JP2019004398A - Packet identification device and packet identification method - Google Patents

Abstract

To provide a packet identification device capable of flexibly identifying a packet including a packet of an application layer at a higher speed.SOLUTION: The packet identification device includes a mask processing unit and a matching processing unit. The mask processing unit is configured to generate a first field value by acquiring part of packet data from a back of a variable length packet according to a given offset and mask length. The matching processing unit performs a comparison process between the first field value and a given first keyword.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a variable length packet identification apparatus and method using hardware.

  In the conventional packet identification method, the header area of the packet up to the fourth layer of the OSI reference model is identified in a mass-produced device such as a router device, and software executed on the server or an expensive dedicated device is used. In general, the packet identification processing of the application layer after the fifth layer is performed (see, for example, “Non-patent Document 1”).

K Oztoprak, MA Yazici, `` A hybrid asymmetric traffic classifier for deep packet inspection systems with route asymmetry '', Performance Computing and Communications Conference (IPCCC), 2016 IEEE 35th International

  However, as the amount of data communication in recent communication networks has increased, the demand for network control by more sophisticated packet identification has increased, and the processing capacity of packet identification processing in the application layer by conventional software is insufficient. However, there is a problem that the dedicated device for the identification processing is expensive and costly.

  The present invention has been made to solve the above problems, and an object of the present invention is to provide a packet identification device capable of performing identification processing of packets including packets in the application layer at higher speed and more flexibly. And

  In order to solve the above problems, the packet identification device of the present invention is a packet identification device including a mask processing unit and a matching processing unit, wherein the mask processing unit is configured according to a given offset and mask length. The first processing unit is configured to generate a first field value by acquiring a part of packet data from the back of the variable length packet, and the matching processing unit includes the first field value and a given first keyword. The comparison process is performed and the comparison result is output.

  The header processing unit further includes at least a part of packet data of the header data from the front of the variable length packet having a given packet format including header data and body data. The match processing unit is configured to perform a comparison process between the second field value and a given second keyword to generate the second field value. The comparison result relating to the second field value may be combined and output.

  The first keyword may include a Don't Care bit.

  In order to solve the above-described problem, a packet identification method of the present invention is a packet identification method in a packet identification device including a mask processing unit and a match processing unit, wherein the mask processing unit has a given offset and Generating a first field value by obtaining part of the packet data from the back of the variable-length packet according to the mask length, and wherein the match processing unit includes the first field value and a given first And a comparison process of the keywords and outputting a comparison result.

  A packet identification method in a packet identification apparatus comprising a header processing unit, a mask processing unit, and a matching processing unit, wherein the header processing unit has a given packet format consisting of header data and body data. Generating a second field value by obtaining at least a part of the packet data of the header data from the front of the packet; and the match processing unit includes the second field value and a given second value. Performing a comparison process of the keywords, and outputting a comparison result relating to the first field value and the second field value in combination.

  The first keyword may include a Don't Care bit.

  ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to provide the packet identification apparatus which can perform the identification process of the packet containing the packet of an application layer more rapidly and flexibly.

FIG. 1 shows the configuration of the packet identification device according to the first embodiment of the present invention. FIG. 2 is a diagram for explaining packet identification processing according to the first embodiment of this invention. FIG. 3 is a flowchart of the packet identification method according to the first embodiment of the present invention. FIG. 4 shows the configuration of the packet identification device in the second exemplary embodiment of the present invention. FIG. 5 is a diagram for explaining packet identification processing according to the second embodiment of the present invention. FIG. 6 is a flowchart of the packet identification method according to the second embodiment of the present invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. However, the present invention can be implemented in many different forms, and is not construed as being limited to the description of the embodiments described below.

<First Embodiment>
FIG. 1 shows the configuration of the packet identification device according to the first embodiment of the present invention. FIG. 2 is a diagram for explaining packet identification processing according to the first embodiment of the present invention, and FIG. 3 is a flowchart of the packet identification method according to the first embodiment of the present invention.

  The packet identification device 1 in FIG. 1 includes a mask processing unit 2, a matching processing unit 3, and a control unit 5. 1 is implemented as a program or circuit data configured on an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit), but is not limited thereto, and is generally used. It can also be configured using a program on a general-purpose device such as a switch or a router or a virtual switch on a general-purpose server.

  This embodiment assumes packet identification at the packet receiving end, and packet format data is input to the packet identification device 1. The input packet is a variable length packet having a given packet format composed of header data and body data.

  The mask processing unit 2 is preliminarily given offset and mask length information in accordance with the bit position on the packet of application data to be identified from the control unit 5, and in accordance with the information on the offset and mask length, the variable length A first field value # 1 is generated by acquiring part of the packet data from the back of the packet. Here, the field value is a value generated by extracting any one or a plurality of data blocks from the data blocks (each protocol field) each indicating a specific attribute in the packet. The same applies to the second embodiment.

  In variable-length packets, the data length of body data varies depending on the amount of data to be transmitted. Therefore, even if the packet format is known, the desired application data is identified by searching from the front of the packet. I can't. Therefore, in this embodiment, an offset and a mask length are set from the back of the packet according to the bit position on the packet of the application data to be identified, and the back of the variable length packet is determined according to the information of the offset and the mask length. Get a part of packet data from

  For example, when it is desired to identify a specific domain of a packet including URL information transmitted to a DNS (Domain Name Server), co. By setting the mask length from the position where the bit (12 bytes) corresponding to jp is offset and acquiring a part of the packet data according to these, it is possible to identify a packet whose application data includes a specific domain .

  Here, when the packet data acquired by the bit mask is shorter than the predetermined data length of the first field value # 1, the first field value is set for the portion other than the packet data acquired by the bit mask. A zero value is filled in according to the data length of # 1. The first field value # 1 generated in the mask processing unit 2 is transmitted to the matching processing unit 3, and the received packet is transmitted as it is to the external device.

  The match processing unit 3 is given in advance the first keyword # 1 that is the correct answer in the match processing target from the control unit 5, and the first keyword # 1 for comparison with the first field value # 1 is The Don'tcare bit is added to the bit string to be identified to have the same data length as the first field value # 1.

  The match processing unit 3 performs a ternary comparison process including the Don'tcare bit on the first field value # 1 and the first keyword # 1 generated by the mask processing unit 2, and outputs the comparison result to an external device (illustrated). Do not send). The external device can receive the packet identification result together with the packet data.

  As described above, according to the present embodiment, packet identification processing is realized by performing ternary identification processing on packet data acquired from the back of the packet. Identification processing for data can be performed at high speed by hardware processing. Furthermore, by making it possible to set an offset for identifying a packet and a mask length according to the packet to be identified, a more flexible packet identification process can be performed.

<Second Embodiment>
In the second embodiment, in addition to the identification process for the packet data including the application layer in the first embodiment, the identification process for the header data of the packet is performed, and the result obtained by combining both the processing results is output.

  FIG. 4 shows the configuration of the packet identification device in the second exemplary embodiment of the present invention. The packet identification device 1 includes a header processing unit 4, a mask processing unit 2, a matching processing unit 3, and a control unit 5. FIG. 5 is a diagram for explaining packet identification processing according to the second embodiment of the present invention, and FIG. 6 is a flowchart of a packet identification method according to the second embodiment of the present invention.

  In the packet identification device 1 of FIG. 4, a header processing unit 4 for identifying a packet by packet header data is added to the packet identification device 1 of FIG. Each component in the configuration of FIG. 4 is implemented as a program or circuit data configured on an FPGA (Field Programmable Gate Array) or ASIC (Application Specific Integrated Circuit) as in FIG. 1, but is not limited thereto. Alternatively, it can be configured using a program on a general-purpose device such as a commonly used switch or router, or a virtual switch on a general-purpose server.

  Also in the present embodiment, packet identification at the packet receiving end is assumed, and a variable-length packet having a given packet format composed of header data and body data is input to the packet identification device 1. Although the operation of the mask processing unit 2 is the same as that of the first embodiment, the packet processed by the mask processing unit 2 is configured to be supplied from the header processing unit 4 in this embodiment. .

  The header processing unit 4 is given in advance the packet format information of the packet to be identified from the control unit 5. The header processing unit 4 generates the second field value # 2 by acquiring a part of the header data from the front of the variable length packet according to the information of the packet format. Which field value of the header data of the packet is to be acquired may be set from the control unit 5. Even if the packet data length fluctuates, if the packet format of the packet is known, a part of the header data of the packet to be identified, such as a specific IP address, can be acquired.

  Here, the mask processing unit 2 performs the zero padding process in accordance with the data length of the field value # 1, but the header processing unit 4 acquires a predetermined field value of the header data of the packet. The length of the second keyword # 2 to be compared with the field length of # 2 is a preset value. The header processing unit 4 transmits the generated second field value # 2 to the matching processing unit 3, and the received packet is transmitted to the mask processing unit 2 as it is.

  In addition to the first keyword # 1 for comparison with the field value # 1 generated by the mask processing unit 2, the match processing unit 3 compares the field value # 2 generated by the header processing unit 4 with the first keyword # 1. The second keyword # 2 is given in advance, and the second keyword # 2 has the same data length as the second field value # 2.

  The matching processing unit 3 compares the first field value # 1 generated by the mask processing unit 2 with the first keyword # 1, and compares the second field value # 2 generated by the header processing unit 4 with the first field value # 2. The second keyword # 2 is compared, and the results of both comparison processes are combined and output. Thereby, it is possible to identify packet data at a higher level than in the first embodiment.

  For example, by combining IP address identification processing by the header processing unit 4 with processing for identifying a packet including a specific domain exemplified in the first embodiment, a packet in a target targeted for a specific URL Thus, processing such as identifying a packet having a specific source IP address can be performed.

  The match processing unit 3 transmits the combined comparison result to an external device (not shown), and the external device can receive the packet identification result together with the packet data.

  As described above, according to the present embodiment, it is possible to perform more advanced packet data identification processing by combining identification processing for packet data including an application layer and identification processing for packet header data.

DESCRIPTION OF SYMBOLS 1 ... Packet identification device, 2 ... Mask processing part, 3 ... Matching processing part, 4 ... Header processing part, 5 ... Control part.

Claims (6)

A packet identification device comprising a mask processing unit and a matching processing unit,
The mask processing unit is configured to generate a first field value by obtaining a portion of packet data from the back of a variable-length packet according to a given offset and mask length;
The packet identification device, wherein the matching processing unit is configured to perform a comparison process between the first field value and a given first keyword, and output a comparison result. A header processing unit;
The header processing unit obtains at least a part of the packet data of the header data from the front of the variable length packet having a given packet format including header data and body data, thereby obtaining a second field value. Configured to generate,
The matching processing unit performs a comparison process between the second field value and a given second keyword, and outputs a combination of the first field value and the comparison result relating to the second field value. To be configured into,
The packet identification device according to claim 1. The packet identification device according to claim 1, wherein the first keyword includes a Don't Care bit. A packet identification method in a packet identification device comprising a mask processing unit and a matching processing unit,
The mask processing unit generates a first field value by obtaining a part of packet data from the back of the variable-length packet according to a given offset and mask length; and
The matching processing unit includes a step of comparing the first field value with a given first keyword and outputting a comparison result. A packet identification method in a packet identification device comprising a header processing unit, a mask processing unit, and a matching processing unit,
The header processing unit obtains at least part of the packet data of the header data from the front of the variable length packet having a given packet format composed of header data and body data, thereby obtaining a second field value. Generating step;
The matching processing unit performs a comparison process between the second field value and a given second keyword, and outputs a combination of the first field value and a comparison result relating to the second field value; ,
The packet identification method according to claim 4, further comprising: The packet identification method according to claim 4 or 5, wherein the first keyword includes a Don't Care bit.

Images