基于网络处理器的IPV6状态跟踪防火墙设计与实现
摘要
随着互联网的飞速发展,网络节点数量急剧增加,为解决网络地址紧张的问题并增强网络数据的安全性,采用新的IP协议IPv6替代现有的IPv4协议已经是不可逆转的技术潮流。同时,网络带宽不断提升,伴随着网络技术的不断推陈出新,最早用于解决高速网络的ASIC等技术的开发周期过长,不容易升级等问题越来越被人们所重视,在此情况下新的技术——网络处理器(NP)诞生了,它专门针对网络数据处理进行了硬件优化,能适应现代网络的高速度;可编程,能够快速升级以适应新的网络技术和应用。
本文主要研究基于Intel网络处理器和IPv6技术的状态跟踪防火墙系统的设计。研究Intel IXA(Internet Exchange Architecture),并基于该框架完成IPv6状态跟踪防火墙系统的整体设计。
本文作者负责对整个防火墙系统进行架构,将各个功能模块平衡分配到不同的微引擎,注重系统平衡,最大限度地发挥网络处理器高速处理数据包的能力。并在整个系统上实现了状态跟踪,动态Hash,包过滤等相关核心功能。
带状态跟踪的包过滤与传统包过滤防火墙的静态过滤规则表相比,它具有更好的灵活性和安全性,是新一代的防火墙技术。虽然目前市面是也具有相对应的状态跟踪防火墙,但由于网络处理器的平台的硬件特性,很多常用的方法并不能直接照搬过来。本文作者将状态跟踪分为应用层状态跟踪和传输层状态跟踪,并按照网络处理器平台的特点,分别将不同的层次的状态跟踪放入到不同硬件层次上,实现了高速与功能并重。
同时由于数据平面没有操作系统的支持,本文作者也根据硬件特点,设计了新的_套动态内存分配机制和动态Hash机制,作为状态跟踪防火墙的底层,极大地提高了防火墙的处理速度。
As the rapid development of internet, the number of network nodes is increasingdrastically. In order to solve the problem of insufficient IP addresses and meanwhileenhance internet data transfer security, the current IPv4 will inevitably be replaced byIPv6. Furthermore, the internet bandwidth keeps on growing, followed by more andmore new network techniques. Increasing emphasis is paid on the long developmentcycle and upgrade difficulty of the earliest technologies such as ASIC. Because of allthese, a new technology called Network Processor (NP) is presented. To adapt the highspeed modern networks the NP is hardware optimized especially for the network dataprocessing. Meanwhile, it is programmable and thus can be upgraded quickly to applynew network technology and applicatoins.
This thesis is mainly about the design of the connect track firewall which is basedon Intel NP and IPv6. Intel IXA(Internet Exchange Architecture) is studied and basedon it the whole design of IPv6 firewall is finished. This paper can be divided into fourparts.
The author takes charge of designing the whole structure of this Firewall systemand allocating each module on several different MicroEngine to balance the wholesystem, and thus to make best use of the Network Processor Architecture to ensureprocessing packet with high speed. the Connect Track, dynamic Hash, and Packet Filteralso were implemented.
Compared with the traditional Packet Filter Firewall, the Packet Filter withConnect Track has better flexibility and security. It is a new technique of Firewall.Although there are still many Firewall products with the function of Connect Track atthe market now, because of the distinct hardware characteristics of the NetworkProcessor, many common methods can not be applied on Network Processor directly.The Connect Track were partitioned into two sections: Application Layer Connect Trackand Transport Layer Connect Track. In terms of the characteristics of the NetworkProcessor, we put different sections on different hardware layers to realize the functionand guarantee high speed performance at the same time.Meanwhile, as the data plane does not get the support from Operating System, thus we also designed a newmechanism for dynamic memory allocating module and dynamic Hash module. Beingthe bases of Connect Track Firewall, these two modules improve the packet processingspeed a lot.
本文主要研究基于Intel网络处理器和IPv6技术的状态跟踪防火墙系统的设计。研究Intel IXA(Internet Exchange Architecture),并基于该框架完成IPv6状态跟踪防火墙系统的整体设计。
本文作者负责对整个防火墙系统进行架构,将各个功能模块平衡分配到不同的微引擎,注重系统平衡,最大限度地发挥网络处理器高速处理数据包的能力。并在整个系统上实现了状态跟踪,动态Hash,包过滤等相关核心功能。
带状态跟踪的包过滤与传统包过滤防火墙的静态过滤规则表相比,它具有更好的灵活性和安全性,是新一代的防火墙技术。虽然目前市面是也具有相对应的状态跟踪防火墙,但由于网络处理器的平台的硬件特性,很多常用的方法并不能直接照搬过来。本文作者将状态跟踪分为应用层状态跟踪和传输层状态跟踪,并按照网络处理器平台的特点,分别将不同的层次的状态跟踪放入到不同硬件层次上,实现了高速与功能并重。
同时由于数据平面没有操作系统的支持,本文作者也根据硬件特点,设计了新的_套动态内存分配机制和动态Hash机制,作为状态跟踪防火墙的底层,极大地提高了防火墙的处理速度。
As the rapid development of internet, the number of network nodes is increasingdrastically. In order to solve the problem of insufficient IP addresses and meanwhileenhance internet data transfer security, the current IPv4 will inevitably be replaced byIPv6. Furthermore, the internet bandwidth keeps on growing, followed by more andmore new network techniques. Increasing emphasis is paid on the long developmentcycle and upgrade difficulty of the earliest technologies such as ASIC. Because of allthese, a new technology called Network Processor (NP) is presented. To adapt the highspeed modern networks the NP is hardware optimized especially for the network dataprocessing. Meanwhile, it is programmable and thus can be upgraded quickly to applynew network technology and applicatoins.
This thesis is mainly about the design of the connect track firewall which is basedon Intel NP and IPv6. Intel IXA(Internet Exchange Architecture) is studied and basedon it the whole design of IPv6 firewall is finished. This paper can be divided into fourparts.
The author takes charge of designing the whole structure of this Firewall systemand allocating each module on several different MicroEngine to balance the wholesystem, and thus to make best use of the Network Processor Architecture to ensureprocessing packet with high speed. the Connect Track, dynamic Hash, and Packet Filteralso were implemented.
Compared with the traditional Packet Filter Firewall, the Packet Filter withConnect Track has better flexibility and security. It is a new technique of Firewall.Although there are still many Firewall products with the function of Connect Track atthe market now, because of the distinct hardware characteristics of the NetworkProcessor, many common methods can not be applied on Network Processor directly.The Connect Track were partitioned into two sections: Application Layer Connect Trackand Transport Layer Connect Track. In terms of the characteristics of the NetworkProcessor, we put different sections on different hardware layers to realize the functionand guarantee high speed performance at the same time.Meanwhile, as the data plane does not get the support from Operating System, thus we also designed a newmechanism for dynamic memory allocating module and dynamic Hash module. Beingthe bases of Connect Track Firewall, these two modules improve the packet processingspeed a lot.
引文
[1] Intel. Portability Framework Developer's Manual. 2004
[2] Intel. Portability Framework Reference Manual. 2004
[3] Intel. Intel ⅨA SDK 3.1.0 Software Framework Installation Guide. 7/2003
[4] Intel. Intel ⅨA SDK 3.1 Software Framework Getting Started Guide. 7/2003
[5] Intel. Intel ⅨA Software Building Blocks Developer's Manual. 7/2003
[6] Intel. Intel ⅨA Software Building Blocks Reference Manual. 7/2003
[7] Intel. Intel ⅨA Software Building Blocks Applications Design Guide. 7/2003
[8] 李秋江,韦卫,贺志强.网络处理器体系结构分析.计算机工程与应用,2003
[9] 王圣,苏金树,邓宇.网络处理器体系结构的比较与分析.计算机工程,2003
[10] 简贵胄,葛宁,冯重熙.网络处理器技术综述.电讯技术,2003
[11] 谭章熹,林闯,任丰源,等.网络处理器的分析与研究.软件学报,2003
[12] Wind River.VxWorks网络程序员指南(王金刚,宫霄霖,熊辉译).北京:清华大学出版社,2003
[13] Wind River.VxWorks程序员指南(王金刚,高伟,苏淇,等译).北京:清华大学出版社,2003
[14] 石晶林,程胜,孙江明.网络处理器原理、设计与应用.北京:清华大学出版社,2003
[15] 孔祥营,柏桂枝.嵌入式实时操作系统VxWorks及其开发环境Tornado.中国电力出版社,2002
[16] Erik J. Johnson and Aaron R. kunze. ⅨP2400/2800 Programming. 2003
[17] 陈红琳.基于Intel ⅨA架构的防火墙技术:[硕士学位论文].成都:电子科技大学,2003
[18] 陈四强.基于Intel ⅨA的千兆以太路由器设计:[硕士学位论文].成都:电子科技大学,2003
[19] 北京启明星辰信息技术有限公司.防火墙原理与实用技术.北京:电子工业出版社,2002
[20] 拉斯.克兰德.“Hacker Proof—The Ultimate Guide to Network Security”.电子工业出版社,2000
[21] Douglas E.Comer.用TCP/IP进行网际互联.北京:电子工业出版社,2001
[22] Russell Lusignan,Oliver Steudler,Jacques Allison.CISCO网络安全管理(王勇译).北京:中国电力出版社,7/2001
[23] Terry William Ogletree.Practical Firewalls(李之堂 李伟明 陈琳 译).电子工业出版社:2/2001
[24] 高峰,许南山.防火墙包过滤规则问题的研究.计算机应用,2003年6月
[25] 王晓薇,李锋.防火墙包过滤规则正确性的研究.沈阳师范大学学报(自然科学版),7/2003
[26] J. Postel. INTERNET CONTROL MESSAGE PROTOCOL. RFC792, September 1981.
[27] Andrew T. Campbelll, Michael E. Kounavisl and John B. Vicente. Programmable Networks. Center for Telecommunications Research, Columbia University, 4/2005
[28] 李俊娥,王婷,雷公武.UDP状态检测防火墙及实现算法.武汉大学学报(工学版),4/2004
[29] 郭锡泉,基于应用层协议分析的状态检测防火墙研究与实现:[硕士学位论文].长沙:暨南大学,2005
[30] 邱学强.基于ⅨA的IPv4IPv6双协议高性能硬件防火墙的研究:[硕士学位论文].成都:电子科技大学,2006
[32] 张恒汝.状态检测防火墙研究与设计:[硕士学位论文].成都:电子科技大学,2002
[33] 王欣.IPv4和IPv6转换网关的研究设计:[硕士学位论文].成都:电子科技大学,2003
[34] 彭军华.IPv4向IPv6的地址过渡技术及管理策略的研究:[硕士学位论文].长沙:长沙理工大学,2005
[34] 万玮.基于网络处理器开发环境编译器研究及实现:[硕士学位论文].西安:西北工业大学,2006
[35] 文成玉.基于ⅨA的IP交换技术的研究与分析:[硕士学位论文].成都:电子科技大学,2004
[36] Intel. ⅨA IXP2400 Hardware Reference Manual. 2003
[37] 周诚.基于多阶层状态检侧技术的防火墙系统研究与实现:[硕士学位论文].武汉:中南大学,2005
[38] 张士勇.网络安全原理与应用,北京:科学出版社.2003
[39] 张华,岳仑,杜新华.一种支持IPSe的NAT网关,计算机工程.2003
[40] Bruce Schneier著,吴世忠、祝世雄等译.应用密码学:协议、算法与C源程序,机械工业出版社.2001
[41] 何宝宏.IP虚拟专用网,人民邮电出版社.2002
[42] 江红,余青松.VPN安全技术的研究与分析,计算机工程.2002
[43] 张震.VPN技术分析及安全模型的应用,电子技术.2002
[44] 谭兴烈,张世雄.IPSec和NAT协同工作技术研究,计算机工程与应用.2003
[45] 孙鹏,李大兴.虚拟专用网(VPN)的安全机制,通信保密.2000
[46] 刘彦,陈弘.虚拟专用网的体系结构与实现,计算机工程.1999
[47] 雷缙.基于N P的硬件防火墙动态包过滤技术的研究与实现.电子科大研究生学报,2006
[48] 刘露.NAT-PT在ⅨDP2400上的设计与研究.电子科大研究生学报,2006
[49] 何可,肖宁.NP上下层通信机制的优化设计与研究.电子科大研究生学报,2005
[50] 肖宁.基于网络处理器平台的动态Hash算法的设计与实现.电子科大研究生学报,2006
[51] 张喆.防火墙状态检测技术研究与分析:[硕士学位论文].郑州:中国人民解放军信息工程大学电子技术学院,2004
[2] Intel. Portability Framework Reference Manual. 2004
[3] Intel. Intel ⅨA SDK 3.1.0 Software Framework Installation Guide. 7/2003
[4] Intel. Intel ⅨA SDK 3.1 Software Framework Getting Started Guide. 7/2003
[5] Intel. Intel ⅨA Software Building Blocks Developer's Manual. 7/2003
[6] Intel. Intel ⅨA Software Building Blocks Reference Manual. 7/2003
[7] Intel. Intel ⅨA Software Building Blocks Applications Design Guide. 7/2003
[8] 李秋江,韦卫,贺志强.网络处理器体系结构分析.计算机工程与应用,2003
[9] 王圣,苏金树,邓宇.网络处理器体系结构的比较与分析.计算机工程,2003
[10] 简贵胄,葛宁,冯重熙.网络处理器技术综述.电讯技术,2003
[11] 谭章熹,林闯,任丰源,等.网络处理器的分析与研究.软件学报,2003
[12] Wind River.VxWorks网络程序员指南(王金刚,宫霄霖,熊辉译).北京:清华大学出版社,2003
[13] Wind River.VxWorks程序员指南(王金刚,高伟,苏淇,等译).北京:清华大学出版社,2003
[14] 石晶林,程胜,孙江明.网络处理器原理、设计与应用.北京:清华大学出版社,2003
[15] 孔祥营,柏桂枝.嵌入式实时操作系统VxWorks及其开发环境Tornado.中国电力出版社,2002
[16] Erik J. Johnson and Aaron R. kunze. ⅨP2400/2800 Programming. 2003
[17] 陈红琳.基于Intel ⅨA架构的防火墙技术:[硕士学位论文].成都:电子科技大学,2003
[18] 陈四强.基于Intel ⅨA的千兆以太路由器设计:[硕士学位论文].成都:电子科技大学,2003
[19] 北京启明星辰信息技术有限公司.防火墙原理与实用技术.北京:电子工业出版社,2002
[20] 拉斯.克兰德.“Hacker Proof—The Ultimate Guide to Network Security”.电子工业出版社,2000
[21] Douglas E.Comer.用TCP/IP进行网际互联.北京:电子工业出版社,2001
[22] Russell Lusignan,Oliver Steudler,Jacques Allison.CISCO网络安全管理(王勇译).北京:中国电力出版社,7/2001
[23] Terry William Ogletree.Practical Firewalls(李之堂 李伟明 陈琳 译).电子工业出版社:2/2001
[24] 高峰,许南山.防火墙包过滤规则问题的研究.计算机应用,2003年6月
[25] 王晓薇,李锋.防火墙包过滤规则正确性的研究.沈阳师范大学学报(自然科学版),7/2003
[26] J. Postel. INTERNET CONTROL MESSAGE PROTOCOL. RFC792, September 1981.
[27] Andrew T. Campbelll, Michael E. Kounavisl and John B. Vicente. Programmable Networks. Center for Telecommunications Research, Columbia University, 4/2005
[28] 李俊娥,王婷,雷公武.UDP状态检测防火墙及实现算法.武汉大学学报(工学版),4/2004
[29] 郭锡泉,基于应用层协议分析的状态检测防火墙研究与实现:[硕士学位论文].长沙:暨南大学,2005
[30] 邱学强.基于ⅨA的IPv4IPv6双协议高性能硬件防火墙的研究:[硕士学位论文].成都:电子科技大学,2006
[32] 张恒汝.状态检测防火墙研究与设计:[硕士学位论文].成都:电子科技大学,2002
[33] 王欣.IPv4和IPv6转换网关的研究设计:[硕士学位论文].成都:电子科技大学,2003
[34] 彭军华.IPv4向IPv6的地址过渡技术及管理策略的研究:[硕士学位论文].长沙:长沙理工大学,2005
[34] 万玮.基于网络处理器开发环境编译器研究及实现:[硕士学位论文].西安:西北工业大学,2006
[35] 文成玉.基于ⅨA的IP交换技术的研究与分析:[硕士学位论文].成都:电子科技大学,2004
[36] Intel. ⅨA IXP2400 Hardware Reference Manual. 2003
[37] 周诚.基于多阶层状态检侧技术的防火墙系统研究与实现:[硕士学位论文].武汉:中南大学,2005
[38] 张士勇.网络安全原理与应用,北京:科学出版社.2003
[39] 张华,岳仑,杜新华.一种支持IPSe的NAT网关,计算机工程.2003
[40] Bruce Schneier著,吴世忠、祝世雄等译.应用密码学:协议、算法与C源程序,机械工业出版社.2001
[41] 何宝宏.IP虚拟专用网,人民邮电出版社.2002
[42] 江红,余青松.VPN安全技术的研究与分析,计算机工程.2002
[43] 张震.VPN技术分析及安全模型的应用,电子技术.2002
[44] 谭兴烈,张世雄.IPSec和NAT协同工作技术研究,计算机工程与应用.2003
[45] 孙鹏,李大兴.虚拟专用网(VPN)的安全机制,通信保密.2000
[46] 刘彦,陈弘.虚拟专用网的体系结构与实现,计算机工程.1999
[47] 雷缙.基于N P的硬件防火墙动态包过滤技术的研究与实现.电子科大研究生学报,2006
[48] 刘露.NAT-PT在ⅨDP2400上的设计与研究.电子科大研究生学报,2006
[49] 何可,肖宁.NP上下层通信机制的优化设计与研究.电子科大研究生学报,2005
[50] 肖宁.基于网络处理器平台的动态Hash算法的设计与实现.电子科大研究生学报,2006
[51] 张喆.防火墙状态检测技术研究与分析:[硕士学位论文].郑州:中国人民解放军信息工程大学电子技术学院,2004