
Enhance NanoSec IKE capabilities

This section outlines methods to enhance the capabilities of NanoSec IKE, focusing on improving performance for high-load environments and large-scale deployments. Strategies include implementing multi-threading to handle more sessions in parallel, optimizing IKE_SA table lookups, and leveraging timers for efficient session management. Additionally, guidance is provided for integrating NanoSec IKE as both an EAP supplicant and authenticator, with detailed instructions for using specific compilation flags and API settings.

Optimize NanoSec IKE for performance enhancement

This section describes how to optimize the NanoSec IKE build for better performance, such as tunnel setup rate and scalability, on systems under high load, for example one carrying a large number of IKE sessions.

Multi-threading

The default global locking scheme in NanoSec IKE serializes packet processing and prevents the code from processing packets in parallel. With the optional compilation flag __IKE_MULTI_THREADED__ enabled, granular locks are provided to improve IKE performance, most noticeably on a symmetric multi-processor (SMP) platform.

The upper layer integration must ensure strict association between an IKE session and a worker thread. The mechanism to implement is up to the integrator’s discretion and outside the scope of the NanoSec IKE code.

End user integration requirements

For detailed API documentation about the functions and callouts, see NanoSec API Reference. For a sample multi-threaded integration, refer to file ike_example.c in the src/examples directory.

The end-user integration requirements are as follows:

  • The design of a front-end packet steering mechanism that uses a hash function (e.g., based on the initiator cookie in the IKE message) to associate an IKE session with a unique thread. Additionally, the following callout setting must be implemented and assigned accordingly:

    IKE_ikeSettings()->funcPtrIkeGetThreadId()
    
  • The design of a queuing mechanism for each thread to consume external packets or internal events. On receiving an external IKE packet, the packet must be relayed to the associated thread. Additionally, the following callout setting must be implemented and assigned for NanoSec IKE to relay internal events to the desired threads.

    IKE_ikeSettings()->funcPtrIkeThreadSend()
    

In the context of a given thread, one of IKE_msgRecv(), IKE2_msgRecv() or IKE_dpcRecv() can be called to process the packets or events.

Hash tables

To improve IKE_SA table lookup in the presence of a large number of concurrent IKE sessions, NanoSec IKE can be built to use hash tables to reduce latency. The following compilation macros should be defined accordingly.

#define IKE_SA_CKY_HASH_TABLE_SIZE_MASK 511 /* must be (2^n - 1) */

#define IKE_SA_ADDR_HASH_TABLE_SIZE_MASK 511 /* must be (2^n - 1) */
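As an added illustration of the packet-steering design from the multi-threading section and of the (2^n - 1) mask rule above (example code written here, not NanoSec code and not taken from ike_example.c): it hashes the 8-byte initiator SPI that opens every IKE header to a worker index, enqueues into a hypothetical per-worker queue, and checks that a candidate table mask is of the (2^n - 1) form. The worker count, queue layout and FNV-1a hash are assumptions; the real funcPtrIkeGetThreadId() and funcPtrIkeThreadSend() callouts are not called here.

```c
#include <stdint.h>
#include <stddef.h>

#define IKE_HDR_LEN   28   /* fixed IKE header length (RFC 7296, section 3.1) */
#define WORKER_COUNT  8    /* assumed size of the integrator's worker pool */
#define QUEUE_SLOTS   64   /* assumed depth of each per-worker queue */

/* Hypothetical per-worker ring queue: the integrator's design, not a NanoSec API. */
typedef struct {
    const uint8_t *pkt[QUEUE_SLOTS];
    size_t         len[QUEUE_SLOTS];
    unsigned       head, tail;
} worker_queue_t;
static worker_queue_t g_queues[WORKER_COUNT];

/* FNV-1a over the initiator SPI ("initiator cookie") at offset 0 of the header.
 * It is the same in every packet of an IKE_SA, so all of them land on one thread. */
static uint32_t ike_cookie_hash(const uint8_t *hdr)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < 8; i++) { h ^= hdr[i]; h *= 16777619u; }
    return h;
}

/* Map a datagram to a worker index; -1 means "too short to be IKE, drop it". */
int ike_steer_thread(const uint8_t *pkt, size_t len, unsigned nthreads)
{
    if (pkt == NULL || len < IKE_HDR_LEN || nthreads == 0) return -1;
    return (int)(ike_cookie_hash(pkt) % nthreads);
}

/* Compile-time mask sanity check: IKE_SA_*_HASH_TABLE_SIZE_MASK must be 2^n - 1. */
int ike_valid_table_mask(uint32_t mask)
{
    return mask != 0 && (mask & (mask + 1u)) == 0;
}

/* Bucket index the way a masked cookie table would derive it. */
uint32_t ike_cky_bucket(const uint8_t *hdr, uint32_t mask)
{
    return ike_cookie_hash(hdr) & mask;
}

/* Front-end relay: steer, then hand off to the owning worker's queue.
 * A full queue drops the packet rather than blocking the receive path. */
int ike_enqueue(const uint8_t *pkt, size_t len)
{
    int w = ike_steer_thread(pkt, len, WORKER_COUNT);
    if (w < 0) return -1;
    worker_queue_t *q = &g_queues[w];
    unsigned next = (q->tail + 1) % QUEUE_SLOTS;
    if (next == q->head) return -1;
    q->pkt[q->tail] = pkt; q->len[q->tail] = len; q->tail = next;
    return w;
}
```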

Timers

For housekeeping such as re-transmissions and session expiration, NanoSec IKE can be built to perform such tasks by using timers instead of traversing the entire IKE_SA table periodically. With the compilation flag __IKE_UPDATE_TIMER__ enabled, individual IKE sessions are updated only when certain tasks are due.

NanoSec IKE EAP supplicant

This section provides guidelines on extra steps and requirements needed to integrate NanoSec IKE as an EAP supplicant.

For a sample integration of IKE EAP supplicant, refer to the ike_example.c file in the src/examples directory. Note that this feature is applicable in IKEv2 only.

IKE configuration

To configure NanoSec IKE as an EAP supplicant:

  • Configure the following settings (after the call to IKE_init):

    IKE_ikeSettings()->eapIdentity = <EAP_IDENTITY_STRING>;
    
    IKE_ikeSettings()->eapProtoPeer = <EAP_METHOD>;
    

The supported EAP methods are as follows:

  • EAP_PROTO_AKA

  • EAP_PROTO_GTC

  • EAP_PROTO_LEAP

  • EAP_PROTO_MD5

  • EAP_PROTO_MSCHAPv2

  • EAP_PROTO_PSK

  • EAP_PROTO_SIM

  • EAP_PROTO_SRP

  • Implement the following IKE callout setting and assign it accordingly:

    IKE_ikeSettings()->funcPtrGetToken()
    

Compilation flags

The following additional compilation flags are required to build the IKE EAP supplicant:

  • __ENABLE_MOCANA_EAP_GTC__

  • __ENABLE_MOCANA_EAP_LEAP__

  • __ENABLE_MOCANA_EAP_MD5__

  • __ENABLE_MOCANA_EAP_MSCHAPv2__

  • __ENABLE_MOCANA_EAP_PEER__

  • __ENABLE_MOCANA_EAP_PSK__

  • __ENABLE_MOCANA_EAP_SIM__

  • __ENABLE_MOCANA_EAP_SRP__

  • __ENABLE_MOCANA_MD4__

NanoSec IKE EAP authenticator

This section provides guidelines on extra steps and the requirements needed to integrate NanoSec IKE as an EAP authenticator.

For a sample integration of IKE EAP authenticator, refer to the ike_example.c file in the src/examples directory. Note that this feature is applicable in IKEv2 only.

IKE configuration

Configure the following setting (after the call to IKE_init) to set up the EAP method to use:

IKE_ikeSettings()->eapProtoAuth = <EAP_METHOD>;

The supported EAP methods are as follows:

  • EAP_PROTO_AKA

  • EAP_PROTO_GTC

  • EAP_PROTO_LEAP

  • EAP_PROTO_MD5

  • EAP_PROTO_MSCHAPv2

  • EAP_PROTO_PSK

  • EAP_PROTO_SIM

  • EAP_PROTO_SRP

Implement the following IKE callout settings and assign them accordingly:

IKE_ikeSettings()->funcPtrIkeVerifyPassword() /* EAP-GTC only */

IKE_ikeSettings()->funcPtrIkeLookupSecret()

IKE_ikeSettings()->funcPtrIkeReleaseSecret()

Compilation flags

The following additional compilation flags are required to build the IKE EAP authenticator:

  • __ENABLE_MOCANA_EAP_AUTH__

  • __ENABLE_MOCANA_EAP_GTC__

  • __ENABLE_MOCANA_EAP_LEAP__

  • __ENABLE_MOCANA_EAP_MD5__

  • __ENABLE_MOCANA_EAP_MSCHAPv2__

  • __ENABLE_MOCANA_EAP_PSK__

  • __ENABLE_MOCANA_EAP_SIM__

  • __ENABLE_MOCANA_EAP_SRP__

  • __ENABLE_MOCANA_MD4__

NanoSec IKE EAP-TTLS authenticator

This section provides guidelines on the extra steps required to integrate NanoSec IKE as an EAP-TTLS authenticator. It is presumed that a backend RADIUS server is available to handle legacy EAP methods (i.e., methods other than EAP-TTLS).

Specifically, the handshake phase of EAP-TTLS is handled internally by NanoSec IKE via the NanoSSL Server, while the data phase carrying the legacy EAP protocols is delegated to the backend RADIUS server via the NanoRADIUS Client.

For a sample integration of IKE EAP-TTLS authenticator, refer to the ike_example.c file in the src/examples directory. Note that this feature is applicable in IKEv2 only.

The end-user integration requirements are covered in this section.

IKE configuration

Configure the following settings (after the call to IKE_init):

IKE_ikeSettings()->eapProtoAuth = EAP_PROTO_TTLS;

IKE_ikeSettings()->bDoEapOnly = TRUE;

NanoRADIUS client

Because NanoSec IKE depends on the NanoRADIUS client for communication with the RADIUS server, end-users must also integrate the NanoRADIUS client into their target applications.

The relevant end-user integration requirements are as follows:

  • After the call to IKE_init, initialize the NanoRADIUS client:

    RADIUS_init();
    
  • Implement the following IKE callout setting and assign it accordingly, based on the end-user’s NanoRADIUS client configuration:

    IKE_ikeSettings()->funcPtrIkeGetRadSvrId()
    
  • Receive responses from the RADIUS server.

  • Process RADIUS responses by calling the following function:

    IKE_radRecv();
    
  • After the end-user application has exited, shut down the NanoRADIUS client:

    RADIUS_shutdown();
    

NanoSSL server

Because NanoSec IKE depends on the NanoSSL server for the handshake phase of EAP-TTLS, end-users must also integrate the NanoSSL Server into their target applications.

The relevant end-user integration requirements are as follows:

  • After the call to IKE_init, initialize NanoSSL Server:

    SSL_ASYNC_init(IKE_SA_MAX*2, 0);
    
  • Implement the following IKE callout setting and assign it accordingly:

    IKE_ikeSettings()->funcPtrIkeGetTlsCertStore()
    
  • After the end-user application has exited, shut down the NanoSSL server:

    SSL_releaseTables();
    
    SSL_shutdownStack();
    

Compilation flags

The following compilation flags are also required to build the IKE EAP-TTLS authenticator:

  • __ENABLE_IKE_EAP_ONLY__

  • __ENABLE_MOCANA_EAP_AUTH__

  • __ENABLE_MOCANA_EAP_MD5__

  • __ENABLE_MOCANA_EAP_MSCHAPv2__

  • __ENABLE_MOCANA_EAP_RADIUS__

  • __ENABLE_MOCANA_EAP_TLS__

  • __ENABLE_MOCANA_EAP_TTLS__

  • __ENABLE_MOCANA_MD4__

  • __ENABLE_MOCANA_RADIUS_CLIENT__

  • __ENABLE_MOCANA_SSL_ASYNC_API_EXTENSIONS__

  • __ENABLE_MOCANA_SSL_ASYNC_CLIENT_API__

  • __ENABLE_MOCANA_SSL_ASYNC_SERVER_API__

  • __ENABLE_MOCANA_SSL_KEY_EXPANSION__

  • __ENABLE_RFC3576__