CN106534168A - TCPIP protocol stack safety processing system based on FPGA - Google Patents
- Publication number: CN106534168A (application CN201611111457.5A)
- Authority: CN (China)
- Prior art keywords: frame, tcp, cpu, superframe, frames
- Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
Abstract
The invention discloses a TCP/IP protocol stack security processing system based on FPGA, which comprises a TCP/IP protocol stack modification scheme, an FPGA implementation scheme and a specific system workflow. The invention is suitable not only for FPGA but also for ASIC; it lets a single chip realize the TCP/IP protocol stack and reduces the hardware cost of network devices that do not need large-scale data transmission. A layer of security protocol is added to make up for the potential safety hazard of the TCP protocol, and the flexibility of security control is ensured by means of an internal security control unit. The external interface is simple and can be conveniently expanded into various bus interfaces.
Description
Technical field
The present invention relates to a security processing system, and more particularly to a TCP/IP protocol stack security processing system based on an FPGA (Field-Programmable Gate Array).
Background technology
Currently, more and more traditional equipment is being fitted with network communication functions; in particular, the gradual popularization of the smart home in recent years means that almost all household appliances can be connected together over the Internet to achieve automation and intelligence. However, the traditional TCP/IP protocol used for network communication is processed by operating-system software, which imposes a heavy overhead on the CPU, and TCP/IP has no control mechanism that supports authentication of the source address, which leaves hidden dangers for network security. The continuous development of Internet of Things and big data technology places high demands on network communication for both speed and security.
The TOE (TCP Offload Engine) technology currently under development relieves CPU pressure and improves the processing speed of network packets, but the technology is not yet mature: the published documents are mostly similar to one another, their operability is low, and they cannot solve the security problem. A concrete comparison is given in Part IX of this document, where the TOE network card structure of retrieval result 3 is shown in Figure 1. It can be seen that realizing a complete TCP/IP protocol stack in hardware has its technical difficulties. However, many devices today are not backbone servers, or even computers; they are only fairly simple network devices that need to exchange small amounts of data over the existing network and do not need a complete protocol stack. They require the network communication module to use as few hardware resources as possible, and some of them, such as access control systems, also have very high requirements for data security. How to simplify the protocol stack, realize it easily in hardware, and at the same time take secure communication requirements into account is the problem the present invention solves.
The content of the invention
The technical problem to be solved by the present invention is to provide a TCP/IP protocol stack security processing system based on FPGA which is applicable not only to FPGA but also to ASIC, allows a single chip to realize the TCP/IP protocol stack, and reduces the hardware cost of network devices that do not need to transmit data on a large scale; a layer of security protocol is added to compensate for the hidden security dangers of the TCP protocol, and the flexibility of security control is ensured by means of an internal security control unit; the external interface is simple and can be conveniently extended to various types of bus interface.
The present invention solves the above technical problem by the following technical scheme: a TCP/IP protocol stack security processing system based on FPGA, characterized in that it includes a modification scheme of the TCP/IP protocol stack, an implementation scheme of the FPGA, and a specific workflow of the system;
The modification scheme of the TCP/IP protocol stack includes a simplification scheme and a security scheme;
The implementation scheme of the FPGA includes:
Network protocol resolution unit: its main function is to parse the network protocols. The unit is controlled by the CPU; it selectively extracts information such as the MAC address, VLAN number, IP address and TCP port number, then selectively performs a matching query against the security table, and finally caches the parsed result in a specific format;
Superframe processing unit: the data path is divided into an upload path and a download path. The upload path reads the data part of a received frame according to the receive descriptor; if the received Ethernet frame is the beginning of a superframe, the data part of that frame necessarily contains the superframe header and the instruction field, the header field must undergo the watermark security check, and the instruction field must be replaced with a specific instruction or process marker according to the situation; the data parts of several Ethernet frames are spliced into one superframe according to the header information. In the download path, the hardware parses the instruction field and notifies the CPU to carry out the corresponding operation, for example actively initiating a TCP handshake or an ARP broadcast, writes the security code calculated by the CPU into the watermark field, decomposes the superframe into several Ethernet frames according to the header information, and generates transmit descriptors. The interface between this module and the outside is very simple, with only three types of port (request, response and data), so that the whole system appears to the outside just like a memory and can be conveniently extended to various types of bus interface;
Security control unit: this module is the storage and management unit for the watermark function and the security table. It leaves an external interface in order to increase flexibility and security; in addition, this module also supports external configuration of the IP and MAC addresses;
Frame header generator: its main function is to store the TCP/IP protocol headers of the frames to be sent; the headers are set up directly by the CPU and combined with the transmit data cache to obtain a complete Ethernet frame;
Receive DMA module: filters Ethernet frames according to IP address, checks the IP protocol checksum, generates receive frame descriptors, transfers received Ethernet frames into the receive frame cache, and optionally filters by VLAN number;
Transmit DMA module: merges the data in the transmit data cache with the frame header from the frame header generator, calculates the checksums of the ARP, IP, ICMP and TCP protocols respectively, forms a normal Ethernet frame and passes it to the MAC controller for transmission. Because response frames and some special frames have a fixed format, the module generates response frames and special frames directly according to the transmit descriptor, without software participation;
Upload DMA module: the descriptor is provided by the CPU; Ethernet frames are selectively uploaded, and during upload the frame header part and some meaningless frames are discarded, which makes constructing a superframe convenient;
Download DMA module: the descriptor is provided by the CPU; superframes are selectively downloaded, and here a superframe is read in segments and decomposed into multiple Ethernet frames;
Embedded CPU module: mainly responsible for configuring and managing the registers of each module; it polls the modules in the order in which the receive data path and the transmit data path pass through them and carries out the corresponding operations. It also needs to create the headers of the frames to be sent, calculate the watermark, maintain the receive descriptors and transmit descriptors, maintain the receive frame cache and transmit data cache, and provide the data transmission strategy;
Bus interface or other function module: for connecting the components;
Transmit data cache module: for storing the data to be sent by the system;
Receive data cache module: for storing the data received by the system;
MAC controller: for controlling media access;
On-chip program memory: for storing program data;
Bus management unit: for transmitting information between the functional parts;
On-chip data memory: for storing data;
PHY module: for connecting to external signals.
Preferably, the specific workflow of the system includes an initialization process, an uplink process and a downlink process.
Preferably, the initialization process includes the following steps:
Step 1, configure the MAC address and IP address;
Step 2, check the standby state of the watermark generating function and the security table, and initialize the corresponding registers of each module;
Step 3, the CPU generates the ARP broadcast frame descriptor and frame header and hands them to the transmit DMA to send the ARP broadcast frame.
Preferably, the uplink process includes the following steps:
Step 11, an Ethernet frame enters the MAC controller through the PHY; the MAC controller performs MAC address filtering and data-link-layer checksum inspection on the Ethernet frame (broadcast frames are not filtered, likewise below), then go to step 12;
Step 12, the frame passes through the receive DMA, where IP address filtering and VLAN number filtering are performed and the IP protocol checksum of the Ethernet frame is checked; if the inspection fails go to step 11, otherwise the receive DMA generates a receive frame descriptor and go to step 13;
Step 13, the network protocol resolution unit performs protocol analysis and notifies the CPU of the result; if the frame is found to be an ARP frame or ICMP frame go to step 14, if it is found to be a TCP frame go to step 15;
Step 14, the network protocol resolution unit judges whether a response is needed; if no response is needed, the CPU completes the related operations such as updating the ARP table and then directly discards the frame; otherwise the CPU generates a response frame descriptor and sets up the response frame header, then go to step 16;
Step 15, the CPU filters by ID number and TCP port number according to the security table, modifies the receive descriptors of the TCP frames carrying data and hands them to the upload DMA, then uploads the several Ethernet frames into the superframe processing unit to construct a superframe, and goes to step 17; at the same time it sets up the TCP acknowledgement frame and its descriptor and goes to step 16;
Step 16, the transmit DMA distinguishes the protocol according to the descriptor, constructs the acknowledgement frame or special frame of the respective protocol, reads the frame header from the frame header generator, then automatically generates the response data part for the respective protocol and calculates that protocol's checksum, then go to step 18;
Step 17, the superframe processing unit analyses the superframe header, takes out the watermark field and hands it to the CPU for authentication; a superframe that fails authentication is discarded directly, otherwise it is uploaded. This step also analyses the instruction field: if the instruction requests termination of the TCP connection, or a TCP FIN frame has been received, the CPU must set up the descriptors of the frames involved in the TCP disconnection process and then go to step 16; otherwise repeat this step;
Step 18, the MAC controller sends the acknowledgement frame or FIN frame through the PHY; repeat steps 11 to 17.
Preferably, the downlink process includes the following steps:
Step 21, the superframe processing unit reads the instruction field of the superframe; if the instruction field requests sending an ARP broadcast frame go to step 22, if it requests establishing a TCP connection go to step 23, if it requests modifying the IP address or MAC address go to step 24, and in the remaining cases go to step 25;
Step 22, the CPU constructs the transmit descriptor and frame header of the ARP broadcast frame and hands them to the transmit DMA for framing and transmission through the MAC controller, then go to step 21;
Step 23, the CPU constructs the TCP request frame descriptor and frame header and hands them to the transmit DMA for framing and transmission, after which the CPU coordinates the relevant modules to perform the TCP three-way handshake; if the handshake succeeds go to step 25, otherwise go to step 26;
Step 24, the CPU configures the relevant registers of the MAC controller and the receive DMA respectively, thereby changing the MAC address and IP address, then go to step 21;
Step 25, the superframe processing unit parses the superframe header, decomposes the superframe into several Ethernet frames, passes them to the transmit data cache through the download DMA and at the same time generates transmit descriptors; according to these descriptors the CPU generates the headers of the Ethernet frames in the frame header generator; the transmit DMA merges the frame header from the frame header generator with the data in the transmit data cache into a complete Ethernet frame and hands it to the MAC controller for transmission. Each time a TCP frame is sent, the return of an ACK frame must be awaited; if the ACK frame returns within the stipulated time go to step 27, otherwise go to step 28;
Step 26, the handshake has failed; repeat the handshake operation three times, after which the whole superframe is discarded, then go to step 21;
Step 27, for the returned ACK frame, the ID number and the secondary watermark must be authenticated; if they pass, continue to repeat steps 21 to 25, otherwise go to step 28; this continues until the instruction field requests sending a FIN frame, whereupon the CPU coordinates the relevant modules to complete the TCP disconnection operation and thus terminate this TCP connection, then go to step 21;
Step 28, after three retransmission operations, if an ACK frame is received go to step 27, otherwise actively initiate the TCP disconnection operation and repeat steps 21 to 27.
The positive effects of the present invention are: the present invention is applicable not only to FPGA but also to ASIC, allows a single chip to realize the TCP/IP protocol stack, and reduces the hardware cost of network devices that do not need to transmit large amounts of data; a layer of security protocol is added, making up for the hidden security dangers of the TCP protocol, and the flexibility of security control is ensured by means of the internal security control unit; the external interface is simple and is conveniently extended to various types of bus interface.
Description of the drawings
Figure 1 is the overall architecture diagram of an existing TOE network card.
Figure 2 is the security protocol construction diagram of the TCP/IP protocol stack security processing system based on FPGA of the present invention.
Figure 3 is the overall system architecture diagram of the TCP/IP protocol stack security processing system based on FPGA of the present invention.
Figure 4 is the block diagram of the network protocol resolution unit in the present invention.
Figure 5 is the block diagram of the superframe processing unit in the present invention.
Specific embodiment
Preferred embodiments of the present invention are given below in conjunction with the accompanying drawings to describe the technical scheme in detail.
The invention discloses a TCP/IP (Transmission Control Protocol/Internet Protocol) protocol stack security processing system based on FPGA (Field-Programmable Gate Array), which includes a modification scheme of the TCP/IP protocol stack, an implementation scheme of the FPGA, and a specific workflow of the system.
The modification scheme of the TCP/IP protocol stack includes a simplification scheme and a security scheme, wherein:
The specific content of the simplification scheme is as follows:
1.1) The protocols included in the protocol stack are only ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol), IP (Internet Protocol), TCP (Transmission Control Protocol) and a self-defined security protocol; although each protocol may be simplified, the framing formats below the application layer still strictly follow the formats prescribed by the existing TCP/IP protocols;
1.2) No complex ARP table is constructed, and the ICMP protocol only implements PING (Packet Internet Groper);
1.3) Configuring the IP address, MAC (Media Access Control) address and VLAN (Virtual Local Area Network) number is allowed, but complex VLANs cannot be constructed;
1.4) The TCP protocol is fully simplified: a large number of TCP connections is not supported, and the window mechanism is abandoned; the receiver returns an ACK (acknowledgement) for every frame it receives, and the sender waits for the ACK after each frame before sending the next frame. Although this sacrifices transmission efficiency, it effectively avoids the out-of-order problem and guarantees reliable transmission. Once a TCP connection is established, the number of retransmissions per frame is fixed at three, and after three the TCP connection is disconnected;
The specific content of the security scheme is as follows:
2.1) On top of the TCP protocol, the data carried by several Ethernet frames is spliced into a superframe of fixed maximum size, thereby constructing a layer of security protocol; the data structure of the superframe is shown in Figure 2. At the same time, the ACK frames during TCP transmission differ from ordinary ACK frames: these ACK frames carry security information, in the form shown in Figure 2;
2.2) The instruction field in the superframe refers to an operation instruction or process marker. It gives specific operation instructions, such as establishing a TCP connection, configuring the MAC address and IP address, or retransmitting the superframe with a particular number, or some specific process markers used to identify the flow of the current data transmission;
2.3) The security mechanism is realized by ID (identity) numbers and watermarks. A security ID table is constructed, which securely binds the ID number to the IP address, MAC address and TCP port number and restricts communication to specific IDs. The watermark is a security code calculated by a special algorithm over all the data of the whole superframe; only after verifying the watermark correctly does the receiver regard the data carried by the superframe as genuine and reliable. The secondary watermark is another security code obtained from the watermark field by a special algorithm and is used to authenticate the ACK frames.
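The superframe layer of the security scheme (items 2.1 to 2.3 above), modelled in Python as an added example; it is not the patent's own code or hardware. The patent does not specify the superframe header layout, the maximum sizes, the instruction codes or the "special algorithm" behind the watermark, so all of those are assumptions here: the header is an assumed (ID, instruction, reserved, length, watermark) layout, the watermark is HMAC-SHA256 truncated to 16 bytes over every other header field plus the payload, and the secondary watermark is a second HMAC over the watermark field. The example shows the download path splitting a superframe into Ethernet-frame data parts, the upload path splicing them back and discarding the superframe when the watermark, length or key does not match, and the ACK check that authenticates the returned secondary watermark.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Sizes are assumptions: the patent fixes a maximum superframe size and an
# Ethernet-frame data part but gives no numbers.
FRAME_DATA_MAX = 1400                 # data bytes carried per Ethernet frame (assumed)
SUPERFRAME_MAX = 8 * FRAME_DATA_MAX   # fixed maximum superframe size (assumed)
WATERMARK_LEN = 16

# Instruction-field codes are placeholders; the patent names the operations, not the values.
INSTR_DATA = 0x00        # plain data transfer / process marker
INSTR_SEND_ARP = 0x01    # request an ARP broadcast
INSTR_OPEN_TCP = 0x02    # request a TCP connection (three-way handshake)
INSTR_SET_ADDR = 0x03    # modify IP / MAC address
INSTR_SEND_FIN = 0x04    # terminate the TCP connection

# Assumed header layout: node ID, instruction, reserved, payload length, watermark.
HEADER_FMT = "!HBBH16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 22 bytes
_COVERED_FMT = "!HBBH"                     # header fields protected by the watermark


def watermark(key: bytes, node_id: int, instr: int, payload: bytes) -> bytes:
    """Security code over all data of the whole superframe.

    The patent leaves the watermark algorithm unspecified; HMAC-SHA256 truncated to
    WATERMARK_LEN bytes stands in for it. Every header field except the watermark
    itself, plus the payload, is covered."""
    covered = struct.pack(_COVERED_FMT, node_id, instr, 0, len(payload)) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:WATERMARK_LEN]


def secondary_watermark(key: bytes, wm: bytes) -> bytes:
    """Second security code derived from the watermark field; carried in the ACK frame
    so the sender can tell a genuine ACK from a forged or replayed one."""
    return hmac.new(key, b"ack|" + wm, hashlib.sha256).digest()[:WATERMARK_LEN]


def build_superframe(key: bytes, node_id: int, instr: int, payload: bytes) -> bytes:
    """CPU side: assemble header + payload, writing the computed security code into the watermark field."""
    if len(payload) > SUPERFRAME_MAX - HEADER_LEN:
        raise ValueError("payload exceeds the fixed maximum superframe size")
    wm = watermark(key, node_id, instr, payload)
    return struct.pack(HEADER_FMT, node_id, instr, 0, len(payload), wm) + payload


def split_into_frames(superframe: bytes) -> List[bytes]:
    """Download path: decompose one superframe into the data parts of several Ethernet frames."""
    return [superframe[i:i + FRAME_DATA_MAX] for i in range(0, len(superframe), FRAME_DATA_MAX)]


def reassemble_superframe(key: bytes, frames: List[bytes]) -> Optional[Tuple[int, int, bytes]]:
    """Upload path: splice the data parts back together and run the watermark security check.

    Returns (node_id, instr, payload), or None when the superframe must be discarded
    (truncated, padded, or failing the watermark)."""
    buf = b"".join(frames)
    if len(buf) < HEADER_LEN:
        return None
    node_id, instr, _reserved, length, wm = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    if len(buf) != HEADER_LEN + length:
        return None                          # length field disagrees with what arrived
    payload = buf[HEADER_LEN:]
    if not hmac.compare_digest(watermark(key, node_id, instr, payload), wm):
        return None                          # watermark failed: drop the whole superframe
    return node_id, instr, payload


def superframe_watermark_field(superframe: bytes) -> bytes:
    """Extract the watermark field so the receiver can derive the ACK security code from it."""
    return struct.unpack(HEADER_FMT, superframe[:HEADER_LEN])[4]


def verify_ack(key: bytes, wm: bytes, ack_code: bytes) -> bool:
    """Sender-side check of an ACK frame's secondary watermark (constant-time compare)."""
    return hmac.compare_digest(secondary_watermark(key, wm), ack_code)


if __name__ == "__main__":
    key = b"shared-secret-from-security-table"   # constructed example key
    payload = bytes(range(256)) * 12              # constructed 3072-byte payload
    sf = build_superframe(key, 7, INSTR_DATA, payload)
    frames = split_into_frames(sf)
    print(len(frames), "frames; genuine accepted:", reassemble_superframe(key, frames) is not None)
    forged = bytes([frames[1][0] ^ 0x01]) + frames[1][1:]
    print("tampered accepted:", reassemble_superframe(key, [frames[0], forged, frames[2]]) is not None)
```

The receiver never acts on the instruction field before the watermark has verified, which is the ordering step 17 of the workflow requires; `hmac.compare_digest` is used for both checks so that the verification time does not leak how many bytes of a guessed code were right.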
As shown in Figure 3, the implementation scheme of the FPGA includes a network protocol resolution unit, a superframe processing unit, a security control unit, a frame header generator, a receive DMA (Direct Memory Access) module, a transmit DMA module, an upload DMA module, a download DMA module, an embedded CPU (Central Processing Unit) module, a bus interface or other function module, a transmit data cache module, a receive data cache module, a MAC controller, on-chip program memory, a bus management unit, on-chip data memory and a PHY (physical layer) module, wherein:
Network protocol resolution unit: its main function is to parse the network protocols. The unit is controlled by the CPU; it selectively extracts information such as the MAC address, VLAN number, IP address and TCP port number, then selectively performs a matching query against the security table, and finally caches the parsed result in a specific format; its internal structure is shown in Figure 4;
Superframe processing unit: the structure of this module is shown in Figure 5; the data path is divided into an upload path and a download path. The upload path reads the data part of a received frame according to the receive descriptor; if the received Ethernet frame is the beginning of a superframe, the data part of that frame necessarily contains the superframe header and the instruction field, the header field must undergo the watermark security check, and the instruction field must be replaced with a specific instruction or process marker according to the situation; the data parts of several Ethernet frames are spliced into one superframe according to the header information. In the download path, the hardware parses the instruction field and notifies the CPU to carry out the corresponding operation, for example actively initiating a TCP handshake or an ARP broadcast, writes the security code calculated by the CPU into the watermark field, decomposes the superframe into several Ethernet frames according to the header information, and generates transmit descriptors. The interface between this module and the outside is very simple, with only three types of port (request, response and data), so that the whole system appears to the outside just like a memory and can be conveniently extended to various types of bus interface;
Security control unit: this module is the storage and management unit for the watermark function and the security table. It leaves an external interface in order to increase flexibility and security; in addition, this module also supports external configuration of the IP and MAC addresses;
Frame header generator: its main function is to store the TCP/IP protocol headers of the frames to be sent; the headers are set up directly by the CPU and combined with the transmit data cache to obtain a complete Ethernet frame;
Receive DMA module: filters Ethernet frames according to IP address, checks the IP protocol checksum, generates receive frame descriptors, transfers received Ethernet frames into the receive frame cache, and optionally filters by VLAN number;
Transmit DMA module: merges the data in the transmit data cache with the frame header from the frame header generator, calculates the checksums of the ARP, IP, ICMP and TCP protocols respectively, forms a normal Ethernet frame and passes it to the MAC controller for transmission. Because response frames and some special frames have a fixed format, the module generates response frames and special frames directly according to the transmit descriptor, without software participation;
Upload DMA module: the descriptor is provided by the CPU; Ethernet frames are selectively uploaded, and during upload the frame header part and some meaningless frames are discarded, which makes constructing a superframe convenient;
Download DMA module: the descriptor is provided by the CPU; superframes are selectively downloaded, and here a superframe is read in segments and decomposed into multiple Ethernet frames;
Embedded CPU module: mainly responsible for configuring and managing the registers of each module; it polls the modules in the order in which the receive data path and the transmit data path pass through them and carries out the corresponding operations. It also needs to create the headers of the frames to be sent, calculate the watermark, maintain the receive descriptors and transmit descriptors, maintain the receive frame cache and transmit data cache, and provide the data transmission strategy;
Bus interface or other function module: for connecting the components;
Transmit data cache module: for storing the data to be sent by the system;
Receive data cache module: for storing the data received by the system;
MAC controller: for controlling media access;
On-chip program memory: for storing program data;
Bus management unit: for transmitting information between the functional parts;
On-chip data memory: for storing data;
PHY module: for connecting to external signals.
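The receive-side checks that the network protocol resolution unit and the receive DMA module perform (in both the summary above and this embodiment), written out in Python as an added example rather than hardware and not taken from the patent: the protocol resolution unit's extraction of MAC address, VLAN number, IP address and TCP port number, the receive DMA's IP-checksum inspection and IP/VLAN filtering, and the security table's binding of an ID to a (MAC, IP, TCP port) triple with communication restricted to allowed ID pairs. The class and function names (`ParsedFrame`, `SecurityTable`, `admit_tcp_frame`) and the shape of the table are assumptions; the frame builder at the end only constructs test input. A frame is rejected when any one of MAC, IP or port disagrees with the stored binding, so a frame that spoofs a bound IP address from another MAC address does not match.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass
class ParsedFrame:
    """Fields the protocol resolution unit extracts and caches for the CPU."""
    dst_mac: bytes
    src_mac: bytes
    vlan: Optional[int]
    ethertype: int
    src_ip: Optional[bytes] = None
    dst_ip: Optional[bytes] = None
    ip_proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; over a filled-in IPv4 header it is 0 iff the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> Optional[ParsedFrame]:
    """Peel Ethernet (optionally 802.1Q-tagged), IPv4 and TCP headers.
    None means the receive DMA drops the frame: malformed, or the IP checksum failed."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        off, vlan = 18, tci & 0x0FFF            # 12-bit VLAN identifier
    parsed = ParsedFrame(frame[:6], frame[6:12], vlan, ethertype)
    if ethertype != ETHERTYPE_IPV4:
        return parsed                           # ARP and other frames carry no IP fields
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20 or len(frame) < off + ihl:
        return None
    ip = frame[off:off + ihl]
    if ip_checksum(ip) != 0:
        return None                             # IP checksum inspection failed
    (total_len,) = struct.unpack("!H", ip[2:4])
    if total_len < ihl or len(frame) < off + total_len:
        return None
    parsed.src_ip, parsed.dst_ip, parsed.ip_proto = ip[12:16], ip[16:20], ip[9]
    if parsed.ip_proto == IPPROTO_TCP:
        if total_len - ihl < 20:
            return None
        parsed.src_port, parsed.dst_port = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return parsed


class SecurityTable:
    """Security ID table: each ID is bound to one (MAC, IP, TCP port) triple, and only
    explicitly allowed ID pairs may communicate."""

    def __init__(self) -> None:
        self._id_by_binding: Dict[Tuple[bytes, bytes, int], int] = {}
        self._allowed: Set[frozenset] = set()

    def bind(self, node_id: int, mac: bytes, ip: bytes, port: int) -> None:
        self._id_by_binding[(mac, ip, port)] = node_id

    def allow(self, id_a: int, id_b: int) -> None:
        self._allowed.add(frozenset((id_a, id_b)))

    def lookup(self, mac: bytes, ip: bytes, port: int) -> Optional[int]:
        return self._id_by_binding.get((mac, ip, port))   # all three must match

    def permitted(self, id_a: int, id_b: int) -> bool:
        return frozenset((id_a, id_b)) in self._allowed


def admit_tcp_frame(parsed: Optional[ParsedFrame], table: SecurityTable, local_id: int,
                    local_ip: bytes, local_port: int, vlan: Optional[int] = None) -> Optional[int]:
    """Receive-side filter chain: IP address and VLAN filtering, then ID and TCP port filtering
    against the security table. Returns the peer ID when admitted, None when dropped."""
    if parsed is None or parsed.ip_proto != IPPROTO_TCP:
        return None
    if parsed.dst_ip != local_ip or parsed.dst_port != local_port:
        return None
    if vlan is not None and parsed.vlan != vlan:
        return None
    peer = table.lookup(parsed.src_mac, parsed.src_ip, parsed.src_port)
    return peer if peer is not None and table.permitted(local_id, peer) else None


def build_test_frame(src_mac: bytes, dst_mac: bytes, vlan: Optional[int], src_ip: bytes,
                     dst_ip: bytes, src_port: int, dst_port: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for exercising the parser (test data only)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 1024, 0, 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                               IPPROTO_TCP, 0, src_ip, dst_ip))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))  # fill in the header checksum
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF) if vlan is not None else b""
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip) + tcp
```

Every length check runs before the corresponding slice is read, which is the property a hardware parser gets for free from fixed-width fields and a software model has to supply explicitly; a frame whose IP total length exceeds what actually arrived is dropped rather than parsed with garbage.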
The specific workflow of the system includes an initialization process, an uplink process and a downlink process.
The initialization process includes the following steps:
Step 1, configure the MAC address and IP address;
Step 2, check the standby state of the watermark generating function and the security table, and initialize the corresponding registers of each module;
Step 3, the CPU generates the ARP broadcast frame descriptor and frame header and hands them to the transmit DMA to send the ARP broadcast frame.
The uplink process includes the following steps:
Step 11, an Ethernet frame enters the MAC controller through the PHY; the MAC controller performs MAC address filtering and data-link-layer checksum inspection on the Ethernet frame (broadcast frames are not filtered, likewise below), then go to step 12;
Step 12, the frame passes through the receive DMA, where IP address filtering and VLAN number filtering are performed and the IP protocol checksum of the Ethernet frame is checked; if the inspection fails go to step 11, otherwise the receive DMA generates a receive frame descriptor and go to step 13;
Step 13, the network protocol resolution unit performs protocol analysis and notifies the CPU of the result; if the frame is found to be an ARP frame or ICMP frame go to step 14, if it is found to be a TCP frame go to step 15;
Step 14, the network protocol resolution unit judges whether a response is needed; if no response is needed, the CPU completes the related operations such as updating the ARP table and then directly discards the frame; otherwise the CPU generates a response frame descriptor and sets up the response frame header, then go to step 16;
Step 15, the CPU filters by ID number and TCP port number according to the security table, modifies the receive descriptors of the TCP frames carrying data and hands them to the upload DMA, then uploads the several Ethernet frames into the superframe processing unit to construct a superframe, and goes to step 17; at the same time it sets up the TCP acknowledgement frame and its descriptor and goes to step 16;
Step 16, the transmit DMA distinguishes the protocol according to the descriptor, constructs the acknowledgement frame or special frame of the respective protocol, reads the frame header from the frame header generator, then automatically generates the response data part for the respective protocol and calculates that protocol's checksum, then go to step 18;
Step 17, the superframe processing unit analyses the superframe header, takes out the watermark field and hands it to the CPU for authentication; a superframe that fails authentication is discarded directly, otherwise it is uploaded. This step also analyses the instruction field: if the instruction requests termination of the TCP connection, or a TCP FIN frame has been received, the CPU must set up the descriptors of the frames involved in the TCP disconnection process and then go to step 16; otherwise repeat this step;
Step 18, the MAC controller sends the acknowledgement frame or FIN frame through the PHY; repeat steps 11 to 17.
The downlink process includes the following steps:
Step 21, the superframe processing unit reads the instruction field of the superframe; if the instruction field requests sending an ARP broadcast frame go to step 22, if it requests establishing a TCP connection go to step 23, if it requests modifying the IP address or MAC address go to step 24, and in the remaining cases go to step 25;
Step 22, the CPU constructs the transmit descriptor and frame header of the ARP broadcast frame and hands them to the transmit DMA for framing and transmission through the MAC controller, then go to step 21;
Step 23, the CPU constructs the TCP request frame descriptor and frame header and hands them to the transmit DMA for framing and transmission, after which the CPU coordinates the relevant modules to perform the TCP three-way handshake; if the handshake succeeds go to step 25, otherwise go to step 26;
Step 24, the CPU configures the relevant registers of the MAC controller and the receive DMA respectively, thereby changing the MAC address and IP address, then go to step 21;
Step 25, the superframe processing unit parses the superframe header, decomposes the superframe into several Ethernet frames, passes them to the transmit data cache through the download DMA and at the same time generates transmit descriptors; according to these descriptors the CPU generates the headers of the Ethernet frames in the frame header generator; the transmit DMA merges the frame header from the frame header generator with the data in the transmit data cache into a complete Ethernet frame and hands it to the MAC controller for transmission. Each time a TCP frame is sent, the return of an ACK frame must be awaited; if the ACK frame returns within the stipulated time go to step 27, otherwise go to step 28;
Step 26, the handshake has failed; repeat the handshake operation three times, after which the whole superframe is discarded, then go to step 21;
Step 27, for the returned ACK frame, the ID number and the secondary watermark must be authenticated; if they pass, continue to repeat steps 21 to 25, otherwise go to step 28; this continues until the instruction field requests sending a FIN frame, whereupon the CPU coordinates the relevant modules to complete the TCP disconnection operation and thus terminate this TCP connection, then go to step 21;
Step 28, after three retransmission operations, if an ACK frame is received go to step 27, otherwise actively initiate the TCP disconnection operation and repeat steps 21 to 27.
The present invention is easily realized with Xilinx or Altera FPGAs, or with a purpose-developed ASIC chip; a corresponding PCI/PCIe TOE network interface card can also be developed on the basis of the FPGA or ASIC chip.
A concrete instance to which the present invention applies is described further: a networked access control system whose core component is the access controller, which consists of an access security management unit and a network processing unit. Normally the access controller obtains the card number of the person swiping through a card reader or a biometric instrument, compares the received card number against the card-number permissions stored in the controller, and on that basis decides whether the person is allowed to pass. Over a TCP/IP network the access controller transmits event logs and the received card-swipe personnel information to a management computer and receives updated information from the management computer. In some special cases the remote management computer takes over the access controller completely, disables local card-number permission comparison, and controls personnel passage remotely. Such a networked access controller does not need to transmit large amounts of data, but it does need an encrypted TCP/IP protocol and must process the network protocol stack at the lowest possible hardware cost; its network processing unit can be realized entirely with the scheme of the present invention. When implementing the scheme, an Altera EP2S60/130 series FPGA carrying a NIOS soft core already fully meets the processing requirements; with a Xilinx ZYNQ series FPGA further protocols can be added on the basis of the present invention, giving it wider application.
The present invention has the following characteristics. First, a single FPGA implements the TCP/IP protocol stack. This requires a reasonable simplification of the existing TCP/IP protocol stack, such that the Ethernet frames constructed by the simplified stack still meet the normal frame format requirements and their propagation in existing networks is unaffected. Second, data is transmitted securely over the network. The TCP/IP protocol stack is modified for security by adding a security layer above the TCP layer and constructing encrypted superframes, which forms the security mechanism. Third, it is convenient to apply widely. The present invention needs no operating system software: it is realized with SOPC, programmed directly against the hardware, the code is simple, and no operating system participates. In addition, because control instructions are carried inside the data packet, the interface is very simple and can be extended arbitrarily or used directly.
Besides access control systems, the present invention is applicable to any occasion that needs secure network communication where the requirements on traffic rate and data volume are not especially high. Using an existing FPGA network interface card development board and the scheme of the present invention, we have developed a prototype network secure communication system that can safely transmit certain specific information; the hardware-accelerated processing of the TCP/IP protocol stack in the present invention ensures that the system operates at high speed.
The specific embodiments described above further explain the technical problem, technical scheme and beneficial effects of the present invention. It should be understood that the foregoing are merely specific embodiments of the present invention and do not limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.
Claims (5)
1. An FPGA-based TCP/IP protocol stack security processing system, characterised in that it comprises a modification scheme for the TCP/IP protocol stack, an FPGA implementation, and a specific system workflow;
the modification scheme for the TCP/IP protocol stack comprises a simplification scheme and a security scheme;
the FPGA implementation comprises:
Network protocol parsing unit: its main function is to parse network protocols; the unit is controlled by the CPU, selectively extracts information such as the MAC address, VLAN number, IP address and TCP port number, then selectively performs a match query against the security table, and finally caches the parsed result in a specific format;
Superframe processing unit: its data path is divided into an upload path and a download path; the upload path reads the data part of a received frame according to the receive descriptor; if the received Ethernet frame is the beginning of a superframe, the data part of that frame necessarily contains the superframe header and instruction field; the header field needs a watermark security check, and the instruction field is replaced with a specific instruction or process mark according to the concrete situation; the data parts of several Ethernet frames are spliced into one superframe according to the header information; in the download path the hardware parses the instruction field and notifies the CPU to perform the corresponding operation, for example actively initiating a TCP handshake or actively initiating an ARP broadcast, writes the security code calculated by the CPU into the mark field, and decomposes the superframe into several Ethernet frames according to the header information while generating send descriptors; the module's external interface is very simple, with only three port types (request, response and data), so that to the outside the whole system behaves just like a memory and can conveniently be extended to all kinds of bus interfaces;
Security control unit: this module stores and manages the watermark function and the security table and leaves an external interface, in order to increase flexibility and security; the module also supports external configuration of the IP and MAC address;
Frame header generator: its main function is to store the TCP/IP protocol headers of the frames to be sent; the headers are built directly by the CPU and combined with the send data buffer to obtain a complete Ethernet frame;
Receive DMA module: filters Ethernet frames by IP address, checks the IP protocol checksum and generates receive frame descriptors, transfers received Ethernet frames to the receive frame buffer, and optionally filters by VLAN number;
Send DMA module: fuses the data in the send data buffer with the frame header from the frame header generator, computes the checksums of the ARP, IP, ICMP and TCP protocols respectively, forms a normal Ethernet frame and passes it to the MAC controller for sending; because acknowledgement frames and some special frames have a fixed format, the module generates them directly according to the send descriptor without software participation;
Upload DMA module: descriptors are provided by the CPU; Ethernet frames are uploaded selectively; during upload the frame header part and some meaningless frames are discarded, which facilitates superframe construction;
Download DMA module: descriptors are provided by the CPU; superframes are downloaded selectively; a superframe is read in segments and decomposed into multiple Ethernet frames;
Embedded CPU module: mainly responsible for configuring and managing the registers of each module; it polls the modules in the order of the receive data path and the send data path and performs the corresponding operations; in addition it creates the headers of frames to be sent, computes watermarks, maintains the receive descriptors and send descriptors, maintains the receive frame buffer and send data buffer, and provides the data transfer strategy;
Bus interface or other functional modules: for connecting the components;
Send data cache module: stores the data to be sent by the system;
Receive data cache module: stores the data received by the system;
MAC controller: controls media access;
On-chip program memory: stores program data;
Bus management unit: transfers information between the functional components;
On-chip data memory: stores data;
PHY module: connects to external signals.
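The receive DMA module in claim 1 checks the IP header checksum, and the send DMA module fills in the IP, ICMP and TCP checksums before a frame reaches the MAC controller. The following C code is an added example, not the patent's own code: it implements the RFC 1071 one's-complement checksum for both directions. The IPv4 header is a constructed sample (192.168.0.1 to 192.168.0.199, protocol UDP, total length 115) and the TCP SYN segment is constructed as well; the function names are assumptions. One caveat for the send-side list in the claim: ARP itself carries no checksum field, so only the Ethernet FCS covers an ARP frame.

```c
/* Added example (not the patent's code): RFC 1071 checksums as a receive DMA must
 * verify them and a send DMA must fill them in.  Sample headers are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Add the 16-bit big-endian words of p[0..len) to acc; an odd trailing byte is
 * padded with a zero low byte.  Callers keep every partial range even-aligned. */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t len)
{
    while (len > 1) { acc += (uint32_t)((p[0] << 8) | p[1]); p += 2; len -= 2; }
    if (len) acc += (uint32_t)(p[0] << 8);
    return acc;
}

/* Fold the carries back into 16 bits and take the one's complement. */
static uint16_t csum_fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xFFFFu) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Send side: checksum over the IPv4 header with the checksum field (bytes 10..11)
 * treated as zero.  ihl_bytes must be at least 20. */
uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t ihl_bytes)
{
    uint32_t acc = csum_add(0, hdr, 10);
    acc = csum_add(acc, hdr + 12, ihl_bytes - 12);
    return csum_fold(acc);
}

/* Receive side: a header whose stored checksum is correct sums to 0xFFFF, so the
 * folded complement is zero. */
int ipv4_header_valid(const uint8_t *hdr, size_t ihl_bytes)
{
    return csum_fold(csum_add(0, hdr, ihl_bytes)) == 0;
}

/* TCP checksum: pseudo-header (src, dst, zero, protocol 6, segment length) followed
 * by the segment with its checksum field (bytes 16..17) treated as zero. */
uint16_t tcp_checksum(const uint8_t src_ip[4], const uint8_t dst_ip[4],
                      const uint8_t *seg, size_t seg_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, src_ip, 4);
    memcpy(pseudo + 4, dst_ip, 4);
    pseudo[8] = 0;
    pseudo[9] = 6;
    pseudo[10] = (uint8_t)(seg_len >> 8);
    pseudo[11] = (uint8_t)seg_len;
    uint32_t acc = csum_add(0, pseudo, sizeof pseudo);
    acc = csum_add(acc, seg, 16);                 /* ports, seq, ack, offset/flags, window */
    acc = csum_add(acc, seg + 18, seg_len - 18);  /* urgent pointer, options, payload */
    return csum_fold(acc);
}

/* Receive side for TCP: recompute and compare with the stored field. */
int tcp_segment_valid(const uint8_t src_ip[4], const uint8_t dst_ip[4],
                      const uint8_t *seg, size_t seg_len)
{
    uint16_t stored = (uint16_t)((seg[16] << 8) | seg[17]);
    return tcp_checksum(src_ip, dst_ip, seg, seg_len) == stored;
}

/* Send side for TCP: write the checksum into the segment, as the send DMA would. */
uint16_t tcp_fill_checksum(uint8_t *seg, size_t seg_len,
                           const uint8_t src_ip[4], const uint8_t dst_ip[4])
{
    uint16_t c = tcp_checksum(src_ip, dst_ip, seg, seg_len);
    seg[16] = (uint8_t)(c >> 8);
    seg[17] = (uint8_t)c;
    return c;
}

/* Constructed samples.  The IPv4 header already carries its correct checksum 0xB861. */
const uint8_t sample_ipv4_hdr[20] = {
    0x45, 0x00, 0x00, 0x73,  0x00, 0x00, 0x40, 0x00,  0x40, 0x11, 0xB8, 0x61,
    0xC0, 0xA8, 0x00, 0x01,  0xC0, 0xA8, 0x00, 0xC7 };
const uint8_t sample_src_ip[4] = { 0xC0, 0xA8, 0x00, 0x01 };
const uint8_t sample_dst_ip[4] = { 0xC0, 0xA8, 0x00, 0xC7 };
/* SYN from port 80 to port 8080, seq 1, window 0x2000, checksum field still zero. */
uint8_t sample_tcp_syn[20] = {
    0x00, 0x50,  0x1F, 0x90,  0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x00, 0x00,
    0x50, 0x02,  0x20, 0x00,  0x00, 0x00,  0x00, 0x00 };
```

The receive-side checks deliberately sum the stored checksum field together with the rest of the header, so a valid header always folds to zero and no separate comparison is needed; a DMA engine can do this in a single pass over the bytes.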
2. The FPGA-based TCP/IP protocol stack security processing system as claimed in claim 1, characterised in that the specific system workflow comprises an initialization process, an uplink process and a downlink process.
3. The FPGA-based TCP/IP protocol stack security processing system as claimed in claim 2, characterised in that the initialization process comprises the following steps:
Step 1: configure the MAC address and IP address;
Step 2: check the watermark generating function and the security table settings, and initialize the corresponding registers of each module;
Step 3: the CPU generates the descriptor and frame header of the ARP broadcast frame and hands them to the send DMA, which sends the ARP broadcast frame.
4. The FPGA-based TCP/IP protocol stack security processing system as claimed in claim 2, characterised in that the uplink process comprises the following steps:
Step 11: an Ethernet frame enters the MAC controller through the PHY; the MAC controller performs MAC address filtering and data link layer checksum inspection on the Ethernet frame (broadcast frames are not filtered, here and below); then go to step 12;
Step 12: the Ethernet frame passes through the receive DMA, which performs IP address filtering and, here, VLAN number filtering, and checks the IP protocol checksum; if the check fails go to step 11, otherwise the receive DMA generates a receive frame descriptor and the process goes to step 13;
Step 13: the network protocol parsing unit performs protocol parsing and notifies the CPU of the result; if the frame is found to be an ARP frame or an ICMP frame go to step 14; if it is found to be a TCP frame go to step 15;
Step 14: the network protocol parsing unit judges whether a response is needed; if no response is needed, the CPU completes the associated operations such as updating the ARP table and then discards the frame directly; otherwise the CPU generates a response frame descriptor and sets up the acknowledgement frame header, then goes to step 16;
Step 15: the CPU performs ID number and TCP port number filtering according to the security table; the receive descriptor of a TCP frame carrying data is modified and handed to the upload DMA, which then uploads several Ethernet frames into the superframe processing unit to construct a superframe, go to step 17; at the same time a TCP acknowledgement frame and its descriptor are set up, go to step 16;
Step 16: the send DMA distinguishes the protocol according to the descriptor and constructs the acknowledgement frame or special frame of that protocol: it reads the frame header from the frame header generator, then automatically generates the corresponding reply data part for the protocol, computes the protocol's checksum, and goes to step 18;
Step 17: the superframe processing unit parses the superframe header, extracts the mark field and hands it to the CPU for discrimination; a superframe that fails discrimination is discarded directly, otherwise it is uploaded; this step also parses the instruction field: if the instruction requests termination of the TCP link, or a TCP FIN frame has been received, the CPU clears the descriptors and sets up the frames associated with the TCP disconnect process, then goes to step 16; otherwise this step is repeated;
Step 18: the MAC controller sends the acknowledgement frame or FIN frame through the PHY, and steps 11 to 17 are repeated.
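Steps 15 and 17 of the uplink process (in the description above and restated in claim 4) splice the data parts of several Ethernet frames into one superframe and then discriminate its mark field; the download path of claim 1 is the mirror image, with the CPU writing the computed security code into that field. The C code below is an added example, not the patent's code, covering both sides. The patent does not publish the superframe header layout or the watermark function, so the 9-byte header (ID, total length, instruction, mark), the instruction codes, the key, the buffer size and the keyed FNV-1a hash standing in for the watermark are all assumptions made for illustration only.

```c
/* Added example (not the patent's code).  Header layout, instruction codes, key and
 * watermark function are ASSUMPTIONS; the patent does not publish them. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SF_MAX     1024  /* assumed maximum superframe size, header included */
#define SF_HDR_LEN 9     /* assumed layout: id:2 | total_len:2 | instr:1 | mark:4, big-endian */
#define SF_KEY_LEN 8

enum sf_instr  { SF_INSTR_DATA = 0x00, SF_INSTR_CLOSE_TCP = 0x01 };  /* assumed codes */
enum sf_status { SF_ERROR = -1, SF_NEED_MORE = 0, SF_COMPLETE = 1 };

typedef struct {
    uint8_t buf[SF_MAX];   /* data parts of the received Ethernet frames, spliced in order */
    size_t  have;          /* bytes spliced so far */
    size_t  total_len;     /* announced by the header carried in the first frame */
    int     started;
} sf_assembler;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint32_t fnv_step(uint32_t h, uint8_t b) { return (h ^ b) * 0x01000193u; }

/* Stand-in for the unpublished watermark function: keyed FNV-1a over
 * key || id || instr || payload.  Assumed for illustration; FNV is not collision
 * resistant, so a real design would use a proper MAC such as HMAC here. */
static uint32_t sf_watermark(const uint8_t *key, uint16_t id, uint8_t instr,
                             const uint8_t *payload, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < SF_KEY_LEN; i++) h = fnv_step(h, key[i]);
    h = fnv_step(h, (uint8_t)(id >> 8));
    h = fnv_step(h, (uint8_t)id);
    h = fnv_step(h, instr);
    for (size_t i = 0; i < len; i++) h = fnv_step(h, payload[i]);
    return h;
}

/* Download side: build a superframe, writing the computed security code into the mark field. */
size_t sf_build(uint8_t *out, size_t cap, const uint8_t *key, uint16_t id, uint8_t instr,
                const uint8_t *payload, size_t len)
{
    size_t total = SF_HDR_LEN + len;
    if (total > cap || total > 0xFFFF) return 0;
    uint32_t mark = sf_watermark(key, id, instr, payload, len);
    out[0] = (uint8_t)(id >> 8);     out[1] = (uint8_t)id;
    out[2] = (uint8_t)(total >> 8);  out[3] = (uint8_t)total;
    out[4] = instr;
    out[5] = (uint8_t)(mark >> 24);  out[6] = (uint8_t)(mark >> 16);
    out[7] = (uint8_t)(mark >> 8);   out[8] = (uint8_t)mark;
    memcpy(out + SF_HDR_LEN, payload, len);
    return total;
}

void sf_reset(sf_assembler *a) { memset(a, 0, sizeof *a); }

/* Upload side, step 15: splice the data part of one received Ethernet frame.  The
 * first frame must carry the whole header, which fixes the expected total length. */
int sf_push_frame(sf_assembler *a, const uint8_t *data, size_t len)
{
    if (!a->started) {
        if (len < SF_HDR_LEN) return SF_ERROR;
        a->total_len = rd16(data + 2);
        if (a->total_len < SF_HDR_LEN || a->total_len > SF_MAX) return SF_ERROR;
        a->started = 1;
    }
    if (a->have + len > a->total_len) return SF_ERROR;   /* more data than announced */
    memcpy(a->buf + a->have, data, len);
    a->have += len;
    return a->have == a->total_len ? SF_COMPLETE : SF_NEED_MORE;
}

/* Step 17: recompute the mark over the assembled superframe and compare it with the
 * mark field.  Returns the instruction byte when the superframe passes, -1 when it
 * must be discarded. */
int sf_discriminate(const sf_assembler *a, const uint8_t *key)
{
    if (!a->started || a->have != a->total_len) return -1;
    uint16_t id = rd16(a->buf);
    uint8_t instr = a->buf[4];
    uint32_t expect = sf_watermark(key, id, instr, a->buf + SF_HDR_LEN, a->total_len - SF_HDR_LEN);
    return (expect ^ rd32(a->buf + 5)) == 0 ? instr : -1;
}

/* Demo: one superframe split across two Ethernet-frame data parts; with tamper != 0
 * one payload byte is flipped in transit.  Returns sf_discriminate's result. */
int sf_demo(int tamper)
{
    static const uint8_t key[SF_KEY_LEN] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed key */
    static const uint8_t payload[] = "card 0x1234 granted";              /* constructed payload */
    uint8_t sf[64];
    sf_assembler a;
    size_t n = sf_build(sf, sizeof sf, key, 0x0042, SF_INSTR_CLOSE_TCP, payload, sizeof payload - 1);
    if (n == 0) return -2;
    if (tamper) sf[n - 1] ^= 0x01;
    sf_reset(&a);
    if (sf_push_frame(&a, sf, 12) != SF_NEED_MORE) return -3;    /* header plus 3 payload bytes */
    if (sf_push_frame(&a, sf + 12, n - 12) != SF_COMPLETE) return -4;
    return sf_discriminate(&a, key);
}
```

The length announced in the header is checked against the buffer before any splicing, and a frame that would overrun the announced length is rejected, so a malformed or oversized sequence of frames cannot write past the assembler buffer; the discrimination step only runs on a fully assembled superframe, which is the point at which step 17 hands the mark field to the CPU.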
5. The FPGA-based TCP/IP protocol stack security processing system as claimed in claim 2, characterised in that the downlink process comprises the following steps:
Step 21: the superframe processing unit reads the instruction field of the superframe; if the instruction field requests sending an ARP broadcast frame, go to step 22; if it requests establishing a TCP link, go to step 23; if it requests modifying the IP address or MAC address, go to step 24; in all other cases go to step 25;
Step 22: the CPU constructs the send descriptor and frame header of the ARP broadcast frame and hands them to the send DMA for framing; the frame is sent by the MAC controller, then go to step 21;
Step 23: the CPU constructs the descriptor and frame header of the TCP request frame and hands them to the send DMA for framing and sending; the CPU then coordinates the relevant modules to perform the TCP three-way handshake; if the handshake succeeds go to step 25, otherwise go to step 26;
Step 24: the CPU configures the relevant registers of the MAC controller and the receive DMA, thereby changing the MAC address and IP address; then go to step 21;
Step 25: the superframe processing unit parses the superframe header and decomposes the superframe into several Ethernet frames, which are passed to the send data buffer through the download DMA while send descriptors are generated; according to each descriptor the CPU generates the Ethernet frame header in the frame header generator; the send DMA fuses the header from the frame header generator with the data in the send data buffer into a complete Ethernet frame and hands it to the MAC controller for sending; after every TCP frame sent, the return of an ACK frame must be awaited; if the ACK frame returns within the stipulated time go to step 27, otherwise go to step 28;
Step 26: the handshake has failed; the handshake is repeated three times, after which the whole superframe is discarded and the process goes to step 21;
Step 27: the returned ACK frame is subjected to ID number and secondary watermark discrimination; if it passes, steps 21 to 25 continue to be repeated, otherwise go to step 28; this continues until the instruction field requests sending a FIN frame, whereupon the CPU coordinates the relevant modules to complete the TCP disconnect operation, thereby terminating this TCP link, and goes to step 21;
Step 28: after three retransmissions, if an ACK frame is received go to step 27, otherwise actively initiate the TCP disconnect operation; steps 21 to 27 are repeated.
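The downlink process (steps 21 to 28 in the description above and in claim 5) is a stop-and-wait sender: each Ethernet frame cut from the superframe waits for its ACK, is retransmitted up to three times, and a missing ACK after that triggers an active disconnect, while a handshake that fails three times drops the whole superframe. The C code below is an added example of that control flow, not the patent's code. The link and the handshake are simulated by callbacks so the example runs offline; the frame payload size, the callback signatures, the scenario table and the payload are assumptions made for the demo.

```c
/* Added example (not the patent's code): the stop-and-wait send loop of the downlink
 * process with the retry limits the claims state.  Link behaviour is simulated. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSS          8   /* assumed payload bytes per Ethernet frame; tiny so the demo needs few frames */
#define MAX_RETX     3   /* three retransmissions before giving up (step 28) */
#define MAX_HS_TRIES 3   /* three handshake attempts before the superframe is dropped (step 26) */

enum tx_result { TX_DONE = 0, TX_ABORT_DISCONNECT = 1, TX_ABORT_HANDSHAKE = 2 };

/* Simulated link (assumption): does the ACK for frame `seg`, transmission number
 * `attempt` (0 = first send, 1..MAX_RETX = retransmissions), arrive in time? */
typedef int (*ack_fn)(size_t seg, int attempt, const uint8_t *frame, size_t n, void *ctx);
/* Simulated three-way handshake (assumption): does attempt `attempt` (0-based) succeed? */
typedef int (*handshake_fn)(int attempt, void *ctx);

typedef struct {
    size_t frames_sent;     /* every frame handed to the MAC, retransmissions included */
    size_t segments_acked;  /* frames whose ACK passed step 27 */
} tx_stats;

/* Steps 25, 27 and 28: decompose the superframe payload into MSS-sized frames and send
 * them stop-and-wait; each frame is retransmitted at most MAX_RETX times. */
int send_superframe(const uint8_t *payload, size_t len, ack_fn link, void *ctx, tx_stats *st)
{
    size_t nseg = (len + MSS - 1) / MSS;
    memset(st, 0, sizeof *st);
    for (size_t seg = 0; seg < nseg; seg++) {
        uint8_t frame[MSS];
        size_t off = seg * MSS;
        size_t n = (len - off < MSS) ? len - off : MSS;
        memcpy(frame, payload + off, n);                /* step 25: data part of this Ethernet frame */
        int acked = 0;
        for (int attempt = 0; attempt <= MAX_RETX && !acked; attempt++) {
            st->frames_sent++;                          /* frame fused with its header and sent */
            acked = link(seg, attempt, frame, n, ctx);  /* ACK within the stipulated time? */
        }
        if (!acked) return TX_ABORT_DISCONNECT;         /* step 28: actively disconnect the TCP link */
        st->segments_acked++;                           /* step 27: ACK accepted, next frame */
    }
    return TX_DONE;  /* the FIN exchange follows when the instruction field asks for it */
}

/* Steps 23 and 26: up to MAX_HS_TRIES handshake attempts; on failure the superframe is dropped. */
int establish_then_send(handshake_fn hs, ack_fn link, void *ctx,
                        const uint8_t *payload, size_t len, tx_stats *st)
{
    int ok = 0;
    for (int attempt = 0; attempt < MAX_HS_TRIES && !ok; attempt++) ok = hs(attempt, ctx);
    if (!ok) { memset(st, 0, sizeof *st); return TX_ABORT_HANDSHAKE; }
    return send_superframe(payload, len, link, ctx, st);
}

/* Constructed link behaviour for the demo scenarios. */
typedef struct {
    size_t lossy_seg;        /* frame whose ACKs get lost */
    int    lost_attempts;    /* how many of its transmissions go unacknowledged */
    int    handshake_fails;  /* how many handshake attempts fail before one succeeds */
} sim_link;

static int sim_ack(size_t seg, int attempt, const uint8_t *frame, size_t n, void *ctx)
{
    const sim_link *l = ctx;
    (void)frame; (void)n;
    return !(seg == l->lossy_seg && attempt < l->lost_attempts);
}
static int sim_handshake(int attempt, void *ctx)
{
    return attempt >= ((const sim_link *)ctx)->handshake_fails;
}

/* Scenarios: 0 clean link; 1 frame 1 needs two retransmissions; 2 frame 2 is never
 * acknowledged; 3 the handshake fails three times.  Constructed payload: 21 bytes, 3 frames. */
static int run_scenario(int scenario, tx_stats *st)
{
    static const uint8_t payload[] = "access-log-record-01";
    sim_link l = { 0, 0, 0 };
    switch (scenario) {
    case 0: break;
    case 1: l.lossy_seg = 1; l.lost_attempts = 2; break;
    case 2: l.lossy_seg = 2; l.lost_attempts = MAX_RETX + 1; break;
    case 3: l.handshake_fails = MAX_HS_TRIES; break;
    default: memset(st, 0, sizeof *st); return -1;
    }
    return establish_then_send(sim_handshake, sim_ack, &l, payload, sizeof payload, st);
}

int    demo_result(int scenario)         { tx_stats st; return run_scenario(scenario, &st); }
size_t demo_frames_sent(int scenario)    { tx_stats st; run_scenario(scenario, &st); return st.frames_sent; }
size_t demo_segments_acked(int scenario) { tx_stats st; run_scenario(scenario, &st); return st.segments_acked; }
```

The retry bounds are the security-relevant part: without a hard cap on retransmissions and handshake attempts, a peer that simply withholds ACKs could hold the sender, and the superframe buffer behind it, indefinitely; scenario 2 shows the sender giving up after one transmission plus three retransmissions and scenario 3 shows the whole superframe being dropped after three failed handshakes.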
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611111457.5A CN106534168B (en) | 2016-12-06 | 2016-12-06 | TCP/IP protocol stack safety processing system based on FPGA |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106534168A true CN106534168A (en) | 2017-03-22 |
CN106534168B CN106534168B (en) | 2019-08-09 |
Family
ID=58341410
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611111457.5A Active CN106534168B (en) | 2016-12-06 | 2016-12-06 | TCP/IP protocol stack safety processing system based on FPGA |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106534168B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110061999A (en) * | 2019-04-28 | 2019-07-26 | 华东师范大学 | A kind of network data security analysis ancillary equipment based on ZYNQ |
CN111224773A (en) * | 2018-11-26 | 2020-06-02 | 山东量子科学技术研究院有限公司 | Quantum key management equipment |
CN111615078A (en) * | 2020-04-20 | 2020-09-01 | 深圳联友科技有限公司 | Communication method and device of C-V2X protocol stack |
CN111725776A (en) * | 2020-04-27 | 2020-09-29 | 国网江苏省电力有限公司电力科学研究院 | FPGA-based power distribution network current differential protection device |
CN112100119A (en) * | 2020-08-18 | 2020-12-18 | 中国科学院声学研究所 | High-speed Ethernet frame reconstruction system based on FPGA |
CN114489840A (en) * | 2022-01-14 | 2022-05-13 | 南京邮电大学 | TCP/IP hardware unloading system based on FPGA and implementation method thereof |
CN114567614A (en) * | 2022-03-07 | 2022-05-31 | 江苏新质信息科技有限公司 | Method and device for realizing ARP protocol processing based on FPGA |
CN114584526A (en) * | 2022-03-07 | 2022-06-03 | 江苏新质信息科技有限公司 | ARP protocol processing method, system, storage medium and electronic equipment |
CN114726883A (en) * | 2022-04-27 | 2022-07-08 | 重庆大学 | Embedded RDMA system |
CN115442267A (en) * | 2022-08-20 | 2022-12-06 | 西安翔腾微电子科技有限公司 | ICMP method based on ARINC664 protocol |
CN116112826A (en) * | 2023-01-06 | 2023-05-12 | 上海拿森汽车电子有限公司 | SENT data acquisition method, computer equipment and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101651673A (en) * | 2009-09-17 | 2010-02-17 | 山东大学 | Method for connecting system on programmable chip to Ethernet |
CN101950037A (en) * | 2010-09-12 | 2011-01-19 | 上海英迈吉东影图像设备有限公司 | Safety inspection system with embedded Ethernet transmission based on SOPC |
Non-Patent Citations (3)
Title |
---|
ADAM DUNKELS: "Full TCP/IP for 8-Bit Architectures", Proceedings of MobiSys 2003: The First International Conference on Mobile Systems, Applications, and Services |
AN BRAEKEN et al.: "Secure remote reconfiguration of an FPGA-based embedded system", 6th International Workshop on Reconfigurable Communication-centric Systems-on-Chip (ReCoSoC) |
徐俊 (Xu Jun): "Implementation of an embedded TCP/IP protocol stack based on FPGA", master's thesis, East China Normal University |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |