
Fast and reconfigurable packet classification engine in FPGA-based firewall


Abstract

In data communication over the internet, security is becoming one of the most influential aspects. One way to support it is by classifying and filtering Ethernet packets within network devices. Packet classification is a fundamental task for network devices such as routers, firewalls, and intrusion detection systems. In this paper we present the architecture of a fast and reconfigurable Packet Classification Engine (PCE). This engine is used in an FPGA-based firewall. Our PCE inspects the multi-dimensional fields of the packet header sequentially, based on a tree-based algorithm. This algorithm reduces the overall system to a smaller scale and leads to a more secure system. The PCE works with an adaptation of a single-cycle processor architecture in the system. An Ethernet packet is examined by the PCE based on the Source IP Address, Destination IP Address, Source Port, Destination Port, and Protocol fields of the packet header. These are the basic fields used to determine whether a packet is dangerous or normal before inspecting its content. Using an implementation of the tree-based algorithm in the architecture, firewall rules are rebuilt into 24-bit sub-rules, which are read as processor instructions in the inspection process. The inspection process compares one sub-rule with an input field of the header every clock cycle. The proposed PCE achieves a 91 MHz clock frequency on a Cyclone II EP2C70F896C6, with an average throughput of 13 clock cycles from input to output generation. The use of the tree-based algorithm simplifies multidimensional packet inspection and gives us a reconfigurable as well as scalable system. The architecture is fast, reliable, and adaptable, and can also exploit the advantages of the algorithm very well. Although the PCE has a high frequency and a low clock-cycle count, the filtering speed of a firewall also depends on the other components, such as the packet FIFO buffer. A fast and reliable FIFO buffer is needed to support the PCE. This PCE also does not yet include a rule update mechanism. The proposed PCE is tested as a component of an FPGA-based firewall to filter Ethernet packets on an FPGA DE2 board using the NIOS II platform.
