
Research And Implementation Of The Packet Filtering Technology In Integrated Security Gateway Firewalls

Posted on: 2010-06-24
Degree: Master
Type: Thesis
Country: China
Candidate: Z Yang
Full Text: PDF
GTID: 2178330332978521
Subject: Computer software and theory
Abstract/Summary:
As network services continue to diversify, users place higher demands on the function and performance of access-level network devices. Designing a new high-performance device architecture that integrates network communication and security and supports multiple services has become a hot research topic. For this kind of device, filtering packets with complex processing at high efficiency is the key technology.

This work is based on the project "Research of reconfigurable router and its components", supported by the National High Technology Research and Development Program of China, and the project "Research and Industrialization of IPv4/IPv6 United Network Chip", supported by the Jiangsu Provincial Department of Science and Technology. To satisfy the device's requirement for multi-dimension, multi-purpose, line-speed packet filtering, this thesis focuses on the defects of current research. Building on existing results in packet classification, it implements the filter and improves its performance in the following aspects: optimizing the filtering architecture, designing a high-speed filtering engine, dynamically optimizing the rule set, and maintaining the TCAM items. Its main work and contributions are outlined as follows:

■ Current research on filtering architecture has two defects: the absence of a standardized architecture to ensure the filtering function, and the system performance loss or exorbitant cost caused by a "single layer" architecture. To address them, this thesis proposes an OML (Orientation-differentiated, Multi-stepped and Layered) packet filtering architecture. The orientation-differentiated and multi-stepped architecture can ensure the filtering function, and the layered architecture can improve system performance or reduce the cost of implementation. The simulation results verify the effectiveness of this architecture.

■ To satisfy the device's requirement for multi-dimension, multi-purpose, line-speed packet filtering, this thesis applies the OML filtering architecture and uses software cooperating with hardware to design and implement a packet filtering engine with integrated functions and high performance. This engine has been applied to the corresponding devices. The test results show that it has high network performance and can satisfy various functional requirements.

■ To address the weakness of the linear search algorithm in time efficiency, this thesis designs a new algorithm that dynamically optimizes the organization of the filtering rules based on the statistical characteristics of Internet traffic. The new algorithm includes calculating the weights of rules, optimizing the order of rules, a dynamically optimizing composite algorithm, and so on. The simulation results show that the algorithm has considerable practical significance, and it has been undergoing debugging in the corresponding devices.

■ TCAM takes on the main task of packet filtering. To satisfy the requirements of storing multiple kinds of items on the same TCAM and of implementing policy-based routing, this thesis designs and implements a new scheme and algorithms for maintaining the TCAM items, based on the TCAM's characteristic of hitting on the lowest address and on the constraint of reducing the offline updating time as much as possible. The new scheme and algorithms not only ensure the functions but also minimize the system burden of maintenance. They have been applied to the corresponding devices successfully.
Keywords/Search Tags:Security Gateway, Firewall, Packet Filtering, Filtering Architecture, Filtering Engine, Dynamic Optimizing, TCAM