
Design And Implementation Of Firewall System Based On Network Processor

Posted on: 2007-09-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y Sun
GTID: 2178360212965602
Subject: Computer software and theory
Abstract/Summary:
With the rapid growth of global network bandwidth in recent years, the speed required of network devices, especially edge and access devices, keeps rising. At the same time, fast-developing network applications call for devices with more flexibility and a lower cost of change. Firewall technology now faces the same dilemma between speed and flexibility. Among designs on traditional platforms, software firewalls on the x86 architecture solved the problem of supporting new applications and protocols, while hardware firewalls based on ASICs met the need for speed and scalability. However, neither could achieve advantages in both speed and flexibility. The emergence of the network processor brings a brand new solution: a firewall system based on a network processor combines the speed of an ASIC with the flexibility provided by a general-purpose CPU.

The paper's research work includes a study of the hardware and software architecture of the Intel IXP2400 network processor. By utilizing the hardware parallelism of the multi-threaded microengines and constructing a layered, modularized software framework, an architecture design for a firewall system based on the IXP2400 is introduced. Furthermore, three core functions in the microengine data plane, the Forwarder, Filter and NAT microblocks, are designed and implemented. After a theoretical analysis from the packet classification perspective, and considering the advantages brought by the hardware platform, the auxiliary data structure for each microblock and its lookup flowchart are introduced. The design is validated by tests of each module under critical conditions. The tests also show that the system generally runs well at line rate.
Keywords/Search Tags:Network Security, Firewall, Network Processor, IXP2400, Routing & Forwarding, Packet Filtering, Network Address Translation