JP5807676B2 - Packet classifier, packet classification method, and packet classification program - Google Patents

Description

  The present invention relates to packet classification.

  Packet classification is an important technique for classifying packets into packet sequences having a series of attributes called flows in routers and switches on the network. Packet classification plays an important role in the realization of network applications with added value, such as providing QoS (Quality of Service) for individual flows and security such as a firewall.

  In packet classification, a “rule (sometimes called a filter)” is defined using one or more fields included in the header of the packet. The rules are defined in, for example, a TCP (Transmission Control Protocol) / UDP (User Datagram Protocol) header in addition to a source IP address, a destination IP address, and a protocol number defined in an IP (Internet Protocol) header of the packet. Defined by a plurality of header fields such as a transmission port number and a destination port number. Packet classification in which a rule is defined using a plurality of header fields in this way is particularly called multi-field packet classification.

  Usually, a plurality of such rules are defined. When the packet arrives, the field value used for defining the rule is extracted from the packet header. The set of extracted field values is compared with a plurality of rules, and a rule is matched to determine a rule, so that the packet is classified into a flow. Here, a set of field values extracted from the header of the arrived packet is called a “search key”. In general, a priority (Priority) and an action (Action) are defined for each rule. If the search key matches two or more rules among the plurality of rules, a rule with a higher priority is selected. The action defines how to handle an incoming packet when it matches the rule (for example, discard it and send it to the first port).

  In addition, for each field in the rule, Exact Match defined as a specific value, a plurality of upper bits are specified, but a few lower bits are defined as undefined using a wildcard (*). Prefix Match, Range Match defined as a range of two specific values, and Wildcard Match defined by specifying a wild card for each bit unit are used. For example, when an 8-bit field is considered, a specified value such as “00110101” is specified as a value starting from 4 bits of “0011” such as Exact Match, “0011 ***”. The thing is Prefix Match, and the 8-bit field should be within the range of 3 to 64 when considered in decimal as in [3-64]. Range Match, “0 ** 10 * 01” A wildcard match is a wildcard that can be used in bit units.

  With respect to such a multi-field packet classification technique, it is one technical problem how to process this in a high-speed router or switch by increasing the capacity of the rule set and improving the link speed. Currently, in order to realize the high-speed processing, a technique based on Tertiary Content Addressable Memory (TCAM) is often used.

  However, TCAM has problems such as high cost, large power consumption and circuit scale. In addition, when Range Match is used, there is a problem that the number of rules increases because the rule needs to be divided into rules using Prefix Match.

  On the other hand, various multi-fields using static random access memory (SRAM) and dynamic random access memory (DRAM) with lower cost and lower power consumption to avoid the problem of high cost and high power consumption of TCAM. Packet classification methods have been proposed.

  For example, Non-Patent Document 1 proposes a method using a “Decision Tree”. In the method using the decision tree, matching is not performed for all rules, but only for a small number of rules that can be matched by the search key. This reduces the time required for the search process. A method using a decision tree will be briefly described with reference to FIGS.

  FIG. 1 shows an example of a rule set consisting of 16 rules from R0 to R15 defined using two fields X and Y each having a length of 4 bits. The fields X and Y correspond to actual packet header fields such as a transmission source IP address and a transmission source port number. The field X is expressed in binary numbers, and '*' indicates a wild card. The field Y is represented by Range Match, and a and b of “[a: b]” represent a lower limit value and an upper limit value (decimal notation), respectively. Here, the priority and action assigned to each rule are omitted.

  FIG. 2 represents the rule set shown in FIG. 1 on a two-dimensional space composed of two axes of fields X and Y. Note that the numbers on the X-axis and the Y-axis are expressed in decimal numbers. According to the technique using a decision tree, a multidimensional space as shown in FIG. 2 is divided by paying attention to a plurality of dimensions. The decision tree is constructed by repeating the area division until the number of rules existing in the divided area is equal to or smaller than a threshold value. Here, the rule group managed in the divided area is referred to as a “rule list”.

  FIG. 3 shows an example of a decision tree constructed for the rule set shown in FIG. In the decision tree shown in FIG. 3, the threshold value of the number of rules in the divided area is set to 2. As shown in FIG. 3, first, the entire space is divided into two parts in the X direction and the Y direction, respectively. That is, the entire space (X, Y) = ([0:15], [0:15]) is the region 0 ([0: 7], [0: 7]), region 1 ([0: 7], [8:15]), region 2 ([8:15], [0: 7]), and region 3 ([8:15], [8:15]). The rule list managed in each area is [R7, R8, R9, R11] (area 0), [R0, R6, R9, R10, R11, R12] (area 1), [R1, R2, R3, R4, R5, R13, R14] (region 2) and [R10, R14, R15] (region 3). Since more rules than the threshold value 2 are still managed in each region, further region division is performed until the number of rules is equal to or less than the threshold value for each region. In the example shown in FIG. 3, the entire space is finally divided into 24 regions. Note that the algorithm for constructing a decision tree is described in Non-Patent Document 1 and Non-Patent Document 2, and is omitted here.

  When packet classification is performed, the decision tree is traced while referring to the search key, and matching is performed for all rules that are equal to or less than the threshold number managed by the arrived leaf node. As an example, consider packet classification for packets with search keys X = 0111 and Y = 1001. In the decision tree shown in FIG. 3, the entire space is divided into the above four regions at the root node, and the packet is divided into region 1 ([0: 7], [8:15] among these four regions). ). Subsequently, at the node in the region 1, the space is further divided into two parts in the X direction and the Y direction. That is, region 1 is region 10 ([0: 3], [8:11]), region 11 ([0: 3], [12:15]), region 12 ([4: 7], [8: 11]) and area 13 ([4: 7], [12:15]). It can be seen that the packet belongs to the region 12 among them. Further, the area 12 is divided into four, and it can be seen that the packet belongs to the area 122 ([6: 7], [8: 9]). Then, matching is performed on the two rules R9 and R10 managed in the area 122, and the matched rule is selected. In this example, since the packet matches both the rules R9 and R10, the rule is selected according to the priority assigned to each rule omitted in FIG.

  According to the method using the decision tree as described above, the same rule may be managed in a plurality of divided areas as a result of area division, which is hereinafter referred to as “replication of rules”. . For example, in FIG. 3, rules such as R7 and R9 are duplicated. When rule duplication occurs, the memory capacity for managing the duplicate rule itself or the address value for the duplicate rule increases, and it seems to handle more rules than the actual rule set. Become. That is, rule duplication causes an increase in the amount of data in the decision tree. The following are known techniques for suppressing rule duplication.

  According to Non-Patent Document 1, nodes that are not leaf nodes also have a rule list. If the same rule is duplicated in all child nodes (divided areas) as a result of area division, the duplicated rules are managed in the rule list of the node. However, this method cannot prevent replication of rules to a plurality of child nodes that are not all.

  Non-Patent Document 2 proposes a hardware architecture that allows a packet classification method using a decision tree to be processed at high speed by hardware using pipeline processing. In this method, nodes that are not leaf nodes also have rule lists. When the same rule is duplicated to a plurality of child nodes as a result of area division, the duplicated rule is managed in the rule list of the node. However, if the number of rules replicated in a single node exceeds the number of rules that can be managed in the rule list, rule replication occurs.

  In Non-Patent Document 3, as in Non-Patent Document 2, a method in which hardware performs packet classification using pipeline processing is proposed. However, unlike the cases of Non-Patent Document 1 and Non-Patent Document 2, only the leaf nodes manage rules in the decision tree. According to this method, a plurality of decision trees are prepared, and any one of the decision trees that does not cause replication of rules manages the rules. This prevents rule duplication.

Sumeet Singh, Florin Baboescu, George Varghese, Jia Wang, "Packet Classification Using Multidimensional Cutting", Proceedings of the ACM SIGCOMM 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, 2003 years, pp. 213-224 Weilong Jiang, Victor K. Prasanna, “Large-Scale Wire-Speed Packet Classification on FPGAs”, Processeds of the ACM / SIGDA International Symposium on Field Program. 219-228 Weilong Jiang, Victor K. Prasanna, Norio Yamagaki, “Decision Forest: A Scalable Architecture for Flexible Principal Matching on FPGA”, Proceedings of 2010, International Contest. 394-399

  In packet classification using a decision tree, it is also important to add a new rule to the decision tree or delete an existing rule from the decision tree. Such rule addition / deletion processing is hereinafter referred to as “dynamic update of an entry”.

  Non-Patent Document 3 does not describe a specific procedure for dynamically updating entries. Therefore, it is considered necessary to determine in advance which rule in which decision tree the rule is to be updated. That is, there is a problem that “preprocessing” is separately required to dynamically update an entry. In particular, in Non-Patent Document 3, it is assumed that an optimal decision tree is configured for a rule set given in advance. Therefore, in the worst case, it is necessary to change all of the configuration of the decision tree itself. Conceivable. In such a case, there is a problem that both the time required for the pre-processing of dynamic entry update and the time required for entry update increase.

  One object of the present invention is to provide a technique capable of realizing dynamic update of an entry without performing preprocessing in packet classification using a decision tree.

  In one aspect of the invention, a packet classifier is provided. The packet classifier includes a plurality of decision tree processing blocks constituting each of a plurality of decision trees used for packet classification, a command input block for simultaneously inputting commands to the plurality of decision tree processing blocks, An entry addition target decision block connected to the decision tree processing block. One rule is managed by a single leaf node in any one of a plurality of decision trees. When the command is a search command, each of the plurality of decision tree processing blocks determines whether or not the search key matches any rule by using its own decision tree. If the command is an insert command to add a new rule to the decision tree, each of the multiple decision tree processing blocks determines whether the new rule can be managed by a single leaf node in its decision tree. judge. When a new rule can be managed by a single leaf node, the decision tree processing block is an entry addition target candidate, and the single leaf node is an addition target leaf node. In this case, the entry addition target determination block selects an entry addition target to which a new rule is to be added from among the entry addition target candidates. The selected entry addition target adds a new rule to the rule list managed by the addition target leaf node in its own decision tree.

  In another aspect of the present invention, a packet classification method using a plurality of decision trees is provided. One rule is managed by a single leaf node in any one of a plurality of decision trees. In the packet classification method according to the present invention, (A) a step of inputting commands to a plurality of decision trees all at once, and (B) when the command is a search command, a search key is set in each of the plurality of decision trees. A step of determining whether or not any of the rules is matched; and (C) when the command is an insertion command for adding a new rule to the decision tree, the new rule is determined in each of the plurality of decision trees. Determining whether it can be managed by a single leaf node, and if the new rule can be managed by a single leaf node, then the decision tree is a candidate for entry addition, The leaf node is an addition target leaf node, and (D) selecting an entry addition target to which a new rule is to be added from among entry addition target candidates; The new rules, including the steps of adding to the rule list addition target leaf nodes entry additional object is managed, a.

  In still another aspect of the present invention, a packet classification program for causing a computer to execute packet classification processing using a plurality of decision trees is provided. One rule is managed by a single leaf node in any one of a plurality of decision trees. The packet classification processing according to the present invention includes (A) a step of inputting commands to a plurality of decision trees all at once, and (B) when the command is a search command, a search key is set in each of the plurality of decision trees. A step of determining whether or not any of the rules is matched; and (C) when the command is an insertion command for adding a new rule to the decision tree, the new rule is determined in each of the plurality of decision trees. Determining whether it can be managed by a single leaf node, and if the new rule can be managed by a single leaf node, then the decision tree is a candidate for entry addition, The leaf node is an addition target leaf node, and (D) selecting an entry addition target to which a new rule is to be added from among entry addition target candidates; The new rules, including the steps of adding to the rule list addition target leaf nodes entry additional object is managed, a.

  According to the present invention, in packet classification using a decision tree, it is possible to realize dynamic update of an entry without performing preprocessing.

FIG. 1 is a conceptual diagram illustrating an example of a rule set. FIG. 2 is a conceptual diagram showing a case where the rule set shown in FIG. 1 is arranged in a two-dimensional space consisting of two axes of fields X and Y. FIG. 3 is a conceptual diagram showing an example of a decision tree for the rule set shown in FIG. FIG. 4 is a block diagram showing the configuration of the packet classifier according to the first embodiment of the present invention. FIG. 5 is a block diagram illustrating a configuration of each decision tree processing block of the packet classifier according to the first embodiment. FIG. 6 is a conceptual diagram showing a correspondence relationship between the decision tree node processing block and each node of the decision tree in the first embodiment. FIG. 7 is a block diagram illustrating a configuration of a decision tree node processing block of the decision tree processing block according to the first embodiment. FIG. 8 is a block diagram showing the configuration of the entry count block of the decision tree processing block according to the first embodiment. FIG. 9 is a conceptual diagram illustrating a correspondence relationship between the rule processing block and the rules included in the rule list of each leaf node of the decision tree according to the first embodiment. FIG. 10 is a block diagram illustrating a configuration of a rule processing block of the decision tree processing block according to the first embodiment. FIG. 11 is a flowchart showing the LOOKUP process in the first embodiment. FIG. 12 is a conceptual diagram illustrating a configuration example of a command according to the first embodiment. FIG. 13 is a flowchart showing the process of step A2. FIG. 14 is a conceptual diagram illustrating a configuration example of node information according to the first embodiment. FIG. 15 is a diagram for explaining an address calculation method according to the first embodiment. FIG. 16 is a flowchart showing the process of step A4. FIG. 17 is a conceptual diagram illustrating a configuration example of entry information in the first embodiment. FIG. 18 is a flowchart illustrating the INSERT processing according to the first embodiment. FIG. 19 is a flowchart showing the process of step A6. FIG. 20 is a flowchart showing the process of step A9. FIG. 21 is a flowchart showing the process of step A12. FIG. 22 is a flowchart illustrating the DELETE process in the first embodiment. FIG. 23 is a flowchart showing the process of step A14. FIG. 24 is a block diagram showing a configuration of a packet classifier according to the second embodiment of the present invention. FIG. 25 is a block diagram illustrating a configuration of a decision tree processing block of the packet classifier according to the second embodiment. FIG. 26 is a flowchart illustrating the INSERT processing according to the second embodiment. FIG. 27 is a flowchart showing the process of step A18. FIG. 28 is a flowchart illustrating a DELETE process according to the second embodiment. FIG. 29 is a conceptual diagram showing a command configuration example according to the third embodiment of the present invention. FIG. 30 is a flowchart showing the INSERT processing according to the third embodiment. FIG. 31 is a flowchart showing the process of step A19. FIG. 32 is a flowchart showing the process of step A20. FIG. 33 is a block diagram showing a configuration of a packet classifier according to the fourth exemplary embodiment of the present invention.

  Embodiments of the present invention will be described with reference to the accompanying drawings.

1. 1. First embodiment 1-1. Overview FIG. 4 is a block diagram showing a configuration of the packet classifier 1 according to the first exemplary embodiment of the present invention. The packet classifier 1 performs packet classification by using a decision tree. That is, the packet classifier 1 determines which rule the search key extracted from the packet header matches by using the decision tree. Furthermore, the packet classifier 1 according to the present embodiment automatically performs dynamic update of entries (addition of new rules, deletion of existing rules) according to input commands.

  In the present embodiment, the packet classifier 1 is realized by a hardware circuit. More specifically, as shown in FIG. 4, the packet classifier 1 includes one or more decision tree processing blocks 2 (2-1 to 2-N: N is an integer of 2 or more), entry addition target A decision block 3, a command input block 4, and a result output block 5 are provided. Further, input data 6 is input to the packet classifier 1, and output data 7 is output from the packet classifier 1.

  The input data 6 depends on the process to be executed by the packet classifier 1. The processing executed by the packet classifier 1 includes (1) processing for searching for a rule matching the search key (hereinafter referred to as “LOOKUP processing”), and (2) new rule (new entry) as a decision tree. Processing to be added (hereinafter referred to as “INSERT processing”), (3) Processing to invalidate existing rules (existing entries) (hereinafter referred to as “DELETE processing”), (4) Packet classifier 1 is a configuration process in which a setting value is written in advance in a memory, a setting register, or the like included in 1. Here, the configuration process is performed at the time of initialization, and is to set a value related to the configuration in a setting register or a memory provided in each block included in the packet classifier 1. Only the LOOKUP process, the INSERT process, and the DELETE process will be described below. The input data 6 includes type data indicating a processing type and data used in the processing. In the case of the LOOKUP process, the input data 6 includes type data indicating the LOOKUP process and a search key. In the case of the INSERT process, the input data 6 includes type data indicating the INSERT process and a new rule to be added. In the case of the DELETE process, the input data 6 includes type data indicating the DELETE process and an existing rule to be invalidated.

  The command input block 4 receives the input data 6 and creates a command corresponding to the input data 6. As in the case of the input data 6, the command includes type data indicating the type of processing and data used in the processing. The search command for instructing execution of the LOOKUP process includes type data indicating the LOOKUP process and a search key. The insertion command for instructing execution of the INSERT process includes type data indicating the INSERT process and a new rule to be added. The delete command for instructing execution of the DELETE process includes type data indicating the DELETE process and an existing rule to be invalidated. The command input block 4 inputs the generated commands all at once to the plurality of decision tree processing blocks 2-1 to 2-N.

  Each of the plurality of decision tree processing blocks 2-1 to 2-N constitutes a plurality of decision trees used for packet classification. Here, the plurality of decision trees are configured so that rule duplication does not occur as in the method described in Non-Patent Document 3. That is, each rule is managed in a decision tree where no duplication of the rule occurs. In other words, one rule is managed only by a single leaf node in any one of a plurality of decision trees. Each decision tree processing block 2 executes a LOOKUP process, an INSERT process, or a DELETE process according to the command input from the command input block 4. The plurality of decision tree processing blocks 2-1 to 2-N can execute each process in parallel.

<LOOKUP processing>
The plurality of decision tree processing blocks 2-1 to 2-N execute the LOOKUP processing simultaneously and in parallel according to the search command. Specifically, each decision tree processing block 2 uses its own decision tree to determine whether the search key matches any rule managed by any leaf node. If there is a rule that matches the search key, the decision tree processing block 2 notifies the result output block 5 of the match rule. When the search key matches a plurality of rules included in the rule list in the leaf node, the decision tree processing block 2 notifies the result output block 5 of the highest priority rule among the plurality of match rules. On the other hand, if there is no rule that matches the search key, the decision tree processing block 2 notifies the result output block 5 that there is no match rule. The result output block 5 receives the search results from the plurality of decision tree processing blocks 2-1 to 2-N, and selects the match rule with the highest priority. Then, the result output block 5 outputs the output data 7 indicating the selection result as the final result of the LOOKUP process.

<INSERT processing>
The plurality of decision tree processing blocks 2-1 to 2-N execute the INSERT processing simultaneously and in parallel according to the insertion command. Specifically, each decision tree processing block 2 first determines whether or not duplication of rules will occur even if a new rule is added to its own decision tree. In other words, each decision tree processing block 2 determines whether the new rule can be managed only by a single leaf node in its decision tree. When rule duplication occurs, the decision tree processing block 2 is not a target for adding a new rule. On the other hand, when rule duplication does not occur, that is, when a new rule can be managed only by a single leaf node in its own decision tree, the decision tree processing block 2 becomes an “entry addition target candidate” The leaf node is “addition target leaf node”.

  The decision tree processing block 2 to which new rules are added is “entry addition target”. The entry addition target is selected from the entry addition target candidates. The entry addition target determination block 3 selects the entry addition target. As shown in FIG. 4, the entry addition target determination block 3 is connected to each of a plurality of decision tree processing blocks 2-1 to 2-N. Then, the entry addition target determination block 3 recognizes the entry addition target candidate based on information notified from the plurality of decision tree processing blocks 2-1 to 2-N, and selects the entry addition target from the entry addition target candidates. Select.

  For example, each entry addition target candidate notifies the entry addition target determination block 3 of the number of valid rule entries managed by the addition target leaf node. Then, the entry addition target determination block 3 refers to the number of valid entries received from each entry addition target candidate, and selects an entry addition target according to a predetermined policy. For example, the entry addition target determination block 3 selects the entry addition target candidate having the minimum number of valid entries as the entry addition target. In this case, the deviation of the number of rules among a plurality of decision trees is suppressed, which is preferable.

  The entry addition target determination block 3 notifies each decision tree processing block 2 of the selection result of the entry addition target. For example, the entry addition target determination block 3 instructs the entry addition target to add a new rule, and instructs the other decision tree processing block 2 not to execute the rule addition process. Then, the decision tree processing block 2 as an entry addition target adds the new rule to the rule list managed by the addition target leaf node in its own decision tree.

  In this way, the INSERT process is executed. The result output block 5 receives the processing results from the plurality of decision tree processing blocks 2-1 to 2-N, and outputs the output data 7 indicating the final result of the INSERT processing.

<DELETE processing>
The plurality of decision tree processing blocks 2-1 to 2-N execute the DELETE processing in parallel in response to the delete command. Specifically, each decision tree processing block 2 determines whether an existing rule to be deleted is managed by a single leaf node in its own decision tree. When the existing rule is managed by a single leaf node, the decision tree processing block 2 is “entry deletion target”, and the single leaf node is “deletion target leaf node”. The decision tree processing block 2 that is the entry deletion target invalidates the existing rule managed by the deletion target leaf node.

  In this way, the DELETE process is executed. The result output block 5 receives the processing results from the plurality of decision tree processing blocks 2-1 to 2-N, and outputs the output data 7 indicating the final result of the DELETE processing.

  As described above, according to the present embodiment, rule duplication does not occur. In particular, the INSERT process is executed so that rule replication does not occur even in the dynamic update of entries. As a comparative example, let us consider a case where dynamic update of an entry is performed on a decision tree in which rule duplication is allowed. In dynamic update of an entry, it is necessary to rewrite data in a data storage area on the memory of the entry to be updated. If there are duplicated rules, data rewrite is required for the number of duplicates. Therefore, in the INSERT processing and the DELETE processing, the processing time is not constant every time, and the processing time may be greatly increased in some cases. According to the present embodiment, such a problem is solved. That is, the processing time required for dynamic update of entries such as INSERT processing and DELETE processing is constant.

  Furthermore, according to the present embodiment, at the time of INSERT processing, each of the plurality of decision tree processing blocks 2-1 to 2-N receives an insertion command, and according to the insertion command, is it an entry addition target candidate? Automatically determine whether or not. The entry addition target determination block 3 automatically determines an appropriate entry addition target based on at least information notified from the entry addition target candidate. The entry addition target automatically adds a new rule to the addition target leaf node. Further, at the time of DELETE processing, each of the plurality of decision tree processing blocks 2-1 to 2-N receives a deletion command and automatically determines whether or not itself is an entry deletion target in accordance with the deletion command. The entry deletion target automatically invalidates the specified rule in the deletion target leaf node. Thus, the dynamic update of the entry is automatically performed according to the command. “Preprocessing” such as determining in advance which rule in which decision tree is to be updated is unnecessary. That is, according to the present embodiment, it is possible to realize dynamic update of entries without performing preprocessing in packet classification using a decision tree.

  The packet classifier 1 according to the present embodiment is provided, for example, in a network device such as a switch or a router, or in an NIC (Network Interface Card) mounted on a server expansion card or onboard. In this case, the packet classifier 1 is connected to the control block. The control block has a function of analyzing a header of an incoming packet, a function of extracting a search key from the packet header, and a function of causing the packet classifier 1 to execute a LOOKUP process using the search key. Further, the control block has a function for causing the packet classifier 1 to execute an INSERT process for adding a new rule specified from the outside, and a function for causing the packet classifier 1 to execute a DELETE process for deleting an existing rule specified from the outside. Have The packet classifier 1 receives input data 6 corresponding to the processing from the control block, and outputs output data 7 to the control block.

1-2. Configuration Example Next, a configuration example of the packet classifier 1 according to the present embodiment will be described in more detail. FIG. 5 is a block diagram showing a configuration of each decision tree processing block 2 of the packet classifier 1 according to the present embodiment. As shown in FIG. 5, the decision tree processing block 2 includes a decision tree pipeline block 20, an entry count block 21, and a rule pipeline block 22. Data input from the command input block 4 to the decision tree processing block 2 is input data 23. Data output from the decision tree processing block 2 to the result output block 5 is output data 24. Data exchanged between the decision tree processing block 2 and the entry addition target determination block 3 is input / output data 25.

1-2-1. Decision tree pipeline block 20
The decision tree pipeline block 20 searches for a decision tree by pipeline processing. Specifically, the decision tree pipeline block 20 includes decision tree node processing blocks 200-1 to 200-H having the same number of stages as the depth (number of stages) H of the decision tree. As shown in FIG. 6, the decision tree node processing block 200-i (i = 1, 2,..., H) has a depth j (j = 0, 1,..., H) from the root node of the decision tree. -1) corresponds to the node and performs processing related to the node. By using these decision tree node processing blocks 200-1 to 200-H, the decision tree pipeline block 20 executes a search process node by node from the root node of the decision tree toward the leaf node. Preferably, a process of tracing one node of the decision tree is executed every clock cycle.

  FIG. 7 is a block diagram showing a configuration of the decision tree node processing block 200 according to the present embodiment. As shown in FIG. 7, the decision tree node processing block 200 includes a child node determination block 2000 and a node information storage block 2001.

  The node information storage block 2001 is configured by a storage medium such as a memory or a register, and stores node information. The node information indicates, for each of all nodes at the same depth when viewed from the root node, area division information in the node, that is, information on a child node (divided area) managed by the node.

  The decision tree node processing block 200 receives the input data 2002 from the preceding decision tree node processing block 200. However, the decision tree node processing block 200-1 receives the input data 2002 (= input data 23) from the command input block 4. The input data 2002 includes a command corresponding to each process and an address value used for accessing the node information storage block 2001. The input data 2002 from the decision tree node processing block 200 at the preceding stage further includes “effective bit length” information described later.

  The child node determination block 2000 receives the input data 2002 and reads the node information from the node information storage block 2001 with reference to the address value specified by the input data 2002. Then, the child node determination block 2000 calculates an address value in which the node information of the child node of the node is stored based on the node information, the effective bit length, and the command. In addition, the child node determination block 2000 updates the effective bit length. The calculation of the address value and the update of the effective bit length will be described in detail later. The output data 2003 includes the command included in the input data 2002, the calculated new address value, and the updated effective bit length. The child node determination block 2000 outputs the output data 2003 to the decision tree node processing block 200 at the next stage.

  The decision tree node processing block 200-H at the final stage is as follows. In the case of LOOKUP processing or DELETE processing, the address value calculated by the child node determination block 2000 is an address value used for accessing an entry storage block 2201 (described later) of the rule processing block 220 of the rule pipeline block 22. is there. The decision tree node processing block 200-H outputs the output data 2003 to the rule processing block 220-1. In the case of the INSERT processing, the address value calculated by the child node determination block 2000 is an address value used for access to the entry number storage block 211 (described later) of the entry number count block 21. The output data 2004 includes the command included in the input data 2002 and the calculated address value. The child node determination block 2000 outputs the output data 2004 to the entry count block 21.

1-2-2. Entry count block 21
The entry count block 21 manages, for each leaf node, the number of valid rule entries managed for all leaf nodes of the decision tree. Note that the processing by the entry count block 21 is executed in a processing cycle corresponding to the depth H of the decision tree.

  FIG. 8 is a block diagram showing a configuration of the entry count block 21 according to the present embodiment. As shown in FIG. 8, the entry count block 21 includes a count processing block 210 and an entry count storage block 211.

  The entry number storage block 211 includes a storage medium such as a memory or a register, and stores entry number information. The entry number information indicates the number of valid rule entries managed by each leaf node of the decision tree.

  In the case of the INSERT processing, the count processing block 210 receives the input data 212 (= the above-mentioned output data 2004) from the decision tree node processing block 200-H of the decision tree pipeline block 20. The input data 212 includes an insert command and an address value used for accessing the entry number storage block 211. The count processing block 210 refers to the address value and reads the entry number information (valid rule entry number) regarding the addition target leaf node from the entry number storage block 211. Then, the count processing block 210 outputs the output data 216 indicating the number of read valid rule entries to the entry addition target determination block 3 described above.

  The count processing block 210 receives the input data 216 from the entry addition target determination block 3. When the input data 216 specifies “add new rule to decision tree”, the count processing block 210 adds “1” to the number of valid rule entries related to the addition target leaf node, and stores the number of entries storage block. 211 is written. As a result, the entry number storage block 211 is updated to the latest state. Further, the count processing block 210 outputs the output data 214 to the rule processing block 220-1 of the rule pipeline block 22. The output data 214 includes an insert command and an address value used for accessing the entry storage block 2201 (described later) of the rule processing block 220-1.

  In the case of DELETE processing, the count processing block 210 receives the input data 213 from the rule processing block 220-B of the rule pipeline block 22. The count processing block 210 refers to the address value specified by the input data 213 and reads the entry number information (valid rule entry number) regarding the deletion target leaf node from the entry number storage block 211. Then, the count processing block 210 subtracts “1” from the number of valid rule entries and writes it to the entry number storage block 211. As a result, the entry number storage block 211 is updated to the latest state. Further, the count processing block 210 outputs output data 215 indicating completion of the DELETE processing to the result output block 5 as output data 24.

1-2-3. Rule pipeline block 22
The rule pipeline block 22 performs rule processing (search for a rule matching the search key, addition of a new rule, deletion of an existing rule) by pipeline control. Specifically, the rule pipeline block 22 includes rule processing blocks 220-1 to 220-B having the same number of stages as the maximum number of rules (rule list size) B that can be managed in each leaf node. As shown in FIG. 9, the rule processing block 220-i (i = 1, 2,..., B) includes a rule j (j = 1, 2,. B) is associated with the rule j, and the rule processing relating to the rule j is executed. By using these rule processing blocks 220-1 to 220-B, the rule pipeline block 22 executes rule processing for each rule included in the rule list of the leaf node. Preferably, rule processing for one rule is executed every clock cycle.

  FIG. 10 is a block diagram showing a configuration of rule processing block 220 according to the present embodiment. As shown in FIG. 10, the rule processing block 220 includes a comparative update processing block 2200 and an entry storage block 2201.

  The entry storage block 2201 includes a storage medium such as a memory or a register, and stores entry information. The entry information includes a validity flag indicating whether the rule is valid or invalid, a rule ID, a rule, and the like.

  In the case of LOOKUP processing or DELETE processing, the rule processing block 220-1 receives the input data 2202 (= the above-described output data 2003) from the decision tree node processing block 200-H of the decision tree pipeline block 20. The input data 2202 includes a command corresponding to each process and an address value used for accessing the entry storage block 2201.

  In the case of the INSERT processing, the rule processing block 220-1 receives the input data 2203 (= the output data 214 described above) from the entry count block 21. The input data 2203 includes an insert command and an address value used for accessing the entry storage block 2201. Thereafter, the input data 2203 is handled in the same manner as the input data 2202 described above.

  The comparison update processing block 2200 receives the input data 2202 and reads the entry information from the entry storage block 2201 with reference to the address value specified by the input data 2202. Then, the comparative update processing block 2200 executes rule processing according to the command based on the read entry information. Details of the rule processing will be described later. The comparison update processing block 2200 outputs the received input data 2202 as output data 2204 to the rule processing block 220 at the next stage.

  Each of the rule processing blocks 220-2 to 220-B receives the input data 2202 (= the output data 2204 described above) from the preceding rule processing block 220. The processing by the comparative update processing block 2200 is the same as described above. In the case of the DELETE processing, the comparison update processing block 2200 of the final-stage rule processing block 220 -B outputs the output data 2205 (= the above-mentioned input data 213) instead of the output data 2204 to the entry count block 21. . The contents of the output data 2205 are the same as the output data 2204.

1-3. Operation Next, the operation of the packet classifier 1 according to the present embodiment will be described in detail.

1-3-1. LOOKUP Process First, the LOOKUP process will be described. FIG. 11 is a flowchart showing the LOOKUP process in the present embodiment.

Step A1:
Input data 6 is input to the packet classifier 1. The input data 6 includes type data indicating the LOOKUP process and a search key extracted from the search target packet. The command input block 4 receives the input data 6. The command input block 4 generates an in-device command (here, a search command) based on the input data 6 and outputs the in-device command to the decision tree processing blocks 2-1 to 2-N all at once.

  FIG. 12 is a conceptual diagram showing a configuration example of the in-device command. The command part includes a processing type, an end flag, and a result flag. For example, if the processing type that is 2-bit data is “00”, it indicates LOOKUP processing, “01” indicates INSERT processing, and “10” indicates DELETE processing. If the end flag is “0”, it indicates that the end is not completed, and if it is “1”, it indicates the end. The result flag is set to “1” when an entry is added or deleted. Note that the end flag and the result flag are referred to only in the INSERT process and the DELETE process, and the usage method thereof will be described later. Further, the search key (LOOKUP process), a new entry to be added (INSERT process), or an existing entry to be deleted (DELETE process) is stored in the latter half of the in-device command.

  Here, the entry (rule) can take various expression forms in consideration of the Prefix Match, the Range Match, and the Wildcard Match. For example, data strings A and B having the same length as the search key length are prepared, and in the case of Prefix Match or Wildcard Match, target data is assigned to A, and mask bit data is assigned to B. In the case of Range Match, A A method of assigning a lower limit value to B and an upper limit value to B can be considered. In this case, the entry length of the rule is twice the search key length. Considering these, in the second half of the in-device command, it is allowed that the search key at the time of LOOKUP processing and the length of the addition / deletion entry at the time of INSERT and DELETE processing are different. In the case of an additional entry, its priority is also specified.

Step A2:
When a search command is received from the command input block 4, each decision tree processing block 2 executes a process for tracing its own decision tree using the designated search key. FIG. 13 is a flowchart showing the processing of step A2.

Step B1:
The process of tracing the decision tree starts from the root node of the decision tree. Therefore, first, the current processing node is set as the root node of the decision tree. Specifically, an insertion command is input to the decision tree node processing block 200-1 at the first stage of the decision tree pipeline block 20.

Step B2:
The child node determination block 2000 reads the node information from the node information storage block 2001 after confirming that the processing type is LOOKUP.

FIG. 14 is a conceptual diagram illustrating a configuration example of node information. The node information is area division information in the node. As shown in FIG. 14, the node information includes C pairs of a field identifier (field ID) and the number of divisions (k), and a base address. Here, C is the maximum number of fields that can be used for region division in one node of the decision tree. The field ID is determined in advance for each field constituting the search key and rule. In addition, the range of each field is divided into ^2k (k is a natural number), and the divided number k represents the index. For example, when the ranges of the fields X and Y are divided into two as in the examples of FIGS. 1 to 3 described above, the division number k of the field X is 1, and the division number k of the field Y is also 1. is there. The maximum number of k is determined in advance. The base address indicates the minimum address value of the storage area in which the node information of the child node of the node is stored. More specifically, the base address is the minimum address value in the node information storage block 2001 of the next decision tree node processing block 200 in which the node information of the child node of the node is stored, and all the children of the node The node information of the node is stored in a storage area continuous from this base address.

Step B3:
Based on the read node information, the bit string of each field of the search key, and the effective bit length, the child node determination block 2000 calculates the address value of the storage area in which the node information of the child node at the next stage is stored. Specifically, the address value of the next stage is calculated as follows (see also FIG. 15).

  For example, it is assumed that division information (field ID, number of divisions) = (0001, 01), (0100, 11) and base address = 00001000 are set as node information. In the search key, it is assumed that the field value of field ID = 0001 is “0101”, the field value of field ID = 0100 is “0110”, and the effective bit lengths are 3 and 4, respectively. Here, the effective bit length corresponds to the length from the lower bit used for region division for the bit string of each field. That is, the bit string from the lower bits having the length specified by the effective bit length is referred to in the field value. The field ID = 0001 will be described. Since the effective bit length is 3, the lower 3 bits “101” of the field value are referred to. Since the division number k = 1, the upper 1 bit of the effective bits is referred to obtain “1” (see FIG. 15). Similarly, for field ID = 0100, since the effective bit length is 4 and the division number k is 3, “011” is obtained. The base address “00001000” is added to “1011” obtained by connecting these. “00010011” obtained as a result is the address value of the storage area in which the node information of the child node of the next stage is stored.

Step B4:
Subsequently, the child node determination block 2000 updates the effective bit length by subtracting the division number k from the input effective bit length. In the above example, the effective bit length of the field ID = 0001 is updated to 3-1 = 2, and the effective bit length of the field ID = 0100 is updated to 4-3 = 1. Note that the effective bit length is not input to the decision tree node processing block 200-1, but the effective bit length in this case is assumed to be set in advance as the field length of each field. For the subsequent decision tree node processing block 200, the effective bit length is input from the preceding decision tree node processing block 200.

Step B5, B6:
Next, it is determined whether the child node is a leaf node. Specifically, since the child node of the node processed by the decision tree node processing block 200-H is a leaf node (see FIG. 6), the decision tree node processing block 200 to be processed may automatically determine.

  The case where the next node is not a leaf node (step B5; No) corresponds to the case of the decision tree node processing block 200-i (i = 1, 2,..., H-1). The decision tree node processing block 200-i outputs the output data 2003 to the next-stage decision tree node processing block 200- (i + 1) (step B6). The output data 2003 includes the command included in the input data 2002, the calculated new address value, and the updated effective bit length. Then, the process returns to step B2, and the next node becomes a processing node.

  The case where the next node is a leaf node (step B5; Yes) corresponds to the case of the decision tree node processing block 200-H. In this case, step A2 ends.

Step A3:
When step A2 ends, the decision tree node processing block 200-H outputs the output data 2003 including the calculated address value and command to the rule processing block 220-1 of the rule pipeline block 22.

Step A4:
Subsequently, the rule pipeline block 22 performs a comparison (matching process) between the search key and each rule in the rule list. FIG. 16 is a flowchart showing the process of step A4.

Step C1:
The matching process starts from the first rule in the rule list. Specifically, the processing is started from the first-stage rule processing block 220-1.

Step C2:
The comparison update processing block 2200 reads the entry information from the entry storage block 2201 using the input address value after confirming that the processing type is LOOKUP. Then, the comparative update processing block 2200 confirms the valid flag.

  FIG. 17 is a conceptual diagram illustrating a configuration example of entry information. The entry information includes a valid flag indicating whether the rule is valid, a rule ID, a rule, and a priority. An action may be added when actions corresponding to a rule are stored simultaneously. Here, it is assumed that the action is managed at a location different from that of the packet classifier 1, and the search is performed by the packet classifier 1, and then the action is acquired by using the rule ID. In the configuration example of the entry information in FIG. 17, the rule ID is included, but this is not included in the entry information. For example, the ID of the decision tree processing block that has performed the process, the ID of the leaf node, the rule list A rule ID may be generated from the order or the like. More specifically, i is the i of the decision tree processing block 2-i (i = 1, 2,..., N) that has been processed, and the ID of the leaf node reached in the decision tree processing block 2-i. j, a rule processing block 220-k (k = 1, 2,..., B) concatenated with binary numbers can be referred to as a rule ID.

Step C4:
When the rule is valid (step C3; Yes), the comparison / update processing block 2200 compares the search key with the read rule. This comparison method is disclosed in Non-Patent Document 2, for example.

Step C6:
When the search key matches the rule (step C5; Yes), the comparison update processing block 2200 compares the priority of the rule with the priority of the current match rule. Here, the current matching rule means a rule having the highest priority among the rules matched up to the previous rule processing block 220. On the other hand, the rule used for comparison in the current rule processing block 220 is referred to as a comparison rule.

Step C8:
When the priority of the comparison rule is higher (step C7; Yes), the comparison update processing block 2200 sets the comparison rule as a new current match rule. Thereafter, the processing proceeds to step C9.

Steps C9, C10, C11:
It is determined whether the current rule is the last rule in the rule list. Specifically, when the rule processing block 220-i (i = 1, 2,..., B-1) is executing a process, it is not the last rule (step C9; No). In this case, the rule processing block 220-i outputs the output data 2204 including the address value and the command to the next-stage rule processing block 220- (i + 1) (step C10). Then, the process returns to step C2, and the matching process for the next rule in the rule list is executed.

  If the read rule is not valid (step C3; No) and the search key does not match the rule (step C5; No), the priority of the comparison rule is lower than the priority of the match rule. In the case (step C7; No), the process proceeds to step C9.

  When the current rule is the last rule in the rule list, that is, when the processing is performed in the rule processing block 220-B (step C9; Yes), the rule processing block 220-B displays the rule ID of the match rule. The priority and the command are output to the result output block 5 (step C11). Then, step A4 ends. If there is no match rule, for example, a special value in which all the bit values of the rule ID are 1 is output to indicate that no match rule exists.

Step A5:
The result output block 5 receives search results from the plurality of decision tree processing blocks 2-1 to 2-N. The result output block 5 compares the priority levels of the match rules and selects the match rule with the highest priority. Then, the result output block 5 outputs, for example, the rule ID of the match rule having the highest priority as the final result of the LOOKUP process as the output data 7 indicating the selection result. At this time, if there is no match rule, the rule ID having the above-described special value can be output to indicate that no match rule exists.

1-3-2. INSERT Processing Next, INSERT processing will be described. FIG. 18 is a flowchart showing the INSERT processing in the present embodiment.

Step A1:
Input data 6 is input to the packet classifier 1. The input data 6 includes type data indicating INSERT processing and a new rule to be added. The command input block 4 receives the input data 6. The command input block 4 generates an in-device command (here, an insert command) based on the input data 6 and outputs the in-device command to the decision tree processing blocks 2-1 to 2-N all at once.

Step A6:
When an insertion command is received from the command input block 4, each decision tree processing block 2 executes a process of tracing its own decision tree using the designated new rule. FIG. 19 is a flowchart showing the process of step A6.

Step B1:
First, as in the case of the LOOKUP process, the current processing node is set as the root node of the decision tree.

Step B7:
The child node determination block 2000 refers to the end flag in the command after confirming that the processing type is INSERT. If the end flag is “1” (step B7; Yes), the process proceeds to step B5. On the other hand, when the end flag is “0” (step B7; No), the process proceeds to step B2.

Step B2:
As in the case of the LOOKUP process, the child node determination block 2000 reads node information from the node information storage block 2001.

Step B8:
The child node determination block 2000 determines whether or not rule duplication occurs based on the read node information, the bit string of each field of the new rule, and the effective bit length. Whether or not rule duplication occurs can be determined by whether or not a wild card is included when calculating an address value.

  For example, it is assumed that area division information (field ID, number of divisions) = (0001, 01), (0100, 11) and base address = 00001000 are set as node information. In the addition target rule, for each field of field ID = 0001 and field ID = 0100, (field value, mask bit string) is (“0101”, “1111”), (“0110”, “1111”). ) And the effective bit lengths are 3 and 4, respectively. The mask bit string is valid if each bit is ‘1’, and invalid if ‘0’, that is, it is treated as a wild card. In this case, since both fields do not contain a wild card, it can be seen that rule duplication does not occur, and the address value of the next child node can be calculated in the same manner as in step B3 at LOOKUP. On the other hand, for the same node information and effective bit length, (field value, mask bit string) of each field of field ID = 0001 and field ID = 0100 in the addition target rule is (“0101”, “1111”), Consider the case where the setting is made as (“0110”, “1100”). In this case, considering the mask bit string, the field values are “0101” and “01 **”, respectively. When trying to calculate the address value of the child node based on the node information, since the effective bit lengths are 3 and 4, the upper 1 bit of the lower 3 bits “101” is referred to for the field ID = 0001. And get '1'. On the other hand, for the field with field ID = 0100, the effective bit length is 4 and the number of divisions is 3, so that “01 *” is obtained. As a result, a wild card is included in the bit string indicating the divided area of the child node, which means that rule duplication occurs. When the field value is set as Range Match, it can be determined whether or not the bit strings referred to are the same value for the bit string corresponding to the effective bit length of the lower limit value and the upper limit value. For example, in the above example, it is assumed that the field ID = 0001 is set as the lower limit value 0000 and the upper limit value 0011. Since the effective bit length is 3, the lower 3 bits “000” and “011” of the lower limit value and the upper limit value are referred to. Since the number of divisions is 1, the first bit of each effective bit length is referred to, and since both are '0', it can be determined that rule duplication does not occur even if region division is performed. On the other hand, when the field ID = 0001 is set to the lower limit value 0000 and the upper limit value 0111, since the reference bits are ‘0’ and ‘1’, it can be determined that duplication of the rule occurs.

Step B10:
When rule duplication occurs (step B9; Yes), the decision tree processing block 2 is not an entry addition target candidate. In this case, the child node determination block 2000 sets the command end flag to “1”. Thereafter, the process proceeds to step B5.

Step B3, B4:
On the other hand, if no rule duplication occurs (step B9; No), the next-stage address value is calculated (step B3) and the effective bit length is updated (step B4), as in the case of the LOOKUP process. Thereafter, the process proceeds to step B5.

Step B5, B6:
As in the case of the LOOKUP process, steps B5 and B6 are performed. That is, when the next node is not a leaf node (step B5; No), the decision tree node processing block 200-i (i = 1, 2,..., H−1) Output data 2003 is output to block 200- (i + 1) (step B6). Then, the process returns to step B7, and the next node becomes a processing node. On the other hand, when the next node is a leaf node (step B5; Yes), step A6 ends.

Step A7:
When step A6 ends, the decision tree node processing block 200-H outputs the output data 2004 including the calculated address value and command to the entry count block 21.

Step A8:
The count processing block 210 of the entry count block 21 receives the input data 212 (= the output data 2004 described above) from the decision tree node processing block 200-H. The count processing block 210 refers to the end flag after confirming that the processing type is INSERT. When the end flag is “0”, the decision tree processing block 2 is an entry addition target candidate. In this case, the count processing block 210 reads the entry number information (number of valid rule entries) regarding the addition target leaf node from the entry number storage block 211 using the input address value. Then, the count processing block 210 outputs output data 216 indicating the number of read valid rule entries to the entry addition target determination block 3.

  On the other hand, when the end flag is “1”, the decision tree processing block 2 is not an entry addition target candidate. In this case, the count processing block 210 outputs a processing end signal to the entry addition target determination block 3. Alternatively, the count processing block 210 may set the number of valid rule entries to the maximum value and notify the entry addition target determination block 3 of the number of valid rule entries.

Step A9:
The entry addition target determination block 3 recognizes an entry addition target candidate based on information notified from the plurality of decision tree processing blocks 2-1 to 2-N, and selects an entry addition target from the entry addition target candidates. To do. FIG. 20 is a flowchart showing the process of step A9.

Steps D1, D2, D3:
The entry addition target determination block 3 receives information indicating the number of valid rule entries from the entry addition target candidate (step D1). Next, the entry addition target determination block 3 checks whether or not there is any valid rule entry number that is less than the maximum number B (list size) of the rule list (step D2). If there is no valid rule entry number less than the list size (step D2; No), the entry addition target determination block 3 determines that there is no entry addition target (step D3).

Steps D4 and D5:
On the other hand, if there is one in which the number of valid rule entries is smaller than the list size (step D2; Yes), the entry addition target determination block 3 selects the entry addition target candidate having the smallest number of valid entries as the entry addition target. (Step D4). Thereafter, the entry addition target determination block 3 notifies each decision tree processing block 2 of whether or not an entry can be added (step D5). For example, the entry addition target determination block 3 instructs the entry addition target to add a new rule, and instructs the other decision tree processing block 2 not to execute the rule addition process. Here, the entry addition target candidate having the minimum number of valid rule entries is selected as the entry addition target, but the entry addition target may be selected according to another policy.

Step A10:
The entry count block 21 of the decision tree processing block 2 that is the entry addition target adds “1” to the number of valid rule entries related to the addition target leaf node, and writes the result into the entry count storage block 211. As a result, the entry number storage block 211 is updated to the latest state. The other entry count block 21 of the decision tree processing block 2 sets the command end flag to “1”.

Step A11:
The entry count block 21 of each decision tree processing block 2 outputs the output data 214 including the address value and the insertion command to the rule processing block 220-1 of the rule pipeline block 22.

Step A12:
The rule pipeline block 22 performs rule addition processing. FIG. 21 is a flowchart showing the processing of step A12.

Step C12:
Step A12 starts from the first rule in the rule list. Specifically, the processing is started from the first-stage rule processing block 220-1.

Step C13:
The comparative update processing block 2200 refers to the end flag in the command after confirming that the processing type is INSERT. When the end flag is “1” (step C13; Yes), the process proceeds to step C9. On the other hand, when the end flag is “0” (step C13; No), the process proceeds to step C2.

Step C2:
As in the case of the LOOKUP process, the comparison / update processing block 2200 reads entry information from the entry storage block 2201 using the input address value. Then, the comparative update processing block 2200 confirms the valid flag.

Step C15:
If the rule is valid (step C3; Yes), writing a new rule to the entry is not permitted. In this case, the rule processing block 220-i outputs output data 2204 including an address value and a command to the next-stage rule processing block 220- (i + 1). Then, the process returns to step C13, and the process for the next rule in the rule list is executed.

Step C14:
On the other hand, if the rule is not valid (step C3; No), a new rule can be written in the entry (that is, an empty entry). In this case, the comparison update processing block 2200 rewrites the rule information in the entry information to that of the new rule, sets the valid flag to “1”, and writes it in the entry storage block 2201. Further, the comparison update processing block 2200 sets the end flag in the command to “1”, and sets the result flag to “1” (addition success). Thereafter, the processing proceeds to step C9.

Step C9:
As in the case of the LOOKUP process, it is determined whether or not the current rule is the last rule in the rule list. If the current rule is not the last rule (step C9; No), the process proceeds to step C15. On the other hand, in the case of the last rule (step C9; Yes), the rule processing block 220-B outputs the current command to the result output block 5 (step C16). Then, step A12 ends.

Step A13:
The result output block 5 receives commands from the plurality of decision tree processing blocks 2-1 to 2-N. The result output block 5 refers to the result flag in the received command and confirms whether a new rule has been added or not added. Then, the result output block 5 outputs output data 7 indicating the result as the final result of the INSERT process.

  Here, as the final result of the INSERT processing, an entry ID indicating the location where the new rule is added may be output. The entry ID is generated from the ID of the decision tree processing block that is the entry addition target, the ID of the leaf node, the rule list order, etc., as in the rule ID generation method when the rule ID is not included in the entry information described above can do. At this time, if there is no free space where a new rule can be added and a new rule could not be added, it can indicate that the rule could not be added by outputting a signal indicating that, for example, By outputting as a special value with all entry IDs set to “1”, a signal indicating that a rule could not be added can be omitted. In INSERT processing, processing was performed using an end flag and a result flag each consisting of 1 bit, but the bit width of the end flag was increased, for example, the processing was terminated due to the occurrence of rule duplication. Alternatively, it is possible to express a factor that terminated the processing, such as the termination of the processing due to the fact that there is no space in the rule list of the leaf node. By referring to such an end flag, when a new rule cannot be added as the final result of the INSERT processing, the factor can also be output as the final result.

1-3-3. DELETE Process Next, the DELETE process will be described. FIG. 22 is a flowchart showing DELETE processing in the present embodiment.

Step A1:
Input data 6 is input to the packet classifier 1. The input data 6 includes type data indicating DELETE processing and an existing rule to be deleted. The command input block 4 receives the input data 6. The command input block 4 generates an in-device command (in this case, a delete command) based on the input data 6 and outputs the in-device command to the decision tree processing blocks 2-1 to 2-N all at once.

Step A6:
As in the case of the INSERT process, each decision tree processing block 2 executes a process of tracing its own decision tree using the specified existing rule.

Step A3:
When step A6 ends, the decision tree node processing block 200-H outputs the output data 2003 including the calculated address value and command to the rule processing block 220-1 of the rule pipeline block 22.

Step A14:
The rule pipeline block 22 performs rule deletion processing. FIG. 23 is a flowchart showing the process of step A14.

Step C1:
Step A14 starts from the first rule in the rule list. Specifically, the processing is started from the first-stage rule processing block 220-1.

Step C13:
The comparative update processing block 2200 refers to the end flag in the command after confirming that the processing type is DELETE. When the end flag is “1” (step C13; Yes), the process proceeds to step C9. On the other hand, when the end flag is “0” (step C13; No), the process proceeds to step C2.

Steps C2, C3:
As in the case of the LOOKUP process, the comparison / update processing block 2200 reads entry information from the entry storage block 2201 using the input address value. Then, the comparative update processing block 2200 confirms the valid flag. If the rule is invalid (step C3: No), the entry is not a deletion target. In this case, the process proceeds to step C9. On the other hand, if the rule is valid (step C3; Yes), the process proceeds to step C17.

Step C17:
The comparison update processing block 2200 compares the read rule with the rule designated as the deletion target. That is, the comparison update processing block 2200 determines whether or not the rule designated as the deletion target matches the read rule. Here, it is determined whether or not both match completely. If they do not match (step C5; No), the process proceeds to step C9. On the other hand, if it is a complete match (step C5; Yes), the process proceeds to step C18.

Step C18:
The comparison update processing block 2200 sets the valid flag in the entry information to “0” and writes it in the entry storage block 2201. Thereby, the entry (rule) is invalidated. This process corresponds to deletion of an existing rule. Further, the comparison update processing block 2200 sets the end flag in the command to “1”, and sets the result flag to “1” (successful deletion). Thereafter, the processing proceeds to step C9.

Steps C9 and C15:
As in the case of the LOOKUP process, it is determined whether or not the current rule is the last rule in the rule list. When the current rule is not the last rule (step C9; No), the rule processing block 220-i outputs output data 2204 including an address value and a command to the next rule processing block 220- (i + 1). (Step C15). Then, the process returns to step C13, and the process for the next rule in the rule list is executed. On the other hand, when the current rule is the last rule in the rule list (step C9; Yes), step A14 ends.

Step A15:
When step A14 is completed, the rule processing block 220-B outputs the output data 2205 including the address value and the command to the entry count block 21.

Step A16:
The count processing block 210 of the entry count block 21 receives the input data 213 (= the output data 2005 described above) from the rule processing block 220-B. The count processing block 210 refers to the end flag and the result flag after confirming that the processing type is DELETE. When both the end flag and the result flag are “1”, the count processing block 210 uses the input address value to obtain entry number information (valid rule entry number) related to the deletion target leaf node from the entry number storage block 211. read out. Then, the count processing block 210 subtracts 1 from the number of valid rule entries and writes it in the entry number storage block 211. As a result, the entry number storage block 211 is updated to the latest state.

Step A17:
Finally, the count processing block 210 outputs output data 215 including a command to the result output block 5. The result output block 5 refers to the result flag in the command received from each of the decision tree processing blocks 2-1 to 2-N and confirms whether the rule is deleted or not deleted. Then, the result output block 5 outputs the output data 7 indicating the result as the final result of the DELETE process.

  Here, the final result of the DELETE process is to output an entry ID indicating the location where the deletion rule is added, as with the entry ID of the new rule addition location during the INSERT processing. At this time, if the deletion rule does not exist in the management rule for some reason, a signal indicating that the deletion rule does not exist, or a special value with all entry IDs set to '1', It can be shown that the delete rule did not exist.

1-3-4. Supplementary Note: In the operation in the present embodiment, at the time of INSERT and DELETE processing, when the decision tree pipeline block 20 traces the decision tree, or the rule pipeline block 22 performs rule addition / deletion processing, Even if processing is completed, each pipeline is processed in order. However, the processing block in each pipeline does not perform any processing when the processing is completed. For this reason, when the processing is completed, the processing block may directly output a signal and a command that have been processed to the entry count block 21 or the result output block 5. Then, waiting may be performed so that the processing timing of each decision tree processing block matches in each block.

  Further, it is assumed that a rule is always added to only one of a plurality of decision trees at the time of INSERT processing, and that only one deletion target rule is always deleted at the time of DELETE processing. In the operation according to the present embodiment, the processing for adding the same entry as that already added is not described in detail. However, at the time of INSERT processing, it is possible to prevent duplicate additions with already added entries by comparing valid entries, including decision trees other than the addition target tree, with newly added entries. . Such processing can be realized by combining with the above-mentioned LOOKUP processing. By checking the entry to be added at the time of INSERT and the entry that has already been added, the rule to be deleted at the time of DELETE will not be deleted from a plurality of locations.

  Further, the command input block 4 receives a processing type, a search key, and an entry to be added / deleted as input data 6 from the outside, and generates an in-device command. However, the in-device command may be generated by directly receiving the arrival packet or the header information data of the arrival packet as the input data 6 and performing header analysis and search key extraction.

1-4. Effect According to the present embodiment, it is possible to realize dynamic update of entries without performing preprocessing in packet classification using a decision tree.

  Further, according to the present embodiment, a new rule is added to the entry list having the minimum number of valid rule entries in the INSERT process. As a result, the deviation in the number of rules among a plurality of decision trees is suppressed, which is preferable.

  Furthermore, according to the present embodiment, the processing time required for dynamic update of entries such as INSERT processing and DELETE processing is constant.

  Specifically, the approximate number of cycles required for each process and the number of cycles until the next command input to the packet classifier 1 are estimated. The estimate here is for the command input block 4, the entry addition target determination block 3, the result output block 5, the decision tree node processing block 200, the entry count counting block 21, and the rule processing block 220. Or an approximate value when it is assumed that the writing process and the related process can be executed in one unit cycle. Here, one unit cycle is preferably one clock cycle. The number of cycles until the next command input changes depending on which processing command is input next to each of the LOOKUP processing, INSERT processing, and DELETE processing, but here the next processing command is input. This is an estimated value for the case where the number of cycles is the largest until.

  In the case of the LOOKUP process, only reading is executed for each memory area in the packet classifier 1. Therefore, the processing of the command input block 4, the processing of the decision tree processing block 2 in the H-stage decision tree pipeline block 20, the processing of the B-stage rule pipeline block 22, and the processing of the result output block 5 are total H + B + 2 unit cycles. It is possible to execute with. Further, since the information in the memory is not updated, the next command can be input in the next cycle after the LOOKUP command is input.

  In the case of the INSERT process, reading and writing are executed for each memory area in the packet classifier 1. For this reason, the process of the command input block 4, the process of the decision tree pipeline block 20 of the H stage of the decision tree process block 2, the read process of the entry count block 21, the process of the entry addition target determination block 3, the entry count block It is possible to execute 21 write processes, a read process in the B-stage rule pipeline block 22, a single write process, and a process in the result output block 5 in H + B + 6 unit cycles. Further, the next command, in particular, the INSERT processing cannot be correctly executed unless the writing processing of the entry number storage block 211 of the entry number counting block 21 is completed. For this reason, the next command can be input if three unit cycles elapse after the INSERT command is input.

  In the case of the DELETE process, as in the case of the INSERT process, reading and writing are performed on each memory area in the packet classifier. Therefore, processing of the command input block 4, processing of the decision tree pipeline block 20 of the H stage of the decision tree processing block 2, read processing and one-time writing processing in the rule pipeline block 22 of the B stage, entry count count block It is possible to execute one read and one write process in 21 and the process of the result output block 5 in H + B + 5 unit cycles. Further, the next command, in particular, the INSERT processing cannot be correctly executed unless the writing processing of the entry number storage block 211 of the entry number counting block 21 is completed. For this reason, if B + 3 unit cycles elapse after the INSERT command is input, the next command can be input.

  Thus, in this embodiment, for example, the LOOKUP process can be processed in a fixed time such as H + B + 2 unit cycles, the INSERT process is H + B + 6 unit cycles, and the DELETE process is H + B + 5 unit cycles. Unlike the conventional example, the processing time does not fluctuate due to duplication of rules. In the case of LOOKUP processing, the next command can be input after the next unit cycle, in the case of INSERT processing after 3 unit cycles have elapsed, and in the case of DELETE processing, the next command can be input after B + 3 unit cycles. Therefore, each process can be executed with a slight processing overhead.

2. Second Embodiment Next, a second embodiment of the present invention will be described. In addition, the description which overlaps with 1st Embodiment is abbreviate | omitted suitably.

2-1. Configuration and Outline FIG. 24 is a block diagram illustrating a configuration of the packet classifier 1 according to the second embodiment. Compared with the configuration of the first embodiment shown in FIG. 4, the decision tree processing blocks 2-1 to 2-N are replaced by decision tree processing blocks 9-1 to 9-N, respectively. .

  FIG. 25 is a block diagram illustrating a configuration of the decision tree processing block 9 according to the second embodiment. Compared with the configuration of the decision tree processing block 2 shown in FIG. 5, the entry count block 21 is omitted. Also, the rule processing block 220 -B of the rule pipeline block 22 outputs the output data 26 to the entry addition target determination block 3. The rule processing block 220-1 receives the input data 27 from the entry addition target determination block.

  According to this embodiment, at the time of INSERT processing, all of the entry addition target candidates temporarily add new rules to the decision tree. This process is hereinafter referred to as “temporary addition process”. More specifically, in the temporary addition process, each rule pipeline block 22 of the entry addition target candidate temporarily adds a new rule to the rule list managed by the addition target leaf node. During this temporary addition process, the rule pipeline block 22 counts the number of valid rule entries in the rule list. The rule pipeline block 22 notifies the entry addition target determination block 3 of the number of valid rule entries instead of the entry count block 21. Specifically, the rule processing block 220 -B at the final stage of the rule pipeline block 22 outputs output data 26 indicating the number of valid rule entries obtained through the temporary addition process to the entry addition target determination block 3.

  As in the first embodiment, the entry addition target determination block 3 selects one entry addition target from among the entry addition target candidates. Then, the entry addition target determination block 3 sends information (input data 27) indicating the selection result to all entry addition target candidates.

  Each of the entry addition target candidates other than the selected entry addition target performs “addition entry invalidation processing”. In this additional entry invalidation process, the entry addition target candidate invalidates the new rule temporarily added by the temporary addition process. The additional entry invalidation process can be realized in the same manner as the DELETE process.

  Thus, according to the present embodiment, the same processing result as that of the first embodiment can be obtained without using the entry count block 21. Since the entry count block 21 is omitted, the entire memory capacity can be reduced.

2-2. Operation Next, the operation of the packet classifier 1 according to the present embodiment will be described in detail.

2-2-1. LOOKUP process The LOOKUP process is the same as in the first embodiment.

2-2-2. INSERT Processing Next, INSERT processing will be described. FIG. 26 is a flowchart showing the INSERT processing in the present embodiment. Steps A1, A6, and A13 are the same as those in the INSERT processing of the first embodiment.

Step A3:
When step A6 ends, step A3 is executed instead of step A7 as in the case of the LOOKUP process. That is, the decision tree node processing block 200-H outputs the output data 2003 including the calculated address value and command to the rule processing block 220-1 of the rule pipeline block 22.

Step A18:
The rule pipeline block 22 executes the “temporary addition process” described above. FIG. 27 is a flowchart showing the processing of step A18.

Step C12:
Step A18 starts with the first rule in the rule list. Specifically, the processing is started from the first-stage rule processing block 220-1. Here, the number of valid rule entries is set to an initial value of zero.

Steps C2, C3, C19:
Similar to the first embodiment, the rule processing block 220 reads the entry information and checks the valid flag (step C2). If the rule is valid (step C3; Yes), the rule processing block 220 adds “1” to the number of valid rule entries (step C19). Thereafter, the processing proceeds to step C15.

Step C15:
The rule processing block 220-i outputs output data 2204 including the number of valid rule entries in addition to the address value and command to the next-stage rule processing block 220- (i + 1). Then, the process returns to step C2, and the process for the next rule in the rule list is executed.

Step C13:
On the other hand, when the rule is not valid (step C3; No), the rule processing block 220 refers to the end flag in the command. If the end flag is “1” (step C13; Yes), the process proceeds to step C15. On the other hand, when the end flag is “0” (step C13; No), the process proceeds to step C14.

Step C14:
Similar to the first embodiment, the rule processing block 220 writes a new rule to the entry (that is, an empty entry) and sets the valid flag to “1”. Further, the rule processing block 220 sets the end flag in the command to “1”, and sets the result flag to “1” (addition success). Thereafter, the processing proceeds to step C9.

Steps C9 and C20:
As in the first embodiment, it is determined whether or not the current rule is the last rule in the rule list. If the current rule is not the last rule (step C9; No), the process proceeds to step C15. On the other hand, in the case of the last rule (step C9; Yes), the rule processing block 220-B outputs the current command and the number of valid rule entries to the entry addition target determination block 3 (step C20). Then, step A18 ends.

Step A9:
Next, the entry addition target determination block 3 selects an entry addition target from among the entry addition target candidates, as in the first embodiment. Then, the entry addition target determination block 3 sends information indicating the selection result to all entry addition target candidates.

Step A14:
The rule pipeline block 22 executes the “addition entry invalidation process” described above. This additional entry invalidation process is performed in the same manner as the DELETE process. Here, the rule to be deleted is a new rule added by the temporary addition process. Note that “11” that is not used in the first embodiment may be used as the command processing type when the additional entry invalidation processing is performed. The end flag and result flag at this time are initialized.

2-2-3. DELETE Process FIG. 28 is a flowchart showing the DELETE process in the present embodiment. According to the present embodiment, the entry count block 21 is omitted. Therefore, as compared with the DELETE process in the first embodiment shown in FIG. 22, steps A15 and A16 related to the entry count block 21 can be omitted. Others are the same as those in the first embodiment.

2-3. Effect According to the present embodiment, the same effect as in the first embodiment can be obtained. Further, the memory area is reduced.

  As in the case of the first embodiment, the approximate number of cycles required for each process and the approximate number of cycles until the next command input to the packet classifier 1 are estimated.

  The LOOKUP process is the same as that in the first embodiment.

  The INSERT processing includes processing of the command input block 4, processing of the H-stage decision tree pipeline block 20 of the decision tree processing block 2, reading processing and one-time writing processing in the B-stage rule pipeline block 22, and entry addition targets The processing of the decision block 3, and further includes the reading processing in the B-stage rule pipeline block 22, one writing processing, and processing of the result output block 5. Therefore, it is possible to execute in H + 2B + 5 unit cycles as a whole. Further, if invalidation of the additional entry for the decision tree other than the addition target tree is not completed, the subsequent processing cannot be performed without waiting. For this reason, if B + 3 unit cycles elapse after the INSERT command is input, the next command can be input.

  The DELETE processing includes processing of the command input block 4, processing of the decision tree pipeline block 20 in the H stage of the decision tree processing block 2, reading processing and writing processing once in the rule pipeline block 22 of the B stage, and result output block 5 processes are included. Therefore, it is possible to execute in H + B + 3 unit cycles as a whole. On the other hand, since the entries to be deleted are sequentially deleted, the next command is input when one unit cycle elapses after the DELETE command is input in consideration of one writing process in the rule pipeline block 22 that deletes the entries. be able to.

  Thus, in this embodiment, for example, the LOOKUP process can be processed in a fixed time such as H + B + 2 unit cycles, the INSERT process is H + 2B + 5 unit cycles, and the DELETE process is H + B + 3 unit cycles. Unlike the conventional example, the processing time does not fluctuate due to duplication of rules. The next command can be input in the next unit cycle in the case of LOOKUP processing, the B + 3 unit cycle in the case of INSERT processing, and the one unit cycle in the case of DELETE processing. Therefore, although a slight processing overhead is required, each process can be executed sequentially.

3. Third Embodiment A third embodiment of the present invention differs from the second embodiment in the configuration of commands and the INSERT processing using the commands. The configuration, the LOOKUP process, and the DELETE process are the same as those in the second embodiment, and redundant descriptions are omitted as appropriate.

  FIG. 29 is a conceptual diagram illustrating a command configuration example according to the third embodiment. As shown in FIG. 29, according to the present embodiment, a field of “entry addition list ID” is further added to the command portion. This entry addition list ID is position information indicating the position (number of stages) where a new rule is added in the temporary addition process described above. That is, when a new rule is added in the rule processing block 220-i (i = 1, 2,..., B), “i” is set in the entry addition list ID.

  FIG. 30 is a flowchart showing INSERT processing in the present embodiment. In the present embodiment, step A19 is executed as a temporary addition process instead of step A18 in the second embodiment. As additional entry invalidation processing, step A20 is executed instead of step A14 in the second embodiment. Others are the same as in the second embodiment.

Step A19:
FIG. 31 is a flowchart showing the process of step A19. Compared with step A18 (refer FIG. 27) in 2nd Embodiment, step C21 is added between step C14 and step C9. In step C21, the rule processing block 220-i sets the entry addition list ID of the command to the ID (= i) of the rule processing block. Others are the same as step A18.

Step A20:
FIG. 32 is a flowchart showing the process of step A20.

Step C1:
Step A20 starts from the first rule in the rule list. Specifically, the processing is started from the first-stage rule processing block 220-1.

Step C22:
The rule processing block 220 determines whether its own ID matches the entry addition list ID of the input command. If they match (step C22; Yes), the process proceeds to step C2. On the other hand, if they do not match (step C22; No), the process proceeds to step C9.

Steps C2, C18:
The rule processing block 220 reads entry information from the entry storage block 2201 using the input address value (step C2). Further, the rule processing block 220 sets the valid flag in the entry information to “0” and writes it in the entry storage block 2201. Thereby, the entry (rule) is invalidated. Further, the rule processing block 220 sets the end flag in the command to “1”, and sets the result flag to “1” (deletion success). Thereafter, the processing proceeds to step C9.

Steps C9 and C15:
As in the case of the above-described embodiment, it is determined whether or not the current rule is the last rule in the rule list. When the current rule is not the last rule (step C9; No), the rule processing block 220-i outputs output data 2204 including an address value and a command to the next rule processing block 220- (i + 1). (Step C15). Then, the process returns to step C22, and the process for the next rule in the rule list is executed. On the other hand, when the current rule is the last rule in the rule list (step C9; Yes), step A20 ends.

  According to the present embodiment, the same effect as in the second embodiment can be obtained. Furthermore, in the additional entry invalidation process, it is possible to skip the rule matching process (reading / comparison process) related to a rule that is not invalidated. Therefore, processing time and power consumption are reduced.

4). Fourth Embodiment FIG. 33 is a block diagram showing a configuration of a packet classifier according to a fourth embodiment of the present invention. In the fourth embodiment, packet classification processing is realized by a computer executing a software program. Specifically, the packet classifier according to the present embodiment includes a program processing device 10 and a packet classification program 11. The program processing apparatus 10 is realized by a CPU of a host such as a server or a PC. The packet classification program 11 is a computer program executed by the program processing apparatus 10 and controls the operation of the program processing apparatus 10. The program processing apparatus 10 can have the function of the packet classifier 1 described in the foregoing embodiment by executing the packet classification program 11.

  The packet classification program 11 may be recorded on a computer-readable recording medium.

  As the program processing apparatus 10, a multi-core processor having a plurality of CPU cores (and a many-core processor having more CPU cores) may be used. In this case, each CPU core includes a command input block 4, decision tree processing blocks 2-1 to 2 -N, an entry addition target determination block 3, a result output block 5, and a decision tree processing block 2. By executing the processing of the decision tree node processing block 200, the entry number counting block 21, and the rule processing block 220, higher speed processing is possible.

  The embodiments of the present invention have been described above with reference to the accompanying drawings. However, the present invention is not limited to the above-described embodiments, and can be appropriately changed by those skilled in the art without departing from the scope of the invention.

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

(Appendix 1)
A plurality of decision tree processing blocks constituting each of a plurality of decision trees used for packet classification;
A command input block for simultaneously inputting commands to the plurality of decision tree processing blocks;
An entry addition target decision block connected to the plurality of decision tree processing blocks;
One rule is managed by a single leaf node in any one of the plurality of decision trees,
When the command is a search command, each of the plurality of decision tree processing blocks determines whether or not the search key matches any rule by using its own decision tree.
If the command is an insert command for adding a new rule to a decision tree, each of the plurality of decision tree processing blocks can be managed by a single leaf node in which the new rule is in its decision tree Whether or not
When the new rule can be managed by a single leaf node, the decision tree processing block is an entry addition target candidate, the single leaf node is an addition target leaf node,
The entry addition target determination block selects an entry addition target to which the new rule is added from the entry addition target candidates,
The selected entry addition target adds the new rule to a rule list managed by the addition target leaf node in its own decision tree.

(Appendix 2)
The packet classifier according to appendix 1,
The entry addition target candidate notifies the entry addition target determination block of the number of valid rule entries managed by the addition target leaf node,
The entry addition target determination block is a packet classifier that selects the entry addition target based on the number of entries.

(Appendix 3)
The packet classifier according to attachment 2, wherein
The entry addition target determination block selects the entry addition target candidate having the minimum number of entries as the entry addition target.

(Appendix 4)
The packet classifier according to appendix 2 or 3,
Each of the plurality of decision tree processing blocks includes an entry number storage block for storing the number of valid rule entries managed by each leaf node of its own decision tree;
The entry addition target candidate reads the number of entries related to the addition target leaf node from the entry number storage block, notifies the entry addition target determination block of the read number of entries,
The entry addition target is a packet classifier that updates the entry number storage block by adding 1 to the number of entries related to the addition target leaf node.

(Appendix 5)
The packet classifier according to appendix 4, wherein
If the command is a delete command for deleting an existing rule, each of the plurality of decision tree processing blocks determines whether the existing rule is managed by a single leaf node in its decision tree. And
When the existing rule is managed by a single leaf node, the decision tree processing block is an entry deletion target, the single leaf node is a deletion target leaf node,
The packet deletion classifier updates the entry number storage block by invalidating the existing rule and subtracting 1 from the number of entries related to the deletion target leaf node.

(Appendix 6)
The packet classifier according to appendix 2 or 3,
Each of the entry addition target candidates performs a temporary addition process for temporarily adding the new rule to the rule list managed by the addition target leaf node, and during the temporary addition process, the rule list Count the number of active rule entries in
Each of the entry addition target candidates notifies the entry addition target determination block of the number of entries obtained in the temporary addition process,
Each of the entry addition target candidates other than the selected entry addition target performs an additional entry invalidation process for invalidating the newly added rule.

(Appendix 7)
The packet classifier according to appendix 6, wherein
In the temporary addition process, each of the entry addition target candidates writes position information indicating a position where the new rule is added in the rule list to the insertion command,
Each of the entry addition target candidates other than the selected entry addition target performs the additional entry invalidation processing without performing rule matching by referring to the position information.

(Appendix 8)
The packet classifier according to any one of appendices 1 to 7,
Each of the plurality of decision tree processing blocks is
A decision tree pipeline block having a decision tree node processing block having the same number of stages as each decision tree, and performing a search of the decision tree by pipeline processing by using the decision tree node processing block;
A packet classifier comprising a rule processing block having the same number of stages as the number of rules that can be managed in each leaf node, and a rule pipeline block that searches, adds, and deletes rules by pipeline processing by using the rule processing block .

(Appendix 9)
A packet classification method using a plurality of decision trees,
One rule is managed by a single leaf node in any one of the plurality of decision trees,
The packet classification method includes:
Inputting commands simultaneously to the plurality of decision trees;
If the command is a search command, determining whether a search key matches any rule in each of the plurality of decision trees;
Determining whether in each of the plurality of decision trees, the new rule can be managed by a single leaf node if the command is an insert command for adding a new rule to the decision tree; Here, if the new rule can be managed by a single leaf node, the decision tree is an entry addition candidate, the single leaf node is an addition leaf node,
Selecting an entry addition target to which the new rule is to be added from the entry addition target candidates;
Adding the new rule to a rule list managed by the addition target leaf node of the entry addition target.

(Appendix 10)
A packet classification program for causing a computer to execute packet classification processing using a plurality of decision trees,
One rule is managed by a single leaf node in any one of the plurality of decision trees,
The packet classification process includes:
Inputting commands simultaneously to the plurality of decision trees;
If the command is a search command, determining whether a search key matches any rule in each of the plurality of decision trees;
Determining whether in each of the plurality of decision trees, the new rule can be managed by a single leaf node if the command is an insert command for adding a new rule to the decision tree; Here, if the new rule can be managed by a single leaf node, the decision tree is an entry addition candidate, the single leaf node is an addition leaf node,
Selecting an entry addition target to which the new rule is to be added from the entry addition target candidates;
Adding the new rule to a rule list managed by the addition target leaf node to which the entry is to be added.

  This application claims the priority on the basis of the Japan patent application 2010-279593 for which it applied on December 15, 2010, and takes in those the indications of all here.

DESCRIPTION OF SYMBOLS 1 Packet classifier 2 Decision tree processing block 3 Entry addition object decision block 4 Command input block 5 Result output block 9 Decision tree processing block 10 Program processing device 11 Packet classification program 20 Decision tree pipeline block 21 Entry count block 22 Rule pipe Line block 200 Decision tree node processing block 210 Count processing block 211 Entry number storage block 220 Rule processing block 2000 Child node determination block 2001 Node information storage block 2200 Comparison update processing block 2201 Entry storage block

Claims (10)

A plurality of decision tree processing blocks constituting each of a plurality of decision trees used for packet classification;
A command input block for simultaneously inputting commands to the plurality of decision tree processing blocks;
An entry addition target decision block connected to the plurality of decision tree processing blocks;
One rule is managed by a single leaf node in any one of the plurality of decision trees,
When the command is a search command, each of the plurality of decision tree processing blocks determines whether or not the search key matches any rule by using its own decision tree.
If the command is an insert command for adding a new rule to a decision tree, each of the plurality of decision tree processing blocks can be managed by a single leaf node in which the new rule is in its decision tree Whether or not
When the new rule can be managed by a single leaf node, the decision tree processing block is an entry addition target candidate, the single leaf node is an addition target leaf node,
The entry addition target determination block selects an entry addition target to which the new rule is added from the entry addition target candidates,
The selected entry addition target adds the new rule to a rule list managed by the addition target leaf node in its own decision tree. The packet classifier according to claim 1, wherein
The entry addition target candidate notifies the entry addition target determination block of the number of valid rule entries managed by the addition target leaf node,
The entry addition target determination block is a packet classifier that selects the entry addition target based on the number of entries. The packet classifier according to claim 2, wherein
The entry addition target determination block selects the entry addition target candidate having the minimum number of entries as the entry addition target. The packet classifier according to claim 2 or 3, wherein
Each of the plurality of decision tree processing blocks includes an entry number storage block for storing the number of valid rule entries managed by each leaf node of its own decision tree;
The entry addition target candidate reads the number of entries related to the addition target leaf node from the entry number storage block, notifies the entry addition target determination block of the read number of entries,
The entry addition target is a packet classifier that updates the entry number storage block by adding 1 to the number of entries related to the addition target leaf node. The packet classifier according to claim 4, wherein
If the command is a delete command for deleting an existing rule, each of the plurality of decision tree processing blocks determines whether the existing rule is managed by a single leaf node in its decision tree. And
When the existing rule is managed by a single leaf node, the decision tree processing block is an entry deletion target, the single leaf node is a deletion target leaf node,
The packet deletion classifier updates the entry number storage block by invalidating the existing rule and subtracting 1 from the number of entries related to the deletion target leaf node. The packet classifier according to claim 2 or 3, wherein
Each of the entry addition target candidates performs a temporary addition process for temporarily adding the new rule to the rule list managed by the addition target leaf node, and during the temporary addition process, the rule list Count the number of active rule entries in
Each of the entry addition target candidates notifies the entry addition target determination block of the number of entries obtained in the temporary addition process,
Each of the entry addition target candidates other than the selected entry addition target performs an additional entry invalidation process for invalidating the newly added rule. The packet classifier according to claim 6, comprising:
In the temporary addition process, each of the entry addition target candidates writes position information indicating a position where the new rule is added in the rule list to the insertion command,
Each of the entry addition target candidates other than the selected entry addition target performs the additional entry invalidation processing without performing rule matching by referring to the position information. The packet classifier according to any one of claims 1 to 7,
Each of the plurality of decision tree processing blocks is
A decision tree pipeline block having a decision tree node processing block having the same number of stages as each decision tree, and performing a search of the decision tree by pipeline processing by using the decision tree node processing block;
A packet classifier comprising a rule processing block having the same number of stages as the number of rules that can be managed in each leaf node, and a rule pipeline block that searches, adds, and deletes rules by pipeline processing by using the rule processing block . A packet classification method using a plurality of decision trees,
One rule is managed by a single leaf node in any one of the plurality of decision trees,
The packet classification method includes:
Inputting commands simultaneously to the plurality of decision trees;
If the command is a search command, determining whether a search key matches any rule in each of the plurality of decision trees;
Determining whether in each of the plurality of decision trees, the new rule can be managed by a single leaf node if the command is an insert command for adding a new rule to the decision tree; Here, if the new rule can be managed by a single leaf node, the decision tree is an entry addition candidate, the single leaf node is an addition leaf node,
Selecting an entry addition target to which the new rule is to be added from the entry addition target candidates;
Adding the new rule to a rule list managed by the addition target leaf node of the entry addition target. A packet classification program for causing a computer to execute packet classification processing using a plurality of decision trees,
One rule is managed by a single leaf node in any one of the plurality of decision trees,
The packet classification process includes:
Inputting commands simultaneously to the plurality of decision trees;
If the command is a search command, determining whether a search key matches any rule in each of the plurality of decision trees;
Determining whether in each of the plurality of decision trees, the new rule can be managed by a single leaf node if the command is an insert command for adding a new rule to the decision tree; Here, if the new rule can be managed by a single leaf node, the decision tree is an entry addition candidate, the single leaf node is an addition leaf node,
Selecting an entry addition target to which the new rule is to be added from the entry addition target candidates;
Adding the new rule to a rule list managed by the addition target leaf node to which the entry is to be added.

Images