
Design Of Several Logical Function Blocks Of ForCES-Based Security Gateway And Implementation On Network Processor

Posted on: 2010-02-14
Degree: Master
Type: Thesis
Country: China
Candidate: K Chen
GTID: 2178360275999122
Subject: Communication and Information System
Abstract/Summary:
With the development of computer network technology, a variety of security flaws in network information systems are continually being exposed, and the network security problem is growing. ForCES (Forwarding and Control Elements Separation) is a new architecture for Next Generation Network (NGN) elements (a network element mainly refers to routers, switches, etc.). It is based on the idea of open programmability and was put forward by the ForCES working group in the routing area of the IETF (Internet Engineering Task Force). It can better solve the security problems in the network and has become an important research direction for the NGN.

This thesis mainly studies several key technologies based on the ForCES framework, including: (1) the model of a ForCES-framework security gateway; (2) modeling of the firewall-related LFBs (Logical Function Blocks) of the ForCES-framework security gateway; (3) the key technologies for realizing LFBs on a network processor (NP), with concrete solutions proposed; (4) the technology for hardware realization of data encryption/decryption.

Based on the study of the above key technologies, this thesis mainly completes the following tasks.

· Design an LFB model that can be applied to firewall and VPN security policy; design an SPI (Stateful Packet Inspection) LFB model; design an authentication LFB model; and, based on a study of a variety of encryption and decryption technologies, design an encryption/decryption LFB model.
· Propose a hash-based fast matching algorithm for SPI rules, and implement the stateful packet inspection LFB based on this algorithm.
· Through an in-depth study of the serial data stream under multiple engines and multiple threads that arises in NP programming, propose and implement an effective solution to the complicated data access.
· Implement the security policy LFB based on the security policy matching algorithm.
· Based on an in-depth study of NP parallel programming technology, implement a pipeline-based encryption/decryption LFB on the IXP2850.
· Through quantitative analysis of IPSec VPN data packet processing, derive specific performance indicators for IPSec VPN. Performance tests of the IPSec VPN system verify the proposed performance indicators, and some improvements are proposed.

Finally, we carried out experiments to test the prototype system of the NP-based ForCES-framework security gateway. The results show that the model of the ForCES-framework security gateway is correct. The experiments also verify the availability of the security gateway-related LFB designs and provide important technical parameters for the application of ForCES.
Keywords/Search Tags:Network Processor, ForCES, LFB, Firewall, VPN