Research on the Implementation and Performance Optimization of a Multi-CPU IPv6 Firewall
Published: 2018-12-20 22:22
[Abstract]: With global IPv4 addresses close to exhaustion, the deployment of IPv6 is imperative, and IPv6-based security protection is becoming increasingly important. Firewall devices are the core of network security, so a firewall's support for IPv6 determines the foundation of IPv6 network security. Domestic firewall devices do not yet fully support IPv6. The goal of this project is to use a multiprocessor hardware platform to implement a firewall that supports IPv6, and to bring its throughput and new-connection rate up to the advanced level of the industry. In the course of this research, we used incremental, iterative development to produce a prototype of a multi-core processor firewall fairly quickly, and then met the firewall's functional and performance requirements. The main innovations of this work are: the basic functions of an IPv6-capable firewall are implemented on a multi-core platform; high-speed interconnection between IPv6 and IPv4 is achieved by implementing high-performance NAT64 on the multi-core platform; and an evolution interface is provided for upgrading the firewall system to ASIC/NP forwarding, or to a distributed firewall system, in the future. The main work completed by the author is as follows: analyzing and designing the interaction interfaces between the modules of the IPv6 firewall on the multi-core platform; designing the load-sharing scheme for the data plane of the multi-core system; porting the ASPF/NAT/ALG and other modules of the IPv6 firewall from the single-core platform to the multi-core platform; and adding a fast-forwarding path, with optimizations for the multi-core system's spinlocks, cache and coprocessors. The conclusion of this research is that an IPv6 firewall based on the XLP832 multi-core MIPS processor can achieve a throughput of 8 Gbps (small packets) / 20 Gbps (large packets) and a new-connection rate of 60 kcps, which reaches the advanced level of the industry and meets market demand for high-performance enterprise IPv6 firewalls.
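[Degree-granting institution]: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology)
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.04
Article ID: 2388504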
Article link: http://sikaile.net/guanlilunwen/ydhl/2388504.html