CN106878185B - Message IP address matching circuit and method - Google Patents
Message IP address matching circuit and method Download PDFInfo
- Publication number
- CN106878185B CN106878185B CN201710239888.8A CN201710239888A CN106878185B CN 106878185 B CN106878185 B CN 106878185B CN 201710239888 A CN201710239888 A CN 201710239888A CN 106878185 B CN106878185 B CN 106878185B
- Authority
- CN
- China
- Prior art keywords
- address
- module
- hash
- mode
- matching
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 23
- 238000013507 mapping Methods 0.000 claims abstract description 7
- 230000002457 bidirectional effect Effects 0.000 claims description 6
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/74—Address processing for routing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
Abstract
The invention discloses a message IP address matching circuit and a method, which relate to the field of network message data processing.A circuit structure comprises a hash processing module, a hash conflict module, an IP rule hash storage module, a primary judgment module, a mode one matching module, a mode two matching module and a secondary judgment module; the invention reduces the number of synchronization bits required to be compared by the IP address and improves the time sequence by adopting a Hash mapping method; meanwhile, two levels of comparison modules are arranged to form flow multiplexing, hardware resources are saved, and fast and efficient comparison matching operation can be performed on the message IP addresses represented in the form of subnet masks or start and stop addresses.
Description
Technical Field
The invention relates to the field of network message data processing, in particular to a message IP address matching circuit and a message IP address matching method.
Background
The IP Address (Internet Protocol Address) is a unified Address format provided by the IP Protocol, and it allocates a logical Address to each network and each host on the Internet, so as to mask the difference of physical addresses. The IP message usually contains information such as message source IP and destination IP, and can realize message rule forwarding or storage by comparing and matching with IP address information in the strategy.
As a necessary step of network message data exchange, message IP address matching has a great influence on hardware resource occupation and processing time consumption, and the comparison and matching efficiency of the IP addresses influences the whole message processing and the operation of each subsequent module. In general, an IP address in a policy has more bits, occupies a part of bandwidth and hardware circuit in a comparison and matching process, has a large data redundancy, and additionally occupies a certain storage resource.
Disclosure of Invention
Aiming at the requirements and the defects of the prior art development, the invention provides a message IP address matching circuit and a message IP address matching method.
The invention discloses a message IP address matching circuit and a method, which solve the technical problems and adopt the following technical scheme: the message IP address matching circuit adopts a Hash mapping method and is simultaneously provided with two stages of judgment modules to form flow multiplexing, thereby realizing the rapid and efficient comparison matching operation of the message IP address represented by a subnet mask form or a start-stop address form; the message IP address matching circuit comprises a hash processing module, a hash collision module, an IP rule hash storage module, a primary judgment module, a mode one matching module, a mode two matching module and a secondary judgment module;
the hash processing module is used for performing hash operation processing on the high 16-bit part of the source IP address and the high 16-bit part of the destination IP address in the strategy, and outputting the obtained result to the hash collision module; meanwhile, carrying out hash operation processing on the high 16-bit part of the IP address and the high 16-bit part of the target IP in the real-time message, and outputting the obtained result to the hash collision module;
the hash collision module is used for identifying and recording the hash result which conflicts in the strategy, and outputting the hash result to the IP rule hash storage module; at the same time, the hash result with conflict in the message is identified and recorded, and the output is sent to the primary judgment module;
the IP rule hash storage module is used for storing hash results of high-order IP addresses in the strategy and sending the storage contents of the corresponding addresses to the primary judgment module according to the hash results;
the primary judging module is used for comparing the strategy IP address subjected to the hash processing with the real-time message IP address, if the items are matched, the result is respectively sent to the mode one matching module or the mode two matching module through mode selection, and if the items are not matched, the unmatched mark is directly output;
the first pattern matching module is used for comparing and matching the IP addresses expressed by the first pattern mode; the second pattern matching module is used for comparing and matching the IP addresses represented by the second pattern mode; the output results of the two are sent to a secondary judgment module;
and the secondary judging module is used for integrating the preceding stage result and sending the result into the hash processing module or outputting the result according to whether the message has the bidirectional IP address.
A message IP address matching method is specifically realized by the following steps:
firstly, a high-order IP address in the strategy is processed by Hash operation and Hash collision, and is stored into an IP rule Hash storage module together with a low-order IP address, an IP address mode, a subnet mask or a termination IP address and a processing strategy for primary judgment;
secondly, the IP address in the real-time message is processed by Hash operation and Hash collision, compared with the data in the IP rule Hash storage module by a primary judgment module, and sent to a mode one matching module or a mode two matching module for comparison and matching according to different IP address modes;
and thirdly, sending the results of the two mode matching modules in the second step into a second-stage judging module, and repeating the second step according to whether the message is a bidirectional IP address, a switching source IP address and a destination IP address or outputting the matching result to a later stage to finish the IP matching of the message.
Compared with the prior art, the message IP address matching circuit and the method have the beneficial effects that: the invention reduces the number of synchronization bits required to be compared by the IP address and improves the time sequence by adopting a Hash mapping method; meanwhile, two stages of judgment modules are arranged to form flow multiplexing, hardware resources are saved, and fast and efficient comparison matching operation can be carried out on the message IP addresses represented in the form of subnet masks or start and stop addresses.
Drawings
Fig. 1 is a schematic block diagram of a message IP address matching circuit.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly understood, the following describes a packet IP address matching circuit and method in detail with reference to specific embodiments.
Example (b):
in the packet IP address matching circuit described in this embodiment, a hash mapping method is adopted, and two stages of determination modules are simultaneously arranged to form pipeline multiplexing, so that a fast and efficient comparison matching operation is performed on a packet IP address represented in a subnet mask form or a start-stop address form.
As shown in fig. 1, the packet IP address matching circuit includes a hash processing module, a hash collision module, an IP rule hash storage module, a primary determination module, a mode one matching module, a mode two matching module, and a secondary determination module.
The hash processing module is used for performing hash operation processing on the high 16-bit part of the source IP address and the high 16-bit part of the destination IP address in the strategy, and storing the obtained result into the IP rule hash storage module through the hash collision module for primary judgment; and simultaneously, carrying out hash operation processing on the high 16-bit part of the IP address and the high 16-bit part of the target IP in the real-time message, and outputting the obtained result to the hash collision module.
The packet IP address matching circuit described in this embodiment implements a hash mapping circuit by using an MD5 algorithm.
The hash collision module is used for identifying and recording the hash result which conflicts in the strategy, and outputting the hash result to the IP rule hash storage module; and simultaneously, identifying and recording the hash result with conflict in the message, and outputting the hash result to the primary judgment module.
The hash collision module adopts a double-port RAM with the depth of 16 as a basic circuit of the hash collision circuit, and records and processes a collision hash result.
And the IP rule hash storage module is used for storing the hash result of the high-order IP address in the strategy and sending the storage content of the corresponding address to the primary judgment module according to the hash result.
The primary judging module is used for comparing the strategy IP address subjected to the hash processing with the real-time message IP address, if the items are matched, the result is respectively sent to the mode one matching module or the mode two matching module through mode selection, and if not, the unmatched mark is directly output.
The first pattern matching module is used for comparing and matching the IP addresses expressed by the first pattern mode; the second pattern matching module is used for comparing and matching the IP addresses represented by the second pattern mode; the output of the two is sent to a secondary judgment module.
And the secondary judging module is used for integrating the preceding stage result and sending the result into the hash processing module or outputting the result according to whether the message has the bidirectional IP address.
The mode selection in the primary judging module comprises a mode I and a mode II, wherein the mode I indicates that the current IP address is represented by using an IP address and a subnet mask mode; the mode two-finger uses the starting IP address and the ending IP address mode to represent the current IP address.
And the mode one matching module compares and matches the strategy IP address jointly determined by the low 16-bit IP address and the low 16-bit subnet mask and the real-time message IP address jointly determined by the low 16-bit IP address and the low 16-bit subnet mask.
And the mode-one matching module adopts a method of judging whether the two numbers are 0 or not according to the bitwise XOR to carry out size comparison.
The pattern two matching module firstly compares and matches the high 8 bits of the low 16 bits of the real-time message IP address with the corresponding bits of the strategy IP initial address, and then compares and matches the low 8 bits of the low 16 bits of the real-time message IP address with the corresponding bits of the strategy IP termination address, so that the number of synchronous bits in each time can be reduced, and the time sequence is improved.
Through the message IP address matching circuit, a message IP address matching method is realized, and the specific realization process of the message IP address matching method is as follows:
firstly, a high-order IP address in the strategy is processed by Hash operation and Hash conflict, and is stored into an IP rule Hash storage module together with a low-order IP address, an IP address mode, a subnet mask or a termination IP address and a processing strategy;
secondly, the IP address in the real-time message is processed by Hash operation and Hash collision, compared with the data in the IP rule Hash storage module by a primary judgment module, and sent to a mode one matching module or a mode two matching module for comparison and matching according to different IP address modes;
and thirdly, sending the results of the two mode matching modules in the second step into a second-stage judging module, and repeating the second step according to whether the message is a bidirectional IP address, a switching source IP address and a destination IP address or outputting the matching result to a later stage to finish the IP matching of the message.
The above embodiments are only specific examples of the present invention, and the scope of the present invention includes but is not limited to the above embodiments, and any suitable changes or substitutions that are consistent with the claims of the present invention and are made by those skilled in the art should fall within the scope of the present invention.
Claims (2)
1. A message IP address matching circuit is characterized in that a two-stage judgment module is arranged at the same time by adopting a Hash mapping method to form flow multiplexing, so that the fast and efficient comparison matching operation of the message IP address represented by a subnet mask mode or a start-stop address mode is realized;
the message IP address matching circuit comprises a hash processing module, a hash collision module, an IP rule hash storage module, a primary judgment module, a mode one matching module, a mode two matching module and a secondary judgment module;
the hash processing module is used for performing hash operation processing on the high 16-bit part of the source IP address and the high 16-bit part of the destination IP address in the strategy, and outputting the obtained result to the hash collision module; meanwhile, carrying out hash operation processing on the high 16-bit part of the IP address and the high 16-bit part of the target IP in the real-time message, and outputting the obtained result to the hash collision module;
the hash collision module is used for identifying and recording the hash result which conflicts in the strategy, and outputting the hash result to the IP rule hash storage module; at the same time, the hash result with conflict in the message is identified and recorded, and the output is sent to the primary judgment module;
the IP rule hash storage module is used for storing hash results of high-order IP addresses in the strategy and sending the storage contents of the corresponding addresses to the primary judgment module according to the hash results;
the primary judging module is used for comparing the strategy IP address subjected to the hash processing with the real-time message IP address, if the items are matched, the result is respectively sent to the mode one matching module or the mode two matching module through mode selection, and if the items are not matched, the unmatched mark is directly output;
the first pattern matching module is used for comparing and matching the IP addresses expressed by the first pattern mode; the second pattern matching module is used for comparing and matching the IP addresses represented by the second pattern mode; the output results of the two are sent to a secondary judgment module;
the second-stage judging module is used for integrating the preceding-stage result and sending the result into the hash processing module or outputting the result according to whether the message has a bidirectional IP address;
the hash processing module adopts an MD5 algorithm to realize a hash mapping circuit;
the hash collision module adopts a double-port RAM with the depth of 16 as a basic circuit and records and processes a collision hash result;
the mode selection in the primary judging module comprises a mode I and a mode II, wherein the mode I indicates that the current IP address is represented by using an IP address and a subnet mask mode; the mode two fingers use a starting IP address and an ending IP address mode to represent the current IP address;
the mode one matching module compares and matches a policy IP address jointly determined by the low 16-bit IP address and the low 16-bit subnet mask and a real-time message IP address jointly determined by the low 16-bit IP address and the low 16-bit subnet mask;
the mode one matching module adopts a method of judging whether the two numbers are 0 or not according to bitwise XOR to carry out size comparison;
the pattern two matching module firstly compares and matches the upper 8 bits of the lower 16 bits of the real-time message IP address with the corresponding bits of the strategy IP initial address, and then compares and matches the lower 8 bits of the lower 16 bits of the real-time message IP address with the corresponding bits of the strategy IP termination address.
2. A message IP address matching method is characterized in that a message IP address matching circuit is adopted, and the matching circuit comprises a hash processing module, a hash collision module, an IP rule hash storage module, a primary judgment module, a mode one matching module, a mode two matching module and a secondary judgment module;
the mode selection in the primary judging module comprises a mode I and a mode II, wherein the mode I indicates that the current IP address is represented by using an IP address and a subnet mask mode; the mode two fingers use a starting IP address and an ending IP address mode to represent the current IP address;
the message IP address matching specifically comprises the following steps:
firstly, a high-order IP address in the strategy is processed by Hash operation and Hash collision, and is stored into an IP rule Hash storage module together with a low-order IP address, an IP address mode, a subnet mask or a termination IP address and a processing strategy for primary judgment;
secondly, the IP address in the real-time message is processed by Hash operation and Hash collision, compared with the data in the IP rule Hash storage module by a primary judgment module, and sent to a mode one matching module or a mode two matching module for comparison and matching according to different IP address modes;
and thirdly, sending the results of the two mode matching modules in the second step into a secondary judgment module, and performing the second step again according to whether the message is a bidirectional IP address, a switching source IP address and a destination IP address or outputting the matching result to a later stage to finish the IP matching of the message.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710239888.8A CN106878185B (en) | 2017-04-13 | 2017-04-13 | Message IP address matching circuit and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710239888.8A CN106878185B (en) | 2017-04-13 | 2017-04-13 | Message IP address matching circuit and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106878185A CN106878185A (en) | 2017-06-20 |
| CN106878185B true CN106878185B (en) | 2020-04-07 |
Family
ID=59163368
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710239888.8A Active CN106878185B (en) | 2017-04-13 | 2017-04-13 | Message IP address matching circuit and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106878185B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107707485A (en) * | 2017-10-23 | 2018-02-16 | 济南浪潮高新科技投资发展有限公司 | A kind of range type IP message strategy matching circuits and method |
| CN108650181A (en) * | 2018-04-20 | 2018-10-12 | 济南浪潮高新科技投资发展有限公司 | A kind of IP packet strategy matching circuit and method |
| CN115665051B (en) * | 2022-12-29 | 2023-03-28 | 北京浩瀚深度信息技术股份有限公司 | Method for realizing high-speed flow table based on FPGA + RLDRAM3 |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101267381A (en) * | 2007-03-13 | 2008-09-17 | 大唐移动通信设备有限公司 | Operation method and device for Hash table |
| CN101827137A (en) * | 2010-04-13 | 2010-09-08 | 西安邮电学院 | Hash table-based and extended memory-based high-performance IPv6 address searching method |
| CN102546293A (en) * | 2011-12-20 | 2012-07-04 | 东南大学 | High speed network flow network address measuring method based on Hash bit string multiplexing |
| CN102571494A (en) * | 2012-01-12 | 2012-07-11 | 东北大学 | Field programmable gate array-based (FPGA-based) intrusion detection system and method |
| CN104144223A (en) * | 2014-08-21 | 2014-11-12 | 北京奇艺世纪科技有限公司 | Data obtaining method and device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7289979B2 (en) * | 2003-12-10 | 2007-10-30 | Alcatel Lucent | Parallel asymmetric binary search on lengths |
-
2017
- 2017-04-13 CN CN201710239888.8A patent/CN106878185B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101267381A (en) * | 2007-03-13 | 2008-09-17 | 大唐移动通信设备有限公司 | Operation method and device for Hash table |
| CN101827137A (en) * | 2010-04-13 | 2010-09-08 | 西安邮电学院 | Hash table-based and extended memory-based high-performance IPv6 address searching method |
| CN102546293A (en) * | 2011-12-20 | 2012-07-04 | 东南大学 | High speed network flow network address measuring method based on Hash bit string multiplexing |
| CN102571494A (en) * | 2012-01-12 | 2012-07-11 | 东北大学 | Field programmable gate array-based (FPGA-based) intrusion detection system and method |
| CN104144223A (en) * | 2014-08-21 | 2014-11-12 | 北京奇艺世纪科技有限公司 | Data obtaining method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106878185A (en) | 2017-06-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103117931B (en) | Media access control (MAC) address hardware learning method and system based on hash table and ternary content addressable memory (TCAM) table | |
| US10764181B2 (en) | Pipelined evaluations for algorithmic forwarding route lookup | |
| US10623311B2 (en) | Technologies for distributed routing table lookup | |
| US10333845B2 (en) | Forwarding data packets | |
| Bando et al. | FlashTrie: beyond 100-Gb/s IP route lookup using hash-based prefix-compressed trie | |
| CN106878185B (en) | Message IP address matching circuit and method | |
| US10666564B2 (en) | Increasing entropy across routing table segments | |
| US20130173868A1 (en) | Generation of Activation List for Memory Translation and Memory Access Protection in Industrial Ethernet Standard | |
| TWI661698B (en) | Method and device for forwarding Ethernet packet | |
| CN109639579B (en) | Multicast message processing method and device, storage medium and processor | |
| US8923298B2 (en) | Optimized trie-based address lookup | |
| US20180375773A1 (en) | Technologies for efficient network flow classification with vector bloom filters | |
| US10547547B1 (en) | Uniform route distribution for a forwarding table | |
| CN102880628A (en) | Hash data storage method and device | |
| CN109981464B (en) | TCAM circuit structure realized in FPGA and matching method thereof | |
| CN102291472A (en) | Network address lookup method and device | |
| CN101510837B (en) | Ethernet bridge equipment, method and equipment for migrating polymerization mouth address | |
| CN104125150A (en) | Protocol message processing method, device and system | |
| CN112769973B (en) | Method for matching network address and network address conversion rule | |
| JP2006246488A (en) | Network router, address processing method, and computer program | |
| TWI239476B (en) | Address search | |
| CN112087389B (en) | Message matching table look-up method, system, storage medium and terminal | |
| CN108990126B (en) | Message forwarding method and device | |
| CN114338529B (en) | Five-tuple rule matching method and device | |
| CN111683036A (en) | Data storage method and device and message identification method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20200304 Address after: 250100 Ji'nan high tech Zone, Shandong, No. 1036 wave road Applicant after: INSPUR GROUP Co.,Ltd. Address before: 250100, Ji'nan province high tech Zone, Sun Village Branch Road, No. 2877, building, floor, building, on the first floor Applicant before: JINAN INSPUR HIGH-TECH TECHNOLOGY DEVELOPMENT Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20230323 Address after: 250000 building S02, No. 1036, Langchao Road, high tech Zone, Jinan City, Shandong Province Patentee after: Shandong Inspur Scientific Research Institute Co.,Ltd. Address before: No. 1036, Shandong high tech Zone wave road, Ji'nan, Shandong Patentee before: INSPUR GROUP Co.,Ltd. |
|
| TR01 | Transfer of patent right |