一种面向100Gbps网络的L7-filter硬件加速方法
|
摘要
L7-filter是当前广泛应用的流量分类系统,其采用基于正则表达式匹配的深包检测方法,通过检测数据包有效载荷中存在的字符串特征对流量进行分类.然而,由于计算复杂度高、存储消耗大等原因,现有L7-filter软硬件方法的处理性能严重不足,不能适应当前40Gbps以及更高性能骨干网络.在对L7-filter的应用层协议规则集进行分析,总结其中广泛存在的特征的基础上,本文提出了一个硬件加速方法,其通过有针对性的数据模型、算法优化、匹配架构设计以提高流量分类系统的处理能力.为了验证方法的可行性,采用了基于Virtex6的FPGA板卡实现原型系统并对其进行评估.实验结果表明,原型系统的数据吞吐率可以达到约115Gbps.
L7-filter is a w idely used traffic classification system w hich relies on regular expression matching based deep packet inspect method and can identify netw ork traffic by inspecting string patterns hidden in the packet payload. How-ever,due to considerable computation and storage expenditures,existing L7-filter softw are and hardw are solutions could not offer sufficient performance in the context of 40 Gbps and higher speed netw orks. Based on analysis of common features of the L7-filter protocol patterns,this paper proposes a hardw are-accelerated method w hich is for achieving high performance and includes customized data structure,optimization and matching architecture. To validate the proposed method,a hardw are prototype on Virtex 6 FPGA card is implemented and tested. Experimental results show that the prototype can scan netw ork traffic at a typical rate of about 115 Gbps.
L7-filter is a w idely used traffic classification system w hich relies on regular expression matching based deep packet inspect method and can identify netw ork traffic by inspecting string patterns hidden in the packet payload. How-ever,due to considerable computation and storage expenditures,existing L7-filter softw are and hardw are solutions could not offer sufficient performance in the context of 40 Gbps and higher speed netw orks. Based on analysis of common features of the L7-filter protocol patterns,this paper proposes a hardw are-accelerated method w hich is for achieving high performance and includes customized data structure,optimization and matching architecture. To validate the proposed method,a hardw are prototype on Virtex 6 FPGA card is implemented and tested. Experimental results show that the prototype can scan netw ork traffic at a typical rate of about 115 Gbps.
引文
[1]GA/T1177-2014,信息安全技术第二代防火墙安全技术要求[S].
[2]J.Nielsen.Nielsen’s law of internet bandwidth[EB/OL].http://w w w.nngroup.com/articles/law-of-bandw idth/,2015-3-12.
[3]Application layer packet classifier for Linux[EB/OL].http://l7-filter.sourceforge.net/,2005-02-18.
[4]付文亮,嵩天,周舟.Rocket TC一个基于FPGA的高性能网络流量分类架[J].计算机学报,2014,37(2):414-422.FU Wen-liang,SONG Tian,ZHOU Zhou.Rocket TC:A high throughput traffic classification architecture on FPGA[J].Chinese Journal of Computers,2014,37(2):414-422.(in Chinese)
[5]Antonello Rafael,et al.Design and optimizations for efficient regular expression matching in DPI systems[J].Proceedings of Computer Communications,2015,61:103-120.
[6]Wang Kai,Zhe Fu,Xiaohe Hu,and Jun Li.Practical regular expression matching free of scalability and performance barriers[J].Proceedings of Computer Communications2014:97-119.
[7]Wang Jianhua,et al.A regular expression matching algorithm based on high-efficient finite automaton[J].Proceedings of Journal of Computing Science and Engineering,2014:78-86.
[8]WANG X,et al.Stri FA:Stride finite automata for highspeed regular expression matching in netw ork intrusion detection systems[J].IEEE Systems Journal,2013,7(3):374-384.
[9]Liu Tingwen,et al.Towards fast and optimal grouping of regular expressions via DFA size estimation[J].IEEE Journal on Selected Areas in Communications,2014,32(10):1797-1809.
[10]Shukla Surendra Kumar,et al.A survey of approaches used in parallel architectures and multi-core processors[J].For Performance Improvement.Proceedings of Progress in Systems Engineering,2015:537-545.
[11]Vasiliadis Giorgos,et al.GASPP:a GPU-accelerated stateful packet processing framew ork[A].Proceedings of 2014USENIX Conference on Annual Technical Conference[C].Philadelphia:USENIX,2014.321-332.
[12]FEITOZA SANTOS A,et al.Multigigabit traffic identification on GPU[A].Proceedings of the First Edition Workshop on High Performance and Programmable Netw orking[C].New York:ACM,2013.39-44.
[13]Van Lunteren J,et al.Hardware-accelerated regular expression matching at multiple tens of gb/s[A].Proceedings of 31th IEEE INFOCOM[C].New York:ACM,2013.1737-1745.
[14]Smith R,et al.XFA:faster signature matching with extended automata[A].Proceedings of IEEE Symposium on Security and Privacy(S&P)[C].New York:IEEE,2008.187-201.
[15]Becchi M and Cadami S.Memory-efficient regular expression search using state merging[A].Proceedings of IEEE INFOCOM[C].New York:ACM,2007.1064-1072.
[16]Bando M,et al.Scalable lookahead regular expression detection system for deep packet inspection[J].IEEE/ACM Trans on Netw orking,2012,20(3):699-714.
[17]余慧,王健.一种专用可重配置的FPGA嵌入式存储器模块的设计和实现[J].电子学报,2012,40(2):215-222.YU Hui,WANG Jian.The design and implement of a special reconfigureable FPGA embedded BRAM[J].Acta Electronica Sinica,2012,40(2):215-222.(in Chinese)
[18]Yamagaki N,Sidhu R,Kamiya S.High-speed regular expression matching engine using multi-character NFA[A].Proceedings of IEEE Field Programmable Logic and Applications[C].New York:ACM,2008.131-136.
[19]HOPCROFT J E.Introduction to Automata Theory,Languages,and Computation[M].3rd ed,Addison-Wesley Longman Publishing Co,Inc,2006.
[20]Regular expression patterns for L7-filter[EB/OL].http://l7-filter.sourceforge.net/protocols,2015-03-12.
[21]Net FPGA[OL].http://netfpga.org.2015-07-20.
[22]Wang L,et al.Gregex:GPU based high speed regular expression matching engine[A].Proceedings of IEEE Innovative M obile and Internet Services in Ubiquitous Computing[C].New York:IEEE,2011.366-370.
[2]J.Nielsen.Nielsen’s law of internet bandwidth[EB/OL].http://w w w.nngroup.com/articles/law-of-bandw idth/,2015-3-12.
[3]Application layer packet classifier for Linux[EB/OL].http://l7-filter.sourceforge.net/,2005-02-18.
[4]付文亮,嵩天,周舟.Rocket TC一个基于FPGA的高性能网络流量分类架[J].计算机学报,2014,37(2):414-422.FU Wen-liang,SONG Tian,ZHOU Zhou.Rocket TC:A high throughput traffic classification architecture on FPGA[J].Chinese Journal of Computers,2014,37(2):414-422.(in Chinese)
[5]Antonello Rafael,et al.Design and optimizations for efficient regular expression matching in DPI systems[J].Proceedings of Computer Communications,2015,61:103-120.
[6]Wang Kai,Zhe Fu,Xiaohe Hu,and Jun Li.Practical regular expression matching free of scalability and performance barriers[J].Proceedings of Computer Communications2014:97-119.
[7]Wang Jianhua,et al.A regular expression matching algorithm based on high-efficient finite automaton[J].Proceedings of Journal of Computing Science and Engineering,2014:78-86.
[8]WANG X,et al.Stri FA:Stride finite automata for highspeed regular expression matching in netw ork intrusion detection systems[J].IEEE Systems Journal,2013,7(3):374-384.
[9]Liu Tingwen,et al.Towards fast and optimal grouping of regular expressions via DFA size estimation[J].IEEE Journal on Selected Areas in Communications,2014,32(10):1797-1809.
[10]Shukla Surendra Kumar,et al.A survey of approaches used in parallel architectures and multi-core processors[J].For Performance Improvement.Proceedings of Progress in Systems Engineering,2015:537-545.
[11]Vasiliadis Giorgos,et al.GASPP:a GPU-accelerated stateful packet processing framew ork[A].Proceedings of 2014USENIX Conference on Annual Technical Conference[C].Philadelphia:USENIX,2014.321-332.
[12]FEITOZA SANTOS A,et al.Multigigabit traffic identification on GPU[A].Proceedings of the First Edition Workshop on High Performance and Programmable Netw orking[C].New York:ACM,2013.39-44.
[13]Van Lunteren J,et al.Hardware-accelerated regular expression matching at multiple tens of gb/s[A].Proceedings of 31th IEEE INFOCOM[C].New York:ACM,2013.1737-1745.
[14]Smith R,et al.XFA:faster signature matching with extended automata[A].Proceedings of IEEE Symposium on Security and Privacy(S&P)[C].New York:IEEE,2008.187-201.
[15]Becchi M and Cadami S.Memory-efficient regular expression search using state merging[A].Proceedings of IEEE INFOCOM[C].New York:ACM,2007.1064-1072.
[16]Bando M,et al.Scalable lookahead regular expression detection system for deep packet inspection[J].IEEE/ACM Trans on Netw orking,2012,20(3):699-714.
[17]余慧,王健.一种专用可重配置的FPGA嵌入式存储器模块的设计和实现[J].电子学报,2012,40(2):215-222.YU Hui,WANG Jian.The design and implement of a special reconfigureable FPGA embedded BRAM[J].Acta Electronica Sinica,2012,40(2):215-222.(in Chinese)
[18]Yamagaki N,Sidhu R,Kamiya S.High-speed regular expression matching engine using multi-character NFA[A].Proceedings of IEEE Field Programmable Logic and Applications[C].New York:ACM,2008.131-136.
[19]HOPCROFT J E.Introduction to Automata Theory,Languages,and Computation[M].3rd ed,Addison-Wesley Longman Publishing Co,Inc,2006.
[20]Regular expression patterns for L7-filter[EB/OL].http://l7-filter.sourceforge.net/protocols,2015-03-12.
[21]Net FPGA[OL].http://netfpga.org.2015-07-20.
[22]Wang L,et al.Gregex:GPU based high speed regular expression matching engine[A].Proceedings of IEEE Innovative M obile and Internet Services in Ubiquitous Computing[C].New York:IEEE,2011.366-370.