DocumentCode
1905703
Title
Introducing QoS mechanisms into the IPsec packet processing
Author
Völker, Lars ; Schöller, Marcus ; Zitterbart, Martina
Author_Institution
Univ. Karlsruhe, Karlsruhe
fYear
2007
fDate
15-18 Oct. 2007
Firstpage
360
Lastpage
367
Abstract
The deployment and use of IPsec has consistently increased in recent years. IPsec is a protocol that allows, among other things, secure branch office connectivity and secure VPN access for road warriors. The limitations of IPsec are much better understood today, and efforts to improve IPsec are still underway. One aspect of improvement is the integration of IPsec with other functions and protocols of the network. Quality of Service (QoS) is one example. QoS is used to prioritize demanding traffic like Voice over IP, network control messages, and traffic for other mission-critical systems. QoS can be used to mitigate risks of DoS attacks, ill-behaving hosts, and other attacks by separating traffic classes and treating packets according to the respective class. In order to facilitate all the advantages QoS can offer, an IPsec implementation must not only be superficially changed, but needs thorough modifications or, even better, should be designed with QoS support as an objective. The current IPsec standard offers hardly any guidance on how to do this. In this paper, we detail our QoS-capable IPsec and compare it with a widely-used regular IPsec implementation. Furthermore, we show that these QoS extensions prove to be valuable, even in difficult scenarios, e.g. using host CPUs for packet processing.
Keywords
Internet; protocols; quality of service; telecommunication security; virtual private networks; DoS attacks; IPsec packet processing; Internet; QoS; QoS mechanisms; ill-behaving hosts; protocol; quality of service; secure VPN; Access protocols; Communication system traffic control; Computer crime; Delay; Internet telephony; Jitter; Quality of service; Telecommunication traffic; Telematics; Traffic control;
fLanguage
English
Publisher
ieee
Conference_Titel
Local Computer Networks, 2007. LCN 2007. 32nd IEEE Conference on
Conference_Location
Dublin
ISSN
0742-1303
Print_ISBN
0-7695-3000-1
Electronic_ISBN
0742-1303
Type
conf
DOI
10.1109/LCN.2007.103
Filename
4367864