KR101665583B1 - Apparatus and method for network traffic high-speed processing - Google Patents

Apparatus and method for network traffic high-speed processing Download PDF

Info

Publication number
KR101665583B1
Authority
KR
South Korea
Prior art keywords
rule
item
index
hash map
received packet
Application number
KR1020150056068A
Other languages
Korean (ko)
Inventor
이상만
최간호
한석재
김지윤
Original Assignee
(주) 시스메이트
Priority date: 2015-04-21 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2015-04-21
Publication date: 2016-10-24
Application filed by (주) 시스메이트
Priority to KR1020150056068A
Application granted
Publication of KR101665583B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

According to the present invention, an apparatus for high-speed processing of network traffic includes: a hash map configuration unit for classifying a rule of an access control list by a value over individual item and providing a rule index to configure a hash map; a rule search unit searching, for each item, the hash map of an access control rule for the rule index corresponding to at least one item included in a received packet; and a rule determination unit for performing logical product operation on the found rule index for each item, to determine the rule for processing the received packet. The apparatus for the high-speed processing of the network traffic further includes a packet processing unit for processing the received packet on the basis of the determined rule.

Description

APPARATUS AND METHOD FOR NETWORK TRAFFIC HIGH-SPEED PROCESSING

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to network traffic processing, and more particularly to a technique for processing network traffic at high speed in a firewall or filtering system.

Thanks to the rapid development of communication technology, many users exchange large amounts of information and data over networks. As a result, both the number of unit networks and the volume of network traffic are growing rapidly. Internal and external networks are interconnected, communication paths are established through a plurality of routers, and received traffic is forwarded toward its destination. An access control list (ACL) is used in routers as a method of processing network traffic at high speed: a router filters and controls the packets passing through it according to its ACL rules. In the conventional ACL processing technique, however, every item of a packet is matched against the rules starting from the first rule, so the number of comparisons grows with the number of rules multiplied by the number of items per rule, and this makes it difficult to handle high-speed network traffic. Korean Patent Laid-Open No. 10-2011-0035382 uses an ACL to filter network traffic, but it uses only a conventional ACL and does not solve the problem described above.

Korean Patent Publication No. 10-2011-0035382

An object of the present invention is to provide an apparatus and method for high-speed processing of network traffic capable of processing large-capacity network traffic at a high speed.

The network traffic high-speed processing apparatus according to the present invention includes: a hash map constructing unit that classifies each rule of an access control list into individual item values and assigns a rule index to each value to construct a hash map; a rule search unit that searches the hash map of each item for the rule indexes corresponding to the one or more items included in a received packet; and a rule determination unit that determines the rule for processing the received packet from the rule indexes found for each item. The apparatus may further include a packet processing unit that processes the received packet according to the determined rule. The rule determination unit computes the rule index common to all items by applying a logical product (AND) operation to the rule indexes found for each item.

The network traffic processing method according to the present invention comprises the steps of: classifying each rule of an access control list into individual item values and assigning a rule index to each value to construct a hash map; searching the hash map of each item for the rule indexes corresponding to the one or more items included in a received packet; performing a logical product operation on the rule indexes found for each item to determine the rule for processing the received packet; and processing the received packet according to the determined rule.

The apparatus and method for high-speed processing of network traffic according to the present invention differ from the conventional ACL rule processing method in that each item is compared only once, by a single hash lookup, and the common rule is derived by applying a logical product operation to the per-item results. This improves the processing speed of network traffic.

FIG. 1 is a configuration diagram of an embodiment of a network traffic high-speed processing apparatus according to the present invention.
FIG. 2 is a flowchart illustrating a network traffic processing method according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention are described in detail with reference to the accompanying drawings. The terms and words used in this specification were selected in consideration of their function in the embodiments, and their meaning may vary according to the intention of the inventor or customary usage. Terms used in the following embodiments are therefore to be construed according to their definitions where this specification specifically defines them, and otherwise in the sense generally understood by those skilled in the art.

FIG. 1 is a configuration diagram of an embodiment of a network traffic high-speed processing apparatus according to the present invention.

Referring to FIG. 1, an apparatus 100 for fast processing network traffic according to the present invention includes a hash map configuration unit 110, a rule search unit 120, a rule determination unit 130, and a packet processing unit 140.

The hash map constructing unit 110 classifies the rules included in the access control list (ACL) stored in the rule determination unit 130 into individual items and individual item values, and constructs a hash map by assigning to each value the rule index of every rule that matches it. A hash map is a data structure that implements an associative array, i.e. a structure that maps keys to values. An item may be a source address, a destination address, a protocol, a source port, a destination port, and so on. In general, each rule of an access control list specifies values for one or more items. For example, rule 1 may consist of destination address 192.168.1.1, protocol TCP and destination port 80. The hash map constructing unit 110 constructs one hash map per item and stores in each item's hash map the rule indexes to be matched. The items are not limited to the five listed above and may vary with the type of network; a Software Defined Network (SDN), for example, may use 13 items. The structure of the hash maps and rule indexes is described further with Tables 1 to 3 below.

In the present invention, rule indexes serving as keys are constructed for the individual items of the one or more rules that make up the access control list. A rule index is an index assigned to each of the rules in the access control list. In general the rule index is represented in bit form, so that a set of rule indexes is a bit vector with one bit per rule and the logical product of two such sets is a bitwise AND. Searching the rule indexes constructed in this way allows items and rules to be matched quickly.

The rule search unit 120 holds the access control list containing the one or more rules for processing received packets. For each rule of this access control list, the hash map constructing unit 110 creates a rule index for each item and forms the per-item hash maps.

When a new packet is received, the rule search unit 120 searches the access control rules for the rule indexes corresponding to each of the one or more items included in the received packet: it identifies the items carried in the header of the received packet and looks each item's value up in the corresponding hash map of the access control list. In this way the rule search unit 120 finds one or more rule indexes for each item.

The rule determination unit 130 determines the rule for processing the received packet by applying a logical product operation to the rule indexes that the rule search unit 120 found for each item of the packet. Each item of the received packet has one or more corresponding rule indexes; the rule determination unit 130 performs an AND operation across the per-item rule index sets to derive the rule index common to all items. In conventional ACL traffic processing, each item must be matched against all rules starting from the first, so the number of comparisons grows with the number of rules multiplied by the number of items per rule, and the processing cost increases in proportion to the number of rules. In the present invention, the amount of computation is reduced by deriving the common rule index through the logical product operation, so that network traffic can be processed at high speed.

The rule processing procedure of the access control list using the logical AND operation is described further with the following example. Table 1 shows five example ACL rules over 5 items (source address, destination address, protocol, source port, destination port); since each rule specifies a non-empty subset of these items, 31 (2^5 - 1) item combinations are possible.

Table 1. Example ACL rules with 5 items

Rule    Item values
Rule 1  Destination address: 192.168.1.1, Protocol: TCP, Destination port: 80
Rule 2  Source address: 192.168.10.1, Protocol: TCP, Source port: 22
Rule 3  Source address: 192.168.10.100, Protocol: UDP, Source port: 21
Rule 4  Source address: 192.168.10.100, Protocol: UDP, Source port: 25
Rule 5  Destination address: 192.168.1.1, Protocol: UDP, Source port: 21

Table 1 lists, for each rule, the items it specifies and their values. For ease of explanation, the packet processing action of each rule (the detailed rule for packet processing) is omitted. From the five rules, Rule 1 to Rule 5, the hash map constructing unit 110 constructs one hash map per item and assigns the item-specific rule indexes shown in Table 2.

Table 2. Rule index by item for the rules of Table 1

Item                 Value             Rule index
Source address       192.168.10.1      2
                     192.168.10.100    3, 4
                     Unmatched value   1, 5
Destination address  192.168.1.1       1, 5
                     Unmatched value   2, 3, 4
Protocol             TCP               1, 2
                     UDP               3, 4, 5
                     Unmatched value   (none)
Source port          21                3, 5
                     22                2
                     25                4
                     Unmatched value   1
Destination port     80                1
                     Unmatched value   2, 3, 4, 5

Each rule in Table 1 specifies values for two or more items. The hash map constructing unit 110 rearranges these rules into the per-item form of Table 2. Referring to Table 2, the source address 192.168.10.1 corresponds to rule 2 of Table 1, so that value is assigned rule index 2. In the same way, each item value is assigned the indexes of the rules that specify it. The unmatched value row of each item in Table 2 holds the indexes of the rules that do not specify that item at all; rule 5 specifies source port 21, for instance, so only rule 1 appears in the unmatched row for the source port. In other words, the hash map constructing unit 110 rearranges the rules by individual item and assigns the rule indexes accordingly.

For example, when the received packet has source address 192.168.10.1, destination address 192.168.1.20, protocol TCP, source port 22 and destination port 1024, the rule search unit 120 matches each item of the received packet against the per-item rule indexes of Table 2 and obtains the matches shown in Table 3.

Table 3. Rule indexes matched by the items of the received packet

Item                 Value                           Rule index
Source address       192.168.10.1                    2
Destination address  192.168.1.20 (unmatched value)  2, 3, 4
Protocol             TCP                             1, 2
Source port          22                              2
Destination port     1024 (unmatched value)          2, 3, 4, 5

Comparing the items of the received packet with the item-specific rule indexes of Table 2: the source address 192.168.10.1 matches rule index 2. The destination address 192.168.1.20 appears in no rule, so it matches rule indexes 2, 3 and 4 from the unmatched value row of the destination address. The protocol TCP matches rule indexes 1 and 2, the source port 22 matches rule index 2, and the destination port 1024, also an unmatched value, matches rule indexes 2, 3, 4 and 5.

Once the items of the received packet have been matched to rule indexes, the rule determination unit 130 performs a logical product operation on the matched rule indexes. In the example of Table 3, {2} AND {2, 3, 4} AND {1, 2} AND {2} AND {2, 3, 4, 5} leaves only rule index 2. The packet processing unit 140 then processes the received packet according to the packet processing action of rule 2, the rule corresponding to that index.

FIG. 2 is a flowchart illustrating a network traffic processing method according to an embodiment of the present invention.

Referring to FIG. 2, in the network traffic processing method according to an embodiment of the present invention, the rules of the access control list are first classified into individual item values and a rule index is assigned to each value to configure the hash map (S201). Each of the one or more rules of the access control list specifies a value for one or more items. To construct the hash map from the access control rules, the rules are classified into individual item values and a rule index is assigned to each classified value (see Table 2). Searching the rule indexes constructed in this way allows items and rules to be matched quickly.

When a new packet is received, the rule index corresponding to each item of the received packet is retrieved (S202). The packet header carries the item values of the packet, such as destination address, source address, protocol and ports. The packet is therefore parsed to obtain its value for each item, and each value is looked up in the hash map built from the access control list to find the corresponding (matched) rule indexes. Thus the rule indexes corresponding to each item value are identified for every item of the received packet.

When the rule indexes corresponding to the items of the received packet have been found, the rule for processing the received packet is determined by applying a logical product (AND) operation to the retrieved per-item rule indexes (S203). Step S202 yields one or more rule indexes for each item, and the logical product of these per-item sets is the set of rule indexes common to all items. In conventional ACL traffic processing, each item must be matched against all rules starting from the first, so the number of comparisons grows with the number of rules multiplied by the number of items, and the processing cost increases in proportion to the number of rules. In the present invention, deriving the common rule index through the logical product reduces the amount of computation.

Then the received packet is processed according to the determined rule (S204). When a rule index has been obtained through the logical product operation, the received packet is processed according to the rule corresponding to that index; for example, if the rule is a blocking rule, the received packet is dropped without being delivered to its destination. According to the present invention, the access control rule corresponding to a received packet can be retrieved quickly, which enables high-speed processing of network traffic.
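The construction of Tables 2 and 3 and the logical product of steps S201 to S204, as an added Python example; it is not code from the patent or from the applicant's products. It builds the per-item hash maps from the five rules of Table 1 (the "action" of each rule is assumed, since Table 1 omits it), performs one hash lookup per item of the received packet, ANDs the resulting rule bitmaps, and cross-checks the result against a conventional rule-by-rule scan. Rule indexes are held in bit form (claim 3), so the logical product is a bitwise AND. One point the page's tables leave implicit is handled explicitly: a rule that does not specify an item must match every value of that item, so the default lookup ORs the "unmatched value" bucket into a specific value's result; strict_table=True reproduces Tables 2 and 3 literally, and the test below shows the packet on which the two behaviours differ. The class and function names, the strict_table flag and the packets are this example's own.

```python
"""Per-item hash maps with rule indexes in bit form, ANDed per packet (added example)."""
from collections import defaultdict

ITEMS = ("src_addr", "dst_addr", "protocol", "src_port", "dst_port")

# The five rules of Table 1 (constructed from the page). The "action" values are
# assumed, since Table 1 omits the packet processing method of each rule.
RULES = [
    {"dst_addr": "192.168.1.1", "protocol": "TCP", "dst_port": 80, "action": "permit"},
    {"src_addr": "192.168.10.1", "protocol": "TCP", "src_port": 22, "action": "permit"},
    {"src_addr": "192.168.10.100", "protocol": "UDP", "src_port": 21, "action": "deny"},
    {"src_addr": "192.168.10.100", "protocol": "UDP", "src_port": 25, "action": "deny"},
    {"dst_addr": "192.168.1.1", "protocol": "UDP", "src_port": 21, "action": "deny"},
]


def bits_to_indices(bits):
    """Decode a rule bitmap (bit i-1 set <=> rule i) into 1-based rule indexes."""
    return [i + 1 for i in range(bits.bit_length()) if (bits >> i) & 1]


class HashMapAcl:
    """Hash map constructing unit (110), rule search unit (120) and
    rule determination unit (130) of the page, in one class."""

    def __init__(self, rules):
        self.rules = rules
        self.all_rules = (1 << len(rules)) - 1
        # One hash map per item: item value -> bitmap of the rules specifying it.
        self.maps = {item: defaultdict(int) for item in ITEMS}
        # Per item, the "unmatched value" bucket: rules that leave the item unspecified.
        self.unmatched = dict.fromkeys(ITEMS, 0)
        for idx, rule in enumerate(rules, start=1):
            bit = 1 << (idx - 1)          # rule index in bit form (claim 3)
            for item in ITEMS:
                if item in rule:
                    self.maps[item][rule[item]] |= bit
                else:
                    self.unmatched[item] |= bit

    def table(self):
        """Table 2: for each item, every value's rule indexes plus the unmatched bucket."""
        out = {}
        for item in ITEMS:
            out[item] = {v: bits_to_indices(b) for v, b in self.maps[item].items()}
            out[item]["unmatched"] = bits_to_indices(self.unmatched[item])
        return out

    def search(self, packet, strict_table=False):
        """Rule search unit: one hash lookup per item, returning per-item bitmaps (Table 3).

        strict_table=True follows Tables 2 and 3 literally: a value present in the map
        yields only that entry, and the unmatched bucket is used only for absent values.
        The default also ORs the unmatched bucket into a present value's result, because
        a rule that does not constrain an item must match every value of that item.
        """
        found = {}
        for item in ITEMS:
            bits = self.maps[item].get(packet[item], 0)
            if bits == 0 or not strict_table:
                bits |= self.unmatched[item]
            found[item] = bits
        return found

    def determine(self, packet, strict_table=False):
        """Rule determination unit: AND the per-item bitmaps (S203) and pick the
        lowest-numbered surviving rule; None means no rule applies (default policy)."""
        common = self.all_rules
        for bits in self.search(packet, strict_table).values():
            common &= bits
        matches = bits_to_indices(common)
        return matches[0] if matches else None


def linear_scan(rules, packet):
    """Conventional ACL processing for comparison: every rule against every item,
    first match wins."""
    for idx, rule in enumerate(rules, start=1):
        if all(packet[item] == rule[item] for item in ITEMS if item in rule):
            return idx
    return None


# The received packet of the page's worked example (constructed).
PACKET = {"src_addr": "192.168.10.1", "dst_addr": "192.168.1.20",
          "protocol": "TCP", "src_port": 22, "dst_port": 1024}

if __name__ == "__main__":
    acl = HashMapAcl(RULES)
    table3 = {k: bits_to_indices(v) for k, v in acl.search(PACKET, strict_table=True).items()}
    print(table3)                                            # per-item rule indexes of Table 3
    print(acl.determine(PACKET), linear_scan(RULES, PACKET))  # both give rule 2
```

Two practical points the page does not spell out. When more than one bit survives the AND, the classifier must resolve priority; this example takes the lowest index (first rule wins), which is the usual ACL convention and matches the linear scan. And the hash maps key on exact item values, so rules written as address prefixes or port ranges have to be expanded into their constituent values (or looked up through a prefix or range structure) before this scheme applies.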

The present invention, including the content described above, can be implemented as a computer program, and the code and code segments constituting the program can be readily derived by a programmer skilled in the field. The program can be stored on a computer-readable recording medium or information storage medium and read and executed by a computer to implement the method of the present invention; the recording medium includes all types of media readable by a computer.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, but, on the contrary, It is possible.

100: Network traffic high-speed processing apparatus
110: Hash map constructing unit
120: Rule search unit
130: Rule determination unit
140: Packet processing unit

Claims (6)

1. A network traffic high-speed processing apparatus comprising:
a hash map constructing unit that classifies each rule of an access control list into values of the individual items, assigns a rule index to each classified item value, and thereby constructs a hash map composed of rule indexes classified by item;
a rule search unit that searches, in the hash map of each item of the rules of the access control list, for the rule index corresponding to each value of the one or more items included in a received packet; and
a rule determination unit that determines a rule for processing the received packet by performing a logical product operation on the rule indexes found for each item to derive a common rule index.

2. The apparatus according to claim 1, further comprising:
a packet processing unit that delivers or blocks the received packet according to the determined rule; and
a network interface that receives the network traffic.

3. The apparatus according to claim 1, wherein the rule index is in the form of a bit.

4. The apparatus according to claim 1, wherein the rule determination unit calculates a rule index common to all items by performing the logical product operation on the rule indexes found for each item.

5. A network traffic high-speed processing method comprising the steps of:
classifying each rule of an access control list into values of the individual items, assigning a rule index to each classified item value, and thereby constructing a hash map composed of rule indexes classified by item;
retrieving, in the hash map of each item of the rules of the access control list, the rule index corresponding to each value of the one or more items included in a received packet; and
determining a rule for processing the received packet by performing a logical product operation on the rule indexes retrieved for each item to derive a common rule index.

6. The method according to claim 5, further comprising the step of transmitting or blocking the received packet according to the determined rule.
KR1020150056068A 2015-04-21 2015-04-21 Apparatus and method for network traffic high-speed processing KR101665583B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150056068A KR101665583B1 (en) 2015-04-21 2015-04-21 Apparatus and method for network traffic high-speed processing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150056068A KR101665583B1 (en) 2015-04-21 2015-04-21 Apparatus and method for network traffic high-speed processing

Publications (1)

Publication Number Publication Date
KR101665583B1 true KR101665583B1 (en) 2016-10-24

Family

ID=57256583

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150056068A KR101665583B1 (en) 2015-04-21 2015-04-21 Apparatus and method for network traffic high-speed processing

Country Status (1)

Country Link
KR (1) KR101665583B1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20210121253A (en) * 2019-04-12 2021-10-07 Huawei Technologies Co., Ltd. Traffic classification methods and devices
KR102601351B1 (en) * 2019-04-12 2023-11-10 Huawei Technologies Co., Ltd. Traffic classification methods and devices
KR102437825B1 (en) 2021-07-27 2022-08-30 Genians Inc. Virtual inline gateway apparatus, traffic control method and network system for providing dynamic network access control through it
KR20230072281A (en) * 2021-11-17 2023-05-24 WINS Co., Ltd. Method and Apparatus for Detecting DDoS Attacks
KR102594137B1 (en) * 2021-11-17 2023-10-26 WINS Co., Ltd. Method and Apparatus for Detecting DDoS Attacks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7324514B1 (en) * 2000-01-14 2008-01-29 Cisco Technology, Inc. Implementing access control lists using a balanced hash table of access control list binary comparison trees
JP2010057034A (en) * 2008-08-29 2010-03-11 Nec Infrontia Corp Access control method in router, router, and access control program
KR20110035382A (en) 2009-09-30 2011-04-06 KT Corporation Apparatus and method for filtering anomaly traffic at access network




Legal Events

Date Code Title Description
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20191209

Year of fee payment: 4