CAJ | 학술논문

由于虚拟网络数据传输时，用户态与核心态之间频繁切换，导致虚拟域间多次数据拷贝严重影响网络 I/O 性能。为此，提出一种高性能的虚拟机防火墙设计方案。利用 SR-IOV 规范的高性能数据传输特性和对接收数据包的过滤功能，使虚拟域直接与真实网卡交互。针对低特权级的虚拟域中防火墙容易受到攻击的问题，通过在高特权级的Xen中部署监控模块，对虚拟域中的防火墙进行实时监控。实验结果表明，应用SR-IOV网卡可使虚拟机的网络I/O性能相对于Xen传统网络访问模式平均提高1倍以上，并且具有监控模块的Xen能防止防火墙被非法访问和恶意篡改，保证防火墙的安全。
유우허의망락수거전수시，용호태여핵심태지간빈번절환，도치허의역간다차수거고패엄중영향망락 I/O 성능。위차，제출일충고성능적허의궤방화장설계방안。이용 SR-IOV 규범적고성능수거전수특성화대접수수거포적과려공능，사허의역직접여진실망잡교호。침대저특권급적허의역중방화장용역수도공격적문제，통과재고특권급적Xen중부서감공모괴，대허의역중적방화장진행실시감공。실험결과표명，응용SR-IOV망잡가사허의궤적망락I/O성능상대우Xen전통망락방문모식평균제고1배이상，병차구유감공모괴적Xen능방지방화장피비법방문화악의찬개，보증방화장적안전。
Aiming at the problem of low performance caused by frequent switching between user mode and kernel mode, multiple copies of data between the virtual domains through virtual network data transmission, this paper proposes a high performance virtual machine firewall, and it adopts the network packet filtering and high performance of SR-IOV to make virtual domain directly interact with the real network card. Aiming at the problem of vulnerable attack for a lower privilege level virtual domain firewall, it takes higher privilege level of Xen to real-time monitor the virtual machine firewall module and protect it from illegally accessing. Experimental results show that the deployment of SR-IOV network card in the virtual machine firewall makes the network I/O performance increase by 1 time compared with the Xen network I/O assess mode. The deployment of the monitor module in Xen can successfully prevent the firewall from unauthorized access and malicious tampering, and ensure the safety of the firewall.