CAJ | 학술논문

IPv6防火墙作为下一代网络安全的关键技术，其性能越来越受到人们的重视。当前Linux内核中的防火墙模块Netfilter／Ip6tables基于顺序查找算法实现规则匹配，当规则数增加时，其性能急剧下降。本文分析了基于HiPAC算法的IPv4高性能防火墙规则匹配技术，针对大规则集下该算法分段太多而导致子节点数迅速增加问题，提出了一种基于位选取法的IPv6防火墙规则匹配算法。该算法具有O（log2n）的时间复杂度和O（n）的空间复杂度，性能相对于Ip6tables实现算法有了极大的改善。
IPv6방화장작위하일대망락안전적관건기술，기성능월래월수도인문적중시。당전Linux내핵중적방화장모괴Netfilter／Ip6tables기우순서사조산법실현규칙필배，당규칙수증가시，기성능급극하강。본문분석료기우HiPAC산법적IPv4고성능방화장규칙필배기술，침대대규칙집하해산법분단태다이도치자절점수신속증가문제，제출료일충기우위선취법적IPv6방화장규칙필배산법。해산법구유O（log2n）적시간복잡도화O（n）적공간복잡도，성능상대우Ip6tables실현산법유료겁대적개선。
As is known to all, IPv6 firewall is one of the most important technologies for the next generation network security. People had paid much more attention to its performance. As part of Linux kernel, Netfilter/Ip6tables implement rule matching using linear search algorithm, its performance will dramatically decrease with the increasing of rules. To get started, this paper detailed in a high performance firewall based on HiPAC algorithm, and then, considering that the number of subnodes will dramatically increase due to large number of rules, we put forward a high performance IPv6 firewall based on Bit Selection. The time complexity of this algorithm is O（log2n）, and space complexity is O（n）, which has a good improvement over Ip6tables.