Firewall Design And Implementation Of Ipv6 Network Processor-based State Tracking

As the rapid development of internet, the number of network nodes is increasingdrastically. In order to solve the problem of insufficient IP addresses and meanwhileenhance internet data transfer security, the current IPv4 will inevitably be replaced byIPv6. Furthermore, the internet bandwidth keeps on growing, followed by more andmore new network techniques. Increasing emphasis is paid on the long developmentcycle and upgrade difficulty of the earliest technologies such as ASIC. Because of allthese, a new technology called Network Processor (NP) is presented. To adapt the highspeed modern networks the NP is hardware optimized especially for the network dataprocessing. Meanwhile, it is programmable and thus can be upgraded quickly to applynew network technology and applicatoins.This thesis is mainly about the design of the connect track firewall which is basedon Intel NP and IPv6. Intel IXA(Internet Exchange Architecture) is studied and basedon it the whole design of IPv6 firewall is finished. This paper can be divided into fourparts.The author takes charge of designing the whole structure of this Firewall systemand allocating each module on several different MicroEngine to balance the wholesystem, and thus to make best use of the Network Processor Architecture to ensureprocessing packet with high speed. the Connect Track, dynamic Hash, and Packet Filteralso were implemented.Compared with the traditional Packet Filter Firewall, the Packet Filter withConnect Track has better flexibility and security. It is a new technique of Firewall.Although there are still many Firewall products with the function of Connect Track atthe market now, because of the distinct hardware characteristics of the NetworkProcessor, many common methods can not be applied on Network Processor directly.The Connect Track were partitioned into two sections: Application Layer Connect Trackand Transport Layer Connect Track. In terms of the characteristics of the NetworkProcessor, we put different sections on different hardware layers to realize the functionand guarantee high speed performance at the same time.Meanwhile, as the data plane does not get the support from Operating System, thus we also designed a newmechanism for dynamic memory allocating module and dynamic Hash module. Beingthe bases of Connect Track Firewall, these two modules improve the packet processingspeed a lot.