CA2169181A1 - Improved packet filtering for data networks - Google Patents
Improved packet filtering for data networksInfo
- Publication number
- CA2169181A1 CA2169181A1 CA002169181A CA2169181A CA2169181A1 CA 2169181 A1 CA2169181 A1 CA 2169181A1 CA 002169181 A CA002169181 A CA 002169181A CA 2169181 A CA2169181 A CA 2169181A CA 2169181 A1 CA2169181 A1 CA 2169181A1
- Authority
- CA
- Canada
- Prior art keywords
- target
- candidate
- field
- packet
- representative
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
- H04L45/745—Address table lookup; Address filtering
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4604—LAN interconnection over a backbone network, e.g. Internet, Frame Relay
- H04L12/462—LAN interconnection over a bridge based backbone
- H04L12/4625—Single bridge functionality, e.g. connection of two networks over a single bridge
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
An improved partial packet filter (10) for filtering data packets (210) in a computer network (12) wherein a candidate field (413) of the data packet (210) is hashed to a plurality of bit-wise subsets (636) each being an independent representation of the candidate field (413). Each of the bit-wise subsets (636) is compared to a reference hash table (644) which has been prepared in a preliminary operation series (514). The preliminary operation series (512) configures a plurality of target fields (714) to set selected memory locations (312) in the reference hash table (644).
Description
_ 2 1 6 9 1 8 1 PCT~S94/08~14 1 INPROVED PACRET FILTERING FOR DATA NETWOR~8 The present invention relates generally to the field 6 of computer science and more particularly to data networking 7 and component devices attached to data networks.
11 Computer networks are becoming increasingly common in 12 industry, education and the public sector. The media over 13 which data are carried generally carry data in units referred 14 to as "packets" which are destined for many different sources.
Addressing and packet typing are included in most st~nA~rdized 16 and proprietary packet based networking protocols which make 17 use of destination address fields at the beginning of and/or 18 within each data packet for the purpose of distinguishing 19 proper recipient(s) of the data of the packets. As a packet is received at intermediate and end components in a system, 21 rapid determination of the proper recipient(s) for the data 22 must be made in order to efficiently accept, forward, or 23 ~i~C~rd the data packet. Such determinations are made based 24 upon the above ~icrllcsed address, packet type and/or other fields within the relevant packets. These determinations can 26 be made by network controller hardware alone, by a combination 27 of hardware and software, or by software alone. In broadcast 28 type networks, every node is responsible for examining every 29 packet and accepting those "of interest", while rejecting all others. This is called "packet filtering". Accuracy, speed 31 and economy of the filtering mech~n;sm are all of importance.
32 When the above discussed determinations are made 33 through a combination of hardware and software, the hardware 34 is said to have accomplished a "partial filtering" of the incoming packet stream. It should be noted that one type of 36 packet filtering is accomplished on thç basis of packet error 37 characteristics such as collision fragments known as "runts", 38 frame check sequence errors, and the like. The type of 39 filtering relevant to the present discussion is based upon WO 9~ 5~ 6g~ PCT/US94/08514 1 packet filtering in which filtering criteria can be expressed 2 as simple Boolean functions of data fields within the packet 3 as opposed to filtering based upon detection of errors or 4 improperly formed packets.
In the simplest case, each node of a computer network 6 must capture those packets whose destination address field 7 matches the node's unique address. However there frequently 8 occur situations in which additional packets are also of 9 interest. One example occurs when the node belongs to a predefined set of nodes all of which simultaneously receive 11 certain specific "groupcast" packets which are addressed to 12 that group. Groupcast packets are usually identified by some 13 variation of the address field of the packet. Groupcast 14 address types generally fall into one of two forms.
"Broadcast" addresses are intended for all nodes and 16 "multicast" addresses are targeted for specific applications 17 to which subsets of nodes are registered. Another case of 18 such field-based packet filtering O~ur~ when certain network 19 management nodes are adapted to focus on specific protocols, inter-node transactions, or the like, to the exclusion of all 21 other traffic.
22 Attachment of a networked device to the network is 23 realized through a "controller" which operates independently 24 of the host processor. Packet filtering then G~ S in two successive stages beginning at the controller, which examines 26 packets in real-time. To accomplish this, the controller is 27 "conditioned" with an appropriate subset of the specified 28 filtering criteria, according to the filtering capabilities of 29 that controller. The controller classifies packets into three categories: Those not satisfying the filter criteria 31 ("rejects"); those satisfying the criteria ("exact matches");
32 and those possibly satisfying the criteria ("partial 33 matches"). Rejects are not delivered to the processor. Those 34 packets which are classified as exact or as possible matches are delivered, with appropriate indications of their 36 classification, to the device processor. The controller, 37 ideally, excludes as many unwanted packets as its capabilities 38 will allow, and the host processor (with the appropriate 39 software operating therein) completes the overall filtering W095/05~ 21 6 9 1 8 1 PCT~S94/08514 1 operation, as required. The value of filtering packets at the 2 controller level (the partial filtering) is that it reduces 3 the burden on the host processor.
4 Controller filtering implementations are constrained by the fact that they must process packets in real-time with 6 packet reception. This places a high value on filtering 7 me~hAnisms that can be implemented with a minimum amount of 8 logic and memory. Controller based filtering criteria are 9 contained in a target memory. In the case of exact ma~ching, a literal list of desired targets is stored-in the target 11 memory. While exact matching provides essentially perfect 12 filtering, it can be used in applications wherein there are 13 only a very small number of targets.
14 Partial filtering is employed when the potential lS number of targets is relatively large, such as is often the 16 case in multicast applications. A primary consideration is 17 the "efficiency" of the partial filter. Efficiency (E), in 18 this context, may be expressed as:
- E=Tn/Pn 22 where: Tn=the number of target packets of interest; and 23 Pn=the number of potential candidates delivered to 24 the processor.
An efficiency of E=1.0 represents an exact filtering 26 efficiency wherein every candidate is a desired target. This 27 is the efficiency of the filtering which occurs in the "exact 28 mat~hing" previously discussed herein. While exact filtering 29 efficiency is an objective, the previously mentioned constraints, including that the controller must do its 31 filtering in essentially real-time, will generally not allow 32 for such efficiency.
33 The predominant method used in the prior art for 34 partial packet filtering is "h~ch;ng". The process conventionally begins with the extraction from each received 36 packet of all fields involved in the specified filtering 37 criteria. The composite of such relevant fields is called the 38 "candidate field". Assuming an even distribution of candidate 39 fields (a situation that is not always literally accurate, but - 2 1 6 9 1 8 1 51 R~c'd P~ ' 1 O J U L l995 1 the assumption of which is useful for purposes of analysis), 2 there will be a potential number of packet candidates of 2cb, 3 where Cb is the number of bits in the candidate field. The 4 hashing function produces a reduction in the bit size of the candidate field according to a l~hARh; ~g function". As a part of 6 the initiation of the controller, the hAeh;ng function is applied 7 to each field of the target memory to assign a "target hash 8 value" to each such field. The controller memory is initialized 9 as a bit mask representing the set of target hash values. Then, during operation, a "candidate hash value" is created by applying 11 the hA~hing function to each candidate field. The candidate hash 12 value is used as a bit index into the controller memory, with a 13 match indicating a possible candidate.
14 As can be appreciated in light of the above discussion ~5 and from a general understAn~ing of simple hashing operations, 16 the hashing function has the effect of partitioning the 2cb 17 candidate possibilities into Mb groups (called "buckets"), where 18 Mb is the number of bits in the controller's target memory.
19 Because candidate packets that fall into the same bucket are not distinguished, a "hit" represents any of 2Cb/Mb candidates.
21 Useful hARhing functions will partition the candidate 22 possibilities in a roughly uniform distribution across the set 23 of Mb buckets. For a single target, the efficiency of such a 24 hARhing method is Mb/2Cb. If Tn desired targets are represented by Bn buckets (where Bn<=Tn and Bn<=Mb, the efficiency of such 6 a hashing method is:
28 E=Tn/(Bn2Cb/Mb)=TnMb/Bn2cb In exact matching, target memory could hold Mb/Cb 31 targets. ~ARh;ng is appropriate when the number of buckets (Bn) 32 is larger than this figure. However, effective hashing also 33 requires that the number of buckets be less than Mb, because as 34 target memory density increases there is less differentiationamong candidate fields. With the target memory full of hash 36 targets, Bn=Mb and the efficiency is Tn/2Cb.
4~ E~ EE~
W095/05~ 216918 I PCT~S94/08514 1 As can be appreciated, the described prior art 2 hAching method used for partial packet filtering implies a 3 loss of information in that a single hash value potentially 4 represents a large set of candidates. Clearly, it would be desirable to reduce such loss of data. Correspondingly, it 6 would desirable to maximize the filtering efficiency for a 7 given Mb or (or to minimize the Mb for a given filter 8 efficiency).
9 To the inventor's knowledge, no prior art method for partial packet filtering has improved efficiency or reduced ll data loss as compared to the conventional hAshing method 12 described above.
14 DISCLOSURE OF lNv~llON
16 Accordingly, it is an object of the present invention 17 to provide a method and means for efficiently performing a 18 partial filtering operation on data packets in a computer 19 network.
It is another object of the present invention to 21 provide a method and means for partial packet filtering which 22 rejects a maximum number of incoming packets which are not at 23 interest without requiring a large target memory and without 24 unduly slowing down the processing of incoming packets.
It is still another object of the present invention 26 to provide a partial packet filtering method and means which 27 is inexpensive to implement.
28 It is yet another object of the present invention to 29 provide a partial packet filtering method and means which will operate in real-time or near real-time.
31 It is still another object of the present invention 32 to provide a partial packet filtering method and means which 33 is adaptable to a variety of network system requirements.
34 Briefly, the preferred embodiment of the present invention implements multiple independent h~h;ng functions 36 applied in parallel to the candidate field of each packet.
37 The combined application of multiple independent h~hing 38 functions results in specification of a hash matrix, with each 39 coordinate of the hash matrix being the result of one of the W095/05~ ~69~ PCT~Sg4/085l4 1 hAching functions. The hash matrix includes the results of 2 different h~sh;ng algorithms applied to a single candidate 3 field, or the same h~h;ng function applied to different 4 subsets of the candidate field, or a combination thereof. The filter parameters consist of the set of acceptable result 6 values for each h~ch;ng operation.
7 An advantage of the present invention is that partial 8 packet filtering efficiency is improved, thereby freeing the 9 host processor from a substantial portion of the packet filtering operation.
11 Yet another advantage of the present invention is 12 that filtering efficiency is increased geometrically with an 13 increase in target memory.
14 Still another advantage of the present invention is that a minimum amount of target memory is required for a 16 specific target efficiency.
17 Yet another advantage of the present invention is 18 that the partial packet filtering can be performed in a 19 minimum amount of time for a given target efficiency.
These and other objects and advantages of the present 21 invention will become clear to those skilled in the art in 22 view of the description of the best presently known modes of 23 carrying out the invention and the industrial applicability of 24 the preferred emho~;ments as described herein and as illustrated in the several figures of the drawing.
29 Fig. 1 is a block diagram depicting a portion of a computer network with an improved partial packet filter 31 according to the present invention in place therein;
32 Fig. 2 is a diagrammatic representation of a 33 conventional prior art Ethernet data packet;
34 Fig. 3 is diagrammatic representation of a hash table;
36 Fig. 4 is a flow chart showing a conventional prior 37 art partial packet filtering operation;
38 Fig. 5 is a block depiction of a partial packet' 39 filtering method according to the present invention;
~O95/05~ 2 1 C 9 1 ~ ~ PCT~Sg4/085l4 1 Fig. 6 is a flow chart, similar to the chart of Fig.
2 4, depicting the packet processing operation series of Fig. 5;
3 and 4 Fig. 7 is a flow chart depicting the preliminary operation series of Fig. 5.
7 BEST MODE FOR CARRYING OUT lN V~N'l'lON
9 The best presently known mode for carrying out the invention is a partial packet filter for implementation in a 11 personal computer resident Ethernet controller. The 12 predominant expected usage of the inventive im~uved packet 13 filter is in the interconnection of computer devices, 14 particularly in network environments where there are relatively few targets.
16 The improved partial packet filter of the presently 17 preferred embodiment of the present invention is illustrated 18 in a block diagram in Fig. 1 and is designated therein by the 19 reference character 10. In the diagram of Fig. 1, the im~ovad partial packet filter 10 is shown configured as part 21 of a network system 12 (only a portion of which is shown in 22 the view of Fig. 1). In many respects, the best presently 23 known emho~iment 10 of the present invention is structurally 24 not unlike conventional partial packet filter mechAnisms.
Like prior art conventional partial packet filters, the best 26 presently known embodiment 10 of the present invention has a 27 controller 14 with an associated target memory 16. In the 28 example of Fig. 1, the improved partial packet filter 10 29 receives data from a network node 18 and performs the inventive improved packet filtering process on such data 31 before passing selected portions of the data on to a host 32 processor 18 to which the improved partial packet filter 10 is 33 dedicated.
34 Fig. 2 is a diagrammatic representation of a conventional Ethernet data packet 210. The standardized 36 Ethernet packet 210 has a preamble 212 which is 64 bits in 37 length, a destination address 214 which is 48 bits in length, 38 a source address 216 which is 48 bits in length, a length/type 39 field 218 which is 16 bits in length and a data field 220 ?,~69~
W095/0~ PCT~S94/08514 1 which is variable in length from a minimum of 46 eight bit 2 bytes to a maximum of 1500 bytes. Following the data field 3220 in the packet 210 is a 4 byte (32 bit) frame sequence 4check ("FCS") 222. The packet 210 is transmitted serially 5beginning at a "head" 224 and ending at a "tail" 226 thereof.
6The preamble 212, destination address 214, source address 216 7 and length/type field 218 are collectively referred to as the 8 header 219.
9Fig. 3 is a diagrammatic representation of a conventional single dimensional hash table 310 with which one 11 skilled in the art will be familiar. The hash table 310 has a 12 plurality of address locations 312 each of which can be "set"
13 (set to 1) or left unset (set to zero).
14Fig. 4 is a flow diagram depicting the operation of a conventional prior art partial packet filtering operation 410.
16 As previously discussed briefly, a packet 2io (Fig. 2) is 17received (receive packet operation 412) from the network 18 18(Fig. 1) and a candidate field 413 (such as the header 219 of 19 the packet 210) is extracted (extract candidate field 20operation 414). A h~h;ng operation 416 is performed on the 21extracted candidate field 413 to produce a hash value 417 and 22the hash value 417 is compared to the hash table 310 (Fig. 3) 23 stored in the target memory 16 (Fig. 1) in a comparison 24operation 418. If the result of the comparison operation 418 is a match, the packet 210 is forwarded in a forward packet 26operation 420. If the result of the comparison operation 418 27is not a match, the packet 210 is rejected 422 in a reject 28 packet operation. It should be remembered that the use of the 29 header 219 here is an example only, and any portion or combined portions of the packet 210 might constitute the 31 candidate field 413 in a given application.
32Fig. 5 is a flow diagram depicting the inventive 33 improved packet filtering process 510. The improved packet 34 filtering process 510 is accomplished in a preliminary 35operation series 512 and a packet processing operation 514, 36 each of which is repeated as required, as will be ~icç~s~
37 hereinafter. The preliminary operation series 512 is 38 accomplished according to software residing in the host 39processor 20 (Fig. 1) to configure the target memory 16 (Fig.
- 2l69l8l ;,PC~/US 94108514 /PT~ I ~^J~J 'JL iS9 1 1) as will be discussed hereinafter. It should be noted that the 2 fact that the improved packet filtering process 510 is divided 3 into the two main operation categories (the preliminary operation 4 series 512 and the packet processing operation 514) does not distinguish this invention over the prior art. Rather, the 6 processes within the preliminary operation series 512 and the 7 packet processing operation 514 describe the essence of the 8 inventive process.
9 Fig. 6 is a flow chart showing the inventive packet processing operation 514 in a manner analogous to the 11 presentation of the prior art partial packet filtering operation 12 410 depicted in Fig. 4. As can be seen in the view of Fig. 6, 13 the packet processing operation series 514 is similar in many 4 respects to the prior art partial packet filtering process 410 i5 (Fig. 4). In the packet processing operation series 514, a 16 packet 210 (Fig. 2) is received (receive packet operation 412) 17 and a candidate field 413 iS extracted in an extract candidate 18 field operation 414. In the best presently known embodiment 10 19 of the present invention, the inventive packet processing operation series 51~ next performs a candidate field reduction 21 operation 626. In the best presently known embodiment 10 of the 22 present invention, the candidate field reduction operation 626 23 is merely the application of the conventional CRC polynomial 24 algorithm to the candidate field 413 to yield a 32 bit CRC output ~5 value 628 (although any of a number of similar algorithms might 6 be applied for this purpose). Next, a subset selection operation 27 630 selects a predetermined number (two in the example of Fig.
28 6) of bit-wise subsets 636 from the CRC output value 628. The 29 method for determining the quantity of bit-wise subsets 636 to be selected in the subset selection operation 630, and the size 31 of each, will be discussed hereinafter. In the best presently 32 known embodiment 10 of the present invention, the bit-wise 33 subsets 636 are each 6 bits in length. It should be noted that, 34 in the best presently known embodiment lo of the present invention, the bit-wise subsets 636 are selected from the CRC
36 output value 628 simply by taking the first 6 bits of the CRC
37 output value 628, the second six bits, and so on until as many 38 bit-wise subsets as are needed are obtained and so, in the best 39 presently known embodiment 10 of the present invention, the bit ~ME~I~ED SHE~r 2169i8J 51R~c'dP~T/~TO IOJU-1935 1 wise subsets 636 are 'consecutive bit sections" of the fixed size 2 field (the CRC output value 628 in the best presently known 3 embodiment 10 of the present invention. The inventors have 4 determined that the bits of the CRC output value 628 (resulting from the CRC polynomial function) are independent of each other, 6 and so any 6 bit portion of the CRC output value 628 is as 7 representative of the CRC output value 628 as is any other 6 bit 8 portion.
9 The bit-wise subsets 636 are then compared to the hash table 310 (Fig. 3) stored in the target memory 16 (Fig. 1) in a 11 comparison operation 618. The combined multiple hash values 636 12 may be considered to be a hash matrix 638 (in the example of Fig.
13 6, a two dimensional hash matrix 638).
4 It is important to note that the essence of the present inventive method lies in the extraction of the plurality of 16 independent or relatively independent representative indices of 17 the candidate field 413 (~candidate field indicesn) which, in the 18 example of the best presently known embodiment 10 of the present 19 invention are the bit-wise subsets 636 which make up the hash matrix 638. That is, the bit-wise subsets 636 are representative 21 of the candidate field 413, as discussed above. The generally 22 simultaneous (parallel) processing of these is the source of the 23 advantages of the present inventive method and means. The exact 24 method described herein in relation to the best presently known ~5 embodiment 10 of the present invention, that of first reducing ~6 the candidate field 413 in the candidate field reduction 27 operation 626 and then extracting the bit-wise subsets 636 is but 28 one of many potential methods for accomplishing such a parallel 29 h~ch;ng operation 639, and the present invention is not intended to be limited by this aspect of the best presently known 31 embodiment 10.
32 In the best presently known embodiment 10 of the 33 present invention, in a comparison operation 6~2, each of the 34 bit-wise subsets 636 is compared to a reference hash table 6~
(a "target hash array") which is stored in the target memory 16 36 (Fig. 1) and only if all match is the packet 210 forwarded in a 37 packet forwarding operation 6~6. In the example of Fig. 6, the 38 reference hash table 644 will be a 64 element array representing 39 all values from 0 through 63 inclusive. Some elements of the AMENDE~ S~EE~
-- 2169181 5l ~c'd PCT/PTO IO JU1~33~
1 reference hash table 644 are set as will be discussed hereinafter 2 in relation to the preliminary operation series 512. If the 3 value of the bit-wise subset "falls into one of the buckets" (is 4 equivalent to a corresponding set bit in the reference hash table 644), then the data packet 210 is defined as being a Umatch'.
6 Now returning to a consideration of the preliminary 7 operation series 512 (Fig. 5) with an underst~n~ing of the packet 8 processing operation series 514, the target memory 16 is 9 configured in process steps much like those described in relation to the packet processing operation series 51~ of Fig. 6.
11 Fig. 7 is a flow diagram of the preliminary operation 12 series 514 according to the best presently known embodiment 10 13 of the present invention. A preliminary operation which is 4 common to both the prior art and the present invention is a target field(s) selection process 712. The target (field)s 16 selection process is merely the selection of criteria to which 17 incoming packets 210 are to be compared. For example, if the 18 entire process is to be on the basis of desired destinations, 19 then an intended destination address 214 (Fig. 2) will be (one of) the target field(s) 71~, and if three destinations are of 21 interest, then there will be three target fields 714 as 22 illustrated in the example of Fig. 7. The actual process 23 involved in selecting the target field(s) is a function of 24 network control software which is found in the prior art and ~5 which is not relevant to the present invention except to the ~6 extent that it delivers the target field(s) 714 to the inventive 27 preliminary operation series 512.
28 Having determined the quantity of target fields 714 of 29 interest, host software will next determine a bit-wise subset quantity 716 (the appropriate subset quantity of bit-wise 31 subsets 636) in a bit-wise subset quantity determination 32 operation 718. The bit-wise subset quantity determination 33 operation 718 will be discussed in more detail hereinafter, as 34 it can be better understood in light of the present description of the entire preliminary operation series 512. For the present 36 simplified example of Figs. 6 and 7, and as already mentioned, 37 the bit-wise subset quantity 716 is two. That is, two of the 38 bit-wise subsets 636 are to be extracted from the CRC output 39 value 628 in the subset selection operation 630 of Fig. 6.
4~ 1D'~ SHE~
P~TJU~ 9 4 / 0 8 5 1 4 2169181 51 Rec'dPCT/P~O I0JULl995 1 As can be appreciated, the target fields 714 are each 2 equivalent in form to the candidate fields 413 discussed 3 previously herein, and processing of the target fields 714 is 4 much the same as has been previously described herein in relation to the candidate fields 413. In the inventive preliminary 6 operation series 512, each of the target fields 714 is processed 7 in a target field reduction operation 726 by application of the 8 CRC polynomial to produce a target CRC value 728. Each of the 9 target CRC values 728 is then processed in a target subset selection operation 730 to produce a plurality (two for each 11 target CRC value 728 for a total of six, in the present example) 12 of target bit-wise subsets 736. In more general terms, each of 13 the "target fields 71~ (having been selected according to prior ~4 art methods, as discussed previously herein) is processed as lS described to produce a "target representative field~ (the target 16 CRC value 728 in the present example), which is then further 17 processed as described to produce the target representative field 18 and which are, in the present example, the target bit-wise 19 subsets 736. This process is alike to the process which is repeated as necessary to process each incoming data packet 210, 21 wherein the candidate fields 413 are processed to produce a 22 candidate representative field (the CRC output value 628 in the 23 present example), which is further processed to produce the 24 "candidate string subsets" (the bit-wise subsets 636 in the ~S present example). The quantity of target bit-wise subsets 736 ~6 taken from each target CRC value 728 is also the bit-wise subset 27 quantity 716 (two, in the present example). It should be noted 28 that a target parallel hashing operation 739 is like the 29 previously described parallel h~ching operation 639 in that the invention might be practiced with variations of the specific 31 steps therein which are presented here as features of the best 32 presently known embodiment 10 of the present invention.
33 In a target memory setting operation 740 the reference 34 hash table 644 is formatted such that each memory location 312 corresponding to a value of any of the target bit-wise subsets 36 736 is set. For example, if the first target bit-wise subset 37 736~ were "000010" (decimal value 2) then the third memory 38 location 312c in the reference hash table 644 would be set to 39 "1", as is illustrated in Fig. 7. As can be appreciated from the AMENDED SHEET
-- 21691 PCT/US 9410851 ~
8 1 51 R ~ G d P C ~ , . . , . ~ 3 1 above discussion, the maximum number of memory locations 312 in 2 the reference hash table 644 which can be set by this process is3 the quantity of target bit-wise subsets 736 (six, in the present4 example). However, since two or more of the target bit-wise subsets might coincidentally hash to the same value, a lesser 6 quantity of memory locations 312 might also be set.
7 Now returning to a more detailed discussion of the 8 bit-wise subset quantity determination operation 718, the target9 memory 16 is to be configured to maximize the effectiveness of the filtering based on the quantity of multicast packets 210 of 11 interest to the software of the host processor 20. Therefore, 12 the bit-wise subset quantity determination operation 718 attempts 13 to determine (or, at least, to approximate) an optimal number 4 of indices per packet 210 (and, thus, the bit-wise subset quantity 716 ~iccll~ce~ previously herein). The "optimal" number 16 here means that which will minimize the number of "uninteresting"
17 packets 210 which match the set data bits 312 in the reference 18 hash table 644 while matching all of the "interesting" packets 19 210. In the best presently known embodiment 10 of the present invention, the following table is used to determine the bit- wise 21 subset quantity 716.
23 T~RT.F OF SUR.~:~T OU~NTTTTF~.';
24Addresses of Number of Hash Indices ~5Interest (Bit-Wise Subset Quantity 716) ~6 1-2 5 3017 or more 32 The above table is offered here as a guide only, in 33 that the "optimal" number of selected hash indices may vary in 34 ways not presently contemplated. Furthermore, it should be noted that the above table is based upon an assumption that none of the 36 target indices (the target bitwise subsets 736 in the best 37 presently known embodiment 10 of the present invention) hash to 38 the same memory locations 312 in the reference hash table 644.
39 If, indeed, two or more of the target bit-wise subsets 736 did ~Mt~DDSHE~
51 Rec'd PCT, 1~ 1 0 J UL 1995 - 13a 1 hash to the same memory location 312, then additional hash 2 indices could be added to increase efficiency without sacrificing 3 speed or requiring additional memory or processing.
4 It should be noted that while the packet processing operation series 514 is accomplished in the hardware of the best 6 presently known embodiment 10 of the present invention, the 7 preliminary operation series (which can be accomplished at a more 8 leisurely pace) is performed primarily by software of the host 9 processor 20. As can be appreciated in light of the above discussion, the preliminary operation series 512 will be repeated 11 when the network 12 is reconfigured, when it is desired to 12 communicate with additional members of the network 12, or upon 13 other occasions according to the needs of the user and the '4 network 12. The packet processing operation series 51 AMENDE~ ~FFT
~,N095/Oj~ 216 9181 PCT~S94/08514 1 514 will be repeated whenever an incoming packet 210 is 2 detected from the network node 18.
3 It should also be noted that, while the best 4 presently known embodiment 10 of the present invention hAchPF
each of the CRC values 628 and 728 to a common reference hash 6 table 644, the invention might be practiced with equal 7 efficiency by h~shing each of the CRC values 628 and 728 to 8 its own individual hash table (not shown). Using the 9 quantities of the example of Figs. 6 and 7, each of the individual hash tables would be 32 bits (memory locations 312) 11 large (one half of 64 bits, since it must be divided between 12 the two target CRC values 728). The individual bit-wise 13 subsets 636 and 736 would then be 5 bits long (decimal value 0 14 through 31).
Various modifications may be made to the inventive 16 improved packet filter 10 without altering its value or scope.
17 For example, the guantity, size, and derivation of the 18 plurality of bit-wise subsets 636 and 738 could readily be 19 revised according to the parameters discussed herein.
All of the above are only some of the examples of 21 available embodiments of the present invention. Those skilled 22 in the art will readily observe that numerous other 23 modifications and alterations may be made without departing 24 from the spirit and scope of the invention. Accordingly, the above disclosure is not intended as limiting and the appended 26 claims are to be interpreted as encompassing the entire scope 27 of the invention.
31 The improved partial packet filter 10 is adapted to 32 be widely used in computer network communications. The 33 predominant current usages are for the interconnection of 34 computers and computer peripheral devices within networks and for the interconnection of several computer networks.
36 The improved partial packet filters 10 of the present 37 invention may be utilized in any application wherein 38 conventional computer interconnection devices are used. A
39 significant area of improvement is in the inclusion of the _vo ~;c '~ 21 6 9 1 8 1 PCT~S94/08514 1 parallel processing of a plurality of indices (bit-wise 2 subsets 636) of a packet 210.
3 The efficiency of the filtering provided by the 4 improved partial packet filter 10 is significantly improved, particularly for cases where the number of targets is small 6 relative to the number of "buckets" (memory locations 312).
7 To compare the efficiency of the present inventive improved 8 packet filtering process 510 embodied in the improved partial 9 packet filter 10 with the prior art partial packet filtering process 410, assume, for example, the following`values:
12 Mb=64 (representing 64 memory locations 312 in 13 the reference hash table 644) 14 Cb=48 (representing a 48 bit candidate field 413 size - a typical size of the destination 16 address 214 17 Dn=4 (representing a bit-wise subset quantity 716 18 of four) Then, the prior art partial packet filtering process 21 410 will partition the 2cb possibilities among 64 distinct 22 buckets, one of which matches the bucket into which the single 23 target falls. In the improved packet filtering process 510, 24 the four parallel h~hing functions partition among 16 possible buckets each. The efficiency (Ef) for the prior art 26 partial packet filtering process 410 would then be:
28 Ef=64/248=l/242 The efficiency (Ef4) for this example of the improved 31 packet filtering process 510 is:
33 Ef4=644/(44*248)=1/232 The efficiency Ef4 is better than the efficiency Ef 36 by a factor of 21 (1024), which i6 to say that only a 37 thousandth as many (uninteresting) packets will be delivered 38 to the next stage of filtering using the inventive improved 39 partial packet filter 10 as compared to the prior art.
WOg5/05~4 PCT~S94/08514 __ ` 216gl~,l 1 Filtering of packets may be accomplished through a 2 combination of exact and partial match filters. Typically, 3 one or more partial filterings will occur first, with the 4 multiple dimensions of each filtering accomplished in parallel with each other (according to the present invention). Packets 6 which pass through the inventive improved partial packet 7 filter 10 may then be filtered using an exact match filter 8 techn;que, such as "binary search lookup" of the filter data 9 in a sorted table of acceptable filter data values.
Furthermore, results of partial filtering can be used to 11 determine which of many (possibly sorted) tables in which to 12 search for the packet.
13 Accordingly, the inventive improved packet filtering 14 process 510 may be applied more than once to each incoming packet 210 (in a first stage and a second stage). In such an 16 example, configuration of the first stage partial filtering 17 would involve specification of the number and type of h~ching 18 operations to be performed, along with the portion of the 19 packet which is to comprise the filter data for each such operation, along with acceptable results for each. Multiple 21 partial filterings may be configured with the specification 22 including the logical relation to apply to the results of each 23 filtering. For example, partial filtering A might be to apply 24 the 32 bit CRC polynomial to the destination address field of an Ethernet packet, and retain the lowest order 3 bits - a 26 value from 0 to 7. Partial filtering B might be to apply the 27 32 bit CRC polynomial to the source address field of the 28 Ethernet packet, and retain the lowest order 3 bits. The 29 logical relation might be to accept packets only for which the results of the first filtering (A) is either 2 or 4, and the 31 result of the second filtering (B) is either a 3 or a 4. In a 32 general case, one may expect the likelihood of arbitrarily 33 filter data to "pass" the first filtering to be 2 in 8 (25%), 34 since 2 of the 8 values from 0 to 7 are acceptable.
Similarly, the likelihood of the second filtering "passing"
36 such a filter is 2 in 8 (25%). Assuming that the two 37 filterings are, as desired, truly independent, the likelihood 38 of this arbitrary packet being accepted is the product of 39 these, or 1 in 16. Note further that the specification of _ NO55/15~ 21 691 81 PCT~S94/08514 1 these "acceptable result sets" ({2,4} for A and {3,4} for B) 2 requires 16 bits of information for full specification, where 3 8 bits indicate the acceptability/unacceptability of each of 4 the 8 possible values of filtering A, and 8 additional bits indicate the acceptability/unacceptability of each of the 8 6 possible values of filtering B. Use of such multiple partial 7 filterings may be especially effective in situations where 8 filtering criteria are derived from independent portions of 9 the filter data, such as filtering for all packets whose destination address OR whose source address is within a set of 11 interesting addresses AND whose packet type indicates a 12 particular protocol of interest.
13 Since the improved partial packet filters of the 14 present invention may be readily constructed and are compatible with existing computer eguipment it is expected 16 that they will be acceptable in the industry as substitutes 17 for conventional means and methods presently employed for 18 partial packet filtering. For these and other reasons, it is 19 expected that the utility and industrial applicability of the invention will be both significant in scope and long-lasting 21 in duration.
11 Computer networks are becoming increasingly common in 12 industry, education and the public sector. The media over 13 which data are carried generally carry data in units referred 14 to as "packets" which are destined for many different sources.
Addressing and packet typing are included in most st~nA~rdized 16 and proprietary packet based networking protocols which make 17 use of destination address fields at the beginning of and/or 18 within each data packet for the purpose of distinguishing 19 proper recipient(s) of the data of the packets. As a packet is received at intermediate and end components in a system, 21 rapid determination of the proper recipient(s) for the data 22 must be made in order to efficiently accept, forward, or 23 ~i~C~rd the data packet. Such determinations are made based 24 upon the above ~icrllcsed address, packet type and/or other fields within the relevant packets. These determinations can 26 be made by network controller hardware alone, by a combination 27 of hardware and software, or by software alone. In broadcast 28 type networks, every node is responsible for examining every 29 packet and accepting those "of interest", while rejecting all others. This is called "packet filtering". Accuracy, speed 31 and economy of the filtering mech~n;sm are all of importance.
32 When the above discussed determinations are made 33 through a combination of hardware and software, the hardware 34 is said to have accomplished a "partial filtering" of the incoming packet stream. It should be noted that one type of 36 packet filtering is accomplished on thç basis of packet error 37 characteristics such as collision fragments known as "runts", 38 frame check sequence errors, and the like. The type of 39 filtering relevant to the present discussion is based upon WO 9~ 5~ 6g~ PCT/US94/08514 1 packet filtering in which filtering criteria can be expressed 2 as simple Boolean functions of data fields within the packet 3 as opposed to filtering based upon detection of errors or 4 improperly formed packets.
In the simplest case, each node of a computer network 6 must capture those packets whose destination address field 7 matches the node's unique address. However there frequently 8 occur situations in which additional packets are also of 9 interest. One example occurs when the node belongs to a predefined set of nodes all of which simultaneously receive 11 certain specific "groupcast" packets which are addressed to 12 that group. Groupcast packets are usually identified by some 13 variation of the address field of the packet. Groupcast 14 address types generally fall into one of two forms.
"Broadcast" addresses are intended for all nodes and 16 "multicast" addresses are targeted for specific applications 17 to which subsets of nodes are registered. Another case of 18 such field-based packet filtering O~ur~ when certain network 19 management nodes are adapted to focus on specific protocols, inter-node transactions, or the like, to the exclusion of all 21 other traffic.
22 Attachment of a networked device to the network is 23 realized through a "controller" which operates independently 24 of the host processor. Packet filtering then G~ S in two successive stages beginning at the controller, which examines 26 packets in real-time. To accomplish this, the controller is 27 "conditioned" with an appropriate subset of the specified 28 filtering criteria, according to the filtering capabilities of 29 that controller. The controller classifies packets into three categories: Those not satisfying the filter criteria 31 ("rejects"); those satisfying the criteria ("exact matches");
32 and those possibly satisfying the criteria ("partial 33 matches"). Rejects are not delivered to the processor. Those 34 packets which are classified as exact or as possible matches are delivered, with appropriate indications of their 36 classification, to the device processor. The controller, 37 ideally, excludes as many unwanted packets as its capabilities 38 will allow, and the host processor (with the appropriate 39 software operating therein) completes the overall filtering W095/05~ 21 6 9 1 8 1 PCT~S94/08514 1 operation, as required. The value of filtering packets at the 2 controller level (the partial filtering) is that it reduces 3 the burden on the host processor.
4 Controller filtering implementations are constrained by the fact that they must process packets in real-time with 6 packet reception. This places a high value on filtering 7 me~hAnisms that can be implemented with a minimum amount of 8 logic and memory. Controller based filtering criteria are 9 contained in a target memory. In the case of exact ma~ching, a literal list of desired targets is stored-in the target 11 memory. While exact matching provides essentially perfect 12 filtering, it can be used in applications wherein there are 13 only a very small number of targets.
14 Partial filtering is employed when the potential lS number of targets is relatively large, such as is often the 16 case in multicast applications. A primary consideration is 17 the "efficiency" of the partial filter. Efficiency (E), in 18 this context, may be expressed as:
- E=Tn/Pn 22 where: Tn=the number of target packets of interest; and 23 Pn=the number of potential candidates delivered to 24 the processor.
An efficiency of E=1.0 represents an exact filtering 26 efficiency wherein every candidate is a desired target. This 27 is the efficiency of the filtering which occurs in the "exact 28 mat~hing" previously discussed herein. While exact filtering 29 efficiency is an objective, the previously mentioned constraints, including that the controller must do its 31 filtering in essentially real-time, will generally not allow 32 for such efficiency.
33 The predominant method used in the prior art for 34 partial packet filtering is "h~ch;ng". The process conventionally begins with the extraction from each received 36 packet of all fields involved in the specified filtering 37 criteria. The composite of such relevant fields is called the 38 "candidate field". Assuming an even distribution of candidate 39 fields (a situation that is not always literally accurate, but - 2 1 6 9 1 8 1 51 R~c'd P~ ' 1 O J U L l995 1 the assumption of which is useful for purposes of analysis), 2 there will be a potential number of packet candidates of 2cb, 3 where Cb is the number of bits in the candidate field. The 4 hashing function produces a reduction in the bit size of the candidate field according to a l~hARh; ~g function". As a part of 6 the initiation of the controller, the hAeh;ng function is applied 7 to each field of the target memory to assign a "target hash 8 value" to each such field. The controller memory is initialized 9 as a bit mask representing the set of target hash values. Then, during operation, a "candidate hash value" is created by applying 11 the hA~hing function to each candidate field. The candidate hash 12 value is used as a bit index into the controller memory, with a 13 match indicating a possible candidate.
14 As can be appreciated in light of the above discussion ~5 and from a general understAn~ing of simple hashing operations, 16 the hashing function has the effect of partitioning the 2cb 17 candidate possibilities into Mb groups (called "buckets"), where 18 Mb is the number of bits in the controller's target memory.
19 Because candidate packets that fall into the same bucket are not distinguished, a "hit" represents any of 2Cb/Mb candidates.
21 Useful hARhing functions will partition the candidate 22 possibilities in a roughly uniform distribution across the set 23 of Mb buckets. For a single target, the efficiency of such a 24 hARhing method is Mb/2Cb. If Tn desired targets are represented by Bn buckets (where Bn<=Tn and Bn<=Mb, the efficiency of such 6 a hashing method is:
28 E=Tn/(Bn2Cb/Mb)=TnMb/Bn2cb In exact matching, target memory could hold Mb/Cb 31 targets. ~ARh;ng is appropriate when the number of buckets (Bn) 32 is larger than this figure. However, effective hashing also 33 requires that the number of buckets be less than Mb, because as 34 target memory density increases there is less differentiationamong candidate fields. With the target memory full of hash 36 targets, Bn=Mb and the efficiency is Tn/2Cb.
4~ E~ EE~
W095/05~ 216918 I PCT~S94/08514 1 As can be appreciated, the described prior art 2 hAching method used for partial packet filtering implies a 3 loss of information in that a single hash value potentially 4 represents a large set of candidates. Clearly, it would be desirable to reduce such loss of data. Correspondingly, it 6 would desirable to maximize the filtering efficiency for a 7 given Mb or (or to minimize the Mb for a given filter 8 efficiency).
9 To the inventor's knowledge, no prior art method for partial packet filtering has improved efficiency or reduced ll data loss as compared to the conventional hAshing method 12 described above.
14 DISCLOSURE OF lNv~llON
16 Accordingly, it is an object of the present invention 17 to provide a method and means for efficiently performing a 18 partial filtering operation on data packets in a computer 19 network.
It is another object of the present invention to 21 provide a method and means for partial packet filtering which 22 rejects a maximum number of incoming packets which are not at 23 interest without requiring a large target memory and without 24 unduly slowing down the processing of incoming packets.
It is still another object of the present invention 26 to provide a partial packet filtering method and means which 27 is inexpensive to implement.
28 It is yet another object of the present invention to 29 provide a partial packet filtering method and means which will operate in real-time or near real-time.
31 It is still another object of the present invention 32 to provide a partial packet filtering method and means which 33 is adaptable to a variety of network system requirements.
34 Briefly, the preferred embodiment of the present invention implements multiple independent h~h;ng functions 36 applied in parallel to the candidate field of each packet.
37 The combined application of multiple independent h~hing 38 functions results in specification of a hash matrix, with each 39 coordinate of the hash matrix being the result of one of the W095/05~ ~69~ PCT~Sg4/085l4 1 hAching functions. The hash matrix includes the results of 2 different h~sh;ng algorithms applied to a single candidate 3 field, or the same h~h;ng function applied to different 4 subsets of the candidate field, or a combination thereof. The filter parameters consist of the set of acceptable result 6 values for each h~ch;ng operation.
7 An advantage of the present invention is that partial 8 packet filtering efficiency is improved, thereby freeing the 9 host processor from a substantial portion of the packet filtering operation.
11 Yet another advantage of the present invention is 12 that filtering efficiency is increased geometrically with an 13 increase in target memory.
14 Still another advantage of the present invention is that a minimum amount of target memory is required for a 16 specific target efficiency.
17 Yet another advantage of the present invention is 18 that the partial packet filtering can be performed in a 19 minimum amount of time for a given target efficiency.
These and other objects and advantages of the present 21 invention will become clear to those skilled in the art in 22 view of the description of the best presently known modes of 23 carrying out the invention and the industrial applicability of 24 the preferred emho~;ments as described herein and as illustrated in the several figures of the drawing.
29 Fig. 1 is a block diagram depicting a portion of a computer network with an improved partial packet filter 31 according to the present invention in place therein;
32 Fig. 2 is a diagrammatic representation of a 33 conventional prior art Ethernet data packet;
34 Fig. 3 is diagrammatic representation of a hash table;
36 Fig. 4 is a flow chart showing a conventional prior 37 art partial packet filtering operation;
38 Fig. 5 is a block depiction of a partial packet' 39 filtering method according to the present invention;
~O95/05~ 2 1 C 9 1 ~ ~ PCT~Sg4/085l4 1 Fig. 6 is a flow chart, similar to the chart of Fig.
2 4, depicting the packet processing operation series of Fig. 5;
3 and 4 Fig. 7 is a flow chart depicting the preliminary operation series of Fig. 5.
7 BEST MODE FOR CARRYING OUT lN V~N'l'lON
9 The best presently known mode for carrying out the invention is a partial packet filter for implementation in a 11 personal computer resident Ethernet controller. The 12 predominant expected usage of the inventive im~uved packet 13 filter is in the interconnection of computer devices, 14 particularly in network environments where there are relatively few targets.
16 The improved partial packet filter of the presently 17 preferred embodiment of the present invention is illustrated 18 in a block diagram in Fig. 1 and is designated therein by the 19 reference character 10. In the diagram of Fig. 1, the im~ovad partial packet filter 10 is shown configured as part 21 of a network system 12 (only a portion of which is shown in 22 the view of Fig. 1). In many respects, the best presently 23 known emho~iment 10 of the present invention is structurally 24 not unlike conventional partial packet filter mechAnisms.
Like prior art conventional partial packet filters, the best 26 presently known embodiment 10 of the present invention has a 27 controller 14 with an associated target memory 16. In the 28 example of Fig. 1, the improved partial packet filter 10 29 receives data from a network node 18 and performs the inventive improved packet filtering process on such data 31 before passing selected portions of the data on to a host 32 processor 18 to which the improved partial packet filter 10 is 33 dedicated.
34 Fig. 2 is a diagrammatic representation of a conventional Ethernet data packet 210. The standardized 36 Ethernet packet 210 has a preamble 212 which is 64 bits in 37 length, a destination address 214 which is 48 bits in length, 38 a source address 216 which is 48 bits in length, a length/type 39 field 218 which is 16 bits in length and a data field 220 ?,~69~
W095/0~ PCT~S94/08514 1 which is variable in length from a minimum of 46 eight bit 2 bytes to a maximum of 1500 bytes. Following the data field 3220 in the packet 210 is a 4 byte (32 bit) frame sequence 4check ("FCS") 222. The packet 210 is transmitted serially 5beginning at a "head" 224 and ending at a "tail" 226 thereof.
6The preamble 212, destination address 214, source address 216 7 and length/type field 218 are collectively referred to as the 8 header 219.
9Fig. 3 is a diagrammatic representation of a conventional single dimensional hash table 310 with which one 11 skilled in the art will be familiar. The hash table 310 has a 12 plurality of address locations 312 each of which can be "set"
13 (set to 1) or left unset (set to zero).
14Fig. 4 is a flow diagram depicting the operation of a conventional prior art partial packet filtering operation 410.
16 As previously discussed briefly, a packet 2io (Fig. 2) is 17received (receive packet operation 412) from the network 18 18(Fig. 1) and a candidate field 413 (such as the header 219 of 19 the packet 210) is extracted (extract candidate field 20operation 414). A h~h;ng operation 416 is performed on the 21extracted candidate field 413 to produce a hash value 417 and 22the hash value 417 is compared to the hash table 310 (Fig. 3) 23 stored in the target memory 16 (Fig. 1) in a comparison 24operation 418. If the result of the comparison operation 418 is a match, the packet 210 is forwarded in a forward packet 26operation 420. If the result of the comparison operation 418 27is not a match, the packet 210 is rejected 422 in a reject 28 packet operation. It should be remembered that the use of the 29 header 219 here is an example only, and any portion or combined portions of the packet 210 might constitute the 31 candidate field 413 in a given application.
32Fig. 5 is a flow diagram depicting the inventive 33 improved packet filtering process 510. The improved packet 34 filtering process 510 is accomplished in a preliminary 35operation series 512 and a packet processing operation 514, 36 each of which is repeated as required, as will be ~icç~s~
37 hereinafter. The preliminary operation series 512 is 38 accomplished according to software residing in the host 39processor 20 (Fig. 1) to configure the target memory 16 (Fig.
- 2l69l8l ;,PC~/US 94108514 /PT~ I ~^J~J 'JL iS9 1 1) as will be discussed hereinafter. It should be noted that the 2 fact that the improved packet filtering process 510 is divided 3 into the two main operation categories (the preliminary operation 4 series 512 and the packet processing operation 514) does not distinguish this invention over the prior art. Rather, the 6 processes within the preliminary operation series 512 and the 7 packet processing operation 514 describe the essence of the 8 inventive process.
9 Fig. 6 is a flow chart showing the inventive packet processing operation 514 in a manner analogous to the 11 presentation of the prior art partial packet filtering operation 12 410 depicted in Fig. 4. As can be seen in the view of Fig. 6, 13 the packet processing operation series 514 is similar in many 4 respects to the prior art partial packet filtering process 410 i5 (Fig. 4). In the packet processing operation series 514, a 16 packet 210 (Fig. 2) is received (receive packet operation 412) 17 and a candidate field 413 iS extracted in an extract candidate 18 field operation 414. In the best presently known embodiment 10 19 of the present invention, the inventive packet processing operation series 51~ next performs a candidate field reduction 21 operation 626. In the best presently known embodiment 10 of the 22 present invention, the candidate field reduction operation 626 23 is merely the application of the conventional CRC polynomial 24 algorithm to the candidate field 413 to yield a 32 bit CRC output ~5 value 628 (although any of a number of similar algorithms might 6 be applied for this purpose). Next, a subset selection operation 27 630 selects a predetermined number (two in the example of Fig.
28 6) of bit-wise subsets 636 from the CRC output value 628. The 29 method for determining the quantity of bit-wise subsets 636 to be selected in the subset selection operation 630, and the size 31 of each, will be discussed hereinafter. In the best presently 32 known embodiment 10 of the present invention, the bit-wise 33 subsets 636 are each 6 bits in length. It should be noted that, 34 in the best presently known embodiment lo of the present invention, the bit-wise subsets 636 are selected from the CRC
36 output value 628 simply by taking the first 6 bits of the CRC
37 output value 628, the second six bits, and so on until as many 38 bit-wise subsets as are needed are obtained and so, in the best 39 presently known embodiment 10 of the present invention, the bit ~ME~I~ED SHE~r 2169i8J 51R~c'dP~T/~TO IOJU-1935 1 wise subsets 636 are 'consecutive bit sections" of the fixed size 2 field (the CRC output value 628 in the best presently known 3 embodiment 10 of the present invention. The inventors have 4 determined that the bits of the CRC output value 628 (resulting from the CRC polynomial function) are independent of each other, 6 and so any 6 bit portion of the CRC output value 628 is as 7 representative of the CRC output value 628 as is any other 6 bit 8 portion.
9 The bit-wise subsets 636 are then compared to the hash table 310 (Fig. 3) stored in the target memory 16 (Fig. 1) in a 11 comparison operation 618. The combined multiple hash values 636 12 may be considered to be a hash matrix 638 (in the example of Fig.
13 6, a two dimensional hash matrix 638).
4 It is important to note that the essence of the present inventive method lies in the extraction of the plurality of 16 independent or relatively independent representative indices of 17 the candidate field 413 (~candidate field indicesn) which, in the 18 example of the best presently known embodiment 10 of the present 19 invention are the bit-wise subsets 636 which make up the hash matrix 638. That is, the bit-wise subsets 636 are representative 21 of the candidate field 413, as discussed above. The generally 22 simultaneous (parallel) processing of these is the source of the 23 advantages of the present inventive method and means. The exact 24 method described herein in relation to the best presently known ~5 embodiment 10 of the present invention, that of first reducing ~6 the candidate field 413 in the candidate field reduction 27 operation 626 and then extracting the bit-wise subsets 636 is but 28 one of many potential methods for accomplishing such a parallel 29 h~ch;ng operation 639, and the present invention is not intended to be limited by this aspect of the best presently known 31 embodiment 10.
32 In the best presently known embodiment 10 of the 33 present invention, in a comparison operation 6~2, each of the 34 bit-wise subsets 636 is compared to a reference hash table 6~
(a "target hash array") which is stored in the target memory 16 36 (Fig. 1) and only if all match is the packet 210 forwarded in a 37 packet forwarding operation 6~6. In the example of Fig. 6, the 38 reference hash table 644 will be a 64 element array representing 39 all values from 0 through 63 inclusive. Some elements of the AMENDE~ S~EE~
-- 2169181 5l ~c'd PCT/PTO IO JU1~33~
1 reference hash table 644 are set as will be discussed hereinafter 2 in relation to the preliminary operation series 512. If the 3 value of the bit-wise subset "falls into one of the buckets" (is 4 equivalent to a corresponding set bit in the reference hash table 644), then the data packet 210 is defined as being a Umatch'.
6 Now returning to a consideration of the preliminary 7 operation series 512 (Fig. 5) with an underst~n~ing of the packet 8 processing operation series 514, the target memory 16 is 9 configured in process steps much like those described in relation to the packet processing operation series 51~ of Fig. 6.
11 Fig. 7 is a flow diagram of the preliminary operation 12 series 514 according to the best presently known embodiment 10 13 of the present invention. A preliminary operation which is 4 common to both the prior art and the present invention is a target field(s) selection process 712. The target (field)s 16 selection process is merely the selection of criteria to which 17 incoming packets 210 are to be compared. For example, if the 18 entire process is to be on the basis of desired destinations, 19 then an intended destination address 214 (Fig. 2) will be (one of) the target field(s) 71~, and if three destinations are of 21 interest, then there will be three target fields 714 as 22 illustrated in the example of Fig. 7. The actual process 23 involved in selecting the target field(s) is a function of 24 network control software which is found in the prior art and ~5 which is not relevant to the present invention except to the ~6 extent that it delivers the target field(s) 714 to the inventive 27 preliminary operation series 512.
28 Having determined the quantity of target fields 714 of 29 interest, host software will next determine a bit-wise subset quantity 716 (the appropriate subset quantity of bit-wise 31 subsets 636) in a bit-wise subset quantity determination 32 operation 718. The bit-wise subset quantity determination 33 operation 718 will be discussed in more detail hereinafter, as 34 it can be better understood in light of the present description of the entire preliminary operation series 512. For the present 36 simplified example of Figs. 6 and 7, and as already mentioned, 37 the bit-wise subset quantity 716 is two. That is, two of the 38 bit-wise subsets 636 are to be extracted from the CRC output 39 value 628 in the subset selection operation 630 of Fig. 6.
4~ 1D'~ SHE~
P~TJU~ 9 4 / 0 8 5 1 4 2169181 51 Rec'dPCT/P~O I0JULl995 1 As can be appreciated, the target fields 714 are each 2 equivalent in form to the candidate fields 413 discussed 3 previously herein, and processing of the target fields 714 is 4 much the same as has been previously described herein in relation to the candidate fields 413. In the inventive preliminary 6 operation series 512, each of the target fields 714 is processed 7 in a target field reduction operation 726 by application of the 8 CRC polynomial to produce a target CRC value 728. Each of the 9 target CRC values 728 is then processed in a target subset selection operation 730 to produce a plurality (two for each 11 target CRC value 728 for a total of six, in the present example) 12 of target bit-wise subsets 736. In more general terms, each of 13 the "target fields 71~ (having been selected according to prior ~4 art methods, as discussed previously herein) is processed as lS described to produce a "target representative field~ (the target 16 CRC value 728 in the present example), which is then further 17 processed as described to produce the target representative field 18 and which are, in the present example, the target bit-wise 19 subsets 736. This process is alike to the process which is repeated as necessary to process each incoming data packet 210, 21 wherein the candidate fields 413 are processed to produce a 22 candidate representative field (the CRC output value 628 in the 23 present example), which is further processed to produce the 24 "candidate string subsets" (the bit-wise subsets 636 in the ~S present example). The quantity of target bit-wise subsets 736 ~6 taken from each target CRC value 728 is also the bit-wise subset 27 quantity 716 (two, in the present example). It should be noted 28 that a target parallel hashing operation 739 is like the 29 previously described parallel h~ching operation 639 in that the invention might be practiced with variations of the specific 31 steps therein which are presented here as features of the best 32 presently known embodiment 10 of the present invention.
33 In a target memory setting operation 740 the reference 34 hash table 644 is formatted such that each memory location 312 corresponding to a value of any of the target bit-wise subsets 36 736 is set. For example, if the first target bit-wise subset 37 736~ were "000010" (decimal value 2) then the third memory 38 location 312c in the reference hash table 644 would be set to 39 "1", as is illustrated in Fig. 7. As can be appreciated from the AMENDED SHEET
-- 21691 PCT/US 9410851 ~
8 1 51 R ~ G d P C ~ , . . , . ~ 3 1 above discussion, the maximum number of memory locations 312 in 2 the reference hash table 644 which can be set by this process is3 the quantity of target bit-wise subsets 736 (six, in the present4 example). However, since two or more of the target bit-wise subsets might coincidentally hash to the same value, a lesser 6 quantity of memory locations 312 might also be set.
7 Now returning to a more detailed discussion of the 8 bit-wise subset quantity determination operation 718, the target9 memory 16 is to be configured to maximize the effectiveness of the filtering based on the quantity of multicast packets 210 of 11 interest to the software of the host processor 20. Therefore, 12 the bit-wise subset quantity determination operation 718 attempts 13 to determine (or, at least, to approximate) an optimal number 4 of indices per packet 210 (and, thus, the bit-wise subset quantity 716 ~iccll~ce~ previously herein). The "optimal" number 16 here means that which will minimize the number of "uninteresting"
17 packets 210 which match the set data bits 312 in the reference 18 hash table 644 while matching all of the "interesting" packets 19 210. In the best presently known embodiment 10 of the present invention, the following table is used to determine the bit- wise 21 subset quantity 716.
23 T~RT.F OF SUR.~:~T OU~NTTTTF~.';
24Addresses of Number of Hash Indices ~5Interest (Bit-Wise Subset Quantity 716) ~6 1-2 5 3017 or more 32 The above table is offered here as a guide only, in 33 that the "optimal" number of selected hash indices may vary in 34 ways not presently contemplated. Furthermore, it should be noted that the above table is based upon an assumption that none of the 36 target indices (the target bitwise subsets 736 in the best 37 presently known embodiment 10 of the present invention) hash to 38 the same memory locations 312 in the reference hash table 644.
39 If, indeed, two or more of the target bit-wise subsets 736 did ~Mt~DDSHE~
51 Rec'd PCT, 1~ 1 0 J UL 1995 - 13a 1 hash to the same memory location 312, then additional hash 2 indices could be added to increase efficiency without sacrificing 3 speed or requiring additional memory or processing.
4 It should be noted that while the packet processing operation series 514 is accomplished in the hardware of the best 6 presently known embodiment 10 of the present invention, the 7 preliminary operation series (which can be accomplished at a more 8 leisurely pace) is performed primarily by software of the host 9 processor 20. As can be appreciated in light of the above discussion, the preliminary operation series 512 will be repeated 11 when the network 12 is reconfigured, when it is desired to 12 communicate with additional members of the network 12, or upon 13 other occasions according to the needs of the user and the '4 network 12. The packet processing operation series 51 AMENDE~ ~FFT
~,N095/Oj~ 216 9181 PCT~S94/08514 1 514 will be repeated whenever an incoming packet 210 is 2 detected from the network node 18.
3 It should also be noted that, while the best 4 presently known embodiment 10 of the present invention hAchPF
each of the CRC values 628 and 728 to a common reference hash 6 table 644, the invention might be practiced with equal 7 efficiency by h~shing each of the CRC values 628 and 728 to 8 its own individual hash table (not shown). Using the 9 quantities of the example of Figs. 6 and 7, each of the individual hash tables would be 32 bits (memory locations 312) 11 large (one half of 64 bits, since it must be divided between 12 the two target CRC values 728). The individual bit-wise 13 subsets 636 and 736 would then be 5 bits long (decimal value 0 14 through 31).
Various modifications may be made to the inventive 16 improved packet filter 10 without altering its value or scope.
17 For example, the guantity, size, and derivation of the 18 plurality of bit-wise subsets 636 and 738 could readily be 19 revised according to the parameters discussed herein.
All of the above are only some of the examples of 21 available embodiments of the present invention. Those skilled 22 in the art will readily observe that numerous other 23 modifications and alterations may be made without departing 24 from the spirit and scope of the invention. Accordingly, the above disclosure is not intended as limiting and the appended 26 claims are to be interpreted as encompassing the entire scope 27 of the invention.
31 The improved partial packet filter 10 is adapted to 32 be widely used in computer network communications. The 33 predominant current usages are for the interconnection of 34 computers and computer peripheral devices within networks and for the interconnection of several computer networks.
36 The improved partial packet filters 10 of the present 37 invention may be utilized in any application wherein 38 conventional computer interconnection devices are used. A
39 significant area of improvement is in the inclusion of the _vo ~;c '~ 21 6 9 1 8 1 PCT~S94/08514 1 parallel processing of a plurality of indices (bit-wise 2 subsets 636) of a packet 210.
3 The efficiency of the filtering provided by the 4 improved partial packet filter 10 is significantly improved, particularly for cases where the number of targets is small 6 relative to the number of "buckets" (memory locations 312).
7 To compare the efficiency of the present inventive improved 8 packet filtering process 510 embodied in the improved partial 9 packet filter 10 with the prior art partial packet filtering process 410, assume, for example, the following`values:
12 Mb=64 (representing 64 memory locations 312 in 13 the reference hash table 644) 14 Cb=48 (representing a 48 bit candidate field 413 size - a typical size of the destination 16 address 214 17 Dn=4 (representing a bit-wise subset quantity 716 18 of four) Then, the prior art partial packet filtering process 21 410 will partition the 2cb possibilities among 64 distinct 22 buckets, one of which matches the bucket into which the single 23 target falls. In the improved packet filtering process 510, 24 the four parallel h~hing functions partition among 16 possible buckets each. The efficiency (Ef) for the prior art 26 partial packet filtering process 410 would then be:
28 Ef=64/248=l/242 The efficiency (Ef4) for this example of the improved 31 packet filtering process 510 is:
33 Ef4=644/(44*248)=1/232 The efficiency Ef4 is better than the efficiency Ef 36 by a factor of 21 (1024), which i6 to say that only a 37 thousandth as many (uninteresting) packets will be delivered 38 to the next stage of filtering using the inventive improved 39 partial packet filter 10 as compared to the prior art.
WOg5/05~4 PCT~S94/08514 __ ` 216gl~,l 1 Filtering of packets may be accomplished through a 2 combination of exact and partial match filters. Typically, 3 one or more partial filterings will occur first, with the 4 multiple dimensions of each filtering accomplished in parallel with each other (according to the present invention). Packets 6 which pass through the inventive improved partial packet 7 filter 10 may then be filtered using an exact match filter 8 techn;que, such as "binary search lookup" of the filter data 9 in a sorted table of acceptable filter data values.
Furthermore, results of partial filtering can be used to 11 determine which of many (possibly sorted) tables in which to 12 search for the packet.
13 Accordingly, the inventive improved packet filtering 14 process 510 may be applied more than once to each incoming packet 210 (in a first stage and a second stage). In such an 16 example, configuration of the first stage partial filtering 17 would involve specification of the number and type of h~ching 18 operations to be performed, along with the portion of the 19 packet which is to comprise the filter data for each such operation, along with acceptable results for each. Multiple 21 partial filterings may be configured with the specification 22 including the logical relation to apply to the results of each 23 filtering. For example, partial filtering A might be to apply 24 the 32 bit CRC polynomial to the destination address field of an Ethernet packet, and retain the lowest order 3 bits - a 26 value from 0 to 7. Partial filtering B might be to apply the 27 32 bit CRC polynomial to the source address field of the 28 Ethernet packet, and retain the lowest order 3 bits. The 29 logical relation might be to accept packets only for which the results of the first filtering (A) is either 2 or 4, and the 31 result of the second filtering (B) is either a 3 or a 4. In a 32 general case, one may expect the likelihood of arbitrarily 33 filter data to "pass" the first filtering to be 2 in 8 (25%), 34 since 2 of the 8 values from 0 to 7 are acceptable.
Similarly, the likelihood of the second filtering "passing"
36 such a filter is 2 in 8 (25%). Assuming that the two 37 filterings are, as desired, truly independent, the likelihood 38 of this arbitrary packet being accepted is the product of 39 these, or 1 in 16. Note further that the specification of _ NO55/15~ 21 691 81 PCT~S94/08514 1 these "acceptable result sets" ({2,4} for A and {3,4} for B) 2 requires 16 bits of information for full specification, where 3 8 bits indicate the acceptability/unacceptability of each of 4 the 8 possible values of filtering A, and 8 additional bits indicate the acceptability/unacceptability of each of the 8 6 possible values of filtering B. Use of such multiple partial 7 filterings may be especially effective in situations where 8 filtering criteria are derived from independent portions of 9 the filter data, such as filtering for all packets whose destination address OR whose source address is within a set of 11 interesting addresses AND whose packet type indicates a 12 particular protocol of interest.
13 Since the improved partial packet filters of the 14 present invention may be readily constructed and are compatible with existing computer eguipment it is expected 16 that they will be acceptable in the industry as substitutes 17 for conventional means and methods presently employed for 18 partial packet filtering. For these and other reasons, it is 19 expected that the utility and industrial applicability of the invention will be both significant in scope and long-lasting 21 in duration.
Claims (26)
1. An improved packet filtering process for filtering data packets in a computer network, comprising:
receiving a packet into a packet filter;
extracting a candidate field from the packet;
performing a plurality of hashing operations on the candidate field to produce a plurality of representative fields;
comparing each of the representative fields with a target hash array such that if all of the representative fields represent values that are set in the target hash array the packet is defined as being a match; and selectively forwarding from the packet filter those packets which are a match.
receiving a packet into a packet filter;
extracting a candidate field from the packet;
performing a plurality of hashing operations on the candidate field to produce a plurality of representative fields;
comparing each of the representative fields with a target hash array such that if all of the representative fields represent values that are set in the target hash array the packet is defined as being a match; and selectively forwarding from the packet filter those packets which are a match.
2. The improved packet filtering process of claim 1, wherein:
the plurality of hashing operations include the steps of:
reducing the candidate field to a fixed size field;
extracting the plurality of representative fields from the fixed size field.
the plurality of hashing operations include the steps of:
reducing the candidate field to a fixed size field;
extracting the plurality of representative fields from the fixed size field.
3. The improved packet filtering process of claim 2, wherein:
the candidate field is reduced to the fixed size field by application of a CRC polynomial algorithm to the candidate field.
the candidate field is reduced to the fixed size field by application of a CRC polynomial algorithm to the candidate field.
4. The improved packet filtering process of claim 2, wherein:
the candidate field is reduced to a fixed size of 32 bits.
the candidate field is reduced to a fixed size of 32 bits.
5. The improved packet filtering process of claim 2, wherein:
the representative fields of the fixed size field are each consecutive bit sections of the fixed size field.
the representative fields of the fixed size field are each consecutive bit sections of the fixed size field.
6. The improved packet filtering process of claim 1, wherein:
the representative fields are each of like size to each other.
the representative fields are each of like size to each other.
7. The improved packet filtering process of claim 1, wherein:
the representative fields are each 6 bits in size.
the representative fields are each 6 bits in size.
8. The improved packet filtering process of claim 1, wherein:
the quantity of representative fields is greater than one.
the quantity of representative fields is greater than one.
9. The improved packet filtering process of claim 1, wherein:
the target hash array is undivided such that each of the representative fields is compared to the same target hash array.
the target hash array is undivided such that each of the representative fields is compared to the same target hash array.
10. A method for selectively forwarding a data packet and controlling the distribution of data packets in a computer network system, the data packet having a candidate field containing information about the data packet, the method comprising:
configuring a target memory of a controller to contain a target hash array in steps including:
aa determining a target field and extracting a plurality of target indices from said target field, the target indices being a binary number having a value;
ab setting memory locations in the target memory corresponding to the value of each of the target indices; and processing the data packet in steps including:
ba extracting the candidate field from the data packet;
bb extracting from the candidate field a plurality of candidate field indices;
bc comparing the values of each of the candidate field indices to the target hash array; and bd forwarding the packet when each of the values of each of the candidate field indices corresponds to a memory location of the target hash array which was set in step ab.
configuring a target memory of a controller to contain a target hash array in steps including:
aa determining a target field and extracting a plurality of target indices from said target field, the target indices being a binary number having a value;
ab setting memory locations in the target memory corresponding to the value of each of the target indices; and processing the data packet in steps including:
ba extracting the candidate field from the data packet;
bb extracting from the candidate field a plurality of candidate field indices;
bc comparing the values of each of the candidate field indices to the target hash array; and bd forwarding the packet when each of the values of each of the candidate field indices corresponds to a memory location of the target hash array which was set in step ab.
11. The method of claim 10, wherein:
step aa is accomplished in substeps including:
aa1 reducing the target fields to a plurality of target representative fields; and aa2 selecting one or more target string subsets from the target representative field; and step bb is accomplished in substeps including:
bb1 reducing the candidate field to a plurality of candidate representative fields; and bb2 selecting one or more candidate string subsets from the target representative field.
step aa is accomplished in substeps including:
aa1 reducing the target fields to a plurality of target representative fields; and aa2 selecting one or more target string subsets from the target representative field; and step bb is accomplished in substeps including:
bb1 reducing the candidate field to a plurality of candidate representative fields; and bb2 selecting one or more candidate string subsets from the target representative field.
12. The method of claim 11, wherein:
step ab is accomplished by causing only those memory locations in the target memory which correspond to the value of each of the target string subsets to contain a value of one.
step ab is accomplished by causing only those memory locations in the target memory which correspond to the value of each of the target string subsets to contain a value of one.
13. The method of claim 10, wherein:
steps aa through ab are repeated when a change in the distribution of data packets is desired.
steps aa through ab are repeated when a change in the distribution of data packets is desired.
14. The method of claim 10, wherein:
steps ba through bd are repeated for each incoming data packet.
steps ba through bd are repeated for each incoming data packet.
15. The method of claim 11, wherein:
step aa1 is accomplished by applying a cyclic redundancy check algorithm to each of the target fields;
and step bb1 is accomplished by applying the same cyclic redundancy check algorithm to the candidate field.
step aa1 is accomplished by applying a cyclic redundancy check algorithm to each of the target fields;
and step bb1 is accomplished by applying the same cyclic redundancy check algorithm to the candidate field.
16. The method of claim 11, wherein:
in step aa2 the target string subsets are selected by extracting a plurality of target bit-wise subsets from the target representative field; and in step bb2 the candidate string subsets are selected by extracting a second plurality of consecutive bit strings from the representative candidate string.
in step aa2 the target string subsets are selected by extracting a plurality of target bit-wise subsets from the target representative field; and in step bb2 the candidate string subsets are selected by extracting a second plurality of consecutive bit strings from the representative candidate string.
17. The method of claim 10, and further including:
an additional process step preceding step ab wherein a subset quantity is determined, the subset quantity being the number of target indices to be extracted from each of the target fields and also the number of candidate indices to be extracted from each of the candidate fields.
an additional process step preceding step ab wherein a subset quantity is determined, the subset quantity being the number of target indices to be extracted from each of the target fields and also the number of candidate indices to be extracted from each of the candidate fields.
18. The method of claim 17, wherein:
the additional process step is accomplished, at least initially, by selecting the subset quantity from a table of subset quantities.
the additional process step is accomplished, at least initially, by selecting the subset quantity from a table of subset quantities.
19. The method of claim 11, and further including:
an additional process step preceding step ab wherein a subset quantity is determined, the subset quantity being the number of target string subsets to be extracted from each of the target representative fields and also the number of candidate string subsets to be extracted from each of the candidate representative strings.
an additional process step preceding step ab wherein a subset quantity is determined, the subset quantity being the number of target string subsets to be extracted from each of the target representative fields and also the number of candidate string subsets to be extracted from each of the candidate representative strings.
20. The method of claim 19, wherein:
the additional process step is accomplished, at least initially, by selecting the subset quantity from a table of subset quantities.
the additional process step is accomplished, at least initially, by selecting the subset quantity from a table of subset quantities.
21. The method of claim 11, wherein:
each of the target representative target and the candidate representative field are 32 bits in length.
each of the target representative target and the candidate representative field are 32 bits in length.
22. The method of claim 10, wherein:
the candidate field includes a target address field of the data packet.
page 22
the candidate field includes a target address field of the data packet.
page 22
23. The method of claim 10, wherein:
the data packet is a standardized Ethernet data packet.
the data packet is a standardized Ethernet data packet.
24. The method of claim 10, wherein:
the target hash array is an unapportioned array such that each of the target indices is used to set memory locations in that unapportioned array.
the target hash array is an unapportioned array such that each of the target indices is used to set memory locations in that unapportioned array.
25. The method of claim 10, wherein:
the target hash array is apportioned such that at least some of the target indices are directed to different portions of the target hash array.
the target hash array is apportioned such that at least some of the target indices are directed to different portions of the target hash array.
26. The method of claim 10, wherein:
the target indices and the candidate indices are each a binary string of fixed bit length.
the target indices and the candidate indices are each a binary string of fixed bit length.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US08/103,659 US5473607A (en) | 1993-08-09 | 1993-08-09 | Packet filtering for data networks |
| US08/103,659 | 1993-08-09 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2169181A1 true CA2169181A1 (en) | 1995-02-16 |
Family
ID=22296352
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002169181A Abandoned CA2169181A1 (en) | 1993-08-09 | 1994-07-27 | Improved packet filtering for data networks |
Country Status (6)
| Country | Link |
|---|---|
| US (1) | US5473607A (en) |
| EP (1) | EP0713624A4 (en) |
| JP (1) | JPH09509018A (en) |
| AU (1) | AU680030B2 (en) |
| CA (1) | CA2169181A1 (en) |
| WO (1) | WO1995005044A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112019449A (en) * | 2020-08-14 | 2020-12-01 | 四川电科网安科技有限公司 | Traffic identification packet capturing method and device |
Families Citing this family (256)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5598581A (en) * | 1993-08-06 | 1997-01-28 | Cisco Sytems, Inc. | Variable latency cut through bridge for forwarding packets in response to user's manual adjustment of variable latency threshold point while the bridge is operating |
| US5835726A (en) * | 1993-12-15 | 1998-11-10 | Check Point Software Technologies Ltd. | System for securing the flow of and selectively modifying packets in a computer network |
| WO1997000471A2 (en) * | 1993-12-15 | 1997-01-03 | Check Point Software Technologies Ltd. | A system for securing the flow of and selectively modifying packets in a computer network |
| US5542089A (en) * | 1994-07-26 | 1996-07-30 | International Business Machines Corporation | Method and apparatus for estimating the number of occurrences of frequent values in a data set |
| US5793978A (en) * | 1994-12-29 | 1998-08-11 | Cisco Technology, Inc. | System for routing packets by separating packets in to broadcast packets and non-broadcast packets and allocating a selected communication bandwidth to the broadcast packets |
| US5867666A (en) | 1994-12-29 | 1999-02-02 | Cisco Systems, Inc. | Virtual interfaces with dynamic binding |
| US6097718A (en) | 1996-01-02 | 2000-08-01 | Cisco Technology, Inc. | Snapshot routing with route aging |
| US6147996A (en) | 1995-08-04 | 2000-11-14 | Cisco Technology, Inc. | Pipelined multiple issue packet switch |
| US6182224B1 (en) | 1995-09-29 | 2001-01-30 | Cisco Systems, Inc. | Enhanced network services using a subnetwork of communicating processors |
| US6091725A (en) | 1995-12-29 | 2000-07-18 | Cisco Systems, Inc. | Method for traffic management, traffic prioritization, access control, and packet forwarding in a datagram computer network |
| US6035105A (en) | 1996-01-02 | 2000-03-07 | Cisco Technology, Inc. | Multiple VLAN architecture system |
| US6308148B1 (en) | 1996-05-28 | 2001-10-23 | Cisco Technology, Inc. | Network flow data export |
| US6243667B1 (en) | 1996-05-28 | 2001-06-05 | Cisco Systems, Inc. | Network flow switching and flow data export |
| US5850523A (en) * | 1996-06-21 | 1998-12-15 | National Instruments Corporation | Method and system for monitoring fieldbus network with multiple packet filters |
| US6212182B1 (en) | 1996-06-27 | 2001-04-03 | Cisco Technology, Inc. | Combined unicast and multicast scheduling |
| US6434120B1 (en) | 1998-08-25 | 2002-08-13 | Cisco Technology, Inc. | Autosensing LMI protocols in frame relay networks |
| US5949786A (en) * | 1996-08-15 | 1999-09-07 | 3Com Corporation | Stochastic circuit identification in a multi-protocol network switch |
| US6240084B1 (en) | 1996-10-10 | 2001-05-29 | Cisco Systems, Inc. | Telephony-enabled network processing device with separate TDM bus and host system backplane bus |
| US6904037B2 (en) | 1996-11-05 | 2005-06-07 | Cisco Technology, Inc. | Asymmetric implementation of DSVD for voice/data internet access |
| US5959976A (en) * | 1996-12-09 | 1999-09-28 | Kuo; Yung-Tien | Method and device for filtering transmission |
| US6304546B1 (en) | 1996-12-19 | 2001-10-16 | Cisco Technology, Inc. | End-to-end bidirectional keep-alive using virtual circuits |
| US6173364B1 (en) * | 1997-01-15 | 2001-01-09 | At&T Corp. | Session cache and rule caching method for a dynamic filter |
| US6233686B1 (en) * | 1997-01-17 | 2001-05-15 | At & T Corp. | System and method for providing peer level access control on a network |
| US5978379A (en) | 1997-01-23 | 1999-11-02 | Gadzoox Networks, Inc. | Fiber channel learning bridge, learning half bridge, and protocol |
| US6052751A (en) | 1997-02-14 | 2000-04-18 | Advanced Micro Devices, I Nc. | Method and apparatus for changing the number of access slots into a memory |
| US6151325A (en) * | 1997-03-31 | 2000-11-21 | Cisco Technology, Inc. | Method and apparatus for high-capacity circuit switching with an ATM second stage switch |
| US6094708A (en) | 1997-05-06 | 2000-07-25 | Cisco Technology, Inc. | Secondary cache write-through blocking mechanism |
| US6122272A (en) | 1997-05-23 | 2000-09-19 | Cisco Technology, Inc. | Call size feedback on PNNI operation |
| US6356530B1 (en) | 1997-05-23 | 2002-03-12 | Cisco Technology, Inc. | Next hop selection in ATM networks |
| US6088356A (en) * | 1997-06-30 | 2000-07-11 | Sun Microsystems, Inc. | System and method for a multi-layer network element |
| US6094435A (en) * | 1997-06-30 | 2000-07-25 | Sun Microsystems, Inc. | System and method for a quality of service in a multi-layer network element |
| US6119196A (en) * | 1997-06-30 | 2000-09-12 | Sun Microsystems, Inc. | System having multiple arbitrating levels for arbitrating access to a shared memory by network ports operating at different data rates |
| US6128666A (en) * | 1997-06-30 | 2000-10-03 | Sun Microsystems, Inc. | Distributed VLAN mechanism for packet field replacement in a multi-layered switched network element using a control field/signal for indicating modification of a packet with a database search engine |
| US5920566A (en) * | 1997-06-30 | 1999-07-06 | Sun Microsystems, Inc. | Routing in a multi-layer distributed network element |
| US6044418A (en) * | 1997-06-30 | 2000-03-28 | Sun Microsystems, Inc. | Method and apparatus for dynamically resizing queues utilizing programmable partition pointers |
| US6014380A (en) * | 1997-06-30 | 2000-01-11 | Sun Microsystems, Inc. | Mechanism for packet field replacement in a multi-layer distributed network element |
| US6081512A (en) * | 1997-06-30 | 2000-06-27 | Sun Microsystems, Inc. | Spanning tree support in a high performance network device |
| US6081522A (en) * | 1997-06-30 | 2000-06-27 | Sun Microsystems, Inc. | System and method for a multi-layer network element |
| US6052738A (en) * | 1997-06-30 | 2000-04-18 | Sun Microsystems, Inc. | Method and apparatus in a packet routing switch for controlling access at different data rates to a shared memory |
| US6246680B1 (en) | 1997-06-30 | 2001-06-12 | Sun Microsystems, Inc. | Highly integrated multi-layer switch element architecture |
| US6044087A (en) * | 1997-06-30 | 2000-03-28 | Sun Microsystems, Inc. | Interface for a highly integrated ethernet network element |
| US5938736A (en) * | 1997-06-30 | 1999-08-17 | Sun Microsystems, Inc. | Search engine architecture for a high performance multi-layer switch element |
| US6016310A (en) * | 1997-06-30 | 2000-01-18 | Sun Microsystems, Inc. | Trunking support in a high performance network device |
| US6049528A (en) * | 1997-06-30 | 2000-04-11 | Sun Microsystems, Inc. | Trunking ethernet-compatible networks |
| JP3413065B2 (en) * | 1997-07-03 | 2003-06-03 | 松下電器産業株式会社 | Program information processing device |
| US6704866B1 (en) | 1997-07-11 | 2004-03-09 | Cisco Technology, Inc. | Compression and encryption protocol for controlling data flow in a network |
| US6078590A (en) | 1997-07-14 | 2000-06-20 | Cisco Technology, Inc. | Hierarchical routing knowledge for multicast packet routing |
| US6330599B1 (en) | 1997-08-05 | 2001-12-11 | Cisco Technology, Inc. | Virtual interfaces with dynamic binding |
| US6212183B1 (en) | 1997-08-22 | 2001-04-03 | Cisco Technology, Inc. | Multiple parallel packet routing lookup |
| US6512766B2 (en) | 1997-08-22 | 2003-01-28 | Cisco Systems, Inc. | Enhanced internet packet routing lookup |
| US6157641A (en) | 1997-08-22 | 2000-12-05 | Cisco Technology, Inc. | Multiprotocol packet recognition and switching |
| US6343072B1 (en) | 1997-10-01 | 2002-01-29 | Cisco Technology, Inc. | Single-chip architecture for shared-memory router |
| US6128296A (en) * | 1997-10-03 | 2000-10-03 | Cisco Technology, Inc. | Method and apparatus for distributed packet switching using distributed address tables |
| US6147993A (en) | 1997-10-14 | 2000-11-14 | Cisco Technology, Inc. | Method and apparatus for implementing forwarding decision shortcuts at a network switch |
| US6252878B1 (en) | 1997-10-30 | 2001-06-26 | Cisco Technology, Inc. | Switched architecture access server |
| US6111877A (en) | 1997-12-31 | 2000-08-29 | Cisco Technology, Inc. | Load sharing across flows |
| JP4243428B2 (en) * | 1998-01-07 | 2009-03-25 | マイクロソフト コーポレーション | Low level content filtering |
| US6289464B1 (en) | 1998-01-07 | 2001-09-11 | Microsoft Corporation | Receiving wireless information on a mobile device with reduced power consumption |
| US6085328A (en) * | 1998-01-20 | 2000-07-04 | Compaq Computer Corporation | Wake up of a sleeping computer using I/O snooping and imperfect packet filtering |
| US6401188B1 (en) | 1998-02-27 | 2002-06-04 | Cisco Technology, Inc. | Method for selection on a pattern sequence |
| US6115385A (en) | 1998-03-11 | 2000-09-05 | Cisco Technology, Inc. | Method and system for subnetting in a switched IP network |
| US6208649B1 (en) | 1998-03-11 | 2001-03-27 | Cisco Technology, Inc. | Derived VLAN mapping technique |
| US6738814B1 (en) * | 1998-03-18 | 2004-05-18 | Cisco Technology, Inc. | Method for blocking denial of service and address spoofing attacks on a private network |
| US6430184B1 (en) * | 1998-04-10 | 2002-08-06 | Top Layer Networks, Inc. | System and process for GHIH-speed pattern matching for application-level switching of data packets |
| SE521814C2 (en) * | 1998-05-14 | 2003-12-09 | Telia Ab | A communication network or an IP network which includes a packet classifier |
| US6700891B1 (en) * | 1998-06-25 | 2004-03-02 | Cisco Technology, Inc. | Apparatus and method for providing a device level security mechanism in a network |
| US6370121B1 (en) | 1998-06-29 | 2002-04-09 | Cisco Technology, Inc. | Method and system for shortcut trunking of LAN bridges |
| US6377577B1 (en) | 1998-06-30 | 2002-04-23 | Cisco Technology, Inc. | Access control list processing in hardware |
| US6430188B1 (en) | 1998-07-08 | 2002-08-06 | Broadcom Corporation | Unified table for L2, L3, L4, switching and filtering |
| US6876653B2 (en) * | 1998-07-08 | 2005-04-05 | Broadcom Corporation | Fast flexible filter processor based architecture for a network device |
| US6694055B2 (en) | 1998-07-15 | 2004-02-17 | Microsoft Corporation | Proper name identification in chinese |
| US6182147B1 (en) | 1998-07-31 | 2001-01-30 | Cisco Technology, Inc. | Multicast group routing using unidirectional links |
| US6308219B1 (en) | 1998-07-31 | 2001-10-23 | Cisco Technology, Inc. | Routing table lookup implemented using M-trie having nodes duplicated in multiple memory banks |
| US6389506B1 (en) | 1998-08-07 | 2002-05-14 | Cisco Technology, Inc. | Block mask ternary cam |
| US6101115A (en) | 1998-08-07 | 2000-08-08 | Cisco Technology, Inc. | CAM match line precharge |
| US6269096B1 (en) | 1998-08-14 | 2001-07-31 | Cisco Technology, Inc. | Receive and transmit blocks for asynchronous transfer mode (ATM) cell delineation |
| US6535520B1 (en) | 1998-08-14 | 2003-03-18 | Cisco Technology, Inc. | System and method of operation for managing data communication between physical layer devices and ATM layer devices |
| US6381245B1 (en) | 1998-09-04 | 2002-04-30 | Cisco Technology, Inc. | Method and apparatus for generating parity for communication between a physical layer device and an ATM layer device |
| US6347087B1 (en) * | 1998-10-05 | 2002-02-12 | Packet Engines Incorporated | Content-based forwarding/filtering in a network switching device |
| US6785274B2 (en) | 1998-10-07 | 2004-08-31 | Cisco Technology, Inc. | Efficient network multicast switching apparatus and methods |
| US6574666B1 (en) | 1998-10-22 | 2003-06-03 | At&T Corp. | System and method for dynamic retrieval loading and deletion of packet rules in a network firewall |
| US6826694B1 (en) | 1998-10-22 | 2004-11-30 | At&T Corp. | High resolution access control |
| US7430171B2 (en) | 1998-11-19 | 2008-09-30 | Broadcom Corporation | Fibre channel arbitrated loop bufferless switch circuitry to increase bandwidth without significant increase in cost |
| US6700872B1 (en) | 1998-12-11 | 2004-03-02 | Cisco Technology, Inc. | Method and system for testing a utopia network element |
| US6721320B1 (en) * | 1998-12-18 | 2004-04-13 | Lsi Logic Corporation | Method and apparatus for fibre channel identification and retrieval |
| US20020188720A1 (en) * | 1998-12-28 | 2002-12-12 | William F. Terrell | Method and apparatus for dynamically controlling the provision of differentiated services |
| US6453357B1 (en) | 1999-01-07 | 2002-09-17 | Cisco Technology, Inc. | Method and system for processing fragments and their out-of-order delivery during address translation |
| US6535511B1 (en) | 1999-01-07 | 2003-03-18 | Cisco Technology, Inc. | Method and system for identifying embedded addressing information in a packet for translation between disparate addressing systems |
| US6771642B1 (en) | 1999-01-08 | 2004-08-03 | Cisco Technology, Inc. | Method and apparatus for scheduling packets in a packet switch |
| US6449655B1 (en) | 1999-01-08 | 2002-09-10 | Cisco Technology, Inc. | Method and apparatus for communication between network devices operating at different frequencies |
| US7215641B1 (en) | 1999-01-27 | 2007-05-08 | Cisco Technology, Inc. | Per-flow dynamic buffer management |
| US6515963B1 (en) | 1999-01-27 | 2003-02-04 | Cisco Technology, Inc. | Per-flow dynamic buffer management |
| US6341346B1 (en) | 1999-02-05 | 2002-01-22 | Cisco Technology, Inc. | Method for comparison between a pattern sequence and a variable length key |
| US7120117B1 (en) | 2000-08-29 | 2006-10-10 | Broadcom Corporation | Starvation free flow control in a shared memory switching device |
| US6542503B1 (en) | 1999-03-16 | 2003-04-01 | Cisco Technologies, Inc. | Multicast echo removal |
| US7366171B2 (en) * | 1999-03-17 | 2008-04-29 | Broadcom Corporation | Network switch |
| US20020039365A1 (en) * | 1999-03-17 | 2002-04-04 | Broadcom Corporation | Pipelined searches with a cache table |
| US7643481B2 (en) | 1999-03-17 | 2010-01-05 | Broadcom Corporation | Network switch having a programmable counter |
| US6707818B1 (en) | 1999-03-17 | 2004-03-16 | Broadcom Corporation | Network switch memory interface configuration |
| US6810037B1 (en) | 1999-03-17 | 2004-10-26 | Broadcom Corporation | Apparatus and method for sorted table binary search acceleration |
| US6996099B1 (en) | 1999-03-17 | 2006-02-07 | Broadcom Corporation | Network switch having a programmable counter |
| US6757791B1 (en) | 1999-03-30 | 2004-06-29 | Cisco Technology, Inc. | Method and apparatus for reordering packet data units in storage queues for reading and writing memory |
| US6442617B1 (en) * | 1999-03-31 | 2002-08-27 | 3Com Corporation | Method and system for filtering multicast packets in a peripheral component environment |
| US6603772B1 (en) | 1999-03-31 | 2003-08-05 | Cisco Technology, Inc. | Multicast routing with multicast virtual output queues and shortest queue first allocation |
| US6760331B1 (en) | 1999-03-31 | 2004-07-06 | Cisco Technology, Inc. | Multicast routing with nearest queue first allocation and dynamic and static vector quantization |
| US6839348B2 (en) | 1999-04-30 | 2005-01-04 | Cisco Technology, Inc. | System and method for distributing multicasts in virtual local area networks |
| US6553028B1 (en) | 1999-04-30 | 2003-04-22 | Cisco Technology, Inc. | Method and apparatus for multicast switching using a centralized switching engine |
| WO2000072533A1 (en) * | 1999-05-21 | 2000-11-30 | Broadcom Corporation | Stacked network switch configuration |
| US7031302B1 (en) | 1999-05-21 | 2006-04-18 | Broadcom Corporation | High-speed stats gathering in a network switch |
| US6567379B1 (en) * | 1999-06-09 | 2003-05-20 | Cisco Technology, Inc. | Traffic monitor using leaky bucket with variable fill |
| US6591304B1 (en) | 1999-06-21 | 2003-07-08 | Cisco Technology, Inc. | Dynamic, scaleable attribute filtering in a multi-protocol compatible network access environment |
| US6859454B1 (en) | 1999-06-30 | 2005-02-22 | Broadcom Corporation | Network switch with high-speed serializing/deserializing hazard-free double data rate switching |
| US7315552B2 (en) * | 1999-06-30 | 2008-01-01 | Broadcom Corporation | Frame forwarding in a switch fabric |
| US6742045B1 (en) * | 1999-07-02 | 2004-05-25 | Cisco Technology, Inc. | Handling packet fragments in a distributed network service environment |
| WO2001019040A1 (en) * | 1999-09-03 | 2001-03-15 | Broadcom Corporation | Apparatus and method for enabling voice over ip support for a network switch |
| JP3643507B2 (en) * | 1999-09-20 | 2005-04-27 | 株式会社東芝 | Packet processing apparatus and packet processing method |
| US7151775B1 (en) * | 1999-09-23 | 2006-12-19 | Pluris, Inc. | Apparatus and method for forwarding data on multiple label-switched data paths |
| US6775281B1 (en) * | 1999-09-30 | 2004-08-10 | Mosaid Technologies, Inc. | Method and apparatus for a four-way hash table |
| US6952421B1 (en) | 1999-10-07 | 2005-10-04 | Cisco Technology, Inc. | Switched Ethernet path detection |
| US6654796B1 (en) | 1999-10-07 | 2003-11-25 | Cisco Technology, Inc. | System for managing cluster of network switches using IP address for commander switch and redirecting a managing request via forwarding an HTTP connection to an expansion switch |
| US7131001B1 (en) | 1999-10-29 | 2006-10-31 | Broadcom Corporation | Apparatus and method for secure filed upgradability with hard wired public key |
| US7143294B1 (en) * | 1999-10-29 | 2006-11-28 | Broadcom Corporation | Apparatus and method for secure field upgradability with unpredictable ciphertext |
| US6529983B1 (en) | 1999-11-03 | 2003-03-04 | Cisco Technology, Inc. | Group and virtual locking mechanism for inter processor synchronization |
| US6570884B1 (en) * | 1999-11-05 | 2003-05-27 | 3Com Corporation | Receive filtering for communication interface |
| AU1580301A (en) * | 1999-11-16 | 2001-05-30 | Broadcom Corporation | Network switch with high-speed serializing/deserializing hazard-free double datarate switching |
| US7539134B1 (en) * | 1999-11-16 | 2009-05-26 | Broadcom Corporation | High speed flow control methodology |
| AU1754801A (en) | 1999-11-18 | 2001-05-30 | Broadcom Corporation | Table lookup mechanism for address resolution in a packet network switch |
| AU2066201A (en) * | 1999-12-07 | 2001-06-18 | Broadcom Corporation | Mirroring in a stacked network switch configuration |
| WO2001045418A1 (en) * | 1999-12-14 | 2001-06-21 | General Instrument Corporation | Hardware filtering of input packet identifiers for an mpeg re-multiplexer |
| US6674743B1 (en) | 1999-12-30 | 2004-01-06 | 3Com Corporation | Method and apparatus for providing policy-based services for internal applications |
| US6678409B1 (en) | 2000-01-14 | 2004-01-13 | Microsoft Corporation | Parameterized word segmentation of unsegmented text |
| US6728300B1 (en) * | 2000-02-11 | 2004-04-27 | Qualcomm Incorporated | Method and apparatus for maximizing standby time in remote stations configured to receive broadcast databurst messages |
| US6606628B1 (en) * | 2000-02-14 | 2003-08-12 | Cisco Technology, Inc. | File system for nonvolatile memory |
| US6725264B1 (en) | 2000-02-17 | 2004-04-20 | Cisco Technology, Inc. | Apparatus and method for redirection of network management messages in a cluster of network devices |
| US7009973B2 (en) * | 2000-02-28 | 2006-03-07 | Broadcom Corporation | Switch using a segmented ring |
| US7016351B1 (en) | 2000-02-29 | 2006-03-21 | Cisco Technology, Inc. | Small group multicast in a computer network |
| US6678678B2 (en) | 2000-03-09 | 2004-01-13 | Braodcom Corporation | Method and apparatus for high speed table search |
| US6892237B1 (en) | 2000-03-28 | 2005-05-10 | Cisco Technology, Inc. | Method and apparatus for high-speed parsing of network messages |
| US6970462B1 (en) | 2000-04-24 | 2005-11-29 | Cisco Technology, Inc. | Method for high speed packet classification |
| US7103053B2 (en) * | 2000-05-03 | 2006-09-05 | Broadcom Corporation | Gigabit switch on chip architecture |
| US7065079B1 (en) | 2000-05-04 | 2006-06-20 | Cisco Technology, Inc. | VC sharing for multicast in a computer network |
| US6505269B1 (en) | 2000-05-16 | 2003-01-07 | Cisco Technology, Inc. | Dynamic addressing mapping to eliminate memory resource contention in a symmetric multiprocessor system |
| US6826561B2 (en) | 2000-05-22 | 2004-11-30 | Broadcom Corporation | Method and apparatus for performing a binary search on an expanded tree |
| US6925085B1 (en) * | 2000-06-07 | 2005-08-02 | Advanced Micro Devices, Inc. | Packet classification using hash key signatures generated from interrupted hash function |
| US7020139B2 (en) * | 2000-06-09 | 2006-03-28 | Broadcom Corporation | Trunking and mirroring across stacked gigabit switches |
| US6850980B1 (en) | 2000-06-16 | 2005-02-01 | Cisco Technology, Inc. | Content routing service protocol |
| US6535510B2 (en) * | 2000-06-19 | 2003-03-18 | Broadcom Corporation | Switch fabric with path redundancy |
| US7126947B2 (en) * | 2000-06-23 | 2006-10-24 | Broadcom Corporation | Switch having external address resolution interface |
| US7062571B1 (en) * | 2000-06-30 | 2006-06-13 | Cisco Technology, Inc. | Efficient IP load-balancing traffic distribution using ternary CAMs |
| US7031267B2 (en) * | 2000-12-21 | 2006-04-18 | 802 Systems Llc | PLD-based packet filtering methods with PLD configuration data update of filtering rules |
| US6999455B2 (en) * | 2000-07-25 | 2006-02-14 | Broadcom Corporation | Hardware assist for address learning |
| US6771665B1 (en) | 2000-08-31 | 2004-08-03 | Cisco Technology, Inc. | Matching of RADIUS request and response packets during high traffic volume |
| US7411981B1 (en) | 2000-08-31 | 2008-08-12 | Cisco Technology, Inc. | Matching of radius request and response packets during high traffic volume |
| US7227862B2 (en) * | 2000-09-20 | 2007-06-05 | Broadcom Corporation | Network switch having port blocking capability |
| US7120155B2 (en) * | 2000-10-03 | 2006-10-10 | Broadcom Corporation | Switch having virtual shared memory |
| US7274705B2 (en) * | 2000-10-03 | 2007-09-25 | Broadcom Corporation | Method and apparatus for reducing clock speed and power consumption |
| US7020166B2 (en) * | 2000-10-03 | 2006-03-28 | Broadcom Corporation | Switch transferring data using data encapsulation and decapsulation |
| US6851000B2 (en) | 2000-10-03 | 2005-02-01 | Broadcom Corporation | Switch having flow control management |
| US7420977B2 (en) * | 2000-10-03 | 2008-09-02 | Broadcom Corporation | Method and apparatus of inter-chip bus shared by message passing and memory access |
| US6988177B2 (en) * | 2000-10-03 | 2006-01-17 | Broadcom Corporation | Switch memory management using a linked list structure |
| US7035255B2 (en) * | 2000-11-14 | 2006-04-25 | Broadcom Corporation | Linked network switch configuration |
| US7035286B2 (en) * | 2000-11-14 | 2006-04-25 | Broadcom Corporation | Linked network switch configuration |
| US6850542B2 (en) * | 2000-11-14 | 2005-02-01 | Broadcom Corporation | Linked network switch configuration |
| US7424012B2 (en) * | 2000-11-14 | 2008-09-09 | Broadcom Corporation | Linked network switch configuration |
| US6618388B2 (en) | 2001-01-05 | 2003-09-09 | Extreme Networks | Method and system for VMAN protocol |
| US7280540B2 (en) * | 2001-01-09 | 2007-10-09 | Stonesoft Oy | Processing of data packets within a network element cluster |
| KR20030000378A (en) * | 2001-06-23 | 2003-01-06 | 정우협 | How to adjust computer volume (volume) by mouse |
| US7107464B2 (en) * | 2001-07-10 | 2006-09-12 | Telecom Italia S.P.A. | Virtual private network mechanism incorporating security association processor |
| US7212534B2 (en) * | 2001-07-23 | 2007-05-01 | Broadcom Corporation | Flow based congestion control |
| US7860120B1 (en) | 2001-07-27 | 2010-12-28 | Hewlett-Packard Company | Network interface supporting of virtual paths for quality of service with dynamic buffer allocation |
| US7355970B2 (en) * | 2001-10-05 | 2008-04-08 | Broadcom Corporation | Method and apparatus for enabling access on a network switch |
| US7487254B2 (en) * | 2001-12-20 | 2009-02-03 | Nokia Corporation | Fixed length filtering to filter clusters of discrete segments of data |
| KR20030060306A (en) * | 2002-01-08 | 2003-07-16 | 신중호 | Using object module, active customized firewall |
| US7154888B1 (en) | 2002-02-08 | 2006-12-26 | Cisco Technology, Inc. | Method for classifying packets using multi-class structures |
| US7719980B2 (en) * | 2002-02-19 | 2010-05-18 | Broadcom Corporation | Method and apparatus for flexible frame processing and classification engine |
| US7295555B2 (en) | 2002-03-08 | 2007-11-13 | Broadcom Corporation | System and method for identifying upper layer protocol message boundaries |
| US20030174718A1 (en) * | 2002-03-15 | 2003-09-18 | Broadcom Corporation | Scalable packet filter for a network device |
| US7245620B2 (en) * | 2002-03-15 | 2007-07-17 | Broadcom Corporation | Method and apparatus for filtering packet data in a network device |
| US7274698B2 (en) * | 2002-03-15 | 2007-09-25 | Broadcom Corporation | Multilevel parser for conditional flow detection in a network device |
| US7280541B2 (en) * | 2002-03-15 | 2007-10-09 | Broadcom Corporation | Packet filtering based on conditional expression table |
| US7277426B2 (en) * | 2002-05-24 | 2007-10-02 | Mosaid Technologies, Inc. | Method and apparatus for reordering entries in a multi probe lookup |
| US20030223417A1 (en) * | 2002-06-04 | 2003-12-04 | Masashi Higashida | Method of processing data packets |
| US7236493B1 (en) | 2002-06-13 | 2007-06-26 | Cisco Technology, Inc. | Incremental compilation for classification and filtering rules |
| US7697526B2 (en) * | 2002-08-06 | 2010-04-13 | Broadcom Corporation | Packet filtering based on port bit map |
| US7307998B1 (en) | 2002-08-27 | 2007-12-11 | 3Com Corporation | Computer system and network interface supporting dynamically optimized receive buffer queues |
| US7724740B1 (en) * | 2002-08-27 | 2010-05-25 | 3Com Corporation | Computer system and network interface supporting class of service queues |
| US7894480B1 (en) | 2002-08-27 | 2011-02-22 | Hewlett-Packard Company | Computer system and network interface with hardware based rule checking for embedded firewall |
| US7934021B2 (en) | 2002-08-29 | 2011-04-26 | Broadcom Corporation | System and method for network interfacing |
| US7346701B2 (en) | 2002-08-30 | 2008-03-18 | Broadcom Corporation | System and method for TCP offload |
| US7313623B2 (en) | 2002-08-30 | 2007-12-25 | Broadcom Corporation | System and method for TCP/IP offload independent of bandwidth delay product |
| US8180928B2 (en) | 2002-08-30 | 2012-05-15 | Broadcom Corporation | Method and system for supporting read operations with CRC for iSCSI and iSCSI chimney |
| WO2004021626A2 (en) | 2002-08-30 | 2004-03-11 | Broadcom Corporation | System and method for handling out-of-order frames |
| US7418496B2 (en) * | 2003-05-16 | 2008-08-26 | Personnel Research Associates, Inc. | Method and apparatus for survey processing |
| US20050018693A1 (en) * | 2003-06-27 | 2005-01-27 | Broadcom Corporation | Fast filtering processor for a highly integrated network device |
| US7328463B2 (en) * | 2003-09-08 | 2008-02-12 | Microtek Medical Holdings, Inc. | Water-soluble articles and methods of making and using the same |
| US7886348B2 (en) * | 2003-10-03 | 2011-02-08 | Verizon Services Corp. | Security management system for monitoring firewall operation |
| US7421734B2 (en) * | 2003-10-03 | 2008-09-02 | Verizon Services Corp. | Network firewall test methods and apparatus |
| US7853996B1 (en) * | 2003-10-03 | 2010-12-14 | Verizon Services Corp. | Methodology, measurements and analysis of performance and scalability of stateful border gateways |
| US7886350B2 (en) | 2003-10-03 | 2011-02-08 | Verizon Services Corp. | Methodology for measurements and analysis of protocol conformance, performance and scalability of stateful border gateways |
| US7787471B2 (en) * | 2003-11-10 | 2010-08-31 | Broadcom Corporation | Field processor for a network device |
| US7240041B2 (en) * | 2003-11-25 | 2007-07-03 | Freescale Semiconductor, Inc. | Network message processing using inverse pattern matching |
| US7613775B2 (en) | 2003-11-25 | 2009-11-03 | Freescale Semiconductor, Inc. | Network message filtering using hashing and pattern matching |
| US7317723B1 (en) | 2004-02-03 | 2008-01-08 | Cisco Technology, Inc. | Action based termination of multidimensional lookup |
| US8320240B2 (en) * | 2004-11-30 | 2012-11-27 | Broadcom Corporation | Rate limiting and minimum and maximum shaping in a network device |
| US7463630B2 (en) * | 2005-02-18 | 2008-12-09 | Broadcom Corporation | Multi-part parsing in a network device |
| US20060187936A1 (en) * | 2005-02-18 | 2006-08-24 | Broadcom Corporation | Table searching techniques in a network device |
| US20060187923A1 (en) * | 2005-02-18 | 2006-08-24 | Broadcom Corporation | Dynamic filter processor key generation based on packet type |
| US20060187924A1 (en) * | 2005-02-18 | 2006-08-24 | Broadcom Corporation | Ingress handling of data in a network device |
| US7983291B2 (en) * | 2005-02-18 | 2011-07-19 | Broadcom Corporation | Flexible packet modification engine for a network device |
| US20060187832A1 (en) * | 2005-02-18 | 2006-08-24 | Broadcom Corporation | Filter based range check in a network device |
| US20060187919A1 (en) * | 2005-02-18 | 2006-08-24 | Broadcom Corporation | Two stage parser for a network |
| US20060203824A1 (en) * | 2005-02-18 | 2006-09-14 | Song-Huo Yu | Passing values through a memory management unit of a network device |
| US20060187920A1 (en) * | 2005-02-18 | 2006-08-24 | Broadcom Corporation | Flexible packet modification engine |
| US20060187948A1 (en) * | 2005-02-18 | 2006-08-24 | Broadcom Corporation | Layer two and layer three virtual private network support in a network device |
| US7787361B2 (en) | 2005-07-29 | 2010-08-31 | Cisco Technology, Inc. | Hybrid distance vector protocol for wireless mesh networks |
| US7646771B2 (en) | 2005-08-17 | 2010-01-12 | Cisco Technology, Inc. | Compilation of access control lists |
| US7660318B2 (en) | 2005-09-20 | 2010-02-09 | Cisco Technology, Inc. | Internetworking support between a LAN and a wireless mesh network |
| US7325074B2 (en) * | 2005-09-28 | 2008-01-29 | Cisco Technology, Inc. | Incremental compilation of packet classifications using fragmented tables |
| US9374342B2 (en) | 2005-11-08 | 2016-06-21 | Verizon Patent And Licensing Inc. | System and method for testing network firewall using fine granularity measurements |
| US8027251B2 (en) * | 2005-11-08 | 2011-09-27 | Verizon Services Corp. | Systems and methods for implementing protocol-aware network firewall |
| US7869411B2 (en) * | 2005-11-21 | 2011-01-11 | Broadcom Corporation | Compact packet operation device and method |
| US20070198420A1 (en) * | 2006-02-03 | 2007-08-23 | Leonid Goldstein | Method and a system for outbound content security in computer networks |
| US8966619B2 (en) * | 2006-11-08 | 2015-02-24 | Verizon Patent And Licensing Inc. | Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using return routability check filtering |
| US9473529B2 (en) | 2006-11-08 | 2016-10-18 | Verizon Patent And Licensing Inc. | Prevention of denial of service (DoS) attacks on session initiation protocol (SIP)-based systems using method vulnerability filtering |
| CA2671451A1 (en) * | 2006-12-01 | 2008-06-12 | Sonus Networks, Inc. | Filtering and policing for defending against denial of service attacks on a network |
| US7672336B2 (en) * | 2006-12-01 | 2010-03-02 | Sonus Networks, Inc. | Filtering and policing for defending against denial of service attacks on a network |
| US7940657B2 (en) * | 2006-12-01 | 2011-05-10 | Sonus Networks, Inc. | Identifying attackers on a network |
| US7804774B2 (en) * | 2006-12-01 | 2010-09-28 | Sonus Networks, Inc. | Scalable filtering and policing mechanism for protecting user traffic in a network |
| US7743003B1 (en) | 2007-05-16 | 2010-06-22 | Google Inc. | Scaling machine learning using approximate counting that uses feature hashing |
| US8522344B2 (en) * | 2007-06-29 | 2013-08-27 | Verizon Patent And Licensing Inc. | Theft of service architectural integrity validation tools for session initiation protocol (SIP)-based systems |
| US8302186B2 (en) | 2007-06-29 | 2012-10-30 | Verizon Patent And Licensing Inc. | System and method for testing network firewall for denial-of-service (DOS) detection and prevention in signaling channel |
| US10430604B2 (en) * | 2008-02-05 | 2019-10-01 | Equifax Inc. | Systems and methods for securing data in electronic communications |
| US8114117B2 (en) * | 2008-09-30 | 2012-02-14 | Tyco Healthcare Group Lp | Compression device with wear area |
| WO2010018508A1 (en) | 2008-08-12 | 2010-02-18 | Koninklijke Philips Electronics N.V. | A method for communicating in a network, radio stations and a system therefor |
| US7738454B1 (en) | 2008-09-30 | 2010-06-15 | Juniper Networks, Inc. | Methods and apparatus related to packet classification based on range values |
| US8804950B1 (en) | 2008-09-30 | 2014-08-12 | Juniper Networks, Inc. | Methods and apparatus for producing a hash value based on a hash function |
| US7961734B2 (en) | 2008-09-30 | 2011-06-14 | Juniper Networks, Inc. | Methods and apparatus related to packet classification associated with a multi-stage switch |
| US8798057B1 (en) | 2008-09-30 | 2014-08-05 | Juniper Networks, Inc. | Methods and apparatus to implement except condition during data packet classification |
| US7835357B2 (en) * | 2008-09-30 | 2010-11-16 | Juniper Networks, Inc. | Methods and apparatus for packet classification based on policy vectors |
| US8675648B1 (en) * | 2008-09-30 | 2014-03-18 | Juniper Networks, Inc. | Methods and apparatus for compression in packet classification |
| US7796541B1 (en) | 2008-09-30 | 2010-09-14 | Juniper Networks, Inc. | Methods and apparatus for range matching during packet classification based on a linked-node structure |
| US8892983B2 (en) * | 2008-11-04 | 2014-11-18 | Alcatel Lucent | Method and apparatus for error detection in a communication system |
| US8488588B1 (en) | 2008-12-31 | 2013-07-16 | Juniper Networks, Inc. | Methods and apparatus for indexing set bit values in a long vector associated with a switch fabric |
| US8111697B1 (en) | 2008-12-31 | 2012-02-07 | Juniper Networks, Inc. | Methods and apparatus for packet classification based on multiple conditions |
| US7889741B1 (en) | 2008-12-31 | 2011-02-15 | Juniper Networks, Inc. | Methods and apparatus for packet classification based on multiple conditions |
| US9449090B2 (en) * | 2009-05-29 | 2016-09-20 | Vizio Inscape Technologies, Llc | Systems and methods for addressing a media database using distance associative hashing |
| US9094714B2 (en) | 2009-05-29 | 2015-07-28 | Cognitive Networks, Inc. | Systems and methods for on-screen graphics detection |
| WO2011039569A1 (en) * | 2009-09-30 | 2011-04-07 | Freescale Semiconductor, Inc. | System and method for filtering received data units |
| US8599859B2 (en) * | 2009-11-16 | 2013-12-03 | Marvell World Trade Ltd. | Iterative parsing and classification |
| EP2330791B1 (en) * | 2009-11-30 | 2012-10-17 | Fujitsu Semiconductor Limited | Message reception |
| EP2337274B1 (en) * | 2009-12-17 | 2014-03-05 | Alcatel Lucent | Method for processing a plurality of data and switching device for switching communication packets |
| US9282060B2 (en) | 2010-12-15 | 2016-03-08 | Juniper Networks, Inc. | Methods and apparatus for dynamic resource management within a distributed control plane of a switch |
| US9100324B2 (en) | 2011-10-18 | 2015-08-04 | Secure Crossing Research & Development, Inc. | Network protocol analyzer apparatus and method |
| US9680650B2 (en) * | 2013-08-23 | 2017-06-13 | Qualcomm Incorporated | Secure content delivery using hashing of pre-coded packets |
| CA2973740C (en) | 2015-01-30 | 2021-06-08 | Inscape Data, Inc. | Methods for identifying video segments and displaying option to view from an alternative source and/or on an alternative device |
| CN108293140B (en) | 2015-07-16 | 2020-10-02 | 构造数据有限责任公司 | Detection of common media segments |
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4399531A (en) * | 1980-09-29 | 1983-08-16 | Rockwell International Corporation | Distributed digital data communications network |
| GB8407102D0 (en) * | 1984-03-19 | 1984-04-26 | Int Computers Ltd | Interconnection of communications networks |
| US4679193A (en) * | 1985-11-14 | 1987-07-07 | Hewlett Packard Company | Runt packet filter |
| JPH0793634B2 (en) * | 1986-11-29 | 1995-10-09 | 株式会社東芝 | Bus adapter with address conversion function |
| US5032987A (en) * | 1988-08-04 | 1991-07-16 | Digital Equipment Corporation | System with a plurality of hash tables each using different adaptive hashing functions |
| US4891803A (en) * | 1988-11-07 | 1990-01-02 | American Telephone And Telegraph Company | Packet switching network |
| JP2808694B2 (en) * | 1989-07-24 | 1998-10-08 | 株式会社日立製作所 | Network Connection Bridge |
| US5210748A (en) * | 1990-02-09 | 1993-05-11 | Hitachi, Ltd. | Address filter unit for carrying out address filter processing among plurality of networks and method thereof |
| JPH04213242A (en) * | 1990-12-07 | 1992-08-04 | Hitachi Ltd | Limited multiple address communication system |
| US5274631A (en) * | 1991-03-11 | 1993-12-28 | Kalpana, Inc. | Computer network switching system |
-
1993
- 1993-08-09 US US08/103,659 patent/US5473607A/en not_active Expired - Lifetime
-
1994
- 1994-07-27 JP JP7506450A patent/JPH09509018A/en active Pending
- 1994-07-27 AU AU74065/94A patent/AU680030B2/en not_active Ceased
- 1994-07-27 EP EP94924045A patent/EP0713624A4/en not_active Withdrawn
- 1994-07-27 CA CA002169181A patent/CA2169181A1/en not_active Abandoned
- 1994-07-27 WO PCT/US1994/008514 patent/WO1995005044A1/en not_active Application Discontinuation
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112019449A (en) * | 2020-08-14 | 2020-12-01 | 四川电科网安科技有限公司 | Traffic identification packet capturing method and device |
| CN112019449B (en) * | 2020-08-14 | 2022-06-17 | 四川电科网安科技有限公司 | Traffic identification packet capturing method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| AU7406594A (en) | 1995-02-28 |
| WO1995005044A1 (en) | 1995-02-16 |
| US5473607A (en) | 1995-12-05 |
| JPH09509018A (en) | 1997-09-09 |
| EP0713624A4 (en) | 1997-01-08 |
| AU680030B2 (en) | 1997-07-17 |
| EP0713624A1 (en) | 1996-05-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US5473607A (en) | Packet filtering for data networks | |
| US7684400B2 (en) | Logarithmic time range-based multifield-correlation packet classification | |
| US6792423B1 (en) | Hybrid longest prefix match and fixed match searches | |
| US9866540B2 (en) | System and method for rule matching in a processor | |
| US7394809B2 (en) | Method and apparatus for packet classification using a forest of hash tables data structure | |
| US7191468B2 (en) | System and method for multidimensional data compression | |
| CN104579940B (en) | Search the method and device of accesses control list | |
| CN1482548A (en) | Method and system for partitioning filter rules for multi-search enforcement | |
| US20040264373A1 (en) | Packet classification | |
| JP3881663B2 (en) | Packet classification apparatus and method using field level tree | |
| EP3917099A1 (en) | Stream classification method and device | |
| US20160335298A1 (en) | Methods, systems, and non-transitory computer readable media for generating a tree structure with nodal comparison fields and cut values for rapid tree traversal and reduced numbers of full comparisons at leaf nodes | |
| US20140105215A1 (en) | Converting addresses for nodes of a data center network into compact identifiers for determining flow keys for received data packets | |
| US20190347529A1 (en) | Packet classification method and device | |
| US6996559B1 (en) | IP address resolution methods and apparatus | |
| US7023859B2 (en) | Method for configuring a trie memory for the processing of data packets, and packet-processing device implementing such a method | |
| US11522917B2 (en) | Scalable network processing segmentation | |
| CN106487535B (en) | Method and device for classifying network traffic data | |
| US7508825B2 (en) | Data packet classification | |
| US7426608B1 (en) | Method and apparatus for constructing a search key | |
| WO2002015488A1 (en) | Methods and apparatus for packet classification with multiple answer sets | |
| US11770463B2 (en) | Packet filtering using binary search trees | |
| KR100467746B1 (en) | Multi-field classification system the address decomposition | |
| US8577854B1 (en) | Apparatus and method for high speed flow classification | |
| CN112968841A (en) | Message convergence and distribution method and device and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| FZDE | Discontinued |