On the Deployment Approach of IPSec and IP Filter in Routers

IPSec and IP Filter are among the most important security modules of IPv6 routers. Similar to the function of IP Filter, the security-association query engine of IPSec also needs filtering and matching the IP packages. The IP packages flowing inside the router could be filtered by IP Filter and IPSec for more than once. Thus, the method of deployment between the two modules will have direct influence on the processing performance of IP packages. In this work, the inter-relationship between the two security modules is given in a perspective of router global security. Moreover, a novel deployment approach is proposed. Compared with the open-source IPv6 protocol stack KAME, the improved processing performance of IPSec is obtained and the negative influence of IP Filter on the IPSec is reduced. Meanwhile, the duplicated IP package filtering within the routers is reduced to improve the processing performance of IP package.