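Stateful firewall
Packet processing
Computer science
Firewall (physics)
Context-based access control
Testbed
Application firewall
Network packet
Bottleneck
Computer network
Network processor
Embedded system
Software-defined networking
Computer architecture
Distributed computing
Physics
Schwarzschild radius
Classical mechanics
Universal gravitation
Charged black hole
Authors
Katharina Dietz, Nicholas Gray, Manuel Wolz, Claas Lorenz, Tobias Hoßfeld, Michael Seufert
Identifier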
DOI:10.1109/noms56928.2023.10154224
Abstract
Software-based network security solutions using SDN/NFV provide high flexibility and short development cycles, but may impose a bottleneck onto the network due to their lack of ASIC-based hardware packet processing. To overcome this limitation, several frameworks have emerged to enable flexible high speed packet processing in software, e.g., NAPI, XDP, or DPDK, or on programmable data planes in hardware, e.g., P4. Despite aiming for a common goal, the design principles of these technologies diverge, which raises the question of their suitability for critical security-related network functions, such as firewalls. In this work, we implement a stateful firewall, which is capable of tracking TCP state and sequence numbers, for each of the four aforementioned high speed packet processing technologies and make the firewall modules publicly available. We integrate multithreading strategies, where applicable, and discuss the impact of each packet processing technology during the development process. Finally, we evaluate and compare their performance in terms of throughput in two scenarios following the guidelines of RFC3511 in a 100 Gbps testbed.