Computer Engineering ›› 2008, Vol. 34 ›› Issue (17): 123-126. doi: 10.3969/j.issn.1000-3428.2008.17.044

• Security Technology •

Implementation Mechanism of a Novel Compound NAT Protection System

SI Liang1,2, LI Yun-hui1, GAO Shuai1

  1. School of Electronics and Information Engineering, Beijing Jiaotong University, Beijing 100044; 2. Beijing Military District of PLA, Beijing 100041
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2008-09-05 Published: 2008-09-05


Abstract (translated): An implementation scheme for NAT/NAPT based on the programmable network processor IXP2400 and a GP-CPU is proposed, and a NAT protection system with security-firewall functionality, built from two IXP2400 chips and a GP-CPU, is designed and implemented. A performance analysis of this NAT protection system shows that it supports a concurrent TCP/UDP connection capacity of more than 600,000 and a full line-rate Ethernet connection speed of 2 Gb/s. The system achieves network address multiplexing, improves the operating speed of NAT/NAPT, and overcomes the performance bottleneck of traditional NAT implementation schemes.

Keywords (translated): network processor, network address translation technology, network address and port translation, firewall, functional module

Abstract: This paper puts forward an implementation scheme for Network Address Translation (NAT)/Network Address Port Translation (NAPT) based on the programmable Network Processor (NP) IXP2400 and a GP-CPU. A NAT firewall system with firewall functionality, containing a pair of Intel IXP2400 chips and a GP-CPU, is designed and implemented. A performance analysis of the NAT firewall system shows that it can support more than six hundred thousand concurrent TCP/UDP sessions and sustain full line rate on two Gigabit Ethernet links. In addition, the NAT firewall system achieves multiplexing of network addresses, effectively improves the performance of NAT/NAPT processing and overcomes the performance bottleneck of traditional NAT implementations.
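The abstract describes NAPT with address multiplexing on a design that splits per-packet lookups (network processor) from session creation (GP-CPU). As an added illustration, not code from the paper, the following Python models that split with a minimal NAPT session table; the public address, port pool and sample flows are constructed assumptions, and the endpoint-dependent reverse key (which lets one public port serve several remote endpoints) is an assumed design choice, not a claim about the paper's implementation.

```python
# Added illustration (not from the paper): minimal NAPT session table with a
# fast-path lookup and a slow-path session-creation step.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"        # constructed sample public address (TEST-NET-3)
PORT_RANGE = range(1024, 65536)  # assumed allocatable public port pool


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip=PUBLIC_IP):
        self.public_ip = public_ip
        self.out_table = {}    # private 5-tuple -> public port (fast-path lookup)
        self.in_table = {}     # (public port, proto, remote ip, remote port) -> private 5-tuple
        self.slow_path_hits = 0

    def _allocate(self, flow):
        """Slow path: create a session. The reverse key includes the remote
        endpoint, so one public port can be reused for different destinations;
        that is what lets a small public address pool carry far more than 64k
        sessions. Linear scan is for clarity only."""
        self.slow_path_hits += 1
        for port in PORT_RANGE:
            key = (port, flow.proto, flow.dst_ip, flow.dst_port)
            if key not in self.in_table:
                self.out_table[flow] = port
                self.in_table[key] = flow
                return port
        raise RuntimeError("NAPT port pool exhausted for this remote endpoint")

    def outbound(self, flow):
        """Translate a private->public packet; fast path when the session exists."""
        port = self.out_table.get(flow)
        if port is None:
            port = self._allocate(flow)
        return Flow(flow.proto, self.public_ip, port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """Reverse-translate a public->private packet; None means no session, drop."""
        key = (flow.dst_port, flow.proto, flow.src_ip, flow.src_port)
        priv = self.in_table.get(key)
        if priv is None:
            return None  # firewall behaviour: unsolicited inbound traffic is dropped
        return Flow(flow.proto, flow.src_ip, flow.src_port, priv.src_ip, priv.src_port)
```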

Key words: Network Processor(NP), Network Address Translation(NAT) technology, Network Address Port Translation(NAPT), firewall, microblock

CLC number: