CN101645906A - Realization method and system of computer network security communication - Google Patents


Info

Publication number: CN101645906A
Authority: CN (China)
Prior art keywords: data, computer network, security communication, network security, client
Legal status: Pending
Application number: CN200910173827A
Other languages: Chinese (zh)
Inventors: 周庆国, 金国军, 吕清泉, 白树伟, 张薇
Current assignee: Lanzhou University
Original assignee: Lanzhou University
Priority date / filing date: 2009-09-03
Publication date: 2010-02-10

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of computer network security communication, in particular to a realization method and a system for computer network security communication. The system adopted in the invention takes the Cell processor as the hardware system, takes the Power processing unit (PPU) in the Cell processor as the client, and takes each coprocessor unit (SPU) as a network server to realize the transmission of data packets. The client, an independent closed processor, acts as the requesting terminal of the network communication and requests network communication with another client; the network server performs performance monitoring and realizes functions such as performance monitoring, data transmission and device driving.

Description

Implementation method and system for computer network security communication
Technical field
The present invention relates to the field of computer network security communication; specifically, it is an implementation method and system for computer network security communication.
Background technology
The network is a crucial part of many safety-related highly available systems. As the range of application of distributed systems gradually expands, networks are used in these systems more and more widely. Most current multi-core technology, with respect to the determinism and reliability of the services it provides, adopts homogeneous multi-core general-purpose CPUs; since in such processors every device can access the processor during operation, it cannot fully satisfy the demands that network services place on isolation (isolation of computing resources at the hardware level) and determinism (predictability of the performance of the coprocessor providing network services, so that key services are not interfered with), and this also constitutes an unsafe factor in computer operation.
Summary of the invention
The invention provides a computer network security communication system that overcomes the deficiencies of the prior art and can provide reliable network transmission for highly available and safety-related systems, together with an implementation method for this system.
The system of the invention uses the Cell processor as the hardware system: the Power processor unit (PPU) in the Cell processor serves as the client, and each coprocessor unit (SPU) serves as the network server end that realizes packet transmission. The client, an independent closed processor, acts as the requesting end of the network communication and requests network communication with another client; it processes the monitoring information from the server end accordingly, while the network server end realizes functions such as performance monitoring, data transfer and device driving. The basic system architecture is shown in Figure 1.
Data transmission in the implementation method of the invention adopts a lock-free thread synchronization mechanism, preferably the CAS algorithm used in lock-free protocols.
Data transmission in the implementation method of computer network security communication of the invention adopts a priority-based buffer storage mechanism; the buffer has a combined linked-list structure composed of a structure array and a dynamic linked list.
In the implementation method of computer network security communication of the invention, the target to be monitored is determined by way of a contractual agreement.
The invention has the following advantages.
Because its hardware uses the Cell processor:
  • The local store (Local Store) of each coprocessor (SPU), with its associated 256K, allows critical tasks to execute independently.
  • Features such as the MFC, mailboxes, signals and the EIB strengthen data transmission and system synchronization.
  • The isolation mode strengthens the confidentiality and security of tasks.
  • The in-order execution characteristic (only a single thread runs on an SPU) strengthens task predictability.
All of these ensure the reliability of the system and the security of communication.
The software used in the invention has the following advantages:
  • It makes full use of the physical characteristic of the Cell, namely strong isolation, and selects algorithms with good real-time performance, to achieve secure network communication.
  • The communication model based on contractual agreement is adjusted dynamically to the specific user's request and can guarantee the reliability of communication.
  • The basic framework is transparent to users and devices, so the practical application area of this model is not restricted to any one industry.
Description of drawings
Figure 1 is a schematic diagram of the system architecture. Figure 2 is an implementation model. Figure 3 illustrates several situations that can occur in the FIFO data. Figure 4 is a structure chart of the priority-based buffer. Figure 5 is the system data flow graph.
Embodiment
The following is one embodiment of the invention.
Development platform:
Hardware: a PlayStation 3 (PS3), whose core is the Cell processor.
Software: Gentoo Linux as the operating system; Git as the version control software for managing documents; development languages: C and assembly.
The vim editor and the PowerPC-gcc cross-compiler.
Design idea:
One processor serves as the application layer, and another coprocessor serves as the server end. Considering the constraints of the PS3 hardware and the testing and debugging needs of the model, the system is not run on a real hardware device: instead, another coprocessor unit simulates the hardware device, that is, a coprocessor is designed as a hardware device that can send and receive data. Two FIFOs are used between the device driver module and the virtual device (fifo[1], fifo[2]). The application module uses fifo[0] when receiving data from the data processing module. There are thus three FIFOs.
Specific implementation:
1. Underlying device:
The main process at the bottom layer is as follows:
    while (1) {
        dev_init_info(argp, envp);   /* initialize the device */
        dev_read();                  /* take data from the driver's FIFO */
        dev_send();                  /* hand data back to the driver */
    }
dev_init_info: this performs the initialization of the device. It uses an array buf and writes buf into the memory of the server end with memcpy; we set buf[0] = 'a' and buf[DEVICE_RAM_SIZE-1] = 'b' to indicate that device initialization is finished and data can be read. It calls the function data_encode to perform the CRC check.
    /* compute the CRC over the last dsize bytes of a packet of nsize bytes
       and store it in the packet tail */
    static int data_encode(void *spack, int nsize, int dsize)
    {
        unsigned int crc;
        unsigned char *_data;
        int _size;
        _size = dsize;
        _data = (unsigned char *)spack + nsize - dsize;   /* start of the payload */
        prot_crc(_data, &crc, _size);
        ((nspu_pack_t *)spack)->tail.check = crc;
        return 0;
    }
The CRC (cyclic redundancy check) lets the receiver detect whether the data was altered unexpectedly during transmission because of some event. The CRC32 algorithm is used here: CRC32 produces a check value from the length and content of the data, and this value is stored in the nspu_elem_t structure. The algorithm does not limit the length of the data. Comparing the check value computed before transmission with the one computed after transmission reveals whether an error exists: if the check values are identical the transmission is correct and the system continues running; otherwise the system stops.
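The following added example (not code from the patent) shows the sender and receiver halves of the CRC32 check described above on a constructed packet layout: a header, a payload and a tail holding the check value, in the spirit of nspu_pack_t (the field names ex_head_t, ex_tail_t, ex_pack_t and the functions ex_crc32, ex_data_encode, ex_data_verify, ex_demo are assumptions). It also shows what a single-bit transmission error does to the verdict. One caveat for the reader: a CRC detects accidental corruption only; it is not encryption and gives no protection against deliberate modification, so where the description speaks of "encryption" it refers to this integrity step.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64

/* Constructed packet layout (assumption, not the patent's nspu_pack_t). */
typedef struct { uint32_t seq; uint32_t len; } ex_head_t;   /* header */
typedef struct { uint32_t check; } ex_tail_t;               /* CRC32 of payload */
typedef struct {
    ex_head_t head;
    unsigned char payload[PAYLOAD_MAX];
    ex_tail_t tail;
} ex_pack_t;

/* Standard reflected CRC32 (polynomial 0xEDB88320, as used by zlib/Ethernet).
   Bitwise form so the whole algorithm is visible; a table would be faster. */
static uint32_t ex_crc32(const unsigned char *data, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= data[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Sender side: compute the check over the payload and store it in the tail.
   Returns 0 on success, -1 if the header claims an impossible length. */
int ex_data_encode(ex_pack_t *p)
{
    if (p->head.len > PAYLOAD_MAX) return -1;
    p->tail.check = ex_crc32(p->payload, p->head.len);
    return 0;
}

/* Receiver side: 1 if the recomputed check matches the tail, 0 otherwise
   (the description stops the system on a mismatch). */
int ex_data_verify(const ex_pack_t *p)
{
    if (p->head.len > PAYLOAD_MAX) return 0;
    return ex_crc32(p->payload, p->head.len) == p->tail.check;
}

/* Build a packet from a constructed payload, verify it, flip one bit to
   simulate a transmission error, verify again. Returns 0 on success. */
int ex_demo(int *ok_before, int *ok_after)
{
    ex_pack_t p;
    const char *msg = "constructed sample payload";   /* constructed input */
    memset(&p, 0, sizeof p);
    p.head.seq = 1;
    p.head.len = (uint32_t)strlen(msg);
    memcpy(p.payload, msg, p.head.len);
    if (ex_data_encode(&p) != 0) return -1;
    *ok_before = ex_data_verify(&p);
    p.payload[3] ^= 0x01;                  /* single-bit error in flight */
    *ok_after = ex_data_verify(&p);
    return 0;
}

int main(void)
{
    int before = 0, after = 0;
    if (ex_demo(&before, &after) != 0) return 1;
    printf("check before corruption: %s\n", before ? "ok" : "mismatch");
    printf("check after corruption:  %s\n", after ? "ok" : "mismatch");
    return 0;
}
```

The known check value of CRC32 over the ASCII string "123456789" is 0xCBF43926, which is a convenient self-test for any CRC32 implementation.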
dev_read() calls spu_read to read data from fifo[1], then calls irq_dev_write().
dev_send() calls data_send() and irq_dev_active(); the former calls spu_write to write data into fifo[2].
When performing spu_read() and spu_write(), the position of the data in buf must be considered; see Figure 3.
Two variables, irq_dev and irq_dri, are used here to count the number of packets in the FIFO buffer and to notify the device, in the form of an interrupt, whether there is data about to be transmitted. When a packet needs to be transmitted, the driver part increments the value of irq_dri to notify the device. Because this variable is shared between the device and the driver, a latching mechanism must be used. Before reading data from the FIFO, the driver must first read the state of irq_dev in a latched manner to make sure that at least one packet is available for transmission; after the read is finished, it decrements the value in irq_dev, again using the latch. On the coprocessor, latching a memory area requires the two methods mfc_getllar and mfc_putllc. The code segment implementing the latch is as follows:
    do {
        /* load the line holding irq_dri and place a reservation on it */
        mfc_getllar(&tmp, netinfo->irq_dri_addr, 0, 0);
        status = spu_readch(MFC_RdAtomicStat);
        if (status == 4) {                 /* getllar completed */
            tmp[0]++;                      /* one more packet waiting */
            /* conditional store: only succeeds if the reservation still holds */
            mfc_putllc(&tmp, netinfo->irq_dri_addr, 0, 0);
            status = spu_readch(MFC_RdAtomicStat);
        }
    } while (status == 1);                 /* putllc lost the reservation: retry */
2. Monitoring module:
For the monitoring component, the content monitored may differ according to the application of the model. Our model realizes only the most basic monitoring work: monitoring the delay produced by the communication server in the data transmission phase. The maximum delay received from the application end is compared with the response time measured while the system runs, and abnormal situations are returned to the application end for further processing. In the model we use the decrementer to calculate the delay. When no data is transmitted within an acceptable time, the system issues a warning. Messages between the monitoring system and the application layer are transmitted using the mailbox mechanism.
    /* compare the measured delay with the contracted maximum and report
       the verdict to the PPU through the outbound interrupt mailbox */
    static void monitor(float data, float stand)
    {
        if (data > stand) {
            spu_writech(SPU_WrOutIntrMbox, 1);   /* contract violated */
        } else {
            spu_writech(SPU_WrOutIntrMbox, 0);   /* within contract */
        }
    }
3. Data processing module:
net_spu_pack_send() reads the data of the application layer. The application layer module writes data into the memory priority table through its own module. This function calls net_spu_pack_read to read data and, if the read succeeds, calls net_fsm_pack_send to send the data to the device.
net_spu_pack_read() reads data from the memory priority table in order of priority from high to low, one packet (that is, one data node) per read. After the read is finished, it calls net_spu_node_del() to delete this data node.
net_fsm_pack_send() calls net_fsm_protocol_encode to encrypt the data, then calls net_fsm_dev_send to carry out the data transmission. Before encryption, the size of the data must be adjusted: at this point the data no longer needs its priority field but needs a packet header, so the new size nsize is:
    dsize = size - sizeof(prio_elem_t);    /* drop the priority element */
    nsize = dsize + sizeof(nspu_pack_t);   /* add the packet header/tail */
net_fsm_protocol_encode calls prot_crc() to perform the CRC check (the encryption step referred to above). For the CRC, see the introduction in the underlying device section.
net_fsm_dev_send() calls spu_write to write the data into the device buffer, namely fifo[1]. spu_write is also introduced in the underlying device section.
After the service end accepts the application layer's data, it should correspondingly transmit data to the application layer end, namely by calling recv_start, which in turn calls net_fsm_dev_recv.
net_fsm_dev_recv() calls buf_read to read data from the device's buffer (fifo[2]); because the data in the device buffer is encrypted, it calls net_fsm_protocol_decode to decrypt it, then calls net_spu_pack_recv and spu_write in turn to write the data into the cache fifo[0] between the service end and the client, so that the client can read it.
During transmission, necessary information is also fed back to the system monitor; the concrete monitoring is done by the monitoring module.
    start = spu_readch(SPU_RdDec);                       /* decrementer before */
    net_spu_pack_send();
    end = spu_readch(SPU_RdDec);                         /* decrementer after */
    /* the decrementer counts down, so start - end is the elapsed ticks;
       scale to milliseconds and compare with the contract parameter */
    monitor(((float)(start - end)) / TIMEBASE * 1000, para);
4. Client:
The client provides an initialization function for the contractual agreement, contract_init(parameter). The contract content here is the maximum delay for sending data, represented as contract = parameter. At the server end, the actual data transmission delay is compared with the contract for monitoring.
During system initialization (net_spu_init), pthread_create is called to create the monitoring thread. In this thread, spe_signal_write is first called to write the contract content into the monitoring module through the signal notification contract; then an event handler is set up with spe_event_handler_create, and the information transmitted by the server end through the mailbox mechanism is handled accordingly.
……
    while (1) {
        /* libspe2: wait for up to 100 events with a 50 ms timeout */
        ret = spe_event_wait(evhandler, event, 100, 50);
        if (ret == -1) printf("Event wait error: %s\n", strerror(errno));
        else if (ret == 0) printf("No data available!\n");
        /* spin until the SPE has posted to its outbound interrupt mailbox */
        while (!spe_out_intr_mbox_status(sif->ctx));
        spe_out_intr_mbox_read(sif->ctx, mbox_data, 1, SPE_MBOX_ALL_BLOCKING);
        /* the monitor writes 1 when the measured delay exceeds the contract */
        if (*mbox_data != 0) printf("Contract violation!\n");
        /* the error message obtained could be processed accordingly; here we simply report it */
    }
……
Send: the function net_ppu_send(priority, data, size) carries out the transmission of data. In this function the priority, content and size of the data are kept in a ppu_send_info_t structure, then a send thread is created, and this thread calls net_pack_send() to send the data to the server SPU.
In net_pack_send, the data is stored in a new form: a value representing the data address and the size of the data are added in front of the data, which makes it convenient to search for and obtain the data; then net_ppu_pack_insert() puts it into the corresponding data queue according to the priority of the data.
net_spu_pack_insert adds data to the memory priority table. Before adding the data, the statement (new == NULL || prio < 0 || prio >= MAX_PRIO) checks that the data exists and the priority is valid, and then the data is enqueued. We use 32 priorities here, from 0 to the highest priority (31), with the priority as the index of a two-dimensional array. The concrete storage model is shown in Figure 4.
In net_spu_pack_insert:
……
    do {
        pre = priot[prio].addr;            /* head of the list for this priority */
        old_addr = pre;
        if (pre != 0) {
            /* walk to the tail node and record the size there */
            while (((prio_elem_t *)pre)->addr) pre = ((prio_elem_t *)pre)->addr;
            ((prio_elem_t *)pre)->size = size;
            p = ((prio_elem_t *)pre);
        } else {
            priot[prio].size = size;       /* empty list: use the array slot */
            p = &(priot[prio]);
        }
        if (old_addr != 0)
            while (((prio_elem_t *)old_addr)->addr) old_addr = ((prio_elem_t *)old_addr)->addr;
        new->addr = 0;
        new->size = 0;
        /* publish the new node with CAS; retry if p->addr changed meanwhile */
    } while (!CAS((unsigned long *)(&(p->addr)), old_addr, (unsigned long long)new));
……
Receive: net_ppu_recv() creates a receiving thread, which calls the function net_pack_recv(). This function calls net_fifo_read to read the data in the FIFO between the client and the server end.
net_fifo_read(*mem, size, net_fifo_t) reads data from the FIFO. The FIFO is stored in the form of a circular queue, so the following situations must be considered when reading:
First, the FIFO is empty. Otherwise, in the first case the data length to be read exceeds the data length available in the FIFO buffer; the measure taken is to stop the read and return an error message. In the second case, the length to be read is available within the contiguous memory starting at the output end of the FIFO. In the third case, the length to be read is available, but the data to be read is not contiguous (it wraps around the end of the buffer). For these situations, see Figure 3 in the description of the drawings.
……
    if (ff->buf_outp < ff->buf_inp) {
        /* data lies between outp and inp: one contiguous copy */
        memcpy(mem, (void *)ff->buf_outp, rsize);
        ff->buf_outp = ff->buf_outp + rsize;
    } else {
        if (ff->buf_outp + rsize < ff->buf_addr + ff->buf_size) {
            /* still fits before the end of the buffer */
            memcpy(mem, (void *)ff->buf_outp, rsize);
            ff->buf_outp = ff->buf_outp + rsize;
        } else {
            /* wraps: copy the tail of the buffer, then the rest from the start */
            dsize = ff->buf_addr + ff->buf_size - ff->buf_outp;
            memcpy(mem, (void *)ff->buf_outp, dsize);
            memcpy((unsigned char *)mem + dsize, (void *)ff->buf_addr, rsize - dsize);
            ff->buf_outp = ff->buf_addr + rsize - dsize;
        }
    }
……
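As an added example (not the patent's own net_fifo_read), the circular FIFO below implements all the read situations listed above in one place: an empty FIFO, a request larger than what is stored, a contiguous read, and a read that wraps around the end of the buffer. The type ex_fifo_t and the functions ex_fifo_init, ex_fifo_write, ex_fifo_read and ex_fifo_demo are assumptions; the buffer is deliberately small so the wrap-around case is easy to reach, and a byte count is kept alongside the two indices so that a full buffer and an empty one can be told apart.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EX_FIFO_SIZE 16   /* small on purpose: the wrap case is easy to hit */

typedef struct {
    unsigned char buf[EX_FIFO_SIZE];
    size_t inp;    /* write index */
    size_t outp;   /* read index */
    size_t count;  /* bytes stored; distinguishes full from empty */
} ex_fifo_t;

void ex_fifo_init(ex_fifo_t *f) { memset(f, 0, sizeof *f); }

/* Write n bytes. Returns 0 on success, -1 if there is not enough room. */
int ex_fifo_write(ex_fifo_t *f, const void *mem, size_t n)
{
    if (n > EX_FIFO_SIZE - f->count) return -1;
    size_t tail = EX_FIFO_SIZE - f->inp;           /* room before the end */
    if (n <= tail) {
        memcpy(f->buf + f->inp, mem, n);
    } else {                                       /* split across the wrap */
        memcpy(f->buf + f->inp, mem, tail);
        memcpy(f->buf, (const unsigned char *)mem + tail, n - tail);
    }
    f->inp = (f->inp + n) % EX_FIFO_SIZE;
    f->count += n;
    return 0;
}

/* Read rsize bytes into mem. Returns 0 on success; -1 when the FIFO is
   empty or holds fewer than rsize bytes (the read is refused, nothing is
   consumed). */
int ex_fifo_read(ex_fifo_t *f, void *mem, size_t rsize)
{
    if (f->count == 0) return -1;                  /* FIFO empty */
    if (rsize > f->count) return -1;               /* case 1: not enough data */
    size_t tail = EX_FIFO_SIZE - f->outp;
    if (rsize <= tail) {                           /* case 2: contiguous */
        memcpy(mem, f->buf + f->outp, rsize);
    } else {                                       /* case 3: wraps around */
        memcpy(mem, f->buf + f->outp, tail);
        memcpy((unsigned char *)mem + tail, f->buf, rsize - tail);
    }
    f->outp = (f->outp + rsize) % EX_FIFO_SIZE;
    f->count -= rsize;
    return 0;
}

/* Constructed scenario that forces the wrap-around read: fill 10, drain 10
   (outp = 10), write 12 (wraps at 16), read 12 across the wrap.
   Writes the 12 bytes plus a NUL into out; returns 0 on success. */
int ex_fifo_demo(char *out, size_t outsz)
{
    ex_fifo_t f;
    unsigned char scratch[10];
    if (outsz < 13) return -1;
    ex_fifo_init(&f);
    if (ex_fifo_write(&f, "0123456789", 10) != 0) return -1;
    if (ex_fifo_read(&f, scratch, 10) != 0) return -1;
    if (ex_fifo_write(&f, "ABCDEFGHIJKL", 12) != 0) return -1;
    if (ex_fifo_read(&f, out, 12) != 0) return -1;
    out[12] = '\0';
    return 0;
}

int main(void)
{
    char out[16];
    if (ex_fifo_demo(out, sizeof out) != 0) return 1;
    printf("read across wrap: %s\n", out);   /* expected ABCDEFGHIJKL */
    return 0;
}
```

Refusing a short read outright, rather than returning whatever is available, keeps packet boundaries intact: a caller that asked for one whole packet never receives half of it.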
To solve the synchronization problem between the application layer and the communication server end in data transmission, a non-blocking synchronization mechanism, the lock-free mechanism, is adopted for the insertion and deletion operations on data, and we choose the CAS (compare-and-swap) algorithm to realize it. By using a read-modify-write atomic operation in the memory read and write process, the value returned after the operation is either entirely the new value or the unmodified old value. The steps are: set a pointer to a 32-bit or 64-bit number; copy the content of the pointer into a variable used for comparison; produce a new value based on this comparison variable; use the CAS algorithm to compare the value at the pointer with the comparison variable, and if the two are equal, change the content of the pointer to the new value (this operation is atomic); if the previous step succeeded, exit, otherwise return to the first step and re-execute all the steps.
The CAS algorithm used in the communication server model is as follows:
    /* compare-and-swap on a 64-bit word using the PowerPC reservation
       instructions; returns 1 if *addr held oldp and was replaced by newp */
    static inline unsigned long CAS(unsigned long *addr, unsigned long oldp, unsigned long newp)
    {
        unsigned long prev;
        __asm__ __volatile__(
            "\n"
            "1:\n"
            "    ldarx   %0,0,%2\n"      /* load *addr and set a reservation */
            "    cmpd    0,%0,%3\n"      /* compare with oldp */
            "    bne-    2f\n"           /* differs: give up */
            "    stdcx.  %4,0,%2\n"      /* store newp if reservation still held */
            "    bne-    1b\n"           /* reservation lost: retry */
            "2:\n"
            : "=&r"(prev), "=m"(*addr)
            : "r"(addr), "r"(oldp), "r"(newp)
            : "cc", "memory");
        return (prev == oldp);
    }
The received data is processed accordingly; here we simply print it with printf.
When the contract terminates, the dev, fsm and mon threads are cancelled, then the contexts used by dev and fsm are released, and the handle created when the mon thread was created is destroyed.
Data flow path
When the client has data to transmit, the send thread calls net_pack_send to send it, and this function calls net_ppu_pack_insert to write the data into the memory priority table. Next, the server end sends the data. At the server end, net_spu_pack_send is responsible for the transmission: it first calls net_spu_pack_read to read data from the memory priority table between the server end and the application layer, then net_fsm_pack_send calls the encryption and device transmission functions in turn; the encrypted data is sent to the virtual device through main storage buffer 2 and can be displayed on the terminal.
The server end also passes the delay of the data transmission to the control module; the control module informs the application module in the form of a message notification, and the application module handles it accordingly.
The client receiving data is the opposite process. The client's receiving thread mainly reads data through net_pack_recv. net_pack_recv calls net_fifo_read to read FIFO buffer 1 between the application layer and the server (fifo[0]). Writing data into this buffer is done by the server end function recv_start. It first calls net_fsm_dev_recv, which uses buf_read to read data from FIFO buffer 3 between the device driver module and the virtual device (fifo[2]), then calls net_spu_pack_recv and spu_write to write the data into the cache fifo[0] between the service end and the client, so that the client can read it. The system data flow is shown in Figure 5.
Extension
The device driver module of one server end provides some necessary functions and communicates, through the network device, with the device driver module of another (or several other) server end(s), namely the situation described in Figure 2.

Claims (5)

1. An implementation method of computer network security communication, characterized in that the Cell processor is the hardware system, the Power processor unit (PPU) in the Cell processor is the client, and each coprocessor unit (SPU) is the network server end that realizes packet transmission, wherein the client, an independent closed processor, acts as the requesting end of the network communication and requests network communication with another client, and processes the monitoring information from the server end accordingly, while the network server end realizes functions such as performance monitoring, data transfer and device driving.
2. The implementation method of computer network security communication according to claim 1, characterized in that a lock-free thread synchronization mechanism is adopted in the transmission of data.
3. The implementation method of computer network security communication according to claim 2, characterized in that the CAS algorithm used in lock-free protocols is adopted.
4. The implementation method of computer network security communication according to claim 1, characterized in that the target to be monitored is determined by way of a contractual agreement.
5. The implementation method of computer network security communication according to any one of claims 1 to 4, characterized in that the transmission of data adopts a priority-based buffer storage mechanism, and the buffer has a combined linked-list structure composed of a structure array and a dynamic linked list.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910173827A CN101645906A (en) 2009-09-03 2009-09-03 Realization method and system of computer network security communication

Publications (1)

Publication Number Publication Date
CN101645906A true CN101645906A (en) 2010-02-10

Family

ID=41657626

Country Status (1)

Country Link
CN (1) CN101645906A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103428198A (en) * 2012-05-23 2013-12-04 佳能株式会社 Network device, system and method
US9560116B2 (en) 2012-05-23 2017-01-31 Canon Kabushiki Kaisha Network device, system, method, and storage medium
CN105099645A (en) * 2014-05-04 2015-11-25 北京卓越信通电子股份有限公司 Multi-user concurrent communication method and device based on half-duplex communication device
CN111431805A (en) * 2020-03-27 2020-07-17 上海天好信息技术股份有限公司 Internet of things multi-channel signal multiplexing synchronization strategy method


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100210