1. Field of Invention
The present invention relates to a packet processing system and method. More particularly, the present invention relates to a synchronous packet processing system that employs a clustered architecture to achieve load balance and thereby increase the speed of packet processing, and to a packet processing method using a load balancing mechanism.
2. Description of Related Art
In the field of network communication, many emerging Internet applications have accentuated the need for security mechanisms on the Internet. To relieve software engineers of developing proprietary security protocols, IP (Internet Protocol) security protocol (IPsec) suites provide security services such as authentication, integrity and confidentiality. One application of an IPsec is in the construction of a Virtual Private Network (VPN), which allows two subnets to build secure connections over the public Internet.
An IPsec is an integration of various security techniques. It establishes a safe tunnel between two gateways so that the data transmitted in the tunnel cannot be extracted by anyone unauthorized. The various security techniques include Diffie-Hellman Key Agreement Standard, Data Encryption Standard (DES), Ron's Code 4 (RC4), International Data Encryption Algorithm (IDEA), Message Digest 5 (MD5), Secure Hash Algorithm (SHA) and Digital Signature.
An IPsec is a protocol set composed of several subprotocols, and the subprotocols include: Internet Key Exchange (IKE), IP Authentication Header (IP AH), IP Encapsulating Security Payload (IP ESP). The protocol most frequently used to implement IKE is Internet Security Association Key Management Protocol (ISAKMP). ISAKMP is used to define the procedural environment, such as DES, adopted in the data transmission between two corresponding hosts deploying an IPsec.
The subprotocols of an IPsec are used for data source verification, data completeness verification, and data security verification of the data transmission between two corresponding physical network hosts in a network layer. Data source verification and data completeness verification are achieved through IP AH, whereas data security verification is achieved through IP ESP.
FIG. 1 is a diagram of a simple system architecture employing an IPsec. The above-mentioned procedural environment is defined as a security association (SA), and the SA is established through IKE. Each SA is unidirectional, so if an IPsec is to be applied between the two corresponding hosts shown in FIG. 1, an SA from the first host 10 to the second host 11 and an SA from the second host 11 to the first host 10 must both be established. When the SA from the first host 10 to the second host 11 is established through IKE, a unique SA is defined according to a security parameter index (SPI) and the IP address of the first host 10. Under an IPsec, after the first host 10 turns a data packet to be delivered into an encrypted packet carrying an SPI through IP AH or IP ESP, the encrypted packet is delivered to the second host 11 through the Internet. After receiving the encrypted packet, the second host 11 finds the corresponding SA according to the SPI of the encrypted packet and processes the encrypted packet in the procedural environment defined by that SA. In addition, when turning a data packet to be delivered into an encrypted packet through IP AH, the first host 10 also assigns a sequence number to the packet, so that the second host 11 can determine whether the encrypted packet has already been received by recording the sequence number of each encrypted packet. If the second host 11 finds that the encrypted packet has already been received, the second host 11 discards the encrypted packet to prevent a replay attack.
FIG. 2 is a diagram of another simple system architecture employing an IPsec. In FIG. 2, the first host 10 and the second host 11 are both security gateways. Under this architecture, end user computers 21-28 can use the tunnel mode provided by the IPsec through the first host 10 and the second host 11, so that when data is delivered between end user computers 21-24 and end user computers 25-28 the transmitted data packet cannot be extracted or mimicked on the Internet. A packet transmitted according to an IPsec contains at least a non-duplicate sequence number, an SPI, a source address and a destination address. The source address refers to the sending source of the packet, and the destination address refers to the destination of the packet.
In addition, under an IPsec, data packet processing involves many encryption/decryption procedures, and as the number of end user computers increases, the load on the security gateways becomes increasingly heavy. When the load on the security gateways is excessive, the normal operations of the security gateways cannot be performed properly, with the result that the whole network communication is slowed down or even interrupted. Therefore, another method or architecture is needed to prevent the security gateways from becoming the bottleneck of the entire network communication. When the security gateways are implemented using a clustered architecture, the potential bottleneck due to the security gateways can be avoided, and the problem of network communication being interrupted by a single security gateway's failure to operate normally can also be avoided.
In security gateways employing the clustered architecture, a load balancing mechanism is needed in order that encrypted packets to be processed can be distributed evenly to different packet processing devices, thereby increasing the overall speed of processing the encrypted packets. Besides, each packet processing device in the security gateways employing the clustered architecture must in real time acknowledge the SAs established by other packet processing devices, in order that each packet processing device can find the corresponding SA according to the SPI associated with it. Also, during the generation of SAs, a SPI must be correctly associated with a particular SA. Each packet processing device should be able to correctly assign a sequence number to and record a sequence number of an encrypted packet.
Current load balancing mechanisms are, however, suitable only for processing packets that are not associated with each other. Under those mechanisms, an SA generated by one packet processing device cannot be acknowledged by the other packet processing devices in real time and synchronously, with the result that the other packet processing devices cannot find the corresponding SA according to the SPI associated with it. Instead they have to establish another SA, so the purpose of load balance cannot be effectively achieved. Moreover, because of the way in which packets are processed in current load balancing mechanisms, a consistency problem arises in the correspondence between an SPI and a particular SA. Under current load balancing mechanisms, each packet processing device also cannot prevent a replay attack by recording the sequence number of an encrypted packet, because the sequence numbers it records are not seen by the other devices.
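The following added example (not part of the patent, and not any vendor's implementation) models the SPI-keyed SA lookup and sequence-number replay check described for FIG. 1, then distributes constructed packets round-robin over a cluster of devices to show the failure mode this section describes: with per-device SA and replay state, a replayed sequence number that lands on a different device is accepted, whereas shared state catches it. The `WINDOW` size, the `ReplayState`/`Gateway` names and the packet values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

WINDOW = 64  # sliding anti-replay window width in sequence numbers (assumed)


@dataclass
class ReplayState:
    """Per-SA replay record: highest sequence number seen plus a bitmap of
    the WINDOW most recent sequence numbers below it (bit k = highest - k)."""
    highest: int = 0
    bitmap: int = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is new and record it; False if replayed/too old."""
        if seq <= 0:                      # sequence numbers start at 1
            return False
        if seq > self.highest:            # advances the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW or self.bitmap & (1 << diff):
            return False                  # older than window, or already seen
        self.bitmap |= 1 << diff
        return True


class Gateway:
    """One packet processing device; sa_table maps SPI -> ReplayState."""
    def __init__(self, sa_table: dict):
        self.sa_table = sa_table

    def inbound(self, spi: int, seq: int) -> str:
        state = self.sa_table.get(spi)
        if state is None:
            return "no-sa"                # SA was negotiated on another device
        return "accept" if state.check_and_update(seq) else "replay"


def run_cluster(n: int, spi: int, seqs: list, shared: bool) -> list:
    """Distribute packets (spi, seq) round-robin over n devices.
    shared=True: one SA table/replay window for the cluster.
    shared=False: each device keeps its own copy of the SA state."""
    if shared:
        table = {spi: ReplayState()}
        devices = [Gateway(table) for _ in range(n)]
    else:
        devices = [Gateway({spi: ReplayState()}) for _ in range(n)]
    return [devices[i % n].inbound(spi, s) for i, s in enumerate(seqs)]


if __name__ == "__main__":
    pkts = [1, 2, 3, 3]  # constructed: last packet replays sequence number 3
    print("per-device state:", run_cluster(2, 0x1001, pkts, shared=False))
    print("shared state:    ", run_cluster(2, 0x1001, pkts, shared=True))
```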