Enhance NanoSec IKE capabilities
This section outlines methods to enhance the capabilities of NanoSec IKE, focusing on improving performance for high-load environments and large-scale deployments. Strategies include implementing multi-threading to handle more sessions in parallel, optimizing IKE_SA table lookups, and leveraging timers for efficient session management. Additionally, guidance is provided for integrating NanoSec IKE as both an EAP supplicant and an EAP authenticator, with detailed instructions for using specific compilation flags and API settings.
Optimize NanoSec IKE for performance enhancement
This section describes how to optimize the NanoSec IKE build to achieve better performance, such as a higher tunnel setup rate and better scalability, on systems under high load, for example a large number of concurrent IKE sessions.
Multi-threading
The default global locking scheme in NanoSec IKE serializes packet processing and prevents the code from processing packets in parallel. With the optional compilation flag __IKE_MULTI_THREADED__ enabled, granular locks are provided to improve IKE performance, most noticeably on a symmetric multi-processor (SMP) platform.
The upper layer integration must ensure strict association between an IKE session and a worker thread. The mechanism to implement is up to the integrator’s discretion and outside the scope of the NanoSec IKE code.
End user integration requirements
For detailed API documentation about the functions and callouts, see NanoSec API Reference. For a sample multi-threaded integration, refer to the file ike_example.c in the src/examples directory.
The end-user integration requirements are as follows:
The design of a front-end packet steering mechanism that uses a hash function (e.g., based on the initiator cookie in the IKE message) to associate an IKE session with a unique thread. Additionally, the following callout setting must be implemented and assigned accordingly:
IKE_ikeSettings()->funcPtrIkeGetThreadId()
The design of a queuing mechanism for each thread to consume external packets or internal events. On receiving an external IKE packet, the packet must be relayed to the associated thread. Additionally, the following callout setting must be implemented and assigned for NanoSec IKE to relay internal events to the desired threads.
IKE_ikeSettings()->funcPtrIkeThreadSend()
In the context of a given thread, one of IKE_msgRecv(), IKE2_msgRecv() or IKE_dpcRecv() can be called to process the packets or events.
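The following is an added example (not NanoSec IKE code) of the front-end steering step described above: it parses the IKE header as defined in RFC 7296 and hashes the 8-byte initiator SPI (cookie) to pick a worker thread, rejecting truncated datagrams and UDP-encapsulated ESP that shares port 4500 with IKE. The names ike_steer_thread and build_sample are hypothetical; the returned index is what an integrator would use to choose a per-thread queue or return from the funcPtrIkeGetThreadId callout (the callout's exact signature is assumed to be in the NanoSec API Reference and is not shown here).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IKE_HDR_LEN    28   /* fixed IKE header length, RFC 7296 section 3.1 */
#define NON_ESP_MARKER 4    /* zero bytes that prefix IKE on UDP port 4500 */

/* Locate the IKE header in a UDP payload. On port 4500 (NAT-T) IKE messages
 * carry a 4-byte all-zero non-ESP marker; UDP-encapsulated ESP on that port
 * has a non-zero SPI there and must not be steered to an IKE thread at all. */
static const uint8_t *ike_hdr(const uint8_t *udp, size_t len, int port4500)
{
    static const uint8_t zero[NON_ESP_MARKER] = {0};
    if (port4500) {
        if (len < NON_ESP_MARKER || memcmp(udp, zero, NON_ESP_MARKER) != 0)
            return NULL;
        udp += NON_ESP_MARKER;
        len -= NON_ESP_MARKER;
    }
    if (len < IKE_HDR_LEN)
        return NULL;                            /* truncated header */
    if ((udp[17] >> 4) != 1 && (udp[17] >> 4) != 2)
        return NULL;                            /* neither IKEv1 nor IKEv2 */
    return udp;
}

/* Worker index 0..nthreads-1 for this datagram, or -1 if it is not an IKE
 * message. Bytes 0..7 (initiator SPI) are identical in every message of the
 * IKE_SA in both directions, so one session never spans two threads. */
int ike_steer_thread(const uint8_t *udp, size_t len, int port4500, unsigned nthreads)
{
    const uint8_t *h = ike_hdr(udp, len, port4500);
    uint32_t hash = 2166136261u;                /* FNV-1a over the initiator SPI */
    if (h == NULL || nthreads == 0)
        return -1;
    for (int i = 0; i < 8; i++) { hash ^= h[i]; hash *= 16777619u; }
    return (int)(hash % nthreads);
}

/* Constructed sample: IKEv2 header with the given SPI fill bytes, optionally
 * prefixed with the non-ESP marker. Returns the datagram length. */
size_t build_sample(uint8_t *buf, uint8_t ispi, uint8_t rspi, int marker)
{
    size_t off = marker ? NON_ESP_MARKER : 0;
    memset(buf, 0, off + IKE_HDR_LEN);
    memset(buf + off, ispi, 8);                 /* initiator SPI */
    memset(buf + off + 8, rspi, 8);             /* responder SPI */
    buf[off + 17] = 0x20;                       /* IKE version 2.0 */
    return off + IKE_HDR_LEN;
}
```

Because the responder SPI is not part of the hash, the initiator's request and the responder's reply (which fills in the responder SPI) map to the same worker, which is the strict session-to-thread association the integration requires.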
Hash tables
To improve IKE_SA table lookup in the presence of a large number of concurrent IKE sessions, NanoSec IKE can be built to use hash tables to reduce lookup latency. The following compilation macros should be defined accordingly; each mask must be one less than a power of two:
#define IKE_SA_CKY_HASH_TABLE_SIZE_MASK 511 /* must be (2^n - 1) */
#define IKE_SA_ADDR_HASH_TABLE_SIZE_MASK 511 /* must be (2^n - 1) */
Timers
For housekeeping such as re-transmissions and session expiration, NanoSec IKE can be built to perform such tasks by using timers instead of traversing the entire IKE_SA table periodically. With the compilation flag __IKE_UPDATE_TIMER__ enabled, individual IKE sessions are updated only when certain tasks are due.
NanoSec IKE EAP supplicant
This section provides guidelines on extra steps and requirements needed to integrate NanoSec IKE as an EAP supplicant.
For a sample integration of IKE EAP supplicant, refer to the ike_example.c file in the src/examples directory. Note that this feature is applicable in IKEv2 only.
IKE configuration
To configure NanoSec IKE as an EAP supplicant:
Configure the following settings (after the call to IKE_init):
IKE_ikeSettings()->eapIdentity = <EAP_IDENTITY_STRING>;
IKE_ikeSettings()->eapProtoPeer = <EAP_METHOD>;
The supported EAP methods are as follows:
EAP_PROTO_AKA
EAP_PROTO_GTC
EAP_PROTO_LEAP
EAP_PROTO_MD5
EAP_PROTO_MSCHAPv2
EAP_PROTO_PSK
EAP_PROTO_SIM
EAP_PROTO_SRP
Implement the following IKE callout setting and assign it accordingly:
IKE_ikeSettings()->funcPtrGetToken()
Compilation flags
The following additional compilation flags are required to build the IKE EAP supplicant:
__ENABLE_MOCANA_EAP_GTC__
__ENABLE_MOCANA_EAP_LEAP__
__ENABLE_MOCANA_EAP_MD5__
__ENABLE_MOCANA_EAP_MSCHAPv2__
__ENABLE_MOCANA_EAP_PEER__
__ENABLE_MOCANA_EAP_PSK__
__ENABLE_MOCANA_EAP_SIM__
__ENABLE_MOCANA_EAP_SRP__
__ENABLE_MOCANA_MD4__
NanoSec IKE EAP authenticator
This section provides guidelines on extra steps and the requirements needed to integrate NanoSec IKE as an EAP authenticator.
For a sample integration of IKE EAP authenticator, refer to the ike_example.c file in the src/examples directory. Note that this feature is applicable in IKEv2 only.
IKE configuration
Configure the following setting (after the call to IKE_init) to set up the EAP method to use:
IKE_ikeSettings()->eapProtoAuth = <EAP_METHOD>;
The supported EAP methods are as follows:
EAP_PROTO_AKA
EAP_PROTO_GTC
EAP_PROTO_LEAP
EAP_PROTO_MD5
EAP_PROTO_MSCHAPv2
EAP_PROTO_PSK
EAP_PROTO_SIM
EAP_PROTO_SRP
Implement the following IKE callout settings and assign them accordingly:
IKE_ikeSettings()->funcPtrIkeVerifyPassword() /* EAP-GTC only */
IKE_ikeSettings()->funcPtrIkeLookupSecret()
IKE_ikeSettings()->funcPtrIkeReleaseSecret()
Compilation flags
The following additional compilation flags are required to build the IKE EAP authenticator:
__ENABLE_MOCANA_EAP_AUTH__
__ENABLE_MOCANA_EAP_GTC__
__ENABLE_MOCANA_EAP_LEAP__
__ENABLE_MOCANA_EAP_MD5__
__ENABLE_MOCANA_EAP_MSCHAPv2__
__ENABLE_MOCANA_EAP_PSK__
__ENABLE_MOCANA_EAP_SIM__
__ENABLE_MOCANA_EAP_SRP__
__ENABLE_MOCANA_MD4__
NanoSec IKE EAP-TTLS authenticator
This section provides guidelines on the extra steps required to integrate NanoSec IKE as an EAP-TTLS authenticator. It is assumed that a backend RADIUS server is available to handle the legacy EAP methods (i.e., the methods other than EAP-TTLS).
Specifically, the handshake phase of EAP-TTLS is handled internally by NanoSec IKE via the NanoSSL Server, whereas the data phase carrying the legacy EAP protocols is delegated to the backend RADIUS server via the NanoRADIUS Client.
For a sample integration of IKE EAP-TTLS authenticator, refer to the ike_example.c file in the src/examples directory. Note that this feature is applicable in IKEv2 only.
The end-user integration requirements are covered in this section.
IKE configuration
Configure the following settings (after the call to IKE_init):
IKE_ikeSettings()->eapProtoAuth = EAP_PROTO_TTLS;
IKE_ikeSettings()->bDoEapOnly = TRUE;
NanoRADIUS client
Because NanoSec IKE depends on the NanoRADIUS client for communication with the RADIUS server, end-users must also integrate the NanoRADIUS client into their target applications.
The relevant end-user integration requirements are as follows:
After the call to IKE_init, initialize the NanoRADIUS client:
RADIUS_init();
Implement the following IKE callout setting and assign it accordingly, based on the end-user’s NanoRADIUS client configuration:
IKE_ikeSettings()->funcPtrIkeGetRadSvrId()
Receive responses from the RADIUS server.
Process RADIUS responses by calling the following function:
IKE_radRecv();
After the end-user application has exited, shut down the NanoRADIUS client:
RADIUS_shutdown();
NanoSSL server
Because NanoSec IKE depends on the NanoSSL server for the handshake phase of EAP-TTLS, end-users must also integrate the NanoSSL Server into their target applications.
The relevant end-user integration requirements are as follows:
After the call to IKE_init, initialize NanoSSL Server:
SSL_ASYNC_init(IKE_SA_MAX*2, 0);
Implement the following IKE callout setting and assign it accordingly:
IKE_ikeSettings()->funcPtrIkeGetTlsCertStore()
After the end-user application has exited, shut down the NanoSSL server:
SSL_releaseTables();
SSL_shutdownStack();
Compilation flags
The following compilation flags are also required to build the IKE EAP-TTLS authenticator:
__ENABLE_IKE_EAP_ONLY__
__ENABLE_MOCANA_EAP_AUTH__
__ENABLE_MOCANA_EAP_MD5__
__ENABLE_MOCANA_EAP_MSCHAPv2__
__ENABLE_MOCANA_EAP_RADIUS__
__ENABLE_MOCANA_EAP_TLS__
__ENABLE_MOCANA_EAP_TTLS__
__ENABLE_MOCANA_MD4__
__ENABLE_MOCANA_RADIUS_CLIENT__
__ENABLE_MOCANA_SSL_ASYNC_API_EXTENSIONS__
__ENABLE_MOCANA_SSL_ASYNC_CLIENT_API__
__ENABLE_MOCANA_SSL_ASYNC_SERVER_API__
__ENABLE_MOCANA_SSL_KEY_EXPANSION__
__ENABLE_RFC3576__