| Graduate student (研究生): | 羅聖心 Lo, Sheng-Hsin |
|---|---|
| Thesis title (論文名稱): | IPsec資料庫查詢單元之軟硬體協同設計 Hardware and Software Co-design of IPsec Database Query |
| Advisor (指導教授): | 陳中和 Chen, Chung-Ho |
| Degree (學位類別): | 碩士 Master |
| Department (系所名稱): | 電機資訊學院 - 電腦與通信工程研究所 Institute of Computer & Communication Engineering |
| Year of publication (論文出版年): | 2012 |
| Academic year of graduation (畢業學年度): | 100 (ROC calendar, i.e. 2011–2012) |
| Language (語文別): | 中文 (Chinese) |
| Pages (論文頁數): | 69 |
| Chinese keywords (中文關鍵詞): | 資料庫查詢 (database query), 電子系統層級設計 (electronic system level design), IPsec, 軟硬體協同設計 (hardware/software co-design) |
| Foreign keywords (外文關鍵詞): | database query, electronic system level design, IPsec, software/hardware co-design |
| Access counts (相關次數): | Views: 105, Downloads: 2 |
As the Internet has become ubiquitous, people have come to place more importance on the confidentiality of network traffic. The IETF therefore proposed the IP Security (IPsec) protocol suite, which provides encryption/decryption and authentication services without changing the existing network architecture. Once IPsec is enabled, every transmitted or received packet must be looked up in the IPsec databases; as network speeds keep increasing, a software lookup can no longer keep up with the demand.
In this thesis we analyze the IPsec database lookup flow and propose a software algorithm designed around the characteristics of the Security Policy Database (SPD) and the Security Association Database (SAD), describing and analyzing its data structures and lookup flow in detail. To accelerate the network path we combine hardware acceleration with the software search, proposing three hardware architectures: Scratchpad Memory, Hardware Cache and Software Cache.
We implement the design in SystemC on an ESL design platform together with an ARM processor, realize it on Platform Architect, and provide an on-line verification environment for validation against a real Linux system. With 256 policies in the SPD, Software Cache yields an 83.54% performance gain, Hardware Cache 85.89% and Scratchpad Memory 83.87%. Software Cache thus achieves performance close to that of Hardware Cache without consuming much hardware design cost.
With the popularity of the Internet, confidentiality requirements for network traffic have become more critical. The IETF has proposed IP Security (IPsec) to provide encryption/decryption and authentication services without changing the current network architecture. After enabling IPsec, every transmitted or received packet must query the IPsec databases. As network speed increases, software searching of the IPsec databases may become the critical path.
The purpose of this thesis is to describe and analyze a database structure and its querying flow for IPsec, and to propose a database searching algorithm for the Security Policy Database (SPD) and the Security Association Database (SAD). In order to accelerate IPsec database querying, hardware acceleration is applied together with software searching. We evaluate three designs: scratchpad memory, hardware cache and software cache.
We use the SystemC language to implement our design on an ESL virtual platform with an ARM processor. The design proposed in this work is implemented in Platform Architect and provides an on-line verification environment. Compared with pure software searching over 256 security policies, the software cache reduces querying time by 83.54%, the hardware cache by 85.89% and the scratchpad memory by 83.87%. We find that the efficiency of the software cache is nearly equal to that of the hardware cache at a lower hardware cost.
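The lookup path the abstract describes, written out as an added Python example (this is not the thesis's SystemC design nor the NetVP platform): an ordered SPD walked with first-match semantics, an inbound SAD indexed by (SPI, destination, protocol), and a software cache keyed on the packet's selectors that sits in front of the SPD walk. The policies, addresses and SPIs are constructed sample data, and the `probes` counter is a hypothetical cost metric standing in for the thesis's timing measurements. It also shows the correctness condition any such cache (software or hardware) must meet: a policy change must flush it, or a packet matching a newly inserted, more specific entry would still get the stale result.

```python
"""Ordered SPD/SAD lookup with a selector-keyed software cache (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class SPDEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]                # IP protocol number; None = any
    dport: Optional[Tuple[int, int]]    # inclusive destination port range; None = any
    action: str                         # "PROTECT", "BYPASS" or "DISCARD"
    spi: Optional[int] = None           # outbound SA bound to a PROTECT entry


@dataclass
class SAEntry:
    spi: int
    dst: ipaddress.IPv4Address          # SAs are unidirectional: dst is the receiver
    proto: str                          # "ESP" or "AH"
    cipher: str


def policy(src: str, dst: str, proto, dport, action: str, spi=None) -> SPDEntry:
    """Build an SPDEntry from prefix strings (convenience for constructed samples)."""
    return SPDEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport, action, spi)


class IPsecDB:
    """SPD (ordered, first match wins) and SAD, with a software cache in front."""

    def __init__(self, spd: List[SPDEntry], sad: List[SAEntry]) -> None:
        self.spd = list(spd)
        self.sa_by_spi = {sa.spi: sa for sa in sad}                # outbound: policy -> SA
        self.sad = {(sa.spi, sa.dst, sa.proto): sa for sa in sad}  # inbound: RFC 4301 key
        self.cache: Dict[tuple, SPDEntry] = {}                     # selectors -> resolved entry
        self.probes = 0                                            # SPD entries compared (hypothetical cost metric)

    def _search_spd(self, src, dst, proto, dport) -> SPDEntry:
        """Linear ordered walk; the order is part of the policy, so entries cannot be sorted."""
        for e in self.spd:
            self.probes += 1
            if (src in e.src and dst in e.dst
                    and (e.proto is None or e.proto == proto)
                    and (e.dport is None or e.dport[0] <= dport <= e.dport[1])):
                return e
        return SPDEntry(ANY, ANY, None, None, "DISCARD")   # no matching policy: drop (RFC 4301)

    def lookup_outbound(self, src: str, dst: str, proto: int, dport: int):
        """Return (action, SA-or-None) for an outbound packet, consulting the cache first."""
        key = (ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)
        entry = self.cache.get(key)
        if entry is None:
            entry = self._search_spd(*key)
            self.cache[key] = entry
        sa = self.sa_by_spi.get(entry.spi) if entry.action == "PROTECT" else None
        return entry.action, sa

    def lookup_inbound(self, spi: int, dst: str, proto: str) -> Optional[SAEntry]:
        """Inbound SAD lookup by (SPI, destination address, protocol): an exact-match hash."""
        return self.sad.get((spi, ipaddress.ip_address(dst), proto))

    def add_policy(self, index: int, entry: SPDEntry) -> None:
        """Insert a policy at a given position; every cached result may now be wrong."""
        self.spd.insert(index, entry)
        self.cache.clear()


def build_sample_db() -> IPsecDB:
    """Constructed sample database: a specific DISCARD ahead of a broader PROTECT."""
    spd = [
        policy("10.0.0.0/24", "192.168.1.7/32", 6, (23, 23), "DISCARD"),            # no telnet
        policy("10.0.0.0/24", "192.168.1.7/32", None, None, "PROTECT", spi=0x1001),  # ESP otherwise
        policy("0.0.0.0/0", "0.0.0.0/0", 17, (53, 53), "BYPASS"),                    # DNS in clear
    ]
    sad = [
        SAEntry(0x1001, ipaddress.ip_address("192.168.1.7"), "ESP", "AES-128-GCM"),  # outbound SA
        SAEntry(0x2002, ipaddress.ip_address("10.0.0.5"), "ESP", "AES-128-GCM"),     # inbound SA
    ]
    return IPsecDB(spd, sad)


if __name__ == "__main__":
    db = build_sample_db()
    for flow in [("10.0.0.5", "192.168.1.7", 6, 22)] * 2 + [("10.0.0.5", "192.168.1.7", 6, 23)]:
        print(flow, db.lookup_outbound(*flow)[0], "probes so far:", db.probes)
```

Two things the example deliberately leaves out, which a production path must have: after decapsulating an inbound packet, RFC 4301 requires the inner selectors to be checked against the SPD entry the SA was negotiated for (otherwise a peer can tunnel traffic the policy never allowed), and the SA needs lifetime and anti-replay state. The cache is flushed wholesale on any SPD change here; the hardware cache in the thesis needs an equivalent invalidation signal, and a per-entry generation tag would be the usual refinement.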