计算机科学

计算机科学 ›› 2017, Vol. 44 ›› Issue (3): 158-162.doi: 10.11896/j.issn.1002-137X.2017.03.035

• 信息安全 • 上一篇    下一篇

一种IPV6环境下的高性能规则匹配算法研究

庞立会,江峰   

  1. 国防科学技术大学计算机学院 长沙410073,国防科学技术大学计算机学院 长沙410073
  • 出版日期:2018-11-13 发布日期:2018-11-13
  • 基金资助:
    本文受国家863项目:QoS服务质量保证设计(2012AA01A50606),国家自然科学基金项目:高级持续威胁网络行为建模与检测方法研究(61303264)资助

Research on High Performance Rule Matching Algorithm in IPV6 Networks

PANG Li-hui and JIANG Feng   

  • Online:2018-11-13 Published:2018-11-13

PDF (PC)

647

摘要: 防火墙是确保网络安全的关键设施,而规则匹配又是防火墙的核心技术。随着网络技术的发展,互联网体系结构正逐渐从IPV4向IPV6结构发展,原有的IPV4防火墙规则匹配算法很难直接应用于IPV6网络环境,因为IPV6协议所能表示的地址范围远远超过IPV4协议对应的地址范围。因此提出了一种适用于IPV6环境的高性能规则匹配算法HiPRM(High Performance Rule Matching)。HiPRM算法的核心思想是依据规则的协议和目的端口分布特征,先把整个规则集划分成多个子规则集,再利用位选取算法对规则的源和目的IPV6地址组合的特定位进行选取,然后据此构建二叉查找规则树,最后利用规则树把多个规则子集划分成若干个更小的规则集合。而当报文匹配到某个更小的规则集合时,在小规则集中利用线性匹配法确定具体匹配的对应规则。分析和测试表明,HiPRM算法可以在时间复杂度和空间复杂度较低的情况下实现报文的高速匹配,且具有较好的规则集适应性。

关键词: 防火墙,规则匹配,IPV6,二叉树

Abstract: As is known to al1,firewall is the core device to guarantee network security,and rule matching is one of the most important technologies to firewall.However,those high performance rule matching algorithms based on IPV4 are not suitable for IPV6 with the network derivation from IPV4 to IPV6.The main cause of this situation is that the range of IPV6 address is much bigger than the range of IPV4 address.Thus we suggested a high performance rule matching algorithm suitable for IPV6,named HiPRM (High Performance Rule Matching).HiPRM algorithm classifies the whole rule set into several parts with the protocol and destination port field of rules,and it selects special bits from the combination of source and destination IPV6 address of rules to construct binary trees.After the construction of binary trees,those rule sets are split into smaller rule sets.When a packet matches one of these smaller rule sets,the linear searching algorithm is used to find the matching rules in this small rule set.Analysis and experiment results show that HiPRM algorithm not only has good time and space performance,but also has better scalability with different rule sets.

Key words: Firewall,Rule matching,IPV6,Binary tree

[1] LAKSHMAN T V,STILIADIS D.High Speed Policy Based PacketForwarding Using Efficient Multidimensional Range Matching[J].ACM Computer Communication Review,1998,28(4):203-214.
[2] GUPTA P,MCKEOWN N.Packet Classification on MultipleFields [J].ACM SIGCOMM Computer Communication Review,1999,29(14):147-160.
[3] HiPAC [EB/OL].(2005-11-8) [2014-12-5].http://www.hi-pac.org.
[4] WANG Z L,WU Z J,YI L.HigH-Dimension Large-scale Packet Matching Algorithm in IPV6 [J].ACTA Electronica Sinica,2013,41(11):2181-2186.(in Chinese) 王则林,吴志健,尹兰.IPV6环境下的高维大规模分类算法[J].电子学报,2013,1(11):2181-2186.
[5] SINGH S,BABOESCU F,VARGHESE G,et al.Packet Classification Using Multi-dimensional Cutting[C]∥Proceedings of the 2003 Conference on Applications,Technologies,Architectures,and Protocols for Computer Communications,2003.Karlsruhe:ACMSIGCOMM,2003:213-224.
[6] BABOESCU F,SINGH S,VARGHESE G.Packet Classification for Core Routers:Is There an Alternative to CAMs?[C]∥Proc of IEEE Infocom,2003.San Francisco,IEEE Infocom,2003:53-63.
[7] HAN W T,YI P,ZHANG X.Hybrid Cutting Algorithm for PacketClassification [J].Journal of Software,2014,25(11):2616-2626.(in Chinese) 韩伟涛,伊鹏,张霞.一种采用混合切分法的报文分类算法[J].软件学报,2014,5(11):2616-2626.
[8] KOGAN K,NIKOLENKO S,ROTTENSTEICH O,et al.SAX-PAC(Scalable and Expressive Packet Classification)[C]∥Proceedings of the 2014 ACM Conference on SIGCOMM,2014.Chicago,IL,USA:ACM Press,2014:15-26.
[9] TAYLOR D E,TURNER J S.ClassBench:A Packet Classification Benchmark [J].IEEE/ACM Trans.on Networking,2007,15(3):499-511.
[10] HAGER S,SELENT S,Scheuermann B.Trees in the List:Accelerating List-based Packet Classification Through Controlled Rule Set[C]∥Proc of ACM CoNEXT,2014.Sydney,Australia:ACM Press,2014:101-107.
No related articles found!
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发