KR101875093B1 - Performance Enhancing System for HTTPs Packet Analysis Processing - Google Patents

Abstract

The present invention is to provide a system for processing HTTPs packet analysis, which is able to simplify a processing process for packet recombination by excluding a kernel area in an HTTPs packet analysis module, and transmitting and receiving packets. The system comprises: a web server which can conduct HTTPs encoding communications; and an HTTPs security facility which is positioned between client terminals connected to the relevant web server. In addition, the HTTPs security facility includes a network interface card (NIC) which has a physical port for inputting and outputting incoming packets. The NIC checks port information of an incoming raw packet, checks the existence of HTTPs traffic according to ip/port rule, determines whether to drop or not the relevant packet, and directly delivers a received Rx/Tx packet to a user space for packet analysis without passing a kernel space from the physical port of the NIC. Therefore, the system for processing HTTPs packet analysis can minimize consumption of system resources (CPU/memory) required during an HTTPs analysis process, by removing a packet processing process conducted in a kernel space to be implemented in a user space.

Description

[0001] The present invention relates to an HTTPs packet processing method,

The present invention relates to an HTTPs packet analysis processing system for analyzing and processing a packet of HTTPs, which is a world wide web communication protocol, in which an HTTPs packet analysis module excludes a kernel area and transmits and receives a packet, simplifying and simplifying a process of a packet .

HTTP, a protocol for Web communications, is a protocol vulnerable to attack and sniffing by hackers. In order to protect the contents of the packet transmitted between the user and the server connected to the user for the secure web service, the encrypted HTTPs protocol is applied instead of the HTTP protocol which has been used.

By using HTTPs encryption communication, 1) TLS protocol is applied to prevent data sniffing (data encryption), 2) ensuring integrity of data to be transmitted and received (data integrity), and 3) Most websites use HTTPs protocol for security purposes because they have the effect of securing site reliability (site reliability).

As shown in FIG. 1, major homepages such as e-commerce companies, government / financial institutions, large corporations' homepages have already relieved the anxiety of security of general users by using HTTPs.

Meanwhile, according to the Internet Engineering Task Force (IETF) standardization organization, as shown in FIG. 2, homepages converted into HTTPs are displayed in the address book at the top of the browser so as to show a safety logo in the form of a green padlock So that it is possible to distinguish whether the web service used by the users is a secure site.

As the HTTPs homepage is widely used, the packet interception device or the packet analyzing device consumes a large amount of system resources for the encryption / decryption according to the HTTPs, so that the server resource consumption such as the CPU load / It increased several times more than when not in use.

In order to efficiently perform encryption / decryption of HTTPs traffic in a security device that handles packet analysis such as Firewall / IDS / IPS due to such load increase, a hardware performance improvement method and a software performance improvement method And to improve performance for packet analysis.

First, as a hardware performance improvement method, a special NIC (Network Interface Card) card equipped with a NPU (Network Processing Unit) is used to increase the packet analysis performance, And to develop it.

As shown in FIG. 3, in the case of performance enhancement from a hardware point of view, a basic packet processing method in an existing security device such as a firewall or an IDS / IPS, that is, a packet arriving at the ethernet port from the NIC card, And then the process of transferring the packet structure to the user space is performed while the memory allocation and the memory copying operation of the packet structure are performed through the packet processing in the kernel area. That is, the packet processing is a method of relying on the performance enhancement of a hardware device while maintaining the conventional method.

Next, from a software point of view, the performance enhancement method, unlike the hardware method, aims at improvement of the throughput and latency in the physical environment or network environment to be given, stack parallel processing / stack control flow management, header prediction, And the performance improvement of the protocol itself.

In the present invention, in the present invention, when the raw packet is processed, the main factors of the load of the existing system and the relative ratios of the loads are shown in Table 1 below You can organize.

Main factors of load generation in raw packet processing For UDP packets For TCP packets 시스템 회 About 50% About 20% Memory allocation About 30% About 60% Copy Memory About 10% About 10% Other About 10% About 10%

As shown in the above table, the TCP packet is designed to reduce 1) system calls (20% of the total load) or 2) reduce the time required for TCP memory allocation (60% of the total load) This can be a major improvement in performance improvement in packet analysis work.

(001) Korean Patent No. 10-1458231

The present invention provides an efficient S / W structure design system for raw packet analysis processing in order to reduce system load for analyzing HTTPs protocol, so that overhead I want to solve the problem.

1. Overhead due to TCP Host Stack (layer) movement after TCP segment creation

In the present invention, a packet transmitted from a memory buffer to a kernel space is used to encapsulate and decode Ethernet header / IP header information for TCP / IP connection in the Host Stack to all packet units (PDUs) unit), the NIC driver tries to solve the problem of over-allocation of system resources in order to change the packet structure received by the operating system into an understandable packet structure in order to forward the packet received in the kernel space to the upper layer.

2. Context Switching  Overhead caused by

Since the context switching operation for accessing the memory of the user area and the memory of the kernel area is repeated due to the system call (read / write function, etc.) called in the application of the user space To reduce the overhead caused by frequent switching between kernel / user space, it is necessary to reduce the waiting time and reduce the system load.

3. Improve memory copy ability / reduce copy count

The present invention is intended to increase the maximum number of packets that can be processed per second by reducing the memory usage, the number of memory accesses, and the like required for one device to process a packet.

According to an aspect of the present invention, there is provided an HTTPS security device located between a web server capable of HTTPs encryption communication and a client browser connected to the web server, The HTTPs security device is configured to include a User area and a NIC area, the NIC area including: a water report for inputting and outputting a packet reception and transmission; And a circular queue for storing received packets and transmission packets to be transmitted, wherein the User area comprises an encapsulator for performing packet processing, and an HTTPs packet analysis module including an encapsulator for performing packet processing, The packet processing refers to a process of reassembling or reconfiguring a packet by inserting and removing MAC, IP, and Header information according to the TCP / IP protocol for a transmission / reception packet.

Here, the encapsulator may include a packet assembling module for assemble the packets according to the order of the packets entered by the TCP / IP protocol; And a removal insertion module for removing or inserting MAC / IP / other Header information for use by the user application.

The HTTPs packet analysis module may further comprise a shared memory capable of storing packets received in the circular queue in the User area.

The circular queue also includes an Rx circular receive queue corresponding to a receipt report to transmit the received packet; And a Tx circular transmission queue corresponding to the transmission report to transmit the packet to be transmitted.

The circular queue may be managed by using an internal pointer that specifies the location of the received packet (incomming packet) and an external pointer that specifies the location of the outgoing packet.

Also, packet data transmission / reception of the circular queue may be performed in synchronization with a control signal using the '/ dev /' device file of the system.

The HTTPs packet analysis module may further comprise an IP / Port selection unit for discriminating the types of packets stored in the shared memory and selectively selecting only HTTPs packets.

The HTTPs packet analysis module may further comprise an IP / Port selection unit for determining the type of packets provided from the circular queue, selectively selecting only HTTPs packets, and providing the selected HTTPs packets to the shared memory.

The following effects can be expected in the HTTPs packet analysis processing system according to the present invention.

That is, in order to minimize the consumption of system resources (CPU / memory resources) consumed during the HTTPs analysis process, the packet processing process in the kernel space is omitted and the packet is analyzed / processed in the user space, Can be expected. For example, when data is transmitted at a rate of 10 Gigabit / s, a structure must be created and returned for more than one million packets per second. In this case, Work can be reduced, and the efficiency of raw packet processing is improved.

In addition, by storing the raw packet data in the shared memory area, it is possible to reduce the load due to the memory copy.

1 is an exemplary diagram illustrating an example of application of HTTPs protocol on a web page;
FIG. 2 is an exemplary diagram showing an example in which the HTTPs protocol is applied on a web page; FIG.
3 is a diagram illustrating an example of a packet analysis method by the HTTPs packet analysis processing system according to the related art.
4 is a flowchart showing a packet analysis method of the HTTPs packet analysis processing system according to the present invention.
5 is a block diagram showing a configuration of an HTTPs packet analysis processing system according to the present invention;
FIG. 6 is a conceptual diagram illustrating copying and encapsulator operations of Raw packets in the HTTPs packet analysis processing system according to the present invention. FIG.
7 is a conceptual diagram illustrating a process of sharing a shared memory of a NIC memory buffer and a user area in an HTTPs packet analysis processing system according to the present invention.

Hereinafter, an HTTPs packet analysis processing system according to a specific embodiment of the present invention will be described with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS The above and other objects, features and advantages of the present invention will be more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which: FIG. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Is provided to fully convey the scope of the invention to those skilled in the art, and the invention is only defined by the scope of the claims.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In the following description of the present invention, detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. , Which may vary depending on the intention or custom of the user, the operator, and the like. Therefore, the definition should be based on the contents throughout this specification.

Each block of the accompanying block diagrams and combinations of steps of the flowcharts may be performed by computer program instructions (execution engines), which may be stored in a general-purpose computer, special purpose computer, or other processor of a programmable data processing apparatus The instructions that are executed through the processor of the computer or other programmable data processing equipment will generate means for performing the functions described in each block or flowchart of the block diagram.

These computer program instructions may also be stored in a computer usable or computer readable memory capable of directing a computer or other programmable data processing apparatus to implement the functionality in a particular manner so that the computer usable or computer readable memory It is also possible for the instructions stored in the block diagram to produce an article of manufacture containing instruction means for performing the functions described in each block or flowchart of the flowchart.

And computer program instructions may be loaded onto a computer or other programmable data processing equipment so that a series of operating steps may be performed on a computer or other programmable data processing equipment to create a computer- It is also possible that the instructions that perform the data processing equipment provide the steps for executing the functions described in each block of the block diagram and at each step of the flowchart.

Also, each block or step may represent a portion of a module, segment, or code that includes one or more executable instructions for executing the specified logical functions, and in some alternative embodiments, It is also possible for functions to occur out of order.

That is, it is also possible that the two blocks or steps shown are actually concurrently performed, and that the blocks or steps are performed in the reverse order of the function as required.

The description of the HTTPs packet analysis processing system according to the present invention will be described in comparison with a standardized existing HTTPs packet analysis processing system for convenience and understanding.

4 is a flowchart illustrating a method of analyzing a packet in the HTTPs packet analysis processing system according to the present invention. FIG. 5 is a flowchart illustrating a method of analyzing a packet in the HTTPs packet analysis processing system according to the present invention. FIG. 6 is a conceptual diagram illustrating a copying and encapsulating operation of a raw packet in the HTTPs packet analysis processing system according to the present invention. FIG. FIG. 4 is a conceptual diagram illustrating a process of sharing a shared memory of the NIC memory buffer and the user area of the HTTPs packet analysis processing system. FIG.

As shown in FIG. 3, the HTTPs packet analysis processing system according to the related art includes an HTTPs security device 10, and the HTTPs security device 10 includes a client browser 50 and a web browser and an NIC 40 including an input / output report 44, which are located between the servers.

The client browser 50 typically transmits the encrypted packet to the web server using the encryption key of the web server certificate.

The HTTPs packet analysis module decodes the packet and analyzes the user request or web server response contents.

At this time, the analyzed contents are encrypted again and transmitted to a web server or a client browser.

Specifically, the packet processing process of the HTTPs packet analysis processing system according to the related art will be described. The HTTPs security device 10 receives the incoming com- munication packet 60 from the NIC card 40.

At this time, the raw packet received from the water report (eth0, 44) of the NIC card 40 is transferred to the kernel space 30 of the host area. Here, the Kernel STACK 32 performs a packet processing operation according to the TCP / IP protocol.

That is, in order to reassemble the packets based on the time and the session, the MAC / IP / other header information is deleted and inserted into the raw packet to reconstruct the raw packet.

Accordingly, the system call function (read / write) is repeatedly called to read or store the assembled packet in the user space and the kernel space, and system performance is degraded due to mode change (context switching).

Meanwhile, the reassembled packet is transmitted to the application 22 of the user space 20 to perform a normal packet encryption / decryption operation on the HTTPs packet.

In contrast, as shown in FIG. 4, the HTTPs packet analysis processing system according to the present invention includes an incomming packet 60 requesting the web server 300 from the external client browser 200 to include a water report 133 Lt; RTI ID = 0.0 > 130 < / RTI >

The incoming packet is delivered to the encapsulator (113) of the user space (110) without passing through the kernel space (120).

The encapsulator 113 is provided in the user space 110 to perform a packet processing operation.

That is, the encapsulator 113 performs MAC / IP / Header information inserting / removing operations on the raw packet, based on the TCP / IP protocol for the raw packet, and reassembles and reconfigures the raw packet .

As described above, since the packet processing process is changed in the use space 110, the system call function (read / write) is repeated to avoid a portion where overhead has occurred.

5, the HTTPs packet analysis processing system according to the present invention includes HTTPs security (HTTPS) security processing between the client browser 200 and the web server 300, Equipment 100, and the HTTPs security appliance 100 may be configured on a network including an inline proxy method or a packet mirroring method.

That is, the packet requested by the client browser 200 is transmitted to the web server 300 through the HTTPS security device 100. At this time, the HTTPs security device 100 includes a NIC (Network Interface Card) 130 including a physical Ethernet port and other devices (hardware devices such as a power supply device and a graphic card) .

The HTTPs security device 100 according to the present invention is a general-purpose server driven through its own operating system (OS) and has a HTTPs packet analysis function as its main function.

At this time, the packet analysis function provided by the HTTPs security device 100 includes both the NIC 130 and the application programs of the OS and the User space through the user space 110 and the device space .

The HTTPs packet analyzing apparatus 100 referred to in the present invention includes an HTTPs packet analyzing module 117 in the user area 110. The HTTPs packet analyzing module 117 analyzes the insertion / An IP / port selector 115 and a shared memory 140 for selecting packets according to an IP / port rule.

The NIC area 130 is an area including hardware and software having a water report, a driver, a buffer structure, and a buffer memory for packet reception, and refers to an area related to packet reception among areas excluding the Host area.

The NIC area 130 includes an Rx circular reception queue 135A corresponding to the Ethernet reception port and a Tx circular transmission queue 135B corresponding to the Ethernet transmission port. The device file corresponding to the physical device For example, / Dev / HSdevice), a device file manager is responsible for synchronizing packet processing such as raw packet transmission and reception through a control command.

When an incomming packet 60 is received from the client browser 200 into the HTTPS security device 100, a packet flow is described. A packet received via the water report 133 is transmitted to the Rx circular reception queue 135A And the raw packet stored in the circular buffer is stored in the shared memory area 140 shared with the user area.

Then, the stored raw packet data is subjected to deletion of MAC / IP / other header information in order to reassemble the packet based on the time and the session based on the TCP / IP protocol in the receiving capsulator 113 And reconstructs the raw packet.

5, the capsulator 113 includes a packet assembling module 113A for assembling packets according to the TCP / IP protocol in order and a user application program And a removal insertion module 113B for removing or inserting MAC / IP / other Header information so that the MAC / IP / other header information is removed.

The reassembled packets in the user area 110 are transmitted to the IP / Port selector 115 again. If the packets are not HTTPs packets (generally 443 ports), the IP / It is dropped (packet drop).

Only the packets identified as the 443 port (HTTPs packet) are reassembled and transferred to the user application program 111 (physically referring to the HTTPs packet analysis module 117) to undergo decryption / packet analysis / encryption.

After the HTTPS packet analysis module 117 analyzes the packet, the encrypted packet is transmitted to the capsulator 113 for insertion of the MAC / IP / other header information, and the packet processing operation according to the TCP / IP protocol is performed.

Then, the corresponding packet is stored in the shared memory 140, and the transmission queue 135B of the NIC area 130 directly transmits the outgoing packet 70 (70) to the web server 300 via the water report (eth02, 133B) ).

Hereinafter, with reference to FIG. 6, a description will be given of a packet process when a packet is received from the NIC 130. FIG.

The NIC card 130 includes circular circles 135A and 135B for transmission and reception in addition to the water reports Eth0 133A and Eth1 133B and the circular queue 135 uses an internal pointer and an external pointer And manages the received packet and the transmitted packet, respectively.

When all the packets received in the circular queue 135 are transmitted, the positions of the received internal pointers and the transmitted external pointers are the same, and the circular queue is in a state of waiting for the received packets.

Meanwhile, in the user area 110, the shared memory area for storing the received packet and the shared memory area for storing the transmitted packet are physically divided into the Rx area (receiving part) and the Tx area (transmitting part), respectively .

The encapsulator 113 is divided into a de-capsulator (removal module) and an en-capsulator (insertion module). The encapsulator 113 performs a packet processing operation according to the TCP / IP protocol, In order to reassemble the packet based on the criteria, the MAC / IP / other header information is deleted and inserted, and the reconstruction work of the raw packet is performed.

Next, the structure and operation of the circular queue 135 of the NIC card 130 will be described with reference to FIG. 7. The packet 60 received from the external data report is transmitted to the slots # 1, # 2, # 3, # 4, # 5 ...).

Since the receiving circular queue 135A performs packet reception and transmission in the same packet buffer, it manages it using an internal pointer and an external pointer.

That is, the received raw packet loads the raw packet into the receiving circular queue 135A using the internal pointer, and transmits the loaded raw packet to the shared memory area 140 using the external pointer.

At this time, the data transmission structure of the queue buffer that defines the packet data to be stored includes an array structure having pointer information / offset information / IP, MAC, and other header information / packet length information / payload information for each slot of the circular queue 135 )to be.

The packet structure data defined in the data transmission structure is stored in the same structure format in the shared memory area 140. The capsulator 113 of the user area 110 carries out a packet processing operation according to the TCP / IP protocol. The type defined in the data receiving structure is the same as that of the data transmitting structure, Only the point information that represents it may have different information.

The present invention can be easily applied to general-purpose equipment without depending on hardware or driver of a specific specification, and minimizes the work in the host area (kernel space + user space) where packet processing processing is performed. The memory allocation and operation of the NIC can be eliminated. The NIC buffer memory area and the User memory area can be simplified by simplifying the process of copying and transferring the memory, and the memory allocation for the encapsulation / decapsulation operations in the kernel space And the copying process can be simplified, thereby reducing the overhead required for packet analysis processing.

That is, in the present invention, by changing the packet flow path, the performance of the HTTPs security device can be improved.

Specifically, the present invention performs a packet processing operation according to a TCP / IP protocol in a user area, not in a kernel area. Accordingly, in order to assemble the raw packets, the MAC / IP / other header information insertion and deletion operations are performed on the raw packets, and the reassembling and reconfiguration process of the raw packets is performed.

By performing the operation in the user space, externally incoming packets bypass the existing kernel space and are directly transmitted to the user space, thereby reducing the load on the related packet operations, thereby contributing to the performance improvement of the HTTPs security equipment.

Also, in the present invention, it is possible to contribute to the performance improvement of HTTPs security equipment by using memory mapped packet data.

Specifically, the present invention designates a shared memory of the User area to 1) store the received raw packet and directly use the user application program, or 2) store the data generated by the application of the user area in the shared memory area , And it can contribute to the performance improvement of HTTPs security equipment by simplifying the packet copying process by allowing it to be drawn out through the water report.

In addition, when sending and receiving raw packets to a water report, control signals are input by using the device file (/ dev /) of the system to load the packets in the shared memory, Increase the efficiency of packet processing.

That is, the device devices exist under the directory "/ dev" on the file system, and this is an abstraction of actual hardware. In the present invention, the use of these character device files to control raw packet data use.

It is to be understood that the invention is not limited to the disclosed embodiment, but is capable of many modifications and variations within the scope of the appended claims. It is self-evident.

For example, the IP / Port selection unit according to the present invention is provided between the circular queue and the shared memory to discriminate the types of packets provided from the circular queue, selectively select only HTTPs packets and provide them to the shared memory .

 In this case, only packets other than the HTTPs packet are selected and shared in the shared memory, so that the load on the shared memory can be further reduced.

The present invention provides an HTTPs packet analysis processing system that excludes a kernel region in a HTTPs packet analysis module and transmits and receives a packet to simplify and simplify a processing procedure of a packet. According to the present invention, In order to minimize the consumption of the CPU / memory, the packet processing process in the kernel space is simplified and implemented in the user space, thereby improving the performance related to the packet processing.

100: HTTPs packet analysis security device 110: User area
111: Application 113: Capsulator
113A: Packet assembling module 113B: Removing insertion module
115: IP / PORT selection unit 117: HTTPs packet analysis module
120: Kernel area 130: NIC area
131: NIC card 133: water report
135: circular queue 140: shared memory
200: client browser 300: web server
60: received packet 70: transmitted packet

Claims (6)

And an HTTPs security device located between a web server capable of HTTPs encryption communication and a client browser connected to the web server,
The HTTPs security device includes a User area and a NIC area,
Wherein the NIC area comprises:
A water report for inputting and outputting a packet reception and transmission;
And a circular queue for storing a reception packet and a transmission packet to be directly transmitted and received to the User area,
The " User "
And an HTTPs packet analysis module configured with an encapsulator for performing packet processing, the packet analysis module comprising:
The packet processing includes:
The process of reassembling or reconfiguring a packet by inserting and removing MAC, IP, and Header information according to the TCP / IP protocol for a transmission / reception packet,
Wherein the encapsulator comprises:
A packet assembling module for assembling packets according to the order of the packets received by the TCP / IP protocol;
It consists of an Uninstall Insert module that removes or inserts MAC / IP / Other Header information for your application to take advantage of:
The HTTPs packet analysis module,
A shared memory for storing packets received in the circular queue in the User area;
And an IP / Port selection unit for discriminating the type of packets stored in the shared memory and selectively selecting only HTTPs packets.
delete delete The method according to claim 1,
The circular queue includes:
An Rx circular receive queue corresponding to a receipt report to transmit a received packet;
And a Tx circular transmission queue corresponding to a transmission report to transmit a packet to be transmitted.
5. The method of claim 4,
The circular queue includes:
Wherein the transmission / reception packet is managed using an internal pointer that designates a location of a received packet and an external pointer that designates a location of the transmitted packet.
6. The method of claim 5,
Wherein the packet data transmission /
The device is synchronized with a control signal using the '/ dev /' device file of the system.

Images