
Research on Key Technologies of Parallel Architecture of VPN Based on IPSec

【Author】 任杰麟

【Advisor】 李之棠

【Author information】 Huazhong University of Science and Technology, Computer System Architecture, 2006, Master's

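【Summary】 As network technology has developed, network transmission speeds have risen sharply, placing higher demands on the performance, availability, and scalability of the VPN devices that secure data in transit. To meet these demands, this thesis proposes a parallel architecture for a high-performance IPSec-based VPN system, called Parallel IPSec VPN (PVPN). PVPN uses a pipelined parallel processing algorithm to process traffic on multiple encryption cards in parallel, and builds a multi-machine parallel system on the CompactPCI hardware platform, greatly improving IPSec VPN processing performance. The pipelined parallel processing algorithm treats the CPU and the encryption card as two functional units and overlaps their operation in a pipeline, achieving parallelism in time. It also provisions multiple encryption/decryption units that work simultaneously to speed up batch processing of multiple packets, achieving parallelism in space. The performance of the algorithm is analyzed using queueing theory; the algorithm is then simulated and performance-tested, and the test results are analyzed theoretically. Load balancing is a key technology of cluster systems. A load-balancing algorithm suited to PVPN is designed around the characteristics of the IPSec VPN working mechanism. It distributes packets awaiting encryption or decryption evenly across the CPU processing boards, and sends IPSec fragments belonging to the same packet to a single CPU processing board so that the packet can be reassembled and processed. Experiments show that the PVPN load-balancing algorithm meets its design goals. PVPN is a cluster system, so the probability of a single point of failure is higher than in a traditional IPSec VPN. PVPN uses a cluster mutual-backup mode to guard against CPU processing board failures and a dual-machine hot-standby mode to guard against switching board failures, thereby achieving high availability for the whole system. Finally, PVPN is simulated and performance-tested, and the measured results demonstrate the feasibility and soundness of the system design.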

【Abstract】 The speed of data transmission on networks has increased greatly with the development of network technology. As equipment that ensures secure transmission over the network, a VPN must be high-performance, highly available, and scalable. This article puts forward a high-performance parallel architecture for IPSec-based VPN, called Parallel IPSec VPN (PVPN). PVPN adopts a pipelined parallel algorithm to process traffic on multiple encryption cards in parallel, and greatly improves the capability of VPN equipment on the basis of the CompactPCI hardware platform. The pipelined parallel algorithm separates the CPU and the encryption card into two functional parts. Overlapping and pipelining the two components achieves parallel operation in time. At the same time, providing several encryption and decryption components increases the speed of batch processing, achieving parallel operation in space. The article analyzes the performance of the pipelined parallel algorithm using queueing theory, then simulates the algorithm and tests and analyzes its performance. Load balancing is the key technology of a cluster system. Based on the characteristics of the IPSec VPN mechanism, the article designs a load-balancing scheme for PVPN. The scheme distributes packets evenly and efficiently, and sends IPSec fragments belonging to the same packet to the same CPU processing board so that they can be reassembled successfully. Experiments verify the implementation. PVPN is a cluster system, and its probability of a single point of failure is higher than that of a traditional IPSec VPN. The article carries out in-depth research on high-performance PVPN. PVPN uses a cluster backup mode to guard against failure of a CPU processing board and a hot-backup mode to guard against failure of the switching board. Together these measures safeguard the high availability of the whole system. At the end of the article, a large number of experiments simulate PVPN and test the performance of the system. The test results demonstrate the feasibility and soundness of the design.

