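Contributor: 王勝德
Institution: National Taiwan University: Graduate Institute of Electrical Engineering
Author: 鄭名利 (Cheng, Ming-Li)
Record dates: 2010-07-01, 2018-07-06
Year: 2009
Identifier: U0001-1307200912182300
URL: http://ntur.lib.ntu.edu.tw//handle/246246/188048

Abstract (translated from the Chinese):
In the design of today's network equipment, an IP offload engine is necessary in a network intrusion detection system or an intrusion prevention system. For IP packet fragments received during transmission over a computer network, an IP packet reassembly unit provides high-speed, high-performance IP packet reassembly. Traditionally, IP fragments received from the media access control layer are reassembled by software into TCP packets. To meet current network traffic demands, such as several hundred million bits per second, a hardware IP packet reassembly unit is used to replace the traditional software handling of IP fragment reassembly. This thesis describes the design of an IP reassembly unit that can be implemented in hardware. The IP reassembly unit uses a synchronous timer to time each fragment group; the synchronous timer solves the memory occupancy problem. The IP reassembly unit uses a multi-table hash table to record the status information of each received fragment for each fragment being reassembled into the original packet. It solves the table lookup problem and achieves a balance of speed, memory size and cost in the system. We implemented the proposed hash-based IP packet reassembly unit on the Xilinx ML507 development platform and obtained a data-processing throughput of 320 million bits per second.

Abstract (English):
In modern network appliance designs, an IP offload engine is essential in a Network Intrusion Detection System (NIDS) or an Intrusion Prevention System (IPS). An IP packet reassembly module provides high-speed and efficient reassembly of IP fragments received at an intermediate station in a computer network. Traditionally, software reassembles the IP fragments received from the MAC layer into a TCP packet. To achieve multi-gigabit-per-second data rates, an IP packet reassembly hardware module takes over the task of reassembling IP fragments. This thesis addresses the design of a hardware implementation of an IP reassembly module. The IP reassembly module uses a synchronous timer to time each fragment group. The synchronous timer resolves the memory occupancy problem. The IP reassembly module is equipped with a hash table having a plurality of entries for maintaining status information for each received fragment and for each original packet being reassembled from the fragments. The proposed hash table accelerates searching and achieves a balance between speed, memory size and cost in the system.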
We implemented the proposed hash-based IP packet reassembly module on a Xilinx ML507 FPGA development platform and obtained an estimated throughput of 3.2 Gbps.

Table of contents:
Oral Examination Committee Certification
Acknowledgements
Abstract (Chinese)
Abstract
Contents
Tables
Figures
Chapter 1 Introduction
  1.1 Background
  1.2 Motivation
  1.3 Thesis Organization
Chapter 2 Related Work
  2.1 RFC:791
  2.2 RFC:815
  2.3 Patent
  2.4 Summary
Chapter 3 Design Concept
  3.1 Introduction of IPv4 Packet Header
  3.2 Header Checksum Validation
  3.3 Reassembly Flow Chart
  3.4 Bitmap
  3.5 Timer
  3.6 Improvement
Chapter 4 Implementations
  4.1 System Architecture Block Diagram
  4.2 TEMAC Retriever
  4.3 Packet Queue
  4.4 Header Parser
  4.5 Hash Function
  4.6 Reassembly Table
  4.7 Slots Entry Registers
  4.8 Synchronous Timer
  4.9 Bitmap Table
  4.10 Central Controller
  4.11 Processor Local Bus 4.6 Controller
  4.12 IP Reassembly Module
Chapter 5 Implementation Results
  5.1 FPGA Development Board
  5.2 System Architecture
  5.3 Function Verification
  5.4 Synthesis Result
  5.5 Performance Estimation
  5.6 Packet Drop Rate
Chapter 6 Conclusions and Future Work
  6.1 Conclusions
  6.2 Future Works
References

Tables:
Table 1 Port Description of IP Reassembly Module
Table 2 Main Components
Table 3 Experimental Environment
Table 4 Test Patterns
Table 5 Utilization of TEMAC Retriever
Table 6 Utilization of IP Reassembly Module
Table 7 Data Widths

Figures:
Figure 1 IPv4 Header
Figure 2 The Comparison of Traditional NIC and TOE Adapter
Figure 3 Hole Descriptor Illustration
Figure 4 A Schematic Block Diagram of Novel IP Reassembly Engine
Figure 5 A Flow Chart Illustrating a Process Used by the IP Reassembly Engine
Figure 6 Snapshot of Network Traffic Monitoring
Figure 7 Reassembly Flow Chart
Figure 8 False Reassembly Calculation Caused by the Teardrop
Figure 9 System Architecture Blocks Diagram
Figure 10 System with XPS_LL_FIFO connected to dual XPS_LL_TEMAC
Figure 11 Retriever Flow
Figure 12 The Interface of Retriever
Figure 13 Packet Queue Illustration
Figure 14 Header Parser Block Diagram
Figure 15 Reassembly Table
Figure 16 Slots Entry Registers
Figure 17 Synchronous Timer
Figure 18 Finite State Machine
Figure 19 IP Reassembly Module Block Diagram
Figure 20 Xilinx ML507 Development Platform
Figure 21 System Architecture
Figure 22 Fragment Series in the Network
Figure 23 The Percentage of Each Fragment Series
Figure 24 Network Packet Generator Processed Time
Figure 25 The System Utilization
Figure 26 The Frequency Comparison of Sequential and Hashing Approaches
Figure 27 The Performance Comparison of Sequential and Hashing Approaches
Figure 28 The Performance Comparison in PLB Limitation
Figure 29 The Packet Drop Rate of Hash Function Collision
Figure 30 System Packet Drop Rate at Timer = 1000 milliseconds
Figure 31 System Packet Drop Rate at Timer = 750 milliseconds
Figure 32 System Packet Drop Rate at Timer = 500 milliseconds

File size: 1859963 bytes
Format: application/pdf
Language: en-US
Keywords: NIDS (network intrusion detection system), IPS (intrusion prevention system), IP packet reassembly, hash, fragment, hardware, timer
Title: Design and Implementation of a Hardware Accelerated IP Layer Packet Reassembly Module (硬體加速網路協定層封包重組單元之設計與實作)
Type: thesis
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/188048/1/ntu-98-J96921003-1.pdf