
Graduate student: 陳茂森 (Chen, Mou-Sen)
Title: 以早期封包丟棄方式來提升高流量伺服器之效能
Using Early Discard Approaches to Boost High-traffic Server Performance
Advisor: 楊竹星 (Yang, Chu-Sing)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering
Year of publication: 2010
Academic year of graduation: 98 (ROC calendar, i.e. the 2009-2010 academic year)
Language: English
Pages: 76
Keywords: Early discard, Firewall, Linux kernel, NetFPGA, Offloading technique
Keywords (Chinese): 早期封包丟棄, 防火牆, Linux 核心, 可程式化網路晶片, 卸載技術
Abstract:
With the growth of Internet bandwidth and network chip technology, most network-intensive application systems, such as web servers and real-time streaming servers, are now equipped with Gigabit Ethernet NICs (network interface cards). Even though the NIC supports Gigabit bandwidth, the upper-layer network applications cannot keep up with the NIC's receive rate or the kernel's processing rate. That is, large numbers of packets enter the host kernel only to be dropped because no kernel buffer is available. In addition, most servers also run a firewall to filter malicious traffic and attack packets. A software-based firewall, however, shares the CPU with the network applications: as the number of firewall rules and incoming packets grows, a network-intensive system spends much of its time handling NIC interrupts and filtering attack packets, and the performance of the network applications declines.

To address this shortfall in network application performance, this thesis proposes early-discard approaches to boost the performance of high-traffic servers, in the form of two schemes: an adaptive packet reception mechanism and an offloading firewall. The adaptive packet reception mechanism, built on the Linux NAPI (New API) scheme, detects the traffic load dynamically and discards overload packets early, so that more system resources are reserved for the network applications. The offloading firewall is implemented on the NetFPGA platform and filters attack packets early and at high speed, isolating application traffic from attack traffic so that the latter cannot degrade the former.
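To make the first scheme concrete, the following is an added simulation, written for this page and not code from the thesis, of the problem the abstract describes (receive livelock: the kernel spends all its CPU delivering packets that the full socket queue then discards, so the application never runs) and of an adaptive early-discard policy of the kind described: the socket-layer loss rate is profiled over a fixed interval, and when it crosses a threshold the poll handler stops taking packets from the NIC ring early, leaving them to be discarded by hardware at no CPU cost. Everything numeric here is a constructed assumption (CPU work units per packet, queue capacity, thresholds, the per-tick limit in high-traffic mode), as is the rule for leaving high-traffic mode, which additionally requires that the NIC ring did not overflow during the interval, a signal a real driver would take from the NIC's missed-packet counter.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model parameters: constructed for illustration, not measured values from the thesis. */
#define CPU_BUDGET        100   /* CPU work units available per tick                            */
#define KERNEL_COST         2   /* units of protocol processing per packet handed up by the driver */
#define APP_COST            5   /* units the application spends to consume one packet           */
#define SOCK_QUEUE_CAP     50   /* socket receive-queue capacity, in packets                    */
#define HIGH_MODE_LIMIT    10   /* packets the poll handler passes up per tick in high-traffic mode */
#define PROFILE_INTERVAL   10   /* ticks between evaluations of the socket-layer loss rate      */
#define HIGH_THRESHOLD   0.10   /* loss rate above which high-traffic mode is entered           */
#define LOW_THRESHOLD    0.01   /* loss rate below which low-traffic mode may be restored       */

typedef struct {
    long goodput;            /* packets the application actually consumed                        */
    long sock_drops;         /* packets fully processed by the kernel, then dropped at the full socket queue */
    long ring_drops;         /* packets never taken from the NIC ring (discarded before any protocol work) */
    int  ticks_in_high_mode;
} sim_result;

/*
 * One tick: the poll handler runs first (the softirq has priority over the
 * application), protocol processing charges KERNEL_COST per packet, and the
 * application gets whatever CPU is left. With `adaptive` set, every
 * PROFILE_INTERVAL ticks the socket-layer loss rate decides the mode.
 */
static sim_result simulate(int arrivals_per_tick, int ticks, bool adaptive)
{
    sim_result r = {0, 0, 0, 0};
    int queue = 0;            /* packets waiting in the socket receive queue */
    bool high_mode = false;
    long ival_processed = 0, ival_sock_drops = 0, ival_ring_drops = 0;

    for (int t = 1; t <= ticks; t++) {
        int cpu = CPU_BUDGET;

        /* Low-traffic mode: hand up as many packets as the CPU can process.
         * High-traffic mode: stop early; what stays in the ring is overwritten
         * by the NIC at zero CPU cost (this is the early discard). */
        int limit = cpu / KERNEL_COST;
        if (high_mode && HIGH_MODE_LIMIT < limit)
            limit = HIGH_MODE_LIMIT;
        int processed = arrivals_per_tick < limit ? arrivals_per_tick : limit;
        int ring_dropped = arrivals_per_tick - processed;
        cpu -= processed * KERNEL_COST;

        /* Protocol processing is already paid for; the socket queue now either
         * accepts the packet or drops it (the expensive kind of loss). */
        int room = SOCK_QUEUE_CAP - queue;
        int enqueued = processed < room ? processed : room;
        int sock_dropped = processed - enqueued;
        queue += enqueued;

        /* The application consumes from the queue with the remaining CPU. */
        int can_consume = cpu / APP_COST;
        int consumed = queue < can_consume ? queue : can_consume;
        queue -= consumed;

        r.goodput    += consumed;
        r.sock_drops += sock_dropped;
        r.ring_drops += ring_dropped;
        if (high_mode)
            r.ticks_in_high_mode++;

        ival_processed  += processed;
        ival_sock_drops += sock_dropped;
        ival_ring_drops += ring_dropped;

        if (adaptive && t % PROFILE_INTERVAL == 0) {
            double loss = ival_processed ? (double)ival_sock_drops / ival_processed : 0.0;
            if (!high_mode && loss > HIGH_THRESHOLD) {
                high_mode = true;
            } else if (high_mode && loss < LOW_THRESHOLD && ival_ring_drops == 0) {
                /* Assumption: leave high-traffic mode only if the ring did not
                 * overflow during the interval. A low loss rate alone just means
                 * the throttle is working; switching back on it would make the
                 * receiver oscillate between the two modes. */
                high_mode = false;
            }
            ival_processed = ival_sock_drops = ival_ring_drops = 0;
        }
    }
    return r;
}

int main(void)
{
    const int rates[] = {5, 20, 60};   /* light, moderate and overload arrival rates (constructed) */
    for (size_t i = 0; i < sizeof rates / sizeof rates[0]; i++) {
        sim_result naive = simulate(rates[i], 100, false);
        sim_result adapt = simulate(rates[i], 100, true);
        printf("rate %2d/tick: naive goodput %4ld (sock drops %4ld) | adaptive goodput %4ld "
               "(sock drops %4ld, ring drops %4ld, high-mode ticks %d)\n",
               rates[i], naive.goodput, naive.sock_drops,
               adapt.goodput, adapt.sock_drops, adapt.ring_drops, adapt.ticks_in_high_mode);
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall sim.c`. At 60 packets per tick the unthrottled receiver is livelocked: it processes 50 packets per tick, the socket queue discards all of them after the first tick, and the application never gets the CPU, so goodput over 100 ticks is 0. The adaptive receiver observes a 90% socket-layer loss rate after the first profiling interval, enters high-traffic mode, and from then on the application consumes 10 packets per tick (940 in total), with the excess discarded in the ring rather than after protocol processing. At 5 packets per tick the two are identical. The 20-per-tick case is the caveat: a constant HIGH_MODE_LIMIT throttles harder than needed there (1058 packets against 1200 for the unthrottled receiver), which is why a real implementation has to derive the limit from the measured load rather than from a fixed constant.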

Table of contents:
Chapter 1 Introduction
  1.1 Motivation
  1.2 Problem Statements
  1.3 Early-Discard Approaches
    1.3.1 Introduction to adaptive packet reception mechanism
    1.3.2 Introduction to offloading firewall
Chapter 2 Related Work
  2.1 Packet Reception Mechanism
    2.1.1 Packet reception flow
    2.1.2 High-speed NIC driver design
    2.1.3 Related research on eliminating receive livelock
      2.1.3.1 Interrupt moderation mechanism
      2.1.3.2 NAPI (New API)
      2.1.3.3 Small-budget NAPI
      2.1.3.4 LRP (Lazy Receiver Processing)
      2.1.3.5 Discussion
    2.1.4 Packet reception mechanism in the Linux kernel
      2.1.4.1 The problems of the packet reception mechanism in the Linux kernel
  2.2 Netfilter Framework
    2.2.1 Five hooks in the Netfilter Framework
    2.2.2 IPTables utilities & Netlink socket
    2.2.3 Problems of software-based firewalls
  2.3 NetFPGA
    2.3.1 Hardware components in NetFPGA
    2.3.2 Reusable pipeline design
      2.3.2.1 Packet bus protocol
      2.3.2.2 Register bus protocol
    2.3.3 Related research using FPGAs
      2.3.3.1 NIPS acceleration system - Shunt
      2.3.3.2 NIDS acceleration system - Snort Offloader
      2.3.3.3 Network-management acceleration system - AtoZ
    2.3.4 Related research using network processors
  2.4 Early Discard Techniques
Chapter 3 Adaptive Packet Reception Mechanism
  3.1 Design Principles
  3.2 Prototyping Design and Implementation
    3.2.1 Limiting kernel protocol processing in high traffic
    3.2.2 Adaptive reception scheme in high-traffic mode and low-traffic mode
    3.2.3 Cross-layer approach
    3.2.4 Loading prediction mechanism
      3.2.4.1 Evaluation of socket-layer packet loss rate
      3.2.4.2 Time interval for profiling the socket-layer packet loss rate
    3.2.5 Switching mechanism
Chapter 4 Design & Implementation of an Offloading Firewall
  4.1 Offloading Firewall Design Concept
  4.2 System Architecture
    4.2.1 NF2 driver
    4.2.2 NetfilterOffloader driver (NFO driver)
    4.2.3 IPTables utilities
    4.2.4 Linux Netfilter firewall
  4.3 Multi-level Traffic Classification Technique
  4.4 Packet Processing Flow in NetFPGA
    4.4.1 Extract stage
    4.4.2 Lookup stage
    4.4.3 Process stage
    4.4.4 Output stage
  4.5 Hardware Data Path
    4.5.1 Packet bus in NetfilterOffloader output port lookup
    4.5.2 Register bus in NetfilterOffloader output port lookup
  4.6 Hardware Verification
    4.6.1 Simulation test
    4.6.2 Regression test
Chapter 5 Performance Evaluation
  5.1 Performance Results of Adaptive Packet Reception Mechanism
    5.1.1 Experimental Setup
    5.1.2 Experimental Results
      5.1.2.1 Performance evaluation of limiting kernel protocol processing in high traffic
        5.1.2.1.1 Throughput and packet loss rate
        5.1.2.1.2 Interrupt and softirq rates
        5.1.2.1.3 Interrupt-context and process-context softirq rates
      5.1.2.2 Performance evaluation of adaptive switching mechanism
  5.2 Performance Results of Offloading Firewall
    5.2.1 Experimental setup
    5.2.2 Experimental results
      5.2.2.1 Increasing the HTTP connection rate
      5.2.2.2 Increasing the ping flood rate
Chapter 6 Conclusion
Chapter 7 Future Work
References
Biography


Full text availability: on campus from 2020-12-31; off campus from 2020-12-31