Research on the Implementation and Performance Optimization of an IPv6 Firewall on Multiple CPUs
Published: 2018-12-20 22:22
[Abstract]: With the global IPv4 address space close to exhaustion, IPv6 deployment is imperative, and security protection for IPv6 is becoming increasingly important. Firewall devices are the core of network security, so firewall support for IPv6 determines the foundation of IPv6 network security. Support for IPv6 in domestic firewall equipment is still incomplete. The goal of this project is to use a multiprocessor hardware platform to implement a firewall that supports IPv6, and to bring its throughput and new-connection rate to the advanced level in the industry. During this research, we used incremental, iterative development to build a prototype of the multi-core firewall fairly quickly, and then met the firewall's functional and performance requirements. The main innovations of this thesis are: the basic functions of an IPv6-capable firewall are implemented on a multi-core platform; high-speed interworking between IPv6 and IPv4 is achieved through a high-performance NAT64 implementation on the multi-core platform; and an evolution interface is provided for later upgrading the firewall system to ASIC/NP forwarding or to a distributed firewall system. The main work completed by the author is as follows: analyzing and designing the interaction interfaces between the modules of the IPv6 firewall on the multi-core platform; designing the load-sharing scheme for the data plane of the multi-core system; porting the ASPF/NAT/ALG and other modules of the single-core IPv6 firewall to run on the multi-core platform; and adding a fast-forwarding path, with optimizations for the spinlocks, cache and coprocessors of the multi-core system. The conclusion of this research is that an IPv6 firewall based on the XLP832 multi-core MIPS processor can achieve a throughput of 8 Gbps (small packets) / 20 Gbps (large packets) and a new-connection rate of 60 kcps, which reaches the advanced level in the industry and meets market demand for high-performance enterprise IPv6 firewalls.
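[Degree-granting institution]: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology)
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.04
Article ID: 2388504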
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2388504.html