
METHOD AND APPARATUS FOR USING FPGA SUPPORTING IPV4 AND IPV6


Abstract

A unified security apparatus for supporting IP packets and a method thereof are provided to enable permission/filtering to be applied to an IPv4 packet and an IPv6 packet by physically using a single chipset when a dual stack scheme and a permission/filtering rule are applied. A unified security apparatus for supporting IP packets includes a packet classifier (210), a key generator (220), a lookup engine (230), and an intrusion response unit (240). The packet classifier classifies an IPv4 packet and an IPv6 packet based on version information in header information of an input IP packet. The key generator generates header information corresponding to the IPv4 packet or the IPv6 packet classified by the packet classifier and generates a discrimination key corresponding to the IPv4 packet or the IPv6 packet based on the generated header information. The lookup engine includes two banks (231, 232). Different bits are assigned to the two banks. An IPv4 security policy and an IPv6 security policy are recorded in the lookup engine. In this way, both an IPv4 packet and an IPv6 packet can be searched in the current embodiment by physically using a single lookup engine. The intrusion response unit includes a packet filtering unit (241) and a bandwidth controller (242). The packet filtering unit decides a lookup key, which is a key value corresponding to the security policy established in the first bank or the second bank, and if the lookup key matches the discrimination key generated according to the IPv4 packet or the IPv6 packet by the key generator, the packet filtering unit discards or transmits the packet according to the security policy. The bandwidth controller decides a lookup key, which is a key value corresponding to the security policy established in the first bank or the second bank, and if the lookup key matches the discrimination key, the bandwidth controller controls a bandwidth according to the security policy.
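A software reference model of the pipeline the abstract describes, added here as an illustration and not taken from the patent or its FPGA implementation. The key layout (source address, destination address, protocol), the source-prefix rule format, the masked match and the default pass action are assumptions, since the abstract does not specify them.

```python
import ipaddress
import struct

DROP, PASS, LIMIT = "drop", "pass", "limit"
KEY_BITS = {4: 72, 6: 264}   # assumed key layout: src | dst | protocol

def classify(pkt: bytes) -> int:
    """Packet classifier (210): branch on the IP header's version nibble."""
    version = pkt[0] >> 4 if pkt else None
    if version not in KEY_BITS:
        raise ValueError("not an IPv4 or IPv6 packet")
    return version

def make_key(pkt: bytes):
    """Key generator (220): extract header fields into a discrimination key."""
    version = classify(pkt)
    if len(pkt) < (20 if version == 4 else 40):
        raise ValueError("truncated IP header")
    if version == 4:
        key = pkt[12:16] + pkt[16:20] + pkt[9:10]
    else:
        key = pkt[8:24] + pkt[24:40] + pkt[6:7]
    return version, int.from_bytes(key, "big")

class LookupEngine:
    """Lookup engine (230): one engine, one bank per key width."""
    def __init__(self):
        self.banks = {4: [], 6: []}   # banks 231 and 232

    def add_rule(self, src_net: str, action: str, rate_kbps=None):
        net = ipaddress.ip_network(src_net)
        shift = KEY_BITS[net.version] - net.max_prefixlen  # src sits in the top bits
        self.banks[net.version].append(
            (int(net.network_address) << shift, int(net.netmask) << shift, action, rate_kbps))

    def lookup(self, pkt: bytes):
        """Intrusion response (240): filter (241) or rate-limit (242) on a match."""
        version, key = make_key(pkt)
        for value, mask, action, rate_kbps in self.banks[version]:
            if key & mask == value:
                return action, rate_kbps
        return PASS, None   # assumed default when no policy matches

def ipv4_header(src, dst, proto=6):
    """Constructed sample input: 20-byte IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ipv6_header(src, dst, next_header=6):
    """Constructed sample input: 40-byte IPv6 fixed header."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
```

Because each bank holds keys of only one width, an IPv6 rule can never match an IPv4 packet or the reverse, and malformed or truncated headers are rejected before any lookup.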