Yaxuan Qi,Zongwei Zhou,Yiyao Wu,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5684120

2010-01-01

Abstract:With the continual growth of network speed and the increasing sophistication of network applications, keeping network operations efficient and secure becomes more challenging. Pattern matching is one of the key technologies for content-ware network processing, such as traffic classification, application identification and intrusion prevention. In this paper, we propose a hybrid pattern matching algorithm optimized for multi-core network processing platforms. As a system-level solution, our scheme focuses on both performance stability and hardware/software co-design. To verify the effectiveness of our design, the proposed algorithm is implemented on a state-of-art 16-MIPS-core network processing platform and evaluated with real-life data sets. Experimental results show that, when compared with the traditional Aho-Corasick algorithm, our hybrid solution saves 60~95% memory space while guarantees stable performance on large pattern sets and against adverse test traffic.

Haipeng Cheng,Zheng Chen,Bei Hua,Xinan Tang

DOI: https://doi.org/10.1145/1345206.1345214

2008-01-01

Abstract:Packet classification is an enabling technology to support advanced Internet services. It is still a challenge for a software solution to achieve 10Gbps (line-rate) classification speed. This paper presents a classification algorithm that can be efficiently implemented on a multi-core architecture with or without cache. The algorithm embraces the holistic notion of exploiting application characteristics, considering the capabilities of the CPU and the memory hierarchy, and performing appropriate data partitioning. The classification algorithm adopts two stages: searching on a reduction tree and searching on a list of ranges. This decision is made based on a classification heuristic: the size of the range list is limited after the first stage search. Optimizations are then designed to speed up the two-stage execution. To exploit the speed gap (1) between the CPU and external memory; (2) between internal memory (cache) and external memory, an interpreter is used to trade the CPU idle cycles with demanding memory access requirements. By applying the CISC style of instruction encoding to compress the range expressions, it not only significantly reduces the total memory requirement but also makes effective use of the internal memory (cache) bandwidth. We show that compressing data structures is an effective optimization across the multi-core architectures.We implement this algorithm on both Intel IXP2800 network processor and Core 2 Duo X86 architecture, and experiment with the classification benchmark, ClassBench. By incorporating architecture-awareness in algorithm design and taking into account the memory hierarchy, data partitioning, and latency hiding in algorithm implementation, the resulting algorithm shows a good scalability on Intel IXP2800. By effectively using the cache system, the algorithm also runs faster than the previous fastest RFC on the Core 2 Duo architecture.

Yaxuan Qi,Yibo Xue,Jun Li

DOI: https://doi.org/10.1016/s1007-0214(11)70062-1

2011-01-01

Tsinghua Science & Technology

Abstract:Packet classification is crucial to the implementation of advanced network services that require the capability to distinguish traffic in different flows, such as access control in firewalls and protocol analysis in intrusion detection systems. This paper proposes a novel packet classification algorithm optimized for multi-core network processors. The proposed algorithm, AggreCuts, has an explicit worst-case search time with modest memory usage. The data structure of AggreCuts is flexible and well-adapted to different types of multi-core platforms. The algorithm on both Intel IXP2850 32-bit and Cavium OCTEON3860 64-bit multi-core platforms was implemented to evaluate the performance of AggreCuts. The experimental results show that AggreCuts outperforms the best-known existing algorithm in terms of memory usage and classification speed.

Yaxuan Qi,Bo Xu,Fei He,Xin Zhou,Jianming Yu,Jun Li

DOI: https://doi.org/10.1109/ICPP.2007.82

2007-01-01

Abstract:In this paper, a novel packet classification scheme optimized for multi-core network processors is proposed. The algorithm, Explicit Cuttings (ExpCuts), adopts a hierarchical space aggregation technique to significantly reduce the memory usage. Consequently, without burst of memory usages, the time-consuming linear search in the conventional decision-tree based packet classification algorithms is eliminated, and an explicit worst-case search time is achieved. To evaluate the performance of ExpCuts, we implement the algorithm, as well as HiCuts and HSM, on the Intel IXP2850 network processor. Experimental results show that ExpCuts outperforms the existing best- known algorithms in terms of memory usage and classification speed.

Yaxuan Qi,Zongwei Zhou,Baohua Yang,Fei He,Yibo Xue,Jun Li

DOI: https://doi.org/10.1145/1477942.1477963

2008-01-01

Abstract:ABSTRACTTo build high-performance network devices with holistic security protection, a large number of algorithms have been proposed. However, multi-core implementation of the existing algorithms suffers from three limitations: performance instability, data-structure heterogeneity, and hardware dependency. In this paper, we propose three principles for effective network processing on multi-core network processors. To verify the effectiveness of these principles, algorithms for two typical network processing tasks are redesigned and implemented on the Cavium Octeon3860 network processor. Test results show that our schemes achieve superior performance in comparison with existing best-known algorithms.

Tong Shen,Da-Fang Zhang,Gao-Gang Xie,Xin-Yi Zhang

DOI: https://doi.org/10.1007/s11390-018-1873-9

2018-01-01

Abstract:Packet classification has been studied for decades; it classifies packets into specific flows based on a given rule set. As software-defined network was proposed, a recent trend of packet classification is to scale the five-tuple model to multi-tuple. In general, packet classification on multiple fields is a complex problem. Although most existing softwarebased algorithms have been proved extraordinary in practice, they are only suitable for the classic five-tuple model and difficult to be scaled up. Meanwhile, hardware-specific solutions are inflexible and expensive, and some of them are power consuming. In this paper, we propose a universal multi-dimensional packet classification approach for multi-core systems. In our approach, novel data structures and four decomposition-based algorithms are designed to optimize the classification and updating of rules. For multi-field rules, a rule set is cut into several parts according to the number of fields. Each part works independently. In this way, the fields are searched in parallel and all the partial results are merged together at last. To demonstrate the feasibility of our approach, we implement a prototype and evaluate its throughput and latency. Experimental results show that our approach achieves a 40% higher throughput than that of other decomposed-based algorithms and a 43% lower latency of rule incremental update than that of the other algorithms on average. Furthermore, our approach saves 39% memory consumption on average and has a good scalability.

Yizhen Liu,Daxiong Xu,Wuying Song,Zhixin Mu

DOI: https://doi.org/10.1109/fitme.2008.88

2008-01-01

Abstract:The rapid increasing Internet services need high performance, scalable and flexible network security devices. IPSec is a set of protocols to ensure transmission of packets in IP network. Multi-core processors are targeted to a wide range of applications with complex packet processing and high throughput requirements. Although there are several designs of IPSec system with heterogeneous hardware platforms, practical ultra-speed network security systems remain elementary. The disparity arises because IP network security algorithms with theoretically considerable computational cost and packet processing have unacceptably memory access latency. This paper discusses the design and implementation of IPSec applications at 17 Gbps using next generation programmable multi-core processor RMI XLR732. We focus on IP Security software architecture suitable for high speed network, and present consideration of traffic load balance and hardware framework. The improved software architecture is implemented on the dual multi-core processor hardware, and actual packet data is used to assess performance.

Liang CHEN,Jian WANG,Yong ZHAO

DOI: https://doi.org/10.3778/j.issn.1002-8331.1606-0006

2017-01-01

Abstract:In order to meet the security requirements of modern high bandwidth Internet application environment, an IPSec VPN architecture based on Tilera GX36 multi-core network processor is proposed, and program function modules of control plane and data plane are designed according to SDN architecture to achieve flexible security control on network traffic. To meet the security strategy retrieval performance requirement, a three-level security policy flow-table structure based on Hash algorithm is put forward, and a security policy search method is designed using security association flow-table cached on tile CPUs as fast retrieval data source. The test results show that the system can achieve the processing performance in 40 Gb/s Internet applications under the typical short, medium and long package-length circumstance.

Xing Biao,Wang DanDan,Yang Yongquan,Wei Zhiqiang,Wu Jiajing,He Cuihua

DOI: https://doi.org/10.1007/s10766-021-00692-4

2021-01-01

International Journal of Parallel Programming

Abstract:Data security is the focus of information security. As a primary method, file encryption is adopted for ensuring data security. Encryption algorithms created to meet the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES) are widely used in a variety of systems. These algorithms are computationally highly complex, thus, the efficiency of encrypting or decrypting large files can be drastically reduced. To this end, we propose an optimized algorithm that efficiently encrypts and decrypts large files by parallelizing processing tasks on a single heterogeneous many-core processor in the Sunway TaihuLight computer system. Firstly, we convert the serial DES and AES programs to our experimental platform. Then we implement a task assignment strategy to test the converted algorithms. Finally, in order to optimize parallelized algorithms and improve data transmission performance, we apply the master-slave communication optimization, the three-stage parallel pipeline, and vectorization. Extensive experiments demonstrate that our optimized algorithm is faster than the state-of-the-art open-source implementations of DES and AES. Compared with the serial processing algorithms, our parallelized DES and AES perform nearly 40 times and 72 times faster, respectively. The work described in this paper leverages existing methods and provides a sound basis for the direction of future research in data encryption.

Yang Xiang,Daxin Tian

DOI: https://doi.org/10.4018/978-1-60566-661-7.ch037

2010-01-01

Abstract:Network security applications such as intrusion detection systems (IDSs), firewalls, anti-virus/spyware systems, anti-spam systems, and security visualisation applications are all computing-intensive applications. These applications all heavily rely on deep packet inspection, which is to examine the content of each network packet’s payload. Today these security applications cannot cope with the speed of broadband Internet that has already been deployed, that is, the processor power is much slower than the bandwidth power. Recently the development of multi-core processors brings more processing power. Multi-core processors represent a major evolution in computing hardware technology. While two years ago most network processors and personal computer microprocessors had single core configuration, the majority of the current microprocessors contain dual or quad cores and the number of cores on die is expected to grow exponentially over time. The purpose of this chapter is to discuss the research on using multi-core technologies to parallelize deep packet inspection algorithms, and how such an approach will improve the performance of deep packet inspection applications. This will eventually provide a security system the capability of real-time packet inspection thus significantly improve the overall status of security on current Internet infrastructure.

Yaxuan Qi,Bo Xu,Fei He,Baohua Yang,Jianming Yu,Jun Li

DOI: https://doi.org/10.1145/1323548.1323552

2007-01-01

Abstract:There is a growing interest in designing high-performance network devices to perform packet processing at flow level. Applications such as stateful access control, deep inspection and flow-based load balancing all require efficient flow-level packet processing. In this paper, we present a design of high-performance flow-level packet processing system based on multi-core network processors. Main contribution of this paper includes: a) A high performance flow classification algorithm optimized for network processors; b) An efficient flow state management scheme leveraging memory hierarchy to support large number of concurrent flows; c) Two hardware-optimized order-preserving strategies that preserve internal and external per-flow packet order. Experimental results show that: a) The proposed flow classification algorithm, AggreCuts, outperforms the well-known HiCuts algorithm in terms of classification rate and memory usage; b) The presented SigHash scheme can manage over 10M concurrent flow states on the Intel IXP2850 NP with extremely low collision rate; c) The performance of internal packet order-preserving scheme using SRAM queue-array is about 70% of that of external packet order-preserving scheme realized by ordered-thread execution.

Chuan Xu -,Weiren Shi -,Qingyu Xiong -

DOI: https://doi.org/10.4156/jcit.vol6.issue4.27

2011-01-01

Journal of Convergence Information Technology

Abstract:Recently, it is becoming increasingly difficult to implement effective systems for real-time network monitoring for large variety of applications including accounting, traffic identification and abnormal detection. The current solutions have to resort to custom capturing hardware that usually comes with high cost, and software-based capturing solutions, such as libpcap, cannot cope with 10Gbps link rates. In this article, we propose an architecture customized for parallel execution of packet analysis using commodity multi-core processor which now broadly implemented in personal computer. On our approach, the packets are dispatched with similar properties to same core and partitioned into several parts, which allows threads maintained in each core for concurrent execution. Numerical results based on real Campus network traffic data are presented to demonstrate the good performance and effectiveness of our system.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Ting Li,Jinjiang Yang,Yin Zhou,Shaojun Wei

DOI: https://doi.org/10.1145/3672919.3673034

2024-01-01

Abstract:Cryptography is very important in the field of network security. In order to encrypt various types of data using different encryption algorithms, an efficient encryption hardware architecture must have both flexibility and high performance. However, current hardware often fails to balance encryption speed and flexibility. This is a question that researchers need to address. This paper proposes a reconfigurable cryptographic algorithm processing module RPU, which can support various publicly available block cipher, hashing algorithms and streaming algorithms, as well as user-defined algorithms. This module is integrated into the SOC system. In this paper, we also map AES and SM4 algorithms and conduct experiments to demonstrate that we achieve better performance and lower power consumption. Compared with other hardware implementations, our proposed architecture has an energy efficiency advantage of 12X to 102X. Additionally, this design also improves energy efficiency by 3.7X compared to other CGRA chips.

Mian Cheng,Jin-shu Su,Jing Xu

DOI: https://doi.org/10.1631/fitee.1700507

IF: 2.526

2017-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:With the rapidly increasing number of mobile devices being used as essential terminals or platforms for communication, security threats now target the whole telecommunication infrastructure and become increasingly serious. Network probing tools, which are deployed as a bypass device at a mobile core network gateway, can collect and analyze all the traffic for security detection. However, due to the ever-increasing link speed, it is of vital importance to offload the processing pressure of the detection system. In this paper, we design and evaluate a real-time pre-processing system, which includes a hardware accelerator and a multi-core processor. The implemented prototype can quickly restore each encapsulated packet and effectively distribute traffic to multiple back-end detection systems. We demonstrate the prototype in a well-deployed network environment with large volumes of real data. Experimental results show that our system can achieve at least 18 Gb/s with no packet loss with all kinds of communication protocols.

Chen Zheng,Zhang Zhenhua,Yu Nenghai,Tang Xinan

2008-01-01

Abstract:Packet classification is a critical data-plane task for modern routers to support value-added services, especially for those requiring QoS and flow based processing. However, classification at 10Gbps or higher using an algorithmic approach is still challenging. New generation of Network processor unit (NPU) provides unprecedented processing power for network applications, and it opens a new venture to explore thread-level parallelism for attacking networking performance bottlenecks. This paper studies the implementation issues of how an adaptive classification algorithm can be efficiently implemented on a multi-core and multithreaded NPU architecture. Our algorithm combines best traits of Recursive flow classification (RFC) algorithm and bitmap compression technique to achieve deterministic classification performance while keeping the memory growth checked. When mapping such an algorithm onto the Intel IXP network processor, we consider the characteristic of IXP architecture early in the algorithm-design phase to eliminate the potential performance bottlenecks. The implemented algorithm is highly efficient and it can run at lOGbps speed or higher on a real IXP2800 chip.

Yizhen Liu,Daxiong Xu,Zhixin Mu,Jiayi Qin

DOI: https://doi.org/10.1109/icacc.2009.31

2009-01-01

Abstract:The fast increasing Internet applications need accurate, high performance and scalable packet classification in traffic control systems. Although there are several designs of packet classification implemented on heterogeneous hardware platforms, accurate and ultra-speed packet classification remains elementary. The disparity arises because traditional packet classification algorithms with imprecise port-based method and packet processing have unacceptably memory access latency. This paper discusses an efficient hybrid packet classification in gigabits traffic control systems using second-generation programmable network processor. Firstly, we address the problem of inaccurate packet classification and analyze the payload of applications. Secondly, we present the packet classification using not only packet header but the first 64-bit payload. Finally, we describe the software pipeline architecture and hardware design for our approach with network processor. Compared with traditional solutions, the hybrid packet classification has 93% accuracy and speed up to 7.6Gbps in a real network environment.

YAO Jun-Xi,LIANG Gang,GONG Xun,HAN Zhong-Qiu

DOI: https://doi.org/10.3969/j.issn.0490-6756.2010.02.010

2010-01-01

Abstract:Requirements for a high-quality Intrusion Prevention System(IPS)are becoming more and more demanding with the wide use of high speed Ethernet and increasing complexity of network intrusion. By the analysis of the working principles in the traditional IPS,a improved IPS based on the multicore processor is designed and implemented.In this system,multicore processing units are divided into groups among which the data can be transmitted by building shared cache queues.In this way,IPS can work parallelized with a multicore processor.The results of our experiments demonstrate that the efficiency is greatly enhanced and that the packet loss ratio decreases.

Duo Liu,Zheng Chen,Bei Hua,Nenghai Yu,Xinan Tang

DOI: https://doi.org/10.1145/1331331.1331340

2008-01-01

ACM Transactions on Embedded Computing Systems

Abstract:Packet classification is crucial for the Internet to provide more value-added services and guaranteed quality of service. Besides hardware-based solutions, many software-based classification algorithms have been proposed. However, classifying at 10 Gbps speed or higher is a challenging problem and it is still one of the performance bottlenecks in core routers. In general, classification algorithms face the same challenge of balancing between high classification speed and low memory requirements. This paper proposes a modified recursive flow classification (RFC) algorithm, Bitmap-RFC, which significantly reduces the memory requirements of RFC by applying a bitmap compression technique. To speed up classifying speed, we exploit the multithreaded architectural features in various algorithm development stages from algorithm design to algorithm implementation. As a result, Bitmap-RFC strikes a good balance between speed and space. It can significantly keep both high classification speed and reduce memory space consumption. This paper investigates the main NPU software design aspects that have dramatic performance impacts on any NPU-based implementations: memory space reduction, instruction selection, data allocation, task partitioning, and latency hiding. We experiment with an architecture-aware design principle to guarantee the high performance of the classification algorithm on an NPU implementation. The experimental results show that the Bitmap-RFC algorithm achieves 10 Gbps speed or higher and has a good scalability on Intel IXP2800 NPU.

Junchang Wang,Haipeng Cheng,Bei Hua,Xinan Tang

DOI: https://doi.org/10.1145/1542275.1542307

2009-01-01

Abstract:The industry wide shift to multi-core architectures arouses great interests in parallelizing sequential applications. However, it I S very difficult to parallelize fine-grained applications for multicore architectures due to insufficient hardware support of fast communication and synchronization. Fortunately, network applications can be decomposed into pipelined structures that are amenable to streaming based parallel processing. To realize the potential of pipelining on multi-core architectures, it requires reevaluating the basic tradeoffs in parallel processing, including the ones between load balance and data locality and between general lock mechanisms and special lock-free data structures. This paper presents the practice of building a high-performance multi-core based network processing platform in which connection-affinity and lock-free design principles are applied effectively for better data locality and faster core-to-core synchronization and communication.We parallelize a complete Layer 2 to Layer 7 (L2-L7) network processing system on an Intel Core 2 Quad processor, including a TCP/IP stack based on Libnids (L2-L4) and a port-independent protocol identification engine by deep packet inspection (L7+). Furthermore, we develop a compiling method to transform sequential network applications to parallel ones to enable those applications to run on multi-core architectures. Our experience suggests that (1) fine-grained pipelining can be a good software solution for parallelizing network applications on multi-core architectures if connection-affinity and lock-free are used as the first design principles; (2) a delicate partitioning scheme is required to map pipelined structures onto specific multi-core architecture; (3) an automatic parallelization approach can work if domain knowledge is considered in the parallelizing process. Our multi-core based network processing platform can deliver not only 6Gbps processing speed for large packet sizes but also more challenging 2Gbps speed for smaller packets.