KR101665583B1 - Apparatus and method for network traffic high-speed processing - Google Patents
- Publication number: KR101665583B1 (application KR1020150056068A)
- Authority: KR (South Korea)
- Prior art keywords
- rule
- item
- index
- hash map
- received packet
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    - H04L63/0227—Filtering policies
      - H04L63/0263—Rule management
  - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
    - H04L63/101—Access control lists [ACL]
  - H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Technology Law (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to network traffic processing, and more particularly, to a technique for high-speed processing of network traffic in a firewall or a filtering system.
Thanks to the rapid development of communication technologies, many users transmit large amounts of information and data through the network. As a result, the number of unit networks and the volume of network traffic are both increasing rapidly. Internal and external networks are connected, a communication path is established through a plurality of routers, and received traffic is forwarded to its destination. An access control list (ACL) is used to process high-speed network traffic in a router: routers filter and control the packets passing through them according to ACL rules. However, in the conventional ACL rule processing technique, each item of a packet is matched against the rules one by one, so the number of comparisons grows with both the number of rules and the number of items in each rule. Because of this rule-by-rule, item-by-item comparison, it is difficult to handle high-speed network traffic. Korean Patent Laid-Open No. 10-2011-0035382 uses an ACL for traffic filtering of a network, but only a general ACL, and does not solve the above-described problem.
An object of the present invention is to provide an apparatus and method for high-speed processing of network traffic capable of processing large-capacity network traffic at a high speed.
The high-speed network traffic processing apparatus according to the present invention includes a hash map constructing unit that classifies the rules of an access control list into individual item values and assigns a rule index to build a hash map; a rule retrieving unit that retrieves, from the per-item hash map of the access control rules, the rule index corresponding to each of one or more items included in a received packet; a rule determination unit that determines the rule for processing the received packet from the rule indexes retrieved for each item; and a packet processing unit that processes the received packet according to the determined rule. The rule determination unit calculates the rule index common to all items by a logical operation on the rule indexes retrieved for each item.
The network traffic processing method according to the present invention comprises the steps of classifying the rules of an access control list into values according to individual items and constructing a hash map by assigning a rule index; searching the per-item hash map of the access control rules for the rule index corresponding to each of one or more items included in the received packet; determining a rule for processing the received packet by performing a logical product operation on the rule indexes retrieved for each item; and processing the received packet according to the determined rule.
The apparatus and method for high-speed processing of network traffic according to the present invention differ from the conventional ACL rule processing method in that the hash values are compared only once for each item and the common rule is calculated by applying a logical product operation to the comparison results, thereby improving the processing speed of the network traffic.
FIG. 1 is a configuration diagram of an embodiment of a network traffic high-speed processing apparatus according to the present invention.
FIG. 2 is a flowchart illustrating a network traffic processing method according to an embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. The terms and words used in the present specification are selected in consideration of the functions in the embodiments, and the meaning of a term may vary depending on the intention of the inventor or on customary usage. Therefore, the terms used in the following embodiments follow their definitions where they are specifically defined in this specification and, unless otherwise specified, should be construed in the sense generally recognized by those skilled in the art.
FIG. 1 is a configuration diagram of an embodiment of a network traffic high-speed processing apparatus according to the present invention.
Referring to FIG. 1, an
The hash
In the present invention, a rule index serving as a key is constructed for the individual items of the one or more rules constituting an access control list. A rule index is an index assigned to each of the plurality of rules included in the access control list. In general, a rule index is represented as a bit. By searching the rule index constructed in this manner, matching of items to rules can be performed quickly.
The rule search unit 120 stores an access control list including one or more rules for processing received packets. Each rule configuring the access control list of the rule search unit 120 is constructed by hash
When a new packet is received, the rule search unit 120 searches the access control rules for the rule index corresponding to each of the one or more items included in the received packet. The rule search unit 120 identifies the items included in the header of the received packet and searches the access control list for the rule index corresponding to each item. Accordingly, the rule search unit 120 can find one or more rule indexes for each item.
The
The rule processing procedure of the access control list using the logical AND operation is further described with the following example. Table 1 shows an example of access control list (ACL) rules chosen from the 31 (2^5 - 1) rule forms that can be represented with 5 items (source address, destination address, protocol, source port, destination port).
Table 1 contains the items corresponding to each rule and the values of the corresponding items. In Table 1, for convenience of explanation, the packet processing method corresponding to each rule (detailed rule for packet processing) is omitted. As shown in Table 1, the hash
The rules in Table 1 have a form in which one rule contains values for two or more items. The rules in Table 1 have the form of item-by-item index rules as shown in Table 2 by the hash
For example, when the items included in the received packet are source address 192.168.10.1, destination address 192.168.1.20, protocol TCP, source port 22, and destination port 1024, the rule search unit 120 obtains the matches shown in Table 3 by looking up each item of the received packet in the per-item rule index of Table 2.
When the items included in the received packet are compared with the per-item rule index in Table 2, the source address 192.168.10.1 matches rule index 2. The destination address 192.168.1.20 is a value not included in any rule, so it matches rule indexes 2, 3, and 4, which correspond to the unmatched (wildcard) value for the destination address. The protocol TCP matches rule indexes 1 and 2, the source port 22 matches rule index 2, and the destination port 1024 matches rule indexes 2, 3, 4, and 5, which carry the unmatched value for the destination port.
If the item of the received packet matches the rule index, the
FIG. 2 is a flowchart illustrating a network traffic processing method according to an embodiment of the present invention.
Referring to FIG. 2, in the network traffic processing method according to an embodiment of the present invention, a rule of an access control list is classified into individual item values and a rule index is assigned to configure a hash map (S 201). Each of the one or more rules included in the access control list includes a value for one or more items. In order to construct a hash map from access control rules, the rules of the access control list are classified into individual item values, and a rule index is assigned to the classified individual item values (see Table 2). By searching the rule index constructed in this manner, matching of items and rules can be performed quickly.
When a new packet is received, a rule index corresponding to the item included in the received packet is retrieved (S202). The header of the packet includes information on items such as a destination address, a source address, a protocol, and a port for the packet. Therefore, the packet is analyzed to check the item-specific value of the packet, and the packet is compared with the access control list configured with the hash map to search for the corresponding (matched) rule index. Thus, the rule index corresponding to each item value can be identified for each item of the received packet.
When a rule index corresponding to each item of the received packet has been found, a rule for processing the received packet is determined by applying an AND operation to the retrieved per-item rule indexes (S203). In step S202, one or more rule indexes are found for each item. By applying a logical multiplication (AND) operation between the retrieved rule indexes, the rule index common to all items can be calculated. In the conventional traffic processing using an ACL, each item must be matched against all the rules from the beginning, so comparisons proportional to the number of rules times the number of items are needed, and the processing cost of the conventional ACL grows in proportion to the number of rules. In the present invention, however, the amount of computation is reduced by deriving the common rule index through the logical multiplication.
Then, the received packet is processed according to the determined rule (S204). When a rule index is calculated through a logical product operation, the received packet is processed according to a rule corresponding to the calculated rule index. For example, if the rule blocks a packet, it can block the received packet without delivering it to its destination. According to the present invention, the rules of the access control list corresponding to the received packet can be quickly retrieved to process the received packet, thereby enabling high-speed processing of network traffic.
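The Table 1 to Table 3 walk-through above and steps S201 to S204 implemented together, as an added example that is not code from the patent: rule indexes are bits, each item has its own hash map, wildcard ("unmatched value") rules are kept as a per-item mask, and the per-item masks are AND-ed. The rule values, actions, wildcard encoding and first-match priority are constructed assumptions; only the packet and the narrated per-item matches come from the page.

```python
# Added example, not code from the patent. The rules (a constructed Table 1)
# are chosen so the per-item matches reproduce those narrated for Tables 2 and 3.
ANY = "*"  # assumed wildcard encoding: the rule does not constrain this item
ITEMS = ("src_addr", "dst_addr", "protocol", "src_port", "dst_port")
# Constructed rules: (rule index, per-item values, action). Actions are assumed;
# the page omits the packet processing method of each rule.
RULES = [
    (1, {"src_addr": "10.0.0.5", "dst_addr": "192.168.1.10", "protocol": "TCP", "src_port": 443, "dst_port": 80}, "allow"),
    (2, {"src_addr": "192.168.10.1", "dst_addr": ANY, "protocol": "TCP", "src_port": 22, "dst_port": ANY}, "block"),
    (3, {"src_addr": "10.0.0.7", "dst_addr": ANY, "protocol": "UDP", "src_port": 53, "dst_port": ANY}, "allow"),
    (4, {"src_addr": "10.0.0.8", "dst_addr": ANY, "protocol": "UDP", "src_port": 123, "dst_port": ANY}, "allow"),
    (5, {"src_addr": "10.0.0.9", "dst_addr": "192.168.1.30", "protocol": "ICMP", "src_port": 0, "dst_port": ANY}, "block"),
]
# Constructed packet, taken from the page's worked example.
PACKET = {"src_addr": "192.168.10.1", "dst_addr": "192.168.1.20",
          "protocol": "TCP", "src_port": 22, "dst_port": 1024}

def build_hash_map(rules):
    """S201: split every rule into per-item values and record the rule's index
    as one bit under that value; wildcard rules go into a per-item mask."""
    maps = {item: {} for item in ITEMS}
    wild = {item: 0 for item in ITEMS}
    actions = {}
    for idx, fields, action in rules:
        bit = 1 << idx
        actions[idx] = action
        for item in ITEMS:
            value = fields[item]
            if value == ANY:
                wild[item] |= bit
            else:
                maps[item][value] = maps[item].get(value, 0) | bit
    return maps, wild, actions

def lookup_item(hmap, item, value):
    """S202: one hash lookup per item gives the bitmask of rule indexes whose
    value for this item equals the packet's, OR-ed with the wildcard rules."""
    maps, wild, _ = hmap
    return maps[item].get(value, 0) | wild[item]

def bits_to_indexes(mask):
    return [i for i in range(mask.bit_length()) if mask >> i & 1]

def determine_rule(hmap, packet):
    """S203: AND the per-item masks; the surviving bits are the rules all of
    whose items match the packet. Returns the common rule indexes."""
    common = None
    for item in ITEMS:
        mask = lookup_item(hmap, item, packet[item])
        common = mask if common is None else common & mask
        if common == 0:
            break  # no rule can match once any item yields nothing
    return bits_to_indexes(common or 0)

def process_packet(hmap, packet):
    """S204: apply the action of the lowest-numbered common rule. First-match
    priority is an assumption; the page does not say how ties are resolved."""
    matched = determine_rule(hmap, packet)
    return hmap[2][matched[0]] if matched else "no-rule"
```

Each item costs one hash lookup regardless of the number of rules; a packet that fails on an early item is rejected without touching the remaining maps.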
The present invention including the above-described contents can be written in a computer program. And the code and code segment constituting the program can be easily deduced by a computer programmer of the field. In addition, the created program can be stored in a computer-readable recording medium or an information storage medium, and can be read and executed by a computer to implement the method of the present invention. And the recording medium includes all types of recording media readable by a computer.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, It is possible.
100: Network traffic high-speed processing device
110: Hash map component
120:
130:
140: Packet processing section
Claims (6)
A rule search unit for searching, in a hash map of rules of the access control list, a rule index corresponding to each value of one or more items included in the received packet by item; And
A rule determination unit for determining a rule for processing the received packet by performing a logical product operation of a rule index searched for by the item to derive a common rule index;
Wherein the network traffic processing unit includes:
A packet processor for delivering or blocking the received packet according to the determined rule;
Further comprising: a network interface for receiving the network traffic;
Wherein the rule index is in the form of a bit.
Wherein the rule determination unit calculates a rule index common to all items by logically calculating a rule index searched for each item.
Retrieving a rule index corresponding to each value of one or more items included in the received packet in a hash map of rules of the access control list for each item; And
Determining a rule for processing the received packet by deriving a common rule index by performing a logical product operation on a rule index retrieved for each item;
The network traffic processing method comprising the steps of:
Transmitting or blocking the received packet according to the determined rule;
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150056068A KR101665583B1 (en) | 2015-04-21 | 2015-04-21 | Apparatus and method for network traffic high-speed processing |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101665583B1 true KR101665583B1 (en) | 2016-10-24 |
Family
ID=57256583
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101665583B1 (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7324514B1 (en) * | 2000-01-14 | 2008-01-29 | Cisco Technology, Inc. | Implementing access control lists using a balanced hash table of access control list binary comparison trees |
JP2010057034A (en) * | 2008-08-29 | 2010-03-11 | Nec Infrontia Corp | Access control method in router, router, and access control program |
KR20110035382A (en) | 2009-09-30 | 2011-04-06 | 주식회사 케이티 | Apparatus and method for filtering anomaly traffic at access network |
2015
- 2015-04-21 KR KR1020150056068A patent/KR101665583B1/en active IP Right Grant
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20210121253A (en) * | 2019-04-12 | 2021-10-07 | 후아웨이 테크놀러지 컴퍼니 리미티드 | Traffic classification methods and devices |
KR102601351B1 (en) * | 2019-04-12 | 2023-11-10 | 후아웨이 테크놀러지 컴퍼니 리미티드 | Traffic classification methods and devices |
KR102437825B1 (en) | 2021-07-27 | 2022-08-30 | 지니언스(주) | Virtual inliine gateway apparatus, traffic control method and network system for providing dynamic network access control through it |
KR20230072281A (en) * | 2021-11-17 | 2023-05-24 | 주식회사 윈스 | Method and Apparatus for Detecting DDoS Attacks |
KR102594137B1 (en) * | 2021-11-17 | 2023-10-26 | 주식회사 윈스 | Method and Apparatus for Detecting DDoS Attacks |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9813420B2 (en) | Priority resolution for access control list policies in a networking device | |
US10496680B2 (en) | High-performance bloom filter array | |
US20230127391A1 (en) | Algorithmic tcam based ternary lookup | |
US9098601B2 (en) | Ternary content-addressable memory assisted packet classification | |
US9390134B2 (en) | Regular expression matching method and system, and searching device | |
US10671667B2 (en) | Data matching method and apparatus and computer storage medium | |
US8478707B1 (en) | System and method for reducing flow rules in forwarding tables | |
US20130246698A1 (en) | Hybrid Memory for Search Operations | |
KR101331018B1 (en) | Method for classifying packet and apparatus thereof | |
US9294390B2 (en) | Hash table storage and search methods and devices | |
CN105122745A (en) | Efficient longest prefix matching techniques for network devices | |
WO2015051741A1 (en) | Packet processing | |
US11463360B2 (en) | System and method for range matching | |
US20170366459A1 (en) | Jump on a Match Optimization for Longest Prefix Match using a Binary Search Tree | |
JP7170905B2 (en) | Traffic classification method and apparatus | |
KR101665583B1 (en) | Apparatus and method for network traffic high-speed processing | |
CN109905413B (en) | IP address matching method and device | |
US10587516B1 (en) | Hash lookup table entry management in a network device | |
US20180270152A1 (en) | Packet processing | |
CN106487769B (en) | Method and device for realizing Access Control List (ACL) | |
EP3269099B1 (en) | Packet classification | |
CN104205745B (en) | Method and device for processing message | |
US20170012874A1 (en) | Software router and methods for looking up routing table and for updating routing entry of the software router | |
CN105357118A (en) | Rule based flow classifying method and system | |
WO2021151301A1 (en) | Ovs-based data packet processing method and apparatus, computer device, and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | GRNT | Written decision to grant | |
 | FPAY | Annual fee payment | Payment date: 20191209; Year of fee payment: 4 |