CN102104544B - Order preserving method for fragmented message flow in IP (Internet Protocol) tunnel of multi-nuclear processor with accelerated hardware - Google Patents
Order preserving method for fragmented message flow in IP (Internet Protocol) tunnel of multi-nuclear processor with accelerated hardware Download PDFInfo
- Publication number
- CN102104544B CN102104544B CN2011100264877A CN201110026487A CN102104544B CN 102104544 B CN102104544 B CN 102104544B CN 2011100264877 A CN2011100264877 A CN 2011100264877A CN 201110026487 A CN201110026487 A CN 201110026487A CN 102104544 B CN102104544 B CN 102104544B
- Authority
- CN
- China
- Prior art keywords
- message
- processor
- tunnel
- processing engine
- tcp
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 title claims abstract description 16
- 238000012545 processing Methods 0.000 claims abstract description 62
- 239000012634 fragment Substances 0.000 claims description 28
- 230000008521 reorganization Effects 0.000 claims description 10
- 238000000605 extraction Methods 0.000 claims description 6
- 230000008569 process Effects 0.000 claims description 5
- 230000007717 exclusion Effects 0.000 abstract description 5
- 230000005540 biological transmission Effects 0.000 abstract description 2
- 238000005516 engineering process Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 238000013507 mapping Methods 0.000 description 3
- 238000013461 design Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 238000013467 fragmentation Methods 0.000 description 2
- 238000006062 fragmentation reaction Methods 0.000 description 2
- 239000000203 mixture Substances 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 241000331006 Euchaeta media Species 0.000 description 1
- 230000001133 acceleration Effects 0.000 description 1
- 239000000654 additive Substances 0.000 description 1
- 230000000996 additive effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005538 encapsulation Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000009897 systematic effect Effects 0.000 description 1
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to an order preserving method for a fragmented message flow in an IP (Internet Protocol) tunnel of a multi-nuclear processor with accelerated hardware. In a network security device of a multi-nuclear processor framework, an ordinary IP message and a fragmented IP message in an identical TCP/UDP (Transmission Control Protocol/User Data Protocol) flow both are loaded and balanced to different processors in an IP tunnel mode. In order to ensure order preserving of the messages in the flow, extra synchronization and mutual exclusion are needed to be performed between the different processors to consume implement resources of the processors and bandwidth resources of Cache interconnection buses of the processors. In order to solve the problem, the fragmented message is re-submitted to the processor used for processing the ordinary message by a hardware accelerator after being recombined by the processor so as to carry out follow-up processing of the identical TCP/UDP flow in the IP tunnel on the identical processor, thereby the processing complexity and expenses of software and hardware in the network security device of the multi-nuclear processor framework on order preserving of the fragmented message in the IP tunnel are reduced.
Description
Technical field
The present invention relates to data communication field, particularly Network Security Device is specifically related to a kind of hardware-accelerated polycaryon processor IP tunnel fragment message stream order-preserving method.
Background technology
The continuous development of network reaches to popularize and brings increasingly serious safety problem.Traditional Network Security Device all has been difficult to satisfy the demands on function and performance.Use the Network Security Device performance of asic technology high, but flexibility is not enough, can not adapt to the network security problem that changes day by day.Use the Network Security Device of general processor because processor has programmability, and flexibility is very high, but performance is not good.
Along with the continuous development of hardware and chip technology, the polycaryon processor technology is more and more ripe and universal.The framework that the design of Network Security Device also gradually adopts hardware accelerator and polycaryon processor to combine, existing so programmable flexibility can improve performance again.
In the equipment of the framework that employing hardware accelerator and polycaryon processor combine, owing to have a plurality of even tens processor parallel processings, the synchronous and mutual exclusion expense between processor makes the performance of system be difficult to along with the increase of processor core linear growth.And between processor synchronously make also with mutual exclusion that software is complicated more, easy error and be difficult to maintenance.
In order to reduce synchronously and mutually exclusive operation, reduce software complexity, according to (source address, source port, destination address, destination interface, agreement) five-tuple cryptographic hash, same TCP/UDP stream is sent to same processor processes.Under the IP tunnel pattern, data message adopts (external IP head, inner IP head, TCP/UDP head, data) encapsulation mode, and wherein (inner IP head, TCP/UDP head) described a TCP/UDP stream.
But, under the IP tunnel pattern, if the IP message by burst, inner IP head might be encapsulated in the different IP fragmentation messages with the TCP/UDP head.Can cause like this extracting, can only come the load balancing fragment message according to inner IP head (source address, destination address) doublet cryptographic hash less than source port, destination interface information.This common message that just causes same TCP/UDP stream under the IP tunnel pattern and fragment message load balancing are to different processors.For reasons such as message flow order-preservings, fragment message need be submitted to after recombinating with on the processor that common message is processed in first-class.At this moment inevitably produce directly alternately between the software on two processors, need use synchronously and primitive operation such as mutual exclusion, increase the software overhead and the bandwidth of wasting processor Cache interconnection of processor, influence systematic function.
Summary of the invention
To the problems referred to above; The applicant has carried out improving research; A kind of hardware-accelerated polycaryon processor IP tunnel fragment message stream order-preserving method is provided; In polycaryon processor architecture network safety means, participate in accomplishing the function that the IP tunnel fragment message flows order-preserving, reduce the expense of processor, the elevator system performance by hardware accelerator.
Technical scheme of the present invention is following:
Under the IP tunnel pattern, the IP tunnel fragment message of polycaryon processor be processed think highly of group after,, and resubmited on another processor of handling common message in the same TCP/UDP stream to importing processing engine by output processing engine loop.
Its further technical scheme is: concrete steps are following:
1) ethernet mac is received TCP/UDP stream from physical link, and this TCP/UDP stream packet is delivered to the input processing engine;
2) under the IP tunnel pattern, if the common message of non-burst, the input processing engine is the extraction source address from inner IP head of message and TCP/UDP head; Source port, destination address, destination interface; Protocol number five-tuple information is also calculated cryptographic hash, confirms first receiving processor by cryptographic hash;
3) under the IP tunnel pattern, if fragment message, the input processing engine is from inner IP the extraction source address of message, and the destination address binary group information is also calculated cryptographic hash, confirms second receiving processor by cryptographic hash;
4) second receiving processor is recombinated to the IP tunnel fragment message, and the good message of will recombinating sends to the output processing engine;
5) export IP tunnel message loop to the input processor engine that it is good that processing engine will be recombinated;
6) input processing engine IP tunnel interior message IP head and TCP/UDP extraction source address from recombinating; Source port, destination address, destination interface; Protocol number five-tuple information is also calculated cryptographic hash, and the IP tunnel message that reorganization is good is committed to first receiving processor.
Said first receiving processor is different processors with second receiving processor, or belongs to different processor cores.
And its further technical scheme is:
Recombinated the back by exporting the processing engine loop to the process of importing processing engine at the IP tunnel fragment message; The payload of message is deposited in the memory always, is message descriptor to exporting processing engine to importing what transmit on processing engine to the path of handling the processor of common message in the same TCP/UDP stream at the processor of burst reorganization.
Said input processing engine, output processing engine and polycaryon processor are in the same chip, or are in the different chips.
Said input processing engine, output processing engine and ethernet mac are in the same chip, or are in the different chips.
Useful technique effect of the present invention is:
The present invention flows order-preserving in order to realize the IP tunnel fragment message, adopts burst reorganization, loop, again behind the Hash, finally make in the IP tunnel same TCP/UDP stream in IP fragmentation message reorganization back by same processor processes; Do not have mutual exclusion and synchronous primitive operation between the processor, thereby reduce additive decrementation, the elevator system performance of consequent processor execution resources expense, reduction processor Cache interconnection bandwidth resources.
Description of drawings
Fig. 1 is the system that the present invention relates to or the composition structural representation of chip.
Fig. 2 is the interactive step and the sequential schematic of each processing unit among the present invention.
Embodiment
Further specify below in conjunction with the accompanying drawing specific embodiments of the invention.
As shown in Figure 1; System that the present invention relates to or one chip are identical with prior art; It is made up of following formant: ethernet mac (Media Access Control, i.e. media interviews control), input processing engine, output processing engine, polycaryon processor and interconnection.
With reference to figure 1, in the present invention, above-mentioned each unit role is following: input processing engine and output processing engine are accomplished function of hardware acceleration; The input processing engine arrives each processor with TCP/UDP stream (comprising common message and fragment message) load balancing; The output processing engine sends to IP tunnel message loop after maybe will recombinating on the physical link to importing processing engine with the message of from processor through ethernet mac.The IP tunnel fragment message is processed thinks highly of group back and is sent to the input processing engine by the output processing engine through the reconstructed file loop, and is resubmited and handle the processor that belongs to the common message in the same TCP/UDP stream with this IP tunnel fragment message.
Under the IP tunnel pattern, the input processing engine according in inner IP head and the TCP/UDP head with source address, source port, destination address, destination interface, the five-tuple cryptographic hash of agreement composition is balanced to each processor with common message load; And according in the inner IP head with source address, the doublet cryptographic hash that destination address is formed with the fragment message load balancing to each processor; After the IP tunnel fragment message is processed and thinks highly of group; Submit to output processing engine loop to importing processing engine; The input processing engine is again according to source address, source port, destination address; Destination interface, the five-tuple cryptographic hash that agreement is formed is submitted to said reconstructed file on the processor of handling common message in the same TCP/UDP stream.
In the process of above-mentioned IP tunnel slicing message flow order-preserving; The payload of message is deposited in the memory always; The processor of burst reorganization is to exporting processing engine to importing the copy that does not have the payload of message on processing engine to the path of handling the processor of common message in the same TCP/UDP stream, the just message descriptor of transmission.Input processing engine, output processing engine and polycaryon processor and ethernet mac can be in same chips, also can be in different chips.
The present invention can be according to being described below practical implementation:
Adopt ASIC or FPGA to realize a plurality of ethernet macs, input processing engine and output processing engine.Polycaryon processor adopts 6 nuclears or 12 nuclear X86 CPU.ASIC or FPGA adopt x16 gen2 pci-e bus to be connected with the X86 polycaryon processor.
Above-mentioned polycaryon processor also can be the programmable processor of any instruction set, here not for limiting.
As shown in Figure 2, concrete treatment step of the present invention is following:
Step 1: ethernet mac will be given the input processing engine through FIFO from the message that physical link is received.
Step 2b: under the IP tunnel pattern, if fragment message, the input processing engine is extracted (source address from the inner IP head of message; Destination address) binary group information and calculate cryptographic hash; Search mapping table according to last 8 of cryptographic hash, confirm receiving processor B, submit to this processor B to message.
Step 3: processor B is recombinated to the IP tunnel fragment message, and the message that reorganization is good sends to the output processing engine.
Step 4: the IP tunnel message that it is good that the output processing engine will be recombinated is through FIFO loop to input processor engine.
Step 5: the input processing engine is extracted five-tuple information and is calculated cryptographic hash and look into mapping table from the IP tunnel interior message IP head of recombinating and TCP/UDP head, and the IP tunnel message that reorganization is got well is committed to processor A.
Through above-mentioned steps, realized that the message of same TCP/UDP stream is all handled in the IP tunnel after reorganization in same processor.
Above-described only is preferred implementation of the present invention, the invention is not restricted to above embodiment.Be appreciated that other improvement and variation that those skilled in the art directly derive or associate under the prerequisite that does not break away from spirit of the present invention and design, all should think to be included within protection scope of the present invention.
Claims (5)
1. a hardware-accelerated polycaryon processor IP tunnel fragment message flows order-preserving method; It is characterized in that: under the IP tunnel pattern; The IP tunnel fragment message of polycaryon processor be processed think highly of group after;, and resubmited on another processor of handling common message in the same TCP/UDP stream to importing processing engine by output processing engine loop, concrete steps are following:
1) ethernet mac is received TCP/UDP stream from physical link, and this TCP/UDP stream packet is delivered to the input processing engine;
2) under the IP tunnel pattern, if the common message of non-burst, the input processing engine is the extraction source address from inner IP head of message and TCP/UDP head; Source port, destination address, destination interface; Protocol number five-tuple information is also calculated cryptographic hash, confirms first receiving processor by cryptographic hash;
3) under the IP tunnel pattern, if fragment message, the input processing engine is from inner IP the extraction source address of message, and the destination address binary group information is also calculated cryptographic hash, confirms second receiving processor by cryptographic hash;
4) second receiving processor is recombinated to the IP tunnel fragment message, and the good message of will recombinating sends to the output processing engine;
5) export IP tunnel message loop to the input processor engine that it is good that processing engine will be recombinated;
6) input processing engine IP tunnel interior message IP head and TCP/UDP extraction source address from recombinating; Source port, destination address, destination interface; Protocol number five-tuple information is also calculated cryptographic hash, and the IP tunnel message that reorganization is good is committed to first receiving processor.
2. according to right 1 said hardware-accelerated polycaryon processor IP tunnel fragment message stream order-preserving method, it is characterized in that: said first receiving processor is different processors with second receiving processor, or belongs to different processor cores.
3. according to each said hardware-accelerated polycaryon processor IP tunnel fragment message stream order-preserving method in the right 1 ~ 2; It is characterized in that: recombinated the back by exporting the processing engine loop to the process of importing processing engine at the IP tunnel fragment message; The payload of message is deposited in the memory always, is message descriptor to exporting processing engine to importing what transmit on processing engine to the path of handling the processor of common message in the same TCP/UDP stream at the processor of burst reorganization.
4. according to each said hardware-accelerated polycaryon processor IP tunnel fragment message stream order-preserving method in the right 1 ~ 2, it is characterized in that: said input processing engine, output processing engine and polycaryon processor are in the same chip, or are in the different chips.
5. according to each said hardware-accelerated polycaryon processor IP tunnel fragment message stream order-preserving method in the right 1 ~ 2, it is characterized in that: said input processing engine, output processing engine and ethernet mac are in the same chip, or are in the different chips.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011100264877A CN102104544B (en) | 2011-01-25 | 2011-01-25 | Order preserving method for fragmented message flow in IP (Internet Protocol) tunnel of multi-nuclear processor with accelerated hardware |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011100264877A CN102104544B (en) | 2011-01-25 | 2011-01-25 | Order preserving method for fragmented message flow in IP (Internet Protocol) tunnel of multi-nuclear processor with accelerated hardware |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102104544A CN102104544A (en) | 2011-06-22 |
| CN102104544B true CN102104544B (en) | 2012-06-20 |
Family
ID=44157081
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2011100264877A Expired - Fee Related CN102104544B (en) | 2011-01-25 | 2011-01-25 | Order preserving method for fragmented message flow in IP (Internet Protocol) tunnel of multi-nuclear processor with accelerated hardware |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102104544B (en) |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2740023A1 (en) * | 2011-10-28 | 2014-06-11 | Hitachi, Ltd. | Computer system and management system for performance optimisation in a storage network |
| CN102811169B (en) * | 2012-07-24 | 2015-05-27 | 成都卫士通信息产业股份有限公司 | Virtual private network (VPN) implementation method and system for performing multi-core parallel processing by using Hash algorithm |
| CN102821049A (en) * | 2012-08-15 | 2012-12-12 | 华为技术有限公司 | Method and device for forwarding message |
| CN103457868A (en) * | 2013-08-15 | 2013-12-18 | 北京华为数字技术有限公司 | Load sharing method and device |
| CN104486226B (en) * | 2014-12-23 | 2019-04-05 | 北京天融信科技有限公司 | A kind of message processing method and device |
| CN105786618B (en) * | 2016-02-24 | 2019-06-18 | 华为技术有限公司 | Method and device for routing packets in accelerator network |
| CN107404446A (en) * | 2016-05-19 | 2017-11-28 | 中兴通讯股份有限公司 | A kind of method and device for handling fragment message |
| US10425472B2 (en) * | 2017-01-17 | 2019-09-24 | Microsoft Technology Licensing, Llc | Hardware implemented load balancing |
| CN107181662A (en) * | 2017-05-18 | 2017-09-19 | 迈普通信技术股份有限公司 | A kind of method and system of VXLAN tunnel load balancings |
| CN109286584B (en) * | 2017-07-21 | 2021-07-13 | 东软集团股份有限公司 | Fragmentation recombination method, device and equipment in multi-core system |
| CN113783973B (en) * | 2021-08-31 | 2023-09-15 | 上海弘积信息科技有限公司 | Implementation method for NAT port allocation lock-free data flow under multi-core |
| CN114422445B (en) * | 2022-02-24 | 2023-05-30 | 成都北中网芯科技有限公司 | Method for realizing load balancing and disordered recombination |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101035082A (en) * | 2007-04-28 | 2007-09-12 | 杭州华三通信技术有限公司 | Unpacked message recombining method and interface board |
| CN101286945A (en) * | 2008-05-22 | 2008-10-15 | 北京星网锐捷网络技术有限公司 | Method and apparatus for processing of data fragmentation |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2004107800A1 (en) * | 2003-05-29 | 2004-12-09 | Endace Technology Limited | A method of recombining data units |
-
2011
- 2011-01-25 CN CN2011100264877A patent/CN102104544B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101035082A (en) * | 2007-04-28 | 2007-09-12 | 杭州华三通信技术有限公司 | Unpacked message recombining method and interface board |
| CN101286945A (en) * | 2008-05-22 | 2008-10-15 | 北京星网锐捷网络技术有限公司 | Method and apparatus for processing of data fragmentation |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102104544A (en) | 2011-06-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102104544B (en) | Order preserving method for fragmented message flow in IP (Internet Protocol) tunnel of multi-nuclear processor with accelerated hardware | |
| CN102681971B (en) | A kind of method of carrying out high-speed interconnect between FPGA plate based on aurora agreement | |
| US7813339B2 (en) | Direct assembly of a data payload in an application memory | |
| CN103748845B (en) | Message sending method, receiving method, device and system | |
| TWI745034B (en) | Method of aggregating and disaggregating packet | |
| CN104281493A (en) | Method for improving performance of multiprocess programs of application delivery communication platforms | |
| CN104780333A (en) | High-bandwidth video source interface adaptation device based on FPGA (Field Programmable Gate Array) | |
| CN104468309B (en) | A kind of efficient adaptation method of low speed SMP and high speed password card | |
| CN105554002A (en) | Tunnel message analyzing method and device | |
| CN104486185A (en) | Control system communication method and system for nuclear power plant | |
| CN102546399B (en) | Intelligent transformer substation process level message linear processing framework and intelligent transformer substation process level message linear processing method | |
| CN108282454A (en) | For using inline mode matching to accelerate the devices, systems, and methods of safety inspection | |
| CN107508828B (en) | A kind of very-long-range data interaction system and method | |
| CN104717050A (en) | Multiple frame rate system | |
| US20160380890A1 (en) | Intermediate Unicast Network and Method for Multicast Data Networks | |
| CN105357148A (en) | Method and system for preventing output message of network exchange chip from being disordered | |
| CN104536928A (en) | Data sorting method through multi-core PCIE accelerating daughter card | |
| CN204597988U (en) | The AFDX terminal test equipment of Based PC PCI interface | |
| CN102404207B (en) | A kind of processing method and processing device of Ethernet data | |
| US20230023258A1 (en) | Computing network physical layer device including port expander, and method of using same | |
| CN206533391U (en) | Main website type special line encryption authentication device | |
| CN117875447A (en) | FPGA acceleration scheme for federally learning Paillier algorithm | |
| CN109347818A (en) | A File Transfer System with Protocol Reconfigurable 10 Gigabit Communication | |
| CN103491030B (en) | A kind of data processing method and equipment | |
| WO2019015487A1 (en) | Data retransmission method, rlc entity and mac entity |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| ASS | Succession or assignment of patent right |
Free format text: FORMER OWNER: JIANGSU HUALI NETWORK ENGINEERING CO., LTD. Effective date: 20150424 Owner name: TANG WENJIE Free format text: FORMER OWNER: INFINITRUM CO., LTD. Effective date: 20150424 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 214028 WUXI, JIANGSU PROVINCE TO: 215600 SUZHOU, JIANGSU PROVINCE |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20150424 Address after: 215600 Jiangsu city of Zhangjiagang Province Tang Qiao Zhen Heng Jing Cun Jing Dong Pan Bridge Group No. 5 Patentee after: Tang Wenjie Address before: 214028 room 1102 and 21-1, 1107 Changjiang Road, New District, Jiangsu, Wuxi Patentee before: INFINITRUM Co.,Ltd. Patentee before: Jiangsu Huali Networks Engineering Co.,Ltd. |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20200916 Address after: Room 603, building 52, Hongqiao 5 village, Jiangyin City, Wuxi City, Jiangsu Province Patentee after: Ding Xiangen Address before: 215600 Jiangsu city of Zhangjiagang Province Tang Qiao Zhen Heng Jing Cun Jing Dong Pan Bridge Group No. 5 Patentee before: Tang Wenjie |
|
| TR01 | Transfer of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20120620 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |