Design of a Gigabit Ethernet Router Based on Intel IXA
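Abstract
The continued growth of the Internet places ever higher demands on routers, one of the Internet's basic infrastructure components. A new-generation router must not only forward packets quickly but also offer good security capabilities to protect the network. With its powerful processing capability and flexible development tools, Intel IXA provides the best solution for network applications of this kind. Building on an in-depth analysis of IXA, this project develops a gigabit Ethernet router with a degree of security capability. The thesis covers the following:
    Chapter 1 describes the background of the whole design. Specifically, it analyzes the changes in network traffic patterns, gives an overview of the Intel IXA architecture, and briefly describes the hardware platform of this design, the IXP1200 Ethernet Evaluation System. Chapter 2 then analyzes in detail the core of IXA, the IXP1200 network processor. It summarizes the features of the IXP1200, analyzes some of the techniques and new concepts used in the IXP1200, and describes in detail each of the main functional units that make up the IXP1200.
    Chapter 3 gives an overview of the whole design. It first describes the three main functions of the system (establishing the basic data path, packet filtering, and network address translation) and the division of tasks between the StrongARM and the microengines. It then briefly introduces the StrongARM software structure and the microengine data flow. Finally, it describes the important data structures in the design and how they are allocated across the three kinds of memory.
    Chapter 4 implements a series of the most basic functions, including microengine initialization, packet receive processing, exception handling, MAC and IP header processing, IP forwarding, and packet transmit processing. These functions establish a basic data path for the whole system. Later functions (and functions not yet implemented in this design) can be built as extensions on this data path.
    Chapters 5 and 6 each implement a security feature on top of the basic data path implemented in Chapter 4: packet filtering and network address translation (NAT). Packet filtering is a security measure widely used on routers and firewalls, with the advantages of being direct and efficient. NAT is a short-term solution to the shortage of IP addresses; it is not in itself a security measure, but in practice it can "hide" the internal network. These two chapters describe in detail the security features, how they work, and their implementation on the IXP1200.
    The thesis concludes by summarizing the functions implemented in this design and those not implemented, and by analyzing future work.
    Chapters 1 and 2 of this thesis draw on the "IXP1200 Hardware Manual" and related documents; I completed the design work independently.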
The rapid growth of the Internet has placed increasing demands on the router, which is one of the Internet's infrastructure components. The new generation of routers must not only forward packets at high speed, but also provide proper security to protect the network. The Intel IXA, through a powerful processor and flexible development tools, provides the best solution for such network applications. Based on a study of the IXA, this paper develops a gigabit Ethernet router with some security features. The paper consists of the following parts:
    Chapter 1 describes the background of the design. It analyzes the changes in the network traffic pattern and briefly describes the hardware platform of the design, the IXP1200 Ethernet Evaluation System. Chapter 2 then describes the core of the IXA, the IXP1200 network processor. This chapter summarizes the features of the IXP1200, analyzes some technologies and new concepts introduced in the IXP1200, and describes each functional unit in the IXP1200 in detail.
    Chapter 3 presents the system design. First, it describes the three main functions of the system (building the basic data path, packet filtering, and network address translation (NAT)) as well as the task partitioning between the StrongARM core and the microengines. It then describes the StrongARM software structure and the microengine data flow. Lastly, it describes the important data structures and the use of the three types of memory.
    Chapter 4 implements a series of basic functions, including microengine initialization, packet receive processing, exception processing, MAC and IP header processing, IP forwarding, and packet transmit processing. These functions build a basic data path for the whole system. Later functions (as well as the functions not implemented in this design) can be built as extensions on this basic data path.
    Chapters 5 and 6 implement some security functions on top of the basic data path implemented in Chapter 4: packet filtering and network address translation (NAT). Packet filtering is an efficient security method that is commonly used in routers and firewalls. NAT is a short-term solution for the IP address shortage and is not essentially a security method, but in practice it can "hide" the inside network. The two chapters describe the security features, their mechanisms, and their implementation on the IXP1200.
    The end of the paper summarizes the functions implemented and not implemented in the design, and outlines the work still to be done.
    Some information in Chapters 1 and 2 is drawn from "The IXP1200 Hardware Manual"; the design portion of the paper was accomplished by myself.
References
[1] Intel IXA, "Intel IXP1200 Network Processor Family Hardware Reference Manual", 2002
[2] Intel IXA, "Intel IXP1200 Ethernet Evaluation System User's Manual", 2002
[3] Intel IXA, "Intel IXP1200 Programmer's Reference Manual", 2002
[4] Intel IXA, "Intel IXP1200 Development Tools User's Guide", 2002
[5] Intel IXA, "IXP1200 Network Processor Gigabit Ethernet Example Design", 2002
[6] Cisco, "Cisco PIX Firewall and Stateful Firewall Security", 2003
[7] RFC 1631, "The IP Network Address Translator (NAT)"
[8] Intel IXA, "IXP1200 Network Processor Microengine C RFC1812 Layer3 Forwarding Example Design", 2002
[9] Intel IXA, "IXP1200 Network Processor ATM OC-3 / Ethernet IP Router Example Design", 2002
[10] [USA] Russell Lusignan, Oliver Steudler, Jacques Allison, "CISCO网络安全管理" (Cisco Network Security Management), translated by 王勇, 中国电力出版社 (China Electric Power Press), 7/2001
[11] [USA] Terry William Ogletree, "Practical Firewalls", translated by 李之堂, 李伟明, 陈琳, 电子工业出版社 (Publishing House of Electronics Industry), 2/2001
[12] [USA] Douglas E. Comer, "用TCP/IP进行网际互联" (Internetworking with TCP/IP), 电子工业出版社 (Publishing House of Electronics Industry), 3/2001
[13] [USA] 拉斯.克兰德, "Hacker Proof-The Ultimate Guide to Network Security", 电子工业出版社 (Publishing House of Electronics Industry), 6/2000
