一种面向100Gbps网络的L7-filter硬件加速方法

L7-filter是当前广泛应用的流量分类系统，其采用基于正则表达式匹配的深包检测方法，通过检测数据包有效载荷中存在的字符串特征对流量进行分类.然而，由于计算复杂度高、存储消耗大等原因，现有L7-filter软硬件方法的处理性能严重不足，不能适应当前40Gbps以及更高性能骨干网络.在对L7-filter的应用层协议规则集进行分析，总结其中广泛存在的特征的基础上，本文提出了一个硬件加速方法，其通过有针对性的数据模型、算法优化、匹配架构设计以提高流量分类系统的处理能力.为了验证方法的可行性，采用了基于Virtex6的FPGA板卡实现原型系统并对其进行评估.实验结果表明，原型系统的数据吞吐率可以达到约115Gbps.

A Hardware-Accelerated L7-filter Method for 100Gbps Networks

L7-filter is a widely used traffic classification system which relies on regular expression matching based deep packet inspect method and can identify network traffic by inspecting string patterns hidden in the packet payload.How-ever,due to considerable computation and storage expenditures,existing L7-filter software and hardware solutions could not offer sufficient performance in the context of 40 Gbps and higher speed networks.Based on analysis of common features of the L7-filter protocol patterns,this paper proposes a hardware-accelerated method which is for achieving high performance and includes customized data structure,optimization and matching architecture.To validate the proposed method,a hardware prototype on Virtex 6 FPGA card is implemented and tested.Experimental results show that the prototype can scan network traffic at a typical rate of about 115Gbps.