KR101115098B1 - Flow processing unit and method for controlling flow processing unit - Google Patents

Abstract

Disclosed are a flow processing unit and a flow processing unit control method capable of significantly improving performance by processing in a flow unit rather than a packet in a server-based Unified Thread Management (UTM) platform.
In one embodiment, the flow processing unit comprises a controller for determining an input packet, an output packet corresponding to the input packet as a single flow, and granting a session to the determined flow, and a core assigned to the session. It can be configured to include a processor for signal processing for the flow.

Description

FLOW PROCESSING UNIT AND METHOD FOR CONTROLLING FLOW PROCESSING UNIT}

Embodiments of the present invention relate to a flow processing unit (FPU) and a flow processing unit control method.

In general, the Internet is vulnerable to security because the Internet does not require a separate user authentication procedure. As a result, a firewall was developed to protect the internal network from the outside, and then, an intrusion prevention system (IPS) that inspects harmful patterns hidden in the packet payload, web firewall, anti-virus, and SIP security. This area is specialized and expanded by application.

As the security area expands, the increased security costs associated with the management and operation of various security devices and the deterioration of security due to policy inconsistency among security devices have emerged. It is in full swing.

In addition, the increase of broadband Internet speed and the increase of wireless Internet traffic due to the spread of smart phones have increased the network bandwidth and demand high performance security equipment.

Conventional high-performance professional equipment takes the development method of the H / W method, the general-purpose equipment of the composite function has taken the development method of the S / W method, but now a methodology for solving the high performance and complex functions at the same time is required.

The NPU (Network Processor Unit, Intel's IXP2400 series), ASIC, and NSP (Network Security Processor, Cavium's Octeon series) methods for solving high performance are fundamentally limited in responding to increasingly heterogeneous and mixed attacks. . In addition, S / W-based UTM on general-purpose server boards consumes most of the CPU resources just by processing network traffic, making it difficult to handle various security functions.

1 is a diagram illustrating the structure of a server-based network security equipment according to a conventional embodiment.

Figure 1 shows the structure of a typical PC server hardware based security equipment system. With a network interface card (NIC) on the PCI bus, the network is physically separated into an internal network and an external network (or a trust network and an un-trust network), and security functions are performed on packets passing through all networks.

Depending on compliance with security policies, the presence of harmful data in the payload of packets, and the primary use of security features such as encryption and authentication against external eavesdropping / forgeries, network security devices can be classified into firewalls, IPS (Intrusion Prevention System) ), Virtual Private Network (VPN), Web Application Firewall (WAF), Anti-Virus (AV), and Anti-Spam (AS) .In recent years, these functions have been integrated to introduce the UTM (Unified Thread Management) product line. .

Each security function can be implemented in the form of proxy in the application area or in the kernel area for faster performance. UTM products implement these methods in a mixture.

In general, since the Proxy method operates at the application layer, whenever network input / output (I / O) occurs, the overhead of copying packet contents between kernel and app areas is very high. However, as it is implemented as a proxy, it can control precisely and check the security review in detail. Accordingly, Anti-Virus products are generally implemented as proxies.

The security equipment structure shown above is a case where the security function is implemented only by software in a general system. Since security functions depend entirely on software, any security function can be implemented.

However, there is a performance index as an important evaluation index of network equipment. Routers measure the performance of their equipment in PPS and should not degrade due to the features they provide. In other words, the goal is to provide wire-speed for any packet.

Table 1 below shows the number of packet sizes in the 1 Gbps bandwidth.

When operating in full duplex in a 1Gbps network environment, up to 3 million packets pass through security devices. In other words, a 1Gbps two-port security device must read 3 million packets, inspect the policy, and forward the packets to another interface to ensure wire-speed.

Today's 3.0 GHz processors take into account ILP (Instruction Level Parallelism), which is about 6000 MIPS per core. That is, the processor can execute 6000M instructions in one second, and if the entire instruction is used only for packet processing, it means that the processing must be completed within 2000 instructions per packet.

If packet processing is largely listed as a unit of work, it is equivalent to `` enter interrupt mode → NIC ISR processing → check policy for packet → check routing table → send packet to next NIC → exit from interrupt mode ''.

For example, even with NIS ISR processing, the total number of instructions is more than a few tens of K lines because of the long chain of tasks such as packet memory allocation, packet multicast address checking, NIC-related descriptors, and protocol-specific sanity checks. As a result, server-based network security devices offer significantly less performance at wire-speed, and several hardware technologies have been introduced to overcome these capabilities.

ASIC-based, NPU (Network Processor Unit) -based, NSP (Network Security Processor) -based, and Server Blade-based technologies are being introduced, but security functions are becoming more complex, like UTM. Accordingly, high-performance professional security products that simplify functions and adopt dedicated hardware and general network-based integrated network security products coexist.

However, as attacks move from L3 to L7, heterogeneous, complex and mixed attacks occur, there is a need for a methodology for building high-performance UTM equipment. According to the ASIC, NPU, and NSP methods, only simple security equipment can be manufactured.

The problem with the existing server-based hardware, first of all, is the excessive network I / O operation problem. Originally, a server is a computer system designed to run limited applications efficiently. In other words, as the TCP / IP communication protocol became an OSI communication standard, an application standard development methodology called a client-server model was introduced, and a server system was developed accordingly. Hereinafter, referring to FIGS. 2 and 3, excessive network I / O operation problems in the existing server-based hardware will be described.

2 is a diagram illustrating a process of operating a web or mail service in server-based hardware according to an exemplary embodiment.

Referring to FIG. 2, a packet received from the outside is input to the service daemon, or a response packet is output from the service daemon to the outside. That is, the NIC card, the NIC ISR, and the service daemon are naturally connected to each other, and thus, a server resource is effectively allocated to the service.

3 is a diagram illustrating a process of operating as a network security device in a server-based hardware according to an embodiment of the present invention.

Referring to FIG. 3, the security module in the security device may basically perform bypass or drop. However, in the existing hardware, as the work is broken down, most of the CPU resources are exhausted in packet processing. In other words, a work unit called bypass is divided into two stages: first step of receiving Rx from eth0 NIC ISR and two steps of ISR processing after transmitting Tx to eth1 NIC, thus wasting CPU resources.

Another problem of the existing server-based hardware, there is a performance improvement constraints due to the increase in the number of multicores. Processor performance improvements are shifting from traditional operating frequency increases to multicores, which increase the number of operating cores. From a software perspective, it's the same as the traditional Shared Memory Processor (SMP) configuration, just as the number of processors increases from two to four to eight. The performance of server-based network security equipment should use multicore effectively, and it is difficult to achieve performance increase in proportion to the number of cores inherent in NIC-based network. Hereinafter, with reference to FIG. 4, the performance improvement constraint problem in the existing server-based hardware.

4 is a diagram illustrating a process of processing a packet in a server-based network security device according to an exemplary embodiment.

Referring to FIG. 4, if eth0 is connected to the internal network and eth1 is connected to the external internet network, the eth0 and eht1 NICs (NETWORK INTERFACE CARD) bind the IRQs to CPU0 and CPU1 to increase the NIC ISR throughput. .

When connecting from the internal IP A to the external web server B, the packet output from the client to the web server is processed by CPU0, and the packet input from the web server to the client is processed by CPU1. At this time, even if the packet type, IP, or port value is different, it should be processed based on the session as the same operation.

In other words, when accessing the session table, a synchronization operation is required to maintain consistency.When processing the same session, work is performed on only one core regardless of the number of cores, and the other cores are idle until the spinlock is released. do.

In a traditional web / mail server, processing by packet is sufficient, but processing by packet in a network security module does not fit the mechanism. As threats continue to evolve in a complex, heterogeneous, or mixed fashion, connecting single security devices to cascades cannot cope with attacks. Therefore, there is a need for a method that is based on the UTM platform, but can dramatically improve performance. As a method for improving performance as described above, the present invention is to propose a network security equipment that can be processed in units of flows, not packets.

An embodiment of the present invention provides a method for controlling a flow processing unit and a flow processing unit that can significantly improve performance by processing a flow unit rather than a packet in a server-based Unified Thread Management (UTM) platform. do.

In addition, an embodiment of the present invention provides a flow processing unit and a flow processing unit control method based on packet forwarding which is a packet processing work unit in a network equipment.

In addition, an embodiment of the present invention provides a flow processing unit and a flow processing unit control method capable of minimizing a host operation due to packet forwarding between ports in a card.

In addition, an embodiment of the present invention provides a flow processing unit and a flow processing unit control method capable of directly performing alloc / free logic on a packet storing buffer.

In addition, an embodiment of the present invention provides a flow processing unit and a flow processing unit control method capable of performing packet forwarding between ports in a TCP / UDP checksum calculation and a single operation.

In addition, an embodiment of the present invention provides a flow processing unit and a flow processing unit control method capable of reducing session synchronization work in a host by maintaining session information in a packet.

In addition, an embodiment of the present invention is a flow processing unit for reducing the network I / O instruction (ISR) load due to packet forwarding in the existing NIC card by performing packet forwarding processing in server-based hardware and A flow processing unit control method is provided.

In addition, an embodiment of the present invention provides a flow processing unit and a flow processing unit control method capable of eliminating session synchronization costs by maintaining a session on its own, causing packets in the same session to interrupt the same CPU.

In addition, an embodiment of the present invention provides a flow processing unit and a flow processing unit control method that can be implemented in an FPGA including a multi-GbE MAC, and capable of producing a high performance UTM security device that is fast enough even in an existing PC server board.

In order to achieve the above object, a flow processing unit includes an input packet, a controller for determining an output packet corresponding to the input packet as a single flow and granting a session to the determined flow, and a core assigned to the session. And a processor for signal processing for the flow.

In addition, as a technical method for achieving the above object, the flow processing unit control method, the step of determining the input packet, the output packet corresponding to the input packet as a single flow, and granting a session to the determined flow And signaling the flow at the core assigned to the session.

According to one embodiment of the present invention, performance can be dramatically improved by processing in units of flows rather than packets in a server-based Unified Thread Management (UTM) platform.

In addition, according to an embodiment of the present invention, by performing the packet forwarding process in the server-based hardware, there is no need for ISR processing for packet reception or packet transmission required for packet forwarding in the existing NIC card.

In addition, according to an embodiment of the present invention, by maintaining the session information in the packet it is possible to reduce the session synchronization operation in the host, accordingly, performance scalability according to the increase in the number of multi-core in the SMP (Security Management Portal) system ( Scalability) can be obtained.

1 is a diagram illustrating the structure of a server-based network security equipment according to a conventional embodiment.
2 is a diagram illustrating a process of operating a web or mail service in server-based hardware according to an exemplary embodiment.
3 is a diagram illustrating a process of operating as a network security device in a server-based hardware according to an embodiment of the present invention.
4 is a diagram illustrating a process of processing a packet in a server-based network security device according to an exemplary embodiment.
5 is a diagram illustrating an internal configuration of a flow processing unit according to an embodiment of the present invention.
6 is a diagram illustrating an example of processing packet forwarding in a flow processing unit according to an embodiment of the present invention.
7 is a diagram illustrating an example of processing a packet in the same session in a flow processing unit according to an embodiment of the present invention.
8 is a flowchart illustrating a sequence of a method for controlling a flow processing unit according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. However, the present invention is not limited or limited by the embodiments. Like reference numerals in the drawings denote like elements.

5 is a diagram illustrating an internal configuration of a flow processing unit according to an embodiment of the present invention.

Referring to FIG. 5, a flow processing unit (FPU) 500 according to an embodiment of the present invention may include a controller 510 and a processor 520. In addition, the flow processing unit 500 according to another embodiment of the present invention may further include a database 530.

The controller 510 determines an input packet and an output packet corresponding to the input packet as a single flow and assigns a session to the determined flow.

For example, the database 530 may record the session-specific session and the core information about the core in correspondence with each other, and the controller 510 obtains the core information from the input packet via the first port. The session recorded in correspondence with the acquired core information may be searched in the database 530, and the searched session may be assigned to a flow to which the input packet belongs.

The processor 520 is responsible for signaling the flow in the core assigned to the session. In one example, the processor 520 may allocate, among the plurality of cores, a core not assigned to the session or a core having the least amount of usage to the session.

In this case, the processor 520 may include a descriptor 540.

Here, the descriptor 540 may serve to designate a buffer in the core that stores the descriptive information regarding the input packet via the first port.

That is, the descriptor 540 may cause the processor 520 to acquire the descriptive information from the designated buffer when processing a signal for an output packet of a flow to which the input packet belongs.

For example, the flow processing unit 500 i) receives a packet from the MAC, ii) extracts 5-tuple information from the IP / TCP header, retrieves it from the existing session table, and iii) registers it in the session table if it is a new session. Allocate cores with low usage, iii) If there is an existing session table, obtain the core information pre-allocated for the session, iii) Allocate a packet buffer in the buffer pool, DMA transfer the packet to the buffer, and iv) By updating the contents of the ring descriptor and iii) generating an MSI / MSI-X interrupt to the core, the packet can be received and processed.

Therefore, according to an embodiment of the present invention, the server-based Unified Thread Management (UTM) platform, by processing the flow (units) rather than packets, it is possible to significantly improve the performance.

In addition, according to an embodiment of the present invention, by performing the packet forwarding process in the server-based hardware, there is no need for ISR processing for packet reception or packet transmission required for packet forwarding in the existing NIC card.

In addition, according to an embodiment of the present invention, by maintaining the session information in the packet it is possible to reduce the session synchronization operation in the host, accordingly, performance scalability according to the increase in the number of multi-core in the SMP (Security Management Portal) system ( Scalability) can be obtained.

6 is a diagram illustrating an example of processing packet forwarding in a flow processing unit according to an embodiment of the present invention.

Referring to FIG. 6, a flow processing unit according to an embodiment of the present invention determines an input packet (In packet) and an output packet (Out packet) corresponding to the input packet as a single flow, and determines the determined flow. Signaling can be done by granting a session to.

7 is a diagram illustrating an example of processing a packet in the same session in a flow processing unit according to an embodiment of the present invention.

Referring to FIG. 7, when the Internet web servers X and Y are connected to the internal network hosts A and B, respectively, in the conventional scheme, as IRQs are divided into CPUs by NICs, A → X and X → A are different from each other. As handled by the CPU, synchronization is required to update the session table.

On the other hand, the flow processing unit according to an embodiment of the present invention maintains its own session, and packets in the same session generate interrupts to the same CPU, thereby eliminating the cost of session synchronization.

8 is a flowchart illustrating a sequence of a method for controlling a flow processing unit according to an embodiment of the present invention.

The flow processing unit control method according to an embodiment of the present invention may be implemented by the flow processing unit 500 shown in FIG. Hereinafter, in the description of FIG. 8, FIG. 8 will be described with reference to FIG. 5 described above to understand the invention.

In step 810, the flow processing unit 500 determines an input packet and an output packet corresponding to the input packet as a single flow. In step 820, the flow processing unit 500 establishes a session for the determined flow. Grant.

For example, the database 530 may record the session-specific session and the core information about the core in correspondence with each other, and the controller 510 obtains the core information from the input packet via the first port. The session recorded in correspondence with the acquired core information may be searched in the database 530, and the searched session may be assigned to a flow to which the input packet belongs.

In step 820, the flow processing unit 500 signals the flow in the core assigned to the session.

In one example, the processor 520 may allocate, among the plurality of cores, a core not assigned to the session or a core having the least amount of usage to the session.

In this case, the processor 520 may include a descriptor 540.

Here, the descriptor 540 may serve to designate a buffer in the core that stores the descriptive information regarding the input packet via the first port.

That is, the descriptor 540 may cause the processor 520 to acquire the descriptive information from the designated buffer when processing a signal for an output packet of a flow to which the input packet belongs.

For example, the flow processing unit 500 i) receives a packet from the MAC, ii) extracts 5-tuple information from the IP / TCP header, retrieves it from the existing session table, and iii) registers it in the session table if it is a new session. Allocate cores with low usage, iii) If there is an existing session table, obtain the core information pre-allocated for the session, iii) Allocate a packet buffer in the buffer pool, DMA transfer the packet to the buffer, and iv) By updating the contents of the ring descriptor and iii) generating an MSI / MSI-X interrupt to the core, the packet can be received and processed.

Therefore, according to an embodiment of the present invention, the server-based Unified Thread Management (UTM) platform, by processing the flow (units) rather than packets, it is possible to significantly improve the performance.

In addition, according to an embodiment of the present invention, by performing the packet forwarding process in the server-based hardware, there is no need for ISR processing for packet reception or packet transmission required for packet forwarding in the existing NIC card.

In addition, according to an embodiment of the present invention, by maintaining the session information in the packet it is possible to reduce the session synchronization operation in the host, accordingly, performance scalability according to the increase in the number of multi-core in the SMP (Security Management Portal) system ( Scalability) can be obtained.

Further, embodiments of the present invention include a computer readable medium having program instructions for performing various computer implemented operations. The computer readable medium may include program instructions, data files, data structures, etc. alone or in combination. Program instructions recorded on the media may be those specially designed and constructed for the purposes of the present invention, or they may be of the kind well-known and available to those having skill in the computer software arts. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tape, optical media such as CD-ROMs, DVDs, and magnetic disks, such as floppy disks. Magneto-optical media, and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.

As described above, the present invention has been described by specific embodiments such as specific components and the like. For those skilled in the art to which the present invention pertains, various modifications and variations are possible. Therefore, the spirit of the present invention should not be construed as being limited to the described embodiments, and all of the equivalents or equivalents of the claims, as well as the following claims, are included in the scope of the present invention.

500: flow processing unit
510: controller
520: processor
530: database
540: descriptor

Claims (10)

A controller for determining an input packet and an output packet corresponding to the input packet as a single flow and assigning a session to the determined flow; And
A processor that signals the flow in the core assigned to the session and a descriptor that specifies a buffer in the core that stores descriptive information about the input packet via the first port.
Flow processing unit comprising a. The method of claim 1,
The processor comprising:
And assign, among the plurality of cores, a core not assigned to a session or a core having the least amount of usage to the session. The method of claim 1,
Database that records the session-specific sessions and the core information on the cores in association with each other
Further comprising:
The controller,
A flow processing unit for acquiring core information from an input packet via a first port, retrieving a session recorded corresponding to the acquired core information from the database, and assigning the retrieved session to a flow to which the input packet belongs; . delete The method of claim 1,
The descriptor is,
And, when processing the signal for the output packet of the flow to which the input packet belongs, the processor to obtain the descriptive information from the designated buffer. A flow processing unit control method implemented by a flow processing unit,
Determining, at the flow processing unit, an input packet and an output packet corresponding to the input packet as a single flow;
At the flow processing unit, assigning a session to the determined flow;
At the flow processing unit, signal processing for the flow at a core assigned to the session; And
In the flow processing unit, specifying a buffer in the core that holds descriptive information about an input packet via a first port
Flow processing unit control method comprising a. The method of claim 6,
Signal processing for the flow,
Assigning, among the plurality of cores, a core not assigned to the session, or a core having the least usage, to the session
Comprising a flow processing unit control method. The method of claim 6,
In the flow processing unit, correlating a session granted for each flow with core information about the core and recording the same in a database;
Further comprising:
Granting a session for the determined flow,
Obtaining core information from an input packet via the first port;
Retrieving the recorded session from the database corresponding to the acquired core information; And
Assigning the retrieved session to a flow to which the input packet belongs
Comprising a flow processing unit control method. delete The method of claim 6,
In the flow processing unit, causing the descriptive information to be obtained from the designated buffer when processing a signal for an output packet of a flow to which the input packet belongs;
Further comprising a flow processing unit control method.

Images