IPSec: Performance Analysis in IPv4 and IPv6

Authors

  • Prabhu Thiruvasagam NEC India Private Limited, India
  • K. Jijo George NEC India Private Limited, India

DOI:

https://doi.org/10.13052/jicts2245-800X.714

Keywords:

IPSec, Authentication, 3GPP, NDS/IP, LTE/SAE, AES, IPv6

Abstract

Internet Protocol security (IPSec) is an end-to-end security scheme that provides security at the IP network layer, but this comes with performance implications: reduced throughput and increased resource consumption. In this paper we present a throughput performance analysis of the IPSec protocol, for both IPv4 and IPv6, using various cryptographic algorithms as recommended in the standards [13]. In this study we have considered only throughput performance for the authenticated encryption algorithms AES-GCM and AES-CCM, the encryption algorithms AES-CBC, AES-CTR, and 3DES, and the authentication algorithms SHA1, SHA2 and XCBC. The results show that AES-GCM provides better performance than the other recommended algorithms.

Author Biographies

Prabhu Thiruvasagam, NEC India Private Limited, India

Prabhu Thiruvasagam received a master's degree in Communication Systems from the Indian Institute of Information Technology, Design and Manufacturing, Kancheepuram, India in 2014. He then worked for more than two years as a research engineer in the NEC India Standardization Team at NEC India Pvt Ltd, Chennai. He is now pursuing a PhD in the Department of Computer Science at the Indian Institute of Technology Madras, India. His current research interests include security and reliability aspects of NFV, SDN, and SFC paradigms in 5G networks.

K. Jijo George, NEC India Private Limited, India

K. Jijo George received his Bachelor's degree in Computer Science and Engineering from Kurukshetra Institute of Technology and Management, India in 2011. He has over 4 years of experience in research and development of mobile communication networks. He worked as a Research Engineer in the NEC India Standardization (NIS) Team at NEC Technologies India Private Ltd., Chennai. Prior to joining NECI, he was associated with IIIT, Bangalore as a Research Associate in context awareness in mobile applications. At NEC he worked on security aspects of telecom networks and testbed development of next-generation mobile networks. His research interests include Next Generation Networks, Mobile and Network Security, and Telecom Security. He is currently pursuing his Master's in Cognitive Technical Systems at Albert Ludwigs University Freiburg, Germany.

References

S. Kent and K. Seo, “Security Architecture for the Internet Protocol,” RFC 4301, Dec. 2005.

D. Harkins and D. Carrel, “The Internet Key Exchange (IKE),” RFC 2409, Nov. 1998.

C. Kaufman et al., “Internet Key Exchange Protocol Version 2 (IKEv2),” RFC 7296, Oct. 2014.

D. Maughan et al., “Internet Security Association and Key Management Protocol (ISAKMP),” RFC 2408, Nov. 1998.

H. Orman, “The OAKLEY Key Determination Protocol,” RFC 2412, Nov. 1998.

S. Kent, “IP Authentication Header,” RFC 4302, Dec. 2005.

S. Kent, “IP Encapsulating Security Payload,” RFC 4303, Dec. 2005.

S. Frankel and S. Krishnan, “IP Security (IPSec) and Internet Key Exchange (IKE) Document Roadmap,” RFC 6071, Feb. 2011.

S. Deering and R. Hinden, “Internet Protocol Version 6 (IPv6),” RFC 2460, Dec. 1998.

S. Deering and R. Hinden, “IP Version 6 Addressing Architecture,” RFC 4291, Feb. 2006.

M. Stevens et al., “Freestart collision for full SHA-1,” Cryptology ePrint Archive, Report 2015/967, 2015.

X. Wang and H. Yu, “How to Break MD5 and Other Hash Functions,” EUROCRYPT (Ronald Cramer, ed.), Lecture Notes in Computer Science, vol. 3494, Springer, 2005, pp. 19–35.

D. McGrew and P. Hoffman, “Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH),” RFC 7321 (Obsoletes RFC 4835), Aug. 2014.

3GPP TS 33.210: “3G security; Network Domain Security; IP network layer security,” 2015.

N. Ferguson and B. Schneier, “A Cryptographic Evaluation of IPSec,” 2003. Available: http://www.schneier.com/paper-IPSec.pdf

K.G. Paterson and A.K.L. Yau, “Cryptography in Theory and Practice: The Case of Encryption in IPSec.” In S. Vaudenay (ed.), EUROCRYPT 2006, LNCS Vol. 4004, Springer, 2006, pp. 12–29.

J. L. Degabriele and K. G. Paterson, “On the (In)Security of IPSec in MAC-then-Encrypt Configurations,” In Proc. of the 17th ACM Conference on Computer and Communications Security, 2010, pp. 493–504.

O. Elkeelany et al., “Performance Analysis of IPSec: Encryption and Authentication,” In Proc. IEEE Inter. Conf. on Communications, 2002, pp. 1164–1168.

G. Hadjichristofi et al., “IPSec overhead in wireline and wireless networks for Web and email applications,” In Proc. IEEE Inter. Conf. on Performance, Computing, and Communications, 2003, pp. 543–547.

C. Xenakis, et al., “A generic characterization of the overheads imposed by IPSec and associated cryptographic algorithms,” Computer Networks, Volume 50, Issue 17, 2006, pp. 3225–3241.

C. Shue et al., “Analysis of IPSec overheads for VPN servers,” IEEE ICNP’s NPSec Workshop, 2005.

C. Shue et al., “IPSec: Performance Analysis and Enhancements,” In Proc. IEEE Inter. Conf. on Communications, 2007, pp. 1527–1532.

A. Uskov and H. Avagyan, “The Efficiency of Block Ciphers in Galois/Counter Mode in IPSec-Based Virtual Private Networks,” In Proc. IEEE Inter. Conf. on Electro/Information Technology, 2014, pp. 173–178.

A. Tanveer et al., “Performance Analysis of AES-Finalists along with SHS in IPSec VPN over 1Gbps Link,” In Proc. IEEE Inter. Bhurban Conf. on Applied Sciences and Technology, 2015, pp. 323–332.

L. Lian and G. Wen-mei, “Building IPSec VPN in IPv6 Based on Openswan,” In Proc. IEEE Inter. Conf. on Network and Parallel Computing Workshops, 2014, pp. 173–178.

J. Schiller, “Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2),” RFC 4307, Dec. 2005.

Strongswan IPSec software tool. Available: https://strongswan.org/

Published

2019-01-20

How to Cite

Thiruvasagam, P., & George, K. J. (2019). IPSec: Performance Analysis in IPv4 and IPv6. Journal of ICT Standardization, 7(1), 59–76. https://doi.org/10.13052/jicts2245-800X.714

Issue

Section

Articles