Sunday, July 10, 2011

Performance analysis of IPSec

With the growth of web services, more social and commercial networks are being introduced onto the internet. These applications handle many kinds of data, so securing data in transit is becoming a more critical issue. Network security should provide confidentiality, integrity and authenticity for data networks, and network layer protection is essential to internet communication. The IP Security (IPSec) protocol suite is the most widely deployed protocol that secures data communication on the internet at the network layer. Evaluating the performance of IPSec is therefore an important part of network security engineering: the goal is to achieve security without degrading the performance of the communication system. In this paper, we analyze the performance of IPSec when it is used as the security protocol of a network security gateway.

IPSec operates at the network layer and has two modes of operation: transport mode and tunnel mode. There are two major protocols in the IPSec suite: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. ESP provides confidentiality, integrity and authenticity for the communication; AH provides authenticity and integrity for the protected data but no confidentiality. IPSec consults the Security Policy Database (SPD) and the Security Association Database (SAD) to determine how each IP packet is to be handled. The security policy determines the security services offered to an IP flow (bypass, discard, or protect). A Security Association (SA) acts as the contract between the two communicating entities: it fixes the IPSec protocol and mode, the transforms (cipher and authentication algorithm), the keys, and the lifetime for which the keys are valid. The Internet Key Exchange (IKE) creates SAs dynamically on behalf of IPSec and manages the SAD, providing key management for the communicating entities. Establishing an IPSec connection takes two phases. Phase 1 performs mutual authentication and produces the keys that protect the Phase 2 exchange; Phase 2 negotiates the cipher and authentication algorithm (and the IPSec SAs) that protect subsequent traffic.
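As an added illustration (not code from the paper): a small Python model of the SPD and SAD consultation described above. The policy entries and their selectors, the SA with its key and lifetimes, and the sample packets are all constructed for this example; nothing here touches a real kernel.

```python
"""Added example (not from the original paper): a minimal model of the IPsec
outbound processing path.  An SPD lookup matches packet selectors to a policy
(BYPASS / DISCARD / PROTECT); a PROTECT policy points at an SA in the SAD that
carries the protocol, mode, transforms, key and lifetimes.  Selector values,
keys and lifetimes are constructed for the example."""
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int = 0


@dataclass
class SecurityAssociation:
    spi: int
    protocol: str       # "ESP" or "AH"
    mode: str           # "tunnel" or "transport"
    enc_alg: str
    auth_alg: str
    key: bytes
    created: float
    soft_lifetime: float   # seconds after which IKE should start a rekey
    hard_lifetime: float   # seconds after which the SA must not be used

    def is_expired(self, now):
        return now - self.created >= self.hard_lifetime

    def needs_rekey(self, now):
        return now - self.created >= self.soft_lifetime


@dataclass
class PolicyEntry:
    src_net: str
    dst_net: str
    proto: Optional[int]          # None = any protocol
    dport: Optional[int]          # None = any destination port
    action: str                   # "BYPASS", "DISCARD" or "PROTECT"
    sa_spi: Optional[int] = None  # SAD reference for PROTECT entries

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class IPsecGateway:
    def __init__(self):
        self.spd = []   # ordered list: first match wins, as in RFC 4301
        self.sad = {}   # spi -> SecurityAssociation

    def outbound(self, pkt, now=None):
        """Return (action, sa_or_None, reason) for a packet leaving the gateway."""
        now = time.time() if now is None else now
        for entry in self.spd:
            if not entry.matches(pkt):
                continue
            if entry.action != "PROTECT":
                return entry.action, None, "policy"
            sa = self.sad.get(entry.sa_spi)
            if sa is None:
                # No SA yet: the kernel hands an ACQUIRE to IKE to negotiate one
                return "ACQUIRE", None, "no SA for policy"
            if sa.is_expired(now):
                return "ACQUIRE", None, "SA hard lifetime expired"
            return "PROTECT", sa, "rekey-soon" if sa.needs_rekey(now) else "ok"
        return "DISCARD", None, "no matching policy"   # RFC 4301 default


def build_demo_gateway(now):
    """Constructed configuration: LAN 10.1/16 talks in clear internally, is
    tunnelled to 10.2/16 with an existing SA, and to 10.3/16 for SSH only."""
    gw = IPsecGateway()
    gw.sad[0x1000] = SecurityAssociation(
        spi=0x1000, protocol="ESP", mode="tunnel", enc_alg="aes-cbc",
        auth_alg="hmac-sha1-96", key=b"\x11" * 16, created=now,
        soft_lifetime=3000, hard_lifetime=3600)
    gw.spd = [
        PolicyEntry("10.1.0.0/16", "10.1.0.0/16", None, None, "BYPASS"),
        PolicyEntry("10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT", sa_spi=0x1000),
        PolicyEntry("10.1.0.0/16", "10.3.0.0/16", 6, 22, "PROTECT", sa_spi=0x2000),  # SA not negotiated yet
        PolicyEntry("0.0.0.0/0", "0.0.0.0/0", None, None, "DISCARD"),
    ]
    return gw


if __name__ == "__main__":
    now = time.time()
    gw = build_demo_gateway(now)
    for pkt in (Packet("10.1.0.5", "10.1.0.9", 6, 80), Packet("10.1.0.5", "10.2.0.9", 17, 53),
                Packet("10.1.0.5", "10.3.0.9", 6, 22), Packet("10.1.0.5", "10.3.0.9", 6, 80)):
        print(pkt.dst, pkt.dport, "->", gw.outbound(pkt, now)[0])
```

The ordering matters: the SPD is searched top down and the first matching selector decides, so a broad BYPASS placed above a PROTECT entry silently sends traffic in the clear. The ACQUIRE result is the point at which IKE is invoked to negotiate the SA that the policy requires.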

Security is a critical factor in the development of the internet. IPSec is a suite of protocols that provides source authentication, data integrity and data confidentiality at the network layer, in both IPv4 and IPv6 environments. Linux kernel 2.6 is a capable platform for building a security gateway. We have analyzed the performance of such a gateway in different configurations of ESP tunneling.

When compression is applied we see a drop in IPSec throughput. The decrease comes from the relation between the speed of the encryption algorithm and the speed of the compression algorithm: when compression is combined with a fast encryption algorithm, compressing the payload costs more time than the reduction in encrypted bytes saves, so throughput degrades. HMAC-MD5 shows higher throughput than HMAC-SHA1 both with and without compression. AES also outperforms the other ciphers; DES and 3DES have lower throughput than the others because of their slower encryption process.

Whether throughput rises or falls depends on a combination of factors: the layer at which the protection is applied, the header overhead, and the relative speeds of compression, encryption and transfer. AES gives better encryption throughput than DES and 3DES, and HMAC-MD5 gives better authentication throughput than HMAC-SHA1. Within the algorithms measured, ESP tunnel mode with AES encryption and HMAC-MD5 authentication gives the best combination of security and low performance degradation. Note that current IPSec guidance (RFC 8221) no longer allows HMAC-MD5 or DES and discourages 3DES; a deployment today would pair AES with HMAC-SHA2 or use an AEAD mode such as AES-GCM, so these numbers should be re-measured for those algorithms before being used for planning.
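To make the "header size" factor concrete, here is an added example (not the paper's code) that builds and parses an ESP packet with NULL encryption (RFC 2410) and a 96-bit truncated HMAC ICV, counts the per-packet overhead of ESP tunnel mode for the cipher block sizes involved, and times HMAC-MD5 against HMAC-SHA1 with the standard library. The SPI, key and inner packet are constructed for the example; the AES/DES cases are modelled only for their overhead, no cipher is run.

```python
"""Added example (not from the original paper): ESP framing with NULL encryption
and a truncated HMAC ICV, ESP tunnel-mode overhead per cipher, and an HMAC
microbenchmark.  Key, SPI and the inner packet are constructed test data."""
import hmac
import struct
import time

ICV_LEN = 12   # HMAC-MD5-96 and HMAC-SHA1-96 both truncate the tag to 96 bits


def esp_encapsulate(spi, seq, inner_packet, key, hash_name, next_header=4):
    """Return SPI|seq|payload|padding|pad-length|next-header|ICV (RFC 4303).
    next_header=4 marks an encapsulated IPv4 packet, i.e. tunnel mode."""
    pad_len = (-(len(inner_packet) + 2)) % 4          # trailer must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default pad contents 1,2,3,...
    body = (struct.pack("!II", spi, seq) + inner_packet + padding
            + struct.pack("!BB", pad_len, next_header))
    icv = hmac.new(key, body, hash_name).digest()[:ICV_LEN]   # ICV covers SPI..next-header
    return body + icv


def esp_decapsulate(packet, key, hash_name):
    """Verify the ICV in constant time, check the padding, return (spi, seq, inner, next_header)."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hash_name).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    inner = body[8:len(body) - 2 - pad_len]
    padding = body[len(body) - 2 - pad_len:len(body) - 2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding malformed")
    return spi, seq, inner, next_header


def esp_tunnel_overhead(inner_len, block_size=1, iv_len=0, icv_len=ICV_LEN):
    """Bytes ESP tunnel mode adds on an IPv4 network for a given inner packet size.
    block_size/iv_len model the cipher: 1/0 for NULL, 16/16 AES-CBC, 8/8 DES or 3DES-CBC."""
    align = max(block_size, 4)
    pad_len = (-(inner_len + 2)) % align
    outer_ipv4_header = 20
    return outer_ipv4_header + 8 + iv_len + pad_len + 2 + icv_len


def auth_throughput_mib_s(hash_name, key, payload, iterations=2000):
    """Crude HMAC microbenchmark: MiB of payload authenticated per second."""
    start = time.perf_counter()
    for _ in range(iterations):
        hmac.new(key, payload, hash_name).digest()
    elapsed = time.perf_counter() - start
    return len(payload) * iterations / elapsed / (1024 * 1024)


if __name__ == "__main__":
    key = b"\x2a" * 20
    inner = b"\x45\x00" + b"\x00" * 18 + b"A" * 100      # constructed 120-byte inner IPv4 packet
    pkt = esp_encapsulate(0x1000, 1, inner, key, "sha1")
    print("ESP packet:", len(pkt), "bytes, ESP overhead:", len(pkt) - len(inner))
    for cipher, (bs, iv) in {"null": (1, 0), "aes-cbc": (16, 16), "3des-cbc": (8, 8)}.items():
        print(f"{cipher:9s} tunnel overhead for 1400-byte inner packet: "
              f"{esp_tunnel_overhead(1400, bs, iv)} bytes")
    for h in ("md5", "sha1"):
        print(f"hmac-{h}: {auth_throughput_mib_s(h, key, b'x' * 1400):.0f} MiB/s")
```

The overhead function shows why the cipher matters beyond raw speed: a 1400-byte inner packet costs 44 bytes of ESP tunnel overhead with NULL encryption but 64 with AES-CBC (IV plus 16-byte alignment), and that fixed cost is what pushes a full-size packet over the path MTU and into fragmentation.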

Binary data modulation with coding


When we design a communication system we need to consider the transmitter and receiver structures, the probability of error, the bandwidth occupied by the modulated signal and the bandwidth efficiency. Communication performance is a critical factor in achieving error-free transmission.


Let's discuss the main blocks of a communication system and how to organize them to achieve higher performance. Data to be sent is generated at the data source and fed into the channel encoder. The purpose of the channel encoder is to introduce redundant bits that combat the effects of noise and interference on the channel; channel coding is a signal transformation designed to improve communication performance. Convolutional coding is one type of channel coding. Its important characteristic is that the coder has memory. K is a parameter called the constraint length of the convolutional coder: the n-tuple emitted by the coder is a function not only of the current input k-tuple but also of the previous K-1 input k-tuples.


The output of the channel encoder is fed into the digital modulator. The primary purpose of the digital modulator is to map the binary information sequence into signals suitable for transmission over the channel. We test coherent phase shift keying (PSK) and coherent frequency shift keying (FSK) in our communication system. A coherent receiver has phase recovery circuitry: it knows both the frequency and the phase of the carrier used in transmission. In PSK the signal carries the information in its phase; in FSK it carries the information in its frequency.


The modulated signal is transmitted over the communication channel, the physical medium that carries the signal from transmitter to receiver. The essential feature of this medium is that the transmitted signal is corrupted in a random manner by various mechanisms; here we use an additive white Gaussian noise (AWGN) channel for our simulations. The received signal is converted back into a sequence of binary data in the demodulator, and the channel decoder then attempts to recover the channel-encoded sequence. The channel decoder can use maximum likelihood decoding; Viterbi decoding, which we used for our simulations, is an efficient implementation of maximum likelihood sequence decoding for convolutional codes. The output of the channel decoder is an estimate of the original data.


In designing a communication system we need to consider the probability of error, the bandwidth occupied by the modulated signal and the bandwidth efficiency. With coding we can achieve a lower probability of error without increasing the signal-to-noise ratio, so adding channel coding to the modulation raised the performance of the communication system. But coding needs more bandwidth for data transmission: bandwidth is the price we pay for the higher performance of channel coding.


We achieve a lower bit error probability with BPSK modulation than with BFSK modulation: BPSK showed higher performance than BFSK at the same signal-to-noise ratio. With coding we can increase the performance of the system further: with channel coding we reach the same probability of error as uncoded modulation at a lower signal-to-noise ratio. We saw that code rate 1/2 performed well compared with code rate 1/3 at the lower probability-of-error levels. But there is a price to pay for channel coding: we need more bandwidth, because we transmit more coded bits in the same information-bit duration, so a lower code rate (more redundancy, e.g. 1/3 versus 1/2) means higher spectral occupancy. BPSK normally has less spectral occupancy than BFSK.
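The encoder, decoder and channel described above, as an added example that is not part of the original post: a rate-1/2, K=3 convolutional encoder, a hard-decision Viterbi decoder, a BPSK-over-AWGN Monte Carlo bit error simulation, and the textbook error probabilities for coherent BPSK and coherent BFSK. The generator polynomials (7,5 octal), the block sizes and the random seed are choices made for this example, and numpy is avoided so it runs with the standard library alone.

```python
"""Added example (not the original post's simulation code): K=3 rate-1/2
convolutional coding with Viterbi decoding over a BPSK/AWGN link, and the
theoretical BER of coherent BPSK and BFSK for comparison."""
import math
import random

K = 3                         # constraint length: output depends on the current bit and K-1 previous bits
GENERATORS = (0b111, 0b101)   # octal 7 and 5, the usual K=3 rate-1/2 code


def branch_output(reg):
    """Two coded bits for a K-bit shift register (newest input bit is the MSB)."""
    return tuple(bin(reg & g).count("1") & 1 for g in GENERATORS)


def conv_encode(bits):
    """Rate-1/2 encoder; K-1 zero flush bits return the coder to state 0."""
    state, out = 0, []
    for u in list(bits) + [0] * (K - 1):
        reg = (u << (K - 1)) | state
        out.extend(branch_output(reg))
        state = reg >> 1          # the K-1 most recent inputs become the next state
    return out


def viterbi_decode(coded):
    """Hard-decision Viterbi: maximum-likelihood path under Hamming distance."""
    n_states = 1 << (K - 1)
    metric = [0] + [math.inf] * (n_states - 1)   # the encoder starts in state 0
    back = []
    for t in range(len(coded) // 2):
        r = coded[2 * t:2 * t + 2]
        new_metric, prev = [math.inf] * n_states, [None] * n_states
        for s in range(n_states):
            if metric[s] == math.inf:
                continue
            for u in (0, 1):
                reg = (u << (K - 1)) | s
                d = metric[s] + sum(a != b for a, b in zip(branch_output(reg), r))
                ns = reg >> 1
                if d < new_metric[ns]:        # keep the survivor with the lowest metric
                    new_metric[ns], prev[ns] = d, (s, u)
        metric = new_metric
        back.append(prev)
    state, bits = 0, []                           # flush bits guarantee the path ends in state 0
    for prev in reversed(back):
        state, u = prev[state]
        bits.append(u)
    bits.reverse()
    return bits[:-(K - 1)]                        # drop the flush bits


def bpsk_ber_theory(ebn0_db):
    ebn0 = 10 ** (ebn0_db / 10)
    return 0.5 * math.erfc(math.sqrt(ebn0))         # Q(sqrt(2 Eb/N0))


def bfsk_coherent_ber_theory(ebn0_db):
    ebn0 = 10 ** (ebn0_db / 10)
    return 0.5 * math.erfc(math.sqrt(ebn0 / 2))     # Q(sqrt(Eb/N0)): 3 dB worse than BPSK


def bpsk_ber_simulation(ebn0_db, n_bits, coded=False, seed=1):
    """Monte Carlo BER of (optionally convolutionally coded) BPSK over AWGN.
    Eb/N0 is per information bit, so a coded symbol carries Es = R * Eb."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    tx = conv_encode(bits) if coded else bits
    rate = 0.5 if coded else 1.0
    sigma = math.sqrt(1.0 / (2.0 * rate * 10 ** (ebn0_db / 10)))   # unit symbol energy, N0/2 per dimension
    rx = [0 if (1 - 2 * b) + rng.gauss(0, sigma) > 0 else 1 for b in tx]   # bit 0 -> +1, bit 1 -> -1
    est = viterbi_decode(rx) if coded else rx
    return sum(a != b for a, b in zip(bits, est)) / n_bits


if __name__ == "__main__":
    for db in (2, 4, 6, 8):
        print(f"Eb/N0={db} dB  BPSK theory={bpsk_ber_theory(db):.2e}  "
              f"BFSK theory={bfsk_coherent_ber_theory(db):.2e}  "
              f"BPSK sim={bpsk_ber_simulation(db, 20000):.2e}  "
              f"coded BPSK sim={bpsk_ber_simulation(db, 20000, coded=True):.2e}")
```

The simulation normalises Eb/N0 per information bit, which is the fair comparison the text relies on: the coded link sends twice as many symbols, each with half the energy, and still comes out ahead at moderate Eb/N0 only because the decoder exploits the redundancy. That doubling of symbols is exactly the bandwidth cost the paragraph describes.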


BPSK is the better of the two modulation techniques for binary data transmission. BPSK with channel coding raised the performance level of the communication system, at the cost of higher bandwidth usage.

Tuesday, March 29, 2011

Crypto concepts used in IPSEC

IPSEC is a very complicated and very extensible system for network security. IPSEC uses symmetric ciphers for encryption and HMAC for data authentication. Internet Key Exchange (IKE) is basically an authenticated Diffie-Hellman exchange. There are several ways to authenticate it: one uses digital signatures, another HMACs a shared secret (a pre-shared key), and a third uses public key encryption to authenticate the peer.

IKE, the standard IPSEC key exchange, has an option for perfect forward secrecy; it adds the overhead of a fresh Diffie-Hellman exchange at each rekey interval. Denial-of-service attacks are possible against it: an attacker can force the responder to do unnecessary work (modular exponentiations, state allocation) while it is trying to establish security, exhausting its CPU or memory. A DoS attack against a cryptographic system works whenever the attacker can make the system do more work in response to the attack than the attack itself costs. IPSEC and IKE are constructed with partial defenses, such as the stateless cookie exchange a responder can demand before doing any expensive computation, but these do not eliminate the attacks; they merely increase the cost and complexity of launching them.
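The exchange described in the two paragraphs above, as an added example that is not part of the original post: a responder that hands out a stateless cookie (modelled on the IKEv2 COOKIE notification of RFC 7296, section 2.6) before spending any Diffie-Hellman work, followed by the DH exchange authenticated with a pre-shared key, i.e. the "HMACing a shared secret" method. The prime P is a deliberately small demonstration-only group, not an IKE MODP group, and the PSK, nonces, addresses and the reduced key derivation are assumptions of this example.

```python
"""Added example (not from the original post): stateless anti-DoS cookie plus a
PSK-authenticated Diffie-Hellman exchange in the shape of IKE.  Demonstration
group only; real IKE uses RFC 3526 MODP or elliptic-curve groups."""
import hmac
import os

P = 2**127 - 1   # demonstration-only prime (assumption for this example), far too small for real use
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def derive_key(shared_secret, nonce_i, nonce_r):
    """SKEYSEED-style extraction: prf(Ni | Nr, g^ir)."""
    return hmac.new(nonce_i + nonce_r, shared_secret.to_bytes(P_BYTES, "big"), "sha256").digest()


def auth_tag(psk, session_key, role, ke, nonce):
    """PSK authentication reduced to one step: HMAC over the transcript with a key
    derived from the PSK (IKEv2 uses prf(psk, "Key Pad for IKE") the same way)."""
    psk_key = hmac.new(psk, b"Key Pad for IKE", "sha256").digest()
    transcript = role + ke.to_bytes(P_BYTES, "big") + nonce + session_key
    return hmac.new(psk_key, transcript, "sha256").digest()


class Responder:
    """Keeps no per-initiator state until the initiator has echoed a cookie."""

    def __init__(self, psk):
        self.psk = psk
        self.secret = os.urandom(32)   # rotated periodically in a real implementation
        self.sessions = {}

    def cookie(self, src_ip, spi_i, nonce_i):
        # Stateless: recomputable from the secret, so nothing is stored for unverified peers
        return hmac.new(self.secret, src_ip.encode() + spi_i + nonce_i, "sha256").digest()[:16]

    def handle_init(self, src_ip, spi_i, nonce_i, ke_i, cookie=None):
        expected = self.cookie(src_ip, spi_i, nonce_i)
        if cookie is None or not hmac.compare_digest(cookie, expected):
            return {"type": "COOKIE", "cookie": expected}    # cheap reply, no DH, no state
        x_r = int.from_bytes(os.urandom(16), "big")          # only now do the expensive work
        ke_r = pow(G, x_r, P)
        nonce_r = os.urandom(16)
        key = derive_key(pow(ke_i, x_r, P), nonce_i, nonce_r)
        self.sessions[spi_i] = key
        return {"type": "SA_INIT_RESP", "ke_r": ke_r, "nonce_r": nonce_r,
                "auth": auth_tag(self.psk, key, b"R", ke_r, nonce_r)}


def initiator_exchange(responder, src_ip, psk):
    """Run the initiator side: first attempt is bounced with a cookie, the retry completes."""
    spi_i, nonce_i = os.urandom(8), os.urandom(16)
    x_i = int.from_bytes(os.urandom(16), "big")
    ke_i = pow(G, x_i, P)
    reply = responder.handle_init(src_ip, spi_i, nonce_i, ke_i)
    if reply["type"] != "COOKIE":
        raise RuntimeError("responder did DH work before verifying reachability")
    reply = responder.handle_init(src_ip, spi_i, nonce_i, ke_i, reply["cookie"])
    key = derive_key(pow(reply["ke_r"], x_i, P), nonce_i, reply["nonce_r"])
    expected = auth_tag(psk, key, b"R", reply["ke_r"], reply["nonce_r"])
    if not hmac.compare_digest(expected, reply["auth"]):
        raise ValueError("responder authentication failed: PSK mismatch or man-in-the-middle")
    return key


def spoofed_flood(responder, count):
    """An attacker spraying SA_INIT from forged addresses only gets cookies back:
    the responder does no exponentiation and stores nothing.  Returns session count."""
    for i in range(count):
        reply = responder.handle_init(f"198.51.100.{i % 256}", os.urandom(8), os.urandom(16), 2)
        if reply["type"] != "COOKIE":
            raise RuntimeError("responder committed state to an unverified peer")
    return len(responder.sessions)


if __name__ == "__main__":
    r = Responder(b"constructed-psk")
    key = initiator_exchange(r, "203.0.113.7", b"constructed-psk")
    print("session key:", key.hex())
    print("sessions after 1000 spoofed SA_INITs:", spoofed_flood(r, 1000))
```

The cookie only proves that the initiator can receive packets at the address it claims. An attacker who controls many real addresses, or who sits on-path, can still complete the cookie round trip and force a modular exponentiation per request, which is why the text calls these defenses partial: they raise the attacker's cost rather than removing the work.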

Monday, March 28, 2011

Killed the presentation

I recently found that I am good at planning things and I wanted to try my skill on the course presentation. I wasn't a good presenter before, but with my new plan I have become one. I wrote down a few steps on how to prepare for a presentation. It really worked for me. After I followed the steps below when getting ready for the presentation, I was well organized and very confident about it.

Presentation plan:
  • Prepare the presentation
  • Write down the exact points that you are going to say in a paper
  • Practice the presentation several times
  • Check timing
  • Try to remember the important slides
  • Keep the flow of the presentation in mind
  • Be normal and calm in presenting
  • Keep the point paper when you present

Thursday, March 24, 2011

IPTV Customer has to be managed

When I was in the IPTV industry I worked closely with customer account management software called Geneva. It is a product of IBM Cognos version 7. Account management was really important in billing the customer. We enrolled a single customer who used PSTN, broadband and IPTV into one account, so he had different products, namely PSTN, internet and IPTV, in the same account. We define price plans for each IPTV channel package we create in the system. At the stage of customer creation we add the specific package to the customer with the price plan. We add IPTV as the parent product and then add other services like TSTV, VOD and SVOD as child products with the relevant price plans. In this way we have control over the product price plans, which is important from a marketing aspect. Billing is according to the base package, VOD subscription and channel subscription of the user. When we create a product in Geneva, a work order is passed to the workforce management software to initiate the work. So product creation in Geneva is the starting point of IPTV provisioning. Account information is important in product creation; if it is an existing customer, information like telephone number and billing address is already in the system. If it is a new customer all the information has to be entered accurately, and we first have to begin with the PSTN connection, then the broadband connection and finally IPTV provisioning.

IPTV is not normal TV

Most telecommunication companies all over the world are moving towards convergence in their networks with triple play: voice, video and data (broadband internet). IPTV, which stands for Internet Protocol TV, is a technology that multicasts TV channels and delivers VOD over broadband networks. The bandwidth of the network plays a main role in the IPTV business. Another aspect of IPTV is the video encoding and compression mechanism used in video delivery. I have closely worked with the UT Starcom IPTV system, called UT Starcom's RollingStream IPTV system (http://www.utstar.com/). IPTV and satellite TV are two different technologies competing for the same market segment.

Let me explain the IPTV architecture first, starting with how live channels are transmitted over broadband networks. The trick play function on live channels gives you control over what you are watching: it lets you pause the live stream and go back in time. Time shifting is the IPTV term for going back in time to watch something that has already been broadcast. Live channels reach the IPTV head end from the television stations via satellite and fibre links.

Sunday, March 20, 2011

My new NIKON D3100

I bought a new NIKON D3100 last week. This DSLR camera is known as an entry level DSLR camera and it really suits an amateur photographer. The camera is light in weight and has a good grip to hold the camera in one hand. This camera has 14.2 megapixels, which gives an additional 2 MP over its predecessor, the D3000. It also has 1080p HD movie recording, improved over the D5000. The D3100 gives in-camera retouching options so that we can finish a quality picture in the camera itself. I like that NIKON now gives you good quality pictures and HD video recording too. The D3100 has a help guide for beginners in photography, which helped me a lot to get to know the camera. I took some snaps around and I noticed that the colour of the pictures was great. The D3100 live view lever is positioned in a great place on the rear of the camera, and it gives easy access to video recording. I am planning to shoot some videos in the London, ON area with the D3100 and make a short documentary about it. Let's see how well it goes. I found that the USB cable does not come with the camera and I was a little bit disappointed. But I could get my first photos onto my computer because I had an SD card reader in my laptop. I am still discovering my camera and it is quite a beauty.