocating resources according to reservations and dynamic resource availability. In a modern network, segregated by secure gateways and tunnels such as provided by IPsec, central management appears impossible to implement due to the barriers created between a global Dynamic Bandwidth Resource Allocation (DBRA) system and the mediators controlling the individual flows. This thesis explores and evaluates various through-IPsec communications techniques aimed at providing a satellite-to-network control channel, while maintaining data security for all communications involved.

satellite

networks

IPsec

DBRA

IP-ABR

Analysis of the PPTP and IPSec protocols in Virtual Private Networks

Tryggvason, Thorir

January 2000

<p>Today increasing numbers of individuals are working away from the ordinary workplace while still requiring access to the server located at the workplace. New technology is meeting this demand allowing for safe and secure transmission of the data over the Internet. The aim of this project is to analyse two protocols that are used within the Virtual Private Network (VPN) structure today, with the focus on installation, transmission speed on both Local Area Networks (LAN) and via telephone line and security aspects of the protocols.</p><p>The results show that it is quite complicated to setup a VPN network and to get operational. The results also show that there are security compromises within the VPN structure that indicate that if proper precaution is not taken it may give a false sense of security, where the user believes that it is a secure communication when in reality it is not.</p>

VPN

IPSec

PPTP

Encryption

Computer science

Datalogi

Contribution à l'étude de la qualité de service pour les protocoles sécurisés de télécommunications application à IPSec /

Van, Quang Đao Dupeyrat, Gérard Wei-Liu, Anne

January 2005

Thèse de doctorat : Informatique : Paris 12 : 2005. / Titre provenant de l'écran-titre. Bibliogr. : 81 réf.

Building mobile L2TP/IPsec tunnels

Xu, Chen, chen8002004@hotmail.com

January 2010

Wireless networks introduce a whole range of challenges to the traditional TCP/IP network, especially Virtual Private Network (VPN). Changing IP address is a difficult issue for VPNs in wireless networks because IP addresses are used as one of the identifiers of a VPN connection and the change of IP addresses will break the original connection. The current solution to this problem is to run VPN tunnels over Mobile IP (MIP). However, Mobile IP itself has significant problems in performance and security and that solution is inefficient due to double tunneling. This thesis proposes and implements a new and novel solution on simulators and real devices to solve the mobility problem in a VPN. The new solution adds mobility support to existing L2TP/IPsec (Layer 2 Tunneling Protocol/IP Security) tunnels. The new solution tunnels Layer 2 packets between VPN clients and a VPN server without using Mobile IP, without incurring tunnel-re-establishment at handoff, without losing packets during handoff, achieves better security than current mobility solutions for VPN, and supports fast handoff in IPv4 networks. Experimental results on a VMware simulation showed the handoff time for the VPN tunnel to be 0.08 seconds, much better than the current method which requires a new tunnel establishment at a cost of 1.56 seconds. Experimental results with a real network of computers showed the handoff time for the VPN tunnel to be 4.8 seconds. This delay was mainly caused by getting an IP address from DHCP servers via wireless access points (4.6 seconds). The time for VPN negotiation was only 0.2 seconds. The experimental result proves that the proposed mobility solution greatly reduces the VPN negotiation time but getting an IP address from DHCP servers is a large delay which obstructs the real world application. This problem can be solved by introducing fast DHCP or supplying an IP address from a new wireless access point with a strong signal while the current Internet connection is weak. Currently, there is little work on fast DHCP and this may open a range of new research opportunities.

VPN

IPsec

L2TP

PPP

Mobile IP

VMware

Virtual Private Networks: : A feasibility study of secure communications between remote locations.

Wikström, Alexander, Thomson, Mark, Mageramova, Lolita

January 2014

Virtual Private Networks (VPNs) are an integral part of protecting company communications from unauthorized viewing, replication or manipulation. In order for employees to remotely conduct business in an effective and secure manner from a branch location or while traveling, Virtual Private Networks can be viewed as an absolute necessity.   Starting with a certain set of network communication requirements, our project's hypothesis was that the most suitable VPN implementation for Cheap Flats (a fictitious company we created) would be an IPSec client VPN. Included in the report are basic definitions, implementations and tests for three different types of VPNs that were used to confirm this hypothesis: 1) Site-to-site: Tunnel mode connection between VPN gateways. The process of encrypting and transferring data between networks is transparent to end-users. [1] 2) IPSec client: Network Layer VPN for both network-to-network and remote-access deployments. End-users will need to run either Cisco or Open Source VPN software on their PCs. 3) Clientless SSL: “Remote-access VPN technology that provides Presentation Layer encryption services for Applications through local redirection on the client.” [2] VPN communications are established using a browser rather than specific software installed on the end-user’s device.   The test results from the above VPN implementations have been published and comparisons were made between the different types of VPNs regarding the time taken to apply network device/end-user configurations, expenses incurred in procuring additional equipment/software to implement the VPN (if any), impact on end-users, scalability and lastly, the overall functionality of the VPN solution as it relates to the day-to-day business operations.   Following the testing phase, a discussion of the merits and drawbacks of each of the VPN implementations was drafted. After which, a final recommendation was presented regarding the VPN solution that best fit the needs of the hypothetical company described in the paper.

VPN

IPsec

SSL

Computer Engineering

Datorteknik