Record: NTU Repository (ntur.lib.ntu.edu.tw), handle 246246/54203
URL: http://ntur.lib.ntu.edu.tw//handle/246246/54203
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/54203/1/ntu-93-R91725009-1.pdf (application/pdf, 4229463 bytes)

Title (Chinese): 設計與實作狀態化封包內容分類器的描述語言、編譯器,與引擎
Title (English): Design and Implementation of Script Language, Compiler, and Engine for Stateful Content-Based Packet Classification
Author: 黃仲君 (Huang, Chung-Chun)
Advisor: 孫雅麗
Institution: 臺灣大學 (National Taiwan University), 資訊管理學研究所 (Graduate Institute of Information Management)
Year issued: 2004
Date accessioned / available: 2007-11-26 / 2018-06-29
Language: en-US
Type: other
Keywords: 內容檢視 (content inspection); 狀態封包分類 (stateful packet classification); Stateful; Packet Classifier; Packet Classification; Content Inspection

Abstract (Chinese, translated; the record's copy breaks off mid-sentence):
Compared with a traditional packet classifier, the stateful content-based packet classification architecture proposed in this thesis inspects application-layer content, dynamically records and maintains protocol state, and handles both IPv4 and IPv6 packets. The design of the system starts from a study of the specifications of many protocols and application services in common use today; from these we generalize the matching features used when inspecting packet headers and application-layer content, and then design a suitable Script Language. The Script Language must cover

Abstract (English):
In this thesis, the architecture of stateful content-based packet classification is proposed. Compared to a traditional packet classifier, this architecture is capable of inspecting the application content of a packet, maintaining and tracking protocol state transitions dynamically, and handling both IPv4 and IPv6 packets. At first, we study the specifications of numerous protocols and applications in widespread use. We generalize the features that are commonly utilized when inspecting the packet header and application content, and then the Script Language is designed. The Script Language has to cover sufficient types of matches to satisfy the requirements of convenience and flexibility. Next, the Script Language Compiler compiles the Script Language into code which stores the rule specifications in the rule table. Using the rule table, the Stateful Content-based Classification Engine can then perform packet classification. The Classification Engine comprises several functional components. Separating the filtering procedure into multiple stages is one of the features of the Classification Engine: each stage is implemented as a different building block consistent with the characteristics of its matches. In addition, the Classification Engine maintains and tracks the state transitions of protocols in order to follow the evolution of connections.
The architecture we propose not only meets the requirements of current packet classification (stateful and content inspection), but also brings up some original ideas and design.

Table of contents:
Acknowledgements
Abstract (Chinese)
Thesis Abstract
Contents
List of Tables
List of Figures
Chapter 1 Introduction
 1.1 Background
 1.2 Motivation
 1.3 Objectives
 1.4 Thesis Organization
Chapter 2 Literature Review
 2.1 Packet Classification Architectures
  2.1.1 Hardware-based TCP/IP Content Scanning System
  2.1.2 Iptables: Connection Tracking
  2.1.3 BPF+
  2.1.4 L7-filter
 2.2 Packet Classification Algorithms
  2.2.1 Bit Vector Algorithm
  2.2.2 Recursive Flow Classification Algorithm
  2.2.3 HiCuts Algorithm
Chapter 3 System Architecture
 3.1 Script Language
 3.2 Script Language Compiler
 3.3 Classification Engine
  3.3.1 Flow Classifier
  3.3.2 Connection Manager
  3.3.3 State Manager
  3.3.4 Finite State Machines
  3.3.5 Packet Filter
  3.3.6 Policy Engine
Chapter 4 Implementation Details and Design
 4.1 Implementation of the Script Language Compiler
 4.2 Implementation of the Classification Engine
  4.2.1 Implementation of the Flow State Store
  4.2.2 Implementation of the Packet Filter
Chapter 5 Conclusions and Future Work
References
Appendix 1 Script Language Examples
Appendix 2 Script Language BNF
Appendix 3 Classification Engine Implementation Details
Curriculum Vitae
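The pipeline the abstract describes (script, compiler, rule table, multi-stage engine with per-connection state) as an added, runnable illustration. This code is not the thesis's Script Language, compiler or engine and the BNF in its appendix is not available here; the one-line rule syntax, the state names (NEW, GREETED, MAIL), the SMTP-flavoured rules and the sample packets are all invented for the demonstration. It shows the three points the abstract makes: header, state and content matching are separate stages, a matching rule drives a state transition for the connection, and one flow key serves IPv4 and IPv6 addresses.

```python
"""Added illustration: a miniature stateful content-based packet classifier
(script -> compiler -> rule table -> staged engine with per-connection state).
Not the thesis's own code; rule syntax, state names and sample data are invented."""
import ipaddress
import re
from collections import namedtuple

# A minimal decoded packet. src/dst are address strings, IPv4 or IPv6.
Packet = namedtuple("Packet", "src dst proto sport dport payload")

# Hypothetical rule syntax (one rule per line):
#   rule <name> proto=<tcp|udp> dport=<n> state=<S> content=/<regex>/ next=<S'> action=<a>
# A rule fires only when the header fields, the connection's current state and the
# application-layer content all match; it then moves the connection to state <S'>.
RULE_RE = re.compile(
    r"rule\s+(?P<name>\w+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+"
    r"state=(?P<state>\w+)\s+content=/(?P<content>[^/]*)/\s+"
    r"next=(?P<next>\w+)\s+action=(?P<action>\w+)\s*$"
)

# Constructed sample script: an SMTP client must greet before it may send MAIL FROM.
SCRIPT = """
rule smtp_greet proto=tcp dport=25 state=NEW     content=/^(EHLO|HELO) / next=GREETED action=pass
rule smtp_mail  proto=tcp dport=25 state=GREETED content=/^MAIL FROM:/    next=MAIL    action=pass
rule smtp_early proto=tcp dport=25 state=NEW     content=/^MAIL FROM:/    next=NEW     action=drop
"""


def compile_script(script):
    """Compiler stage: parse script text into an ordered rule table."""
    table = []
    for line in script.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise SyntaxError(f"cannot parse rule: {line!r}")
        rule = m.groupdict()
        rule["dport"] = int(rule["dport"])
        rule["content"] = re.compile(rule["content"])  # compiled once, not per packet
        table.append(rule)
    return table


class Engine:
    """Classification engine: header stage, state stage, then content stage."""

    def __init__(self, rule_table):
        self.rules = rule_table
        self.flows = {}  # connection manager / state store: flow key -> state name

    @staticmethod
    def flow_key(pkt):
        # ipaddress.ip_address parses both IPv4 and IPv6 text, so a single key
        # format covers both address families.
        return (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst),
                pkt.proto, pkt.sport, pkt.dport)

    def classify(self, pkt):
        """Return (rule name, action); unseen connections start in state NEW."""
        key = self.flow_key(pkt)
        state = self.flows.get(key, "NEW")
        for rule in self.rules:
            # stage 1: header fields (cheap exact matches first)
            if rule["proto"] != pkt.proto or rule["dport"] != pkt.dport:
                continue
            # stage 2: protocol state of this connection
            if rule["state"] != state:
                continue
            # stage 3: application-layer content (most expensive, so done last)
            if rule["content"].search(pkt.payload) is None:
                continue
            self.flows[key] = rule["next"]  # state transition for this connection
            return rule["name"], rule["action"]
        return None, "default"


if __name__ == "__main__":
    eng = Engine(compile_script(SCRIPT))
    v6 = Packet("2001:db8::1", "2001:db8::2", "tcp", 40000, 25, "EHLO client")
    print(eng.classify(v6))                                      # smtp_greet / pass
    print(eng.classify(v6._replace(payload="MAIL FROM:<a@b>")))  # smtp_mail / pass
```

Rule order matters in this toy engine (first match wins), which is why the drop rule for an early MAIL FROM is listed last; a production classifier would use one of the algorithms surveyed in Chapter 2 instead of a linear scan over the rule table.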