Research and Implementation of IPSec VPN Acceleration Technology
Topic: IPSec. Focus: asynchronous encryption. Source: Xidian University, master's thesis, 2014
[Abstract]: With the rapid development of network technology, network transmission speeds keep rising, and so do the processing-speed requirements placed on key network devices. As the security platform for data forwarding, an IPSec VPN easily becomes the bottleneck of a network system. Traditional IPSec VPNs suffer from low-performance encryption and decryption modules and do not take full advantage of multi-core systems. This thesis studies IPSec VPN acceleration techniques in detail. Addressing the low performance of the widely deployed IPSec VPN technology, and by analyzing the IPSec VPN encryption and decryption module and network protocol parallelism on multi-core systems, it proposes two IPSec VPN acceleration techniques: asynchronous parallel encryption with multiple encryption cards, and IPSec protocol parallelism on multi-core systems. Based on the proposed multi-encryption-card asynchronous parallel acceleration technique, the thesis implements a multi-encryption-card asynchronous parallel encryption model for IPSec VPN systems. The model uses encryption cards instead of the CPU for the compute-intensive encryption and decryption operations, freeing the CPU and thereby improving the encryption and decryption performance of the IPSec VPN system. In this model, the thesis uses the work queue mechanism provided by Linux to improve on the synchronous encryption of traditional IPSec VPN systems, so that the encryption cards work in parallel in an asynchronous manner. The model also includes the design and implementation of a minimum waiting time algorithm for scheduling encryption tasks across multiple encryption cards, which minimizes the time packets wait for encryption and decryption processing. The multi-encryption-card asynchronous parallel encryption technique improves the overall performance of the IPSec VPN system by improving its encryption and decryption module. Based on the multi-core IPSec protocol parallelism technique, the thesis designs and implements a parallel model of the multi-core IPSec protocol. The model uses multi-queue network cards, CPU affinity and the Linux softirq mechanism to implement an IPSec VPN system based on multi-core parallel processing of packets. To address the inefficiency of the memory management module caused by the Linux kernel allocating and reclaiming an sk_buffer structure for every packet, the parallel model includes the design and implementation of a packet queue reuse algorithm, and the thesis describes in detail how this reuse queue algorithm is implemented in a multi-core processor environment. Both proposed acceleration techniques were implemented and tested. The test results show that the two techniques significantly accelerate the IPSec VPN system. Finally, the two acceleration techniques are analyzed in depth based on the experimental results.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article number: 1730675
Article link: http://sikaile.net/guanlilunwen/ydhl/1730675.html