卫星网络路由器高速数据转发设计

卫星网络由多颗卫星和地面站组成,星间通过高速激光链路通信。卫星网络的核心之一就是路由器。高性能路由器的典型特点为数据路径和控制路径的分离。控制路径处理与高层路由协议相关的数据包,数据路径处理需要转发的数据包。数据路径是路由器的关键路径,直接影响着路由器的整体性能。在调研路由器技术发展历程之后,分析了高性能路由器典型结构及相关关键技术,考虑目前卫星网络系统需求、软硬件环境约束条件,对现有技术进行了优化和适应性修改,确定了卫星网络路由器中数据路径的实现方案。该方案满足当前卫星网络应用需求,且经简单扩展后,还可满足后续更高性能卫星网络路由器的设计需求。     

Learning the valid incoming direction of IP packets

Packet forwarding on the Internet is solely based on the destination address of packets, and it is easy to forge the source address of IP packets without affecting the delivery of the packets. To solve this problem, one can have routers check whether or not every packet comes from a correct direction based on its source address field. However, due to routing asymmetry in today’s Internet, a router cannot simply reverse its forwarding table to determine the correct incoming direction of a packet.In this paper, we present the source address validity enforcement protocol, SAVE, which allows routers to learn valid incoming directions for any given source address. SAVE is independent from—and can work with—any specific routing protocol. By only interfacing with the forwarding table at routers, SAVE allows routers to properly propagate valid source address information from source address spaces to all destinations, and allows each router en route to build and maintain an incoming tree to associate each source address prefix with a corresponding incoming interface. The incoming tree is further valuable in handling routing changes: although a routing change at one router could affect the incoming direction of source address spaces from many locations, only the router that sees the change needs to send out new updates. Finally, SAVE has a good performance with low overhead.     

面向应用的可编程报文转发技术研究

Internet正从单一服务形式的网络逐步向多服务、智能化网络发展。根据应用的需求和特征,通过可编程机制动态形成适应应用的报文转发机制,是未来路由器发展的趋势。该文提出了一种面向应用转发的多服务虚拟交换路由器结构:PVSMR,并对其主要构成及其关键实现技术进行了深入的探讨。PVSMR基于资源分割形成的虚拟转发结构,它能够提供与多类应用相适应的、灵活的报文处理和转发控制能力。     

A More Practical Approach for Single-Packet IP Traceback using Packet Logging and Marking

Tracing IP packets to their origins is an important step in defending Internet against denial-of-service attacks. Two kinds of IP traceback techniques have been proposed as packet marking and packet logging. In packet marking, routers probabilistically write their identification information into forwarded packets. This approach incurs little overhead but requires large flow of packets to collect the complete path information. In packet logging, routers record digests of the forwarded packets. This approach makes it possible to trace a single packet and is considered more powerful. At routers forwarding large volume of traffic, the high storage overhead and access time requirement for recording packet digests introduce practicality problems. In this paper, we present a novel scheme to improve the practicality of log-based IP traceback by reducing its overhead on routers. Our approach makes an intelligent use of packet marking to improve scalability of log-based IP traceback. We use mathematical analysis and simulations to evaluate our approach. Our evaluation results show that, compared to the state-of-the-art log-based approach called hash-based IP traceback, our approach maintains the ability to trace single IP packet while reducing the storage overhead by half and the access time overhead by a factor of the number of neighboring routers.     

基于虚拟拓扑的多级可信传输体系及路由计算

路由器及转发路径的安全可信一直备受关注.不同厂商的网络设备或处于不同管理环境中的同一款网络设备,都具有不同的安全可信度.人们期望为不同安全需求的流量提供相应可信级别的转发路径,实现网络数据的可信传输.设计了多级可信传输机制(credible transmission with multiple levels, CETML),提出了基本的可信管理策略.所有路由节点和IP前缀都被指定可信级别,网络流量也基于源、目的IP被设置可信级别.CETML为不同可信级别的传输网络构建虚拟拓扑,确保网络中的报文必须通过不小于其可信级别的路由器进行转发.路由器转发项要包含多个下一跳信息,会引入极少量的存储开销.面向SDN网络环境,分析多级虚拟拓扑的关联,基于Floyd算法思想设计了可依次迭代的多关联拓扑路由计算方法,计算时间相对典型的路由算法显著降低.     

Tracing network attacks to their sources

An IP traceback architecture in which routers log data about packets and adjacent forwarding nodes lets us trace IP packets to their sources, even when the source IP address is forged     

使用主动标记建立攻击连接链的关联

网络攻击者通常在攻击最后目标前使用双向交互式连接一系列中间主机(跳板机)掩盖其真实攻击路径,并使用匿名技术隐藏真实身份。论文利用主动网络技术,通过向流经主动路由器的双向连接链流量进行主动标记,减少关联计算复杂性,快速、准确地建立攻击连接链的关联。在主动网络环境下设计了利用主动标记检测跳板机的原型系统,并在ANTS中实现。分析了amTrace原型系统的性能以及主动关联对数据包转发的影响。     

基于短前缀长度分割的高速二维分组分类算法

分组分类是路由器根据IP分组的多个域，从分类器数据库中匹配每个输入分组，确定分组转发规则的技术，分类器为实现因特网新业务提供了统一的方式，这些新业务包括：防火墙，网络地址翻译等，二维分组分类问题在未来的因特网体系结构中占有十分重要的地位，目前，人们已经提出了几种分组分类算法，但没有一种是理想的，提出基于短前缀长度分割的二维分组分类算法，它使用短前缀长度分割（SPLS）技术对分类器集合进行分割，使得分割后的小分类器子集合可以使用巳有快速IP路由查找方法进行查找，实现时以多叉树作为基本数据结构，实验显示它具有存储需求小，平均查询时间快，更新时间快，适合于大的分类器等特点，是一种较好的二维分组分类算法。     

基于MPLS的按需分枝组播方法

提出一种新的基于MPLS的组播方法--按需分枝组播方法.该方法采用一种全新的组播树维护方式,即组播树上只有分枝节点处的路由器和本地链路上有组成员的路由器需要保存组播树的有关信息,并参加组播树的维护过程,组播树上的其它路由器只是以普通单播的路由方式组播数据包,无须维护组播树的任何信息.网络仿真实验和与其它算法性能比较分析表明,该方法可有效地提高IP组播的可量测性和减少转发状态.     

一种在MPLS网络中提供单流QoS保障的区分服务标记方法*

为了在MPLS网络中提供对单流的高质量服务,提出了一种基于网络的、供应方的区分服务标记方法。在数据流进入网络前按交换路径进行逐点的接入控制,再将许可的资源预留作为流状态安装在入口路由器上。在传输时,数据流在入口路由器按资源预留标记为预留内/预留外,网络节点按不同的标记队列进行区分处理。该方法提出按预留带宽标记数据流,将基于单流的资源预留定量地映射为基于行为聚合的PHB标记,实现了从集成服务到区分服务的融合。其一方面避免了拥塞,提供了对单流的定量服务质量保证;另一方面无须在核心路由器安装流状态和实现流管理,保持了区分服务的可扩展性。     

Attacking network routers

One of the more critical components to computer networks is the router. Routers are used for many protocols to provide packet forwarding services between networks and geographic locations. Many vendors, for some time now, have been creating what are called multiprotocol routers which are capable of forwarding packets for a range of protocols over a variety of network hardware selections.     

High-speed data paths in host-based routers

In networking today, host workstations are increasingly being used as routers. Host based routers offer a number of advantages, but they suffer from inefficient support for high bandwidth interfaces. The authors' work has focused on the technology's major drawback its inefficiency in supporting high bandwidth interfaces. Their approach is to optimize packet processing by applying techniques that transfer packets directly among host interfaces, thus removing an extra data copy. This technique increases data throughput by 45 percent while reducing the host's CPU load. They found that peer DMA forwarding can increase host based router throughput by up to 45 percent, supporting bandwidths of 480 Mbps. Peer DMA host based forwarding requires network interface cards with substantial shared memory resources, because packet queues are stored on the interfaces themselves, rather than in host RAM. The queuing algorithm remains in the host CPU, supporting advanced queue management. Current systems have limited packet processing. A combination of streamlined forwarding algorithms and aggregate interrupt processing should further increase host based capability. Moving some of the IP processing out to the NIC coprocessor may enable this. It is also apparent that as processor speeds increase, the advantages of peer DMA will aid throughput for small packet sizes     

Object identification in the lego kernel

In a message-based operating system, the kernel is responsible for forwarding messages to destination objects using a destination identifier. Part of the kernel overhead in processing the message involves mapping the identifier into a network address. This paper describes how the choice of identifier structure has simplified the techniques used by the Lego kernel when handling messages, notably: minimizing the overheads associated with address mapping, eliminating the reception of unwanted network packets, while permitting both individual (unicast) and group (multicast) communications.     

一种基于路由器的伪装IP回溯方法

在因特网中,攻击者能伪造其IP地址。本文提出了一种新的针对洪泛型攻击(flooding attack)的IP回溯技术——PPL。在该方法中,路由器以一定的概率存储转发分组的信息．然后利用这些信息．从被攻击者开始回溯攻击分组到其源,对网络攻击者起到威慑的作用。仿真实验证明．新方案在回溯洪泛型攻击时,其性能优于文[2]中的方案。     

对路由表结构和查找算法的研究

随着网络流量的指数性增长,每秒能够传输10G以上比特的光纤骨干网络大量投入使用,但是大部分骨干路由器无法相应达到每秒转发百万个分组的高速,成为网络瓶颈。分组转发性能由多种因素决定,其中路由查找算法是关键。综述了近年来在路由表数据结构和查找算法的研究方面的最新进展,并对一种较先进的转发表结构进行了重点分析。     

MPSSF:一种低失序的缓存转发移动切换方案

全IP无线移动网络的微移动协议在无线接入网采用快速切换技术降低移动切换时延,同时采用了数据包缓存转发技术来解决切换过程中的丢包。多流转发方案存在较多的失序,使上层的TCP协议不适当地启动拥塞控制机制而降低吞吐量。单流转发方案虽然没有失序,但是会占用较多的网络资源并增加数据包的时延。提出一种多径单流转发方案MPSSF,较好地解决了移动切换过程中数据包的丢失与失序问题,同时网络资源消耗以及数据包时延也比单流转发方案显著减小。网络模拟实验表明,MPSSF在移动切换时避免了数据包失序,保持了TCP的拥塞窗口,对TCP性能的改善效果优于多流转发方案及单流转发方案。     

基于博弈论的无线传感网能量均衡模型

提出一种基于贝叶斯博弈的无线传感网能量均衡算法,该算法将每次数据转发过程分解为两个阶段的博弈。第一阶段博弈是指节点结合自身能量水平及参与博弈其他节点的战略,构造静态贝叶斯博弈模型,以最优化期望收益函数的解作为节点参与路由转发数据包的最优决策概率;第二阶段博弈是指源节点与邻居节点根据能量水平及相互战略,构造博弈模型,根据最大化期望收益函数的解,决定双方在博弈阶段的最优转发包数量。仿真实验结果表明,本文提出的算法能够有效地均衡网络的能量消耗,延长网络的生存时间。     

可编程路由器原型系统的设计与实现

基于网络的应用服务现在正飞速地发展,但传统的网络体系结构已经越来越难以满足当前灵活快速的、种类多样的、高服务质量的应用特点。根据多服务虚拟交换路由器结构(ProgrammableVirtualSwitchMultiserviceRouter,PVSMR)的技术思想,设计出一个可编程路由器原型系统,并就该系统平台的构建及其实现过程中有关要点进行了深入的讨论。     

A novel forwarding and routing mechanism design in SDN-based NDN architecture

Combining named data networking (NDN) and software-defined networking (SDN) has been considered as an important trend and attracted a lot of attention in recent years. Although much work has been carried out on the integration of NDN and SDN, the forwarding mechanism to solve the inherent problems caused by the flooding scheme and discard of interest packets in traditional NDN is not well considered. To fill this gap, by taking advantage of SDN, we design a novel forwarding mechanism in NDN architecture with distributed controllers, where routing decisions are made globally. Then we show how the forwarding mechanism is operated for interest and data packets. In addition, we propose a novel routing algorithm considering quality of service (QoS) applied in the proposed forwarding mechanism and carried out in controllers. We take both resource consumption and network load balancing into consideration and introduce a genetic algorithm (GA) to solve the QoS constrained routing problem using global network information. Simulation results are presented to demonstrate the performance of the proposed routing scheme.     

高性能路由器的体系结构分析

路由器作为互联网上的关键设备,其体系结构随着硬件技术、宽带技术以及用户需求的不断发展,组建主干网的路由器必然需要以千兆比特以上的速率转发分组,而基于总线和中央处理器的路由器具有无法克服的局限,这就对传统的路由器体系结构提出了严峻的挑战。文章介绍了路由器体系结构的发展演变,并着重分析了交换式路由器的特点,最后,指出了该领域的发展趋势和需要进一步研究的问题。