US20040032829A1 - Network packet classification - Google Patents
- Publication number: US20040032829A1
- Authority: US (United States)
- Prior art keywords: packet, port number, network, identified, address
- Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/00 and H04L63/14)
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields (under H04L69/00 and H04L69/16)
- H04L9/40—Network security protocols (under H04L9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communications)
- H04L63/0254—Stateful filtering (under H04L63/02, separating internal from external traffic, e.g. firewalls, and H04L63/0227, filtering policies)
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] (under H04L69/00, network arrangements, protocols or services independent of the application payload)
Definitions
- In step 213, if the packet is from a protected node, then the facility continues in step 207 to forward the packet, else the facility continues in step 208 to process the inbound packet.
- Steps 204 and 208 involve traversing part or all of the list for the bucket for the hash result. During this traversal, the facility preferably identifies and removes any authorization records in the list that have expired.
- FIGS. 4A-7B show examples of the operation of the facility.
- FIGS. 4A, 4B, and 4C are data structure diagrams showing the processing of an outbound packet. The diagrams show a representation of the outbound packet 410; the hash function 420; the hash table buckets, such as buckets 431-438; and the lists of authorization records associated with each nonempty bucket, such as the list containing authorization record 441 associated with bucket 434, the list containing authorization record 442 associated with bucket 435, and the list containing authorization record 443 associated with bucket 436.
- Each authorization record in a list is an authorization to forward inbound packets, and contains the source address and port number and destination address and port number of the authorized inbound packets, as well as an expiration time at which the authorization expires. For example, authorization record 441 represents an authorization to forward inbound packets having source address 29.132.15.1, source port number 80, destination address 208.152.24.130, and destination port number 1501. This authorization expires at time 12:00:52.129. Such an inbound packet would have a hash value of 1250, the hash value of bucket 434. Because of the symmetry of the hash function with respect to source node information and destination node information, outbound packets for the same session will also have hash result 1250. The data structure diagram includes an indication 460 that the current time is 12:02:26.131.
- FIG. 4B shows that, because outbound packet 410 has hash result 1250, a new authorization record 444 is added to the list of authorization records for bucket 434 for hash value 1250. FIG. 4B further indicates that packet 410, because it is an outbound packet, is forwarded to its destination.
- FIG. 4C shows the optional garbage collection feature of the facility. In determining whether the list of authorization records for hash value 1250 already contains an authorization record for inbound packets that are part of the same session as outbound packet 410, one embodiment of the facility preferably checks each traversed authorization record to determine whether its expiration time has passed. Because the expiration time of authorization record 441, 12:00:52.129, is earlier than current time 460, 12:02:26.131, FIG. 4C shows that the facility has removed authorization record 441 from the list of authorization records for hash value 1250.
- FIGS. 5A and 5B are data structure diagrams showing the processing of an authorized inbound packet. FIG. 5A shows inbound packet 510, which has source address 29.132.151.1, source port number 80, destination address 208.152.24.129, and destination port number 1502. The facility determines whether the hash table contains an authorization record for such an inbound packet. The facility subjects the inbound packet 510 to the hash function to yield hash result 1250. It then searches the list of authorization records for hash result 1250 to determine whether the list contains an unexpired authorization record for this packet. The facility finds authorization record 444, which specifies the same source address and port number and destination address and port number as inbound packet 510. FIG. 5B shows that the facility forwards the inbound packet in accordance with the unexpired authorization record.
- FIGS. 6A and 6B are data structure diagrams showing the processing of an end-of-session, or “FIN” packet. The FIN packet 610 hashes to hash result 1824. The facility searches in the list of authorization records for hash result 1824 for an authorization record matching packet 610 or its converse. In doing so, the facility identifies authorization record 643 and, though this authorization record has not yet expired, FIG. 6B shows that the facility removes authorization record 643 in response to the FIN packet. FIG. 6B further shows that the facility forwards the outbound FIN packet to its destination.
- FIGS. 7A and 7B are data structure diagrams showing the processing of an inbound packet whose authorization record has expired. When the facility applies the hashing function to inbound packet 710, it obtains a hash result of 1250. The facility searches the list of authorization records for hash result 1250, and identifies authorization record 741 as matching the inbound packet 710. Because the expiration time of authorization record 741, 12:02:27.131, is earlier than the current time 760, 12:02:28.220, FIG. 7B shows that the facility removes authorization record 741 and discards inbound packet 710.
Description
- The present invention is directed to the field of computer networking, and more particularly, to the field of network packet processing.
- In computer networks, information can be transmitted between two connected computer systems, herein termed the “source” and “destination” computer systems. A particular pair of computer systems exchanging information are said to be engaged in a “session.”
- Many protocols are available for formatting and transmitting this information, such as Transmission Control Protocol (“TCP”), defined in Internet Requests for Comment 675, 761, and 793, currently available at ftp://ftp.isi.edu/in-notes/rfc675.txt, ftp://ftp.isi.edu/in-notes/rfc761.txt, and ftp://ftp.isi.edu/in-notes/rfc793.txt, respectively; and User Datagram Protocol (“UDP”), defined in Internet RFC 768, currently available at ftp://ftp.isi.edu/in-notes/rfc768.txt.
- Protocols such as TCP and UDP generally specify dividing a body of information to be transmitted into a number of pieces, called “packets,” attaching to each packet a “header” containing additional information about the packet, and sending these packets from the source computer system to the destination computer system. Both of the above protocols specify including in each packet header a numerical network address of the source computer system and the destination computer system. They additionally each specify including in each packet header a “port number” for each of the source and destination computer systems that allows these computer systems to differentiate between packets arriving for different purposes.
- In many cases, it is useful to track packets based on the particular network session that they are part of. Packet classification of this sort may be used, for example, to perform packet filtering—determining, for packets addressed to a protected computer system, which to forward to the protected computer system and which to discard. Such classification may also be used to selectively perform packet modification, such as reformatting packet contents, or to perform network traffic analysis. Unfortunately, existing approaches to classifying packets to identify the network sessions to which they belong each have significant disadvantages. Accordingly, a new, more effective approach to classifying packets to identify the network sessions to which they belong would have considerable utility.
- FIG. 1 is a high-level block diagram of the general-purpose computer system upon which the facility preferably executes.
- FIG. 2 is a flow diagram showing the steps preferably performed by the packet filtering facility for each packet received.
- FIG. 3 is a flow diagram showing the steps performed by the hash function.
- FIGS. 4A, 4B, and 4C are data structure diagrams showing the processing of an outbound packet.
- FIGS. 5A and 5B are data structure diagrams showing the processing of an authorized inbound packet.
- FIGS. 6A and 6B are data structure diagrams showing the processing of an end-of-session, or “FIN” packet.
- FIGS. 7A and 7B are data structure diagrams showing the processing of an inbound packet whose authorization record has expired.
- The present invention provides an approach to classifying network packets. In a preferred embodiment, a packet is classified based on the sum of its source address, source port number, destination address, and destination port number. In particular, a packet is classified by assigning it a hash value equal to the modulo remainder of the above sum over a constant value. Classifying packets using this hashing function both provides an excellent hashing distribution and groups together packets exchanged in different directions in the same network session.
- In one preferred embodiment, this packet classification scheme is utilized in a software facility for network packet filtering (“the facility”). The facility operates in a computer system or other device that protects a group of protected computer systems from unauthorized packets. The computer system upon which the facility executes receives the packets addressed to the protected computer system (“inbound packets”) and the packets sent from the protected computer system (“outbound packets”), and determines whether to forward them to their destination. In that connection, the facility maintains a hash table, into which it indexes with the hash values of the packets it receives. When an outbound packet is received, it is treated as an indication that future corresponding inbound packets should be forwarded, until an end-of-session packet is received or a timeout period elapses. In that connection, authorization records are stored in the hash table identifying inbound packets that are to be forwarded rather than discarded.
- In various alternative embodiments of the packet filtering facility, different levels of information are stored to identify authorized packets. In one preferred embodiment, each bucket of the hash table may contain a list of authorization records. Each authorization record contains information identifying a network session and representing the authority to forward packets that are part of the network session. In certain further preferred embodiments, such records contain an expiration time after which such authorization expires, and/or a specific identification of the end of the session whose packets are authorized.
- The packet classification scheme of the present invention is further adapted to use in other network administration applications, including network traffic analysis, such as network traffic modeling, or network packet processing, such as reformatting or translating data contained in certain network packets.
- FIG. 1 is a high-level block diagram of the computer system upon which the facility preferably executes. The computer system 100 contains one or more central processing units (CPUs) 110, input/output devices 120, and a computer memory (memory) 130. Among the input/output devices is a storage device 121, such as a hard disk drive, and a computer-readable media drive 122, which can be used to install software products, including components of the facility, which are provided on a computer-readable medium, such as a CD-ROM. The input/output devices also include a network connection 123, through which the computer system 100 may communicate with other connected computer systems, and through which the facility receives network packets for filtering. The memory 130 preferably contains the packet filtering facility 131, as well as a hashing function 132 and a packet filtering hash table 133 used by the facility. While the facility is preferably implemented on a computer system configured as described above, those skilled in the art will recognize that it may also be implemented on computer systems having different configurations. In particular, the facility may be implemented in a dedicated network security device, a dedicated network analysis device, a router, or other types of specialized network hardware.
- FIG. 2 is a flow diagram showing the steps preferably performed by the packet filtering facility for each packet received. In step 201, the facility invokes the hash function in order to produce a hash result value for the received packet based upon its source address, source port number, target address, and target port number.
- FIG. 3 is a flow diagram showing the steps performed by the hash function. In step 301, the hash function converts the source address, source port number, destination address, and destination port number for the current message each to host byte order, if necessary. Version 4 of the Internet Protocol standard (“IPv4”) specifies that numerical network addresses in an IP network (“IP addresses”) are unsigned 32-bit integers, made up of four 8-bit bytes that are transmitted in order from the most significant byte to the least significant byte. This ordering is called “network standard byte order.” (In version 6, or IPv6, IP addresses are unsigned 128-bit integers having the same bit ordering.) An example of a version 4 IP address is shown on line (1):
- 10000000 00001010 00000010 00011110 (1)
- IP addresses are often expressed in what is called “dotted decimal notation,” in which the bytes are shown as decimal integers separated by decimal points. Accordingly, the IP address shown on line (1) may be expressed as:
- 128.10.2.30 (2)
- By performing the act of storing a transmitted IP address in memory by storing the first and highest-order byte at an initial memory location, and each successively lower-order byte at the next higher memory location, a computer system preserves the byte ordering, called “Big Endian” shown on line (1). Some computer systems internally represent integers using this Big Endian byte ordering. On these computer systems, IP addresses can be stored in memory as described above and immediately operated upon as 32-bit integer values. Other computer systems, however, use different byte orderings to represent integers. For example, some computer systems use Little Endian byte ordering, in which the lowest-order byte is stored in the lowest memory location and each successively higher-order byte is stored at the next higher memory location. Networked computer systems that use byte ordering schemes other than Big Endian generally have functions for converting between Big Endian network standard byte order and their internal order, called “host order.” For example, on a computer system using Little Endian byte ordering, the Unix function ntohl( ) converts the value on line (1) in Big Endian network standard byte order to the representation on line (3) in Little Endian host order:
- 00011110 00000010 00001010 10000000 (3)
- The Unix function ntohl( ) converts long 4-byte integers from network standard byte order to host order, while the Unix function ntohs( ) converts short 2-byte integers from network standard byte order to host order. ntohs( ) may be used in the same manner to convert port numbers, which are 2-byte integers, from network standard byte order to host order. Accordingly, in step 301, the hash function preferably uses the ntohl( ) and ntohs( ) functions to convert the addresses and port numbers, respectively, of the message to host byte order.
- In step 302, the facility sums the source address, source port number, destination address, and destination port number. In step 303, the facility determines the modulo remainder of the sum over the hash table size. The hash table size is preferably chosen to be a value that is not a power of 2 and that further is a prime number. The table size is preferably based on the expected number of simultaneous sessions for which the packet filtering facility is expected to filter packets. For example, for about 500 simultaneous sessions, a table size of 2047 is preferably chosen. After step 303, the function returns the modulo remainder determined in step 303 as the hash result value. To summarize, the hashing function can be expressed mathematically as:
- (ntohl(source address)+ntohs(source port number)+ntohl(destination address)+ntohs(destination port number)) mod (table size) (4)
- Returning to FIG. 2, in step 202, if the FIN flag is set in the packet, indicating that the packet marks the end of its session, then the facility continues at step 212, else the facility continues at step 203. In step 203, if the packet is from a protected node, then the facility continues in step 204 to process the packet as an outbound packet, else the facility continues in step 208 to process the packet as an inbound packet. In one preferred embodiment, the facility performs the determination of step 203 by determining whether the source address and source port number of the packet correspond to a list of network nodes for which the facility is assigned to filter packets. In an alternative preferred embodiment, the determination of step 203 is performed by determining whether the packet was received via a network connection to protected nodes, or via a separate network connection to unprotected nodes.
- In step 204, if the list of authorization records for the bucket for the outbound packet's hash result contains an authorization record for the converse of this packet—that is, an inbound packet that is part of the same session as the received outbound packet—then the facility continues in step 205, else the facility continues in step 206. In step 205, the facility updates the expiration time for the preexisting authorization record for the converse of this packet. After step 205, the facility continues in step 207. In step 206, the facility adds an authorization record for the converse of the packet to the list of authorization records for the bucket for the packet's hash result. In step 207, the facility forwards the packet to its destination address and port number. After step 207, these steps conclude.
- In step 208, in order to process the inbound packet, if the list of authorization records for the bucket for the packet's hash result contains an authorization record for the packet, then the facility continues in step 209, else the facility continues in step 211. In step 209, if the authorization record for the packet is expired, that is, if the current time is later than the expiration time for the authorization record, then the facility continues in step 210, else the facility continues in step 207 to forward the packet. In step 210, the facility removes the authorization record for the packet from the list for the bucket for the packet's hash result. Then, in step 211, the facility discards the packet. After step 211, these steps conclude.
- In step 212, because a FIN packet has been received, the facility removes from the list of authorization records for the bucket for the packet's hash result any authorization record for the packet or its converse. In step 213, if the packet is from a protected node, then the facility continues in step 207 to forward the packet, else the facility continues in step 208 to process the inbound packet.
- In a further preferred embodiment, steps 204 and 208 involve traversing part or all of the list for the bucket for the hash result. During such traversal, the facility preferably identifies and removes any authorization records in the list that have expired.
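The hash of equation (4) and the FIG. 2 authorization logic (steps 202 through 213, including the traversal-time garbage collection just described), written out as an added C example. This is illustrative code, not the patent's or any product's implementation. It assumes a 64-bit accumulator for the sum (the description does not say whether a 32-bit sum is allowed to wrap; either choice keeps the hash symmetric), a flat array standing in for the per-bucket lists, times given as plain seconds, and constructed addresses, ports and time values. The names `PacketKey`, `AuthRecord`, `Facility`, `session_hash`, `handle_packet` and `scenario_trace` are this example's own.

```c
#include <arpa/inet.h>   /* ntohl(), ntohs(), htons(), inet_pton() */
#include <stdint.h>
#include <string.h>

#define TABLE_SIZE 2047  /* the size the description suggests for ~500 sessions */
#define MAX_RECORDS 64   /* constructed capacity for this example */

/* Header fields in network byte order, exactly as read from the IP and TCP/UDP headers. */
typedef struct { uint32_t src_addr, dst_addr; uint16_t src_port, dst_port; } PacketKey;

/* Equation (4): ntohl()/ntohs() each field to host order, sum, reduce modulo the table
 * size.  The 64-bit accumulator is an assumption of this example (the sum cannot overflow). */
unsigned session_hash(const PacketKey *k) {
    uint64_t sum = (uint64_t)ntohl(k->src_addr) + ntohs(k->src_port)
                 + (uint64_t)ntohl(k->dst_addr) + ntohs(k->dst_port);
    return (unsigned)(sum % TABLE_SIZE);
}
/* Build a key from dotted-quad text; inet_pton() and htons() leave the fields in network order. */
int make_key(PacketKey *k, const char *src, uint16_t sport, const char *dst, uint16_t dport) {
    if (inet_pton(AF_INET, src, &k->src_addr) != 1 ||
        inet_pton(AF_INET, dst, &k->dst_addr) != 1)
        return 0;
    k->src_port = htons(sport);
    k->dst_port = htons(dport);
    return 1;
}
/* Hash of a session given in text form; returns TABLE_SIZE (never a valid bucket) on a bad address. */
unsigned hash_of(const char *src, uint16_t sport, const char *dst, uint16_t dport) {
    PacketKey k;
    return make_key(&k, src, sport, dst, dport) ? session_hash(&k) : TABLE_SIZE;
}
/* The converse of a packet: the same session seen in the opposite direction. */
PacketKey converse(const PacketKey *k) {
    PacketKey c = { k->dst_addr, k->src_addr, k->dst_port, k->src_port };
    return c;
}
static int same_key(const PacketKey *a, const PacketKey *b) {
    return a->src_addr == b->src_addr && a->dst_addr == b->dst_addr &&
           a->src_port == b->src_port && a->dst_port == b->dst_port;
}

/* Authorization to forward a matching inbound packet until expires_at. */
typedef struct { PacketKey key; unsigned bucket; double expires_at; int used; } AuthRecord;
/* A flat array stands in for the per-bucket lists; lookups filter on bucket first. */
typedef struct { AuthRecord rec[MAX_RECORDS]; double ttl; } Facility;

void facility_init(Facility *f, double ttl) { memset(f, 0, sizeof *f); f->ttl = ttl; }

/* Traverse the bucket for k, dropping expired records on the way (the garbage collection of
 * the further preferred embodiment); return the live record matching k, or NULL. */
static AuthRecord *find_record(Facility *f, const PacketKey *k, double now) {
    unsigned b = session_hash(k);
    AuthRecord *hit = NULL;
    for (int i = 0; i < MAX_RECORDS; i++) {
        AuthRecord *r = &f->rec[i];
        if (!r->used || r->bucket != b) continue;
        if (now > r->expires_at) { r->used = 0; continue; }  /* steps 209-210 */
        if (same_key(&r->key, k)) hit = r;
    }
    return hit;
}
static void add_record(Facility *f, const PacketKey *k, double now) {
    for (int i = 0; i < MAX_RECORDS; i++)
        if (!f->rec[i].used) {
            AuthRecord r = { *k, session_hash(k), now + f->ttl, 1 };
            f->rec[i] = r;
            return;
        }
}
/* Steps 202-213 of FIG. 2.  Returns 1 when the packet is forwarded, 0 when it is discarded. */
int handle_packet(Facility *f, const PacketKey *k, int fin, int from_protected, double now) {
    PacketKey conv = converse(k);
    AuthRecord *r;
    if (fin) {                                          /* step 212: drop the packet's and its converse's records */
        if ((r = find_record(f, k, now)) != NULL) r->used = 0;
        if ((r = find_record(f, &conv, now)) != NULL) r->used = 0;
        if (from_protected) return 1;                   /* step 213 -> 207 */
    } else if (from_protected) {                        /* steps 204-207: outbound packet */
        if ((r = find_record(f, &conv, now)) != NULL) r->expires_at = now + f->ttl; /* 205 */
        else add_record(f, &conv, now);                                            /* 206 */
        return 1;                                                                  /* 207 */
    }
    return find_record(f, k, now) != NULL;              /* steps 208-211: inbound packet */
}

/* Constructed walk through FIG. 2: one letter per packet, 'F' forwarded, 'D' discarded.
 * Times are seconds; authorizations last 60 s.  The second session is chosen so that it
 * lands in the same bucket as the first, to show that a bucket hit alone is not a match. */
const char *scenario_trace(void) {
    static char trace[16];
    Facility f; PacketKey out, in, other; int n = 0;
    facility_init(&f, 60.0);
    make_key(&out, "208.152.24.130", 1501, "29.132.15.1", 80);    /* protected node -> outside */
    in = converse(&out);                                          /* the reply direction */
    make_key(&other, "29.132.15.1", 80, "208.152.24.129", 1502);  /* same bucket, other session */
    trace[n++] = handle_packet(&f, &other, 0, 0,  0.0) ? 'F' : 'D'; /* D: nothing authorized yet */
    trace[n++] = handle_packet(&f, &out,   0, 1,  0.0) ? 'F' : 'D'; /* F: outbound, record added */
    trace[n++] = handle_packet(&f, &in,    0, 0, 10.0) ? 'F' : 'D'; /* F: authorized inbound */
    trace[n++] = handle_packet(&f, &other, 0, 0, 10.0) ? 'F' : 'D'; /* D: bucket collision, no match */
    trace[n++] = handle_packet(&f, &in,    0, 0, 61.0) ? 'F' : 'D'; /* D: expired, record removed */
    trace[n++] = handle_packet(&f, &out,   0, 1, 61.0) ? 'F' : 'D'; /* F: re-authorizes the session */
    trace[n++] = handle_packet(&f, &out,   1, 1, 62.0) ? 'F' : 'D'; /* F: outbound FIN, record removed */
    trace[n++] = handle_packet(&f, &in,    0, 0, 63.0) ? 'F' : 'D'; /* D: session closed */
    trace[n] = '\0';
    return trace;
}
```

`session_hash()` is symmetric in the source and destination fields, so a packet and its converse always land in the same bucket; that is what lets the outbound packet install a record the inbound reply will find. With the constructed values above, 208.152.24.130:1501 to 29.132.15.1:80 hashes to 1262, as does 29.132.15.1:80 to 208.152.24.129:1502 (the address and port differences cancel in the sum), and the second session is still discarded because the record comparison is on the full four-tuple, not the bucket. Two points a deployment would want to check: 2047 = 23 × 89 is not prime, so following the description's own prime-size advice means picking a nearby prime such as 2053 instead; and a plain additive hash places deliberately crafted sessions into one bucket, so the per-bucket list length, not just the table size, bounds the lookup cost.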
- FIGS. 4A-7B show examples of the operation of the facility. FIGS. 4A, 4B, and 4C are data structure diagrams showing the processing of an outbound packet. The diagrams show a representation of the outbound packet 410; the hash function 420; the hash table buckets, such as buckets 431-438; and the lists of authorization records associated with each nonempty bucket, such as the list containing authorization record 441 associated with bucket 434, the list containing authorization record 442 associated with bucket 435, and the list containing authorization record 443 associated with bucket 436. Each authorization record in a list is an authorization to forward inbound packets, and contains the source address and port number and destination address and port number of the authorized inbound packets, as well as an expiration time at which the authorization expires. For example, authorization record 441 represents an authorization to forward inbound packets having source address 29.132.15.1, source port number 80, destination address 208.152.24.130, and destination port number 1501. This authorization expires at time 12:00:52.129. Such an inbound packet would have a hash value of 1250, the hash value of bucket 434. Because of the symmetry of the hash function with respect to source node information and destination node information, outbound packets for the same session will also have hash result 1250. Finally, the data structure diagram includes an indication 460 that the current time is 12:02:26.131.
- FIG. 4B shows that, because outbound packet 410 has hash result 1250, a new authorization record 444 is added to the list of authorization records for bucket 434 for hash value 1250. FIG. 4B further indicates that packet 410, because it is an outbound packet, is forwarded to its destination.
- FIG. 4C shows the optional garbage collection feature of the facility. In determining whether the list of authorization records for hash value 1250 already contains an authorization record for inbound packets that are part of the same session as outbound packet 410, one embodiment of the facility preferably checks each traversed authorization record to determine whether its expiration time has passed. Because the expiration time of authorization record 441, 12:00:52.129, is earlier than current time 460, 12:02:26.131, FIG. 4C shows that the facility has removed authorization record 441 from the list of authorization records for hash value 1250.
- FIGS. 5A and 5B are data structure diagrams showing the processing of an authorized inbound packet. FIG. 5A shows inbound packet 510, which has source address 29.132.151.1, source port number 80, destination address 208.152.24.129, and destination port number 1502. In order to determine whether to forward the packet, the facility determines whether the hash table contains an authorization record for such an inbound packet. The facility subjects the inbound packet 510 to the hash function to yield hash result 1250. It then searches the list of authorization records for hash result 1250 to determine whether the list contains an unexpired authorization record for this packet. The facility finds authorization record 444, which specifies the same source address and port number and destination address and port number as inbound packet 510. Further, the authorization record is unexpired, as its expiration time, 12:02:27.131, is later than the current time 560, 12:02:26.437. For this reason, FIG. 5B shows that the facility forwards the inbound packet in accordance with the unexpired authorization record.
- FIGS. 6A and 6B are data structure diagrams showing the processing of an end-of-session, or “FIN,” packet. The FIN packet 610 hashes to hash result 1824. The facility searches the list of authorization records for hash result 1824 for an authorization record matching packet 610 or its converse. In doing so, the facility identifies authorization record 643 and, though this authorization record has not yet expired, FIG. 6B shows that the facility removes authorization record 643 in response to the FIN packet. FIG. 6B further shows that the facility forwards the outbound FIN packet to its destination.
- FIGS. 7A and 7B are data structure diagrams showing the processing of an inbound packet whose authorization record has expired. When the facility applies the hashing function to inbound packet 710 it obtains a hash result of 1250. The facility searches the list of authorization records for hash result 1250, and identifies authorization record 741 as matching the inbound packet 710. Because the expiration time of authorization record 741, 12:02:27.131, is earlier than the current time 760, 12:02:28.220, FIG. 7B shows that the facility removes authorization record 741 and discards inbound packet 710.
- While this invention has been shown and described with reference to preferred embodiments, it will be understood by those skilled in the art that various changes or modifications in form and detail may be made without departing from the scope of the invention. For example, other hashing functions that combine the source address and port number and destination address and port number, or a different combination of packet header values, may be used. Also, the hash function may be straightforwardly used for any application that involves classifying network packets. Further, while the hash function is discussed above with respect to messages conforming to Internet protocols such as TCP and UDP, those skilled in the art will recognize that the hash function may be straightforwardly applied to packets, or other units of data transmission, conforming to other network protocols.
Claims (43)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/455,737 US20040032829A1 (en) | 1999-08-25 | 2003-09-29 | Network packet classification |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/382,568 US6597661B1 (en) | 1999-08-25 | 1999-08-25 | Network packet classification |
US10/455,737 US20040032829A1 (en) | 1999-08-25 | 2003-09-29 | Network packet classification |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/382,568 Continuation US6597661B1 (en) | 1999-08-25 | 1999-08-25 | Network packet classification |
Publications (1)
Publication Number | Publication Date |
---|---|
US20040032829A1 true US20040032829A1 (en) | 2004-02-19 |
Family
ID=23509549
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/382,568 Expired - Fee Related US6597661B1 (en) | 1999-08-25 | 1999-08-25 | Network packet classification |
US10/455,737 Abandoned US20040032829A1 (en) | 1999-08-25 | 2003-09-29 | Network packet classification |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/382,568 Expired - Fee Related US6597661B1 (en) | 1999-08-25 | 1999-08-25 | Network packet classification |
Country Status (1)
Country | Link |
---|---|
US (2) | US6597661B1 (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030043798A1 (en) * | 2001-08-30 | 2003-03-06 | Pugel Michael Anthony | Method, apparatus and data structure enabling multiple channel data stream transmission |
US6975628B2 (en) * | 2000-12-22 | 2005-12-13 | Intel Corporation | Method for representing and controlling packet data flow through packet forwarding hardware |
US7177930B1 (en) * | 2002-10-11 | 2007-02-13 | Network General Technology | Method and system for network traffic analysis with configuration enhancements |
WO2007147310A1 (en) * | 2006-06-15 | 2007-12-27 | Huawei Technologies Co., Ltd. | A method and an apparatus for realizing partaking of network traffic load |
US7653938B1 (en) * | 2005-02-03 | 2010-01-26 | Cisco Technology, Inc. | Efficient cookie generator |
US20110208871A1 (en) * | 2002-01-15 | 2011-08-25 | Intel Corporation | Queuing based on packet classification |
US8584228B1 (en) * | 2009-12-29 | 2013-11-12 | Amazon Technologies, Inc. | Packet authentication and encryption in virtual networks |
US8593969B1 (en) * | 2005-04-18 | 2013-11-26 | Marvell International Ltd. | Method and apparatus for rate-limiting traffic flow of packets in a network device |
US8976658B1 (en) | 2005-04-18 | 2015-03-10 | Marvell International Ltd. | Packet sampling using rate-limiting mechanisms |
US9047417B2 (en) | 2012-10-29 | 2015-06-02 | Intel Corporation | NUMA aware network interface |
WO2015170150A1 (en) * | 2014-05-07 | 2015-11-12 | Yandex Europe Ag | Method and device for forwarding a packet |
CN107113282A (en) * | 2014-12-30 | 2017-08-29 | 华为技术有限公司 | A kind of method and device for extracting data message |
US10684973B2 (en) | 2013-08-30 | 2020-06-16 | Intel Corporation | NUMA node peripheral switch |
US11960429B2 (en) | 2022-12-15 | 2024-04-16 | Intel Corporation | Many-to-many PCIE switch |
Families Citing this family (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6580791B1 (en) * | 1999-09-16 | 2003-06-17 | Worldcom, Inc. | Apparatus for providing data to switching elements in a communications system |
US6728243B1 (en) * | 1999-10-28 | 2004-04-27 | Intel Corporation | Method for specifying TCP/IP packet classification parameters |
US6925085B1 (en) * | 2000-06-07 | 2005-08-02 | Advanced Micro Devices, Inc. | Packet classification using hash key signatures generated from interrupted hash function |
US7398317B2 (en) | 2000-09-07 | 2008-07-08 | Mazu Networks, Inc. | Thwarting connection-based denial of service attacks |
US7043759B2 (en) * | 2000-09-07 | 2006-05-09 | Mazu Networks, Inc. | Architecture to thwart denial of service attacks |
US7124440B2 (en) * | 2000-09-07 | 2006-10-17 | Mazu Networks, Inc. | Monitoring network traffic denial of service attacks |
US7702806B2 (en) * | 2000-09-07 | 2010-04-20 | Riverbed Technology, Inc. | Statistics collection for network traffic |
US7743134B2 (en) * | 2000-09-07 | 2010-06-22 | Riverbed Technology, Inc. | Thwarting source address spoofing-based denial of service attacks |
US7278159B2 (en) * | 2000-09-07 | 2007-10-02 | Mazu Networks, Inc. | Coordinated thwarting of denial of service attacks |
US20030097439A1 (en) * | 2000-10-23 | 2003-05-22 | Strayer William Timothy | Systems and methods for identifying anomalies in network data streams |
US7170860B2 (en) * | 2000-10-23 | 2007-01-30 | Bbn Technologies Corp. | Method and system for passively analyzing communication data based on frequency analysis of encrypted data traffic, and method and system for deterring passive analysis of communication data |
US8520679B1 (en) * | 2001-01-24 | 2013-08-27 | Advanced Medical Devices, Inc. | Trunking distribution systems and methods |
US7283526B2 (en) * | 2001-07-19 | 2007-10-16 | International Business Machines Corporation | Method and system for providing a symmetric key for more efficient session identification |
US7574597B1 (en) | 2001-10-19 | 2009-08-11 | Bbn Technologies Corp. | Encoding of signals to facilitate traffic analysis |
US7283475B2 (en) * | 2001-10-19 | 2007-10-16 | Bbn Technologies Corp. | Fractal dimension analysis for data stream isolation |
US20030084148A1 (en) * | 2001-10-19 | 2003-05-01 | Cousins David Bruce | Methods and systems for passive information discovery using cross spectral density and coherence processing |
US7200656B1 (en) | 2001-10-19 | 2007-04-03 | Bbn Technologies Corp. | Methods and systems for simultaneously detecting short and long term periodicity for traffic flow identification |
US7263479B2 (en) * | 2001-10-19 | 2007-08-28 | Bbn Technologies Corp. | Determining characteristics of received voice data packets to assist prosody analysis |
US7743415B2 (en) * | 2002-01-31 | 2010-06-22 | Riverbed Technology, Inc. | Denial of service attacks characterization |
US7213264B2 (en) | 2002-01-31 | 2007-05-01 | Mazu Networks, Inc. | Architecture to thwart denial of service attacks |
US20030188056A1 (en) * | 2002-03-27 | 2003-10-02 | Suresh Chemudupati | Method and apparatus for packet reformatting |
US8819252B1 (en) | 2002-05-03 | 2014-08-26 | Foundry Networks, Llc | Transaction rate limiting |
US7707295B1 (en) * | 2002-05-03 | 2010-04-27 | Foundry Networks, Inc. | Connection rate limiting |
US8554929B1 (en) | 2002-05-03 | 2013-10-08 | Foundry Networks, Llc | Connection rate limiting for server load balancing and transparent cache switching |
US7284272B2 (en) * | 2002-05-31 | 2007-10-16 | Alcatel Canada Inc. | Secret hashing for TCP SYN/FIN correspondence |
US8504879B2 (en) * | 2002-11-04 | 2013-08-06 | Riverbed Technology, Inc. | Connection based anomaly detection |
US7363656B2 (en) * | 2002-11-04 | 2008-04-22 | Mazu Networks, Inc. | Event detection/anomaly correlation heuristics |
US8479057B2 (en) * | 2002-11-04 | 2013-07-02 | Riverbed Technology, Inc. | Aggregator for connection based anomaly detection |
US7043494B1 (en) * | 2003-01-28 | 2006-05-09 | Pmc-Sierra, Inc. | Fast, deterministic exact match look-ups in large tables |
US20040184467A1 (en) * | 2003-03-21 | 2004-09-23 | Toshiba Tec Kabushiki Kaisha | Gateway apparatus and IPv6 network system |
US20040240447A1 (en) * | 2003-05-28 | 2004-12-02 | Dorbolo Riccardo G. | Method and system for identifying bidirectional packet flow |
US9584522B2 (en) * | 2004-02-26 | 2017-02-28 | Vmware, Inc. | Monitoring network traffic by using event log information |
WO2005086850A2 (en) * | 2004-03-09 | 2005-09-22 | The University Of North Carolina At Chapel Hill | Methods, systems, and computer program products for modeling and simulating application-level traffic characteristics in a network based on transport and network layer header information |
US7929534B2 (en) * | 2004-06-28 | 2011-04-19 | Riverbed Technology, Inc. | Flow logging for connection-based anomaly detection |
US7760653B2 (en) * | 2004-10-26 | 2010-07-20 | Riverbed Technology, Inc. | Stackable aggregation for connection based anomaly detection |
GB2425912A (en) * | 2005-05-04 | 2006-11-08 | Psytechnics Ltd | Packet filtering |
US7984180B2 (en) * | 2005-10-20 | 2011-07-19 | Solarflare Communications, Inc. | Hashing algorithm for network receive filtering |
US20070168377A1 (en) * | 2005-12-29 | 2007-07-19 | Arabella Software Ltd. | Method and apparatus for classifying Internet Protocol data packets |
US7957400B2 (en) * | 2009-03-26 | 2011-06-07 | Terascale Supercomputing Inc. | Hierarchical network topology |
US7957385B2 (en) * | 2009-03-26 | 2011-06-07 | Terascale Supercomputing Inc. | Method and apparatus for packet routing |
US20100250784A1 (en) * | 2009-03-26 | 2010-09-30 | Terascale Supercomputing Inc. | Addressing Scheme and Message Routing for a Networked Device |
WO2010118255A2 (en) | 2009-04-08 | 2010-10-14 | The University Of North Carolina At Chapel Hill | Methods, systems, and computer program products for network server performance anomaly detection |
DK2478677T3 (en) * | 2009-09-15 | 2013-09-30 | Napatech As | An apparatus for analyzing data packets, a data processing system and a method |
US9336551B1 (en) * | 2011-09-29 | 2016-05-10 | Amazon Technologies, Inc. | Bidding on electronic resources |
US10009263B1 (en) | 2015-10-09 | 2018-06-26 | Gigamon Inc. | Network switch device for routing network traffic through an inline tool |
US9912575B2 (en) * | 2015-11-18 | 2018-03-06 | Gigamon Inc. | Routing network traffic packets through a shared inline tool |
US20180089288A1 (en) | 2016-09-26 | 2018-03-29 | Splunk Inc. | Metrics-aware user interface |
US11558269B2 (en) * | 2018-07-27 | 2023-01-17 | Nokia Solutions And Networks Oy | Method, device, and system for network traffic analysis |
US11934332B2 (en) * | 2022-02-01 | 2024-03-19 | Mellanox Technologies, Ltd. | Data shuffle offload |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5216670A (en) * | 1991-07-03 | 1993-06-01 | International Business Machines Corporation | Message stripping protocol for a communication network |
US5390173A (en) * | 1992-10-22 | 1995-02-14 | Digital Equipment Corporation | Packet format in hub for packet data communications system |
US5526352A (en) * | 1993-04-22 | 1996-06-11 | Washington University | Integrated low complexity broadband multi-channel switch |
US5920900A (en) * | 1996-12-30 | 1999-07-06 | Cabletron Systems, Inc. | Hash-based translation method and apparatus with multiple level collision resolution |
1999
- 1999-08-25 US US09/382,568 patent/US6597661B1/en not_active Expired - Fee Related
2003
- 2003-09-29 US US10/455,737 patent/US20040032829A1/en not_active Abandoned
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6975628B2 (en) * | 2000-12-22 | 2005-12-13 | Intel Corporation | Method for representing and controlling packet data flow through packet forwarding hardware |
US7215679B2 (en) * | 2001-08-30 | 2007-05-08 | Thomson Licensing | Method, apparatus and data structure enabling multiple channel data stream transmission |
US20030043798A1 (en) * | 2001-08-30 | 2003-03-06 | Pugel Michael Anthony | Method, apparatus and data structure enabling multiple channel data stream transmission |
US8730984B2 (en) * | 2002-01-15 | 2014-05-20 | Intel Corporation | Queuing based on packet classification |
US20110208871A1 (en) * | 2002-01-15 | 2011-08-25 | Intel Corporation | Queuing based on packet classification |
US7177930B1 (en) * | 2002-10-11 | 2007-02-13 | Network General Technology | Method and system for network traffic analysis with configuration enhancements |
US7653938B1 (en) * | 2005-02-03 | 2010-01-26 | Cisco Technology, Inc. | Efficient cookie generator |
US8976658B1 (en) | 2005-04-18 | 2015-03-10 | Marvell International Ltd. | Packet sampling using rate-limiting mechanisms |
US8593969B1 (en) * | 2005-04-18 | 2013-11-26 | Marvell International Ltd. | Method and apparatus for rate-limiting traffic flow of packets in a network device |
WO2007147310A1 (en) * | 2006-06-15 | 2007-12-27 | Huawei Technologies Co., Ltd. | A method and an apparatus for realizing partaking of network traffic load |
US8584228B1 (en) * | 2009-12-29 | 2013-11-12 | Amazon Technologies, Inc. | Packet authentication and encryption in virtual networks |
US9197610B1 (en) | 2009-12-29 | 2015-11-24 | Amazon Technologies, Inc. | Packet authentication and encryption in virtual networks |
US9876773B1 (en) | 2009-12-29 | 2018-01-23 | Amazon Technologies, Inc. | Packet authentication and encryption in virtual networks |
US9047417B2 (en) | 2012-10-29 | 2015-06-02 | Intel Corporation | NUMA aware network interface |
US10684973B2 (en) | 2013-08-30 | 2020-06-16 | Intel Corporation | NUMA node peripheral switch |
US11593292B2 (en) | 2013-08-30 | 2023-02-28 | Intel Corporation | Many-to-many PCIe switch |
WO2015170150A1 (en) * | 2014-05-07 | 2015-11-12 | Yandex Europe Ag | Method and device for forwarding a packet |
CN107113282A (en) * | 2014-12-30 | 2017-08-29 | 华为技术有限公司 | A kind of method and device for extracting data message |
US11960429B2 (en) | 2022-12-15 | 2024-04-16 | Intel Corporation | Many-to-many PCIE switch |
Also Published As
Publication number | Publication date |
---|---|
US6597661B1 (en) | 2003-07-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6597661B1 (en) | Network packet classification | |
Belenky et al. | Tracing multiple attackers with deterministic packet marking (DPM) | |
US6826694B1 (en) | High resolution access control | |
US9729655B2 (en) | Managing transfer of data in a data network | |
AU2001241717B2 (en) | System, device and method for rapid packet filtering and processing | |
EP1365556B1 (en) | Method and apparatus for efficiently matching responses to requests previously passed by a network node | |
US6654701B2 (en) | Method and apparatus for measuring protocol performance in a data communication network | |
McDonald et al. | PF_KEY key management API, version 2 | |
US7930413B2 (en) | System and method for controlling access to a network resource | |
KR100997182B1 (en) | Flow information restricting apparatus and method | |
US20050076227A1 (en) | In-line mode network intrusion detect and prevent system and method thereof | |
US8855143B1 (en) | Bandwidth saving system and method for communicating self describing messages over a network | |
Peuhkuri | A method to compress and anonymize packet traces | |
EP2528265A1 (en) | Technique for maintaining secure network connections | |
AU2001241717A1 (en) | System, device and method for rapid packet filtering and processing | |
JP2009510815A (en) | Method and system for reassembling packets before search | |
US7200105B1 (en) | Systems and methods for point of ingress traceback of a network attack | |
US7409542B2 (en) | Security association management through the use of lookup tables | |
US7017185B1 (en) | Method and system for maintaining network activity data for intrusion detection | |
US20040114634A1 (en) | Avoiding compression of encrypted payload | |
Hilgenstieler et al. | Extensions to the source path isolation engine for precise and efficient log-based IP traceback | |
US7389529B1 (en) | Method and apparatus for generating and using nested encapsulation data | |
US8307415B2 (en) | Safe hashing for network traffic | |
CN113132419B (en) | Message forwarding method and device, switch, router and server | |
US7917649B2 (en) | Technique for monitoring source addresses through statistical clustering of packets |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
AS | Assignment |
Owner name: SILICON VALLEY BANK, CALIFORNIA Free format text: SECURITY AGREEMENT;ASSIGNORS:WATCHGUARD TECHNOLOGIES, INC.;GLADIATOR CORPORATION;REEL/FRAME:023098/0771 Effective date: 20090730 Owner name: SILICON VALLEY BANK,CALIFORNIA Free format text: SECURITY AGREEMENT;ASSIGNORS:WATCHGUARD TECHNOLOGIES, INC.;GLADIATOR CORPORATION;REEL/FRAME:023098/0771 Effective date: 20090730 |
AS | Assignment |
Owner name: GLADIATOR CORPORATION, WASHINGTON Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SILICON VALLEY BANK;REEL/FRAME:028477/0268 Effective date: 20120628 Owner name: WATCHGUARD TECHNOLOGIES, INC., WASHINGTON Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SILICON VALLEY BANK;REEL/FRAME:028477/0268 Effective date: 20120628 |