支援早期封包檢測及樣式比對之快速傳輸層封包重組架構

Abstract

隨著網路流量不斷地增加, 軟體形式的網路入侵偵測系統越來越無法滿足這樣的網路環境。因此目前多數的系統開發者會嘗試去設計專為網路應用的硬體電路來取代越來越不符需求的軟體系統, 這樣的概念通常被稱為TCP卸載引擎( TCP offload engine, TOE) 。傳輸層封包重組的工作一般是由作業系統所執行,在設計TOE的硬體架構時, 傳輸層封包重組扮演著足以影響整體系統效能的角色。 本篇論文提出一個傳輸層封包重組硬體架構的實作方法。 嘗試在有限的記憶體資源之下, 作最大的利用。此傳輸層封包重組架構除了處理一般的重組工作之外, 我們也加入了一套仔細規劃過的排程系統。這個排程系統直接與樣式比對硬體溝通, 通知樣式比對硬體照正確的順序將封包的內容由記憶體讀出進行樣式比對。 本篇論文提出的架構, 可以達到超過5 Gbps 的處理能力, 同時提出一個創新的方法名為早期封包檢測。 在不影響安全顧慮的前提下, 嘗試及早將記憶體空間釋放。同時也討論封包遺失對於系統記憶體的影響, 避免記憶體空間因為封包遺失而被大量暫存的封包資料給佔滿而無法處理新進的封包。

Network intrusion detection software is becoming insufficient while the traffic on the internet is increasing. As a result, developers seek to design internet specific intellectual circuits, often known as TCP offload engines (TOEs), to substitute for software solutions. TCP reassembly, which is traditionally managed by operating system, plays an important role in the design of TOEs. This thesis presents a hardware implementation of TCP reassembly system dedicated for pattern matching that utilizes the limited memory resources and a carefully designed scheduling mechanism that informs the pattern matching unit to inspect the packet payloads in the correct order. The proposed architecture achieves more than 5 Gbit/s throughput. It also presents a novel mechanism called early inspection to keep the receive buffer from being overwhelmed that packet-loss might cause to common TCP reassembly units.