JP6306441B2 - Packet analysis apparatus and packet analysis method - Google Patents

Description

  The present invention relates to a packet analysis device and a packet analysis method for analyzing a packet of a communication flow.

  In the current IP (Internet Protocol) network, a packet transfer device such as a switch or an IP router is arranged between a server and a user terminal or between user terminals, and the packet transfer device analyzes a communication flow, thereby improving efficiency. Packet transfer control is performed.

  As one method for analyzing a packet that is a substance of a communication flow, a technique called DPI (Deep Packet Inspection) is known, and various apparatuses that execute DPI processing are realized. In the DPI processing, the communication flow is identified by comparing the payload pattern of the packet passing through the packet transfer device with a preset pattern and determining whether or not they match.

  Non-Patent Document 1 discloses a device configuration for realizing high-speed complex DPI processing for searching for a specific bit sequence in a packet payload. According to the device configuration of Non-Patent Document 1, a plurality of DPI processors are arranged in parallel, a bit sequence process with a large calculation amount in DPI is divided into a plurality of stages, and each divided process is executed by a plurality of DPI processors. . As a result, the load of DPI processing can be distributed to a plurality of DPI processors, so that efficient and high-speed DPI processing can be realized (hereinafter, a plurality of DPI processors are connected in parallel as in Non-Patent Document 1). A function that is arranged in (1) and causes a plurality of DPI processors to execute DPI processing is referred to as a hierarchical flow identification function).

  One example of a device that executes DPI processing is a network processor. Non-Patent Document 2 illustrates a high-performance network processor. Some network processors include a coprocessor that performs DPI processing, and a network processor is often implemented as a DPI processor in a packet transfer apparatus. From these facts, those skilled in the art can easily conceive of using the network processor as the DPI processor to realize the hierarchical flow identification function.

  However, as shown in Non-Patent Document 2, high-performance network processors generally consume many tens of watts or more of power per chip. Therefore, when realizing the hierarchical flow identification function using a network processor, if the parallelism of the network processor is N, it is necessary to supply several tens of watts × N power supplies, so the operation cost of the packet transfer apparatus is reduced. The rising point becomes a problem.

  In addition, the network processor has a large-scale logic circuit that can be used for general network processing other than DPI processing, and the chip size is as large as several tens of millimeters square. Densification becomes difficult.

  As described above, realizing the hierarchical flow identification function using the network processor increases the power consumption of the packet transfer device, increases the operation cost, and makes it difficult to increase the density. Absent.

Osaka et al., “Examination of scalable extended function implementation method on edge node”, Proceedings of Society Conference of IEICE, B-6-16, Aug. 2011 MICROPROCESSOR report, Oct. 2012, [Search May 23, 2014], Internet <URL: http: // www. linleygroup. com / mpr / article. php? id = 10946> Yamazaki et al., “Examination of Design of Dedicated Instruction Set for Packet Scanning”, IEICE Society Conference Proceedings, C-12-29, Sep. 2013

  As described above, when a hierarchical flow identification function is realized using a network processor as a DPI processor, the economic efficiency deteriorates due to a linear increase in power consumption as the parallelism N of the network processor increases. To do.

  On the other hand, when the DPI processing is executed by a single DPI processor, a large load is applied to the DPI processor, and the processing performance of the packet transfer apparatus may be degraded. In addition, a large-scale TCAM (Ternary Content Addressable Memory) is required to cope with a search for a long bit sequence, which increases the power consumption and mounting cost of the packet transfer apparatus.

  The present invention has been made in consideration of the above-described problems, and an object of the present invention is to realize a hierarchical flow identification function in a packet transfer apparatus using a plurality of DPI processors, thereby improving processing performance and power consumption. It is another object of the present invention to provide a technique capable of suppressing the mounting density.

In order to achieve the above object, the packet analysis apparatus of the present invention provides:
A packet analysis device for analyzing a packet of a communication flow,
A plurality of DPI units each comprising a DPI signature table;
A search condition management unit that manages each search condition of the plurality of DPI units;
A dedicated command section,
When the search condition management unit instructs the DPI unit to register the search condition, the DPI unit registers the search condition instructed to be registered by the search condition management unit, and the dedicated command unit A signature that represents the characteristics of the bit sequence of the search pattern included in the search condition as a bit string is calculated, and the DPI unit is instructed to register the calculated signature in the DPI signature table. Register the signature instructed to register in the DPI signature table,
When the DPI unit receives a packet of a communication flow, the dedicated command unit extracts a bit sequence from the payload of the packet, calculates a signature of the extracted bit sequence, and the calculated signature is registered in the DPI signature table. It is determined whether it matches the signature of the bit sequence of the retrieved pattern.

In order to achieve the above object, the packet analysis method of the present invention provides:
A packet analysis method by a packet analysis device for analyzing a packet of a communication flow,
In the packet analysis device,
A plurality of DPI units each comprising a DPI signature table;
A search condition management unit that manages each search condition of the plurality of DPI units;
A dedicated command section,
When the search condition management unit instructs the DPI unit to register the search condition, the DPI unit registers the search condition instructed to be registered by the search condition management unit, and the dedicated command unit A signature that represents the characteristics of the bit sequence of the search pattern included in the search condition as a bit string is calculated, and the DPI unit is instructed to register the calculated signature in the DPI signature table. Register the signature instructed to register in the DPI signature table,
When the DPI unit receives a packet of a communication flow, the dedicated command unit extracts a bit sequence from the payload of the packet, calculates a signature of the extracted bit sequence, and the calculated signature is registered in the DPI signature table. It is determined whether it matches the signature of the bit sequence of the retrieved pattern.

  According to the present invention, a hierarchical flow identification function is realized using a plurality of DPI units, while a dedicated command unit is provided, and the dedicated command unit includes a bit sequence of a search pattern and a payload of a packet of a communication flow. After calculating the signature expressing the characteristics of the bit sequence extracted from the above in the form of a bit string, the matching between the two is determined. As a result, it is possible to execute an instruction necessary for signature matching determination, which is frequently calculated in the packet analysis process, in one to two cycles. Therefore, it is possible to reduce the delay of packet analysis processing by the DPI unit, and the DPI unit does not need to have any unnecessary functions or hardware, and high-density mounting is possible with a small logic circuit. In addition, since it is not necessary to configure the DPI unit with a network processor, the power consumption of the DPI unit can be reduced, and even when the number of DPI units is increased to increase the parallelism of DPI processing, the power consumption can be reduced. Can be suppressed.

  Therefore, by realizing the hierarchical flow identification function using a plurality of DPI units, the processing performance can be improved and the power consumption and the mounting density can be suppressed, and the power performance ratio (the ratio of the processing performance to the power consumption) ) Can be dramatically improved.

It is a figure which shows the structure of the packet transfer apparatus containing the packet analysis apparatus of this invention. It is a figure which shows the structure of the packet analysis apparatus of a 1st comparative example. It is a figure which shows the structure of the packet analysis apparatus of the 2nd comparative example. It is a figure which shows the structure of the packet analysis apparatus of the 3rd comparative example. It is a figure which shows the structure of the packet analysis apparatus of the 1st Embodiment of this invention. It is a figure which shows the structure of the exclusive command part in the packet analysis apparatus of the 1st-3rd embodiment of this invention. It is a sequence diagram showing the packet analysis method in the packet analysis apparatus of the 1st Embodiment of this invention. It is a figure which shows the structure of the packet analysis apparatus of the 2nd Embodiment of this invention. It is a figure which shows the structure of the packet analysis apparatus of the 3rd Embodiment of this invention.

EMBODIMENT OF THE INVENTION Below, the form for implementing this invention is demonstrated with reference to drawings.
(1) Packet Transfer Device FIG. 1 is a diagram showing a configuration of a packet transfer device including a packet analysis device of the present invention.

  As shown in FIG. 1, the packet transfer device 10 of the present invention includes an input unit 110, an output unit 120, and a packet analysis device 11.

  The input unit 110 receives an input signal from an external device (not shown) such as a server or a user terminal, and extracts a packet from the received input signal. Each extracted packet includes a header that accommodates control data and a payload that accommodates actual data. The header is typically fixed-length data, and the source IP address (SIP), the destination IP address (DIP), the IP protocol type (PR), and the source port number (SPT) are fixed at the fixed position of the data. And five elements (5 tuples) of destination port number (DPT).

  The packet analysis device 11 analyzes the packet extracted by the input unit 110, and performs processing such as determining the transfer destination of the packet based on the analysis result. Details of the packet analysis device 11 will be described later.

The output unit 120 transmits the packet to the transfer destination determined by the packet analysis device 11.
(2) Packet Analysis Device Hereinafter, the packet analysis device of the present invention will be described in comparison with a comparative example. Note that the packet analysis devices of the present invention and the comparative example described below are incorporated as the packet analysis device 11 in the packet transfer device 10 shown in FIG.

First, a packet analysis device of a comparative example will be described.
(2-1) Packet Analysis Device of Comparative Example (2-1-1) Packet Analysis Device of First Comparative Example FIG. 2 is a diagram illustrating a configuration of a packet analysis device 1100A of the first comparative example.

  As shown in FIG. 2, the packet analysis apparatus 1100A of the first comparative example includes a basic transfer function unit 130 and primary DPI units 140-1 to N (N is a natural number greater than or equal to 2), next DPI unit 140-N ( Hereinafter, when it is not specified which DPI unit is specified, it is referred to as a DPI unit 140) and a packet analysis function unit 150.

  The basic transfer function unit 130 has a transfer table (not shown) and a transfer signature table (not shown). In the transfer table, a transfer destination corresponding to the 5-tuple in the header of the packet is registered as the transfer destination of the packet. In the transfer signature table, five tuples of headers serving as search patterns and actions (ACT) that are processing contents to be executed on packets for which the search patterns are searched are registered. The basic transfer function unit 130 checks the header of each packet extracted by the input unit 110, and determines whether the 5-tuple of the confirmed header matches the 5-tuple of the search pattern registered in the transfer signature table. To do. If they do not match, the basic transfer function unit 130 determines that the packet is a normal packet, specifies the transfer destination registered in the transfer table, and transfers the packet to the output unit 120. On the other hand, if they match, the basic transfer function unit 130 selects and executes a process (action) registered in the transfer signature table for the packet. As processing contents of the accompanying conditions, typically, transfer to the DPI unit 140, execution of a predetermined process and transfer to the output unit 120, and the like may be set. When transferring a packet to the DPI unit 140, the basic transfer function unit 130 transfers the packet in parallel to each of the primary DPI unit 140-1 to the N-order DPI unit 140-N.

  Each DPI unit 140 has a DPI signature table (not shown). Registered in the DPI signature table are a bit sequence having a predetermined bit length as a search pattern and an action (ACT) which is a processing content to be executed on a packet in which the search pattern is searched. The DPI unit 140 extracts a bit sequence having a predetermined bit length included in each payload of the packet received from the basic transfer function unit 130, and matches the bit sequence of the search pattern registered in its own DPI signature table. Determine. If they do not match, the DPI unit 140 sends the packet back to the basic transfer function unit 130 and transfers the packet to an appropriate transfer destination via the output unit 120. On the other hand, if they match, the DPI unit 140 selects and executes a process (action) registered in its own DPI signature table for the packet. As processing contents of this incidental condition, typically, transfer to the packet analysis function unit 150, execution of predetermined processing and transfer to the output unit 120 via the basic transfer function unit 130, and the like are set. Good.

  The packet analysis function unit 150 has a packet analysis signature table (not shown). In the packet analysis signature table, a bit sequence serving as a search pattern and an action (ACT) that is a processing content to be executed on a packet for which the search pattern is searched are registered. The packet analysis function unit 150 extracts a bit sequence included in each payload of the packet received from the DPI unit 140, and determines whether or not it matches the bit sequence of the search pattern registered in the DPI signature table. If they do not match, the packet analysis function unit 150 sends the packet back to the basic transfer function unit 130 and transfers it to an appropriate transfer destination via the output unit 120. On the other hand, if they match, the packet analysis function unit 150 selects and executes a process (action) registered in the packet analysis signature table for the packet. As processing contents of this accompanying condition, typically, discarding of a packet, control of QoS (Quality of Service), and the like may be set. Since two or more bit sequences can be registered as search patterns in the packet analysis signature table, bit sequences having different bit lengths can be registered.

However, in the configuration of the first comparative example, it is necessary to manage search conditions distributed to each part in a multi-factorial manner, and it takes a lot of time to set the search conditions for each part consistently.
(2-1-2) Packet Analysis Device of Second Comparative Example FIG. 3 is a diagram illustrating a configuration of a packet analysis device 1100B of the second comparative example.

  As shown in FIG. 3, the packet analysis device 1100B of the second comparative example has a search condition management unit 160 added as compared to the first comparative example.

  3, not only the packet analysis function unit 150 but also the basic transfer function unit 130 and each DPI unit 140 are connected to the output unit 120 as in FIG. 2 (hereinafter, FIG. 4). , FIG. 5, FIG. 8, and FIG. 9).

  The search condition management unit 160 is a part that integrally manages the search conditions of the basic transfer function unit 130, the DPI unit 140, and the packet analysis function unit 150, and these search conditions can be set and changed centrally. .

In each DPI unit 140, a bit sequence having a unique bit length is set as the bit sequence of the search pattern. That is, a bit sequence with a bit length m ₁ is set in the primary DPI unit 140-1, a bit sequence with a bit length m ₂ is set in the secondary DPI unit 140-2,... bit sequence having a bit length _{m N} is set to 140-1. For example, when the bit length mi of the i (natural number of 1 ≦ i ≦ N) order DPI unit 140- _i is 5 (m _i = 5) and the bit sequence “abcde” is set as the search pattern, The i-th DPI unit 140-i checks each bit sequence having a bit length of 5 included in the payload of the received packet, and determines whether there is a match with the bit sequence “abcde” of the search pattern.

  In this manner, each DPI unit 140 is set with a unique bit length, and only the bit sequence having the set bit length is searched. That is, by providing the number of DPI units 140 corresponding to the number of bit sequences having different bit lengths to be searched in the packet payload, a plurality of types of bit sequences having arbitrary bit lengths can be searched quickly and easily. Is possible. For example, when there are three types of bit sequences having a bit length to be searched in the packet payload (bit length = 32, 64, 128), the DPI unit 140 is configured in three stages.

The search condition management unit 160 sets a search pattern as a search condition for the basic transfer function unit 130, each DPI unit 140, and the packet analysis function unit 150, and changes these set values as necessary. be able to. Here, the search pattern set in the basic transfer function unit 130 is a 5-tuple value of the header, the search pattern set in the DPI unit 140 is the value of the payload bit sequence (bit length m _{1 to N} ), and the packet The search pattern set in the analysis function unit 150 is a value of the payload bit sequence (bit length n).

  The search condition management unit 160 redefines from the program an extraction method that specifies values such as the bit length, extraction position, and mask length of the payload, particularly for the DPI unit 140 and the packet analysis function unit 150. The extraction method can be set as a search condition. In this case, for example, the DPI unit 140 extracts the bit sequence to be analyzed from the payload of the packet based on the extraction method set as the search condition, and the extracted bit sequence is the search pattern set as the search condition. It will be determined whether it matches the bit sequence.

  By providing the search condition management unit 160, it is possible to maintain consistency among the search conditions distributed in each unit. Further, by setting an extraction method as a detection condition, it is possible to filter actual data that is not analyzed, and set only the bit sequence to be analyzed in the DPI unit 140 and the packet analysis function unit 150. Thus, by managing a plurality of search conditions in an integrated manner, inconsistencies between search conditions can be prevented and setting work can be saved.

  The bit sequence that is the search pattern in the packet analysis function unit 150 is typically set to a bit length n that is larger than the bit length m of the bit sequence that is the search condition in the DPI unit 140 (m <n). That is, a relatively short bit sequence is searched by the DPI unit 140, and a relatively long bit sequence is searched by the packet analysis function unit 150. Since a relatively short bit sequence is more often included in a fixed-length packet, the number of matching determinations with the bit pattern of the search pattern increases during search, and the amount of calculation increases. The search condition management unit 160 leaves such a relatively short bit sequence search process to the DPI unit 140 to reduce the processing load on the packet analysis function unit 150.

  Further, when the packet analysis apparatus 1100B receives an unanalyzed packet, the packet analysis function unit 150 that can deal with a relatively complicated search condition sequentially analyzes the packet, and the search condition specified by the analysis is determined as the basic transfer function unit 130. The search condition management unit 160 controls to automatically set the DPI unit 140 so that packet transfer control can be performed even for an unanalyzed packet of an unknown communication flow.

  The DPI unit 140 is typically composed of individual DPI processors including a CPU (Central Processing Unit) and a memory, and can operate independently of each other. The DPI unit 140 may be added as necessary in consideration of the load balance between the DPI unit 140 and the packet analysis function unit 150.

However, when the DPI unit 140 is added as necessary, the processing performance and power consumption of the packet analysis device 1100B vary greatly depending on the device configuration method.
(2-1-3) Packet Analysis Device of Third Comparative Example FIG. 4 is a diagram illustrating a configuration of a packet analysis device 1100C of the third comparative example.

  As illustrated in FIG. 4, the packet analysis apparatus 1100C of the third comparative example deletes the search condition management unit 160 and compares the primary DPI unit 140-1 to the N-th order DPI as compared to the second comparative example. Unit 140-N is composed of a network processor, and basic instruction units 170-1 to 170-N (hereinafter, which basic instruction units correspond to primary DPI unit 140-1 to N-order DPI unit 140-N, respectively). And general-purpose instruction units 180-1 to 180-N (hereinafter, referred to as general-purpose instruction unit 180 when not specifying which general-purpose instruction unit). ing.

  The network processor constituting the DPI unit 140 is typically configured with an architecture suitable for packet processing. As a network processor that performs packet processing, there are a packet buffer for storing a large number of packets, a TCAM for executing a search for matching with a search pattern at high speed, a main storage unit, a cache, and packets held in these. On the other hand, many have one or more calculation cores for calculating instructions given from a basic instruction section 170 and a general-purpose instruction section 180 described later.

  The basic instruction unit 170 is an instruction set of a minimum basic instruction necessary to operate the DPI unit 140 as a processor, that is, typically four arithmetic operations, arithmetic operations, logical operations, comparisons, load stores, shifts, and An instruction group such as a conditional branch is included, and these are given to the DPI unit 140. The format and language processing system of these basic instructions vary depending on the network processor, but these basic instructions include many common instructions provided as basic functions in any network processor.

  The general-purpose command unit 180 is a command set of general-purpose commands necessary for realizing a function that can be used universally for packet processing in an IP network, that is, typically, a media access control address (MAC), an IPv4 (Internet Protocol). header operations such as version 4), IPv6 (Internet Protocol version 6), TCP (Transmission Control Protocol), and UDP (User Datagram Protocol) (MPR (Multi Protocol QuinQ), MPLS (Q) (General Routing Encapsul tion) encapsulation operations, such as having a set of instructions such as error checking operations, such as checksum or CRC (Cyclic Redundancy Check), giving them to the DPI 140. The formats and language processing systems of these general-purpose instructions for packet processing vary depending on the network processor, but these general-purpose instructions include many common instructions that are provided as basic functions for any type of network processor. It is.

The configuration of the third comparative example shown in FIG. 4 can obtain a certain level of processing performance even in the DPI unit 140 by using an internal structure suitable for packet processing and a general-purpose instruction set. However, as shown in Non-Patent Document 2, since the power consumption of a high-performance network processor is generally several tens of watts or more per chip, the power consumption of the DPI unit 140 increases as the parallelism N of the DPI unit 140 increases. To do. In addition, since the configuration of the third comparative example does not have the search condition management unit 160, it is necessary to manage the search conditions distributed to each part in a multi-dimensional manner, and it takes a lot of trouble to set the search conditions for each part consistently. It becomes. Furthermore, the network processor is equipped with a large-scale logic circuit that can be used for general network processing other than DPI processing, and the chip size is as large as several tens of millimeters square. Densification becomes difficult. Therefore, it is not economical to realize a hierarchical flow identification function using a plurality of network processors.
(2-2) Packet Analysis Device of the Present Invention Next, an embodiment of the packet analysis device of the present invention will be described.
(2-2-1) Packet Analysis Device According to First Embodiment of the Present Invention FIG. 5 is a diagram illustrating a configuration of a packet analysis device 11A according to the first embodiment.

  As shown in FIG. 5, the packet analysis device 11A according to the first embodiment is configured by configuring the primary DPI unit 140-1 to the N-th order DPI unit 140-N with dedicated embedded processors as compared with the third comparative example. In addition, the search condition management unit 160 is added, and the dedicated command units 190-1 to 190-N (hereinafter, which dedicated command unit is specified) instead of the general command units 180-1 to 180-N When not, it is referred to as a dedicated instruction unit 190).

  The dedicated embedded processor constituting the DPI unit 140 is typically configured with a RISC (Reduced Instruction Set Computer) architecture having an orthodox pipeline structure. Initially, it does not have a large-scale packet buffer, TCAM, main memory, cache, etc. unlike a network processor, and has a general-purpose command part that can be used for packet processing. In addition, only elements that execute the minimum basic instructions necessary for operating the DPI unit 140 as a processor are provided. In general, an ASIP (Application Specific Instruction-set Processor) design method that can dedicate a primitive embedded processor for a specific application according to the application is known. As mentioned above, the processor configuration that is based on a certain level is specified, depending on the method, from the method that allows the design of dedicated instructions and the expansion of the data path for specific applications to the method that can design the arithmetic core with almost full scratches. Although the design procedure varies, a desired function can be realized while optimizing the processing performance and power consumption from a single processor to a multiprocessor. Moreover, you may add a buffer, a cache, and TCAM later as needed.

  The search condition management unit 160 is the same as that shown in FIG.

  The basic command unit 170 has the same configuration as that for the network processor shown in FIG. That is, the basic instruction unit 170 is an instruction set of a minimum basic instruction necessary for operating the DPI unit 140 as a processor, that is, typically four arithmetic operations, arithmetic operations, logical operations, comparisons, load stores, shifts. , And an instruction group such as a conditional branch, and these are given to the DPI unit 140. The types and language processing systems of these basic instructions vary depending on the embedded processor, but these basic instructions include many common instructions provided as basic functions in any embedded processor.

  The dedicated instruction unit 190 is different from the general-purpose instruction unit 180 for the network processor shown in FIG. The dedicated instruction unit 190 does not have a general-purpose instruction set necessary for realizing a function that can be used for general purposes for packet processing in the IP network, but instead of a dedicated instruction necessary for realizing the DPI unit 140. It can be composed of an instruction set, an optimized arithmetic unit, and a data path. Non-Patent Document 3 discloses a schematic configuration of a dedicated embedded processor having a coarse-grained packet scanning function using an ASIP design method. The above configuration of the dedicated instruction unit 190 can be realized by applying the ASIP design method disclosed in Non-Patent Document 3. Therefore, the packet analysis process in the DPI unit 140 can be executed with the minimum number of cycles. Therefore, the DPI unit 140 does not need to have any unnecessary functions and hardware, and high-density mounting is possible with a small-scale logic circuit. Further, depending on the application, the power consumption per embedded processor can be configured to be several hundred milliwatts or less, so even if the parallelism N of the DPI unit 140 is increased, the power consumption of the DPI unit 140 is reduced by the DPI unit 140 using the network processor. As compared with the case of configuring the above, it is possible to suppress to about one hundredth.

  The dedicated instruction unit 190 is held in a command RAM (Random Access Memory (not shown)) on the corresponding DPI unit 140.

  FIG. 6 is a diagram illustrating a configuration of the dedicated instruction unit 190. FIG. 6 shows the configuration of the arithmetic unit of the dedicated instruction unit 190.

  As illustrated in FIG. 6, the dedicated instruction unit 190 includes a signature calculation unit 191, a signature setting unit 192, a signature collation unit 193, and an action selection unit 194.

  The operation of each component in the dedicated command unit 190 shown in FIG. 6 will be described in detail in the following description of FIG.

  FIG. 7 is a sequence diagram illustrating a packet analysis method in the packet analysis device 11A of the first embodiment. The packet analysis method shown in FIG. 7 is not disclosed in Non-Patent Document 3.

  The packet analysis method shown in FIG. 7 includes a search condition setting step S101, a search condition update step S102, a signature calculation step S103, a signature setting step S104, a signature update step S105, a signature calculation step S106, and a signature verification Step S107, match determination step S108, and action selection step S109 are included.

  In step S101, the search condition management unit 160 sets search conditions desired by the user for the basic transfer function unit 130, each i-th order DPI unit 140-i, and the packet analysis function unit 150, and sets the search conditions. Instruct to register.

At this time, the search condition management unit 160 sets a search pattern as a search condition for the basic transfer function unit 130, each i-th order DPI unit 140-i, and the packet analysis function unit 150. Specifically, the search condition management unit 160 sets a 5-tuple value of the header for the basic transfer function unit 130 as a search pattern, and a payload bit for each i-th order DPI unit 140-i. The value of the sequence (bit length m _{1 to N} ) is set, and the value of the bit sequence (bit length n) of the payload is set for the packet analysis function unit 150.

  The search condition management unit 160 sets the extraction method as a search condition together with the above search pattern for the i-th DPI unit 140-i and the packet analysis function unit 150. Specifically, the search condition management unit 160 sets the value of the payload bit length L, the offset value O that specifies the extraction position of the bit sequence, and the mask length M, which are redefined from the program, as the extraction method. The operation of extracting the bit sequence from the communication flow packet based on the extraction method specified by the bit length L, the offset value O, and the mask length M will be described later.

  In step S102, the i-th DPI unit 140-i uses the search condition management unit 160 to set the current search condition value held in its own data RAM (not shown) in step S101. Compared with the value of the condition, if there is a change, the value of the search condition held in the data RAM is updated.

In step S103, the signature computation unit 191 of the dedicated instruction unit 190-i computes a signature bit sequences having a bit length _{m i} included in the search condition is updated in the i-th order DPI unit 140-i as a search pattern. The signature represents the characteristics of the bit sequence as a bit string, and the bit sequence to be analyzed in the packet actually analyzed in the communication flow (hereinafter referred to as “flow”) is the bit sequence of the search pattern (hereinafter referred to as “pattern”). Is calculated in order to perform a high-speed search. As a specific signature, a hash value that is widely used can be used, but it may be a value calculated using a coarse-grained calculation means disclosed in Non-Patent Document 3.

  In step S104, the signature setting unit 192 of the dedicated instruction unit 190-i instructs the i-th DPI unit 140-i to set the signature (pattern) calculated in step S103 and register the signature (pattern). To do.

  In step S105, the i-th DPI unit 140-i registers the signature (pattern) instructed to be registered in step S104 by the dedicated instruction unit 190-i in its own DPI signature table, and stores it in its own DPI signature table. The signature (pattern) registered as the search pattern is updated. The DPI signature table is held in its own data RAM, as is the value of the search condition.

  Thereafter, steps S101 to S105 are repeated, and when the desired number of signatures (patterns) has been registered, the presetting of the packet analysis device 11A is completed.

  The procedure after step S106 is a procedure that occurs every time the communication flow passes through the packet analysis device 11A.

  In step S106, when the packet of the communication flow from the basic transfer function unit 130 is received by the i-th order DPI unit 140-i, the signature calculation unit 191 of the dedicated instruction unit 190-i receives the i-th order DPI unit 140-i. Based on the extraction method included in the search condition updated in step S102, the bit sequence to be analyzed is extracted from the received packet.

Specifically, the signature calculation unit 191 of the dedicated instruction unit 190-i firstly, based on the bit length L and the offset value O, from the position specified by the offset value O in the packet payload, the bit length L. A bit sequence is extracted as a base bit sequence to be analyzed. The bit length L can be specified as a predetermined length in words. For example, 32 bits may be one word, or 64 bits or 128 bits may be one word (L = 32, 64, 128). The offset value O is specified in bit units. Next, based on the mask length M, the signature calculation unit 191 extracts a detailed bit sequence to be analyzed in bit units from the bit sequence that is the basis of the analysis target extracted above. For example, when only the first 8 bits are analyzed in the state where the 32-bit-based bit sequence 01010101010101010101010101010101 is extracted as described above, the mask data is 111111111000000000000000000000 (M = 8), and the first 8-bit bit sequence 01010101 is analyzed. This is a specific value of the target bit sequence. In this way, it is possible to extract and filter the real data without analyzing, only the bit sequence of the bit length m _i to be analyzed as an analysis target.

  In step S106, the signature calculation unit 191 of the dedicated instruction unit 190-i further calculates the signature (flow) of the analysis target bit sequence extracted from the packet in the same procedure as in step S103.

  In step S107, the signature collation unit 193 of the dedicated instruction unit 190-i collates the signature (flow) calculated in step S106 with the signature (pattern) in the DPI signature table updated in step S105.

  In step S108, the signature collation unit 193 of the dedicated instruction unit 190-i determines whether the signature (flow) calculated in step S106 matches the signature (pattern) updated in step S105. If there is no matching signature (pattern) (S108: N), the signature verification unit 193 sends the packet back to the basic transfer function unit 130 and transfers it to an appropriate transfer destination via the output unit 120. On the other hand, if there is a matching signature (pattern) (S108: Y), the process proceeds to step S109.

  In step S109, the action selection unit 194 of the dedicated instruction unit 190-i refers to the DPI signature table, selects the processing content (action) corresponding to the matched signature (pattern), and packetizes the selected processing. The packet is transferred to the packet analysis function unit 150 in the subsequent stage.

The DPI signature table according to the first embodiment, the signature sequence of bits of the bit length m _i as a search pattern, an action (ACT) is a processing content to be performed on that signature is search packet, Is registered. For example, the bit sequence ““ a ₁ a ₂ ... A _m ”→ ACT =“ fff ”” having a bit length x is registered in the DPI signature table. In this case, when the bit sequence to be analyzed is “a ₁ a ₂ ... A _m ”, this indicates that the process “ggg” that is an accompanying condition is executed.

As described above, in the first embodiment, the matching of the signature (flow) and the signature (pattern) is executed in parallel in each part of the i-th DPI unit 140-i, and an appropriate processing content (action) is selected. Is done. Of the above steps executed by each i-th order DPI unit 140-i and each dedicated instruction unit 190-i, steps S103 to S109 are processes with a particularly high calculation frequency in packet analysis. According to the configuration of the embodiment, each process of packet analysis can be executed with a minimum number of cycles of 1 to 2 cycles. As a technique that enables the low-delay processing described above, there is a reduction in the hash calculation by a dedicated instruction disclosed in Non-Patent Document 3. In this case, the hash value corresponds to the signature. In addition, by using the ASIP design method disclosed in Non-Patent Document 3, the dedicated instruction unit 190-i is configured with an arithmetic unit and a data path dedicated to hash calculation, thereby designing an instruction that can be processed in one to two cycles. can do. Therefore, high-speed flow identification and packet transfer control can be realized by the configuration of the first embodiment of the present invention.
(2-2-2) Packet analysis apparatus according to the second embodiment of the present invention The packet analysis apparatus 11B according to the second embodiment has the same packet analysis method as the sequence diagram shown in FIG. In the following, differences in configuration from the packet analysis apparatus 11A of the first embodiment shown in FIG. 5 will be mainly described.

  FIG. 8 is a diagram illustrating a configuration of the packet analysis device 11B according to the second embodiment.

  As shown in FIG. 8, in the packet analysis device 11B of the second embodiment, N dedicated embedded processors that respectively configure the N DPI units 140 are integrated on a single chip.

  That is, the packet analysis apparatus 11A of the first embodiment shown in FIG. 5 has a multichip configuration in which N dedicated embedded processors that respectively configure the N DPI units 140 are made independent. On the other hand, the packet analysis device 11B of the second embodiment shown in FIG. 8 integrates N dedicated embedded processors that respectively configure the N DPI units 140, and serves as a single-chip multi-core processor. The point which comprises is a feature. By adopting such a configuration, the packet analysis device 11B of the second embodiment has a higher mounting density and power performance ratio (processing for power consumption) of the DPI unit 140 than the packet analysis device 11B of the first embodiment. It can be expected that the performance ratio) will be further increased.

  Further, regarding the storage area holding the DPI signature table, in the packet analysis device 11A of the first embodiment, each DPI signature table of the DPI unit 140 is divided into physically unique data RAMs (not shown). It had been. On the other hand, in the packet analysis device 11B of the second embodiment, physically the same data RAM (not shown) is connected to each DPI unit 140, and each DPI unit 140 shares this data RAM. To do. In such a configuration, each DPI unit 140 is connected to each port of a multi-port shared memory (not shown), the shared memory is divided into banks in order to prevent data destruction, and the above steps S104 to S105 are performed. It is sufficient to control a memory controller (not shown) to configure a storage area that holds each DPI signature table.

  The configurations of the basic command unit 170 and the dedicated command unit 190 are also changed. In the packet analysis device 11A of the first embodiment, each DPI unit 140 has a configuration in which a set of basic command unit 170 and a dedicated command unit 190 are attached. On the other hand, since the packet analysis apparatus 11B of the second embodiment has a single-chip multi-core configuration, the DPI unit 140 as a whole may include one set of basic instruction unit 170 and dedicated instruction unit 190. This can be realized by separately incorporating a language processing system corresponding to the multi-core.

Furthermore, it is also possible to configure the DPI unit 140 that compromises the configuration of the packet analysis device 11A of the first embodiment and the configuration of the packet analysis device 11B of the second embodiment. That is, each DPI unit 140 in a multichip configuration may be configured in a multicore configuration. The plurality of configuration modes as described above may be determined in consideration of various requirements such as processing performance, power consumption, mounting density, and maintainability in the DPI unit 140, and various modifications and applications are possible.
(2-2-3) Packet analysis apparatus according to the third embodiment of the present invention The packet analysis apparatus 11C according to the third embodiment will be described because its packet analysis method is the same as the sequence diagram shown in FIG. In the following, differences in configuration from the packet analysis apparatus 11A of the first embodiment shown in FIG. 5 will be mainly described.

  FIG. 9 is a diagram illustrating a configuration of a packet analysis device 11C according to the third embodiment of this invention.

  As shown in FIG. 9, the packet analysis apparatus 11C according to the third embodiment of the present invention includes N DPI units 140 each composed of N dedicated embedded processors formed into a single chip, and has a packet analysis function. The unit 150 is configured by a single network processor, and is configured to be a heterogeneous multi-core that operates both complementarily.

  Since the packet analysis function unit 150 is configured by a network processor, in the third comparative example illustrated in FIG. 3, the basic command unit 170A and the general-purpose command unit 180A are the same as when the DPI unit 140 is configured by a network processor. Comes with. The basic command unit 170A and the general command unit 180A are the same as the basic command unit 170 and the general command unit 180 shown in FIG.

  According to Non-Patent Document 3, the method of analyzing a packet can be broadly divided into two types: a coarse-grain method (Coarse DPI) and a fine-grain method (Fine DPI). The former is an analysis method that performs simple matching using an efficient data structure such as a Bloom filter. Since the space efficiency in the storage area that holds the signature table is good, it is efficient that the communication flow does not match the search pattern. Can be distinguished well. On the other hand, the latter is an analysis method that realizes detailed pattern matching using a regular expression or the like, and can realize high-functional DPI processing such as handling complicated search conditions. However, in the latter method, when a single DPI unit 140 is responsible for processing, there is a problem that it is difficult to ensure performance due to concentration of loads. Therefore, an effect of reducing the load of the fine-grain method can be expected by combining both methods, and an efficient packet analysis device 11C can be configured (Coarse-to-Fine DPI).

  Although a single packet analysis function unit 150 is provided in FIG. 9, the present invention is not limited to this, and a plurality of packet analysis function units 150 may be provided. In this case, when a packet to be transferred to the packet analysis function unit 150 is detected, the DPI unit 140 confirms the traffic amount of each packet analysis function unit 150 and is detected by the packet analysis function unit 150 with a small traffic amount. The packet may be transferred. Alternatively, the DPI unit 140 may transfer the detected packet to the packet analysis function unit 150 that is preset as a transfer destination for each DPI unit 140.

  The embodiments of the present invention have been shown and described above. What is described as “˜unit” in the description of the embodiment (basic transfer function unit 130, DPI unit 140, packet analysis function unit 150, inspection condition management unit 160, basic command unit 170, general-purpose command unit 180, and dedicated The command unit 190) may be “˜circuit”, “˜device”, “˜device”, “˜means”, and may be “˜step” and “˜processing”. Although the configuration in which the dedicated embedded processor has an instruction set that dramatically increases the power performance ratio shown in the present embodiment is regarded as the best mode, what is described as “˜part” is the ROM It may be realized by firmware stored in (Read Only Memory) and hardware such as a reconfigurable device, element, substrate, and wiring. Alternatively, a combination of software and hardware, or a combination of firmware may be used. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD (Digital Versatile Disc). The program is read and executed by the CPU. That is, the program causes the computer to function as “to means” corresponding to “to part” of the embodiment of the present invention. Alternatively, the computer executes the procedure and method of “to part” of the embodiment of the present invention.

  The present invention can be applied to a general design method for a processor for a specific application regardless of whether the design tool or the IP (Intellectual Property) is different.

10: packet transfer device 11: packet analysis device 110: input unit 120: output unit 130: basic transfer function unit 140: DPI unit 150: packet analysis function unit 160: search condition management unit 170: basic command unit 180: general command unit 190: Dedicated command part 191: Signature calculation part 192: Signature setting part 193: Signature verification part 194: Action selection part

Claims (7)

A packet analysis device for analyzing a packet of a communication flow,
A plurality of DPI units each comprising a DPI signature table;
A search condition management unit that manages each search condition of the plurality of DPI units;
A dedicated command section,
When the search condition management unit instructs the DPI unit to register the search condition, the DPI unit registers the search condition instructed to be registered by the search condition management unit, and the dedicated command unit a hash value that represents the characteristics of the bit sequence of the search pattern that is included in the search condition is calculated as the signature, the registration to the DPI signature table computed hash value instructed to the DPI portion, the DPI unit, the dedicated Register the hash value instructed to be registered by the command part in the DPI signature table,
If the DPI unit receives a packet of the communication flow, the dedicated instruction unit extracts the bit sequence from the payload of the packet, calculates a hash value of the extracted bit sequence, the calculated hash value DPI signature table A packet analysis device that determines whether or not a hash value of a bit sequence of a registered search pattern matches. In the DPI signature table, a hash value of a bit sequence of a search pattern and an action that is a processing content to be executed on a packet in which the hash value is searched are registered.
The dedicated command section is
A signature calculation unit for calculating a hash value of a bit sequence;
When the DPI unit registers a search condition instructed to be registered by the search condition management unit, the signature calculation unit calculates a hash value of a bit sequence of a search pattern included in the search condition, and the calculated hash value A signature setting unit for instructing the DPI unit to register in the DPI signature table;
When the DPI unit receives a packet of a communication flow, the hash value of the bit sequence extracted from the payload of the packet is calculated by the signature calculation unit, and the calculated hash value is a search pattern registered in the DPI signature table. A signature matching unit that determines whether the hash value of the bit sequence matches,
The packet analysis device according to claim 1, further comprising: an action selection unit that selects an action to be performed on the packet with reference to the DPI signature table when the signature collating unit determines that they match.   The packet analysis apparatus according to claim 1, wherein each of the plurality of DPI units includes an embedded processor.   The packet analysis device according to claim 3, wherein the plurality of DPI units are configured as a multi-core processor in which a plurality of embedded processors constituting each of the plurality of DPI units are integrated on a single chip. A packet analysis function unit that is arranged at a subsequent stage of the plurality of DPI units, is configured by a single network processor, and includes a packet analysis signature table;
The search condition management unit also manages the search conditions of the packet analysis function unit,
The packet analysis function unit
When the search condition management unit instructs the packet analysis function unit to register search conditions, the bit sequence of the search pattern included in the search conditions is registered in the packet analysis signature table,
When the packet analyzing function unit receives a packet of the communication flow, determine extracting bit sequences from the payload of the packet, the extracted bit sequence matches the bit sequence of the search patterns registered in the packet analysis Signature table The packet analysis device according to claim 4. A packet analysis method by a packet analysis device for analyzing a packet of a communication flow,
In the packet analysis device,
A plurality of DPI units each comprising a DPI signature table;
A search condition management unit that manages each search condition of the plurality of DPI units;
A dedicated command section,
When the search condition management unit instructs the DPI unit to register the search condition, the DPI unit registers the search condition instructed to be registered by the search condition management unit, and the dedicated command unit a hash value that represents the characteristics of the bit sequence of the search pattern that is included in the search condition is calculated as the signature, the registration to the DPI signature table computed hash value instructed to the DPI portion, the DPI unit, the dedicated Register the hash value instructed to be registered by the command part in the DPI signature table,
If the DPI unit receives a packet of the communication flow, the dedicated instruction unit extracts the bit sequence from the payload of the packet, calculates a hash value of the extracted bit sequence, the calculated hash value DPI signature table A packet analysis method for determining whether or not a hash value of a bit sequence of a registered search pattern matches. In the DPI signature table, a hash value of a bit sequence of a search pattern and an action that is a processing content to be executed on a packet in which the hash value is searched are registered.
When the DPI unit registers a search condition instructed to be registered by the search condition management unit, the dedicated instruction unit calculates a hash value of a bit sequence of a search pattern included in the search condition, and calculates the calculated hash value And instructing the DPI part to register in the DPI signature table,
When the DPI unit receives a packet of a communication flow, the dedicated command unit calculates a hash value of a bit sequence extracted from the payload of the packet, and a search pattern in which the calculated hash value is registered in the DPI signature table Whether it matches the hash value of the bit sequence of
The packet analysis method according to claim 6, wherein, when it is determined that the dedicated instruction unit matches, the dedicated command unit refers to the DPI signature table and selects an action to be performed on the packet.

Images