
Study And Improve Firewall's Reliability In IPv6 Networks

Posted on: 2008-01-16
Degree: Master
Type: Thesis
Country: China
Candidate: J You
Full Text: PDF
GTID: 2178360215490918
Subject: Computer software and theory

Abstract/Summary:
In the middle of the last century the appearance of computers brought tremendous changes to our lives, and networks have developed rapidly since. Computer networks are geographically distributed, open in architecture, and built around resource sharing and shared access. This growing interconnection inevitably brings with it fragility and danger in the systems themselves, which worries people. At the same time, IPv4 faces serious problems: its address space is running out, it does not provide well for multimedia services, it does not support mobile users, and so on. To overcome the disadvantages of IPv4, especially the shortage of IP addresses and the over-expansion of routing tables in backbone routers, the IETF established the IPng Organization, and the next-generation IP protocol, IPv6, thus came into being. IPv6 will certainly take the dominant position in the development of the Internet, and the security of the next-generation network has become a problem demanding a prompt solution. The firewall, a powerful tool for network security, has been widely used in IPv4 networks, yet it is seldom used in IPv6 networks; this is one of the backgrounds of this paper's research. A survey of the available literature shows that the majority of Linux firewall rule-filtering algorithms for IPv6 use sequential lookup. With a large rule set, the efficiency of such a filtering algorithm drops quickly, and the huge address space of IPv6 lowers packet-filtering efficiency still further. From this it is concluded that the sequential lookup algorithm is a performance bottleneck for the IPv6 firewall; in other words, the reliability of the firewall is not one hundred percent. Based on this, in order to enhance the reliability of the firewall, a fast rule-matching algorithm based on a binary tree (two-forks-tree) is proposed after a thorough analysis of several packet-filtering algorithms.
The algorithm stores the rule table in a Trie data structure and keeps the corresponding rules only in the leaf nodes, which saves storage space. A rule's matching fields generally include source address, destination address, source port, destination port and protocol type. The algorithm uses a split-and-combine method: it matches each rule field separately and then combines the results obtained for the individual fields. The final filter rule is thus obtained, and the firewall handles the packet according to it. Replacing the sequential rule-matching algorithm in this way raises the firewall's rule-matching speed and the system throughput, and so achieves, to some extent, the goal of enhancing the firewall's reliability. Next, the paper studies the efficiency loss and packet loss caused by locking, and designs a locking method suited to the characteristics of the algorithm. In addition, the paper analyses another problem in packet-filtering technology, rule conflict, presenting both a theoretical study of rule conflicts and a search algorithm for them; experiments show that this algorithm accurately finds the conflicting rules. The paper not only analyses the algorithm and the performance of the firewall, but also implements and experimentally evaluates the fast rule-matching algorithm and the rule-conflict search algorithm in an IPv6 network. Building on existing firewall development technology, the paper thereby improves and enhances the reliability of the firewall in IPv6.
Keywords/Search Tags: Internet Protocol version 6, Firewall, Linux, Filter Rule