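% Publications on IPSec hardware acceleration (2004--2007): system-on-chip
% architecture, priority-aware memory, SPD/SAD query units, small-packet
% scheduling, and a UML-based testing methodology.
%
% Conventions used in this file:
%   - Citation keys are unchanged so that existing citations still resolve.
%   - Conference papers use the inproceedings type.
%   - month uses the predefined three-letter macros; a day of month is
%     appended with the concatenation operator.
%   - doi holds the bare identifier only. The resolver prefix is left to the
%     bibliography style, so no cleartext http://dx.doi.org link is stored.
%   - Acronyms in titles are brace-protected against style recasing.
%   - Page ranges use a double hyphen.
%   - Abstract and keyword text is kept as supplied by the authors.

@inproceedings{54.FePi07,
  author    = {Ferrante, Alberto and Piuri, Vincenzo},
  title     = {High-level Architecture of an {IPSec}-dedicated System on Chip},
  booktitle = {Proceedings of {NGI} 2007},
  year      = {2007},
  month     = may,
  address   = {Trondheim, Norway},
  publisher = {IEEE Press},
  keywords  = {accelerator, IPSec, priority, quality of service (QoS), security, system-on-chip (SoC), SystemC},
  abstract  = {IPSec is a suite of protocols which adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. In this paper we propose a high level architecture of a System on Chip (SoC) which implements IPSec. This SoC has been thought to be placed on the main data path of the host machine (flow-through architecture), thus allowing for transparent processing of IPSec traffic. The functionalities of the different blocks and their interactions, along with an estimation of the internal memory size, are also shown.},
}

@inproceedings{55.DaFeMa,
  author    = {Dadda, Luigi and Ferrante, Alberto and Macchetti, Marco},
  title     = {A Memory Unit for Priority Management in {IPSec} Accelerators},
  booktitle = {Proceedings of {ICC07}},
  year      = {2007},
  month     = jun # "~24",
  address   = {Glasgow, Scotland},
  publisher = {IEEE Communications Society},
  doi       = {10.1109/ICC.2007.257},
  keywords  = {accelerator, IPSec, priority, quality of service (QoS), security, system-on-chip (SoC), SystemC},
  abstract  = {This paper introduces a hardware architecture for high speed network processors, focusing on support for Quality of Service in IPSec-dedicated systems. The effort is aimed at defining a secure system on chip environment, where the speed and security requirements are of utmost importance. In particular, a method is devised to introduce and support Quality of Service through priorities at this level. An architecture of a memory system that provides automatic priority management is proposed.},
}

@inproceedings{58.FeChPi07,
  author    = {Ferrante, Alberto and Chandra, Satish and Piuri, Vincenzo},
  title     = {A Query Unit for the {IPSec} Databases},
  booktitle = {{SECRYPT} 2007},
  year      = {2007},
  month     = jul,
  address   = {Barcelona, Spain},
  keywords  = {accelerator, database, IPSec, security, security association database (SAD), security policy database (SPD), system-on-chip (SoC), SystemC},
  abstract  = {IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within IPSec make extensive use of two databases, namely the Security Policy Database (SPD) and the Security Association Database (SAD). The ability to query the SPD quickly is fundamental as this operation needs to be done for each incoming or outgoing IP packet, even if no IPSec processing needs to be applied on it. This may easily result in millions of query per second in gigabit networks. Since the databases may be of several thousands of records on large secure gateways, a dedicated hardware solution is needed to support high throughput. In this paper we discuss an architecture for these query units, we propose different query methods for the two databases, and we compare them through simulation. Two different versions of the architecture are presented: the basic version is modified to support multithreading. As shown by the simulations, this technique is very effective in this case. The architecture that supports multithreading allows for 11 million queries per second in the best case.},
}

@article{51.TaFe07,
  author    = {Taddeo, Antonio Vincenzo and Ferrante, Alberto},
  title     = {Scheduling Small Packets in {IPSec} Multi-accelerator Based Systems},
  journal   = {Journal of Communication ({JCM})},
  volume    = {2},
  number    = {2},
  pages     = {53--60},
  year      = {2007},
  month     = mar,
  address   = {Stresa, Italy},
  publisher = {Academy Publisher},
  keywords  = {accelerator, HW/SW co-design, IPSec, scheduling algorithm, security},
  abstract  = {IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. IPSec accelerator performance may heavily depend on the dimension of the packets to be processed. In fact, when packets are small, the time needed to transfer data and to set up the accelerators may exceed the one to process (e.g. to encrypt) the packets by software. In this paper we present a packet scheduling algorithm that tackles this problem. Packets belonging to the same Security Association are grouped before the transfer to the accelerators. Thus, the transfer and the initialization time have a lower influence on the total processing time of the packets. This algorithm also provides the capability of scheduling grouped packets over multiple cryptographic accelerators. High-level simulations of the scheduling algorithm have been performed and the results for a one-accelerator and for a two-accelerator system are also shown in this paper.},
}

@inproceedings{41.TaFePi2006,
  author    = {Taddeo, Antonio Vincenzo and Ferrante, Alberto and Piuri, Vincenzo},
  title     = {Scheduling Small Packets in {IPSec}-based Systems},
  booktitle = {{CCNC}},
  year      = {2006},
  month     = jan # "~8",
  address   = {Las Vegas, NV, USA},
  doi       = {10.1109/CCNC.2006.1593123},
  keywords  = {accelerator, HW/SW co-design, IPSec, scheduling algorithm, security},
  abstract  = {IPSec is a suite of protocols that adds security to communications at the IP level. Protocols within the IPSec suite make extensive use of cryptographic algorithms. Since these algorithms are computationally very intensive, some hardware acceleration is needed to support high throughput. IPSec accelerator performance may heavily depend on the dimension of the packets to be processed. When packets are small, the time needed to transfer data and to set up the accelerator may exceed the one to process the packets (e.g. to encrypt) by software. In this paper, we propose a solution for this problem. High-level simulations and the related results are provided to show the properties of the algorithm.},
}

@inproceedings{26.BoFeDuPi2004,
  author    = {Boiko, Uljana and Ferrante, Alberto and Lo Duca, Antonietta and Piuri, Vincenzo},
  title     = {A Methodology for Testing {IPSec}-based Systems},
  booktitle = {{SoftCOM} 2004},
  year      = {2004},
  month     = oct,
  pages     = {22--26},
  address   = {Split},
  keywords  = {encapsulating security payload (ESP), IPSec, security, testing, unified modeling language (UML)},
  abstract  = {IPSec is a suite of protocols adding security to communications at the IP level. This suite of protocols is becoming more and more important as it is included as mandatory security mechanism in IPv6. This paper focuses on a methodology for testing IPSec implementations. A UML model of the IPSec suite of protocols was developed. Test cases were obtained applying a coverage method on the same model.},
}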