
IPv6 Hardware Firewall Fast Data Path Design and Realization

Posted on: 2008-10-15
Degree: Master
Type: Thesis
Country: China
Candidate: L Liu
Full Text: PDF
GTID: 2208360212975260
Subject: Information security
Abstract/Summary:
The project, named IPv6 hardware firewall based on the Intel IXP2400 network processor, is funded by the 863 foundation. The project belongs to the information technology research field, and its number is 2003AA0010. It mainly aims at the design and implementation of an IPv4/IPv6 hardware firewall based on the IXP2400. At present, the firewall has been completed and is awaiting formal examination.

After fully analyzing the characteristics of the Intel network processor's fast data path, the author proposes four types of microengine distribution models, which suit various network situations and maximize processing efficiency. How to dispatch microengines and how to implement load balancing among microengines are discussed in this thesis.

Using Intel microcode as the development language, the author overcomes the shortcomings and particularities of the Intel network processor and its development tools to realize communication among microengines. The author designs a context-swap method to eliminate the time wasted while a microengine waits for read and write operations to complete. Communication between the fast data path and the slow data path is also implemented. The fast data path sends packets that are not suitable for fast processing to the slow data path. Meanwhile, the fast data path also receives packets from the slow data path.

Based on the hardware characteristics of the network processor, the author designs a NAT-PT algorithm that uses the hardware hash unit. NAT-PT allows communication between IPv6-only and IPv4-only nodes via protocol-independent translation of IPv4 and IPv6 datagrams.

After identifying the advantages and disadvantages of the fast data path, the author implements the IPv4/IPv6 filter based on limited register resources. With reasonable IPv4/IPv6 filter rules, it can eliminate several security vulnerabilities and protect the intranet.

Finally, the author analyzes the characteristics and disadvantages of the system and presents future work.
Keywords/Search Tags:network processor, microengine, firewall, NAT-PT, packet filter