Build A Network Security Device Platform Based On The P4080

Posted on: 2014-08-06
Degree: Master
Type: Thesis
Country: China
Candidate: Q Guo
GTID: 2268330401465939
Subject: Software engineering

Abstract/Summary:
From the perspective of information security architecture, information security solutions span five levels: physical security, system security, network security, application security and security management. Network security equipment is the product that addresses network security. If the security of the equipment's own system cannot be ensured, the equipment becomes an unsafe point in the secured network. To address this problem, this thesis studies how to build a network security device platform on the multi-core P4080 processor, covering system secure boot, network packet processing and high-speed communication with a coprocessor. The main work is as follows:

1. Analyze the needs of a network security equipment platform. Study firewall, security gateway and VPN products to analyze the functional requirements of the platform; study the security requirements of trusted computers to analyze the security requirements of the platform.

2. Based on the resources and characteristics of the P4080 chip, design the hardware framework of the P4080 network security device platform.

3. Study the principles of trusted computing, the structure of the chain of trust, the principle of digital signatures, and the P4080 security mechanism, its design principles and its implementation approach. Then design a system security mechanism with two trusted chains, from ISBC to U-Boot and from U-Boot to the Linux system, using the P4080's secure boot and trusted structure together with digital signature and verification techniques. Finally, test the system security design. The test results verify the correctness and effectiveness of the implemented security mechanism.

4. The P4080 provides the PCI-E and RapidIO high-speed buses. Considering the layered architecture of each bus and the functions and features of each protocol layer, and taking development convenience into account, PCI-E is selected as the high-speed bus for interaction between the P4080 network security device and the hardware coprocessor platform. Then design two hardware coprocessor interaction protocols: a merged transceiver linked list and a transceiver doubly linked list. Finally, test the two data transceiver protocols. The test results verify that the merged transceiver linked list mode requires fewer interrupts than the transceiver doubly linked list approach, thereby reducing CPU performance consumption.

5. Research virtual machine mechanisms and their implementation, as well as the P4080 multicore architecture; study the P4080's embedded security acceleration engine, IPsec encapsulation and decapsulation, and the "black" key and Blob mechanisms. Then design four system software architectures: Linux SMP, Hypervisor, KVM and USDPAA. At the same time, based on the USDPAA architecture, design an IPsec-VPN implementation architecture that uses separate CPUs to handle device management, coprocessor transceiver processing, IPsec processing, received packet processing and packet transmission processing. Finally, use TestCenter and the P4080 platform to test the IP packet forwarding performance of three architectures. The test results prove that using the USDPAA system architecture, and network security processing based on USDPAA, is feasible and can achieve the performance requirements of high-speed devices.

Keywords/Search Tags: P4080, Secure boot, IPsec, PCI-E