IPsec acceleration
OpenWrt-based IPsec
This picture shows how IPsec is used in our scenarios.
Relationship and differences between the AH and ESP protocols in IPsec
There are two phases: IKE negotiation and IPsec setup.
The IKE SA negotiation can be considered the control plane. In our sdewan, it is controlled by StrongSwan in user space, and StrongSwan supports an openssl plugin.
Asymmetric encryption is used in this phase. It generates the IPsec SA that helps set up the IPsec tunnel/transport.
REF: https://wiki.archlinux.org/index.php/StrongSwan
The IPsec SA connection can be considered the data plane. In our sdewan, it is supported by xfrm in kernel space, and we use ESP to set up the tunnel.
IMHO, the ESP and AH will co-exist for their pros and cons.
Symmetric encryption is used in this phase. It will generate the IPsec SA. There will also be HMAC verification and DES (by default) for encryption; this can be a function chain offloaded to HW.
The network packet size will be random; packets may be big or small.
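The per-packet data-plane chain described above (integrity check, then payload handling, on ESP packets of arbitrary size), as an added example that is not sdewan, StrongSwan or kernel code. It uses HMAC-SHA-1-96 (RFC 2404) for the ICV and, as an assumption to stay within the Python standard library, NULL encryption (RFC 2410) in place of DES; the function names, key and payload are constructed for illustration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: HMAC-SHA-1 output truncated to 96 bits


def esp_seal(spi, seq, payload, next_header, auth_key):
    """Send side: build SPI | seq | payload | padding | pad_len | next_hdr | ICV."""
    # Pad Length and Next Header must end on a 4-byte boundary (RFC 2406).
    pad_len = -(len(payload) + 2) % 4
    padding = bytes(range(1, pad_len + 1))  # default padding bytes 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    # The ICV covers everything in the ESP packet except the ICV itself.
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_open(packet, auth_key):
    """Receive side: verify the ICV first, only then parse the trailer."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        raise ValueError("ICV mismatch, packet dropped")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:  # padding cannot exceed the payload area
        raise ValueError("invalid pad length")
    payload = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, payload


if __name__ == "__main__":
    key = bytes(range(20))            # constructed 160-bit key
    inner = b"sdewan test payload"    # constructed payload, 19 bytes
    pkt = esp_seal(0x1001, 1, inner, 4, key)  # next header 4 = IP-in-IP
    print(len(pkt), esp_open(pkt, key))
```

Because the HMAC and the cipher are applied back to back on every packet, whatever its size, these are the two stages a hardware offload would take over as one chain.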
REF:
For more information about IPsec:
| RFC | Content |
|---|---|
| 2401 | IPsec architecture: https://tools.ietf.org/html/rfc2401 |
| 2402 | AH protocol |
| 2403 | Use of HMAC-MD5-96 in AH and ESP |
| 2404 | Use of HMAC-SHA-1-96 in AH and ESP |
| 2405 | Use of DES-CBC in ESP |
| 2406 | |
| 2407 | IPsec DOI |
| 2408 | ISAKMP protocol |
| 2409 | |
| 2410 | The NULL encryption algorithm and its use in IPsec |
| 2411 | IPsec document roadmap: https://tools.ietf.org/html/rfc2411 |
| 2412 | OAKLEY protocol |
XFRM -- the kernel implementation framework for the IPsec protocol
Xfrm receive flow:
Xfrm send flow: