RU2538323C1 - Method of organising filter table of internetwork switch and apparatus therefor - Google Patents

Abstract

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to computer engineering. A method of organising an filter table of an internetwork switch without storing a search key, wherein for source node addresses and frame destination nodes, a hash function value is calculated; the obtained value is an address in a record storage table; if a collision is detected, the law of calculating the hash function is changed and the record storage table is cleared, wherein N-1 values of the hash function are further calculated using non-recurrent laws which are cell addresses in additional N-1 parallel record storage tables in which bits identifying the source node with switch ports are stored; the values of bits identifying the destination node with switch ports read from N parallel tables are combined by a logic AND operation; the resultant identity bits enable to detect collision and change the law of calculating the hash function for one of the N parallel tables are simultaneously the search result of associated information in the filter table.

EFFECT: searching and storing information with single access to a filter table.

2 cl, 1 dwg

Description

The invention relates to the field of computer technology and can be used in computer networks with frame (packet) data switching.

One of the main functions of gateways and bridges is frame filtering. Frames that are not intended for network nodes connected to ports on a gateway or switch should not be transmitted to these ports. Filtering, or making a decision about the need to transfer a frame to a specific port on a gateway bridge or switch, is carried out on the basis of previously known or accumulated information about the addresses of network nodes connected to the corresponding switch ports, which is stored in the filter table. Based on the logic of the work of gateway bridges and switches described in the standard [IEEE Std 802.1D, 1998 Edition, Part 3: Media Access Control (MAC) Bridges], the filtering table is filled with the addresses of the senders of data frames and the port numbers through which these frames were sent to switch. To make a decision on the need to transfer a frame to another switch port in the table, a search is made for the address that matches the destination address of the frame and the port number to which the frame should be transmitted associated with this address.

To organize filter tables, hashed tables are currently used in which the record address in the table is a hash function of the search key. This allows you to search and save records in the table for one (in some cases several) access to it.

Since for one value of a hash function several search keys may exist, there is a chance of getting an incorrect search result in a hashed table - a collision. There are various ways to resolve collisions. All of them are based on the need to store the search key in the table. In the event of a collision or the desired destination address is not found in the filter table, the frame is transmitted to all ports of the switch, which leads to an increase in network load and lower performance of the switch.

The purpose of this invention is to reduce the required amount of memory for storing the filter table, search and save records for one call to the filter table, and reduce the likelihood of receiving an incorrect search result in the filter table.

The effectiveness of organizing filter tables is determined by the following criteria:

- the amount of memory required to store one record in the filter table;

- the number of calls to the table when searching for records;

- probability of collision.

The probability of collision can be determined by the expression:

$$P=\frac{Q}{W},(\mathrm{one})$$

where Q is the number of combinations of nodes in the networks joined by the gateway switch at which the collision occurs, ω is the total number of combinations of nodes in the networks being joined.

A known method of organizing filter tables using hashed tables, and a method of "blocks" for resolving collisions [US Patent No. 6266705B1, G06F 15/173]. In this method, a combination of a MAC address and a VLAN identifier of a frame is used as a search key. Using the search key, the value of the hash function is calculated, which is the address for finding the record in the filter table. Search is carried out simultaneously in 8 block tables. The obtained 8 values from the tables are compared with the search key and in case of a match, the record is considered found - the frame is transmitted to the port with the number found in the table.

To save the record in the table, an additional check is made of the cell occupancy with the address calculated for the block table using the hash function. If the cell is busy, the cell is checked in the next table block, etc.

For the described method, 512 bits are required to store one record (8 block tables of 64 bits for each record). In total, the described filtering table requires 16777216 bits (2 MB) of memory. Moreover, as shown in [Makov S.V., Shraifel I.S. Evaluation of the effectiveness of traffic filtering in gateways and switches [Electronic resource] // Service in Russia and abroad. - Issue 5 (24). - 2011 URL: http: // http: //www.mgus.ru/ files / electronic_journal / number24 / 5.doc] the probability of collision for such a table is non-zero and can be determined by the expression:

$$P_B=\mathrm{one}-\frac{{\lambda }_{rl}^{mk}(rl)!(m-rl)!}{m!},(2)$$

определяется рекуррентным выражением:where r is the number of possible values of the hash function, rl is the total number of possible network addresses, m is the total number of nodes in the networks joined by the switch, k is the number of block tables, $${\lambda }_{rl}^{mk}$$

defined by the recurrence expression:

$${\lambda }_{rl}^{mk}={\displaystyle \sum _{s=max\left(0;m-r\left(k-\mathrm{one}\right)\right)}^{\left[\frac{m}{k}\right]}{C}_r^s{\left(C_l^k\right)}^s{\lambda }_{r-s,l}^{m-ks,k-\mathrm{one}}}.(3)$$

The features of the analogue method, which coincide with the features of the proposed technical solution, are as follows: using the value of the hash function from the search key as the address of the entry in the table; Search in the filtering table for information that allows you to decide on the need to transfer the frame to the appropriate port on the gateway.

The disadvantages of the known method and device that implements it are:

- saving records may require up to 8 accesses to the table;

- excess memory required to store the filter table.

The reasons that impede the achievement of the required technical result are as follows:

- in the case of a decrease in the number of table blocks, the probability of collision increases sharply, which leads to a decrease in the performance of the switch.

The structural diagram of a device that solves the considered analogue method contains a hash function calculator, a table for storing search keys and associated information, consisting of 8 identical blocks, a node for comparing the search key, and a decision block on whether to save the record in the next block.

A known method of using CRC to calculate a hash function and a device that implements it [US Patent No. 20070071015, H04L 12/28].

In the considered method for organizing a filtering table, records containing 72 bits - 45 bits of the search key and 27 bits of associated information are located in blocks of 4 in the table. A total of 32768 blocks are allocated based on the number of possible values of the 15-bit hash function. Thus, 72 bits are used to store one record, and in total 9437184 bits (1.125 MB) are needed to store the filter table.

Using the search key, the value of the hash function is calculated, which is the address of the block of 4 entries. The search is carried out by sequentially reading records from the block and comparing with the search key. Saving a record is carried out in an unoccupied cell block. Thus, up to 4 accesses to the table may be required to save or search for records in the filtering table.

The collision probability for such a table can also be calculated from expression (2). For 1024 nodes in networks connected by the switch with a 15-bit hash function and 4 entries in the block, the probability of collision is about 10 ^-6 .

The features of the analogue method, which coincide with the features of the proposed technical solution, are as follows: using the value of the hash function from the search key as the address of the entry in the table; Search in the filtering table for information that allows you to decide on the need to transfer the frame to the appropriate port on the gateway.

The disadvantages of the known method and device that implements it are:

- saving records and their search may require up to 4 accesses to the table;

- excess memory required to store the filter table.

The reasons that impede the achievement of the required technical result are as follows:

- in the case of a decrease in the number of records in the blocks, the probability of collision increases sharply, which leads to a decrease in the performance of the switch.

The structural diagram of a device that solves the considered analogue method contains a hash function calculator, a table for storing search keys and associated information, consisting of blocks of 4 records for each value of the hash function, a node for comparing the search key, and a decision block about the need to save the record in next cell block.

Closest to the invention is a prototype method of organizing filter tables using hashed tables with adaptive calculation of the hash function [US Patent No. 6279097, G06F 12/00], where the 48-bit MAC address of the source or destination of the frame is used as the search key. Using the search key, the value of the 13-bit hash function is calculated according to a changing law, which is used as the record address in the filter table. The filter table contains a 48-bit MAC address and 16 bits of associated information to determine the port to which the frame should be transmitted. A change in the law of calculation of the hash function occurs in case of collision detection, i.e. when the same hash value was obtained for two different search keys.

The use of such a method of organizing a filter table makes it possible to select a law for computing a hash function in which no collisions will be observed for a given set of network addresses. The probability that a hash function calculation law will not be found for which there are no collisions can be found from the expression:

$$P_A^t={\left(P_B\right)}^t,(\mathrm{four})$$

where P _B is the probability of the occurrence of a collision for resolving collisions by the block method, which can be found from expression (2), t is the number of options for enumerating the laws of computing a hash function.

Thus, for the method under consideration, there is also a nonzero probability of a collision, which rapidly decreases with an increase in the number of laws for calculating it.

In accordance with this method, 64 bits are required to store one record. The full size of the table with a 13-bit hash function is 524288 bits (64 kBytes).

The structural diagram of a device that solves the prototype method described above contains a hash function calculator, a table for storing search keys and associated information, a comparison node for the search key and the read record, and a collision detection unit.

The disadvantages of the known method and device that implements it are:

- the need to select the law of calculation of the hash function;

- during the selection of the law for calculating the hash function, the switch works with collisions of the filter table;

- the need to store a search key in the filter table for accurate comparison and collision detection.

The reasons that impede the achievement of the required technical result are as follows:

- in the case of a decrease in the number of table blocks, the probability of collision increases sharply, which leads to a decrease in switch performance;

- refusal to store the search key will not allow collision detection for this method.

The aim of the invention is the organization of the filter table of the gateway bridge or switch, allowing you to search for records or save them for one call to the filter table; requiring less memory to place the table compared to known methods; allowing to provide a lower probability of collision compared with known methods.

The proposed method of organizing a filter table without storing a search key involves:

1) the presence of N parallel tables of the same size;

2) selection from the frame of the address of the source node and destination node, which is the search key;

3) calculation of N values of the hash function from the search key for each of the parallel tables according to its own law;

4) saving in each table only the information associated with the search key in the form of a bit belonging to the node to the switch port to which it is connected;

5) definition of collision;

6) a change in the law of computing a hash function for one of the parallel tables.

For the proposed method of organizing the frame filtering table in the gateway or switch without storing the search key, the records are saved to the filtering table as follows. The device node receives the address of the source node. For the received address of the source node, N values of hash functions are calculated according to different laws. In all parallel tables, the address corresponding to its hash function value stores the value of the bit belonging to the source node to the port through which the frame arrived, and additional information, for example, the value of the “lifetime” field of the record. Membership bits are a binary number in which the number of bits corresponds to the number of switch ports. 1 sets the bit whose sequence number is equal to the port number through which the frame arrived. Thus, the record is saved in one call to the table. To store one record, N · (m + a ) bits are required, where N is the number of parallel tables, m is the number of ports, a is the number of bits for additional information. So, for example, for an 8-port switch using 8 parallel tables and 8 bits of additional information, 128 bits per entry are needed. With a 10-bit hash function, 128 kB of memory (16 kB) is required to store all parallel tables.

Search in the table organized by the proposed method is as follows. The address of the destination node is received at the input of the device. For the received destination node address, N values of hash functions are calculated according to the same laws as for the record saving procedure. From all parallel tables at addresses corresponding to their hash function values, the bit value of the destination node belongs to the ports. The resulting port ownership bits are calculated as follows:

$$B_i=\underset{k=\mathrm{one}}{\overset{N}{\cap }}{A}_i^k,(5)$$

- i-й бит принадлежности портам, полученный из k-й параллельной таблицы; N - количество параллельных таблиц. Т.е. результирующие биты принадлежности - это результат побитной операции «логическое И» для всех параллельных таблиц.where B _i is the i-th resulting bit of belonging to the ports; i = 1, 2, ..., m; m is the number of switch ports; $$A_i^k$$

- the i-th port ownership bit obtained from the k-th parallel table; N is the number of parallel tables. Those. the resulting membership bits are the result of the logical AND bitwise operation for all parallel tables.

Collision is determined by the resulting bits of port membership as follows. If the number of bits set to 1 in the resulting ownership bits is greater than 1, a collision is detected.

In case of collision detection for one of the parallel tables, the law of computing the hash function changes to a mismatch with the previously used ones. The corresponding parallel table is reset.

The result of the search for information in the filter table is the number of the set resulting bit matching ports. The frame must be transmitted to the appropriate port on the switch. If all resulting bits are not set or a collision is detected, then 0. is returned as the search result. In this case, the frame should be transmitted to all ports of the switch.

A device for organizing a filter table of a firewall without storing a search key (Fig. 1) contains blocks for calculating the values of hash functions 1.N, the inputs of which are connected to the information input of the device, and the outputs are connected to the first inputs of storage blocks of records 2.N, second inputs which are connected to the second information input of the device, the outputs of which are connected to the N inputs of the result calculation unit 3, respectively, the output of which is the information output of the device and connected to the input of the call detection unit sion 4, whose output is connected to the second input unit calculating a hash value 1.1 and the third input of the storage unit records 2.1.

A device for organizing a filter table of a firewall without storing a search key works as follows. At the first information input of the device, the address of the source or destination node of the frame is received, which goes to the calculators of the values of the hash functions 1.N. The obtained values of the hash functions from the outputs of the calculators of the hash functions 1.N go to the first inputs of the storage blocks of records 2.N, which are address inputs. Thus, cells with addresses corresponding to the hash functions of the source address or destination of the frame are selected in the record storage blocks. The second information input of the device receives information about which port of the device the frame received. The port membership bits corresponding to the incoming number in the selected cells of the recording storage blocks 2.N are set to logical 1 if the source address is received at the first information input. When the destination address arrives at the first information input, the outputs of the record storage blocks 2.N receive the values read from the selected cells of the record storage blocks and are transmitted to the corresponding inputs of the result calculation block 3. Bits of belonging to ports with the same serial numbers in accordance with the law (5 ) are added according to the logical “AND” in the unit for calculating the result 3. The resulting resulting values of the membership bit are sent to the information output of the device and to the input of the collision detection unit 4. V collision detection locator 4, the number of ports assigned to logical 1 is checked, and if there are more than 1, then the output of the collision detection block 4 receives a signal for changing the hash function calculation law, which goes to the second input of one of the hash function calculation blocks 1.1 . In this case, the calculation law changes to the previously unused law in this hash function calculation block. At the same time, the signal for changing the law of calculation of the hash function is fed to the third input of the storage unit 2.1, associated with the calculation unit of the hash function with a variable law of its calculation.

The technical result is the search and storage of information in the filtering table of the frames of the gateway.

Through statistical studies of the mathematical model of the proposed method, it was found that the proposed method has the following advantages:

- allows you to save and find associated information in the frame filtering table for one call to the table;

- allows you to significantly reduce the required amount of memory for storing the filter table in view of the refusal to store the search key;

- provides a zero-chance collision probability;

- allows you to select the law of calculation of the hash function, ensuring the absence of collisions for the given operating conditions of the switch without significantly reducing its performance.

Claims (2)

1. A method of organizing a filter table of a firewall without storing a search key, which consists in calculating the value of the hash functions for the addresses of the source nodes and the destination nodes of the frames, the resulting value is the address in the record storage table, if the collision is detected, the hash calculation law changes functions and the record storage table is reset, characterized in that it additionally computes N-1 values of hash functions according to non-repeating laws, which are the addresses of cells in the additional N-1 parallel the individual record storage tables that store the bits of belonging of the source node to the switch ports, read from N parallel tables the values of the bits of the destination node belonging to the switch ports are combined using the logical AND operation, the resulting resulting membership bits allow you to determine if there is a collision and change the hash calculation law -functions for one of N parallel tables and at the same time are the result of the search for associated information in the filter table. 2. A device for organizing a filter table of a firewall without storing a search key, comprising a hash function calculation unit with a variable calculation law, the first input of which is the first information input of the device, the second input is connected to the output of the collision detection unit, and the output is connected to the first input of the block recording records, the second input of which is connected to the second information input of the device, and the third input of the recording storage unit is connected to the output of the collision detection unit, characterized in o the information input of the device is connected to the inputs of the additional N-1 hash function calculation blocks, the outputs of which are connected to the first inputs of the additional recording storage blocks, the second information input of the device is connected to the second inputs of theirs, and their outputs are connected to the N-1 inputs of the result calculation block the first input of which is connected to the output of the recording storage unit, and the output is connected to the input of the collision detection unit and is the information output of the device.