KR101644402B1 - Record size control method for high speed SSL packet processing and apparatus using the same - Google Patents


Info

Publication number
KR101644402B1
Authority
KR
South Korea
Prior art keywords
record
load
length
network device
packet
Prior art date
Application number
KR1020150185716A
Other languages
Korean (ko)
Inventor
문병주
장동호
이경헌
Original Assignee
주식회사 파이오링크
Application filed by 주식회사 파이오링크
Priority to KR1020150185716A
Application granted
Publication of KR101644402B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/24 Negotiation of communication capabilities
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L69/10 Streamlined, light-weight or high-speed protocols, e.g. express transfer protocol [XTP] or byte stream

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention suggests a method and a device for controlling a record length to process a high speed secure socket layer (SSL) capable of maximizing a packet processing performance of a network device by dynamically changing the record length of a packet according to the CPU load state, the number of sessions, transaction per second (TPS), a changing rate of connection per second (CPS) of the network device or content type of the packet. For this, the present invention relates to the method for controlling a record length according to a predetermined communications protocol in a network device, which comprises: (a) a step of allowing the network device to change the record length to produce a dynamic record by referring to a changing value regarding at least one among processor load, session load, the load of a reception terminal connected with a network, and load of the network between the network device and the reception terminal; and (b) a step of producing a packet including the dynamic record.

Description

[0001] The present invention relates to a method and apparatus for controlling a record length for high-speed SSL processing, and more particularly to a method and apparatus that dynamically increase or decrease the record length of a packet according to at least part of the load of a processor, the number of session connections, and the load of a terminal connected to the network device, and that dynamically increase the record length for packets requiring streaming transmission.

The amount of data transmitted over the Internet is increasing exponentially, and various kinds of information that require security, such as personal information and financial information, are also increasingly being transmitted through the Internet. Accordingly, a method of encrypting data for security of data transmitted over the Internet has been proposed. Currently, SSL (Secure Socket Layer) protocol is used as a standardized encrypted communication protocol.

The SSL protocol is one of the industry-standard protocols for securely sending and receiving data between a web browser and a server. When a session is established between a web browser and a server, the SSL protocol negotiates an encryption method and a key value, and the encrypted communication is then performed using that predefined encryption method and key value, so that a third party cannot read the contents of the data even if part of the traffic between the web browser and the server is leaked.

As described above, encrypting transmitted and received data is advantageous in terms of security, but from the viewpoint of traffic management it has the disadvantage that the added security overloads the network device. Without encryption, the network device analyzes a received packet and forwards it to its destination; since an encrypted packet can only be inspected after decryption, a decryption step has to be added before the packet can be delivered, and this step is directly related to the load on the network device.

On the other hand, Korean Patent Laid-Open No. 2011-0057125 proposes a load balancing method that reduces the network load by distributing the increased load over a plurality of distributed servers when the load applied to the network increases. Specifically, it discloses a method that lowers the load of the network device by switching additional sessions to a distributed server when the number of sessions of an encrypted security protocol (for example, SSL, IPSec, or PPTP) increases in the network device. However, that publication does not do much to improve the load-handling capability of the network device itself; it adds distributed servers as the network grows, so the number of distributed servers increases along with the network load. In addition, it does not address the various aspects of the network load, for example the load of a processor provided in the network device, the session load, the network load, and the load of a terminal connected to the network device.

It is an object of the present invention to provide a method and apparatus for controlling the record length for high-speed SSL processing in which the transmission state of a packet is optimized by increasing or decreasing the record size of the packet according to the load state of the network device, with reference to the TPS and CPS values per unit time (e.g., one second) of the network device and to the load state of the network device, for example the load state of a processor housed in the network device.

It is another object of the present invention to provide a method and apparatus for managing the record length of a packet for streaming transmission so as to increase the overall packet processing efficiency even when the time required to process a single packet increases.

According to an aspect of the present invention, there is provided a method for controlling a record length according to a predetermined communication protocol in a network device, the method comprising the steps of: (a) generating, by the network device, a dynamic record by varying the length of the record with reference to a variation value of at least one of a processor load, a session load, a load of a receiving terminal connected to the network, and a load of the network between the network device and the receiving terminal; and (b) generating a packet including the dynamic record.

According to another aspect of the present invention, there is provided a method for controlling the record length of a packet according to a predetermined communication protocol in a network device, the method comprising the steps of: (a) obtaining a packet; and (b) generating, by the network device, a packet by referring to content type information in the header of the packet and adjusting the length of the record according to the content type information.

According to another aspect of the present invention, there is provided a server for controlling the length of a record according to a predetermined communication protocol in a network device, the server comprising: a processor for generating a dynamic record by varying the length of the record with reference to a variation value of at least one of a processor load, a session load, a load of a receiving terminal, and a network load between the network device and the receiving terminal; and a communication unit for transmitting a packet including the dynamic record to the receiving terminal.

According to still another aspect of the present invention, there is provided a server for controlling the record length of a packet according to a predetermined communication protocol, the server comprising: a communication unit for obtaining a packet; and a processor for referring to content type information in the header of the packet and adjusting the length of the record according to the content type information to generate a packet.

According to the present invention, it is possible to maximize the packet processing performance of the network device by dynamically varying the record length of the packet in accordance with the CPU load state, the number of sessions, the TPS, the variation rate of the CPS, or the content type of the packet of the network device.

FIG. 1 is a conceptual diagram of a network device according to an embodiment of the present invention and a method for controlling a record length for high-speed SSL processing.
FIG. 2 shows a reference diagram for a process in which a packet is generated through a divided record in a network device.
FIG. 3 shows a conceptual diagram of a dynamic record.
FIG. 4 shows a reference diagram of a process of transmitting and receiving a packet including a dynamic record between a network device and a terminal according to an embodiment.

A terminal, as referred to herein, may be any device such as a computer, a server, or a smartphone that is networked with the network device of the present disclosure to send and receive packets. The present invention applies to any terminal capable of data communication with the network device and is not limited to these examples.

The network device referred to herein may be any of various devices, such as a server, a router, or a switch, capable of controlling the record layer protocol belonging to a security communication protocol (for example, the SSL protocol).

The communication protocol referred to herein means a communication protocol for performing secure communication with the present network device. The mainstream secure communication protocols of today, such as TLS (Transport Layer Security) and SSL (Secure Sockets Layer), in which a handshake protocol and a record layer protocol are defined, correspond to the communication protocol referred to herein. Any communication protocol that includes a handshake protocol and a record layer protocol, even one other than the TLS or SSL mentioned above, can be regarded as a communication protocol in the sense of this specification.

Hereinafter, the present invention will be described in detail with reference to the drawings.

FIG. 1 is a conceptual diagram of a network device and of a method for controlling a record length for high-speed SSL processing in the network device according to an embodiment of the present invention.

Referring to FIG. 1, a network device 100 according to an embodiment may include a communication unit 110 and a processor 120.

The communication unit 110 may forward a packet received from the outside to the processor 120, or forward a packet to be transmitted from the processor 120 to the external network to the Ethernet connector 101.

The processor 120 may include one or more cores; it encrypts data to be transmitted to the terminal, calculates a hash value for verifying the integrity of the encrypted data, and adds the hash value to the packet to be transmitted to the terminal.

In addition, the processor 120 may determine various load fluctuations to be described later, and may dynamically vary the length of a record according to a determination result to generate a dynamic record.

The load of the network device 100 can be broadly divided into the load imposed on the communication unit 110 and the load imposed on the processor 120. Various loads fall on the processor 120: the load of encrypting a record, the load of generating an integrity check value for the encrypted packet and adding it to the packet, the load of decrypting a received packet and verifying its hash value, the load of encrypting a packet to be transmitted and generating its hash value, the load of session management, and so on. In the present invention these loads are collectively defined as the load on the processor 120, expressed as a value from 0% to 100%, where 0% is the idle state and 100% is the full-load state.

According to an embodiment of the present invention, the various loads can be defined as follows.

1) the load of the processor housed in the network device 100,

2) the load due to the number of sessions connected in the network device 100,

3) the network load due to an increase in Transactions Per Second (TPS) or Connections Per Second (CPS) of the network device 100,

4) the load of the terminal connected to the network device 100, and

5) the network load between the network device and the terminal.

Here, the network load of item 5) is not a load on the network device 100 or on a terminal but a property of the network connecting them; it is usually expressed as the latency of packets transmitted between the network device 100 and the terminal.

The Transactions Per Second (TPS) of item 3) indicates the number of transactions that can be processed per second in the network device 100. As the number of transactions per second increases, the load of the network device 100 increases, and it decreases in the opposite case. The CPS (Connections Per Second) represents the number of Transmission Control Protocol (TCP) connections created by the network device 100 per unit time (for example, one second). An increase in the CPS value also increases the load on the network device 100, which in turn reduces the packet processing performance of the network device 100.

The latency mentioned in item 5) does not increase the load of the network device 100 itself. As the latency increases, data transmission and reception between the network device 100 and the terminal connected to it (e.g., a personal computer or server) becomes less smooth. The latency may grow because of line problems between the network device 100 and the terminal or for various other reasons. Latency between the network device 100 and the terminal results in a transmission delay of the packet, which degrades the packet transmission performance of the network; in the present invention this is also regarded as a load.

The load of the terminal mentioned in item 4) means a load by which the network quality varies depending on the state of the terminal, such as a personal computer, a notebook computer, or a portable terminal.

Even when the network device 100 according to the embodiment is in a good state and its load is low, if the terminal is overloaded, the network device 100 and the terminal cannot communicate smoothly. For example, if the CPU utilization of the terminal exceeds 90%, a delay may occur when the terminal transmits and receives packets, and when the memory utilization of the terminal approaches 100%, communication between the terminal and the network device 100 may become difficult. That is, the state of the terminal as well as that of the network device 100 needs to be considered for smooth network communication.

The network device 100 requests status information (e.g., CPU utilization or memory utilization) from the terminal while communicating with it, and dynamically increases or decreases the record length of the packets transmitted to the terminal accordingly.

When the load of the terminal (its CPU utilization or memory utilization; not shown) increases, the record length of the packets to be transmitted to the terminal is made longer so that the terminal can receive a long run of data at one time, which reduces the processing delay caused by handling many packets.

Here, when a packet is to be transmitted from the network device 100 to a terminal and the application data fits in a single packet, the dynamic record need not be applied to the packet. However, when the application data cannot be transmitted in a single packet, the application data is divided into a plurality of records, and each divided record is compressed and given an integrity check value (MAC: Message Authentication Code) to generate an encrypted record. This is described with reference to FIG. 2.

FIG. 2 shows a reference diagram for a process in which a packet is generated through divided records in the network device 100.

Referring to FIG. 2, when application data is to be transmitted from the network device 100 to the terminal, the network device 100 divides the application data into units of 16 KB (16,384 bytes) to generate divided data, compresses it, and then generates an integrity check value for the compressed divided data. The integrity check value can be calculated by a cryptographic function that takes as an input a key shared between the network device 100 and the terminal according to the embodiment; the network device 100 and the terminal hold the same key. When the network device 100 transmits a packet to the terminal, the terminal refers to the MAC value included in the packet to determine whether the data of the packet is correct.

The network device 100 compresses and encrypts each of the divided records; the integrity check value is normally computed with a hash function, and the encrypted divided data and the integrity check value are packed together to form a packet.

Here, the length of the divided record can be varied according to the conditions of the above-mentioned 1) to 5). This will be described with reference to FIG.

FIG. 3 shows a conceptual diagram of a dynamic record. Referring to FIG. 3, the processor 120 of the network device 100 divides application data into a plurality of records to form divided records.

Assuming that the communication protocol is the SSL protocol, when load is applied to the network device 100 under the conditions 1) to 5) described above, the length of the divided record may increase (R1). If the load applied to the network device 100 is small, the length of the divided record may decrease (R2). When the communication protocol is the SSL protocol, the length of the divided record can be increased or decreased within a maximum of 16 KB. When the record length is varied dynamically it does not grow indefinitely; it is increased or decreased within the maximum range defined by the communication protocol (for example, 16 KB in the SSL protocol).

In accordance with the above, the length of the record in a packet is dynamic. Hereinafter, the present invention will be described in detail for the case in which the length of a record increases or decreases according to the load of the network device 100.

When the network device 100 is overloaded, there is a risk that transmission latency occurs when a packet is transmitted from the network device 100 to the terminal, or that the performance of the network device 100 is reduced.

For example, if the processor 120 embedded in the network device 100 is in an overload condition (e.g., 80% utilization of the processor 120), it may be difficult for the processor 120 to send a plurality of packets to the terminal at one time. If the processor 120 transmits a large number of packets to the terminal while overloaded, the packets transmitted from the network device 100 to the terminal may suffer increased latency because of the processing delay of the processor 120.

In this case, the processor 120 may minimize the transmission delay by increasing the length of each packet and decreasing the total number of packets transmitted to the terminal. The Applicant notes this point and considers a method of reducing the number of packets transmitted from the network device 100 to the terminal by increasing the length of the record constituting a packet when an overload state occurs.

When the length of the record included in the packet increases, the length of the record of the packet transmitted to the terminal increases, and the longer the record, the more data the processor 120 encrypts and transmits to the terminal at once. Although the application data is still transmitted to the terminal in several transmissions, the longer record offsets the degradation of network quality caused by the processing delay of the overloaded processor 120, that is, the increase in latency, which is more advantageous than a packet with a fixed record length.

When the level that the processor 120 recognizes as overload is defined as a reference load, the reference load is preferably selected from the range of 50% to 100%. As an example, 80% can be set as the reference load for the processor. When the load of the processor 120 is 80% or more, the processor 120 can increase the length of the record, and the methods of increasing the length of the record are as follows.

1-1) If the load of the processor is larger than the reference load, set the record length to the maximum value specified by the communication protocol protocol.

1-2) When the load of the processor is larger than the reference load, the length of the record is determined by the load change ratio. For example:

1-2-1) Between the reference load (for example, 80%) and the full-load (100% load) for 20 intervals (100-80), define the record length for each interval.

1-2-2) Increase or decrease the length of the record with reference to the rate of increase or decrease of the load toward the full load (100% load) at the reference load (for example, 80%).

1-2-3) If the load of the processor 120 is between no-load (0%) and the reference load, the length of the record is reduced to the record length defined by intervals.

1-2-4) If the load of the processor 120 is between the no load (0%) and the reference load, the length of the record is reduced according to the reduction rate decreasing from 0% at the reference load.

Next, when the load is the number of sessions, the network device 100 defines a reference number of sessions and increases the length of the record when the number of sessions connected to the external network is larger than the reference number of sessions, and decreases it otherwise.

The network device 100 can increase or decrease the length of the record by referring to the increase / decrease rate of the number of reference sessions. For example, if the number of reference sessions is 100,000, and then the session formed in the network device 100 is 110,000, the length of the record may be increased by 10%.

Next, let us consider a case where the load is a network load relating to a Transaction Per Second (TPS) or a Connection Per Second (CPS).

The TPS represents the number of transactions that can be processed per second in the network device 100. When a terminal accesses a web source, it appears externally to access a single web source, but it actually accesses a number of partial sources contained in the web source, such as text, images and video, and each partial source triggers a transaction between the web source and the terminal. That is, one web source does not mean one transaction.

When the number of transactions the network device 100 can handle is 40,000 and the reference TPS is 30,000, a situation in which the network device 100 has to process a TPS value greater than the reference TPS can be judged as an overload of the network device 100. The network device 100 may then increase the length of the record to the maximum value (for example, 16 KB), or increase it with reference to the rate of increase of the TPS value.

CPS represents the number of TCP connections that the network device 100 creates per unit time (e.g., one second). An increase in the CPS value causes an overload in the network device 100. If the CPS that the network device 100 can process is 4,000 and the reference CPS is 3,000, the network device 100 increases the length of the record toward the maximum value (for example, 16 KB) with reference to the rate of increase of the CPS value, or decreases the length of the record with reference to the rate of decrease of the CPS value.

Next, let us examine the case where the load is a network load.

Even when neither the network device 100 nor the terminal is overloaded, an increase in latency between the network device 100 and the terminal deteriorates the network quality. The latency may increase if the line between the network device 100 and the terminal has aged or been damaged, or because of other network devices located between the network device 100 and the terminal. An increase in latency corresponds to a packet transmission delay, in that a packet transmitted from the network device 100 does not arrive at the receiving terminal on time.

In this case, the network device 100 may measure the latency to the terminal before transmitting the packet, and improve the network quality by increasing or decreasing the length of the record in the packet according to that latency.

For example, the network device 100 may define an interval from zero latency up to a reference latency (for example, 5 ms); while the measured latency lies within that interval, the record length is increased as the latency grows toward the reference, and once the latency reaches or exceeds the reference latency, the record length is set to the maximum value (for example, 16 KB) to form the dynamic record. Of course, the latency values given here are set arbitrarily for the purpose of explanation, and it goes without saying that they may be changed as needed.
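The load-to-record-length rules above (items 1-1 to 1-2-4 for processor load, the reference-session ratio, the reference TPS/CPS, and the reference latency) can be written down as one policy function. The following Python is an added example, not code from the patent or its assignee. The 1 KB minimum record length, the 4 KB length at exactly the reference point, the linear spacing of the per-interval lengths, and the choice to let the longest suggestion win when several monitoring units disagree are assumptions of this example, as are the constructed sample readings; only the 16 KB ceiling, the 80% reference load, the 5 ms reference latency and the session/TPS/CPS reference figures come from the page.

```python
"""Dynamic record-length policy for an SSL/TLS record layer (added example)."""

MAX_RECORD = 16 * 1024  # 16 KB ceiling of the SSL/TLS record layer (from the page)
MIN_RECORD = 1024       # assumed floor for a divided record (not in the page)
BASE_RECORD = 4096      # assumed record length at exactly the reference point


def clamp(length):
    """Keep the record inside the protocol limit and our assumed floor."""
    return max(MIN_RECORD, min(MAX_RECORD, int(length)))


def record_len_by_processor(load_pct, ref_pct=80):
    """Items 1-1 and 1-2: record length keyed on processor load.

    ref_pct..100 is cut into (100 - ref_pct) one-percent intervals (item 1-2-1),
    each assigned a length growing linearly from BASE_RECORD to MAX_RECORD
    (item 1-2-2); at full load the protocol maximum is used (item 1-1).
    Below the reference load the length shrinks from BASE_RECORD toward
    MIN_RECORD in proportion to the distance below ref_pct (items 1-2-3/1-2-4).
    """
    if not 0 < ref_pct < 100:
        raise ValueError("reference load must lie strictly between 0% and 100%")
    load_pct = max(0, min(100, load_pct))
    if load_pct >= 100:
        return MAX_RECORD
    if load_pct >= ref_pct:
        step = (MAX_RECORD - BASE_RECORD) / (100 - ref_pct)  # length per interval
        return clamp(BASE_RECORD + (load_pct - ref_pct) * step)
    reduction = (ref_pct - load_pct) / ref_pct  # 0 at the reference, 1 when idle
    return clamp(BASE_RECORD - reduction * (BASE_RECORD - MIN_RECORD))


def record_len_by_ratio(observed, reference):
    """Session / TPS / CPS rule: scale the record length by observed/reference,
    so 110,000 sessions against a reference of 100,000 lengthens it by 10%."""
    if reference <= 0:
        raise ValueError("reference value must be positive")
    return clamp(BASE_RECORD * (observed / reference))


def record_len_by_latency(latency_ms, ref_ms=5.0):
    """Latency rule: grow the record from BASE_RECORD toward MAX_RECORD as the
    measured latency climbs from 0 to the reference; at or above the reference
    use the maximum so that fewer packets have to cross the slow link."""
    if ref_ms <= 0:
        raise ValueError("reference latency must be positive")
    if latency_ms >= ref_ms:
        return MAX_RECORD
    fraction = max(0.0, latency_ms) / ref_ms
    return clamp(BASE_RECORD + fraction * (MAX_RECORD - BASE_RECORD))


def choose_record_len(metrics, refs):
    """Combine the readings of monitoring units 121-124 into one record length.

    Assumption of this example: the longest suggestion wins, because every
    rule lengthens the record under load and MAX_RECORD bounds the cost.
    """
    return max(
        record_len_by_processor(metrics["cpu_pct"], refs["P_REF"]),
        record_len_by_ratio(metrics["sessions"], refs["S_REF"]),
        record_len_by_ratio(metrics["cps"], refs["N_REF"]),
        record_len_by_latency(metrics["latency_ms"], refs["T_REF"]),
    )


# Constructed sample readings for the demo (not measurements from the page).
SAMPLE_REFS = {"P_REF": 80, "S_REF": 100_000, "N_REF": 3_000, "T_REF": 5.0}
SAMPLE_METRICS = {"cpu_pct": 85, "sessions": 110_000, "cps": 3_500, "latency_ms": 2.0}

if __name__ == "__main__":
    print("chosen record length:", choose_record_len(SAMPLE_METRICS, SAMPLE_REFS))
```

With the sample readings the latency rule dominates (2 ms of a 5 ms reference lifts the record to about 9 KB), while processor load alone would have chosen 7 KB; clamping every rule to the 16 KB limit is what keeps the "grow under load" behaviour from ever producing a record the peer's record layer must reject.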

The process of forming dynamic records by dynamically varying the record length according to the load variation in the network device 100 according to the embodiment has been described above. It should be understood that the dynamic records may be generated by the processor 120 embedded in the network device 100, in which case the foregoing steps are performed in the processor 120.

In addition, the communication unit 110 can receive a packet from the external network and transmit a packet including a dynamic record to the terminal. It should be understood that the communication unit 110 of the network device handles the packet when it receives a packet from the external network or transmits a packet including a dynamic record to the terminal.

Referring to FIG. 1, the processor 120 obtains load information on the load, or load factor, of the network device 100 through the processor monitoring unit 121, the session monitoring unit 122, the network load monitoring unit 123 and the terminal load monitoring unit 124.

The processor monitoring unit 121 monitors the load of the processor 120,

The session monitoring unit 122 monitors the number of sessions connected to the network device 100,

The network load monitoring unit 123 monitors the number of transactions and the number of TCP connections processed in the network device 100, and

The terminal load monitoring unit 124 monitors the latency value between the network device 100 and the terminal.

Also, P_REF, S_REF, N_REF and T_REF may correspond to the reference load, the reference number of sessions, the reference CPS (or reference TPS) and the reference latency, respectively.

These configurations 121 through 124 connected to the processor 120 may be implemented in hardware or in the form of a program. The diagnosis of the network device 100 may be carried out according to the following subclauses.

1-1) Processor 120 self-diagnoses,

1-2) Diagnose from an operating system (OS) running on the processor,

1-3) Diagnose by hardware separate from processor.

When the network device 100 is a server, it is easiest to diagnose the load of the processor by 1-1) or 1-2). In the case of a device other than a server, the load of the processor can be diagnosed by 1-3). Further, even when the network device 100 is a server, additional diagnostic hardware may be added to or installed in the server to diagnose the load of the processor. For example, monitoring hardware that watches the status of the processor may be installed on the main board to diagnose errors in the processor 120; hardware logic that controls the processor or the main board is already being commercialized. For example, main boards sold by Taiwan's Acer (http://www.asus.com) in 2015 include a TPU (Turbo Processing Unit) chip that monitors the voltage and signals between the processor and the graphics card, and an EPU (Energy Processing Unit) chip that controls the applied voltage according to the workload of the processor. The TPU and EPU chips are mounted on the same printed circuit board as the processor.

As described above, even if the network device 100 is a server, separate hardware can be used to diagnose an overload state of the processor 120 without depending on an operating system or a diagnostic program. In FIG. 1, the processor monitoring unit 121, the session monitoring unit 122, the network load monitoring unit 123 and the terminal load monitoring unit 124, which are provided to monitor the load arising in the network device 100, may be implemented in the form of a diagnostic program included in the operating system or as a separate diagnostic program running on the operating system, without being limited thereto.

FIG. 4 shows a reference diagram of a process of transmitting and receiving a packet including a dynamic record between the network device 100 and a terminal according to an embodiment.

Referring to FIG. 4, the network device 100 according to the embodiment compresses each dynamic record, generates an integrity check value (MAC) over it with a hash algorithm, and encrypts the result; the encrypted dynamic records are then collected into a packet and transmitted to the terminal through the communication unit 110.

Since the length of each packet transmitted from the network device 100 to the terminal depends on the load of the network device 100 at that moment, packet lengths are not uniform.

Next, the receiving side, i.e. the terminal, receives the packet including the dynamic record, decrypts it, and extracts the integrity check value (MAC) contained in the decrypted record. The terminal then computes its own integrity check value for the record and compares it with the MAC extracted from the decrypted record. If the two values are the same, the record is authenticated as reliable; otherwise the record is judged unreliable and the comparison is treated as an integrity authentication failure.
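The send and receive path just described (compress, MAC, encrypt on the network device; decrypt, recompute and compare the MAC on the terminal), as an added, runnable illustration that is not the patent's code. It keeps the SSL/TLS 1.2 record header layout (content type, version, length) and the 2^14-byte plaintext limit, but uses HMAC-SHA256 as the integrity check, an HMAC-SHA256 keystream as a stand-in for the negotiated cipher, and zlib as the compressor; the keys and the HTTP payload are constructed for the demonstration. Deployed TLS stacks disable record compression (CRIME) and TLS 1.3 replaces MAC-then-encrypt with AEAD, so only the framing and the verify-before-use rule carry over.

```python
"""MAC-then-encrypt record layer with a caller-chosen record length.

Added example; illustrative stand-in cipher, not a real TLS implementation.
"""
import hashlib
import hmac
import struct
import zlib

MAX_RECORD_LEN = 1 << 14              # 2^14: TLS record-layer plaintext fragment limit
CT_APPLICATION_DATA = 23
VERSION = 0x0303                      # TLS 1.2 on the wire
HDR = struct.Struct("!BHH")           # content type, version, ciphertext length
MAC_LEN = hashlib.sha256().digest_size


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 run in counter mode, keyed per record sequence number."""
    out, block = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!QI", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RecordLayer:
    """One direction of a compress / MAC / encrypt record layer with a sequence number."""

    def __init__(self, mac_key: bytes, enc_key: bytes) -> None:
        self.mac_key, self.enc_key = mac_key, enc_key
        self.send_seq = 0
        self.recv_seq = 0

    def _mac(self, seq: int, fragment: bytes) -> bytes:
        # Sequence number, type, version and length are authenticated with the fragment,
        # so a record cannot be replayed, reordered or truncated without the MAC failing.
        hdr = struct.pack("!QBHH", seq, CT_APPLICATION_DATA, VERSION, len(fragment))
        return hmac.new(self.mac_key, hdr + fragment, hashlib.sha256).digest()

    def seal(self, data: bytes, record_len: int) -> bytes:
        """Split data into records of at most record_len plaintext bytes (capped at the protocol maximum)."""
        record_len = max(1, min(record_len, MAX_RECORD_LEN))
        packet = bytearray()
        for i in range(0, len(data), record_len):
            fragment = zlib.compress(data[i:i + record_len])            # compress
            body = fragment + self._mac(self.send_seq, fragment)         # append MAC
            enc = _xor(body, _keystream(self.enc_key, self.send_seq, len(body)))  # encrypt
            packet += HDR.pack(CT_APPLICATION_DATA, VERSION, len(enc)) + enc
            self.send_seq += 1
        return bytes(packet)

    def open(self, packet: bytes) -> bytes:
        """Decrypt each record, verify its MAC, then decompress; raise ValueError on any failure."""
        pos, out = 0, bytearray()
        while pos < len(packet):
            if len(packet) - pos < HDR.size:
                raise ValueError("truncated record header")
            ctype, version, length = HDR.unpack_from(packet, pos)
            pos += HDR.size
            if ctype != CT_APPLICATION_DATA or version != VERSION:
                raise ValueError("unexpected record header")
            enc = packet[pos:pos + length]
            if len(enc) != length or length < MAC_LEN:
                raise ValueError("truncated record body")
            pos += length
            body = _xor(enc, _keystream(self.enc_key, self.recv_seq, length))
            fragment, received_mac = body[:-MAC_LEN], body[-MAC_LEN:]
            expected_mac = self._mac(self.recv_seq, fragment)
            # constant-time comparison: do not leak the position of the first mismatching byte
            if not hmac.compare_digest(received_mac, expected_mac):
                raise ValueError(f"integrity check failed on record {self.recv_seq}")
            out += zlib.decompress(fragment)      # only decompress data whose MAC verified
            self.recv_seq += 1
        return bytes(out)


def count_records(packet: bytes) -> int:
    """Number of records in a packet, read from the unencrypted record headers."""
    pos, n = 0, 0
    while pos < len(packet):
        _, _, length = HDR.unpack_from(packet, pos)
        pos += HDR.size + length
        n += 1
    return n


def demo() -> tuple:
    """Same payload under a large and a small record length, plus a tampered packet."""
    mac_key, enc_key = b"m" * 32, b"e" * 32                                  # constructed demo keys
    payload = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n" * 20      # constructed payload
    big = RecordLayer(mac_key, enc_key).seal(payload, 4000)
    small = RecordLayer(mac_key, enc_key).seal(payload, 128)
    assert RecordLayer(mac_key, enc_key).open(big) == payload
    assert RecordLayer(mac_key, enc_key).open(small) == payload
    tampered = bytearray(big)
    tampered[HDR.size + 3] ^= 0x01          # flip one ciphertext bit in the first record
    try:
        RecordLayer(mac_key, enc_key).open(bytes(tampered))
        rejected = False
    except ValueError:
        rejected = True
    return count_records(big), count_records(small), rejected
```

`demo()` sends the same 860-byte payload once as a single record and once as seven, which is the non-uniform packet length the description mentions, and shows that a one-bit change in the ciphertext is caught by the MAC comparison before anything is decompressed or handed to the application.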

In addition, the embodiments of the present invention described above can be implemented in the form of program instructions that can be executed through various computer components and recorded on a computer-readable recording medium. The computer-readable recording medium may contain program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the computer-readable recording medium may be those specially designed and constructed for the present invention or those known to and usable by those skilled in the computer software arts. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tape, optical recording media such as CD-ROMs and DVDs, magneto-optical media such as floptical disks, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM and flash memory. Examples of program instructions include machine language code such as that generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be configured to operate as one or more software modules for performing the processing according to the present invention, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments; on the contrary, those skilled in the art will appreciate that various modifications, additions and substitutions are possible without departing from the scope and spirit of the invention as set out in the accompanying claims.

Therefore, the spirit of the present invention should not be construed as being limited to the above-described embodiments; the following claims and all equivalents of the claims fall within the scope of the invention.

100: network device 110: communication unit
120: Processor 121: Processor monitoring unit
122: session monitoring unit 123: network load monitoring unit
124: terminal load monitoring unit

Claims (25)

1. A method for controlling a length of a record in a network device according to a predetermined communication protocol, comprising:
(a) generating a dynamic record by varying the length of the record with reference to a variation value of at least one of a processor load, a session load, and a load of a receiving terminal connected to the network; and
(b) generating a packet including the dynamic record,
wherein, in step (a), the network device:
(i) when the load on the processor is equal to or greater than a preset reference load, sets the length of the record to a maximum value defined by the communication protocol or increases the length of the record with reference to an increase rate from the reference load to full load, and, when the load of the processor is a value between no-load and the reference load, decreases the length of the record with reference to a rate of reduction of the load applied to the processor;
(ii) in the session load, when the number of sessions entering the network device is greater than or equal to a preset number of reference sessions, sets the length of the record to the maximum value defined by the communication protocol, and, when the number of sessions is a value between 0 and the reference number of sessions, decreases the length of the record with reference to a rate of decrease of the number of sessions; and
(iii) when the load of the receiving terminal is the latency of the receiving terminal and the latency is equal to or greater than a predetermined reference latency, sets the length of the record to the maximum value defined by the communication protocol, and, when the latency is equal to or less than the preset reference latency, decreases the length of the record with reference to the latency reduction rate with respect to the reference latency.

2. to 6. (deleted)

7. The method according to claim 1, wherein, in step (a), the network device generates the dynamic record by varying the length of the record with reference to a variation value for transactions per second (TPS) or connections per second (CPS) of the network device.

8. The method of claim 7, wherein, in step (a), when the TPS or the CPS is equal to or greater than a preset reference TPS or reference CPS, the length of the record is set to the maximum value defined by the communication protocol.

9. The method of claim 7, wherein, in step (a), when the TPS or the CPS is less than the preset reference TPS or reference CPS, the length of the record is decreased with reference to the reference TPS or the reference CPS.

10. to 11. (deleted)

12. A method for controlling a record length of a packet according to a predetermined communication protocol in a network apparatus, comprising:
(a) the network device acquiring a packet; and
(b) the network device referring to content type information in a header of the packet and adjusting the length of the record according to the content type information to generate a packet,
wherein step (b) comprises i) generating a dynamic record in which the length of the record is set to the maximum value defined by the communication protocol, and ii) generating a packet including the dynamic record, if the content type information requires streaming transmission.

13. (deleted)

14. A server for controlling a length of a record according to a predetermined communication protocol in a network device, comprising:
a processor for generating a dynamic record by varying the length of the record, for data to be transmitted, with reference to a variation value of at least one of a processor load, a session load, and a load of a receiving terminal connected to a network; and
a communication unit for transmitting a packet including the dynamic record to the receiving terminal,
wherein the processor:
(i) when the processor load is equal to or greater than a preset reference load, sets the length of the record to a maximum value defined by the communication protocol or increases the length of the record with reference to an increase rate from the reference load to full load, and, when the processor load is a value between no-load and the reference load, decreases the length of the record with reference to a reduction rate of the load applied to the processor;
(ii) in the session load, when the number of sessions entering the network device is greater than or equal to the preset number of reference sessions, sets the length of the record to the maximum value defined by the communication protocol, and, when the number of sessions is a value between 0 and the reference number of sessions, decreases the length of the record with reference to a rate of decrease of the number of sessions; and
(iii) when the load of the receiving terminal is the latency of the receiving terminal and the latency is equal to or greater than a predetermined reference latency, sets the length of the record to the maximum value defined by the communication protocol, and, when the latency is equal to or less than the preset reference latency, decreases the length of the record with reference to the latency reduction rate with respect to the reference latency.

15. to 19. (deleted)

20. The server of claim 14, wherein the processor generates the dynamic record by varying the length of the record with reference to a variation value for transactions per second (TPS) or connections per second (CPS).

21. The server of claim 20, wherein the processor sets the length of the record to the maximum value defined by the communication protocol when the TPS or the CPS is equal to or greater than a preset reference TPS or reference CPS.

22. The server of claim 20, wherein, when the TPS or the CPS is smaller than the predetermined reference TPS or reference CPS, the length of the dynamic record is decreased with reference to the reduction rate relative to the reference TPS or the reference CPS.

23. to 24. (deleted)

25. A server for controlling a record length of a packet according to a predetermined communication protocol, comprising:
a communication unit for acquiring a packet; and
a processor for referring to content type information in the header of the packet and adjusting the length of the record according to the content type information to generate a packet,
wherein the processor i) generates a dynamic record in which the length of the record is set to the maximum value defined by the communication protocol, and ii) generates a packet including the dynamic record, if the content type information requires streaming transmission.
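The length-control rules of claims 1, 7 to 9, 12, 14 and 20 to 25 written out as one runnable policy, added here as an illustration rather than the patentee's implementation. The thresholds (reference load 0.5, 5000 sessions, 100 ms, 2000 TPS), the 512-byte floor and the 4096-byte length at the reference point are assumed numbers; the claims only give the shape of each rule (saturate at the protocol maximum above the reference, or ramp toward it at full load, and shrink in proportion below it). Combining the per-metric results by taking the largest is also this example's choice, since the claims say the length is varied with reference to at least one of the metrics without fixing how several are combined.

```python
"""Load-driven record length selection (added example, not the patent's code)."""
from dataclasses import dataclass

MAX_RECORD_LEN = 1 << 14   # 2^14: maximum plaintext fragment defined by the TLS record layer
MIN_RECORD_LEN = 512       # assumed floor below which a record is not worth its per-record overhead


@dataclass(frozen=True)
class Policy:
    reference: float           # reference load / session count / latency / TPS from the claims
    full: float                # value treated as "full load" when ramping (claim 1(i))
    reference_len: int = 4096  # assumed record length at exactly the reference point
    saturate: bool = False     # True: jump to the maximum at the reference (claims 1(ii), 1(iii), 8, 21)

    def record_length(self, value: float) -> int:
        v = max(0.0, value)
        if v >= self.reference:
            if self.saturate or self.full <= self.reference:
                return MAX_RECORD_LEN
            # ramp from the reference-point length toward the protocol maximum at full load
            frac = min(1.0, (v - self.reference) / (self.full - self.reference))
            return int(self.reference_len + (MAX_RECORD_LEN - self.reference_len) * frac)
        # between no-load and the reference: shrink in proportion to the shortfall
        frac = v / self.reference
        return max(MIN_RECORD_LEN, int(MIN_RECORD_LEN + (self.reference_len - MIN_RECORD_LEN) * frac))


# assumed thresholds; the claims name the metrics but not the values
CPU = Policy(reference=0.5, full=1.0)                          # processor load as a fraction, ramped
SESSIONS = Policy(reference=5000, full=5000, saturate=True)    # concurrent sessions entering the device
LATENCY_MS = Policy(reference=100.0, full=100.0, saturate=True)  # receiving terminal latency
TPS = Policy(reference=2000, full=2000, saturate=True)         # transactions (or connections) per second


def choose_record_length(cpu_load: float, sessions: int, latency_ms: float,
                         tps: float, streaming: bool = False) -> int:
    """Pick the record length for the next packet from the current load metrics."""
    if streaming:
        return MAX_RECORD_LEN    # claims 12 and 25: streaming content always gets the largest record
    candidates = (
        CPU.record_length(cpu_load),
        SESSIONS.record_length(sessions),
        LATENCY_MS.record_length(latency_ms),
        TPS.record_length(tps),
    )
    # combination rule assumed here: whichever metric is most loaded wins, so a busy
    # device amortises per-record MAC and cipher cost over larger records
    return max(candidates)
```

Under this policy an idle device with a fast terminal sends small records, which keeps per-record latency low, while CPU saturation, a session flood, a slow terminal or a TPS spike each push the length to the protocol maximum so fewer records (and fewer MAC and cipher operations) are needed per byte.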
Priority Applications (1)

Application Number	Priority Date	Filing Date	Title
KR1020150185716A (KR101644402B1)	2015-12-24	2015-12-24	Record size control method for high speed SSL packet processing and apparatus using the same


Publications (1)

Publication Number Publication Date
KR101644402B1 true KR101644402B1 (en) 2016-08-01

Family

ID=56707025


Country Status (1)

Country Link
KR (1) KR101644402B1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20030031668A (en) * 2001-10-15 2003-04-23 LG Electronics Inc. Network traffic control method in VoIP
KR20080024972A (en) * 2006-09-13 2008-03-19 Broadcom Corporation Adaptive packet modification for voice over packet networks
KR20100138713A (en) * 2009-06-24 2010-12-31 Electronics and Telecommunications Research Institute (ETRI) Apparatus and method for creating variable MPEG-2 transport packet
KR20140139406A (en) * 2013-05-27 2014-12-05 Electronics and Telecommunications Research Institute (ETRI) Randomization of packet size



Legal Events

Date Code Title Description
E701	Decision to grant or registration of patent right
GRNT	Written decision to grant
FPAY	Annual fee payment	Payment date: 2019-07-25; year of fee payment: 4