IPsec Toolkit

A complete, highly scalable IPsec implementation (previously QuickSec from Inside Secure) that supports all relevant (90+) RFCs and standards required for servers and clients that need to communicate with any type of client/server device and interoperate with existing gateways. The Linux Data Plane is supported without any kernel dependency and is ideal for high traffic gateways or deployment in virtual environments.

The IPsec toolkit is optionally integrated with the FIPS 140-2 or FIPS 140-3 validated crypto module and deployed by leading vendors of physical and virtual cloud/networking products, printers and embedded devices.

How the IPsec Toolkit works

As our customers develop products that must work seamlessly with various IPsec implementations, the Rambus IPsec Toolkit supports the 90+ standard specifications required to work with the various flavors of IPsec. Interoperability is verified as part of the QA process in Rambus’ own laboratory.

High scalability

  • High session set-up rate. Able to reach 2000 IPsec tunnel establishments per second with only two CPU cores; scales well on multicore architectures
  • Tunnel number only limited by available computing resources
  • High availability (HA). Includes HA APIs for import and export of IKE and IPsec security associations (SAs) for device redundancy and failover
  • Easy debugging. Enables requesting detailed logs for specific tunnels for problem resolution in large deployments without impacting performance
  • Multi-tenancy: supports independent and overlapping virtual routing and forwarding (VRF) instances for multiple network or eNodeB support of multiple operators
  • Integrates with Linux kernel IPsec data plane supporting the same API. Additionally, a higher-level common data plane API allows integration with any IPsec data plane.
 

Leading companies are using the IPsec Toolkit for implementations in Cloud, SD-WAN, enterprise security gateways, high-security government appliances, high-capacity carrier gateways, eNodeB, mobile devices and printers.

Solution Offerings

Features
  • Complete IPsec and IKE Client/Server Toolkit
  • Highly interoperable and standards compliant
  • Scalability: Deployments with 1M+ IPsec tunnels and unbeaten tunnel setup rate
  • Available with FIPS 140-2 or FIPS 140-3 validated crypto module
  • Written in clear, highly portable C source code free of GPL constraints
  • Routing instances isolate traffic for multi-tenancy
  • Broad hardware and software platform support
  • High-quality commercial replacement for GPL licensed open source software
  • Engineer-level support and regular updates provided under maintenance
 

IKE (Internet Key Exchange) Support

  • IKEv2 (RFC 7296), IKEv2 fragmentation (RFC 7383), IKEv2 redirect (RFC 5685)
  • MOBIKE (RFC 4555, RFC 4621)
  • IKEv1 main mode and aggressive mode
  • Perfect forward secrecy (PFS) option
  • Re-keying, dead peer detection (DPD), NAT-Traversal (NAT-T)
  • Authentication: pre-shared keys (PSK), XAUTH, certificates (full PKI support), extensible authentication protocol (EAP-SIM, EAP-AKA, EAP-MD5), RADIUS, multiple authentication (RFC 4739)
  • IPv4 and IPv6 support: IPv4 over IPv6, IPv6 over IPv4, IPv6 over IPv6, DHCPv4 and DHCPv6
  • RSA, DSA and ECDSA public key algorithms (IKE signature modes only)
  • RSA signature support for SHA2 in IKE per NIST Special Pub. 800-131A
  • Diffie-Hellman key exchange algorithm
  • FIPS 140-2 or FIPS 140-3 certified cryptography as a commercial option
  • Remote access support: virtual adapter configured by the server
  • Built-in IP address allocation
 

Certificates and PKI Functionality

  • X.509v3 (PKIX) certificate profile support
  • X.509v3 (PKIX) certificate revocation list (CRL) support
  • Certificate distribution point support, with LDAP and HTTP
  • On-line certificate status checking, using OCSP
  • RSA signature support for SHA2 in certificates per NIST Special Pub. 800-131A
 

Complete IPsec Cryptography

  • Cipher algorithms: AES, AES-CCM, AES-GCM, AES-GCM-64, GMAC-AES, 3DES
  • MAC algorithms: SHA-1, SHA-2, GMAC-AES, AES-XCBC
  • Asymmetric crypto algorithms: RSA, Diffie-Hellman, ECC DH, ECC DSA, PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
  • Elliptic curve crypto: Brainpool elliptic curves (RFC 5639, RFC 6932), ECDSA (RFC 4754), ECP groups (RFC 5903), Elliptic curve digital signature (ECDS)