一個獨特的閘道器架構用來管理使用動態連接埠的點對點連線

Abstract

傳統閘道器架構無法管理使用動態連接埠的點對點連線，我們提出一個整合新架構來管理下面項目：1.辨識連線屬於那個應用程式 2.過濾不被允許的應用程式 3.對傳送的檔案進行掃毒 4.過濾並且監控聊天訊息或是傳送的檔案 5.對特定應用程式進行頻寬管理。此架構在核心進行連線辨識並在使用者層進行複雜的內容管理。在核心中有兩個封包佇列，一個多執行緒的使用者層程式與核心一同同步操縱這兩個封包佇列中的封包。使用者層的程式使用這兩個封包佇列來解決封包順序錯誤的問題還有線頭阻擋的問題。外部測試顯示這個架構的吞吐量能達到84.83 Mb/s，但是如果啟動掃毒功能，吞吐量馬上降到20.52 Mb/s。內部測試顯示掃毒花的時間是其他步驟的200至800倍。而與傳統利用連接埠來重導連線的代理伺服器相比，連線辨認與導引影響吞吐量大約40 Mb/s。

Conventional port-redirect proxy architecture can not manage peer-to-peer (P2P) traffic which might run over dynamic ports instead of fixed well-known ports. We propose a novel gateway architecture for five management objectives: (1) connection classification of P2P applications, (2) filtering undesirable P2P traffic, (3) virus scanning on P2P shared files, (4) filtering and auditing of chatting messages and transferred files and (5) bandwidth control of the P2P traffic. This architecture performs connection classification and complex content management in the kernel and user space, respectively. The packets of identified connections are queued in the kernel. There are two packet queues in the kernel. A multi-threaded proxy program cooperates with the kernel to manipulate packets in theses two packet queues synchronously to solve the packet out-of-order problem and the head-of-line blocking problem. The external benchmarking reveals that the throughput of this architecture can achieve 84.83 Mb/s. But if enable the virus scanning function, the throughput decreases to 20.52 Mb/s. The internal benchmarking reveals that the time spent on virus scanning is 200 ~ 800 times than other steps. Comparing with port-redirect proxy, the impact of connection classification and redirection is about 40Mb/s.