Research


My research focuses on computer networks, with a particular interest in integrating novel architectures and functionality into network systems. We work on topics related to embedded design for network security and traffic measurement on FPGAs and network processors.

High-Speed Packet Processing & Measurement

Traffic analysis and measurement are important tasks for the proper operation of IP networks. Accurate estimation of Internet traffic statistics serves as the basis for infrastructure planning, network provisioning, capacity forecasting and accounting. Detecting anomalies such as the spread of worms and preventing distributed denial of service (DDoS) attacks rely on the same information. However, as network bandwidth grows exponentially, scaling the monitoring and measurement capabilities needed to collect accurate statistics becomes a critical issue. Hash-based algorithms are useful and popular techniques adopted in many high-speed router designs. We are exploring these advanced techniques with hardware and architecture support for data reduction and synopsis construction.

Sketch-guided Filtering Support for Superspreaders Detection


A sketch-guided filtering scheme for assisting superspreader detection in the measurement of high-speed network traffic is proposed. The scheme comprises an array of linear-counting sketches that rapidly eliminates flows with potentially low fan-out during a measurement interval. Based on the results of simulations using real-world network traces, the filter can eliminate up to 90% of the flows of non-superspreader sources and improve the accuracy of superspreader identification. Furthermore, the proposed scheme has a smaller fan-out estimation error and consumes less memory than previously developed approaches. The hardware implementation can process network traffic at a throughput of 27 Gbit/s.
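An added sketch of the filtering idea described above (not the authors' implementation): each source hashes to one linear-counting bitmap, and only sources whose estimated fan-out reaches a threshold are passed on for exact tracking. The sketch sizes, threshold, hash function and sample trace are assumptions constructed for illustration.

```python
import hashlib
import math

def stable_hash(*fields):
    """64-bit hash that is stable across runs (Python's hash() is salted)."""
    data = "|".join(map(str, fields)).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")

class SketchFilter:
    """Array of linear-counting bitmaps; each source hashes to one bitmap."""

    def __init__(self, n_sketches=64, bits=256):   # sizes are assumptions
        self.n, self.m = n_sketches, bits
        self.bitmaps = [0] * n_sketches            # one m-bit bitmap per int

    def update(self, src, dst):
        row = stable_hash("row", src) % self.n
        self.bitmaps[row] |= 1 << (stable_hash("bit", src, dst) % self.m)

    def estimate(self, src):
        """Linear-counting estimate -m * ln(zero_bits / m) for src's bitmap."""
        bitmap = self.bitmaps[stable_hash("row", src) % self.n]
        zeros = self.m - bin(bitmap).count("1")
        if zeros == 0:
            return math.inf                        # saturated bitmap
        return -self.m * math.log(zeros / self.m)

def filter_sources(packets, threshold, **sizes):
    """Return (sources that survive the filter, the populated filter)."""
    sketch = SketchFilter(**sizes)
    for src, dst in packets:
        sketch.update(src, dst)
    survivors = {src for src, _ in packets if sketch.estimate(src) >= threshold}
    return survivors, sketch

def constructed_trace():
    """Constructed sample: 300 low fan-out hosts plus one host with fan-out 200."""
    packets = []
    for i in range(300):
        src = f"10.1.{i // 250}.{i % 250 + 1}"
        for j in range(1 + i % 3):                 # 1 to 3 distinct destinations
            packets += [(src, f"10.2.0.{(i + j) % 250 + 1}")] * 4  # repeats
    packets += [("10.9.9.9", f"10.3.{k // 250}.{k % 250 + 1}") for k in range(200)]
    return packets

if __name__ == "__main__":
    survivors, sketch = filter_sources(constructed_trace(), threshold=100)
    print(len(survivors), "of 301 sources pass the filter")
```

Sharing a bitmap can only raise an estimate, so hash collisions between sources produce false positives for the later exact stage to discard rather than hiding a high fan-out source.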


A Stream-based Entropy Norm Estimation for High-speed Network Traffic

 

 

The purpose of this project is to study and implement a hardware-accelerated platform for stream-based high-speed network traffic measurement. Computing the entropy of a high-speed data stream in a single pass is crucial to many network security applications. Motivated by the work of Lall et al., this study examines the design trade-off between processing speed and accuracy when estimating the entropy norm. The proposed scheme leverages the Count Sketch, with constant memory access for counter update and point query operations. With a bounded relative error and a constant memory access cycle, the design can process incoming traffic with a throughput of 30Gbps.

 




Network Traffic Change Detection in Real Time

 
 
Sketch-based algorithms are widely applied in various networking applications. In this research, we present a compact implementation of a real-time traffic change detection system with OpenFlow on a NetFPGA platform. It is capable of monitoring network traffic at up to 4Gbps line rate, with the detection accuracy needed, using the limited on-board memory. The system utilizes a one-pass scheme to reveal the flow IDs exceeding the predefined threshold. Based on the network IDs, actions are issued immediately to switches for proper responses through the OpenFlow protocol.
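An added example (not the lab's implementation) of the Count Sketch update and point-query operations mentioned in the entropy project above, applied here to one-pass, threshold-based change detection between two measurement intervals. The sketch dimensions, hash function, threshold and sample flows are assumptions constructed for illustration, and this simplified form reports only increases.

```python
import hashlib
from statistics import median

class CountSketch:
    def __init__(self, depth=5, width=1024):       # sizes are assumptions
        self.depth, self.width = depth, width
        self.table = [[0] * width for _ in range(depth)]

    def _slot(self, row, key):
        """Stable per-row hash: low bits choose the counter, top bit the sign."""
        digest = hashlib.blake2b(f"{row}|{key}".encode(), digest_size=8).digest()
        h = int.from_bytes(digest, "big")
        return h % self.width, (1 if h >> 63 else -1)

    def update(self, key, count):
        """Touches exactly one counter per row, so per-packet cost is constant."""
        for row in range(self.depth):
            col, sign = self._slot(row, key)
            self.table[row][col] += sign * count

    def query(self, key):
        """Point query: median over rows of the signed counter for key."""
        votes = []
        for row in range(self.depth):
            col, sign = self._slot(row, key)
            votes.append(sign * self.table[row][col])
        return median(votes)

def detect_increases(prev_packets, curr_packets, threshold):
    """Flag flow IDs whose byte count grew by more than threshold, in one pass."""
    diff = CountSketch()
    for flow, size in prev_packets:
        diff.update(flow, -size)          # start from minus the previous interval
    flagged = set()
    for flow, size in curr_packets:
        diff.update(flow, size)           # sketches are linear: diff = curr - prev
        if diff.query(flow) > threshold:
            flagged.add(flow)             # a response action would be triggered here
    return flagged

def constructed_intervals():
    """Constructed sample: 200 steady flows plus one flow that surges."""
    steady = [(f"10.0.{i}.1->10.8.0.1", 100) for i in range(200)] * 10
    surge = "10.9.9.9->10.8.0.1"
    return steady + [(surge, 100)] * 10, steady + [(surge, 1000)] * 50, surge

if __name__ == "__main__":
    prev, curr, surge = constructed_intervals()
    print(detect_increases(prev, curr, threshold=20_000))
```

Because the sketch is linear, flows with unchanged volume cancel to zero in the difference, so only the memory of one sketch is needed to compare two intervals.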






1st Asia NetFPGA Developers' Workshop, June 14, 2010 at KAIST, Daejeon, Korea, by John Lockwood




Traffic Detection System Demo



Packet Processing on Stream Architecture

Stream processing architectures have been proposed as efficient and flexible platforms for network packet processing. This is because packet processing shares many of the characteristics of media and image processing that motivate stream architectures: little global data reuse, abundant data parallelism, and high computational complexity. Moreover, in comparison with the multithreaded approach, a stream architecture hides a given amount of latency at much lower cost.

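High-Speed Network Packet Processing on Stream Processing Architectures

In recent years, the rapid growth of networking has shifted network applications and requirements from traditional routing and management toward issues that require deeper inspection of packet contents, or modification of those contents, such as content-based billing, quality of service, layer-7 routing and switching, and network security. These applications share a common characteristic: they must process every byte of a continuous stream of packets, and this additional work exceeds the processing capacity of existing network equipment. Traditional network systems are implemented on general-purpose microprocessor architectures, but given the computational complexity of network systems, such architectures, with their low packet-processing efficiency, can hardly reach hardware wire-speed performance. Most current network system designs therefore use application-specific integrated circuits (ASICs) to achieve high-speed traffic processing, but their fixed architecture cannot keep up with the rapid evolution of Internet protocols or the need for flexible system design. Engineers have therefore turned to network processors, whose optimized multi-core, multi-threaded architectures combine the performance advantage of ASICs with the programmability of general-purpose microprocessors to meet the goals of high-speed network system design.

Stream processing architectures were originally high-performance digital signal processors (DSPs) built for image processing. Packet processing shares many characteristics with image processing, such as (1) high computational complexity and (2) high data parallelism. Moreover, compared with a multithreaded architecture, a stream processing architecture does not need the control and storage circuitry that a multithreaded microprocessor uses to record the system state of every thread, which saves a large amount of chip area and power consumption. Stream processing architectures have therefore been adopted as another architecture that offers both high-speed packet processing and programmability and flexibility.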


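FPGA Prototyping of High-Speed Network Systems

The NetFPGA development environment is an experimental platform designed by a team at Stanford University specifically for network hardware development. The hardware platform builds on the reusability of FPGA (field-programmable gate array) devices and is equipped with additional system resources, which makes it a great help in the field of network hardware design.

NetFPGA is a pipelined system with a 64-bit data bus. In this architecture, data is passed between the main stages in units of complete packets, and first-in-first-out (FIFO) buffers serve as temporary storage between pipeline stages. Taking the Reference Router as an example, its architecture is a five-stage pipeline. The first stage is the Receive Queue, which receives packets sent from the CPU over the PCI bus or arriving on the Ethernet receive ports. The second stage, the Input Arbiter, decides when to service each source port. The third stage, Output Port Lookup, looks up the packet's destination from the packet header. The fourth stage, the Output Queues, serves as a buffering mechanism for achieving maximum throughput, and the fifth stage transmits the packet through the corresponding port.

The NetFPGA development board uses a Xilinx Virtex-II Pro 50 FPGA as the core of the system design and is equipped with 4.5 megabytes of SRAM and 64 MB of DRAM, along with four 1 Gbps Ethernet ports. The platform connects to a PC through a PCI interface, which serves as the core for implementing system control (the control path). The Virtex-II Pro 50 itself provides 53,136 logic cells, 23,616 configurable logic blocks (CLBs) and 232 18-Kbit block RAMs.

The NetFPGA development platform has a very flexible architecture. For teaching, it provides ready-made software and hardware modules, so students can use actual NetFPGA hardware to understand the software, hardware and communication principles of network interface cards, switches and routers.

For research, the NetFPGA development platform lets students and researchers quickly prototype network systems, and it can also serve as a platform for realizing new network architecture concepts and verifying communication models.

The CNSRL laboratory currently has many research topics focused on information and network security. Graduate students work on designing and providing more efficient hardware systems to assist in detecting, analyzing and preventing network anomalies and attacks. NetFPGA is exactly the system development platform that can help achieve these goals!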


 



