CN110166300A - A kind of IP five-tuple matching filtering implementation method based on FPGA - Google Patents

Info

Publication number
CN110166300A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910450488.0A
Other languages
Chinese (zh)
Inventor
陈晖�
王东锋
陈伟峰
张晓峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Optical Electrical Communication Technology Co Ltd
Original Assignee
Tianjin Optical Electrical Communication Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02 Addressing or allocation; Relocation
    • G06F12/0223 User address space allocation, e.g. contiguous or non contiguous base addressing
    • G06F12/023 Free address space management
    • G06F12/0238 Memory management in non-volatile memory, e.g. resistive RAM or ferroelectric memory
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]

Abstract

The invention discloses an FPGA-based implementation method for IP five-tuple match filtering. The method divides the IP five-tuple into 13 byte sections, and each byte section is used as the address for accessing one block RAM inside the FPGA. The write address of each block RAM is the corresponding one of the 13 byte sections of the IP five-tuple required by the user, the RAM write enable is asserted while the user is configuring, and the RAM write data is 1, indicating that this IP five-tuple rule is stored in the RAM. The RAM read address is the corresponding one of the 13 byte sections of the actually received IP five-tuple, and the RAM read data, 0 or 1, indicates whether this RAM has matched the byte section. The outputs of the 13 block RAMs are ANDed, which means that the IP five-tuple flow matches only when the byte sections corresponding to all of the RAMs match. The invention solves the problems of slow matching speed, a small number of stored rules, and rule-matching conflicts in prior-art implementations of IP five-tuple match filtering.

Description

An FPGA-based implementation method for IP five-tuple match filtering
Technical field
The present invention relates to network data processing, and more particularly to an FPGA-based implementation method for IP five-tuple match filtering.
Background
In network packet classification systems, many systems use the packet's IP five-tuple (protocol, source IP, destination IP, source port, destination port) as the classification rule. For example, the five-tuple (tcp, 192.168.1.1, 121.14.88.76, 10000, 80) means that a terminal with IP address 192.168.1.1 uses port 10000 and the TCP protocol to connect to a terminal with IP address 121.14.88.76 on port 80. When network packets are filtered, matching and screening are achieved by comparing the IP five-tuple of each received Ethernet packet. At present most systems implement five-tuple rule matching with a TCAM chip or a hash table. The TCAM approach has the advantages of fast lookup and support for masking rules, but it is limited by storage space and can only match a small number of five-tuple rules. A hash table can store a large number of five-tuple rules, but its search algorithm is slow and cannot meet the system's real-time requirements, and it has the problem of matching conflicts: different five-tuples may produce the same hash value, which makes matching more difficult. A good implementation method for IP five-tuple match filtering therefore plays a vital role in a network packet classification system.
Summary of the invention
In view of the problems of the existing technology, the present invention provides an FPGA-based implementation method for IP five-tuple match filtering. The purpose of the invention is to solve the problems of slow IP five-tuple rule matching, a small number of stored rules, and rule-matching conflicts present in the technology described above.
The technical solution adopted by the invention is an FPGA-based implementation method for IP five-tuple match filtering, characterized in that the method divides the IP five-tuple into 13 byte sections { porttype, srcip0.srcip1.srcip2.srcip3, dstip0.dstip1.dstip2.dstip3, srcport0.srcport1, dstport0.dstport1 }, and each byte section is used as the address for accessing one BLOCK RAM inside the FPGA. The write address of each BLOCK RAM is the corresponding one of the 13 byte sections of the IP five-tuple required by the user, the BLOCK RAM write enable is asserted while the user is configuring, and the BLOCK RAM write data is 1, indicating that this IP five-tuple rule is stored in the BLOCK RAM.
The BLOCK RAM read address is the corresponding one of the 13 byte sections of the actually received IP five-tuple, and the BLOCK RAM read data, 0 or 1, indicates whether this BLOCK RAM has matched the byte section. The outputs of the 13 BLOCK RAMs are ANDed, which means that the IP five-tuple flow matches only when the IP five-tuple byte sections corresponding to all of the BLOCK RAMs match.
The beneficial effects of the invention are that it solves the problems of slow IP five-tuple rule matching, a small number of stored rules, and rule-matching conflicts in the prior art. The method has wide application value in the field of network data processing.
Description of the drawings
Fig. 1 is a schematic diagram of the implementation principle of the invention.
Detailed description of the embodiment
The invention is further described below with reference to the drawing and an embodiment.
The IP five-tuple (protocol, source IP, destination IP, source port, destination port) contains 13 bytes in total: the protocol field is 1 byte, the source IP field is 4 bytes, the destination IP field is 4 bytes, the source port field is 2 bytes, and the destination port field is 2 bytes.
The variables in Fig. 1 are explained below.
RAM0-RAM12 are the BLOCK RAMs inside the FPGA. Write enable wen, write address waddr, write data wdata, read address raddr and read data rdata are the input/output ports of each RAM. & denotes the AND operation. porttype is the protocol field of the IP five-tuple. srcip is the source IP field of the IP five-tuple, and srcip0-srcip3 correspond to the 4 bytes of the source IP. dstip is the destination IP field of the IP five-tuple, and dstip0-dstip3 correspond to the 4 bytes of the destination IP. srcport is the source port field of the IP five-tuple, and srcport0-srcport1 correspond to the 2 bytes of the source port. dstport is the destination port field of the IP five-tuple, and dstport0-dstport1 correspond to the 2 bytes of the destination port. The suffix _c denotes the IP five-tuple configured by the user, and the suffix _s denotes the actually received IP five-tuple. config_en is the enable signal for the user configuring an IP five-tuple. The matching result (0/1) indicates whether the IP five-tuple matches: 0 means no match and 1 means match.
The invention is illustrated below by an example, with reference to Fig. 1.
Suppose the user wants to match the five-tuple (6, 192.168.1.1, 121.14.88.76, 10000, 80) as a rule. The protocol field byte 6 (TCP) is used as the RAM0 write address; the first byte of the source IP field, 192, as the RAM1 write address; the second byte of the source IP field, 168, as the RAM2 write address; the third byte of the source IP field, 1, as the RAM3 write address; the fourth byte of the source IP field, 1, as the RAM4 write address; the first byte of the destination IP field, 121, as the RAM5 write address; the second byte of the destination IP field, 14, as the RAM6 write address; the third byte of the destination IP field, 88, as the RAM7 write address; the fourth byte of the destination IP field, 76, as the RAM8 write address; the first byte of the source port field, 39, as the RAM9 write address; the second byte of the source port field, 16, as the RAM10 write address; the first byte of the destination port field, 0, as the RAM11 write address; and the second byte of the destination port field, 80, as the RAM12 write address (note: the first byte of source port 10000 is 39 and the second byte is 16; the first byte of destination port 80 is 0 and the second byte is 80). The write data of RAM0-RAM12 is fixed at 1, indicating that the IP five-tuple rule required by the user is stored in the RAMs. When the user configures a rule, config_en is pulled high for one clock cycle and then pulled low, indicating that one five-tuple rule is stored; if N five-tuple rules need to be stored, config_en is pulled high for N clock cycles and then pulled low. Each byte section of the actually received IP five-tuple is mapped to a RAM read address in the same way as described above. When (6, 192.168.1.1, 121.14.88.76, 10000, 80) also appears as the IP five-tuple of a received packet, the values read from RAM0-RAM12 are all 1, indicating that every byte section of the IP five-tuple matched. The AND module ANDs the results of the 13 block RAMs. If every RAM read value is 1, the AND result is also 1, indicating that all fields of the IP five-tuple matched, that is, the IP five-tuple matched. If the read result of any one block RAM is 0, the AND result is 0, indicating that the predefined IP five-tuple rule does not appear in the actually received packet.
When a byte section of the user-configured IP five-tuple carries a mask, that is, it contains don't-care bits, as in the five-tuple (6, 192.168.1.x, 121.14.88.76, 10000, 80) where the user wishes to screen source IPs in the range 192.168.1.0-192.168.1.255, then during configuration the RAM4 write address traverses 0 to 255, 256 writes in all, so that every source IP in the range 192.168.1.0-192.168.1.255 is stored in the RAM. When (6, 192.168.1.1, 121.14.88.76, 10000, 80) appears as the IP five-tuple of a received packet, the values read from every RAM are all 1 and the result after the AND operation is also 1, indicating that the IP five-tuple matched.
As can be seen from the matching process above, the method can cover any IP five-tuple to be matched: it is only necessary to write the value 1 at the corresponding address of each field's RAM, and there is no limit on the number of stored rules. When an actually received IP five-tuple is matched, it is only necessary to read the value at the corresponding address of each RAM and AND the results, so there is no problem of slow matching. The method matches IP five-tuple rules exactly, so there is no matching-conflict problem like the one present in hash tables. In addition, the method supports user masking of the IP five-tuple.
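A behavioural software model of the scheme described above, added here as an illustration; it is not code from the patent, the class and function names are assumptions, and the second rule is constructed. It goes beyond the single-rule walkthrough by storing two rules, which shows that a tuple whose bytes are each taken from a different stored rule also reads 1 from all 13 RAMs.

```python
# Behavioural model (added example) of the 13-RAM five-tuple filter.
import ipaddress
import struct

NUM_RAMS = 13      # one BLOCK RAM per five-tuple byte (RAM0..RAM12)
RAM_DEPTH = 256    # each RAM is addressed by one byte


def tuple_to_bytes(proto, src_ip, dst_ip, src_port, dst_port):
    """Split a five-tuple into the 13 byte sections, in RAM0..RAM12 order."""
    return (bytes([proto])
            + ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))


class FiveTupleFilter:
    def __init__(self):
        # 13 RAMs of 256 one-bit entries each, all cleared.
        self.rams = [bytearray(RAM_DEPTH) for _ in range(NUM_RAMS)]

    def configure(self, rule_bytes, wildcard=()):
        """Store one rule: write 1 at each byte's address (wdata fixed at 1).

        `wildcard` lists RAM indexes whose byte is "don't care"; for those
        the write address traverses 0..255, as in the mask paragraph.
        """
        for i, b in enumerate(rule_bytes):
            addrs = range(RAM_DEPTH) if i in wildcard else (b,)
            for a in addrs:
                self.rams[i][a] = 1

    def match(self, pkt_bytes):
        """Read each RAM at the received byte and AND the 13 outputs."""
        result = 1
        for i, b in enumerate(pkt_bytes):
            result &= self.rams[i][b]
        return result


def demo():
    f = FiveTupleFilter()
    rule = tuple_to_bytes(6, "192.168.1.1", "121.14.88.76", 10000, 80)
    f.configure(rule, wildcard={4})   # 192.168.1.x: RAM4 is don't-care
    exact = f.match(rule)
    masked = f.match(tuple_to_bytes(6, "192.168.1.200", "121.14.88.76", 10000, 80))
    miss = f.match(tuple_to_bytes(6, "192.168.2.1", "121.14.88.76", 10000, 80))
    # Second, constructed rule: UDP 10.0.0.5 -> 10.0.0.9, ports 5353 -> 53.
    f.configure(tuple_to_bytes(17, "10.0.0.5", "10.0.0.9", 5353, 53))
    # Never configured: protocol byte from rule 1, other bytes from rule 2.
    mixed = f.match(tuple_to_bytes(6, "10.0.0.5", "10.0.0.9", 5353, 53))
    return list(rule), exact, masked, miss, mixed


if __name__ == "__main__":
    print(demo())
```

When several rules are configured, a second-stage exact comparison on packets that pass this filter removes such cross-rule hits.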
In summary, the method provided by the invention offers a useful reference for network data processing.

Claims (1)

1. An FPGA-based implementation method for IP five-tuple match filtering, characterized in that the method divides the IP five-tuple into 13 byte sections { porttype, srcip0.srcip1.srcip2.srcip3, dstip0.dstip1.dstip2.dstip3, srcport0.srcport1, dstport0.dstport1 }, and each byte section is used as the address for accessing one BLOCK RAM inside the FPGA;
the write address of each BLOCK RAM is the corresponding one of the 13 byte sections of the IP five-tuple required by the user, the BLOCK RAM write enable is asserted while the user is configuring, and the BLOCK RAM write data is 1, indicating that this IP five-tuple rule is stored in the BLOCK RAM;
the BLOCK RAM read address is the corresponding one of the 13 byte sections of the actually received IP five-tuple, and the BLOCK RAM read data, 0 or 1, indicates whether this BLOCK RAM has matched the byte section;
the outputs of the 13 BLOCK RAMs are ANDed, which means that the IP five-tuple flow matches only when the IP five-tuple byte sections corresponding to all of the BLOCK RAMs match.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910450488.0A CN110166300A (en) 2019-05-28 2019-05-28 A kind of IP five-tuple matching filtering implementation method based on FPGA

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190823