JP2007005910A - Network processing apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a network processing apparatus capable of achieving a packet filter function with a small memory capacity without deteriorating the utilizing efficiency of the memory. <P>SOLUTION: Comparison data of parameters such as IP addresses are arranged and stored to a comparison data reference memory 103 in the unit of information in the same row. When a network I/F 101 receives a packet, a parameter extract section 102 references its header information to extract parameters, reads comparison reference data from a comparison data reference memory 103, compares the data with the parameters of the packet as to whether or not they are coincident, and a coincidence code output section 106 outputs and stores a code corresponding to a coincident entry. A filtering rule decision section 108 searches a filtering rule coincident with a filtering rule reference table section 107 from a set of codes corresponding to each of the stored parameters. When coincident, the filtering rule decision section 108 outputs a result of coincident comparison. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a network processing apparatus having a packet filter function for transferring or discarding a packet that satisfies a predetermined condition in an apparatus for receiving and processing a packet through a network interface such as the Internet.

  In network equipment, there is a need for a packet filter function that forwards or discards a packet when information in a received packet header satisfies a certain condition.

  The conventional network processing apparatus has an entry for storing the corresponding information for each type of various information constituting the packet filter condition, and holds information in which the information stored in each entry matches the corresponding type of information included in the input packet. A first content searchable memory (also referred to as a Content Addressable Memory: CAM) that outputs the address of the matched entry when there is a matching entry, and a packet filter condition consisting of a set of various information, A set of matching entry addresses in the first content search type memory is stored as a packet filter condition, and when a set of matching entry addresses output from each of the plurality of first content search type memories matches the packet filter condition, a match is found. Operates as a packet filter by using a second content search memory that outputs signals .

  In this way, a search is performed for each type of various information constituting the packet filter condition by the first content search type memory, and a set of matching entry addresses from the first content search type memory by the second content search type memory. The packet filtering operation is possible by determining the attribute of the input packet by determining whether or not matches the packet filter condition. Further, each of the first content search type memories does not need to store the same information repeatedly, and the amount of memory can be reduced as compared with the case where the filtering device is realized by one content search type memory (for example, Patent Document 1).

FIG. 12 shows a configuration of a conventional network processing apparatus described in Patent Document 1. In FIG. In FIG. 12, the individual information determination CAMs 501a to 501c search the entry of the type information and output the storage address of the matched entry for each type, and the output storage address is stored in the register 502. The filter condition determination CAM 503 Matching determination of filtering conditions is performed using a set of storage addresses of other information.
JP 2000-151627 A

  The conventional network processing apparatus is provided with a content search type memory (CAM) for each type of received packet, and it is necessary to set the CAM size to the maximum value that can be taken for each type. However, in reality, the possibility that a size corresponding to the maximum value is required for all types is extremely low, and thus there is a situation that the use efficiency is reduced and a large memory is required.

  The present invention has been made in view of the above-described conventional circumstances, and it is an object of the present invention to provide a network processing apparatus capable of realizing a packet filter function with a small amount of memory without reducing the use efficiency of the memory.

  The network processing apparatus of the present invention uses the comparison data for comparison with a parameter such as an IP address included in the arrival packet as an entry arranged in the same column, and the entry start position of the comparison data is on the same line for each parameter type. Access control means for controlling access to the comparison data reference memory held in a side-by-side format; and head address holding means for holding a head address indicating an entry head position for each type of the parameter on the comparison data reference memory; The comparison data is read from the position indicated by the head address, and the comparison result in the data match comparison means for comparing the read comparison data with the parameter extracted from the arrival packet is output. The comparison result output means and the comparison result output means The filtering rules represented by a set of comparison result, and a determining filtering rules determining means for processing the incoming packet.

  According to the above configuration, the comparison data of a plurality of parameter types can be arranged in the same row of the comparison data reference memory, and the unused area can be utilized for holding the comparison data. The amount can be reduced.

  The network processing apparatus of the present invention further includes valid entry holding means for holding information indicating a valid entry among the data read from the comparison data reference memory.

  According to the above configuration, even if the same value is set as the comparison data of a plurality of parameters of different types, only the comparison data of the necessary parameters is set as the comparison target by the valid entry information output by the valid entry holding means. Therefore, even when the comparison data values of a plurality of different parameters have the same value, a coincidence comparison can be performed.

  In the network processing apparatus of the present invention, the data match comparison unit masks a part of the entry using mask information and performs a match comparison.

  According to the above configuration, for example, it is possible to perform a coincidence comparison only on the network address portion of the IP address, thereby reducing the number of entries and shortening the time required for the comparison.

  In the network processing apparatus of the present invention, the data coincidence comparing means designates a data range and performs a coincidence comparison.

  According to the above configuration, the range designation comparison of port numbers and the like can be performed, and only the minimum value and the maximum value need be set in the table, so the number of entries in the table can be saved.

  Further, in the network processing apparatus of the present invention, the comparison result output means outputs a code corresponding to the matched entry or an address storing the matched entry as a comparison result.

  According to the present invention, the comparison data of a plurality of parameter types can be arranged in the same row of the comparison data reference memory, and the unused area can be used for holding the comparison data. The amount can be reduced.

  Hereinafter, a network processing apparatus according to an embodiment of the present invention will be described with reference to the drawings.

(Embodiment 1)
FIG. 13 is a configuration diagram of a network system including the network processing device according to the first embodiment of the present invention. The network processing apparatus 1300 according to the first embodiment of the present invention inputs a packet from the network interface 1301, classifies the packet, outputs a match comparison result to the received frame discarding unit 1302, and the match comparison result gives a discard instruction. In the case of the contents shown, the received frame discarding unit 1302 discards the received frame so that it does not reach the subsequent application processing apparatus 1303.

  FIG. 1 is a configuration diagram of a network processing apparatus according to Embodiment 1 of the present invention. In FIG. 1, a network processing device extracts a parameter from a network interface (also referred to as a network I / F) 101 that receives a packet from a network such as the connected Internet, and the received packet. A parameter extraction unit 102 that outputs a size, and as a parameter comparison unit, a comparison data reference memory 103 that stores comparison data for reference for matching comparison, and a parameter type received from the parameter extraction unit 102 The head address holding unit 104 that outputs the head position information of the corresponding comparison data set, and the comparison data entry corresponding to the parameter type received from the parameter extraction unit 102 out of one row of data read from the comparison data reference memory 103 Position A valid entry holding unit 105 that holds valid entry information, an access control unit 106 that controls access between the CPU and data match comparison unit 107, and the comparison data reference memory 103, and IPv4 (Internet Protocol Version 4) A data match comparison unit 107 that performs a byte unit match comparison of a parameter such as an address and a comparison data entry read from the comparison data reference memory 103, and a byte unit comparison result of the data match comparison unit 107 includes all parameters. A matching code output unit that outputs a code corresponding to the matched entry, and holds a filtering rule expressed using a set of codes obtained by converting each parameter value Refer to table section 109 and filtering rules Determining whether to forward or discard the received packet by referring to the Buru unit 109 includes a filtering rule determination unit 110 for outputting a coincidence signal or match comparison result means that implement the filtering as a determination result.

  The operation of the network processing apparatus configured as described above will be described with reference to FIGS. FIG. 2 is a flowchart showing a schematic operation of the network processing apparatus according to the first embodiment of the present invention. FIG. 3 is a flowchart showing the parameter comparison operation of the network processing apparatus according to the first embodiment of the present invention.

  In FIG. 2, it is determined whether or not the network I / F 101 has received a packet from the network (S201). If not received (N in S201), the process returns to the packet reception determination. On the other hand, when receiving (Y in S201), the parameter extracting unit 102 extracts parameters in order by referring to the header information of the received packet, and sets the parameter type such as the destination MAC address and IPv6 (Internet Protocol Version 6) address. Determine and output, and output the parameter size (S202).

  Next, the parameter comparison unit performs a match comparison with the data stored in the comparison data reference memory 103 using the parameters, parameter types, and parameter sizes extracted from the header information of the received packet, and matches the parameter values. The code is converted into a matching code corresponding to the entry (S203) and output to the filtering rule determination unit 110 (S204). Details of the operation of the parameter comparison unit will be described with reference to FIG.

  When the matching rule is received from the matching code output unit 108 of the parameter comparison unit, the filtering rule determination unit 110 searches the filtering rule reference table unit 109 for the corresponding parameter, and holds the search result (S205). Then, it is determined whether or not the parameter is the last parameter (S206). If it is not the last parameter, the process returns to S202 (N in S206), and if it is the last parameter (Y in S206), the matching comparison result corresponding to the searched filtering rule is output, and the process is terminated (S207). .

  The details of the operation of the parameter comparison unit will be described with reference to FIG. The data coincidence comparison unit 107 initializes an offset value indicating a data read row of the comparison data reference memory 103 to 0 (S301). The head address holding unit 104 outputs the head storage position information of the same type of data in the comparison data reference memory 103 based on the parameter type of the received packet (S302).

  The access control unit 106 reads the reference data for comparison from the comparison data reference memory 103 in units of one row at the position where the offset is added to the head storage address of the data (S303). Further, the access control unit 106 extracts the data at the position indicated by the valid entry holding unit 105 from the data read from the comparison data reference memory 103 and outputs the data to the data match comparison unit 107 (S304).

  The data match comparison unit 107 performs a match comparison in byte units between the comparison data entry received from the access control unit 106 and the parameter of the received packet (S305). The data match comparison unit 107 increases the offset value by 1 (S306). Then, it is confirmed from the parameter size whether it is the last byte data of the parameter (S307). If it is not the last byte data (N in S307), the process returns to S303, and if it is the last byte data (Y in S307), the coincidence code output unit 106 fully matches the match comparison results over all the bytes of the parameter. The code corresponding to is output and held (S308).

  FIG. 4 is a diagram showing an example of data arrangement on the comparison data reference memory 103 and the coincidence comparison operation in the network processing apparatus according to the present embodiment.

  In FIG. 4, a case where an IPv4 address, an IPv6 address, and a destination port number are arranged on the comparison data reference memory 103 is shown as an example. The memory width is 4 bytes, and the number of entries (holding number) of the IPv4 address, the IPv6 address, and the destination port number is 2. The IPv4 address, IPv6 address, and destination port number are set side by side in the memory column direction as shown in the figure. Any parameter (for example, a transmission source port number or a destination port number) may be used as an area for setting comparison data in the comparison data reference memory 103. As shown in the figure, by arranging the IPv4 address and the IPv6 address side by side in the same row, it is possible to reduce the unused area of the memory and improve the memory usage efficiency.

  The mechanism for reducing the unused area will be described in detail later with reference to FIG. 6. However, if not arranged in the same row, the area adjacent to the parameter comparison data having the number of entries smaller than the memory width is not used. It becomes a use area. On the other hand, when arranging on the same line, in order to place the comparison data for another parameter in the area next to the parameter comparison data, which has a smaller number of entries than the width of the memory, the memory area not originally used is It will be used and unused area will be reduced.

  When a packet arrives, the packet header or payload information (in the example shown, the first byte of the IPv6 address) is extracted, and the data match comparison is performed from the start address indicating the storage start position in the memory of the same type of information as the parameter of the arrival packet. The data at the position of offset n (offset 0 because it is the first byte of the IPv6 address in the case of the example) of the unit 107 is read from the memory, and among the read data, the valid entry register (for each information type) In the case of the figure, the data at the position indicated by the valid entry register for the IPv6 address) is extracted (in the case of the figure, the data for the right two bytes), and the header or payload information of the received packet (in the example of the figure) In this case, the comparison is made in byte units with the first byte of the IPv6 address). For all bytes of each parameter, a code corresponding to the entry whose match comparison result is a complete match is output.

  FIG. 5 is a diagram for explaining a series of operations of parameter comparison and filtering rule search. A description will be given by taking a destination MAC address (hereinafter referred to as DMAC) as an example. Reference numerals 4011 to 4016 indicate four entries 1, 2, 3, and 4 for each of the 6 bytes of the DMAC. Reference numeral 4017 denotes a parameter comparison result of each entry. The comparison data entry of the DMAC stored in the comparison data reference memory 103 is read out in units of one line, and sequentially matched and compared with the DMAC of the arrival packet over 6 bytes in units of bytes. The match / mismatch results are shown for each of the four entries 1, 2, 3, 4 for each byte. After completion of the match comparison of all bytes of the DMAC, 3 (the third from the top of 4017) is output as a code corresponding to an entry that matches all 6 bytes. The matching rule 3 is used to search the filtering rule reference table 109 to find the corresponding filtering rule. Although FIG. 5 shows the case of DMAC, this coincidence comparison is performed for all parameter types, and a matching filtering rule is finally searched for coincidence.

  FIG. 6 is a diagram illustrating the effect of the comparison data reference memory 103 in the network processing apparatus according to the present embodiment.

  In FIG. 6, a case where a destination MAC address, a destination IPv4 address, an IPv6 address, a Protocol number, a Next Header, and a destination port number are arranged on the comparison data reference memory 103 is shown as an example. If you simply try to place parameters in memory, it will be as shown on the left side of the figure. Since the memory is arranged so that the width of the memory is the maximum number of entries in the parameter, an unused area is generated in a portion storing a parameter whose number of entries is smaller than the maximum value. In order to reduce such unused areas, different parameters can be arranged side by side as shown on the right side of the figure. By arranging the parameters as shown on the right side of the figure, the memory amount on the left side required 30 × 4 = 120 bytes, but the memory amount on the right side is reduced to 18 × 4 = 72 bytes.

  That is, in the figure on the left side, the number of bytes 30 from the destination MAC address [1,1] to the destination port number [2,1] and the memory width 4 are required, but in the figure on the right side, the destination MAC address [1 , 1] through Next Header [1,1], the number of bytes is 18 and the memory width is 4. Therefore, in the left figure, an area of 120 bytes is occupied (including the unused area), whereas in the right figure, only an area of 72 bytes is occupied.

  According to such a configuration, compared to a method in which a content search type memory is provided for each packet information type, comparison data of a plurality of different parameter types is arranged in the same row of the comparison data reference memory, thereby reducing Since the used area can be used for holding comparison data, the memory use efficiency can be improved and the amount of memory can be reduced.

  In addition, the network processing apparatus according to the present embodiment includes a valid entry holding unit 105 that indicates valid entries among the data read from the comparison data reference memory 103, and stores comparison data of a plurality of different parameters in the comparison data reference memory. Even if the same value is set as the comparison data for multiple different parameters by placing them in an unused area, only the comparison data for the necessary parameters is compared with the valid entry output by the valid entry holding means. Even if the comparison data values of a plurality of different parameters take the same value, a coincidence comparison can be performed.

  In the present embodiment, the case where the parameter for matching comparison is an IPv6 address has been described. However, the present invention is not limited to this, and even an IPv4 address, a source MAC address, an Ethernet, Type may be used.

  Further, instead of the coincidence code output unit 108 outputting the code, the address of the matched entry may be output. Further, the parameter information is not limited to the header information, and may be information extracted from the payload that is the data body of the received packet.

(Embodiment 2)
FIG. 7 is a configuration diagram of the network processing apparatus according to the second embodiment of the present invention. In FIG. 7, the same components as those in FIG.

  In FIG. 7, the mask information reference table unit 711 performs a match comparison by masking a part of information such as an IP address, that is, a mask used for performing a match comparison only for some bits or bytes of information. Store information. The data match comparison unit 707 excludes the bit or byte portion specified by the mask information from the received packet information such as the IP address from the match comparison target, and then performs the match comparison using the remaining portion of the data. Do.

  FIG. 8 is a flowchart for explaining the parameter comparison operation of the network processing apparatus according to the second embodiment of the present invention.

  The details of the operation of the parameter comparison unit will be described with reference to FIG. The data coincidence comparison unit 107 initializes an offset value indicating a data read line of the comparison data reference memory 103 to 0 (S801). The head address holding unit 104 outputs the head storage position information of the same type of data in the comparison data reference memory 103 based on the parameter type of the received packet (S802). The access control unit 106 reads the comparison reference data from the comparison data reference memory 103 in units of one row at the position where the offset is added to the head storage address of the data (S803). Further, the access control unit 106 extracts the data at the position indicated by the valid entry holding unit 105 from the data read from the comparison data reference memory 103 and outputs the data to the data match comparison unit 107 (S804). The data match comparison unit 107 reads the mask information from the mask information reference table 711 and performs a match comparison using the mask information in byte units between the comparison data entry received from the access control unit 106 and the parameter of the received packet. (S805). The data match comparison unit 107 increases the offset value by 1 (S806). Then, it is confirmed from the parameter size information whether it is the last byte data of the parameter (S807). If it is not the last byte data (N in S807), the process returns to S803, and if it is the last byte data (Y in S807), the coincidence code output unit 106 has completely matched the coincidence comparison result over all the bytes of the parameter. The code corresponding to the entry is output and held (S808).

  FIG. 9 is a diagram showing an example of data arrangement on the comparison data reference memory 103 and the mask information reference table 711 and the coincidence comparison operation in the network processing apparatus according to the present embodiment.

  FIG. 9 shows an example in which the IPv4 address, the IPv6 address, and the destination port number are arranged on the comparison data reference memory 103, and the mask information of the IPv4 address and the IPv6 address is arranged on the mask information reference table 711. The memory width is 4 bytes, and the number of entries for each of the IPv4 address, the IPv6 address, and the destination port number is two. The IPv4 address, IPv6 address, and destination port number are set side by side in the memory column direction as shown in the figure. Any parameter (for example, a transmission source port number or a destination port number) may be used as an area for setting comparison data in the comparison data reference memory 103. As shown in the figure, by arranging the IPv4 address and the IPv6 address side by side in the same row, it is possible to reduce the unused area of the memory and improve the memory usage efficiency.

  When the packet arrives, the packet header or payload information (in the example shown, the first byte of the IPv6 address) is extracted, and the start address indicating the storage start position in the memory of the same type of information as the header or payload information of the arrival packet Further, the data at the position of the offset n (offset 0 because it is the first byte of the IPv6 address in the case of the figure) held by the data match comparison unit 107 is read from the comparison data reference memory 103 and the mask information reference table 711. Then, the data at the position indicated by the valid entry register (valid entry register for IPv6 address in the case of the figure) provided for each information type is extracted from the read data (in the case of the figure, the right 2 Bytes), the header or payload information of the received packet (in the case of the figure, the first byte of the IPv6 address) and the mask information are used for matching comparison, and the code corresponding to the matching entry is output.

  According to this configuration, the data match comparison unit 507 masks a part of the fixed-length data using the mask information and performs a match comparison, for example, to perform a match comparison only for the network address portion of the IP address. And the time required for comparison can be shortened.

(Embodiment 3)
FIG. 10 is a configuration diagram of the network processing apparatus according to the third embodiment of the present invention. 10, the same components as those in FIG. 1 are denoted by the same reference numerals, and description thereof is omitted.

  In FIG. 10, the range designation information reference table 1011 includes, for example, whether information such as a port number defined in the fourth layer of the layer constituting the received packet is included between the designated minimum value and maximum value. Stores range specification information used to compare and determine The data match comparison unit 1007 determines whether or not the received packet information such as the port number is included between the minimum value and the maximum value specified by the range specification information.

  FIG. 11 is a flowchart for explaining the parameter comparison operation of the network processing apparatus according to the third embodiment of the present invention.

  The details of the operation of the parameter comparison unit will be described with reference to FIG. The offset value indicating the data read line of the comparison data reference memory 103 is initialized to 0 (S1101). The head address holding unit 104 outputs the head storage position information of the same type of data in the comparison data reference memory 103 based on the type of header information of the received packet (S1102). The access control unit 106 reads out the reference data for comparison from the comparison data reference memory 103 in units of one line at the position where the offset is added to the head storage address of the data (S1103). Further, the access control unit 106 extracts the comparison data entry at the position indicated by the valid entry holding unit 105 from the data read from the comparison data reference memory 103, and outputs it to the match comparison unit 1007 (S1104). The data coincidence comparison unit 1007 reads a value obtained by dividing the minimum value and the maximum value as range designation information from the range designation information reference table unit 1011, and performs coincidence comparison of these data with the minimum value and the maximum value. If it is larger than the minimum value and smaller than the maximum value, it is determined that it is within the specified range. If it is less than the minimum value or greater than the maximum value, it is determined that it is outside the specified range. If it matches either the minimum value or the maximum value, the determination as to whether or not the next lower divided data is within the specified range is suspended (S1105), and the offset value is incremented by 1 (S1106). Then, it is confirmed from the parameter size information whether it is the last byte data of the parameter (S1107). If it is not the last byte data (N in S1107), the process returns to S1103, and if it is the last byte data (Y in S1107), the coincidence code output unit 106 fully matches the match comparison results over all the bytes of the parameter. The code corresponding to is output and held (S1108).

  According to such a configuration, the data coincidence comparing unit 707 can specify a range of data and perform a comparison by specifying a range of port numbers and the like, and only the minimum value and the maximum value need be set in the table. Therefore, the number of table entries can be saved. The parameter to be compared by specifying the range is not limited to the port number but may be an IPv4 address or the like.

  The network processing device of this embodiment can be applied as a network terminal device or a network relay device. The network processing apparatus of the present invention may be realized using an integrated circuit.

  In the present invention, comparison data of a plurality of parameter types can be arranged in the same row of the comparison data reference memory, and an unused area can be used for holding comparison data. This is useful for network processing devices that have a packet filtering function such as forwarding or discarding packets that satisfy a predetermined condition in devices that receive and process packets through a network interface such as the Internet. .

Configuration diagram of network processing apparatus according to Embodiment 1 of the present invention FIG. 3 is a flowchart showing the overall operation of the network processing apparatus according to the first embodiment of the present invention. The flowchart which shows the parameter comparison operation | movement of the network processing apparatus in Embodiment 1 of this invention The figure which shows the filtering operation | movement in the network processing apparatus in Embodiment 1 of this invention. The figure for demonstrating a series of operation | movement of parameter comparison and filtering rule search in Embodiment 1 of this invention. The figure which shows the structure of the comparison reference table part of the network processing apparatus in Embodiment 1 of this invention. Configuration diagram of network processing apparatus in Embodiment 2 of the present invention The flowchart which shows the parameter comparison operation | movement of the network processing apparatus in Embodiment 2 of this invention. The figure which shows coincidence comparison operation | movement with the example of data arrangement on the comparison data reference memory 103 of the network processing apparatus in Embodiment 2 of this invention, and the mask information reference table 711 Configuration diagram of network processing apparatus according to Embodiment 3 of the present invention A flowchart showing parameter comparison operation of the network processing device in Embodiment 3 of the present invention. Configuration diagram of a conventional network processing device 1 is a configuration diagram of a network system including a network processing device according to Embodiment 1 of the present invention.

Explanation of symbols

101 Network interface (network I / F)
DESCRIPTION OF SYMBOLS 102 Parameter extraction part 103 Comparison data reference memory 104 First address holding part 105 Effective entry holding part 106 Access control part 107,607,807 Data matching comparison part 108 Matching code output part 109 Filtering rule reference table part 110 Filtering rule determination part 711 Mask Information reference table unit 1011 Range designation information reference table unit 4011-4016 Four entries 1, 2, 3, 4 for each of 6 bytes of DMAC 4017 Parameter comparison result of each entry 1300 in Embodiment 1 of the present invention Network processing device 1301 Network interface 1302 Received frame discarding means 1303 Application processing device

Claims (5)

Comparison data for storing comparison data for comparison with a parameter such as an IP address included in an arrival packet in the same column, and holding the entry start position of the comparison data in the same row for each parameter type Access control means for controlling access to the reference memory;
Start address holding means for holding a start address indicating an entry start position for each parameter type on the comparison data reference memory;
Data matching comparison means for reading the comparison data from the position indicated by the head address, and performing matching comparison between the read comparison data and the parameter extracted from the arrival packet;
Comparison result output means for outputting a comparison result in the data match comparison means;
A network processing apparatus comprising: filtering rule determination means for determining processing of the arrival packet based on a filtering rule represented by a set of comparison results output from the comparison result output means.   2. The network processing device according to claim 1, further comprising valid entry holding means for holding information indicating a valid entry among data read from the comparison data reference memory.   The network processing device according to claim 1, wherein the data match comparison unit performs match comparison by masking a part of the entry using mask information.   The network processing apparatus according to claim 1, wherein the data match comparison unit performs a match comparison by designating a data range.   The network processing apparatus according to claim 1, wherein the comparison result output unit outputs a code corresponding to a matched entry or an address storing the matched entry as a comparison result.

Images