Research On Packet Filtering Rule Matching And Parallelization Technology

Posted on: 2020-07-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
Full Text: PDF
GTID: 2518306308470524
Subject: Electronics and Communications Engineering
Abstract/Summary:
The rapid development of information network technology has spawned a series of new network architectures, bringing convenient services to today's society. But these new architectures also raise information security issues that need to be resolved. Taking the Space-ground Integrated Network as an example, there are many types of users in the network system, such as military, civilian, party and government, and enterprises, and these users correspond to network domains of different security levels. When communication data is transmitted across domains, the inter-domain security devices need to apply access control to the received data packets, according to the security policies of the access domain, to ensure reliable cross-domain communication. However, as the amount of data transmitted between domains increases, the traditional serial filtering method no longer satisfies users' low-latency requirements. The parallel computing capability of multi-core processors is therefore introduced into packet filtering to achieve efficient matching of filtering rules, and the thesis studies rule matching in packet filtering based on the parallel computing of multi-core processors. The main work is as follows:

(1) A linear matching method based on a Hash algorithm is implemented. When a data packet is matched, the Hash value of the IP address and the port number is calculated first, the matching rule is looked up in the hash table, and a chain search is then performed according to the lookup result.

(2) A tree matching method based on hierarchical lookup is implemented. When a data packet is matched, the quintuple information is matched in turn according to the protocol, the port number, and the IP address.

(3) A rule set parallelization method based on tuple categorization is proposed. This method builds the rule tree on top of the shared-memory parallel processing method of traditional packet filtering; it reduces the time needed to build the rule tree from the original rule set and improves the efficiency of packet filtering in the security gateway.

The experimental results show that, in terms of filtering time, the two matching methods differ little for small-scale rule sets, while tree matching based on hierarchical lookup performs better as the number of rules increases. In terms of memory usage, for the same number of rules, linear matching based on the Hash algorithm incurs less memory overhead. At the same time, parallelized rule matching obtains a performance improvement of about 10 times compared with serial rule matching. After the parallelization preprocessing optimization of the rule set, the time performance improvement becomes more and more obvious as the rule set scale increases.
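The two matching methods in (1) and (2), sketched side by side as an added example; this is not code from the thesis. Assumptions: the hash key is the destination IP plus destination port, only the source fields may be wildcards, the first matching rule wins, and the rule values, `BUCKETS` and all function names are constructed for illustration.

```python
from collections import defaultdict

ANY = None  # wildcard (assumption: only src_ip / src_port may be wildcards)
# Constructed rules: (proto, src_ip, src_port, dst_ip, dst_port, action)
RULES = [
    ("tcp", "10.1.0.7", ANY, "10.2.0.10", 443, "allow"),
    ("tcp", "10.1.0.9", ANY, "10.2.0.10", 443, "deny"),
    ("udp", ANY,        ANY, "10.2.0.53", 53,  "allow"),
    ("tcp", "10.1.0.7", ANY, "10.2.0.22", 22,  "allow"),
]
DEFAULT = "deny"   # action when no rule matches
BUCKETS = 4        # deliberately small so chains hold more than one rule

def rest_matches(rule, pkt):
    """Compare the source fields, which are not part of either lookup key."""
    return rule[1] in (ANY, pkt[1]) and rule[2] in (ANY, pkt[2])

def build_hash(rules):
    """Method (1): bucket each rule by the hash of (dst_ip, dst_port)."""
    table = defaultdict(list)
    for r in rules:
        table[hash((r[3], r[4])) % BUCKETS].append(r)
    return table

def match_hash(table, pkt):
    """Hash the packet's IP and port, then search the bucket's chain."""
    for r in table.get(hash((pkt[3], pkt[4])) % BUCKETS, []):
        # Colliding keys share a chain, so the key fields are re-checked here.
        if (r[0], r[3], r[4]) == (pkt[0], pkt[3], pkt[4]) and rest_matches(r, pkt):
            return r[5]
    return DEFAULT

def build_tree(rules):
    """Method (2): levels are protocol -> dst port -> dst IP -> rule list."""
    tree = {}
    for r in rules:
        tree.setdefault(r[0], {}).setdefault(r[4], {}).setdefault(r[3], []).append(r)
    return tree

def match_tree(tree, pkt):
    """Descend one level per field; a miss at any level means no rule applies."""
    leaf = tree.get(pkt[0], {}).get(pkt[4], {}).get(pkt[3], [])
    for r in leaf:
        if rest_matches(r, pkt):
            return r[5]
    return DEFAULT
```

A packet is the five-tuple `(proto, src_ip, src_port, dst_ip, dst_port)`; both matchers return the same action for any packet because each keeps rules in their original order.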
Keywords/Search Tags: multi-core processors, parallel computing, packet filtering, rule matching