Internet Protocol Security (IPSec) is a protocol suite of cryptographic security services commonly used to secure and protect Internet Protocol (IP) communications between two peers/parties by authenticating and encrypting the data packets exchanged between them during a secured communication session. IPSec is an end-to-end security scheme operating in the Internet Layer of the IP suite. IPSec includes protocols for establishing mutual authentication between the parties at the beginning of the session and for negotiating the cryptographic keys to be used during the session. Here, IPSec can be used to protect data packets exchanged between, as non-limiting examples, a pair of hosts (host-to-host), a pair of security gateways (network-to-network), web services running on hosts and client devices (host-to-client), or a security gateway and a host (network-to-host).
Internet Key Exchange (IKE or IKE v2) is a protocol used to set up a security association (SA) in the IPSec protocol suite. IKE uses authentication certificates (e.g., X.509) to set up a shared secret for the session between the parties, from which cryptographic keys can be derived. In addition, a security policy for every party in the session can be manually maintained. Most IPSec implementations include an IKE daemon that runs in user space and an IPSec stack in the kernel that processes the actual data packets. The user-space daemon has access to storage containing configuration information for the session, such as information identifying the IPSec endpoint addresses and ports of the parties, keys and certificates, and the type of IPSec tunnel that has been created between the parties. The IPSec stack in the kernel, in turn, intercepts the relevant IP packets exchanged between the parties during the session and, if and where appropriate, performs the required encryption/decryption operations on the data packets.
IPSec and IKE are typically implemented in software on a host (e.g., a host that provides web-based services) that initiates the secured communication with a client device. Since IPSec and IKE perform network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption/decryption), and replay protection, implementing IPSec and IKE in software may consume a tremendous amount of CPU processing power on the host. It is thus desirable to be able to offload the IPSec and IKE operations to an external hardware accelerator.
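The per-packet work that the kernel IPSec stack (or a hardware offload) performs on the inbound path, modelled as an added example that is not part of the original text: a security association database keyed by SPI, the RFC 4303 anti-replay sliding window, and an HMAC-based integrity check. The authentication key is a constructed value standing in for one that IKE would derive; encryption of the payload is omitted so the example needs only the Python standard library.

```python
import hmac
import hashlib
import struct

ICV_LEN = 16  # truncated HMAC-SHA256-128 integrity check value

class InboundSA:
    """One inbound security association as the kernel stack would hold it."""
    def __init__(self, auth_key, window=64):
        self.auth_key = auth_key  # constructed for the example; IKE derives it in practice
        self.window = window      # anti-replay window size (RFC 4303 minimum is 32)
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number highest-i already accepted

    def replay_check(self, seq):
        """RFC 4303 sliding window: may this sequence number still be accepted?"""
        if seq == 0:                 # sequence number 0 is never valid
            return False
        if seq > self.highest:       # newer than anything seen: always a candidate
            return True
        diff = self.highest - seq
        return diff < self.window and not (self.bitmap >> diff) & 1

    def replay_update(self, seq):
        """Advance or mark the window; call only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

def build_esp(spi, seq, payload, auth_key):
    """Outbound side: SPI | sequence number | payload | ICV (no encryption here)."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

def inbound_process(sad, packet):
    """Inbound path: SAD lookup by SPI, replay check, ICV check, window update."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed", None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:                   # no SA negotiated for this SPI: drop
        return "no_sa", None
    if not sa.replay_check(seq):     # cheap check first, before the ICV
        return "replay", None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad_icv", None       # forged packet must not advance the window
    sa.replay_update(seq)
    return "ok", body[8:]
```

The window is updated only after the ICV verifies, so a packet with a forged ICV cannot move the window forward and cause legitimate in-flight packets to be dropped as replays.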
The foregoing examples of the related art and limitations related therewith are intended to be illustrative and not exclusive. Other limitations of the related art will become apparent upon a reading of the specification and a study of the drawings.