QUICK REVIEW

[Paper Review] P4-IPsec: Implementation of IPsec Gateways in P4 with SDN Control for Host-to-Site Scenarios

Frederik Hauser, Marco Häberle | arXiv (Cornell University) | Jul 8, 2019
Software-Defined Networks and 5G | 34 references | 7 citations
TL;DR

P4-IPsec proposes a software-defined IPsec gateway implementation using P4 for host-to-site VPNs, enabling on-demand tunnel creation via an IKE-less controller-based signaling. It demonstrates feasibility and performance across BMv2, NetFPGA SUME, and Edgecore Wedge 100BF-32X targets, achieving high throughput and low latency in experimental evaluations.

ABSTRACT

In this paper we propose P4-IPsec which follows the software-defined networking (SDN) paradigm. It comprises a P4-based implementation of an IPsec gateway, a client agent, and a controller-based, IKE-less signalling between them. P4-IPsec features the Encapsulation Security Payload (ESP) protocol, tunnel mode, and various cipher suites for host-to-site virtual private networks (VPNs). We consider the use case of a roadwarrior and multiple IPsec gateways steered by the same controller. P4-IPsec supports on-demand VPN which sets up tunnels to appropriate resources within these sites when requested by applications. To validate the P4-based approach for IPsec gateways, we provide three prototypes leveraging the software switch BMv2, the NetFPGA SUME card, and the Edgecore Wedge 100BF-32X switch as P4 targets. For the latter, we perform a performance evaluation giving experimental results on throughput and delay.

Motivation & Objective

  • To enable dynamic, controller-managed IPsec gateway operation in software-defined networking (SDN) environments.
  • To eliminate dependency on IKE for IPsec tunnel setup by introducing an IKE-less signaling mechanism.
  • To support tunnel mode with multiple cipher suites for secure host-to-site communication.
  • To enable on-demand VPN tunnel creation based on application requests.
  • To validate the performance and feasibility of P4-based IPsec gateways on diverse P4-capable hardware platforms.

Proposed method

  • Implementing an IPsec gateway in P4 to handle ESP protocol in tunnel mode with configurable cipher suites.
  • Designing a controller-based, IKE-less signaling protocol to manage tunnel setup and configuration.
  • Deploying the P4-IPsec gateway on three hardware targets: BMv2 software switch, NetFPGA SUME FPGA board, and Edgecore Wedge 100BF-32X switch.
  • Using application-level requests to trigger on-demand tunnel creation to appropriate remote sites.
  • Configuring the controller to manage security associations and direct traffic to the correct P4-based gateway.
  • Evaluating performance on the Edgecore Wedge 100BF-32X using throughput and delay measurements.
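What the gateway and client agent actually do on the data path, as an added example that is not the paper's P4 or controller code: a controller installs one unidirectional security association (SA) on the client agent and its mirror on the gateway (no IKE exchange), the client wraps an inner IP packet in ESP tunnel mode, and the gateway looks up the SA by SPI, runs the RFC 4303 anti-replay check, verifies the integrity check value and unwraps the inner packet. Assumptions: the cipher suite is integrity-only ENCR_NULL + HMAC-SHA-256-128 (one of the suites RFC 4303/4868 permit) so that the code runs with the Python standard library alone; the controller's signalling is modelled as direct installation of a `SecurityAssociation` object, not the paper's wire protocol; the key, SPI, addresses and inner packet are all constructed.

```python
"""ESP tunnel mode with controller-installed SAs (constructed example, not the
paper's code). Cipher suite: ENCR_NULL + HMAC-SHA-256-128 (RFC 4303/4868), so
only the standard library is needed; an AEAD suite would replace compute_icv()."""
import hashlib, hmac, ipaddress, struct
from dataclasses import dataclass

ESP_PROTO = 50        # IP protocol number of ESP
NEXT_HDR_IPV4 = 4     # next-header value for IPv4-in-ESP (tunnel mode)
ICV_LEN = 16          # HMAC-SHA-256 truncated to 128 bits
SEQ_MAX = 0xFFFFFFFF  # 32-bit sequence number; no ESN in this example


@dataclass
class SecurityAssociation:
    """One unidirectional SA exactly as a controller would push it (no IKE)."""
    spi: int
    auth_key: bytes
    tunnel_src: str
    tunnel_dst: str
    seq: int = 0          # outbound: last sequence number sent
    window: int = 64      # inbound: anti-replay window size
    highest_seq: int = 0  # inbound: highest sequence number accepted
    bitmap: int = 0       # inbound: bit i set => highest_seq - i already accepted


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid checksum (used for outer and inner)."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                    ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", h))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", (~s) & 0xFFFF) + h[12:]


def compute_icv(sa, data):
    return hmac.new(sa.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(sa, inner_packet):
    """Client-agent side: inner IP packet -> outer IP | ESP hdr | payload | trailer | ICV."""
    if sa.seq >= SEQ_MAX:
        raise RuntimeError("sequence number exhausted; the controller must rekey")
    sa.seq += 1
    pad_len = (-(len(inner_packet) + 2)) % 4   # payload + trailer must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding 1,2,3,...
    esp = struct.pack("!II", sa.spi, sa.seq) + inner_packet + padding + bytes([pad_len, NEXT_HDR_IPV4])
    esp += compute_icv(sa, esp)
    return ipv4_header(sa.tunnel_src, sa.tunnel_dst, ESP_PROTO, len(esp)) + esp


def replay_ok(sa, seq):
    """RFC 4303 3.4.3 pre-check: reject 0, anything left of the window, and duplicates."""
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        return True
    diff = sa.highest_seq - seq
    return diff < sa.window and not sa.bitmap & (1 << diff)


def replay_update(sa, seq):
    """Slide or mark the window; called only after the ICV verified."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1) if shift < sa.window else 1
        sa.highest_seq = seq
    else:
        sa.bitmap |= 1 << (sa.highest_seq - seq)


def esp_decapsulate(sad, packet):
    """Gateway side: SPI lookup, replay check, ICV check, unwrap. Raises ValueError on failure."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not ESP")
    esp = packet[ihl:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get(spi)                             # sad: dict SPI -> inbound SA
    if sa is None:
        raise ValueError("unknown SPI 0x%08x" % spi)
    if not replay_ok(sa, seq):
        raise ValueError("replayed or out-of-window seq %d" % seq)
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, compute_icv(sa, body)):
        raise ValueError("ICV mismatch")
    replay_update(sa, seq)
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != NEXT_HDR_IPV4:
        raise ValueError("unexpected next header %d" % next_hdr)
    return body[8:len(body) - 2 - pad_len]


def run_demo():
    """Roadwarrior -> gateway round trip, then a replay and a tampered copy."""
    key = bytes(range(32))   # constructed key; a controller would generate and distribute it
    params = dict(spi=0x1001, auth_key=key, tunnel_src="203.0.113.7", tunnel_dst="198.51.100.1")
    client_out = SecurityAssociation(**params)                      # outbound SA on the client agent
    gateway_sad = {params["spi"]: SecurityAssociation(**params)}    # inbound SA on the gateway
    inner = ipv4_header("10.0.0.5", "192.168.1.10", 17, 5) + b"hello"   # constructed inner packet
    wire = esp_encapsulate(client_out, inner)
    out = {"roundtrip": esp_decapsulate(gateway_sad, wire) == inner,
           "replay_rejected": False, "tamper_rejected": False}
    try:
        esp_decapsulate(gateway_sad, wire)        # identical packet a second time
    except ValueError:
        out["replay_rejected"] = True
    tampered = bytearray(esp_encapsulate(client_out, inner))
    tampered[-ICV_LEN - 10] ^= 0x01               # flip one bit inside the inner packet
    try:
        esp_decapsulate(gateway_sad, bytes(tampered))
    except ValueError:
        out["tamper_rejected"] = True
    return out
```

Two design points carry over to any controller-driven IPsec deployment regardless of target: the SA is unidirectional, so the controller must install the outbound copy on the client and the matching inbound copy on the gateway (and rekey both before the 32-bit sequence counter wraps), and the receiver runs the anti-replay pre-check before the ICV computation but only slides the window after the ICV verified, so a forged sequence number cannot advance the window.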

Experimental results

Research questions

  • RQ1: Can P4 be effectively used to implement IPsec gateways with full support for tunnel mode and multiple cipher suites?
  • RQ2: How can IKE be eliminated from the IPsec tunnel setup process while maintaining security and scalability?
  • RQ3: Can on-demand IPsec tunnel creation be efficiently orchestrated via an SDN controller in a host-to-site scenario?
  • RQ4: What performance characteristics does a P4-based IPsec gateway achieve on commodity P4 hardware?
  • RQ5: How does the P4-IPsec architecture scale across multiple gateways and roadwarrior clients under dynamic tunnel demands?

Key findings

  • The P4-IPsec implementation successfully supports ESP in tunnel mode with multiple cipher suites across all three hardware platforms.
  • The IKE-less signaling mechanism enables efficient, controller-driven setup of on-demand IPsec tunnels without relying on traditional IKE protocols.
  • Performance evaluation on the Edgecore Wedge 100BF-32X switch shows high throughput and low latency, confirming feasibility for production deployment.
  • The system demonstrates dynamic tunnel provisioning based on application requests, enabling flexible and responsive host-to-site connectivity.
  • The P4-based approach enables consistent and programmable IPsec gateway behavior across diverse P4-capable hardware targets.


This review was created by AI and reviewed by human editors.