An ipsec VPN single tunnel software encryption and decryption performance extension method

Abstract

The invention discloses an IPsec VPN single tunnel software encryption and decryption performance extension method. The message forwarding engine supports multi-CPU parallel processing of message forwarding services. If the current CPU utilization rate exceeds 90%, and the existing utilization rate is lower than 50% CPU, obtain the first CPU that does not exceed 50%, and send the message to the shared queue of the destination CPU as the destination CPU, and encrypt the plaintext message; if the hash of the plaintext does not belong to the message of the CPU , the encrypted packet is sent to the shared queue of the original CPU, and the encrypted packet is obtained from the shared queue of the CPU. The present invention realizes pure software, and when one of the CPUs has too high an IPsec VPN message encryption and decryption load, the encryption and decryption message pointer is transferred to other idle CPUs for encryption and decryption processing, thereby achieving the purpose of improving the performance of a single IPsec VPN tunnel.

Description

technical field [0001] The invention belongs to the field of data communication, and in particular relates to a software encryption and decryption performance extension method for an IPsec VPN single tunnel. Background technique [0002] Traditional data forwarding equipment, such as gateway equipment such as routers and firewalls, is mainly in the form of software and hardware. The software and hardware are bound together, so the performance is fixed. Customers need to purchase products according to their own performance parameters during the purchase process. model. As the core function of the gateway device, the performance of IPsec VPN is also an important consideration for customers to choose this product. IPSec VPN refers to a VPN technology that uses the IPSec protocol to realize remote access. IPSec is called Internet Protocol Security. It is a security standard framework defined by the Internet Engineering Task Force (IETF). End-to-end encryption and authenticatio...

AI Technical Summary

Problems solved by technology

[0008] However, the first method implements hardware encryption and decryption through hardware. The advantage of this solution is that it can make full use of the high efficiency of hardware to achieve high encryption and decryption performance, but its cost is high, and the hardware has certain customization, so not a universal solution

The second is to use encryption and decryption as an independent processing unit on the software, and start multiple corresponding software processing units to achieve performance expansion of encryption and decryption. However, as a processing unit of the packet forwarding engine, it needs to be deployed during the deployment process. Occupies CPU resources alone. If there is no ipsec VPN-related business, the processing unit occupies resources but does not do any processing, which is a serious waste of resources.

Images