CN110035074A - A kind of chip implementing method and device of ACL matching UDF message - Google Patents
- Publication number
- CN110035074A
- Authority
- CN
- China
- Prior art keywords
- acl
- message
- udf
- matching
- parsing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Abstract
The present invention discloses a chip implementation method and device for ACL matching of UDF messages. In the method, the chip identifies a UDF message and parses it, and the parsing result is sent to the ACL table; the parsing result is formed into an ACL keyword, the ACL table is looked up according to the ACL keyword, and the message is processed according to the matching behavior obtained from the lookup. The invention enables a chip to match user-defined messages, which allows users to deploy more service applications.
Description
Technical field
The present invention relates to ACL message-matching technology, and more particularly to a chip implementation method and device for ACL matching of UDF messages.
Background art
UDF (user defined field) gives users a match tool with a very large degree of freedom: matching need not be confined to the protocol fields defined at the network layer/transport layer (L3/L4), but is performed according to a user-defined offset and content.
The full name of UDF ACL is User Define Field ACL. An ordinary ACL (Access Control List) lacks the ability to match information above layer 4. With a user-defined ACL (UDF ACL), the user defines an offset position and an offset within the message, and the relevant content is extracted from the message to form a UDF (User Define Format) keyword from which the matching rule is generated. This lets users formulate message matching rules flexibly; the rule is identified by the udf keyword in the ACL key. A user-defined ACL supports offsets that start from the layer-2 header of the message, from the layer-3 header of IPv4 and IPv6, and from the layer-4 header. At most 4 matching segments can be configured, each of 4 bytes, so the maximum matching length is 16 bytes (128bit), and it must lie within the first 144Bit of the message. Its main features are as follows. An ordinary ACL can only match protocol fields at fixed positions in messages of fixed format and does not support matching Payload content. A user-defined ACL matches fixed-length bit data at a specified offset position, so it is more flexible and more customizable; it also supports matching Payload content, so that defences against virus attacks and the like that have fixed characteristics can be deployed rapidly.
In summary, although an ordinary ACL can match standard conventional messages such as ip, mpls (multiprotocol label switching) and arp (Address Resolution Protocol), users often need the ACL to match messages they have defined themselves. An ACL chip implementation that matches user-defined messages is therefore needed, so that users can deploy more service applications.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art and to provide a chip implementation method and device for ACL matching of UDF messages.
To achieve the above object, the present invention proposes the following technical solution: a chip implementation method for ACL matching of UDF messages, the method comprising:
S1: the chip identifies a UDF message and parses it, and the parsing result obtained is sent to the ACL table;
S2: the parsing result is formed into an ACL keyword, the ACL table is looked up according to the ACL keyword, and the message is processed according to the matching behavior obtained from the lookup.
Preferably, S1 comprises:
S11: the chip looks up the UDF table, finds a message that matches the conditions according to the lookup result, and performs UDF parsing on the message;
S12: the matching content at the specified position is taken out of the message according to the lookup result;
S13: the chip parses to obtain the parsing result, and the parsing result includes the matching content.
Preferably, the lookup result includes the type of the start offset position and the offset.
Preferably, the parsing result further includes an index address field and a message validity field.
Preferably, S2 comprises:
S21: the matching content, the index address field and the message validity field of the parsing result are combined into the ACL keyword;
S22: it is determined whether the result of a logical operation between the ACL keyword and a mask equals the result of the same logical operation between the keyword in the ACL table and the mask; if they are equal, the matching behavior is taken out of the ACL table.
Preferably, in S22, the logical operation is a logical AND operation.
The present invention also discloses another technical solution: a chip implementation device for ACL matching of UDF messages, the device comprising a UDF message identification device and an ACL matching device, wherein
the UDF message identification device is used to identify a UDF message and parse it, and to send the parsing result obtained to the ACL table;
the ACL matching device is used to form the parsing result into an ACL keyword, look up the ACL table according to the ACL keyword, and process the message according to the matching behavior obtained from the lookup.
Preferably, the UDF message identification device includes a lookup and parsing module and a matching content extraction module. The lookup and parsing module is used to look up the UDF table, find a message that matches the conditions according to the lookup result, and perform UDF parsing on the message to obtain the parsing result. The matching content extraction module is used to take the matching content at the specified position out of the message according to the lookup result of the lookup and parsing module; the parsing result includes the matching content.
Preferably, the parsing result further includes an index address field and a message validity field.
Preferably, the ACL matching device includes an ACL keyword composing module and a matching module. The ACL keyword composing module is used to combine the matching content, the index address field and the message validity field of the parsing result into the ACL keyword. The matching module is used to determine whether the result of a logical operation between the ACL keyword and a mask equals the result of the same logical operation between the keyword in the ACL table and the mask and, if they are equal, to take the matching behavior out of the ACL table.
The beneficial effect of the present invention is that it enables a chip to match user-defined messages, which allows users to deploy more service applications.
Brief description of the drawings
Fig. 1 is a schematic diagram of the principle of the method of the present invention;
Fig. 2 is a flow diagram of the method of the present invention;
Fig. 3 is a detailed flow diagram of step S1 of the present invention;
Fig. 4 is a detailed flow diagram of step S2 of the present invention.
Detailed description of the embodiments
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings.
The chip implementation method and device for ACL matching of UDF messages disclosed by the embodiment of the present invention identify a UDF message, take the required matching content out of the message and send it to the ACL for matching. The ACL can thus match unconventional UDF messages, which helps users deploy more service applications.
With reference to Fig. 1 and Fig. 2, the chip implementation method for ACL matching of UDF messages disclosed by the embodiment of the present invention is divided into two main parts: the first is the process by which the chip identifies a UDF message, and the second is the process by which the ACL matches the UDF message. Specifically:
S1: the chip identifies a UDF message and parses it, and the parsing result obtained is sent to the ACL table.
As shown in Fig. 3, step S1 specifically comprises:
S11: the chip looks up the UDF table, finds a message that matches the conditions according to the lookup result, and performs UDF parsing on the message.
Specifically, when a message enters the chip, the chip first looks up the UDF table (i.e. the UDF cam, a UDF content addressable memory), finds a message that matches the conditions, and performs UDF parsing.
UDF cam entries are defined in the UDF cam (ParserUdfCam). The UDF cam contains multiple entries, for example 16, and each entry includes a validity field (entryValid), a data field (data), a mask field (mask) and so on. The data field includes the port information of the message (portBitmapBase, portBitmap), message type information (layer2Type, etherType), the number of vlans (vlanNum), layer-2 information, layer-3 information (ipsa, ipda), layer-4 information (l4srcport, l4dstport) and so on. The UDF cam is an on-chip storage mechanism, a content addressable memory (Content Addressable Memory).
The chip matches the information in the message against the corresponding fields of the UDF cam entries described above. If they match, the matching entry has been found, and the lookup result (ParserUdfCamResult) is obtained from that entry.
S12: the matching content at the specified position is taken out of the message according to the lookup result.
Specifically, the lookup result includes the following fields: the type of the start offset position (udfStartPosType) and the offset (udfEntryOffset). In this embodiment, four types of start offset position are defined:
2'b00: Start from L2header. udfStartPosType is 0, and extraction starts from the layer-2 message header, L2Header;
2'b01: Start after L2header. udfStartPosType is 1, and extraction starts from the layer-3 message header, L3Header;
2'b10: Start after L3header. udfStartPosType is 2, and extraction starts from the layer-4 header, L4Header;
2'b11: UDF=127'd0. UDF is disabled (disable udf).
Four offsets are defined correspondingly:
udfEntryOffset0[3:0], unit: 4Byte;
udfEntryOffset1[3:0], unit: 4Byte;
udfEntryOffset2[3:0], unit: 4Byte;
udfEntryOffset3[3:0], unit: 4Byte.
That is, depending on the lookup result:
If udfStartPosType is 0, extraction starts from L2Header; udfEntryOffset0[3:0] to udfEntryOffset3[3:0] specify 4 relative offset start positions, and at most 128bits of content can be taken out in total;
If udfStartPosType is 1, extraction starts from L3Header; udfEntryOffset0[3:0] to udfEntryOffset3[3:0] specify 4 relative offset start positions, and at most 128bits of content can be taken out in total;
If udfStartPosType is 2, extraction starts from L4Header; udfEntryOffset0[3:0] to udfEntryOffset3[3:0] specify 4 relative offset start positions, and at most 128bits of content can be taken out in total;
If udfStartPosType is 3, udf is disabled.
S13: the chip parses to obtain the parsing result, and the parsing result includes the matching content.
Specifically, the chip parses the UDF message, and the resulting parsing result includes the following data:
Matching content (ParserResult.udf): the 128bits of message content taken out above, i.e. ParserResult.udf[127:0];
Index address field: defined in this embodiment as ParserResult.udfHitIndex[3:0];
Message validity field: defined in this embodiment as ParserResult.udfValid.
The chip sends these fields (ParserResult.udf[127:0], ParserResult.udfHitIndex[3:0], ParserResult.udfValid) to the subsequent ACL for processing, that is, it proceeds to step S2.
S2: the parsing result is formed into an ACL keyword, the ACL table is looked up according to the ACL keyword, and the message is processed according to the matching behavior obtained from the lookup.
This part is the process by which the ACL matches the UDF message described above. As shown in Fig. 4, S2 specifically comprises:
S21: the matching content, the index address field and the message validity field of the parsing result are combined into the ACL keyword.
The data finally output by the UDF stage, ParserResult.udf[127:0], ParserResult.udfHitIndex[3:0] and ParserResult.udfValid, form the corresponding ACL keyword (key), which is used for ACL matching.
S22: it is determined whether the result of a logical operation between the ACL keyword and the mask equals the result of the same logical operation between the keyword in the ACL table and the mask; if they are equal, the matching behavior is taken out of the ACL table.
Specifically, the ACL key assembled by the chip and the mask (mask) issued by the user undergo a logical operation, which in this embodiment is a logical AND (&), and the result is compared with the result of the same logical operation between the keyword in the ACL table and the mask (mask) issued by the user. If the two are equal, the TCAM lookup hits, the corresponding matching behavior (Action) is taken, and the corresponding processing is performed; if they are not equal, the TCAM lookup misses and no corresponding Action is taken.
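A software model of steps S12 to S22, added here as an illustration; it is not code from the patent. It assumes the caller supplies the L3 and L4 header offsets, that a segment running past the end of the packet clears udfValid, and that the first matching ACL entry wins; the action codes and the sample frame are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { UDF_FROM_L2 = 0, UDF_FROM_L3 = 1, UDF_FROM_L4 = 2, UDF_DISABLED = 3 };
enum { ACL_MISS = -1, ACTION_DENY = 1 };   /* hypothetical action codes */

struct udf_cam_result {        /* ParserUdfCamResult fields named in the text */
    uint8_t start_pos_type;    /* udfStartPosType[1:0] */
    uint8_t entry_offset[4];   /* udfEntryOffset0..3[3:0], unit: 4 bytes */
};
struct acl_key {               /* fields handed from the parser to the ACL */
    uint8_t udf[16];           /* ParserResult.udf[127:0] */
    uint8_t hit_index;         /* ParserResult.udfHitIndex[3:0] */
    uint8_t valid;             /* ParserResult.udfValid */
};
struct acl_entry { struct acl_key key, mask; int action; };

/* S12/S13: copy four 4-byte segments, relative to the chosen header, into the
 * key. Assumption: a segment past the end of the packet clears udfValid. */
struct acl_key udf_extract(const uint8_t *pkt, size_t len, size_t l3_off,
                           size_t l4_off, const struct udf_cam_result *r,
                           uint8_t hit_index)
{
    const size_t base[3] = { 0, l3_off, l4_off };
    unsigned type = r->start_pos_type & 3;
    struct acl_key k, bad;
    memset(&k, 0, sizeof k);
    k.hit_index = hit_index & 0x0F;
    bad = k;                               /* udfValid = 0, udf all zero */
    if (type == UDF_DISABLED) return bad;  /* 2'b11: UDF disabled */
    for (int i = 0; i < 4; i++) {
        size_t off = base[type] + (size_t)(r->entry_offset[i] & 0x0F) * 4;
        if (off > len || len - off < 4) return bad;  /* never read past the end */
        memcpy(&k.udf[i * 4], pkt + off, 4);
    }
    k.valid = 1;
    return k;
}

/* S22: (key & mask) == (entry key & mask), field by field. */
static int masked_equal(const struct acl_key *a, const struct acl_key *b,
                        const struct acl_key *m)
{
    for (int i = 0; i < 16; i++)
        if ((a->udf[i] & m->udf[i]) != (b->udf[i] & m->udf[i])) return 0;
    return (a->hit_index & m->hit_index) == (b->hit_index & m->hit_index) &&
           (a->valid & m->valid) == (b->valid & m->valid);
}

/* Assumption: the first matching entry wins, as in a priority-ordered TCAM. */
int acl_lookup(const struct acl_entry *tbl, size_t n, const struct acl_key *k)
{
    for (size_t i = 0; i < n; i++)
        if (masked_equal(k, &tbl[i].key, &tbl[i].mask)) return tbl[i].action;
    return ACL_MISS;
}

/* Constructed frame (pkt_len <= 64): Ethernet 14 + IPv4 20 + UDP 8 bytes,
 * with the 4-byte marker placed at the start of the UDP payload. */
int demo_lookup(uint32_t marker, size_t pkt_len)
{
    uint8_t pkt[64] = {0};
    struct udf_cam_result r = { UDF_FROM_L4, {0, 1, 2, 3} };
    struct acl_entry e;
    memset(&e, 0, sizeof e);
    for (int i = 0; i < 4; i++) {
        pkt[42 + i] = (uint8_t)(marker >> (24 - 8 * i));
        e.key.udf[8 + i]  = (uint8_t)(0xDEADBEEFu >> (24 - 8 * i));
        e.mask.udf[8 + i] = 0xFF;          /* compare only segment 2 */
    }
    e.key.valid = e.mask.valid = 1;        /* a cleared key must not match */
    e.action = ACTION_DENY;
    struct acl_key k = udf_extract(pkt, pkt_len, 14, 34, &r, 0);
    return acl_lookup(&e, 1, &k);
}

int main(void)
{
    printf("%d %d %d\n", demo_lookup(0xDEADBEEFu, 64),
           demo_lookup(0xDEADBEEEu, 64), demo_lookup(0xDEADBEEFu, 48));
    return 0;
}
```

Including the udfValid bit in every entry's mask keeps a cleared, all-zero key from matching an entry whose masked pattern happens to be zero.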
Corresponding to the chip implementation method for ACL matching of UDF messages described above, the embodiment of the present invention discloses a chip implementation device for ACL matching of UDF messages, comprising a UDF message identification device and an ACL matching device, wherein
the UDF message identification device is used to identify a UDF message and parse it, and to send the parsing result obtained to the ACL table.
Specifically, the UDF message identification device includes a lookup and parsing module and a matching content extraction module. The lookup and parsing module is used to look up the UDF table, find a message that matches the conditions according to the lookup result, and perform UDF parsing on the message to obtain the parsing result.
The matching content extraction module is used to take the matching content at the specified position out of the message according to the lookup result of the lookup and parsing module; the parsing result includes the matching content.
The ACL matching device is used to form the parsing result into an ACL keyword, look up the ACL table according to the ACL keyword, and process the message according to the matching behavior obtained from the lookup.
Specifically, the ACL matching device includes an ACL keyword composing module and a matching module, wherein
the ACL keyword composing module is used to combine the matching content, the index address field and the message validity field of the parsing result into the ACL keyword.
The matching module is used to determine whether the result of a logical operation between the ACL keyword and the mask equals the result of the same logical operation between the keyword in the ACL table and the mask and, if they are equal, to take the matching behavior out of the ACL table.
For the detailed principles of the UDF message identification device and the ACL matching device, refer to the descriptions of S1 and S2 above; they are not repeated here.
The technical content and technical features of the present invention have been disclosed above. However, those skilled in the art may still make various substitutions and modifications based on the teaching and disclosure of the present invention without departing from its spirit. The scope of protection of the present invention should therefore not be limited to the content disclosed in the embodiments, but should include the various substitutions and modifications that do not depart from the present invention, and is covered by the claims of this patent application.
Claims (10)
1. A chip implementation method for ACL matching of UDF messages, characterized in that the method comprises:
S1: the chip identifies a UDF message and parses it, and the parsing result obtained is sent to the ACL table;
S2: the parsing result is formed into an ACL keyword, the ACL table is looked up according to the ACL keyword, and the message is processed according to the matching behavior obtained from the lookup.
2. The chip implementation method for ACL matching of UDF messages according to claim 1, characterized in that S1 comprises:
S11: the chip looks up the UDF table, finds a message that matches the conditions according to the lookup result, and performs UDF parsing on the message;
S12: the matching content at the specified position is taken out of the message according to the lookup result;
S13: the chip parses to obtain the parsing result, and the parsing result includes the matching content.
3. The chip implementation method for ACL matching of UDF messages according to claim 2, characterized in that the lookup result includes the type of the start offset position and the offset.
4. The chip implementation method for ACL matching of UDF messages according to claim 2, characterized in that the parsing result further includes an index address field and a message validity field.
5. The chip implementation method for ACL matching of UDF messages according to claim 4, characterized in that S2 comprises:
S21: the matching content, the index address field and the message validity field of the parsing result are combined into the ACL keyword;
S22: it is determined whether the result of a logical operation between the ACL keyword and a mask equals the result of the same logical operation between the keyword in the ACL table and the mask; if they are equal, the matching behavior is taken out of the ACL table.
6. The chip implementation method for ACL matching of UDF messages according to claim 5, characterized in that, in S22, the logical operation is a logical AND operation.
7. A chip implementation device for ACL matching of UDF messages, characterized in that the device comprises a UDF message identification device and an ACL matching device, wherein
the UDF message identification device is used to identify a UDF message and parse it, and to send the parsing result obtained to the ACL table;
the ACL matching device is used to form the parsing result into an ACL keyword, look up the ACL table according to the ACL keyword, and process the message according to the matching behavior obtained from the lookup.
8. The chip implementation device for ACL matching of UDF messages according to claim 7, characterized in that the UDF message identification device includes a lookup and parsing module and a matching content extraction module; the lookup and parsing module is used to look up the UDF table, find a message that matches the conditions according to the lookup result, and perform UDF parsing on the message to obtain the parsing result; the matching content extraction module is used to take the matching content at the specified position out of the message according to the lookup result of the lookup and parsing module, and the parsing result includes the matching content.
9. The chip implementation device for ACL matching of UDF messages according to claim 7, characterized in that the parsing result further includes an index address field and a message validity field.
10. The chip implementation device for ACL matching of UDF messages according to claim 9, characterized in that the ACL matching device includes an ACL keyword composing module and a matching module; the ACL keyword composing module is used to combine the matching content, the index address field and the message validity field of the parsing result into the ACL keyword; the matching module is used to determine whether the result of a logical operation between the ACL keyword and a mask equals the result of the same logical operation between the keyword in the ACL table and the mask and, if they are equal, to take the matching behavior out of the ACL table.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910257519.0A CN110035074A (en) | 2019-04-01 | 2019-04-01 | A kind of chip implementing method and device of ACL matching UDF message |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110035074A (en) | 2019-07-19 |
Family
ID=67237161
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910257519.0A Withdrawn CN110035074A (en) | 2019-04-01 | 2019-04-01 | A kind of chip implementing method and device of ACL matching UDF message |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110035074A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | ||
Application publication date: 20190719 |