智能手机的普及带来了移动互联网的浪潮，用户数量与网络流量急剧增长。为了提供更好的服务，互联网公司都在积极建设数据中心(IDC)。分布于各地IDC的数据传输通常使用专线，但专线费用高昂，因此IDC的公网数据传输逐渐得到发展。为保证安全，IDC通常通过IPSec VPN的方式在Internet上传输数据。IPSec VPN 解决方案基于传统协议栈。在高速网络环境下，传统协议栈系统性能已经到达一个瓶颈，用户态协议栈成为热门研究课题, Intel DPDK是一款优秀的用户态协议栈开发平台。本文针对传统协议栈在数据处理过程中面临的中断频繁、数据冗余拷贝、不支持多核框架、锁竞争开销大等问题，详细介绍了DPDK中解决这些问题的关键技术：大内存页、用户空间I/O与处理器亲和性。然后设计了基于DPDK的用户态协议栈框架，并详细介绍了其中的四个主要模块。底层驱动模块负责对多核与分布式存储提供支持。数据收发模块负责快速的收发数据、存储数据包与减小多核竞争开销。三层转发协议栈模块提供路由转发以及用户态协议栈与传统协议栈的通信。IPSec处理模块提供数据包的认证与加解密。基于各个模块的详细设计，本文实现了一个基于DPDK的用户态IPSec协议栈。通过在高速网络环境下与传统协议栈的IPSec进行测试对比，可以得到结论，用户态IPSec协议栈具有更高的性能，能够解决传统协议栈的问题。

The popularity of smart phone brings a fresh wave of mobile internet. Not only the number of clients but also the network traffic has a dramatic increase. In order to provide better quality of services, major internet companies are actively building data centers (IDC). Data transfers between IDC of scattered departments is usually completed using private lines with high cost, thus the public network has gradually played a role in data transfers between IDC. To ensure safety, IPSec VPN is often applied to transfer data for IDC in public network. IPSec VPN solution is based on traditional protocol stack, which has already approached a bottleneck under high speed network environment. User-mode protocol stack has become a popular research subject, while Intel DPDK is an excellent development platform for user-mode protocol stack.To deal with problems faced in data processing for traditional protocol stack such as frequent interruptions, redundant data copies, not supporting multi-core framework and high cost of lock contention, this thesis introduced the key techniques to fight with these problems in DPDK: large pages, user space I/O and processor affinity. Then a user-mode protocol stack framework based on DPDK is designed and four major modules are introduced in detail. The driver module is responsible for supporting multi-cores and distributed storage. The data receiving and dispatching module is responsible for quick data receiving and dispatching, data storage and less multi-core competition. The third layer protocol stack module is responsible for route switchover and communication between kernel-mode protocol stack and user-mode protocol. The IPSec processing module is responsible for the authentication and encryption for data packets. Based on detailed design of each module, a user-mode IPSec protocol stack based on DPDK is complemented. Tests against IPSec in traditional protocol stack in high speed network environment can provide the conclusion that user-mode IPSec protocol stack has superior performance and the ability to solve problems faced in traditional protocol stack.