A tunnel-mode VPN gateway can be built by inserting hook functions at key points of the TCP/IP stack through the Netfilter mechanism of the Linux 2.4.18 kernel. The system implements the IPSec protocol, providing encapsulation, encryption, decryption and authentication. To raise throughput, a hardware encryption card is used. In a 100 Mbit/s environment the card is driven by a kernel thread; with a special scheduling arrangement, the kernel thread cannot be preempted by other processes while it is handling network packets, so it holds the majority of CPU time, and a kernel thread with the SCHED_FIFO policy is scheduled ahead of other processes. When the network card runs at 1000 Mbit/s, the encryption card is driven from bottom-half routines instead; these BH routines are given the same priority as NET_RX_SOFTIRQ, which prevents the encryption work from being starved of CPU time, a condition that would otherwise become the bottleneck of the gateway. IKE data is processed ahead of NET_RX_SOFTIRQ so that IKE negotiation completes promptly and delivers keys to the IPSec module. During IPSec initialization the system allocates memory for the maximum array size in advance and bypasses kernel memory management at run time; enlarging the reassembly array reduces the number of dropped packets. When a packet would have to be fragmented after encapsulation, the IPSec module sends an ICMP destination-unreachable (fragmentation needed) message to the remote source host, and the local host lowers its MTU according to the encryption parameters; both measures reduce the occurrence of fragmentation. The VPN uses two encryption cards to process packets in parallel under a FIFO policy, and enlarging the cache increases the degree of parallelism. Test data shows that, with appropriate driving methods, the VPN achieves high performance in both 100 Mbit/s and 1000 Mbit/s environments.
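The fragmentation-avoidance step above (replying with ICMP destination unreachable / fragmentation needed, and lowering the MTU to fit the encryption overhead) is described but not shown. The following is an added example and not code from the paper or its gateway: a user-space C model of how a tunnel-mode ESP gateway computes the encapsulated size of an inner packet, derives the largest inner packet that still fits the link MTU, and builds the RFC 1191 ICMP message carrying that value as the next-hop MTU. The ESP overhead figures (20-byte outer IPv4 header, 8-byte ESP header, 8-byte IV, 8-byte cipher block, 12-byte ICV), the checksum routine and the sample packet are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Tunnel-mode ESP overhead model. Values are illustrative assumptions
 * (roughly 3DES-CBC with HMAC-SHA1-96), not parameters from the paper. */
typedef struct {
    size_t outer_ip_hdr; /* outer IPv4 header added in tunnel mode     */
    size_t esp_hdr;      /* SPI + sequence number                      */
    size_t iv_len;       /* cipher IV carried at the start of payload  */
    size_t block_len;    /* cipher block size; ESP pads to a multiple  */
    size_t icv_len;      /* authentication trailer (ICV)               */
} esp_params;

/* ESP pads (payload + pad-length + next-header) to a multiple of the
 * block size and to at least 4-byte alignment (RFC 2406). */
static size_t esp_align(const esp_params *p) {
    return p->block_len > 4 ? p->block_len : 4;
}

/* Wire size of an inner packet of inner_len bytes after ESP tunnel encapsulation. */
size_t esp_encap_len(const esp_params *p, size_t inner_len) {
    size_t align = esp_align(p);
    size_t padded = (inner_len + 2 + align - 1) / align * align; /* +2: pad len, next hdr */
    return p->outer_ip_hdr + p->esp_hdr + p->iv_len + padded + p->icv_len;
}

/* Largest inner packet that fits link_mtu without fragmentation after
 * encapsulation; this is what the gateway advertises as next-hop MTU. */
size_t esp_inner_mtu(const esp_params *p, size_t link_mtu) {
    size_t fixed = p->outer_ip_hdr + p->esp_hdr + p->iv_len + p->icv_len;
    size_t align = esp_align(p);
    if (link_mtu < fixed + align) return 0;
    size_t padded = (link_mtu - fixed) / align * align; /* largest aligned payload */
    return padded - 2;                                   /* minus pad len + next hdr */
}

/* RFC 1071 Internet checksum; yields 0 over a message whose checksum field is valid. */
uint16_t inet_csum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build ICMP Destination Unreachable, code 4 "fragmentation needed and DF set"
 * (RFC 792 / RFC 1191): 8-byte header carrying next_hop_mtu, followed by the
 * offending IPv4 header plus 8 payload bytes. Returns message length, 0 on bad input. */
size_t build_frag_needed(uint8_t *out, size_t out_cap,
                         const uint8_t *inner, size_t inner_len, uint16_t next_hop_mtu) {
    if (inner_len < 20 || (inner[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(inner[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > inner_len) return 0;
    size_t quote = ihl + 8 < inner_len ? ihl + 8 : inner_len;
    size_t len = 8 + quote;
    if (len > out_cap) return 0;
    memset(out, 0, 8);
    out[0] = 3; out[1] = 4;                 /* type, code; checksum bytes 2-3 filled below */
    out[6] = (uint8_t)(next_hop_mtu >> 8); out[7] = (uint8_t)(next_hop_mtu & 0xff);
    memcpy(out + 8, inner, quote);
    uint16_t c = inet_csum(out, len);
    out[2] = (uint8_t)(c >> 8); out[3] = (uint8_t)(c & 0xff);
    return len;
}

/* Gateway decision for one inner packet: 1 means the encapsulated packet would
 * exceed the link MTU, so reply with fragmentation-needed rather than fragment. */
int esp_needs_frag_reply(const esp_params *p, size_t link_mtu, size_t inner_len) {
    return esp_encap_len(p, inner_len) > link_mtu;
}

int main(void) {
    esp_params p = {20, 8, 8, 8, 12};
    size_t link_mtu = 1500;
    uint16_t mtu = (uint16_t)esp_inner_mtu(&p, link_mtu);

    /* Constructed inner packet: IPv4 header, DF set, total length 1447, TCP payload. */
    uint8_t pkt[1447];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;
    pkt[2] = (uint8_t)(sizeof pkt >> 8); pkt[3] = (uint8_t)(sizeof pkt & 0xff);
    pkt[6] = 0x40; pkt[9] = 6;

    uint8_t icmp[64];
    printf("advertised inner MTU: %u\n", mtu);
    if (esp_needs_frag_reply(&p, link_mtu, sizeof pkt)) {
        size_t n = build_frag_needed(icmp, sizeof icmp, pkt, sizeof pkt, mtu);
        printf("%zu-byte packet would be %zu bytes after ESP: ICMP type %u code %u, %zu bytes\n",
               sizeof pkt, esp_encap_len(&p, sizeof pkt), icmp[0], icmp[1], n);
    }
    return 0;
}
```

The value carried in the next-hop MTU field is what the local host uses to lower its own MTU, so later packets arrive small enough that no fragmentation occurs after encapsulation. A real gateway would wrap the ICMP message in an IP packet addressed to the inner source and rate-limit such replies; with the example parameters a 1500-byte link yields an advertised inner MTU of 1446, because 1447 bytes pad out to 1504 on the wire.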