A Clustering and Traffic-Redistribution Scheme for High-Performance IPsec VPNs

  • Pan-Lung Tsai
  • Chun-Ying Huang
  • Yun-Yin Huang
  • Chia-Chang Hsu
  • Chin-Laung Lei
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3769)


CPE-based IPsec VPNs have been widely used to provide secure private communication across the Internet. As the bandwidth of WAN links keeps growing, the bottleneck in a typical deployment of CPE-based IPsec VPNs has moved from the last-mile connections to the customer-edge security gateways. In this paper, we propose a clustering scheme to scale the throughput as required by CPE-based IPsec VPNs. The proposed scheme groups multiple security gateways into a cluster using a transparent self-dispatching technique and allows as many gateways to be added as necessary until the resulting throughput is again limited by the bandwidth of the last-mile connections. It also includes a flow-migration mechanism to keep the load of the gateways balanced. The results of the performance evaluation confirm that the clustering technique and the traffic-redistribution mechanism together create a transparent, adaptive, and highly scalable solution for building high-performance IPsec VPNs.


Keywords (added by machine, not by the authors): Medium Access Control, Virtual Private Network, Network Processor, Medium Access Control Address, Ethernet Interface





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Pan-Lung Tsai (1)
  • Chun-Ying Huang (1)
  • Yun-Yin Huang (1)
  • Chia-Chang Hsu (1)
  • Chin-Laung Lei (1)

  1. Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan
