CN114492621A - Multi-domain network packet classification processing method and device - Google Patents

Publication number
CN114492621A
Authority
CN
China
Legal status
Pending
Application number
CN202210080521.7A
Other languages
Chinese (zh)
Inventor
李军
贾成君
李一凡
胡效赫
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods


Abstract

The invention provides a multi-domain network packet classification processing method and device. The method comprises the following steps: determining configuration information of a search engine based on a preset multi-domain network packet classification rule set, and configuring the configuration information into the search engine; inputting a multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result so as to finish classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top layer search module and an execution search module to a network on chip. The classification processing method of the multi-domain network packet provided by the invention classifies the input multi-domain network packet through the search engine, reduces the time delay of classification, improves the throughput speed of network packet classification, and can be configured according to the network on chip, thereby being suitable for different network packet classification requirements.

Description

Multi-domain network packet classification processing method and device
Technical Field
The invention relates to the technical field of network data processing, in particular to a multi-domain network packet classification processing method and device. It also relates to an electronic device and a processor-readable storage medium.
Background
Multi-domain network packet classification is a basic function of network devices. Given a classification rule set, a network device inspects the fields (domains) defined by the rule set in each network packet flowing through it and determines the target classification rule in the set that the packet matches, thereby classifying the multi-domain network packet. The classification method used directly affects the performance of the network device. At present, the multi-domain network packet matching problem is mostly solved with a TCAM (ternary content-addressable memory) hardware scheme and a decision tree software scheme. However, these classification methods are limited by their technology and cannot simultaneously meet the requirements of high throughput, low delay, high rule capacity and support for rule updates; moreover, the search engine can only be implemented with a single search algorithm, cannot combine the advantages of multiple algorithms, and cannot flexibly select a network packet search scheme according to the characteristics of the rule set. Therefore, how to improve multi-domain network packet classification performance so as to meet the requirements of high throughput, low delay and rule updating in scenarios with massive rule sets has become an urgent problem.
Disclosure of Invention
Therefore, the invention provides a multi-domain network packet classification processing method and device, which aim to overcome the defect that the multi-domain network packet classification performance and stability of network equipment are poor due to the fact that a multi-domain network packet classification processing scheme in the prior art is high in limitation.
In a first aspect, the present invention provides a method for classifying and processing packets in a multi-domain network, including: determining configuration information of a search engine based on a preset multi-domain network packet classification rule set, and configuring the configuration information into the search engine;
inputting a multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result so as to finish classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top search module and an execution search module to a network on chip.
Further, the inputting the multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result specifically includes:
inputting the acquired network packet information of the multi-domain network packet into a top layer searching module, and sending the processed information to a network on chip based on the top layer searching module so as to determine a corresponding execution searching module according to the information through the network on chip; the execution searching module comprises a decision tree searching module, a linear searching module, a neural network searching module or an out-of-order rearranging module;
when the execution searching module is a decision tree searching module, performing step-by-step matching in corresponding configuration information based on the network packet information and the multistage pipeline structure of the decision tree searching module to determine a corresponding classification rule matching result; or,
when the execution searching module is a linear search module, matching in corresponding configuration information based on the network packet information and a linear search strategy of the linear search module to determine a corresponding classification rule matching result; or,
when the execution searching module is a neural network searching module, matching is carried out in corresponding configuration information based on the network packet information and a network searching strategy of the neural network searching module so as to determine a corresponding classification rule matching result; or,
when the execution searching module is an out-of-order rearrangement module, rearranging the classification rule matching result of the multi-domain network packet based on the out-of-order rearrangement module so that the classification rule matching results are in the same order as the input sequence of the multi-domain network packets, and outputting the rearranged classification rule matching result.
Furthermore, the decision tree searching module is obtained by mapping a decision tree searching process into a multi-stage pipeline structure so as to realize that the network packet information is subjected to step-by-step matching in the multi-stage pipeline structure according to corresponding configuration information to determine a corresponding classification rule matching result; each level of the multi-level pipeline structure is used for processing a corresponding layer in the decision tree searching process; the information transmitted between each stage of pipeline includes network packet information, identification information of the next stage of pipeline structure, address line information corresponding to the node information to be read by the next stage of pipeline structure, and identification information of whether each stage of pipeline structure is used for completing the matching processing task.
Furthermore, the out-of-order rearrangement module carries out congestion control based on a go-back-N mechanism or a selective ACK mechanism so as to realize out-of-order rearrangement processing.
Further, the determining, based on a preset multi-domain network packet classification rule set, configuration information of a lookup engine, and configuring the configuration information into the lookup engine specifically includes:
and compiling the multi-domain network packet classification rule set aiming at the search engine, and configuring configuration information corresponding to a compiling result into the search engine so that the search engine analyzes and processes the input multi-domain network packet according to the configuration information.
Further, the method for classifying and processing multi-domain network packets further includes: and when the classification rules in the multi-domain network packet classification rule set are updated, corresponding updating operation is executed on the search engine.
In a second aspect, the present invention further provides a device for classifying and processing packets in a multi-domain network, including:
the information configuration unit is used for determining configuration information of a search engine based on a preset multi-domain network packet classification rule set and configuring the configuration information into the search engine;
a multi-domain network packet classification unit, configured to input a multi-domain network packet to be processed into the search engine, so as to obtain a corresponding classification rule matching result, and to complete classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top layer search module and an execution search module to a network on chip.
Further, the multi-domain network packet classification unit is specifically configured to:
inputting the acquired network packet information of the multi-domain network packet into a top layer searching module, and sending the processed information to a network on chip based on the top layer searching module so as to determine a corresponding execution searching module according to the information through the network on chip;
the execution searching module is a decision tree searching module, a linear searching module, a neural network searching module or an out-of-order rearrangement module;
when the execution searching module is a decision tree searching module, performing step-by-step matching in corresponding configuration information based on the network packet information and the multi-stage pipeline structure of the decision tree searching module to determine a corresponding classification rule matching result; or,
when the execution searching module is a linear search module, matching is carried out in the configuration information based on the network packet information and a linear search strategy of the linear search module so as to determine a corresponding classification rule matching result; or,
when the execution searching module is a neural network searching module, matching is carried out in the configuration information based on the network packet information and the network searching strategy of the neural network searching module so as to determine a corresponding classification rule matching result; or,
when the execution searching module is an out-of-order rearrangement module, rearranging the classification rule matching result based on a preset congestion control mechanism in the out-of-order rearrangement module so that the classification rule matching results are in the same order as the input sequence of the multi-domain network packets, and outputting the rearranged classification rule matching result.
Furthermore, the decision tree searching module is obtained by mapping a decision tree searching process into a multi-stage pipeline structure so as to realize that the network packet information is subjected to step-by-step matching in the multi-stage pipeline structure according to corresponding configuration information to determine a corresponding classification rule matching result; each level of the multi-level pipeline structure is used for processing a corresponding layer in the decision tree searching process; the information transmitted between each stage of pipeline includes network packet information, identification information of the next stage of pipeline structure, address line information corresponding to the node information to be read by the next stage of pipeline structure, and identification information of whether each stage of pipeline structure is used for completing the matching processing task.
Furthermore, the out-of-order rearrangement module carries out congestion control based on a go-back-N mechanism or a selective ACK mechanism so as to realize out-of-order rearrangement processing.
Further, the information configuration unit is specifically configured to:
and compiling the multi-domain network packet classification rule set aiming at the search engine, and configuring configuration information corresponding to a compiling result into the search engine so that the search engine analyzes and processes the input multi-domain network packet according to the configuration information.
Further, the apparatus for classifying and processing packets in a multi-domain network further includes: and the rule updating processing module is used for executing corresponding updating operation on the search engine when the classification rules in the multi-domain network packet classification rule set are updated.
In a third aspect, the present invention also provides an electronic device, including: the device comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to realize the steps of the multi-domain network packet classification processing method according to any one of the above items.
In a fourth aspect, the present invention further provides a processor-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the multi-domain network packet classification processing method according to any one of the above items.
According to the multi-domain network packet classification processing method provided by the invention, the input multi-domain network packets are classified by the search engine, so that the classification time delay is reduced, the throughput speed of network packet classification is improved, and meanwhile, the free configuration of the search engine module can be carried out according to the network on chip to adapt to different network packet classification requirements, so that the multi-domain network packet classification capability with stability, high throughput and low time delay is provided.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a multi-domain network packet classification processing method according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an application architecture of a multi-domain network packet classification processing method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a circuit structure model of a lookup engine provided by an embodiment of the invention;
FIG. 4 is a schematic diagram of a circuit structure of a decision tree lookup module according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a circuit structure of an out-of-order rearrangement module according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating a decision tree for a multi-domain packet classification rule set according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a multi-domain network packet classification processing apparatus according to an embodiment of the present invention;
fig. 8 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The multi-domain network packet classification processing method can be applied to various kinds of network policy matching, such as access control list (ACL) rule matching, Quality of Service (QoS) rule matching, firewall (FW) rule matching and service chain (IPC, IP Chain) rule matching, and can also be applied to OpenFlow packet header matching in software-defined networks and to custom packet header matching engines in modern programmable switches. Note that the multi-domain packet classification problem generally means that the search engine selects, from all rules in a preset rule set, the highest-priority classification rule that matches the input multi-domain packet. For example, a typical multi-domain network packet classification rule set is shown in Table 1, where each row represents one classification rule. Taking classification rule R3 as an example, R3 represents the set of multi-domain network packets whose source IP address is in the subnet 95.105.142.0/23, whose destination IP address is 193.4.164.231/32, whose source port number is 0-65535 (i.e. any 16-bit port number), whose destination port number is 0-65535, and whose protocol number is 6 (the TCP protocol number). If the input multi-domain network packet X has source IP address 95.105.142.3, destination IP address 193.4.164.231, source port number 1000, destination port number 32, and the TCP protocol (as shown in Table 2), then X lies in the region described by classification rule R3, i.e. X matches R3. Similarly, X matches neither classification rule R1 nor classification rule R2.
Therefore, the highest-priority classification rule matching X is R3; that is, the final classification rule matching result of X on the multi-domain network packet classification rule set is R3.
Table 1: typical multi-domain network packet classification rule set
[Table 1 is an image in the original publication and is not reproduced here.]
Table 2: example of packet header
[Table 2 is an image in the original publication and is not reproduced here.]
The following describes an embodiment of the multi-domain network packet classification processing method based on the present invention in detail. As shown in fig. 1, which is a schematic flow chart of a multi-domain network packet classification processing method provided in the embodiment of the present invention, a specific implementation process includes the following steps:
step 101: determining configuration information of a search engine based on a preset multi-domain network packet classification rule set, and configuring the configuration information into the search engine.
In the embodiment of the present invention, a circuit structure model of the lookup engine needs to be determined before this step is executed. The lookup engine may be implemented with an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit), and its design architecture is shown in Fig. 3. The core of the circuit structure model is a network on chip: the top layer search module, the decision tree search module and the linear search module are connected to the network on chip to obtain the circuit structure model.
As shown in Fig. 2, the invention may be implemented by a system consisting of a processor, a lookup engine and a system bus. The processor compiles the multi-domain network packet classification rule set into configuration information for the search engine, and the configuration information is delivered to the search engine over the system bus. The search engine reads network packet information such as network packet headers and, based on the configuration information, outputs the classification rule matching result for each multi-domain network packet. When rules are updated, the processor can also obtain the rule update and direct the search engine to perform the corresponding update operation. Because rule processing is carried out by the processor, which directly guides the update of the hardware module, the hardware module of the search engine does not need to handle classification rule updates itself, which reduces the complexity of the hardware module. The system bus may be a conventional, existing standard bus (PCIe) and is not specifically limited here.
In this step, the multi-domain network packet classification rule set may be compiled for the search engine, and the configuration information corresponding to the compilation result is configured in the search engine, so that the search engine can analyze and process the input multi-domain network packet according to the configuration information. The multi-domain network packet classification rule set may include an access control rule, a quality of service rule, a firewall rule, a service chain rule, and the like.
Step 102: inputting a multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result so as to finish classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top layer search module and an execution search module to a network on chip. The search engine matches the network packet information read from the multi-domain network packet against the configuration information to obtain a classification rule matching result and classifies the multi-domain network packet accordingly.
In the implementation of the invention, the acquired network packet information of the multi-domain network packet can be input into the top layer search module, which processes it and sends the resulting information to the network on chip, so that the network on chip determines the corresponding execution search module from that information. The execution search module can comprise a decision tree search module, a linear search module or a neural network search module, and an out-of-order rearrangement module. When the execution search module is a decision tree search module, step-by-step matching is performed in the corresponding configuration information based on the network packet information and the multi-stage pipeline structure of the decision tree search module to determine the corresponding classification rule matching result; or, when the execution search module is a linear search module, matching is performed in the configuration information based on the network packet information and the linear search strategy of the linear search module to determine the corresponding classification rule matching result; or, when the execution search module is a neural network search module, matching is performed in the configuration information based on the network packet information and the network search strategy of the neural network search module to determine the corresponding classification rule matching result; or, when the execution search module is an out-of-order rearrangement module, the classification rule matching results of the multi-domain network packets are rearranged by the out-of-order rearrangement module so that they are in the same order as the input sequence of the multi-domain network packets, and the rearranged classification rule matching results are output.
Specifically, the search engine classifies the network packet information (i.e. network packet header information) read from a multi-domain network packet as follows: (1) The network packet information is input into the top layer search module, which processes it and sends the resulting information to the network on chip (the on-chip switching network). (2) The network on chip determines the subsequent processing module A1 for the network packet information according to the information from the top layer search module. A1 may be a decision tree search module, a neural network search module, a linear search module, or an out-of-order rearrangement module. (3) If A1 is not the out-of-order rearrangement module, then when the packet leaves A1 the next processing module A2 is designated; the forwarding of the network packet information is carried out by the network on chip. A2 may also be a decision tree search module, a neural network search module, a linear search module, or an out-of-order rearrangement module. (4) If A2 is not an out-of-order rearrangement module, step (3) is repeated. (5) If A2 is the out-of-order rearrangement module, the classification rule matching results of the multi-domain network packets are rearranged by the out-of-order rearrangement module so that they are consistent with the input sequence of the multi-domain network packets; finally, the multi-domain network packet and its classification rule matching result are output from the out-of-order rearrangement module.
By connecting various search modules (such as a decision tree search module, a linear search module, a neural network search module and an out-of-order rearrangement module) by using the on-chip network, a more free and flexible search processing process can be realized. The linear search module and the neural network search module can be realized by using a circuit design corresponding to a tree-shaped label classification manager (TabTree) in the prior art and a search strategy thereof.
Aiming at the decision tree searching module, the invention makes additional circuit design. The decision tree searching module is obtained by mapping a decision tree searching process into a multi-stage pipeline structure so as to realize step-by-step matching of the network packet information in the multi-stage pipeline structure according to corresponding configuration information and determine a corresponding classification rule matching result. Each level of the multi-level pipeline structure is used for processing a corresponding layer in the decision tree searching process; the information transmitted between each stage of pipeline includes network packet information, identification information of the next stage of pipeline structure, address line information corresponding to the node information to be read by the next stage of pipeline structure, and identification information of whether each stage of pipeline structure is used for completing the matching processing task.
Specifically, Fig. 4 shows the circuit structure of the decision tree search module of the present invention. It maps the decision tree lookup process onto a multi-level pipeline structure (Layer 0, Layer 1, ..., Layer D in Fig. 4 each represent one pipeline level), where each pipeline level processes one level of the decision tree lookup. Four kinds of information are passed between pipeline levels: pkt_header, layer_id, ram_id and found_in. Using this pipeline architecture improves the flexibility of hardware execution, so that it can better fit various decision tree shapes. pkt_header is the network packet information necessary for rule lookup, for example the source IP (Internet Protocol) address, protocol number, VLAN (Virtual Local Area Network) number and packet ID of the multi-domain packet. layer_id is the identification information of the next pipeline level (i.e. the layer id). ram_id is the address line information corresponding to the node information to be read by the next pipeline level (i.e. the address from which that layer reads its node information). found_in is the identification information indicating whether the pipeline levels have completed the matching task, and is used to judge whether the decision tree search module has finished processing.
In each pipeline level, the processing procedure of the decision tree lookup module (decision tree lookup engine) comprises the following steps: (1) Judge whether the input layer_id equals the id of this layer; if not, the incoming network packet information is not to be processed by this layer, so the input is copied to the output and passed to the next layer, and the computation of this layer ends. (2) Judge whether the found_in signal is true; if so, the lookup task in the decision tree search module has been completed, and the input is copied directly to the output and passed on. (3) If the input layer_id is the id of this level and the found_in signal is false, the decision tree search module reads the node information from the specified address (the input ram_id signal) and uses the node information and the corresponding network packet information to compute the processing result: whether to end the lookup in the decision tree search module (found_in), and the location of the next node to read (which layer it is in and which address within that layer). The module that performs this computation on node information and network packet information is the Node Engine module, which can be freely configured for different types of decision tree algorithms. In a specific implementation, by adding nop operations (null operations), the decision tree search engine can pipeline the computation while still selecting the position at which the next operation is executed.
In addition, the out-of-order rearrangement module performs congestion control based on a go-back-N mechanism or a selective ACK mechanism to realize out-of-order rearrangement. Specifically, as shown in Fig. 5, the out-of-order rearrangement module uses RAM to store elements, each element being stored at one address in RAM. When an element is inserted, it is written directly to the corresponding address (Push in). For sequential output, a circuit reads the elements cyclically in order. Because wiring and similar factors add latency to data reads, the invention reads in a go-back-N manner to eliminate the effect of that latency. The reading steps are as follows:
(1) Maintain ind_m, the highest sequence number among all elements that have successfully left the queue, and ind_l, the last address command sent to the RAM.
(2) When the RAM returns the element for address ind_r: if ind_r = ind_m + 1 and the read succeeded (the element is not empty), in other words the next element to output is exactly ind_r, then update ind_m = ind_m + 1 and ind_l = ind_l + 1, send the new ind_l to the RAM, and continue reading onward. If the read fails (ind_r ≠ ind_m + 1) or the element is empty, compare ind_r and ind_l: if ind_r ≥ ind_m + (number of delay clock cycles), update ind_l = ind_m + 1; otherwise update ind_l = ind_l + 1. In both cases send the new ind_l to the RAM.
Note that the out-of-order rearrangement module treats the issuer of the read signal as the sender and the RAM as the receiver; a successful element read is regarded as an ACK for the corresponding sequence number. This achieves a read speed close to the full clock frequency. The out-of-order rearrangement module described here is designed with a go-back-N mechanism; if the delay is small and the circuit has enough register space, the selective ACK mechanism may also be used, which is not specifically limited herein.
By using the go-back-N or selective ACK congestion control mechanism, high-speed order-preserving reads can be achieved, thereby realizing fast out-of-order rearrangement.
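The read rule above, as a cycle-level behavioural model. This is an added example, not the patent's circuit; it assumes a pipelined RAM with a fixed read latency of `delay` clocks, one read command per clock, a pipeline primed with reads of addresses 0..delay-1, and RAM address equal to sequence number (no wrap-around). The function name and the arrival schedule are constructed.

```python
from collections import deque


def reorder(arrivals, total, delay, max_ticks=10_000):
    """Simulate the go-back-N reader of the out-of-order rearrangement module.

    arrivals: {clock tick: [(sequence number, element), ...]} (constructed input)
    total:    number of elements expected
    delay:    RAM read latency in clocks (the "number of delay clock cycles")
    Returns (elements in output order, clocks used, number of go-back events).
    """
    ram = {}
    for seq, elem in arrivals.get(0, []):
        ram[seq] = elem                      # "Push in": write at own address

    # In-flight reads, oldest first. Each entry is (address, data sampled when
    # the command was issued). Assumption: primed with addresses 0..delay-1.
    pipe = deque((a, ram.get(a)) for a in range(delay))
    ind_m = -1            # highest sequence number that has left the queue
    ind_l = delay - 1     # last address command sent to the RAM
    out, go_backs, tick = [], 0, 0

    while len(out) < total and tick < max_ticks:
        tick += 1
        for seq, elem in arrivals.get(tick, []):
            ram[seq] = elem

        ind_r, elem = pipe.popleft()         # response returned by the RAM
        if ind_r == ind_m + 1 and elem is not None:
            out.append(elem)                 # successful read acts as the ACK
            ind_m += 1
            ind_l += 1
        elif ind_r >= ind_m + delay:
            ind_l = ind_m + 1                # window exhausted: go back
            go_backs += 1
        else:
            ind_l += 1                       # keep reading onward
        pipe.append((ind_l, ram.get(ind_l))) # send the new ind_l to the RAM

    return out, tick, go_backs


if __name__ == "__main__":
    # Constructed schedule: results arrive in the order 2, 0, 1, 4, 3, 5.
    late = {0: [(2, "r2")], 1: [(0, "r0")], 2: [(1, "r1")],
            3: [(4, "r4")], 4: [(3, "r3")], 5: [(5, "r5")]}
    print(reorder(late, total=6, delay=3))
    # All six results already present: one element leaves per clock.
    print(reorder({0: [(i, f"r{i}") for i in range(6)]}, total=6, delay=3))
```

An element is emitted only when the returned address equals ind_m + 1, so duplicate responses left in the pipeline after a go-back are discarded rather than output twice.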
The following describes specific embodiments of the present invention in further detail, taking an intelligent network card as an example. A configurable FPGA (field programmable gate array) arranged on an intelligent network card (such as Alveo) serves as the acceleration module, and the FPGA can be inserted into a standard PCIe (Peripheral Component Interconnect Express) bus slot of a server to communicate with the CPU (central processing unit) of the server.
For the multi-domain packet classification rule set shown in table 1 above, the decision tree shown in fig. 6 can be constructed. Different decision trees can be constructed by using different algorithms, and the number of rules at the internal nodes and the leaf nodes of the decision trees is different. The decision tree of fig. 5 is taken as an example below. The decision tree has 4 internal nodes and 7 leaf nodes. In the case that a single classification rule R7 exists in a leaf node, the leaf node does not need to perform further linear matching search on the network packet, and can directly output the result as the classification rule R7 (because the classification rule R7 can match any multi-domain network packet).
As shown in Table 3, the module names correspond to the names in the diagrams of Fig. 3 and Fig. 4. The multi-domain network packets in Table 2 are used as input. When the multi-domain network packet X is looked up, the specific steps are as follows:
(1) The multi-domain network packet X enters Layer0, which directly reads the node at position 0 and computes the output layer_id (the id of the next layer) and ram_id (the address of the next node) from the node information and the network packet information. Since srcIP[0] of the multi-domain network packet X is 0, the output is <L1, 0>.
(2) The multi-domain network packet advances to the next pipeline stage with the clock and reaches Layer1. At this point the input layer_id is L1 and ram_id is 0. The Node Engine on Layer1 finds that layer_id is the id of this level and reads the node at address 0, i.e. T2. According to the information of T2 and the packet information of the multi-domain network packet X, since the protocol number of X is 6 and is not equal to 1, the output is <L2, 1>. Processing on the Layer1 pipeline stage ends.
(3) The multi-domain network packet continues to Layer2, which similarly reads the node at address 1, i.e. T5. Since dstIP[14:15] of the multi-domain network packet X is 0, <linear lookup, 3> is output.
(4) The multi-domain network packet X enters Layer3, which finds that layer_id is not equal to the id of the current level, so the packet is not processed and the output remains <linear lookup, 3>. The multi-domain network packet X therefore has its input copied directly to the output in each subsequent layer (i.e. each pipeline stage) of the decision tree searching module until it reaches the network on chip.
(5) The network packet information is forwarded to the linear search module through the network on chip according to the address requirement of the network on chip.
(6) The linear lookup module reads the leaf node at address 3, i.e. N4, and then searches the rules {R3, R7} in parallel, finding that both R3 and R7 match. Taking the priority requirement into account, the final matching result is R3, which is sent to the out-of-order rearrangement module.
The following takes the multi-domain network packet Y in Table 2 as an example. The specific lookup steps for the multi-domain network packet Y are:
(1) The multi-domain network packet Y enters Layer0, and the output <L1, 1> is computed from the information of T1 and the srcIP of the multi-domain network packet Y being 1.
(2) The multi-domain network packet Y enters Layer1, and the output <linear lookup, 1> is computed from the T3 information and the protocol number of Y being 6.
(3) The multi-domain network packet Y enters Layer2; since the linear lookup target does not match the id of the current layer, the input is passed to the output unchanged.
(4) The multi-domain network packet Y has its input copied to the output in each subsequent layer (i.e. each pipeline stage) of the decision tree searching module until it is output to the network on chip.
(5) The network packet information is forwarded to the linear search module through the network on chip according to the address requirement.
(6) Based on the N2 information read by the linear search module, the rules {R1, R6, R7} are compared in parallel, and taking priority into account the final matching result is R1.
Table 3: Configuration of the hardware classification module (the table is an image in the original publication and is not reproduced here)
The following takes the configuration in Table 4 and the multi-domain network packet Z in Table 2 as an example. The specific lookup steps for the multi-domain network packet Z are:
(1) The multi-domain network packet Z enters Layer0, and the output <L1, 1> is computed from the information of T1 and the srcIP of the multi-domain network packet Z being 1.
(2) The multi-domain network packet Z enters Layer1, and the output <L2, 2> is computed from the T3 information and the protocol number of the multi-domain network packet Z being 0x11.
(3) The multi-domain network packet Z enters Layer2, and according to the T6 information the matching result R7 is obtained directly.
(4) The multi-domain network packet Y has its input copied to the output in each subsequent layer (i.e. each pipeline stage) of the decision tree searching module until it is output to the network on chip.
(5) The network packet information is forwarded directly to the out-of-order rearrangement module through the network on chip according to the address requirement, without passing through a linear search module.
Table 4: Alternative configuration of the hardware classification module (the table is an image in the original publication and is not reproduced here)
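The three walk-throughs above (packets X and Y under the Table 3 configuration, packet Z under Table 4), replayed on a behavioural model of the clocked pipeline. This is an added example, not the patent's circuit: the node tables hold only the branches the text states, and the LINEAR/REORDER target encodings, the four-layer depth, the packet field names and all function names are assumptions.

```python
LINEAR = "LINEAR"    # hand-off to the linear search module (assumed encoding)
REORDER = "REORDER"  # hand-off to the out-of-order module (assumed encoding)

# Constructed packet headers: only the fields the walk-throughs mention.
PKT_X = {"id": "X", "srcIP[0]": 0, "proto": 6, "dstIP[14:15]": 0}
PKT_Y = {"id": "Y", "srcIP[0]": 1, "proto": 6}
PKT_Z = {"id": "Z", "srcIP[0]": 1, "proto": 0x11}

# A node is (field, {field value: (layer_id, ram_id)}, default branch).
# None marks a branch the page does not give; field None means "no test".
T1 = ("srcIP[0]", {0: (1, 0), 1: (1, 1)}, None)
T2 = ("proto", {1: None}, (2, 1))             # proto != 1 -> <L2, 1>
T3_TABLE3 = ("proto", {6: (LINEAR, 1)}, None)
T3_TABLE4 = ("proto", {0x11: (2, 2)}, None)
T5 = ("dstIP[14:15]", {0: (LINEAR, 3)}, None)
T6 = (None, {}, (REORDER, "R7"))              # result R7 obtained directly

# Per-layer node RAM: {layer id: {ram_id: node}}. Depth of 4 is an assumption.
TABLE3 = {0: {0: T1}, 1: {0: T2, 1: T3_TABLE3}, 2: {1: T5}, 3: {}}
TABLE4 = {0: {0: T1}, 1: {1: T3_TABLE4}, 2: {2: T6}, 3: {}}


def node_engine(node, pkt):
    """Compute (layer_id, ram_id, found) from one node and the packet header."""
    field, cases, default = node
    nxt = cases.get(pkt[field], default) if field else default
    if nxt is None:
        raise LookupError(f"branch not given on the page: {field}={pkt[field]}")
    layer_id, ram_id = nxt
    # Assumption: found is raised whenever the tree search ends with a hand-off.
    return layer_id, ram_id, layer_id in (LINEAR, REORDER)


def stage(layer, ram, sig):
    """One pipeline layer; sig = (pkt_header, layer_id, ram_id, found_in)."""
    pkt, layer_id, ram_id, found_in = sig
    if layer_id != layer:          # step (1): not addressed to this layer
        return sig
    if found_in:                   # step (2): lookup already finished
        return sig
    return (pkt, *node_engine(ram[ram_id], pkt))   # step (3)


def run_pipeline(config, packets):
    """Feed one packet per clock; return [(packet id, target, address, exit clock)]."""
    depth = len(config)
    regs = [None] * depth          # regs[i]: signals at the input of Layer i
    feed, done, clock = list(packets), [], 0
    while feed or any(r is not None for r in regs):
        clock += 1
        out = [stage(i, config[i], r) if r is not None else None
               for i, r in enumerate(regs)]
        if out[-1] is not None:    # leaves the last layer for the network on chip
            pkt, layer_id, ram_id, _found = out[-1]
            done.append((pkt["id"], layer_id, ram_id, clock))
        # Layer0 always starts at node address 0 with found_in false.
        head = (feed.pop(0), 0, 0, False) if feed else None
        regs = [head] + out[:-1]
    return done


if __name__ == "__main__":
    print(run_pipeline(TABLE3, [PKT_X, PKT_Y]))
    print(run_pipeline(TABLE4, [PKT_Z]))
```

Packets X and Y leave the last layer on consecutive clocks, which is the point of mapping tree levels to pipeline stages: latency is fixed by the depth while throughput stays at one packet per clock.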
The embodiment of the invention is based on hardware offloading. It separates the analysis and compilation of the multi-domain network packet classification rule set from the network packet classification lookup process, provides a hardware circuit structure model based on decoupling of the classification structure and flexible scheduling of substructures, and provides lookup modules (such as a top layer searching module, a decision tree searching module, a linear searching module, a neural network searching module and an out-of-order rearrangement module) that can be freely combined within the circuit structure model, so that the network packet classification function can be realized by flexibly combining various algorithms. The method can be applied to network intermediate equipment such as hardware switches, hardware firewalls and hardware intrusion detection systems in operator networks, data center networks and enterprise networks. It can also be applied, together with an intelligent network card, to end-side servers, providing users with a stable, high-throughput, low-latency multi-domain network packet classification function while saving engine hardware overhead.
By adopting the multi-domain network packet classification processing method provided by the embodiment of the invention, the input multi-domain network packets are classified by the search engine, so that the classification time delay is reduced, the throughput speed of network packet classification is improved, and meanwhile, the free configuration of the search engine module can be carried out according to the network on chip to adapt to different network packet classification requirements, thereby providing the multi-domain network packet classification capability with stability, high throughput and low time delay.
Corresponding to the multi-domain network packet classification processing method, the invention also provides a multi-domain network packet classification processing device. Since the embodiment of the apparatus is similar to the above method embodiment, the description is relatively simple, and please refer to the description of the above method embodiment, and the following embodiment of the multi-domain packet classification processing apparatus is only exemplary. Fig. 7 is a schematic structural diagram of a multi-domain network packet classification processing apparatus according to an embodiment of the present invention.
The multi-domain network packet classification processing device specifically comprises the following parts:
an information configuration unit 701, configured to determine configuration information of a lookup engine based on a preset multi-domain network packet classification rule set, and configure the configuration information into the lookup engine;
a multi-domain network packet classifying unit 702, configured to input a multi-domain network packet to be processed into the search engine, so as to obtain a corresponding classification rule matching result, so as to complete classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top layer search module and an execution search module to a network on chip.
Further, the multi-domain network packet classification unit is specifically configured to:
inputting the acquired network packet information of the multi-domain network packet into a top layer searching module, and sending the processed information to a network on chip based on the top layer searching module so as to determine a corresponding execution searching module according to the information through the network on chip;
the execution searching module can be a decision tree searching module, a linear searching module, a neural network searching module or an out-of-order rearrangement module;
when the execution searching module is a decision tree searching module, performing step-by-step matching in corresponding configuration information based on the network packet information and the multi-stage pipeline structure of the decision tree searching module to determine a corresponding classification rule matching result; or,
when the execution searching module is a linear search module, matching is carried out in the configuration information based on the network packet information and a linear search strategy of the linear search module so as to determine a corresponding classification rule matching result; or,
when the execution searching module is a neural network searching module, matching is carried out in the configuration information based on the network packet information and the network searching strategy of the neural network searching module so as to determine a corresponding classification rule matching result; or,
when the execution searching module is an out-of-order rearrangement module, rearranging the classification rule matching results of the multi-domain network packets based on the out-of-order rearrangement module so that the order of the classification rule matching results is the same as the input order of the multi-domain network packets, and outputting the rearranged classification rule matching results.
Furthermore, the decision tree searching module is obtained by mapping the decision tree searching process into a multi-stage pipeline structure; each level of the multi-level pipeline structure is used for processing a corresponding layer in the decision tree searching process; the information transmitted between each stage of pipeline includes network packet information, identification information of the next stage of pipeline structure, address line information corresponding to the node information to be read by the next stage of pipeline structure, and identification information of whether each stage of pipeline structure is used for completing the matching processing task.
Furthermore, the out-of-order rearrangement module carries out congestion control based on a go-back-N mechanism or a selective ACK mechanism so as to realize out-of-order rearrangement processing.
Further, the information configuration unit is specifically configured to:
compiling the multi-domain network packet classification rule set for the search engine, and configuring the configuration information corresponding to the compilation result into the search engine, so that the search engine analyzes and processes the input multi-domain network packets according to the configuration information.
Further, the search engine is configured to perform rule matching based on the network packet information read from the multi-domain network packet and the configuration information to obtain a classification rule matching result, and perform classification processing on the multi-domain network packet.
Further, the multi-domain network packet classification processing apparatus further includes a rule updating processing module, configured to perform the corresponding update operation on the search engine when the classification rules in the multi-domain network packet classification rule set are updated.
By adopting the multi-domain network packet classification processing device provided by the embodiment of the invention, the input multi-domain network packets are classified by the search engine, so that the classification time delay is reduced, the throughput speed of network packet classification is improved, and meanwhile, the free configuration of the search engine module can be carried out according to the network on chip to adapt to different network packet classification requirements, thereby providing the multi-domain network packet classification capability with stability, high throughput and low time delay.
Corresponding to the multi-domain network packet classification processing method, the invention also provides electronic equipment. Since the embodiment of the electronic device is similar to the above method embodiment, the description is simple, and please refer to the description of the above method embodiment, and the electronic device described below is only schematic. Fig. 8 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention. The electronic device may include: a processor (processor)801, a memory (memory)802, a communication bus 803 (i.e. the system bus), and a lookup engine 805, wherein the processor 801 and the memory 802 communicate with each other through the communication bus 803 and communicate with the outside through a communication interface 804. The processor 801 may invoke logic instructions in the memory 802 to perform a multi-domain packet classification processing method comprising: determining configuration information of a search engine based on a preset multi-domain network packet classification rule set, and configuring the configuration information into the search engine; inputting a multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result so as to finish classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top layer search module and an execution search module to a network on chip.
Furthermore, the logic instructions in the memory 802 may be implemented in software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a Memory chip, a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In another aspect, an embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program stored on a processor-readable storage medium, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer is capable of executing the multi-domain network packet classification processing method provided by the above-mentioned method embodiments. The method comprises the following steps: determining configuration information of a search engine based on a preset multi-domain network packet classification rule set, and configuring the configuration information into the search engine; inputting a multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result so as to finish classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top layer search module and an execution search module to a network on chip.
In still another aspect, an embodiment of the present invention further provides a processor-readable storage medium, where a computer program is stored on the processor-readable storage medium, and when the computer program is executed by a processor, the computer program is implemented to perform the multi-domain network packet classification processing method provided in the foregoing embodiments. The method comprises the following steps: determining configuration information of a search engine based on a preset multi-domain network packet classification rule set, and configuring the configuration information into the search engine; inputting a multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result so as to finish classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top layer search module and an execution search module to a network on chip.
The processor-readable storage medium can be any available medium or data storage device that can be accessed by a processor, including, but not limited to, magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs)), etc.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A multi-domain network packet classification processing method is characterized by comprising the following steps:
determining configuration information of a search engine based on a preset multi-domain network packet classification rule set, and configuring the configuration information into the search engine;
inputting a multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result so as to complete classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top search module and an execution search module to a network on chip.
2. The method according to claim 1, wherein the step of inputting the multi-domain network packet to be processed into the search engine to obtain a corresponding classification rule matching result includes:
inputting the acquired network packet information of the multi-domain network packet into a top layer searching module, and sending the processed information to a network on chip based on the top layer searching module so as to determine a corresponding execution searching module according to the information through the network on chip; the execution searching module is a decision tree searching module, a linear searching module, a neural network searching module or an out-of-order rearrangement module;
when the execution searching module is a decision tree searching module, performing step-by-step matching in corresponding configuration information based on the network packet information and the multi-stage pipeline structure of the decision tree searching module to determine a corresponding classification rule matching result; or,
when the execution searching module is a linear search module, matching in corresponding configuration information based on the network packet information and a linear search strategy of the linear search module to determine a corresponding classification rule matching result; or,
when the execution searching module is a neural network searching module, matching is carried out in corresponding configuration information based on the network packet information and a network searching strategy of the neural network searching module so as to determine a corresponding classification rule matching result; or,
when the execution searching module is an out-of-order rearrangement module, rearranging the classification rule matching results based on a preset congestion control mechanism in the out-of-order rearrangement module so that the order of the classification rule matching results is the same as the input order of the multi-domain network packets, and outputting the rearranged classification rule matching results.
3. The method as claimed in claim 1, wherein the decision tree lookup module maps a decision tree lookup process to a multi-stage pipeline structure, so as to implement a step-by-step matching of the network packet information in the multi-stage pipeline structure according to corresponding configuration information to determine a corresponding classification rule matching result;
each level of the multi-level pipeline structure is used for processing a corresponding layer in the decision tree searching process; the information transmitted between each stage of pipeline includes network packet information, identification information of the next stage of pipeline structure, address line information corresponding to the node information to be read by the next stage of pipeline structure, and identification information of whether each stage of pipeline structure is used for completing the matching processing task.
4. The method as claimed in claim 2, wherein the out-of-order reordering module performs congestion control based on go-back-N mechanism or selective ACK mechanism to achieve out-of-order reordering.
5. The method according to claim 1, wherein the determining configuration information of a lookup engine based on a preset multi-domain network packet classification rule set and configuring the configuration information into the lookup engine specifically includes:
compiling the multi-domain network packet classification rule set for the search engine, and configuring the configuration information corresponding to the compilation result into the search engine, so that the search engine analyzes and processes the input multi-domain network packets according to the configuration information.
6. The method for classifying packets in a multi-domain network according to claim 1, further comprising: when the classification rules in the multi-domain network packet classification rule set are updated, performing the corresponding update operation on the search engine.
7. A multi-domain network packet classification processing device is characterized by comprising:
the information configuration unit is used for determining configuration information of a search engine based on a preset multi-domain network packet classification rule set and configuring the configuration information into the search engine;
a multi-domain network packet classification unit, configured to input a multi-domain network packet to be processed into the search engine, so as to obtain a corresponding classification rule matching result, so as to complete classification processing of the multi-domain network packet based on the classification rule matching result; the search engine is a circuit structure model obtained by connecting a top search module and an execution search module to a network on chip.
8. The device according to claim 7, wherein the multi-domain packet classifying unit is specifically configured to:
inputting the acquired network packet information of the multi-domain network packet into a top layer searching module, and sending the processed information to a network on chip based on the top layer searching module so as to determine a corresponding execution searching module according to the information through the network on chip; the execution searching module is a decision tree searching module, a linear searching module, a neural network searching module or an out-of-order rearrangement module;
when the execution searching module is a decision tree searching module, performing step-by-step matching in corresponding configuration information based on the network packet information and the multi-stage pipeline structure of the decision tree searching module to determine a corresponding classification rule matching result; or,
when the execution searching module is a linear search module, matching is carried out in the configuration information based on the network packet information and a linear search strategy of the linear search module so as to determine a corresponding classification rule matching result; or,
when the execution searching module is a neural network searching module, matching is carried out in the configuration information based on the network packet information and the network searching strategy of the neural network searching module so as to determine a corresponding classification rule matching result; or,
when the execution searching module is an out-of-order rearrangement module, rearranging the classification rule matching results based on a preset congestion control mechanism in the out-of-order rearrangement module so that the order of the classification rule matching results is the same as the input order of the multi-domain network packets, and outputting the rearranged classification rule matching results.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the multi-domain network packet classification processing method according to any one of claims 1 to 6 when executing the computer program.
10. A processor-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the multi-domain network packet classification processing method according to any one of claims 1 to 6.
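A software model of the flow in claim 8, added here as an example and not taken from the patent: a dispatcher hands each packet to a linear or decision tree search engine, and a reorder stage releases the results in input order. The rule format, dispatch policy, engine latencies and all names are assumptions; the neural network module, the network on chip and the congestion control mechanism are not modelled.

```python
import heapq

# Constructed rule set: (rule_id, priority, {field: (low, high)}); lowest priority value wins.
RULES = [
    ("allow-dns", 1, {"proto": (17, 17), "dport": (53, 53)}),
    ("allow-web", 2, {"proto": (6, 6), "dport": (80, 443)}),
    ("deny-all", 9, {}),                      # no field constraints: matches everything
]
# Constructed packets, in arrival order.
PACKETS = [
    {"proto": 6, "dport": 443}, {"proto": 17, "dport": 53},
    {"proto": 17, "dport": 123}, {"proto": 6, "dport": 22},
]

def linear_search(pkt, rules=RULES):
    """Linear search module: test every rule, return the best-priority match."""
    hits = [(prio, rid) for rid, prio, fields in rules
            if all(lo <= pkt[k] <= hi for k, (lo, hi) in fields.items())]
    return min(hits)[1] if hits else None

def tree_search(pkt, rules=RULES):
    """Decision tree search module, two stages: cut on proto, then search the leaf."""
    leaf = [r for r in rules if "proto" not in r[2]
            or r[2]["proto"][0] <= pkt["proto"] <= r[2]["proto"][1]]
    return linear_search(pkt, leaf)

# Assumed per-engine latency in cycles; unequal latency is what causes reordering.
ENGINES = {"tree": (tree_search, 3), "linear": (linear_search, 1)}

def classify_stream(packets):
    """Return (completion_order, output); output is restored to input order."""
    in_flight = []                            # min-heap of (finish_cycle, seq, rule_id)
    for seq, pkt in enumerate(packets):
        engine = "tree" if pkt["proto"] == 6 else "linear"   # assumed dispatch policy
        search, latency = ENGINES[engine]
        heapq.heappush(in_flight, (seq + latency, seq, search(pkt)))
    completion, output, pending, expected = [], [], {}, 0
    while in_flight:
        _, seq, rule_id = heapq.heappop(in_flight)
        completion.append(seq)
        pending[seq] = rule_id                # hold results that finished early
        while expected in pending:            # release strictly in input sequence
            output.append((expected, pending.pop(expected)))
            expected += 1
    return completion, output

if __name__ == "__main__":
    print(classify_stream(PACKETS))
```

Packet 1 finishes before packet 0 because the linear engine is faster in this model, yet the output list is still in arrival order, which is the property a downstream firewall or ACL stage depends on.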
CN202210080521.7A 2022-01-24 2022-01-24 Multi-domain network packet classification processing method and device Pending CN114492621A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210080521.7A CN114492621A (en) 2022-01-24 2022-01-24 Multi-domain network packet classification processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210080521.7A CN114492621A (en) 2022-01-24 2022-01-24 Multi-domain network packet classification processing method and device

Publications (1)

Publication Number Publication Date
CN114492621A true CN114492621A (en) 2022-05-13

Family

ID=81474037

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210080521.7A Pending CN114492621A (en) 2022-01-24 2022-01-24 Multi-domain network packet classification processing method and device

Country Status (1)

Country Link
CN (1) CN114492621A (en)

Similar Documents

Publication Publication Date Title
US11418632B2 (en) High speed flexible packet classification using network processors
US7246102B2 (en) Method of improving the lookup performance of three-type knowledge base searches
US8051085B1 (en) Determining regular expression match lengths
US8165125B2 (en) Apparatus and method of classifying packets
US8014390B2 (en) Policy based routing using a fast filter processor
US7237058B2 (en) Input data selection for content addressable memory
US7177978B2 (en) Generating and merging lookup results to apply multiple features
US20100067535A1 (en) Packet Router Having Improved Packet Classification
US10944675B1 (en) TCAM with multi region lookups and a single logical lookup
US8352391B1 (en) Fast update filter
US20050021491A1 (en) Apparatus and method for classifier identification
US10397116B1 (en) Access control based on range-matching
US7554984B2 (en) Fast filter processor metering and chaining
US8555374B2 (en) High performance packet processing using a general purpose processor
US8024787B2 (en) Packet firewalls of particular use in packet switching devices
US10277511B2 (en) Hash-based packet classification with multiple algorithms at a network processor
US10623316B2 (en) Scaling of switching tables with high bandwidth
US9093151B2 (en) Programmable regular expression and context free grammar matcher
US6961808B1 (en) Method and apparatus for implementing and using multiple virtual portions of physical associative memories
CN114492621A (en) Multi-domain network packet classification processing method and device
US20070255676A1 (en) Methods and apparatus for performing tree-based processing using multi-level memory storage
US20150003237A1 (en) Traffic Data Pre-Filtering
US7523251B2 (en) Quaternary content-addressable memory
US20220141136A1 (en) Optimizing entries in a contentaddressable memory of a network device
EP3809639A1 (en) Network processing device and networks processing method of communication frames

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination