SDIG: Toward Software-Defined IPsec Gateway

The current IPsec gateway integrates many functions of IPsec operation, tunnel management and forwarding decision, which makes the IPsec gateway complicated in maintenance and deployment. The problem of maintaining such devices prevents IPsec VPN from applying widely. The emergence of SDN provides an innovative way to decouple the control plane and data plane. In this paper, a Software-Defined IPsec Gateway (SDIG) is proposed to achieve net2net IPsec VPN. Different from the traditional IPsec gateway, the SDIG device serves as a data plane equipment that just concentrates on exchanging IKE packets and encrypting/decrypting IP packets. A global view of SDIG devices can be constructed in the SDN controller by collecting the status of all devices. Therefore the controller can manage and configure SDIG devices centrally, and simplify deployment complexity. Outbound IP packets for the SDIG device can be viewed as a trigger to control the establishment of IPsec tunnels. The SDIG device and the controller exchange information through a customized southbound protocol. The prototype system of SDIG is implemented, and the preliminary experimental results show that the method is feasible and effective.