Proceedings of International Conference on Applied Innovation in IT
2019/03/06, Volume 7, Issue 1, pp.23-29

Hardware Implementation of IP Packet Filtering in FPGA

Ana Cholakoska, Danijela Efnusheva, Marija Kalendar

Abstract: In the present rapid expansion of the number of computers and devices connected to the Internet, one of the top three issues that need to be addressed is the network security. The greater the number of connected users and devices, the attempts to invade privacy and data of connected users becomes more and more tempting to hostile users. Thus, network intrusion detection systems become more and more necessary and present in any network enabling Internet connections. This paper addresses the network security issues by implementing NIDS style hardware implementation for filtering network packets intended for faster packet processing and filtering. The hardware is based on several NIDS rules that can be programmed in the system's memory, thus enabling modularity and flexibility. The designed hardware modules are described in VHDL and implemented in a Virtex7 VC709 FPGA board. The results are discussed and analyzed in the paper and are presenting good foundation for further improvement.

Keywords: FPGA, IP Header Fields Extracting, IP Packet Filtering, Network IDS Systems

DOI: 10.25673/13478

Download: PDF


  1. B. Wheeler, "A new era of network processing,"LinleyGroup Bob Wheeler's White paper, 2013.
  2. P.C. Lekkas, "Network Processors: Architectures, Protocols and Platforms," McGraw-Hill Professional, 2013.
  3. R. Giladi, "Network Processors - Architecture, Programming and Implementation", Ben-Gurion University of the Negev and EZchip Technologies Ltd., 2008.
  4. J. Naous, G. Gibb, S. Bolouki, N. McKeown, "NetFPGA: reusable router architecture for experimental research", in Sigcomm Presto Workshop, 2008.
  5. B. Doud, "Accelerating the data plane with the Tilemx manycore processor", in Linley Data Center Conference, 2015.
  6. J. M. P. Cardoso, M. Hubner, "Reconfigurable Computing: From FPGAs to Hardware/Software Codesign", Springer-Verlag, 2011.
  7. G. Gibb, G. Varghese, M. Horowitz, N. McKeown, "Design principles for packet parsers", In ACM/IEEE Symposium on Architectures for Networking and Communications Systems, 2013, pp. 13–24.
  8. D. Efnusheva, A. Tentov, A. Cholakoska, M. Kalendar, "FPGA Implementation of IP Packet Header Parsing Hardware", In Proc. of the 5th International Conference on Applied Innovations in IT, (ICAIIT), 2017, pp. 33-41.
  9. J. Kořenek, "Hardware acceleration in computer networks". In 16th International Symposium on Systems, 2013.
  10. L. Kekely, V. Puš, J. Kořenek, "Software Defined Monitoring of application protocols", In IEEE Conference on Computer Communications, 2014, pp. 1725–1733.
  11. R. Bolla, R. Bruschi, C. Lombardo, F. Podda, "OpenFlow in the Small: A Flexible and Efficient Network Acceleration Framework for Multi-Core System", In IEEE Transactions on Network and Service Management, 2014, pp. 390-404.
  12. V. Puš, L. Kekely, J. Kořenek, "Design methodology of configurable high performance packet parser for FPGA", In 17th International Symposium on Design and Diagnostics of Electronic Circuits Systems, 2014, pp. 189-194.
  13. M. Attig, G. Brebner, "400 Gb/s Programmable Packet Parsing on a Single FPGA", In Seventh ACM/IEEE Symposium on Architectures for Networking and Communications Systems, 2011, pp. 12-23.
  14. G. Brebner, W. Jiang, "High-Speed Packet Processing using Reconfigurable Computing", In IEEE Micro, vol. 34, no. 1, 2014, pp. 8-18.
  15. S. Pontarelli, G. Bianchi, S. Teofil, "Traffic-aware Design of a High Speed FPGA Network Intrusion Detection System". In IEEE Transactions on Computers, Vol. 62, Issue: 11, 2013, pp. 2322 - 2334.
  16. R. Ajami, A. Dinh, "Embedded Network Firewall on FPGA", In Proc. of 8th 2011 International Conference on Information Technology: New Generations, 2011.
  17. S. Yusuf, W. Luk, M.K.N. Szeto, W. Osborne, "UNITE: Uniform hardware-based Network Intrusion deTection EngineS". In Proc. of ARC 2006: Reconfigurable Computing: Architectures and Applications, 2006, pp 389-400.
  18. I. Sourdis, V. Dimopoulos, D. Pnevmatikatos, S. Vassiliadis, "Packet Pre-filtering for Network Intrusion Detection". In Proc. of ANCS’06, 2006.
  19. A. Wicaksana, A. Sasongko, "Fast and Reconfigurable Packet Classification Engine in FPGA-Based Firewall", In Proc. of 2011 International Conference on Electrical Engineering and Informatics, 2011.
  20. J.F. Zazo, S. Lopez-Buedo, G. Sutter, J. Aracil, "Automated synthesis of FPGA-based packet filters for 100 Gbps network monitoring applications", In Proc. of 2016 International Conference on ReConFigurable Computing and FPGAs (ReConFig), 2016.



       - Final Paper Submission
       - Important Dates
       - Committee
       - Guest registration


       - Volume 8, Issue 1 (ICAIIT 2020)
       - Volume 7, Issue 1 (ICAIIT 2019)
       - Volume 7, Issue 2 (ICAIIT 2019)
       - Volume 6, Issue 1 (ICAIIT 2018)
       - Volume 5, Issue 1 (ICAIIT 2017)
       - Volume 4, Issue 1 (ICAIIT 2016)
       - Volume 3, Issue 1 (ICAIIT 2015)
       - Volume 2, Issue 1 (ICAIIT 2014)
       - Volume 1, Issue 1 (ICAIIT 2013)


       ICAIIT 2020
         - Photos
         - Reports

       ICAIIT 2019
         - Photos
         - Reports

       ICAIIT 2018
         - Photos
         - Reports





           ISSN 2199-8876
           Copyright © 2013-2020 Leonid Mylnikov. All rights reserved.