
Research And Design Of Linked IPS For IPv6 Based On Multi-core Network Processor

Posted on: 2012-06-30
Degree: Master
Type: Thesis
Country: China
Candidate: J Z Yang
Full Text: PDF
GTID: 2218330368492447
Subject: Computer application technology
Abstract/Summary:
At present, the new generation network offers higher bandwidth, lower communication delay and larger throughput than ever before, and campus backbone transmission rates have risen to the Gbps or even 10 Gbps level. Traditional network intrusion detection and prevention systems (NIDS/NIPS) distributed in the campus backbone are increasingly difficult to deploy because they lack the processing power to keep up with the speed of modern networks, and the single-CPU platform has reached the end of the road. On the other hand, the new generation network will adopt the IPv6 protocol. Besides the security threats already present in IPv4, IPv6 networks introduce some new security problems. To satisfy the requirements of high speed, high performance and high efficiency for NIDS/NIPS in the new generation network, multi-core network platforms should be studied and employed to improve processing power.

Firstly, this thesis reviews the state of research and deployment in the field of IPv6 networks and multi-core processors at home and abroad, then analyzes the architecture, hardware units and programming of the Octeon multi-core network processor, including the simple executive Hardware Abstraction Layer (HAL) and the architecture model of software and hardware. It also analyzes the new security problems introduced by IPv6 networks, and discusses the advantages and feasibility of adopting the Octeon multi-core high-speed network processing architecture to implement an IPS for the new generation IPv6 network.

The thesis studies a Linked Intrusion Prevention System based on the Octeon multi-core high-speed network processor for the new generation IPv6 network, and designs its prototype. The system design is based on high-speed processing on the Octeon multi-core platform and takes into account the new intrusion characteristics that occur in IPv6 networks. Building on rule-library matching for intrusion detection, and using new protocol analysis and flow-based detection techniques, the different execution roles, including control plane and data plane, are distributed across multiple Octeon cores. Using the named-block mechanism for communication between cores, and feedback from the cores running data plane code to the control plane core, the system achieves high-speed linking between the flow processing module, the protocol analysis module and the control module.

The thesis elaborates on the system analysis and overall design, and on the design of the flow processing module, protocol analysis module and control module. It introduces the key techniques used in the system and discusses the measures and methods used to maximize multi-core parallel processing. Finally, an experimental platform was built with an IXIA tester to simulate a real IPv6 network environment, and functional and performance tests were completed.
Keywords/Search Tags: Octeon, multi-core, IPv6, IPS, linking