
CN-121984945-A - Bidirectional table lookup device oriented to NAT system and implementation method


Abstract

The application relates to the technical field of network communication, in particular to a bidirectional table lookup device and an implementation method for a NAT system. The device comprises a NAT table module, a management module, an available address pool module and a cold and hot table scheduling module. The NAT table module stores address mapping information and performs bidirectional table lookup; the management module coordinates table lookup, table entry maintenance, port number generation, result caching and conflict arbitration; the available address pool module allocates and recovers address resources through a synchronous FIFO so that addresses are reused in a closed loop, outputs the available address numbers and monitors the occupancy rate of the address pool in real time; and the cold and hot table scheduling module dynamically marks table entries as cold or hot based on the occupancy rate of the lookup table and the silent time of each entry, and preferentially overwrites cold entries according to those marks so as to resolve resource contention blocking.

Inventors

  • SHI JIANGYI
  • CHEN DILONG
  • PAN WEITAO
  • ZHU JUNCHAO
  • MA PEIJUN
  • YANG BOYUAN
  • XU LIMING

Assignees

  • 西安电子科技大学

Dates

Publication Date
2026-05-05
Application Date
2026-02-10

Claims (10)

  1. A bidirectional table lookup device for a NAT system, the device comprising: a NAT table module for storing address mapping information and performing bidirectional table lookup, wherein the bidirectional table lookup comprises a forward lookup that converts a private address into a public address and a reverse lookup that converts the public address back into the private address; a management module connected with the NAT table module for coordinating table lookup, table entry maintenance, port number generation, result caching and conflict arbitration; an available address pool module connected with the management module, which allocates and recovers address resources through a synchronous FIFO (first in, first out) so that addresses are reused in a closed loop, outputs the available address numbers and monitors the occupancy rate of the address pool in real time; and a cold and hot table scheduling module connected with the NAT table module and the management module, which dynamically marks table entries as cold or hot based on the occupancy rate of the lookup table and the silent time of the entries and preferentially overwrites cold entries according to those marks so as to resolve resource contention blocking, wherein the occupancy rate of the lookup table is calculated from the occupancy rate of the address pool.
  2. The device of claim 1, wherein the NAT table module comprises: a lookup table in a dual-port RAM structure for storing NAT mapping information, table entry states, cold and hot marks and session attributes; an index table in a dual-port RAM structure for optimizing reverse lookup, storing the lookup-table addresses and protocol types associated with each lookup; and a hash mapping module for generating the lookup-table address index with a CRC-10 hash and supporting concurrent write, lookup and entry deletion operations.
  3. The device of claim 2, wherein the fields of the lookup table comprise at least one of: a cold/hot state, an overlay flag, a local area network IP address, a local area network port number, a wide area network port number, a valid bit, a session type, a SYN flag, a FIN flag, and a silent time; wherein the cold/hot state is dynamically marked based on the difference between the entry's silent time and the local time, and the overlay flag protects the entry from modification.
  4. The device of claim 2, wherein the fields of the index table comprise at least one of: a lookup-table address, an index valid bit, and a protocol type; the index valid bit and the lookup-table valid bit are written synchronously, the index table supplies the lookup-table address during reverse lookup, and lookup accuracy is ensured by double verification.
  5. The device of claim 2, wherein the hash mapping module comprises three independent groups of arithmetic storage units, each group comprising a CRC-10 operation register and an address latch register, and the address index is generated quickly through pipelined logic.
  6. The device of claim 1, wherein the management module is specifically configured to: generate port numbers conforming to the RFC specification by a differentiated bit-width combination strategy based on the session protocol type, the session protocol types comprising TCP, UDP and ICMP; pipeline-cache lookup results and table write data through a built-in cache FIFO; and handle conflict arbitration with a priority arbitration mechanism, the conflicts comprising timing conflicts between lookups and table writes, conflicts between configured entries and dynamic entries, and hash conflicts.
  7. The device of claim 1, wherein the cold and hot table scheduling module is specifically configured to: dynamically start and stop the cold/hot marking function based on the occupancy rate of the lookup table, and adjust the cold-table judgement time based on that occupancy rate when it exceeds an occupancy threshold; execute a multi-protocol hierarchical aging strategy with differentiated aging thresholds per session protocol type; and control the aging recovery process with a finite state machine comprising an IDLE state, a DELETE state, a FINISH state and an ACRELEASE state.
  8. The bidirectional table lookup device of claim 7, wherein the cold-table overwrite mechanism of the cold and hot table scheduling module applies priority in the order: cold table entry, dynamic hot table entry, CPU-configured static table entry; wherein a CPU-configured static entry is protected by the overlay flag bit so that it is not overwritten.
  9. The bidirectional table lookup device of any one of claims 1 to 8, integrated in a network processor chip, applied to a network edge device such as a router, gateway or firewall, and supporting highly concurrent data forwarding for gigabit or tera networks.
  10. A bidirectional table lookup implementation method for a NAT system, comprising the following steps: receiving a target response message, verifying that it is valid, and extracting the IP address, port number, session protocol type and TCP (Transmission Control Protocol) flag bits, wherein the target response message is a message from the intranet to the external network or from the external network to the intranet; when the intranet accesses the external network, receiving the intranet data and generating a forward lookup-table address index by hash mapping, so that the forward lookup table either yields the address mapping information or a new address is allocated and written into both the forward lookup table and the index table, wherein the forward lookup table converts a private address into a public address; when the external network accesses the intranet, receiving the external network data, obtaining the reverse lookup-table address index from the index table, verifying that the reverse lookup-table entry matches, and outputting the translation result, wherein the reverse lookup table converts a public address into a private address; dynamically marking table entries as cold or hot based on the occupancy rate of the lookup table and the silent time of the entries, preferentially overwriting cold entries to resolve resource contention, and executing hierarchical aging recovery; wherein mapping consistency is ensured by reading and writing the lookup table and the index table synchronously, and resource utilization is improved by cold and hot table scheduling.
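
The claims describe hardware structure rather than code. The following Python model is an added example written for this page; it is not code from the patent or its assignee. It implements claims 2 to 4, 7, 8 and 10 in software: a CRC-10-indexed lookup table, a separate index table for reverse lookup with the double verification of claim 4, a FIFO address pool whose occupancy gates cold/hot marking, the cold-entry, dynamic-hot-entry, static-entry overwrite priority of claim 8, and an IDLE/DELETE/FINISH/ACRELEASE aging sequence. The CRC-10 polynomial, the two-way row layout, the cold-time adjustment rule, the per-protocol aging thresholds and the ordering of the state-machine states are assumptions the claims leave open (marked ASSUMPTION in the code), and port number generation (claim 6) is reduced to handing out ports from the pool.

```python
# Added example (not the patent's own code); lines marked ASSUMPTION are choices the claims leave open.
from collections import deque
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP, PROTO_ICMP = 6, 17, 1
AGE_THRESHOLD = {PROTO_TCP: 300, PROTO_UDP: 60, PROTO_ICMP: 10}  # ASSUMPTION: per-protocol aging thresholds (ticks)
CRC10_POLY = 0x233  # ASSUMPTION: CRC-10-ATM polynomial x^10+x^9+x^5+x^4+x+1; claims 2/5 fix no polynomial
TABLE_SIZE, WAYS = 1 << 10, 2  # a 10-bit CRC addresses 1024 rows; ASSUMPTION: two entries per row

def crc10(data: bytes) -> int:  # MSB-first CRC-10, zero init; the 10-bit remainder is the RAM address
    crc = 0
    for byte in data:
        crc ^= byte << 2  # align the byte with bits 9..2 of the 10-bit register
        for _ in range(8):
            crc = ((crc << 1) ^ CRC10_POLY if crc & 0x200 else crc << 1) & 0x3FF
    return crc

def fwd_index(lan_ip: str, lan_port: int, proto: int) -> int:  # lookup-table row for the private-side key
    return crc10(bytes(int(o) for o in lan_ip.split(".")) + lan_port.to_bytes(2, "big") + bytes([proto]))

def rev_index(wan_port: int, proto: int) -> int:  # index-table row for the public-side key
    return crc10(wan_port.to_bytes(2, "big") + bytes([proto]))

@dataclass
class Entry:  # lookup-table fields of claim 3 (session type, SYN and FIN flags omitted)
    valid: bool = False
    lan_ip: str = ""
    lan_port: int = 0
    wan_port: int = 0
    proto: int = 0
    cold: bool = False
    overlay: bool = False  # CPU-configured static entry, never overwritten (claim 8)
    silent_time: int = 0  # last tick on which the entry carried traffic

class NatTable:
    def __init__(self, port_lo, port_hi, occ_threshold=0.75, cold_time=100):
        self.table = [[Entry() for _ in range(WAYS)] for _ in range(TABLE_SIZE)]
        self.index = {}  # index table: rev row -> (row, way, proto); a missing key is a clear index valid bit
        self.pool = deque(range(port_lo, port_hi))  # synchronous FIFO of free public ports (claim 1)
        self.capacity, self.occ_threshold, self.base_cold_time = len(self.pool), occ_threshold, cold_time
        self.now, self.trace = 0, []
    def occupancy(self):  # lookup-table occupancy is derived from the address pool (claim 1)
        return 1 - len(self.pool) / self.capacity
    def _release(self, row, way):  # aging/eviction state machine of claim 7; ASSUMPTION: this state order
        e, self.trace = self.table[row][way], ["IDLE", "DELETE"]
        e.valid = False  # DELETE: clear the lookup valid bit and, if it still points here, the index entry
        if self.index.get(rev_index(e.wan_port, e.proto)) == (row, way, e.proto):
            del self.index[rev_index(e.wan_port, e.proto)]
        self.pool.append(e.wan_port)  # ACRELEASE: hand the public port back to the FIFO
        self.trace += ["FINISH", "ACRELEASE", "IDLE"]
    def _victim(self, ways):  # claim 8 priority: cold entry, then dynamic hot entry; static entries never
        for pick in (lambda e: e.cold and not e.overlay, lambda e: not e.overlay):
            for way, e in enumerate(ways):
                if pick(e):
                    return way
        return None
    def forward(self, lan_ip, lan_port, proto):  # private -> public (claim 10); None when blocked
        row = fwd_index(lan_ip, lan_port, proto)
        ways = self.table[row]
        for e in ways:
            if e.valid and (e.lan_ip, e.lan_port, e.proto) == (lan_ip, lan_port, proto):
                e.silent_time, e.cold = self.now, False  # hit: refresh the silent time, entry is hot
                return e.wan_port
        free = [w for w, e in enumerate(ways) if not e.valid]
        way = free[0] if free else self._victim(ways)
        if way is None or (not ways[way].valid and not self.pool):
            return None  # row holds only protected static entries, or the pool is exhausted
        if ways[way].valid:
            self._release(row, way)  # eviction returns the victim's port before a new one is drawn
        wan_port = self.pool.popleft()
        ways[way] = Entry(True, lan_ip, lan_port, wan_port, proto, silent_time=self.now)
        self.index[rev_index(wan_port, proto)] = (row, way, proto)  # index valid bit set with the entry (claim 4)
        return wan_port
    def reverse(self, wan_port, proto):  # public -> private (claim 10) with the double verification of claim 4
        hit = self.index.get(rev_index(wan_port, proto))
        if hit is None or hit[2] != proto:
            return None
        e = self.table[hit[0]][hit[1]]
        if not (e.valid and e.wan_port == wan_port and e.proto == proto):
            return None  # index row is valid but the slot no longer holds this mapping
        e.silent_time, e.cold = self.now, False
        return e.lan_ip, e.lan_port
    def add_static(self, lan_ip, lan_port, wan_port, proto):  # CPU-configured entry with overlay flag (claim 8)
        row = fwd_index(lan_ip, lan_port, proto)  # ASSUMPTION: written into way 0 of an otherwise empty row
        if wan_port in self.pool:
            self.pool.remove(wan_port)
        self.table[row][0] = Entry(True, lan_ip, lan_port, wan_port, proto, overlay=True, silent_time=self.now)
        self.index[rev_index(wan_port, proto)] = (row, 0, proto)
    def tick(self):  # one time step: occupancy-gated cold/hot marking, then hierarchical aging (claim 7)
        self.now += 1
        marking = self.occupancy() > self.occ_threshold
        limit = self.base_cold_time // 2 if marking else self.base_cold_time  # ASSUMPTION: halve under pressure
        for row, ways in enumerate(self.table):
            for way, e in enumerate(ways):
                if not e.valid or e.overlay:
                    continue
                idle = self.now - e.silent_time
                if marking:
                    e.cold = idle > limit
                if idle > AGE_THRESHOLD[e.proto]:
                    self._release(row, way)
```

The index table is direct-mapped, so two public ports can share an index row; `reverse()` therefore checks both the index row's protocol and the lookup entry's own valid bit and port before returning a translation, which is the double verification of claim 4. Without it a stale index row left behind by an overwrite would steer returning traffic to the wrong private host. Because a CRC is linear, colliding private keys are easy to construct, which is exactly the situation the overwrite priority of claim 8 has to handle: a cold entry is reclaimed first, a hot dynamic entry only when no cold one exists, and a CPU-configured static entry never.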

Description

Bidirectional table lookup device oriented to NAT system and implementation method

Technical Field

The embodiments of this application relate to the technical field of network communication, in particular to a bidirectional table lookup device for a NAT system and an implementation method.

Background

With the rapid development of internet technology, the number of terminal devices grows exponentially and the shortage of IPv4 address resources becomes increasingly acute; network address translation (NAT) is widely applied in the network edge devices of households, enterprises and operators as a key means of alleviating this problem. The core function of NAT is to map between private network addresses and public network addresses, so that a large number of private terminal devices can reach the public network by sharing a small number of public IP addresses.

In the actual operation of a NAT system, bidirectional table lookup is the core link that keeps data communication flowing: when a private terminal sends data to the public network, the lookup matches the corresponding public IP address and port and converts the private address into the public address (forward lookup); when public network data returns to the private terminal, the lookup locates the corresponding private IP address and port and converts the public address back into the private address (reverse lookup). The efficiency of bidirectional lookup therefore directly determines the packet forwarding performance of the NAT system, and under highly concurrent data transmission, problems such as excessive lookup latency, lookup conflicts and excessive resource occupation seriously degrade network communication quality.

Currently, existing bidirectional lookup schemes for NAT systems fall into two types. The first is software lookup, in which the operating system kernel or an application-layer program maintains the address mapping table and performs bidirectional queries. This is flexible to implement and cheap to develop, but software lookup has weak parallel processing capability, so under highly concurrent packet loads lookup latency rises and CPU occupation becomes excessive, and the transmission requirements of a high-speed network are hard to meet. The second is hardware lookup, in which a lookup module designed in an Application Specific Integrated Circuit (ASIC) or Field Programmable Gate Array (FPGA) exploits the parallelism of hardware to raise lookup efficiency. However, most existing hardware lookup schemes suffer from complex design and low resource utilization: some simplify the design by adopting separate forward and reverse lookup structures, which requires maintaining two independent address mapping tables, increases hardware resource consumption and easily lets the forward and reverse mapping tables fall out of synchronization and produce lookup errors; others use an integrated lookup structure, but conflicts easily arise between updating and searching the address mapping table, affecting lookup accuracy and stability.

In addition, with the spread of gigabit and tera networks and the rise of emerging applications such as the internet of things and cloud computing, NAT systems face higher concurrent access pressure and more complex network environments, and existing bidirectional lookup schemes struggle to meet practical requirements in lookup efficiency, resource occupation and stability.

Disclosure of Invention

In view of this, the embodiments of this application provide a bidirectional table lookup device and an implementation method for a NAT system, which aim to ensure mapping consistency through an integrated table structure, resolve the technical problem of resource contention blocking through dynamic cold and hot table scheduling, and improve resource utilization through a hierarchical aging strategy, thereby ensuring consistency of table entry mappings and highly concurrent line-rate forwarding while reducing resource occupation. To achieve this, an embodiment of the present application provides a bidirectional table lookup device for a NAT system, where the device includes: The NAT table module is used for