WO2001078309A2 - A method and apparatus for wire-speed application layer classification of data packets - Google Patents
A method and apparatus for wire-speed application layer classification of data packets Download PDFInfo
- Publication number
- WO2001078309A2 WO2001078309A2 PCT/IB2001/000697 IB0100697W WO0178309A2 WO 2001078309 A2 WO2001078309 A2 WO 2001078309A2 IB 0100697 W IB0100697 W IB 0100697W WO 0178309 A2 WO0178309 A2 WO 0178309A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- memory
- bit
- data packet
- tuple
- computer
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
- H04L45/745—Address table lookup; Address filtering
- H04L45/7453—Address table lookup; Address filtering using hashing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/19—Flow control; Congestion control at layers above the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
Definitions
- the present invention relates generally to the classification of packets in a full duplex communication system, and more specifically to high speed digital communication networks transporting packets which may be monitored at the application level of the communication model where wire speed handling of the packet is required.
- the present invention is embodied in a network system, a data classifier, a method for hashing and computer program products for enabling a computer to perform data packet classification.
- a message in a digital form is divided into multiple packets for faster and more convenient transmission and for reducing errors.
- Examples of such communication networks are the Internet, Wide and Local Area Networks.
- the digital packets are then transmitted over the network between the source computer and a destination computer. It should be noted that the source and destination could be personal computers or servers and the like.
- a modern day computer network system comprises a substantial number of individual computers and servers.
- a simple computer network is shown in FIG.l.
- a computer can act as both a source and a destination.
- Computer sending a data packet is a source and a computer receiving a packet is a destination.
- the same computer that acted as a source in a packet transfer could act as a destination for another packet.
- a computer acting as a router acts as both the source and a destination for a packet. This is because it receives a packet from a different source and then simply routes it to a different computer.
- each of the computers in the network forms at least part of a "node" of the network, and data is transferred among the various nodes by transmitting data packets among the computers.
- a first computer located at a first node may run a first application program that generates first data to be subsequently processed by a second computer at a second node.
- the first computer divides the first data into a plurality of data segments and forms a data packet corresponding to each of the data segments. Then, the data packets are transmitted downstream from the first computer to the second computer.
- the second computer may transmit data packets upstream to the first computer in response to the data packets received from the first computer.
- Each of the data packets transmitted from the first computer to the second computer typically contains a data packet header.
- the headers are often referred to as tuples.
- the header often includes data that identifies the type of data contained in the data packet, the source computer from which the data packet was transmitted, the intended destination computer of the data packet, etc.
- An example of a data packet header is illustrated in Fig. 4.
- the header HDR comprises a source internet protocol ("IP") address field 100, a destination IP address field 110, a protocol field 120, a source port field 130, and a destination port field 140.
- the source IP address field 100 contains a 32-bit source IP address that identifies the source computer transmitting the data packet.
- the destination IP address field 110 contains a 32-bit destination address that identifies the intended destination computer of the data packet.
- the protocol field 120 contains eight bits of protocol data that identify the data format and/or the transmission format of the data contained in the data packet.
- the source port field 130 includes sixteen bits of data that identify the computer port that physically outputs the data packet, and the destination port field 140 contains sixteen bits of data that represent the computer port that is supposed to input the data packet.
- the tuple uniquely defines the path between the source and destination and therefore defines the origin and target for the packet being sent.
- Such network components may be included in the destination computer and/or may be contained in an intermediate computer that processes the data as it is being transmitted from the source computer to the destination computer. If the data packets can be quickly and efficiently processed and routed between the various nodes of the network, the operation of the entire network is enhanced. For example, by quickly and efficiently transmitting data packets to the destination computer, the quality of real-time applications such as internet video conferencing and internet voice conferencing is improved. Also, the network components can quickly process the data packets to determine if they are authorized to be transmitted to the destination computer, and if they are not, the network components discard the data packets. As a result, the security of the network is greatly enhanced.
- a network component Before processing a data packet, a network component must "classify" the data packet according to various characteristics of the data packet and/or the data contained in the packet. Then, the network component processes the data packet based on its classification.
- the packets of data that flow among the computers that form part of the network can be considered to carry portions of digital information between the different nodes of the network.
- an application may be running at a computer in one node of the network.
- the results of such an application may be sent to a computer in a different node of the computer.
- the information is divided into one or more packets before the data is transferred over the respective network.
- packets are run upstream and then down stream in order to verify a full response loop.
- it is required to analyze the packets flowing back and forth for better network management and system administration, and other application related activities such as billing, prioritizing, and the like.
- a large tuple for example a 104-bit wide tuple, will enable the precise description of the source and destination nodes, the input and output ports as well as the protocol used.
- a large tuple in turn creates a large address space.
- a 104-bit wide tuple would require an address space of 2 104 addresses.
- a large address space would require addressing a memory using a large tuple.
- Such a large address would result in huge memory requirements and very inefficient usage of the memory. Therefore, an important challenge is to effectively prevent the need to use such a large tuple for addressing the memory.
- a commonly used technique employs hash tables or other hashing techniques.
- address or location of an identifier is obtained by computing some arithmetic function of the identifier.
- This arithmetic function is called a hashing function.
- a hashing function essentially transforms an identifier into an address in the hash table. For example, if X is an identifier, f(X) gives the address of the identifier in the hash table.
- the memory available to maintain the hash table is normally assumed to be sequential.
- hash table is normally partitioned into hash buckets. The buckets in turn have one or more slots each capable of holding exactly one record. Therefore, if there are b buckets in the hash table, the transformation f(X) transforms X into an integer 0 through b-1.
- a CAM is an associative memory device that is capable of searching a list of stored information entries based on the content of the entries.
- conventional memories search based on the location of the entries in the memory.
- An information string is provided as an input to the CAM.
- the output from the CAM is the address of all of the memory locations in the CAM that contain the particular information string.
- an address of a memory location is provided as input .
- the information string contained at that address forms the output.
- a unique property of CAM memories is their ability to search (i.e., compare to the information string) all of the entries in the CAM table simultaneously.
- the simultaneous search capability is achieved, in part, by including a separate comparator means at each memory location in the CAM device.
- a CAM is complicated in terms of hardware required to implement. For large address spaces a CAM is simply infeasible to implement.
- U.S. Patent No. 5,414,704 704) discloses a way of doing source address and destination address lookups for use in a packet data communication system. A way of searching a relatively large database is described, using a combination of programmable hash algorithms. In the hashing technique used in '704 N-bits are hashed into N-bits. Clearly, such a solution is not practical when the address space is large as would be in the case of a communication network. Though '704 discloses the use of a content addressable memory (CAM) in parallel to the hash function, the present invention uses a much improved method.
- CAM content addressable memory
- U.S. Patent No. 5,708,659 0659 discloses performing hashing on certain packet headers.
- a predetermined number of bits from the packet address information is selected to use a hash key.
- This hash key is then used to compute a table address.
- the contents of the table at that address are compared with the packet address information. If it matches, the packet is transmitted over the pott associated with that particular destination address. If it does not match, the table address is incremented by one, and the contents of the new table location identified by the incremented address are compared with the packet address information.
- v 659 but does not teach the method and technique on how to associate a packet with an existing flow in the system.
- An existing flow in the system refers to one or more packets flowing through the system that was already identified and newly arrived packet needs to be directed to the same packet processor for efficient processing.
- a translation is performed by using a programmable hashing technique on an input number to generate a hashed number.
- ⁇ 900 a subset of the hashed number bits are used to index a first hash table. If a collision does not occur in the first hash table, an entry contains an index into an output table which contains the desired translated output number. If a collision occurs, an entry in the first hash table contains a pointer to a first resolution table area in a second hash table.
- the first resolution table area contains entries which are indexed by additional bits selected from the hashed number in accordance with a mask field in the first hash table location. If collisions occur in the resolution table, a new resolution table is created and the process is repeated. The resolution process thus proceeds in stages until all input numbers have been translated.
- ⁇ 900 deals with the problem of packet collision but does not address the issue of association between packets forming a full process flow.
- all of the above- mentioned conventional techniques posses very limited capabilities of scalability of the solution. Therefore, they are unsuitable for handling the increasing demand for high-speed packet processing at wire speed. Additionally, it is desirable to associate packet flow with the 7 th layer (Application layer) of the Open Systems Interconnection (OSI) 7-layer model.
- OSI Open Systems Interconnection
- the OSI 7-layer model is a commonly used framework for defining standard for linking heterogeneous computers that form part of a network.
- OSI uses a concept of layering whereby communication functions are partitioned into a vertical set of layers. Each layer performs a related subset of functions required for communication between two nodes in a computer network system.
- the seven layers in the model are Physical layer, Data link layer, Network layer, Transport layer, Session layer, Presentation layer and Applications layer.
- the Physical layer is concerned with the transmission of unstructured bit streams over a physical link. It deals with the mechanical, electrical, and procedural characteristics to establish and maintain the physical link.
- the Data link layer provides for the reliable transfer of data across the physical link. It sends blocks of data with a necessary synchronization, error control and flow control.
- the Network layer provides all upper layers with independence from the data transmission and switching technologies used to connect systems. It is responsible for establishing maintaining and terminating connections.
- the Transport layer avoids reliable and transparent transfer of data between end points. It provides end-to-end error recovery and flow control.
- the Session layer provides the control structure for communication between applications. It establishes manages and terminates sessions between cooperating applications.
- the Presentation layer performs useful transformations on data to provide a standardized application interface and provides common communication services. Such services include encryption, text compression and any formatting.
- the Application layer provides user-level services to the users of the environment. Examples of such services are transaction service, file transfer, and network management. Therefore, associating packet flow with the 7 th layer (Application layer) of the Open Systems Interconnection (OSI) 7-layer model provides for better network management.
- OSI Open Systems Interconnection
- an object of the present invention is to provide an apparatus which is capable of accepting a packet tuple and uniquely identify it with an existing flow of packets in the system, or alternatively identify it as a new flow.
- the processing of packet tuples should be performed at wire speeds.
- this invention allows the monitoring and ' management of the system up to the application layer, or the seventh layer of the 7-layer Open Systems Interconnection (OSI) communication model. Furthermore, it allows for the efficient data processing of such packets as all the processing is performed by the same packet processing unit.
- OSI Open Systems Interconnection
- Another object of this invention is to generate a reduced bit number from a large number based on hashing techniques incorporating certain improvements allowing the generation of "white hashing" numbers. Because of such an improved hashing, though tuples may be highly localized they will still be spread throughout the much more limited range of the hashed numbers. This means that though tuples may poses a locality in the numbers, i.e., are in close proximity to each other, they will still be spread evenly throughout the limited range of the reduced number range.
- a data packet classifier to classify a plurality of N-bit input tuples, said classifier comprising a hash address generator to generate a plurality of M-bit hash addresses from said plurality of N-bit input tuples, wherein M is significantly smaller than N; a memory having a plurality of memory entries, said memory being addressable by said plurality of M-bit hash addresses, each such address corresponding to a plurality of memory entries, each of said plurality of memory entries capable of storing one of said plurality of N-bit tuples and an associated process flow information; a comparison unit to determine if an incoming N-bit tuple can be matched with a stored N-bit tuple, wherein said associated process flow information is output if a match is found and wherein a new entry is created in the memory for the incoming N-bit tuple if a match is not found.
- the data packet classifier further comprises a content addressable memory (
- the process flow information in the memory comprises a flow identification number.
- the process flow information in the memory can be updated.
- an entry in the memory can be deleted.
- Preferably searching for an entry in the memory can be ceased when a kill-process command is received.
- the process flow information in the CAM comprises a flow identification number.
- the process flow information in the CAM can be updated.
- an entry in the CAM can be deleted.
- the data packet classifier is further capable of generating a trap if both the memory and the CAM are full.
- both the memory and CAM are searched in parallel.
- the hash address generator performs hashing on a first 96 bits of an associated N-bit tuple.
- a comparison of tuple stored in the memory and an incoming tuple is performed using three 32-bit comparators.
- Another aspect of the present invention is a network system comprising a plurality of nodes, each of said nodes having a unique N-bit tuple, each of said plurality of nodes comprising a data packet classifier, said address classifier comprising : a hash address generator to generate a plurality of M-bit hash addresses from said plurality of N-bit input tuples, wherein M is significantly smaller than N; a memory having a plurality of memory entries, said memory being addressable by said plurality of M-bit hash addresses, each of said plurality of memory entries capable of storing one of said plurality of N-bit tuples and an associated process flow information; a comparison unit to determine if an incoming N-bit address can be matched with a stored N-bit tuple, wherein said associated process flow information is output if a match is found and wherein a new entry is created in the memory for the incoming N-bit tuple if a match is not found.
- Yet another aspect of the present invention is a method of generating an M-bit hash address from an N-bit input tuple comprising: splitting said N-bit input tuple into a first range of X bits and a second range of Y bits wherein X is equal to or smaller than M; applying a hash function to said X bits to generate a white hash address with Z bits wherein Z is equal to or smaller than M; creating said M-bit hash address by combining said Z-bit white hash address and said second range of Y bits using a Boolean operator.
- X is significantly larger than Y.
- X is significantly larger than Z.
- the Boolean operator is an OR.
- the Boolean operator is an XOR.
- the Boolean operation is an AND.
- N is 104.
- X is 96 and Y is 8.
- Z is 20 and M is 20.
- Still another aspect of the present invention is a computer program product, including a computer-readable medium comprising instructions, said instructions enabling a computer to perform a hashing function on an N-bit input tuple according to the following steps: splitting said N-bit input tuple into a first range of X bits and a second range of Y bits; applying a hash function to said X bits to generate a white hash address with Z bits; creating said M-bit hash address by combining said Z-bit white hash address and said second range of Y bits using a Boolean operator.
- Yet another aspect of the present invention is a computer program product, including a computer-readable medium comprising instructions, said instructions comprising: a hash address generator code to enable a computer to generate a plurality of M-bit hash addresses from said plurality of N-bit input tuples, wherein M is significantly smaller than N ; a memory code to enable a computer to store data in a memory having a plurality of memory entries, said memory code further enabling the computer to address said plurality of M-bit hash addresses, each of said plurality of memory entries capable of storing one of said plurality of N-bit addresses and an associated process flow information; a comparison code to determine if an incoming N-bit tuple can be matched with a stored N-bit tuple, wherein said associated process flow information is output if a match is found and wherein a new entry is created in the memory for the incoming N-bit tuple if a match is not found.
- a hash address generator code to enable a computer to generate a
- FIG.l shows a preferred embodiment of a network system according to the present invention.
- FIG. 2 is a block diagram of a preferred embodiment of a data packet classifier according to the present invention.
- FIG. 3 is a block diagram illustrating the hashing function of the Hash
- FIG.4 shows an example of a tuple or a header.
- a policy-based network Such a network system is capable of associating the packets flowing in the system with the Application layer of the 7-layer OSI communication model. It is to be noted that, this ability to associate packet flow with the application it is related to allows for better system and network management. Further, many other enhanced functionality allows for better implementation of a policy-based network.
- An example of the use of this invention would be in systems that have to provide special priority to packets containing voice over IP or video over IP.
- such a system also provides the ability to route the packets in a defined manner and provide billing specific information. Another example would be differentiated billing system based on the type of application data being transmitted over the network.
- An example of a policy-based network system is shown in FIG.l.
- the network system of FIG. l comprises hosts 1.1-1.4.
- a host can be any type of computer including, but not limited to a server 1.2 and 1.3, a workstation 1.4 or a desktop Personal Computer 1.1.
- the individual hosts are connected using network connections 1.5-1.11. It should be noted that though only four hosts are shown, the network comprises many more hosts. Each host in the network has a unique tuple. Information can ideally flow from any host in the network to any other host in the network.
- Each host in the network includes a data packet classifier.
- the data packet classifier further comprises a hash address generator, a memory and a comparison unit.
- a preferred embodiment of a data packet classifier is described subsequently with reference to FIG.2.
- the data packet classifier in such a network system is required to process a substantial number of flows. Additionally, each such flow is associated with a plurality of packets all of which move around the various components of the network.
- the host that sends digital information is called the source and the host that receives the information is called the destination.
- Each message or information flow is divided into one or more packets.
- Each packet is processed separately and sent from the source to the destination.
- Such a packet contains a header.
- the packet header is uniquely identified by a tuple which is 104 bits. Since a bit can have a value of a 0 or 1. Therefore, using 104 bits, 2 104 tuples possible. However, if each tuple is uniquely identified with its entire number, the number of possible tuples to be handled and classified becomes substantially large for any practical implementation of the system. A real time processing of such a large number of tuples is likely to be impossible.
- FIG.2 shows a preferred embodiment of a data packet classifier.
- 104 bit tuples are received by a hash address generator 2.4.
- the hash address generator is capable of transforming the 104 bits of the tuple into a 20 bit long number. Therefore, using the results of the hashing, 2 20 or more than a million unique digital information flows can be represented.
- the operation of the Hash Generator is further discussed below. It should be noted that though the preferred embodiment is described using a tuple with 104 bits, tuples of any length can be used without deviating from the spirit of the invention. Likewise, the hash address can be of any length less than the length of the tuple to be within the scope of the present invention.
- the 20 bit hash address generated by the Hash Generator is used to access the memory 2.5.
- Each hash address corresponds to a hash bucket.
- the memory 2.5 is designed in such a way that each hash bucket is capable of storing eight separate entries. As noted in the background section, it is possible that two different tuples on applying the hashing function result in the same hash address. This memory is designed so that it has actually eight separate entries for each hush address accessing the memory unit. This specific number of entries for each hash address is chosen based on extensive system simulations balanced with the need to ensure wire speed performance. However, as technology develops, additional entries may be added as necessary. Providing eight different entries for a hash address would ensure eight different entries could be stored in the same hash bucket. That is up to eight different tuples resulting in the same hash address can still be stored in the hash table. This substantially reduces the chance of a tuple being bounced off from the hash table because a particular hash bucket is full.
- the hash address generator performs hashing on a tuple associated with an incoming data packet. The result of such a hashing is used to identify a hash bucket that is associated with the incoming tuple.
- the comparison unit 2.3 which is attached to the CAM, compares data associated with the incoming data packet and the data in each of the eight entries. The comparison unit determines that a successful match has resulted if a match is found between the incoming tuple and an entry in the memory. Upon finding a successful match, the stored process flow information corresponding to the matched entry is output. This process flow information includes a unique ID. If no match is found with an existing entry, a new entry is created corresponding to the incoming packet.
- a CAM is provided as an additional storage facility to deal with incoming packets having tuples that produce a hash address of a hash bucket that is already full.
- the CAM 2.1 unit is accessed with the full tuple corresponding to the incoming packet.
- the CAM is used for storing process flow information related to such packets having tuples that produce hash addresses that represent hash buckets that are already full.
- the CAM is accessed with the full tuple. Simulations have shown that a CAM containing 8K entries is sufficient to reduce the risk of inability to handle a tuple in the classifier unit to a practically negligible number. As systems and technology develops, it is easy to add entries to the CAM to handle additional requirements.
- the data packet classifier is also capable of updating the process flow information associated with a data packet. Entries stored in both the memory as well as the CAM can be updated. The data packet classifier is also capable of deleing an entry in the memory.
- a trap is generated. Such a trap indicates that the corresponding incoming packet can not be handled by the data packet classifier. Additionally a "kill process" command can be issued to the data packet classifier. On receiving a "kill process” command, the data packet classifier ceases searching the memory as well as the CAM.
- a new entry is created. Such a new entry is created in the memory if a corresponding hash bucket has not been filled up. If space exists in the memory to store the entry, it is registered in the memory. As part of the entry, full tuple information, the flow identification and other control information is stored. This stored information will be later attached to each incoming packet incoming with a tuple that matches the corresponding entry. After this information is attached, the incoming packet is sent to the packet processor. The ability to update an entry is provided because incoming packets may have undergone further processing. Such a processing may create a need for making further changes in the stored entry. An update command is used to perform such an updating. When an update command is initiated, the control information associated with the tuple is modified.
- An important advantage of the architecture of this system is its ability to easily scale as system demands grow and require handling of millions of more process flow in short periods of time and at wire speed.
- Another aspect of the invention is an improved method to perform hashing that is used by the Hash Address Generator.
- a preferred embodiment of this hash function is described using Fig.3.
- the hashing function is applied to all the bits corresponding to a tuple.
- the tuple is divided into two portions, 96 bits of the tuple and the remaining 8 bit indicating the protocol type. Hashing is performed on the 96 bits.
- the fixed number of bits (104, 96, 8, etc) used to describe the preferred embodiment are merely illustrative. The division of bits can be done in any convenient manner without deviating from the spirit of the invention.
- Hash Generator While any hash function could be used it is necessary to ensure that the specific hash function used generates a "white hash address". This would mean that when taking a group of tuples, which in many times can be different in only a minimal way from other tuples, the Hash Generator will still generate hash numbers that are equally spread through the range of address spanned by the 20 bit address space available. While less than the 96 bits could be used for the hash function (in fact, as little as 84 bits would suffice), it is advisable to use the maximum number of bits possible in order to increase the spread and effectiveness of the hash function.
- the reason for selecting 96 bits specifically is that this allows the use of three 32-bit comparators to compare the incoming tuple and the memory content and get a unique comparison result and further permit the use of six standard 16-bit memory banks to hold the memory content.
- the hash operation performed on the 96 bits result in a preliminary 20 bit hash address. This is then followed by a logical "OR” or an "XOR” operation performed between the 20-bit result of the preliminary hash operation and the remaining 8 bits from the tuple that did not form part of the hashing operation. Instead of performing a logical "OR” or an "XOR” a Boolean "AND” operation can also be performed. Such a two-step hashing operation results in producing a final hash address that spans the entire 20-bit hash address range.
- Another important aspect of the present invention is a computer program product to enable a computer to perform the hashing operation according to the present invention.
- the preferred embodiment of such a program product includes a computer-readable medium.
- the computer-readable medium comprises instructions to enable a computer to perform a hashing function on an
- the instructions enable the computer to split the N-bit input tuple into a first range of X bits and a second range of Y bits.
- the instructions further enable the computer to apply a hash function to the X bits to generate a white hash address with Z bits.
- Further instructions enable the computer to create a M-bit hash address by combining the Z-bit white hash address and the second range of Y bits using a Boolean operator.
- the Boolean operator could be a logical "Or” or an "XOR".
- the instructions comprise a hash address generator code to enable a computer to generate a plurality of M- bit hash addresses from a plurality of N-bit input tuples, wherein M is significantly smaller than N.
- the instructions further comprise a memory code to enable a computer to store data in a memory having a plurality of memory entries.
- the memory code further enables the computer to address the plurality of M-bit hash addresses. Each of the plurality of memory entries capable of storing one of the plurality of N-bit tuples and an associated process flow information.
- the instructions further comprise a comparison code to determine if an incoming N-bit tuple can be matched with a stored N-bit tuple.
- the associated process flow information is output if a match is found and new entry is created in the memory for the incoming N-bit tuple if a match is not found.
- the computer readable medium includes any fixed media including, but not limited to, floppy disk, hard disk, CD, chips, tapes, cartridges with ICs, etc.
- the computer readable media also includes instructions transmitted through a network or downloaded from the Internet.
Abstract
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0223453A GB2377528B (en) | 2000-04-11 | 2001-04-04 | A method for wire-speed generation of an m-bit hash address from an n-bit tuple of a packet |
AU48708/01A AU4870801A (en) | 2000-04-11 | 2001-04-04 | A method and apparatus for wire-speed application layer classification of data packets |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US54703400A | 2000-04-11 | 2000-04-11 | |
US09/547,034 | 2000-04-11 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2001078309A2 true WO2001078309A2 (en) | 2001-10-18 |
WO2001078309A3 WO2001078309A3 (en) | 2002-05-16 |
Family
ID=24183070
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2001/000697 WO2001078309A2 (en) | 2000-04-11 | 2001-04-04 | A method and apparatus for wire-speed application layer classification of data packets |
Country Status (3)
Country | Link |
---|---|
AU (1) | AU4870801A (en) |
GB (1) | GB2377528B (en) |
WO (1) | WO2001078309A2 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003036902A2 (en) * | 2001-10-22 | 2003-05-01 | Sun Microsystems, Inc. | Method and apparatus for a packet classifier using a two-step hash matching process |
US7093092B2 (en) | 2002-12-10 | 2006-08-15 | Isic Corporation | Methods and apparatus for data storage and retrieval |
CN1633111B (en) * | 2005-01-14 | 2010-04-28 | 中国科学院计算技术研究所 | High-speed network traffic flow classification method |
CN104932851A (en) * | 2014-03-20 | 2015-09-23 | 卡西欧计算机株式会社 | Display device and display method |
WO2015174779A1 (en) * | 2014-05-15 | 2015-11-19 | Samsung Electronics Co., Ltd. | Method of distributing data and device supporting the same |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0694845A1 (en) * | 1994-07-28 | 1996-01-31 | Sun Microsystems, Inc. | Low-latency memory indexing method and structure |
WO1999013620A2 (en) * | 1997-09-09 | 1999-03-18 | Sics | A lookup device and a method for classification and forwarding of packets in packet-switched networks |
US5920900A (en) * | 1996-12-30 | 1999-07-06 | Cabletron Systems, Inc. | Hash-based translation method and apparatus with multiple level collision resolution |
-
2001
- 2001-04-04 GB GB0223453A patent/GB2377528B/en not_active Expired - Lifetime
- 2001-04-04 WO PCT/IB2001/000697 patent/WO2001078309A2/en active Application Filing
- 2001-04-04 AU AU48708/01A patent/AU4870801A/en not_active Abandoned
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0694845A1 (en) * | 1994-07-28 | 1996-01-31 | Sun Microsystems, Inc. | Low-latency memory indexing method and structure |
US5920900A (en) * | 1996-12-30 | 1999-07-06 | Cabletron Systems, Inc. | Hash-based translation method and apparatus with multiple level collision resolution |
WO1999013620A2 (en) * | 1997-09-09 | 1999-03-18 | Sics | A lookup device and a method for classification and forwarding of packets in packet-switched networks |
Non-Patent Citations (2)
Title |
---|
CHANDRANMENON G P ET AL: "TRADING PACKET HEADERS FOR PACKET PROCESSING" IEEE / ACM TRANSACTIONS ON NETWORKING, IEEE INC. NEW YORK, US, vol. 4, no. 2, 1 April 1996 (1996-04-01), pages 141-152, XP000582666 ISSN: 1063-6692 * |
RAMAKRISHNA M V ET AL: "Perfect hashing functions for hardware applications" PROCEEDINGS OF THE INTERNATIONAL CONFERENCE ON DATA ENGINEERING. KOBE, JP, APRIL 8 - 12, 1991, LOS ALAMITOS, IEEE COMP. SOC. PRESS, US, vol. CONF. 7, 8 April 1991 (1991-04-08), pages 464-470, XP010022765 ISBN: 0-8186-2138-9 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003036902A2 (en) * | 2001-10-22 | 2003-05-01 | Sun Microsystems, Inc. | Method and apparatus for a packet classifier using a two-step hash matching process |
WO2003036902A3 (en) * | 2001-10-22 | 2003-08-21 | Sun Microsystems Inc | Method and apparatus for a packet classifier using a two-step hash matching process |
US7248585B2 (en) | 2001-10-22 | 2007-07-24 | Sun Microsystems, Inc. | Method and apparatus for a packet classifier |
US7093092B2 (en) | 2002-12-10 | 2006-08-15 | Isic Corporation | Methods and apparatus for data storage and retrieval |
CN1633111B (en) * | 2005-01-14 | 2010-04-28 | 中国科学院计算技术研究所 | High-speed network traffic flow classification method |
CN104932851A (en) * | 2014-03-20 | 2015-09-23 | 卡西欧计算机株式会社 | Display device and display method |
CN104932851B (en) * | 2014-03-20 | 2018-09-07 | 卡西欧计算机株式会社 | Display device and display methods |
WO2015174779A1 (en) * | 2014-05-15 | 2015-11-19 | Samsung Electronics Co., Ltd. | Method of distributing data and device supporting the same |
US10721160B2 (en) | 2014-05-15 | 2020-07-21 | Samsung Electronics Co., Ltd. | Method of distributing data and device supporting the same |
Also Published As
Publication number | Publication date |
---|---|
GB0223453D0 (en) | 2002-11-13 |
WO2001078309A3 (en) | 2002-05-16 |
GB2377528A (en) | 2003-01-15 |
AU4870801A (en) | 2001-10-23 |
GB2377528B (en) | 2004-10-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7436830B2 (en) | Method and apparatus for wire-speed application layer classification of upstream and downstream data packets | |
Van Lunteren et al. | Fast and scalable packet classification | |
US6549519B1 (en) | Network switching device with pipelined search engines | |
US6691168B1 (en) | Method and apparatus for high-speed network rule processing | |
US9032089B2 (en) | Methods and apparatus for path selection within a network based on flow duration | |
US6453358B1 (en) | Network switching device with concurrent key lookups | |
JP5518135B2 (en) | Extensible multicast forwarding method and apparatus for data center | |
US20040177139A1 (en) | Method and apparatus for computing priorities between conflicting rules for network services | |
Cai et al. | A distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering | |
US7545809B2 (en) | Packet classification | |
US20050144553A1 (en) | Longest prefix match (LPM) algorithm implementation for a network processor | |
Wang et al. | CoPTUA: Consistent policy table update algorithm for TCAM without locking | |
JP2001053789A (en) | System for preparing multilayer wide band in computer network | |
CN101009656A (en) | Routing system and method for managing rule entry thereof | |
CN112367278B (en) | Cloud gateway system based on programmable data switch and message processing method thereof | |
US6725218B1 (en) | Computerized database system and method | |
Yoon et al. | Minimizing the maximum firewall rule set in a network with multiple firewalls | |
CN106487769B (en) | Method and device for realizing Access Control List (ACL) | |
EP1419625A1 (en) | Virtual egress packet classification at ingress | |
US9184997B2 (en) | Selective network merging | |
Yu et al. | Hardware accelerator to speed up packet processing in NDN router | |
WO2001078309A2 (en) | A method and apparatus for wire-speed application layer classification of data packets | |
US11463479B2 (en) | Intercepting network traffic | |
GB2399199A (en) | Data packet classification system | |
CN115834478A (en) | Method for realizing PBR high-speed forwarding by using TCAM |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
ENP | Entry into the national phase |
Ref country code: GB Ref document number: 0223453 Kind code of ref document: A Free format text: PCT FILING DATE = 20010404 Format of ref document f/p: F |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
AK | Designated states |
Kind code of ref document: A3 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A3 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
122 | Ep: pct application non-entry in european phase | ||
NENP | Non-entry into the national phase |
Ref country code: JP |