應用叢集式架構的高速網路IPsec閘道器

Abstract

由於希望在網際網路上能安全通訊的需求愈來愈多，在眾多提供子網路內所有機器都能安全通訊的方法之中，IPsec閘道器也逐漸地頗為大眾所使用。在此網路架構下，IPsec閘道器的處理速度將會是整體網路速度的關鍵所在。為了加快IPsec閘道器的效能及可靠性，叢集式設計的IPsec閘道器在近年被提出來。傳統的叢集式技術必須要有一台中央集權的分配器來處理所有進出的網路封包。當此分配器故障而無法提供服務時，將會造成整個閘道器都無法運作。同樣地，假若該分配器的運算能力不足以處理所有流經的封包時，該分配器反而成為此閘道器的瓶頸所在。在本篇論文裡，我們提出了另一種叢集式架構，隨著增加叢集內機器數量，它的效能也幾乎能呈線性成長。如同實驗數據所顯示的，我們所提出的架構不僅能解決叢集內各機器同步化的問題，也能有較佳的效能。

Due to the increasing demand of secure communications over the Internet, IPsec gateway becomes one of the popular methods to provide security services to all clients in a protected subnet. The processing speed of an IPsec gateway is critical to the overall network throughput. To accelerate processing speed and improve reliability, cluster technology was inherently applied to the design of a modern IPsec gateway. Traditional dispatcher/master-based cluster technique must have a centralized dispatcher to handle all incoming and outgoing messages. The failure of single point, that is the dispatcher, will cause the crash of the entire gateway. The dispatcher will also become the bottleneck if its computation power cannot handle all messages. With the proposed clustered architecture, the speed of IPsec gateway increases drastically and almost linearly. As the experiment results showed, the proposed clustered architecture provides better performance and can scale up easily.