LLPA: A Protocol for High Speed Packet Authentication
Geoffrey G. Xie, Cynthia Irvine, Cary Colwell
Department of Computer Science, Naval Postgraduate School, Monterey, CA 93943
xie@cs.nps.navy.mil

We describe LLPA, a protocol for high speed authentication of IP packets. While capable of ensuring maximum security with per-packet origin authentication, LLPA achieves high throughput through two innovations. First, only a fixed length Authentication Trailer is appended to each packet at the source. This allows the authentication gateway to examine packets at the link layer, eliminating all the overhead associated with parsing the complex IP header. The trailer, hidden from intermediate routers as part of the payload, incurs no extra processing in transit and is removed by the authentication gateway. LLPA is therefore a non-intrusive solution similar to tunneling. Second, the crypto-period of each key is made very short (e.g., 30 seconds), allowing an inexpensive keyed message digest function such as keyed MD5 to be used to compute the digital signature of a packet. Rekeying at such a high rate may be too costly even if automated and performed out-of-band. LLPA addresses this problem by prefetching a pool of keys with each rekeying session. Either a host-centric or a gateway-centric approach may be used for rekeying in LLPA. Both approaches are carefully examined in this paper, resulting in a hybrid solution that is both efficient and scalable. We have implemented a prototype of LLPA on a NetBSD box and evaluated its performance. The performance results indicate that software-based gigabit per second packet authentication can be realized on today's PC hardware.
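The source-side and gateway-side halves of the scheme the abstract describes, written as an added Python example; this is not code from the paper or from its NetBSD prototype. Everything about the trailer layout is assumed: a 32-bit crypto-period index followed by a 16-byte digest, so the gateway only ever looks at the last 20 bytes of a frame and never parses the IP header. "Keyed MD5" is instantiated as HMAC-MD5, the per-period key pool is derived from a constructed master secret with HMAC-SHA256 (the abstract says keys are prefetched, not how they are generated), and the gateway's tolerance of one crypto-period of clock skew is likewise an assumption.

```python
import hmac
import hashlib
import struct

# Constructed parameters (assumptions, not from the paper): a uint32
# crypto-period index plus a 16-byte keyed-MD5 digest gives a 20-byte trailer.
CRYPTO_PERIOD_SECONDS = 30                       # the abstract's example value
TRAILER_FORMAT = "!I16s"                         # period index || digest
TRAILER_LEN = struct.calcsize(TRAILER_FORMAT)    # 20 bytes
MAX_PERIOD_SKEW = 1                              # accept current period +/- 1


def period_index(unix_time):
    """Map a wall-clock time to the index of the crypto-period containing it."""
    return int(unix_time) // CRYPTO_PERIOD_SECONDS


def prefetch_key_pool(master_secret, first_period, count):
    """Build the pool of per-period keys delivered by one rekeying session.

    Assumption: the paper does not say how pooled keys are produced; deriving
    each one as HMAC-SHA256(master_secret, period) stands in for that step.
    """
    return {
        p: hmac.new(master_secret, struct.pack("!I", p), hashlib.sha256).digest()
        for p in range(first_period, first_period + count)
    }


def keyed_digest(key, period, packet):
    """Keyed MD5 (HMAC-MD5 here) over the period index and the whole packet,
    so the index in the trailer is itself authenticated."""
    return hmac.new(key, struct.pack("!I", period) + packet, hashlib.md5).digest()


def append_trailer(packet, key_pool, now):
    """Source side: pick the key for the current crypto-period and append
    the fixed-length Authentication Trailer to the packet."""
    period = period_index(now)
    key = key_pool[period]   # KeyError means the pool ran dry: rekey first
    trailer = struct.pack(TRAILER_FORMAT, period, keyed_digest(key, period, packet))
    return packet + trailer


def verify_and_strip(frame, key_pool, now):
    """Gateway side: check the trailer using only its fixed offset from the
    end of the frame, then remove it.

    Returns the original packet on success, or None when the frame is too
    short, names a period outside the accepted skew or the prefetched pool,
    or carries a digest that does not match.
    """
    if len(frame) < TRAILER_LEN:
        return None
    packet, trailer = frame[:-TRAILER_LEN], frame[-TRAILER_LEN:]
    period, digest = struct.unpack(TRAILER_FORMAT, trailer)
    if abs(period - period_index(now)) > MAX_PERIOD_SKEW:
        return None          # stale or future key: drop rather than look it up
    key = key_pool.get(period)
    if key is None:
        return None          # period not covered by the current pool
    if not hmac.compare_digest(digest, keyed_digest(key, period, packet)):
        return None          # forged, corrupted or mis-keyed trailer
    return packet


if __name__ == "__main__":
    # Constructed sample values: a master secret, a clock, and packet bytes.
    master = b"constructed-master-secret"
    now = 1_000_000
    pool = prefetch_key_pool(master, period_index(now), 4)
    packet = b"constructed IP packet bytes"
    frame = append_trailer(packet, pool, now)
    print(len(frame) - len(packet), "trailer bytes appended")
    print("valid frame ->", verify_and_strip(frame, pool, now))
    print("tampered   ->", verify_and_strip(b"X" + frame[1:], pool, now))
    print("stale key  ->", verify_and_strip(frame, pool, now + 5 * CRYPTO_PERIOD_SECONDS))
```

The key pool is what makes the 30-second crypto-period workable: the gateway never blocks on a rekeying exchange, it just indexes into keys it already holds, and a trailer naming a period outside the pool or the skew window is dropped before any digest is computed.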