Similar literature
19 similar documents found
1.
As network security technology develops, more and more network security protocols appear, and network forwarding devices must support them. Because the programmable data plane is protocol-independent, it allows security protocols to be deployed quickly. However, current programmable data planes suffer from repeated packet-header parsing, exclusive occupation of the data plane, and difficulty in implementing cryptographic algorithms. To address these problems, this paper proposes a virtualized programmable data plane for security protocols (VCP4). It introduces a descriptor header to reduce the number of header-parsing passes and improve parsing efficiency. A control-flow queue generator and a dynamic mapping table virtualize the programmable data plane, isolating the data planes of multiple tenants and resolving the exclusive-occupation problem. Cryptographic-algorithm primitives are added to the VCP4 language compiler so that cryptographic algorithms can be reused. Finally, VCP4 is evaluated experimentally for resource utilization, virtualization performance, and security-protocol performance; the results show that it delivers the intended functionality with a small performance loss and reduces code size by 50%.

2.
Virtual network security is an important part of cloud computing security. To keep virtual network traffic controllable and secure, this paper proposes a secure virtual network solution based on the Ethsec encryption and compression technique. The solution comprises a virtualization security layer, a virtualized security switch, a secure virtual network management platform, and a secure virtual network key distribution system. Using the proposed Ethsec technique together with the Chinese commercial cryptographic algorithms SM2 and SM4, the Ethernet MAC frames of virtual machines are compressed and decrypted, so that the virtualized security switch can monitor and analyze all virtual network traffic.

3.
In software-defined networking, the programming capability provided by the programmable data plane is the cornerstone of network function virtualization. The core of programmable data plane technology is programmability together with packet-processing performance. Starting from data plane programmability, this paper first examines the packet-processing abstractions of existing data planes. It then introduces the target platforms on which data planes are implemented and the main flow-table algorithms used on each platform, discussing existing data plane technologies in detail. Finally, it discusses the key challenges facing high-performance data plane technology.

4.
Future Internet architectures, protocols, and algorithms need to be evaluated and verified in experimental networks. The programmable virtualized router is the core device for building a future Internet testbed. A testbed built from programmable virtualized routers can construct multiple independent virtual networks on one physical network, enabling parallel experimental verification of different architectures. Compared with traditional routers, a programmable virtualized router must be both virtualized and flexibly programmable. This paper presents PEARL, a programmable virtualized router platform that supports future network innovation. PEARL is programmable, provides virtualization isolation, and delivers high performance, meeting the requirements for building future Internet testbeds.

5.
An SDN programmable data plane with coupled parsing and execution (cited by: 1; self-citations: 0; citations by others: 1)
孙鹏浩, 兰巨龙, 胡宇翔, 段通. 《电子学报》 (Acta Electronica Sinica), 2017, 45(5): 1103-1108
Internet technology is developing rapidly and new network protocols keep appearing, so network forwarding devices must support new protocols promptly. At present, software-defined networking still faces many difficulties in balancing programmable protocol parsing against forwarding performance. This paper proposes a programmable data plane based on a coupled parsing-and-execution structure (CLIPE). By deploying user-definable modules on the hardware parser, the protocol multiway tree in the hardware parsing logic can be updated in real time, making protocol parsing user-customizable. Moreover, the novel structure that couples the parser with the action executor reduces redundancy in the processing architecture, lowering action-execution latency and improving hardware resource utilization; compared with existing schemes, it saves 11% of logic resources and 24% of BRAM resources. Finally, a prototype of the scheme is implemented on a NetFPGA-10G board.

6.
Traditional network devices are rigid and depend on physical infrastructure, so they struggle to meet the needs of intelligent networks. To make networks more intelligent and open up network programmability, software-defined networking and the programmable data plane emerged. This paper introduces software-defined networking, the programmable data plane, and their corresponding southbound protocols, covering the OpenFlow protocol and its problems as well as the advantages of the P4Runtime protocol. A network simulation is then built with Mininet to verify the advantages of P4Runtime. The simulation shows that, on top of a protocol-independent programmable data plane, P4Runtime as the southbound protocol between the control plane and the data plane offers two Python-based ways of installing flow tables, interactive and scripted, which are more flexible and extensible than the traditional SDN way of installing flow tables and make unified network management easier for administrators. This provides a new control and management scheme for application scenarios such as operators and data centers.

7.
张岩, 兰巨龙, 胡宇翔, 王鹏, 段通. 《电子学报》 (Acta Electronica Sinica), 2016, 44(4): 988-994
The traditional rigid, monolithic routing mechanism can no longer meet the diverse service demands of the future or the experimentation and deployment of new network architectures. To address this, based on the idea of adapting routing functions to service requirements, this paper proposes a polymorphic routing model and designs and implements a polymorphic routing prototype system. Using virtualization technology and a flexibly programmable data plane structure, the system allows multiple routing protocols to coexist in homogeneous and heterogeneous networks, supports personalized customization of routing protocols based on routing service descriptions, and performs multi-table selection, lookup, and forwarding in the data plane. Finally, the polymorphic routing prototype is designed and implemented on the NetFPGA-10G platform. Compared with existing routing experimental systems, the polymorphic routing system customizes routing protocols and lets heterogeneous networks coexist while better guaranteeing quality of service, with a higher forwarding rate and better scalability.

8.
The network data plane performs packet processing and forwarding and is one of the decisive factors in network performance. High-bandwidth, low-latency, continuously evolvable network infrastructure requires an efficient, programmable network data plane. This paper first introduces the packet processing and forwarding model and, on that basis, outlines the key challenges the network data plane faces in performance and programmability. It then discusses in detail the basic ideas and key technical advances in packet lookup algorithm theory and software/hardware co-design mechanisms that address those challenges. Finally, it discusses future development trends and the technical evolution path of the efficient programmable data plane.

9.
With the rapid development of communication networks, network function virtualization, which decouples the hardware and software of network element devices, has emerged. This paper first introduces the background and architecture of network function virtualization, then analyzes the network security problems it introduces, and finally gives recommendations for addressing those security problems, pointing out research directions for future network function virtualization security work.

10.
Considering the network characteristics and requirements of the current VMware virtualization platform, this paper analyzes the virtual switch network of the VMware virtualization platform from the two perspectives of network security and network performance, discussing virtual host functional classification, network security, network planning, and network performance load balancing. Taking into account the physical servers with different numbers of network ports commonly available on the market, it applies three types of virtualized load-balancing technique to optimize network performance while maintaining security, and gives a network security solution and a network link aggregation scheme for the security and performance of current virtualization networks.

11.
Aiming at the application of mimic arbitration, a programmable semantic parsing approach for mimic arbitration is proposed. Based on the idea of a matching lookup table, this method achieves custom protocol parsing through domain pointer configuration and solves the problem of programmable protocol parsing for different protocols. By adopting a pipeline control method, congestion-free protocol parsing is guaranteed and parsing performance is improved. By introducing a hash operation, the semantic reordering design for sub-packets is simplified. Performance analysis shows that this approach offers highly flexible protocol parsing, high processing capacity, and low resource utilization.

12.
As network functions keep expanding and new network protocols keep emerging, the packets of these protocols carry new format definitions, and network devices must support the corresponding parsing and lookup. The flow-table-based forwarding design of software-defined networking (SDN) simplifies network innovation, but it still struggles to support programmable parsing and processing of arbitrary protocols. This paper jointly considers packet parsing and lookup and proposes a packet-lookup hardware architecture that supports flexible protocol customization: through bit-granularity parsing and a lookup process based on meta-operations, arbitrary protocols can be processed on the hardware architecture. In addition, it proposes a multiway-tree-based mapping algorithm for this architecture that maps user-customized protocols onto the hardware processing pipeline and lookup tables. Deployment on a real FPGA verifies that the architecture supports flexible customization of multiple protocols, reaches a hardware processing rate of 390 Gbps, and uses noticeably fewer hardware resources than existing schemes. The architecture is significant for the data plane design of future software-defined networks.

13.
A novel wireless local area network (WLAN) security processor is described in this paper. It is designed to offload security encapsulation processing from the host microprocessor in an IEEE 802.11i compliant medium access control layer to a programmable hardware accelerator. The unique design, which comprises dedicated cryptographic instructions and hardware coprocessors, is capable of performing wired equivalent privacy, temporal key integrity protocol, counter mode with cipher block chaining message authentication code protocol, and wireless robust authentication protocol. Existing solutions to wireless security have been implemented on hardware devices and target specific WLAN protocols, whereas the programmable security processor proposed in this paper supports all WLAN protocols and thus offers backwards compatibility as well as future upgradeability as standards evolve. It provides this additional functionality while still achieving throughput rates equivalent to existing architectures.

14.
In parsing text-encoded network protocols, traditional solutions struggle to satisfy the requirements of both speed and flexibility. Targeting the grammatical characteristics of Augmented Backus-Naur Form (ABNF), this paper proposes a new instruction set and architecture for a programmable processor to meet the joint speed and flexibility requirements of network processing. The scheme is verified on a programmable logic device (FPGA), and the experimental results show that the processor has clear advantages in implementation area, processing speed, and flexibility.

15.
16.
With the emergence of resource-rich sensor nodes, the concept of WSN virtualization is gaining increasing attention from the research community and industry. One approach to WSN virtualization is to exploit the capabilities of individual sensor nodes to execute tasks of multiple applications concurrently. In this paper, we consider the problem of task allocation in software-defined WSNs (SD-WSNs), which are distinguished by a centralized control plane and a programmable data plane. We extend our previous work on this topic, where we proposed a control algorithm that determines the suitability of a sensor node for task allocation based on the active routing paths and residual energy in the network. The availability of such information is easily justified in SD-WSNs. Through extensive simulations, the performance of this strategy has been evaluated and compared with two conventional task allocation approaches, which assume traditional minimum-hop routing. In addition, we analysed the performance of a simpler software-defined-networking-based approach, which performs resource allocation by considering only the residual energy in the network. The obtained results demonstrate the benefits of the SD-WSN architecture for virtualization efficiency, and clarify the improvements achieved by correlating routing and task allocation decisions.

17.
Data self-destruction technique based on two P2P protocols (cited by: 1; self-citations: 0; citations by others: 1)
With the rise of Internet applications such as cloud computing, more and more personal data is stored on the network, and its security faces great challenges; traditional data encryption sometimes cannot destroy encryption keys in time, which is a security risk. To address the security of personal network data, this paper uses the Chord and Kademlia P2P protocols to design a self-destruction protocol for personal application data, exploiting the inherent churn of P2P protocols to destroy personal network data automatically. The OMNEST simulation software is used to analyze the self-destruction performance of the two protocols, and the simulation results show that data self-destruction based on the Kademlia protocol performs better.

18.
Byzantine agreement requires a set of parties in a distributed system to agree on a value even if some parties are maliciously misbehaving. A new protocol for Byzantine agreement in a completely asynchronous network is presented that makes use of new cryptographic protocols, specifically protocols for threshold signatures and coin-tossing. These cryptographic protocols have practical and provably secure implementations in the random oracle model. In particular, a coin-tossing protocol based on the Diffie-Hellman problem is presented and analyzed. The resulting asynchronous Byzantine agreement protocol is both practical and theoretically optimal because it tolerates the maximum number of corrupted parties, runs in constant expected rounds, has message and communication complexity close to the optimum, and uses a trusted dealer only once in a setup phase, after which it can process a virtually unlimited number of transactions. The protocol is formulated as a transaction processing service in a cryptographic security model, which differs from the standard information-theoretic formalization and may be of independent interest.

19.
Telecommunication providers continuously evolve their network infrastructure by increasing performance, lowering time to market, providing new services, and reducing the cost of the infrastructure and its operation. Network function virtualization (NFV) on commodity hardware offers an attractive, low-cost platform to establish innovations much faster than with purpose-built hardware products. Unfortunately, implementing NFV on commodity processors does not match the performance requirements of the high-throughput data plane components in large carrier access networks. Therefore, programmable hardware architectures like field programmable gate arrays (FPGAs), network processors, and switch silicon supporting the flexibility of the P4 language offer a promising way to satisfy both the performance requirements and the demand to quickly introduce innovations into networks. In this article, we propose a way to offer residential network access with programmable packet processing architectures. On the basis of the highly flexible P4 programming language, we present a design and open source implementation of a broadband network gateway (BNG) data plane that meets the challenging demands of BNGs in carrier-grade environments. In addition, we introduce a hybrid openBNG design that realizes the required hierarchical quality of service (HQoS) functionality in a subsequent FPGA. The evaluation results show the desired performance characteristics, and our proposed design together with upcoming P4 hardware can offer a giant leap towards highest-performance NFV network access.
