As the Internet has grown, privacy has progressively become a more significant issue, with sensitive information increasingly being communicated over insecure data networks. There are many different applications requiring privacy and security over the Internet, such as banking, commercial transactions or accessing private company networks remotely. These transactions often involve sending sensitive information over insecure sections of the Internet, requiring such sensitive information to be secured.
The data communication protocol generally used to communicate over the Internet, namely Internet Protocol (IP), is not secure. Consequently, third parties can potentially eavesdrop on transmitted packets, replay transmitted packets, or even divert packets off the network and replace the diverted packets with locally created or forged packets.
In order to protect against this, a method of securing Internet communication packets has been created, and called IP Security, or “IPsec”. IPsec is a complex approach that provides security services for IP packets, thereby providing confidentiality, authentication and protection against “replayed” packets. IPsec is controlled by a set of rules (also known as “Security Policies”) that are created prior to processing network traffic.
Several protocols are used in IPsec, each with its own headers that must be processed separately from the base IP header. Each IPsec protocol offers a set of services. Examples of IPsec protocols include the Encapsulating Protocol (ESP), the Authentication Header (AH), IP Compression (IPcomp) and Internet Key Exchange (IKE).
Each IPsec protocol uses one or more cryptographic algorithms to provide the services the protocol offers. Because the cryptographic algorithms are a speed bottleneck, it is difficult to process IPsec packets at or above network (line) speed without parallelism and pipelining. These approaches require processing multiple IPsec packets at the same time, which is difficult to do at high speeds.
A further problem is the unpredictable latency of a Security Association Database (SAD) lookup. This latency can be extremely small or very large, depending on the type of lookup and the number of Security Associations (SAs) involved.
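The two kinds of SAD lookup behave very differently, which is why the latency is hard to predict. The following is an added example (not part of the original text) of a minimal SAD: an inbound lookup keyed by the unique (SPI, destination, protocol) triple costs one hash probe however many SAs are held, whereas an outbound lookup that must match traffic selectors in order scales with the number of SAs. The class, field names and sample SAs are constructed for illustration.

```python
# Added example: a minimal Security Association Database (SAD) showing how
# lookup cost depends on the lookup type and on the number of SAs held.
# All names, fields and sample addresses are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SA:
    spi: int        # Security Parameter Index carried in the ESP/AH header
    dst: str        # destination address the SA was negotiated for
    proto: str      # "esp" or "ah"
    src_sel: str    # traffic selectors (CIDR) used for outbound matching
    dst_sel: str


class SAD:
    def __init__(self, sas):
        self.sas = list(sas)
        # Inbound: (SPI, dst, proto) is unique per SA, so a hash table gives
        # constant-time lookup regardless of how many SAs are installed.
        self.inbound = {(sa.spi, sa.dst, sa.proto): sa for sa in self.sas}

    def lookup_inbound(self, spi, dst, proto):
        """Return (sa, comparisons). One hash probe whatever the SAD size."""
        return self.inbound.get((spi, dst, proto)), 1

    def lookup_outbound(self, src, dst):
        """Return (sa, comparisons). Selector matching scans SAs in order
        (first match wins), so the cost grows with the number of SAs."""
        comparisons = 0
        for sa in self.sas:
            comparisons += 1
            if (ip_address(src) in ip_network(sa.src_sel)
                    and ip_address(dst) in ip_network(sa.dst_sel)):
                return sa, comparisons
        return None, comparisons


def build_sad(n):
    """Constructed SAD with n ESP SAs; SA i covers source prefix 10.i.0.0/16."""
    sas = [SA(spi=0x1000 + i, dst="192.0.2.1", proto="esp",
              src_sel=f"10.{i}.0.0/16", dst_sel="198.51.100.0/24")
           for i in range(n)]
    return SAD(sas)
```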