@conference {54.FePi07, title = {High-level Architecture of an IPSec-dedicated System on Chip}, booktitle = {proceedings of NGI 2007}, year = {2007}, month = {May}, publisher = {IEEE Press}, organization = {IEEE Press}, address = {Trondheim, Norway}, abstract = {IPSec is a suite of protocols which adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. In this paper we propose a high level architecture of a System on Chip (SoC) which implements IPSec. This SoC has been thought to be placed on the main data path of the host machine (flow-through architecture), thus allowing for transparent processing of IPSec traffic. The functionalities of the different blocks and their interactions, along with an estimation of the internal memory size, are also shown.}, keywords = {accelerator, IPSec, priority, quality of service (QoS), security, system-on-chip (SoC), SystemC}, author = {Ferrante, Alberto and Piuri, Vincenzo} } @conference {58.FeChPi07, title = {A Query Unit for the IPSec Databases}, booktitle = {SECRYPT 2007}, year = {2007}, month = {07/2007}, address = {Barcelona, Spain}, abstract = {IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within IPSec make extensive use of two databases, namely the Security Policy Database (SPD) and the Security Association Database (SAD). The ability to query the SPD quickly is fundamental as this operation needs to be done for each incoming or outgoing IP packet, even if no IPSec processing needs to be applied on it. This may easily result in millions of query per second in gigabit networks. Since the databases may be of several thousands of records on large secure gateways, a dedicated hardware solution is needed to support high throughput. In this paper we discuss an architecture for these query units, we propose different query methods for the two databases, and we compare them through simulation. Two different versions of the architecture are presented: the basic version is modified to support multithreading. As shown by the simulations, this technique is very effective in this case. The architecture that supports multithreading allows for 11 million queries per second in the best case.}, keywords = {accelerator, database, IPSec, security, security association database (SAD), security policy database (SPD), system-on-chip (SoC), SystemC}, author = {Ferrante, Alberto and Chandra, Satish and Piuri, Vincenzo} } @conference {41.TaFePi2006, title = {Scheduling Small Packets in IPSec-based Systems}, booktitle = {CCNC}, year = {2006}, month = {January 8}, address = {Las Vegas, NV, USA}, abstract = {IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. IPSec accelerator performance may heavily depend on the dimension of the packets to be processed. When packets are small, the time needed to transfer data and to set up the accelerator may exceed the one to process the packets (e.g. to encrypt) by software. In this paper, we propose a solution for this problem. High-level simulations and the related results are provided to show the properties of the algorithm.}, keywords = {accelerator, HW/SW co-design, IPSec, scheduling algorithm, security}, doi = {http://dx.doi.org/10.1109/CCNC.2006.1593123}, author = {Taddeo, Antonio Vincenzo and Ferrante, Alberto and Piuri, Vincenzo} }