基于网络处理器的IPV6状态跟踪防火墙设计与实现

【作者】 肖宁；

【导师】 秦志光；

【作者基本信息】 电子科技大学 ， 软件工程， 2007， 硕士

【摘要】 随着互联网的飞速发展，网络节点数量急剧增加，为解决网络地址紧张的问题并增强网络数据的安全性，采用新的IP协议IPv6替代现有的IPv4协议已经是不可逆转的技术潮流。同时，网络带宽不断提升，伴随着网络技术的不断推陈出新，最早用于解决高速网络的ASIC等技术的开发周期过长，不容易升级等问题越来越被人们所重视，在此情况下新的技术——网络处理器(NP)诞生了，它专门针对网络数据处理进行了硬件优化，能适应现代网络的高速度；可编程，能够快速升级以适应新的网络技术和应用。本文主要研究基于Intel网络处理器和IPv6技术的状态跟踪防火墙系统的设计。研究Intel IXA(Internet Exchange Architecture)，并基于该框架完成IPv6状态跟踪防火墙系统的整体设计。本文作者负责对整个防火墙系统进行架构，将各个功能模块平衡分配到不同的微引擎，注重系统平衡，最大限度地发挥网络处理器高速处理数据包的能力。并在整个系统上实现了状态跟踪，动态Hash，包过滤等相关核心功能。带状态跟踪的包过滤与传统包过滤防火墙的静态过滤规则表相比，它具有更好的灵活性和安全性，是新一代的防火墙技术。虽然目前市面是也具有相对应的状态跟踪防火墙，但由于网络处理器的平台的硬件特性，很多常用的方法并不能直接照搬过来。本文作者将状态跟踪分为应用层状态跟踪和传输层状态跟踪，并按照网络处理器平台的特点，分别将不同的层次的状态跟踪放入到不同硬件层次上，实现了高速与功能并重。同时由于数据平面没有操作系统的支持，本文作者也根据硬件特点，设计了新的_套动态内存分配机制和动态Hash机制，作为状态跟踪防火墙的底层，极大地提高了防火墙的处理速度。更多还原

【Abstract】 As the rapid development of internet, the number of network nodes is increasingdrastically. In order to solve the problem of insufficient IP addresses and meanwhileenhance internet data transfer security, the current IPv4 will inevitably be replaced byIPv6. Furthermore, the internet bandwidth keeps on growing, followed by more andmore new network techniques. Increasing emphasis is paid on the long developmentcycle and upgrade difficulty of the earliest technologies such as ASIC. Because of allthese, a new technology called Network Processor (NP) is presented. To adapt the highspeed modern networks the NP is hardware optimized especially for the network dataprocessing. Meanwhile, it is programmable and thus can be upgraded quickly to applynew network technology and applicatoins.This thesis is mainly about the design of the connect track firewall which is basedon Intel NP and IPv6. Intel IXA(Internet Exchange Architecture) is studied and basedon it the whole design of IPv6 firewall is finished. This paper can be divided into fourparts.The author takes charge of designing the whole structure of this Firewall systemand allocating each module on several different MicroEngine to balance the wholesystem, and thus to make best use of the Network Processor Architecture to ensureprocessing packet with high speed. the Connect Track, dynamic Hash, and Packet Filteralso were implemented.Compared with the traditional Packet Filter Firewall, the Packet Filter withConnect Track has better flexibility and security. It is a new technique of Firewall.Although there are still many Firewall products with the function of Connect Track atthe market now, because of the distinct hardware characteristics of the NetworkProcessor, many common methods can not be applied on Network Processor directly.The Connect Track were partitioned into two sections: Application Layer Connect Trackand Transport Layer Connect Track. In terms of the characteristics of the NetworkProcessor, we put different sections on different hardware layers to realize the functionand guarantee high speed performance at the same time.Meanwhile, as the data plane does not get the support from Operating System, thus we also designed a newmechanism for dynamic memory allocating module and dynamic Hash module. Beingthe bases of Connect Track Firewall, these two modules improve the packet processingspeed a lot.更多还原