KR100776115B1 - Ternary Content Addressable Memory with Negation and Start Flags - Google Patents

Abstract

In the present invention, a packet filtering system essential to network equipment such as a router, an intrusion detection system, a charging system, and the like in a packet network is implemented by using a TCAM (Ternary Content Addressable Memory) semiconductor chip. The hardware structure and the method to accommodate the rules more efficiently. The range rule is to use the gray code symmetry and TCAM matching characteristics to convert TCAM entry values more efficiently than the existing packet classification system. For the negation rule, a new TCAM hardware structure having a final matching result calculation block including a negation flag and a start flag and a code conversion unit, and thus a TCAM entry conversion procedure for negation rules is presented.

By using the invented TCAM structure and the corresponding entry conversion procedure, the packet classification system can be classified using a smaller TCAM semiconductor chip than the conventional TCAM for the same packet filtering rule without affecting the retrieval time. Can reduce the cost.

Packet Classification System, Packet Filtering, TCAM, Negative Rule, Range Rule

Description

Ternary Content Addressable Memory with Negation and Start Flags}

1 is a block diagram showing a system for performing packet filtering according to the present invention;

2 is an example of a rule used for packet filtering;

3 is a hardware structure for producing a gray code used in the present invention,

4 is a flow diagram of converting a range field defined in the present invention into a TCAM entry value;

5 is an example of converting a prescribed range rule performed by the present invention to a TCAM entry value,

FIG. 6 is a flow diagram of converting a rule having an indefinite field or a range field into a plurality of TCAM entry values. FIG.

7 is a circuit diagram showing one cell of a TCAM according to the present invention;

8 is a circuit diagram of a TCAM according to the present invention;

9 is a flow diagram showing overall performance of packet classification performed by the present invention;

10 is an example of a general TCAM entry structure;

11 is an example of converting a range value into a prefix value that can represent a range.

12 is an example of an existing method for searching for negation rules;

<Description of Symbols for Main Parts of Drawings>

100: network 200: packet receiver

300: TCAM semiconductor chip 310: code conversion unit

320: TCAM entry 330: matching result calculation block

340: priority encoder 400: control unit

500: application server

The present invention relates to a new TCAM structure and a TCAM entry expansion procedure of a rule that can solve the problem of inefficient retrieval of range rules and negative rules when using a TCAM semiconductor chip as a packet filtering system.

Packet classification or packet filtering compares the specified rule with the packet input from the network to determine the match between the header field data of the input packet and the rule, and if so, searches which rule matches and classifies the packet according to the matched rule. In determining the next action, for example, in case of an intrusion detection system, if an input packet meets a prescribed rule, the rule decides whether to discard or accept the packet. In the above, packet filtering is generally used in the same way as packet classification, and packet search is used in the same sense as packet matching.

The header fields of the packet used for packet filtering include five fields such as a source address, a destination address, a source port number, a destination port number, a protocol, and a field used for matching depending on an application area where a packet filtering system is used. Different. For example, a general router system typically searches only the destination address field, and all five fields are used for a flow-aware router, an intrusion detection system, or a billing system.

Matching methods include searching all bits of an input packet header field, prefix matching method if a rule is given in a prefix form, and range matching method for searching if a rule is defined in a decimal range.

The types of fields used in the rule include the normal fields that are determined to be matched if the fields used in the rule and the corresponding fields in the input packet match, and the header fields of the input packet will not be the same as the fields defined in the rule. A negation field that is determined to be a match, a range field in which the field used in the rule is given in decimal range, and a don't care field that doesn't care what the corresponding field of the input packet is. There is this. The general or negative fields are mainly used for the address field or the port number field, the range field is mainly used for the port number field, and the undefined field is a field that does not care what the header value of the input packet is. In this case, an indefinite condition is used to exclude the match. Also, rules with one or more negative fields are called negative rules, and rules with one or more negative fields are called range rules.

FIG. 2 shows an example of a commonly used rule. In rule 1, a general field is a source port number, a destination port number, and a protocol field, and a source address field and a destination address prefixed with! (Negative meaning) in the rule field. The field is a negative field, and rule 2 is a range field that means that the rule 1, the address field, the destination port number, and the protocol field are the same, but the source port number is 0 to 63. Also, the number 24 written at the end of the address field is a prefix value indicating the effective address bit of the address.

The packet filtering system can be classified into an algorithmic method and a hardware method. The algorithmic method is a method of searching an input packet by creating a specific data structure such as a tree structure according to the system in which packet filtering is used. The hardware method is generally implemented using a TCAM semiconductor chip that can search for 0, 1 and indeterminate conditions.

The biggest difference between the algorithm and the hardware method is the search speed. In the algorithm method, the search speed increases in proportion to the number of bits of the packet to be searched. Searches can always be performed on one clock regardless of the number of bits, making them suitable for high-speed traffic environments and IPv6 environments where the number of header bits in a packet increases.

The TCAM semiconductor chip used in the hardware method is composed of a TCAM entry, an address decoder, a priority encoder, various registers, etc., and the actual search part is a TCAM entry, and the entry stores a value that stores a rule ( It consists of a value field, a mask field for searching for an undefined condition, and a comparison logic block, and has a structure in which a search can be performed in only one clock (cycle) through parallel processing.

The mask field is different depending on the implementation method, but if the mask value is 0, the corresponding bit of the value and the corresponding bit of the input packet header field data are searched. If the mask value is 1, it means an undefined condition. do. Referring to the TCAM entry example of FIG. 10, in the example, the value is "01111000" and the mask value is "00001111". Therefore, only the upper 4 bits of the input data are matched with the upper 4 bits of the value and the remaining lower Four bits do not perform matching. Therefore, even if the lower 4 bits of the input data ("01110111") are different from the lower 4 bits of the value field, the result determines that the input data and the rule match.

Such a TCAM is efficient in retrieving a prefix type rule in hardware structure. However, there is a problem that if a rule contains a range field or a negative field, the rule cannot be retrieved as a single TCAM entry.

The existing search method for the range field converts a range into a plurality of prefix type values that can represent a range by using binary binary code. FIG. 11 shows an example of a conventional prefix conversion method. As in this example, if a given range is from 2 to 11, the range can be represented by three prefix values, and the converted prefix value is stored in a TCAM entry for searching.

If the range rule is converted to a prefix value using the above method, a maximum of 30 entries are required assuming that the range is 16 bits, and one rule has a maximum of 900 (= 30x30) TCAMs when considering two 16-bit header fields. This requires an entry, which wastes TCAM entries. As a result, converting a range rule to a prefix form and storing it in the TCAM for retrieval takes up a large number of TCAM entries, which is economically inefficient.

Another problem to solve the problem of the negation field is to represent the negation field value in binary and then expand it to a TCAM entry using a complement of one.

FIG. 12 shows a case in which a negation field is used in an address field as an example of the conventional method. Since a negation rule is given as! 120.0.0.0/8, the address of the input packet is matched if it is not 120.0.0.0/8. The number 8 after the address field value indicates a valid bit of the address, and means that only the upper 8 digits of the address bits of the input packet are compared. As shown in FIG. 10, a method of extending a negation rule to a plurality of TCAM entry values in FIG. 10 _{is performed} by converting 01111000 ₍₂₎ , which _is a binary value of 120 _{(10) ,} to a complement value of 1, 10000111 ₍₂₎ , for each bit. It extends to a single TCAM entry value. If the address field of the input packet matches any of the extended TCAM entries, it is determined that the input packet matches the negation rule. That is, if one bit of the upper 8 bits of the input address field is matched _, this means that it is not 120 ₍₁₀₎ , and thus it is determined to be matched.

Using the above method, since the number of valid address bits is required for the negative address field, up to 32 TCAM entries are required if one address field is a negative field in the IPv4 environment, and up to 128 for IPv6. TCAM entries are required. In addition, if both the source and destination addresses are negative fields, a maximum of 1,024 entries (= 32 x 32) for IPv4 and 16,384 entries (= 128 x 128) are required for IPv6.

As described above, the presence of a negative field in a rule increases the number of TCAM entries occupied by a rule, which increases the cost of a packet filtering system. In intrusion detection systems, for example, more than 90% of rules have negative fields, which is the main reason for the increased cost of packet filtering systems.

As described above, when a rule has a range field or a negative field, one rule may occupy many TCAM entries, resulting in a decrease in the number of rules that can be searched with the same TCAM capacity.

SUMMARY OF THE INVENTION An object of the present invention is to solve such a problem of the prior art, and in the case of a range field, first converts a rule into a gray code instead of a binary binary code, and uses a converted gray code to represent a range rule. The number of TCAM entries can be reduced by converting the packet into an entry value, thereby reducing the number of TCAM entries. Therefore, when configuring a packet classification system using the same capacity of TCAM, more rules can be searched than the conventional method.

In the case of the negation field, the present invention provides a TCAM semiconductor chip which can reduce the cost of a packet filtering system by reducing the number of TCAM entries expanded by the negation field without affecting the search speed.

In order to achieve the above object of the present invention, the present invention first converts a prescribed rule to a gray code and converts a range field into a TCAM entry value that can represent a range using the converted code. For the negation field, the procedure includes extending the negation rule to the TCAM entry value.

The converted TCAM entry value and the extended TCAM entry value are stored in the TCAM entry according to the present invention. The next step includes hardware-converting the header field value of the packet input from the network to gray code, and inputting the converted value into the TCAM entry to search for a rule.

The TCAM is a TCAM semiconductor chip having a new structure including a code conversion unit and a matching result calculation block circuit using an illegal flag / start flag.

In order to achieve the above technical problem, the present invention provides a procedure for converting a range rule including a range field into a TCAM entry value using gray code. In addition, the present invention provides a procedure for converting a negation rule including a negation field into a TCAM entry value and includes a circuit for calculating a match between an input packet and a rule using a negation flag and a start flag. to provide.

In the present invention, a method of extending a range rule to a TCAM entry converts a range represented by a gray code into a TCAM entry value that can represent a range using characteristics of a gray code and a TCAM matching characteristic, and converts a negation rule into a TCAM entry. The method of extending to is characterized by separating a negation field and a general field and assigning one TCAM entry value to each negation field, and extending the remaining general fields into a plurality of TCAM entries to have one TCAM entry value.

In the present invention, the negation flag is characterized by inverting the matching result of the entry when the field stored in the TCAM entry is a negative field, and maintaining the matching result of the entry as it is when the general field is stored.

In the present invention, when the start flag is extended to a plurality of TCAM entries, the start flag is used to determine whether it is the first entry of the extended TCAM entry, and the start flag of the first entry is set to 1, and the other flags are set to 0. And a negative rule can be searched through a plurality of TCAM entries through the flag.

 Embodiments of the present invention will be described below with reference to the accompanying drawings. Those skilled in the art will appreciate the objects, features and advantages of the present invention.

1 is a block diagram showing a system for performing packet filtering according to the present invention, FIG. 2 shows an example of a rule used for packet filtering, and FIG. 3 shows a hardware structure for producing gray codes used in the present invention. It is shown. 4 and 5 illustrate a flow chart and an example of converting a range rule defined in the present invention to a TCAM entry value, and FIG. 6 illustrates a flow diagram of converting a negation rule and a range rule into a plurality of TCAM entry values in the present invention. 7 and 8 are circuit diagrams showing one cell of the TCAM according to the present invention and a circuit diagram of the TCAM according to the present invention. 9 is a flow diagram showing the overall performance of packet classification performed by the present invention, FIG. 10 shows the structure of a TCAM entry, FIG. 11 is an example of an existing method of converting a given range value into a prefix value, and FIG. 12 is an example of an existing method for searching for negation rules.

Referring to FIG. 1, a packet filtering system includes a packet network 100, a packet receiver 200, a TCAM 300 according to the present invention, a controller 400 for controlling a TCAM, and an application server 500. It is composed. The packet input from the packet network 100 is received by the packet receiving unit 200, and when the received packet is transferred to the TCAM 300 according to the present invention, first, the code is converted into a gray code through the code conversion unit 310 in the TCAM. After the conversion, the converted packet header field value is input to the TCAM entry 320 for matching with the rule, and the search is performed. The final matching result is calculated in the matching result calculation block 330 using the first search result. After inputting this to the priority encoder 340, the TCAM entry address of the matched rule is output as a result, and when the output is outputted to the control unit 400, the control unit notifies the application server 500 of the matched rule. In FIG. 1, the code conversion unit 310 and the matching result calculation block 330 inside the TCAM semiconductor chip are the core blocks of the present invention, which are not present in the packet filtering system using the conventional TCAM.

FIG. 2 shows an example of a rule used in a packet filtering system. In Rule 1, a negative field and a general field are used together, and rule 2 is an example in which a range field, a negative field, and a general field are mixed.

FIG. 3 shows a circuit for converting a rule defined by binary binary code into a gray code. In order to produce the gray code, the most significant bit of the binary binary code is the most significant bit of the gray code as it is, and from the next bit, the first bit The upper bits are converted to gray code bits through exclusive logical operations (XOR). For example, if the binary binary code is "1010", converting it to gray code will result in "1111". The gray code generated in this way is always one bit different from the neighboring value, the remaining bits are the same, and have symmetry between the codes.

For example, the binary binary code for decimals 3 and 4 cannot represent two values as one, '0011' and '0100', but when converted to gray code, the two values are converted to '0010' and '0110' because only one bit is different. Representative '0 * 10' (* denotes an indeterminate condition), and the symmetrical nature of the gray code is centered around the center value 8 of 0 and 15, for example for 4-bit code If you compare gray codes from 0 to 7 and codes from 8 to 15, you will have the same value except for the most significant bit. If you compare 0 and 15 with binary binary code, '0000' and '1111' but gray code value is Since '0000' and '1000' have the same value except the most significant bit, they can be represented as '* 000' which can represent two values.

4 illustrates a process of converting range rules into TCAM entry values using gray code having the above characteristics. The rule is divided into up to three sub-fields and the TCAM entry value as the final result in each sub-area. Calculation flow chart.

Referring to the conversion process, first, a range rule value is input (S101), and when the input range is converted into a gray code (S102), a center value for the first subregion is calculated using a dichotomy (S103). The first detail range is determined to have a symmetrical characteristic about the center value, and the number of TCAM entries can be reduced due to the symmetrical nature.

When the center value is calculated, it is determined whether the center value is the center value of the input range (S104). If the center value is the same, the entire input range is set to one detail area (S105). If the center value is not the center value, it is determined that there is a remaining area of the input range. First, the first subregion is set based on the calculated center value (S106).

When the first detail region is set, the second center value for calculating the second detail region is calculated (S107), and the second region is set to have symmetry around the center value (S108). If there is a remaining area except for the area and the second detail area (S109), if there is a remaining area, the remaining area is set as the third area (S110), and if there is no remaining area, two detail areas are selected for the input range. Set it.

When the number of TCAM entries is calculated for each region in the divided region (S111), and the TCAM entry value is calculated for each region, the final TCAM entry value that can represent the input range is calculated (S112).

By the above method, the application server 500 calculates the TCAM entry value for the range, stores the calculated value through the control unit 400 in the TCAM entry 320 in the TCAM semiconductor chip 300, and then the packet is stored in the network ( When received from the 100, the received packet data is converted into a gray code through the code conversion unit 310 in the TCAM semiconductor chip 300, and then input to the TCAM entry 320 to perform matching.

FIG. 5 shows an example of dividing a range rule into sub-regions and finding a center value in the above method. For example, when a prescribed range is 5 bits and an application range is 6 to 13, 2 of the range is divided using a dichotomy. Find the 1st point.

In this example, one-half is 16 in decimal, and 16 is below the range of the rule. Since the center value 8 is within the given range, if 8 is the center value of the first range, and the detail range is calculated to have symmetry around 8, the first detail range is 6 to 9.

If you calculate the center value using dichotomy for the remaining area to find the second range, it becomes 12. If you calculate the range to have symmetry around 12, the second subrange is 10 to 13.

The range 6 through 13 ([6..13]) defined by the above process is divided into two subfields, and the TCAM entry value is calculated in each subfield.

Converting the first detail area to a TCAM entry results in '0 * 10 *' and the second area becomes '01 * 1 * '.

Converting the prescribed range into TCAM entries by the existing method using binary binary code results in '0011 *', '010 **' and '0110 *', which suggest that the proposed method can reduce the number of entries. The proposed method has the same number of entries in the worst case than the previous method, but generally one or more.

In the above example, the difference in the number of entries is one, but considering that the number of rules generally used in the network system is about 2,000 to 34,000, it can be seen that the reduction of the number of entries by the proposed method is large.

6 is a procedure of extending a rule having a range field or a negative field to a TCAM entry value. First, if there is a range field in the rule (S201), the range field is converted to a TCAM entry expansion method using gray codes according to the procedure of FIG. After step S202, the field used in the rule is divided into a negative field and a general field (S203), and one negative field has one TCAM entry value (S204). For example, when a rule is defined as shown in Rule 1 of FIG. 2, since the source address and the destination address are negative (!) Fields, the source address and the destination address fields are assigned to one TCAM entry value. In the TCAM entry value of the source address, since the effective address bit is 24 bits, enter 200.0.0.0 ₍₁₀₎ in place of the source address field of the value field of the TCAM entry _, and enter 000000FF ₍₁₆₎ in place of the source address field of the mask field. Enter 1 in the remaining fields to search only for source addresses.

As described above, after one negative field has one TCAM entry value, the other general fields are set to one TCAM entry value (S205). Using this procedure, two TCAM entries are used for one negative field in a rule, three TCAM entries for two negative fields, and a maximum of five if all five fields are used in a rule. TCAM entries are required.

In the case of rule 1 of FIG. 2, the source address field and the destination address field are negative fields, and the remaining three fields are general fields. When the TCAM entry extension procedure for the negative rules of FIG. 6 is used, the TCAM entry values are converted into three TCAM entry values. That is, the source address and destination address values are stored in the first and second TCAM entries, respectively, and the third entry contains the source port number, the destination port number, and the protocol fields. When the packet is input from the network, the search is performed. In this case, if the search results of the first and second TCAM entries do not match and the search results of the third entry match, it may be said that the input packet matches the rule. In other words, since the first and second entries contain negative fields, if the search result is 1, it means that the corresponding field of the input packet matches the field of the rule. If the search result is 0, it means that the negative field and the corresponding field of the input packet are different, and thus are determined to be matched. However, since the third entry has a general field stored, if the matching result of the TCAM entry is 1, it means that the corresponding field of the input packet is matched with the rule field, and if it is 0, it means that it is not matched. As a result, the final matching result is an inverted middle matching result of the entry using a negative flag in the case of an entry in which a negative field is input, and the general field outputs the middle matching result of the entry as it is, and then performs an AND operation on the outputted three values. The matching result is calculated.

FIG. 7 is a circuit diagram for calculating a TCAM entry value extended by the procedure of FIG. 6 as described above, and is a circuit diagram cell1 for calculating a final result using an intermediate matching result S301 of a TCAM entry. The input of the circuit is the N1 input terminal for setting the intermediate matching result (S301) and the negative flag (D2) input from the TCAM entry, the S1 terminal for setting the start flag (D1), and the clock (clk) terminal for setting two flags. There is a matching calculation result C2 inputted from the lower TCAM entry calculation block, and as the output terminal, the M1 terminal outputting the result calculated by the final result calculation block cell1 and the result calculated from the calculation block There is a C1 terminal for output.

In the above circuit, the negation flag is 1 when the value stored in the TCAM entry entry1 is a negation field, 0 when it is a general field, and the start flag is the first entry of the TCAM entry extended by the procedure of FIG. Is 1, or 0 if it is not the first entry.

If the negative flag is 1, the value of the entry means a negative field value, and the result value S301 output from the TCAM entry entry1 is inverted using the XOR gate xor1 and the result S302 is sub-calculated. The final result is calculated by performing an AND operation (and1) with the value C2 input from the block.

The output of the calculated result value is determined by the start flag D1. If the currently calculated entry is the first entry expanded by the procedure of FIG. 6, the start flag is 1, and the final calculated result value (S303). ) And AND (and2) to output the calculated value (M1). If the start flag is 0, M1 is always outputted 0 due to the characteristics of the AND operation. In addition, in the case of the C1 terminal that outputs the currently calculated result value S303 to the upper entry matching result calculation block, if the start flag is 0 by using the OR gate or1, the currently calculated result is not the final result and thus is output to the upper entry. If the start flag is 1, since the currently calculated value is the final matching result, 1 is always output to C1 so as not to affect the calculation of the final matching result in the upper calculation block.

Such a circuit is intended to allow the circuit for the final result calculation to be flexibly calculated according to the changed number of entries since the number of TCAM entries expanded by the procedure of FIG. 6 depends on the number of negative fields in the rule. That is, using a circuit as shown in FIG. 7 including a negative flag and a start flag, a matching result can be flexibly calculated regardless of the number of TCAM entries required for matching.

FIG. 8 is a diagram illustrating a part of a circuit of a TCAM according to the present invention, in which a code conversion unit for largely converting a binary code into a gray code, a matching to calculate a final matching result using an intermediate matching result matched by a TCAM entry, and a TCAM entry It is composed of a result calculation block and a priority encoder for outputting the result of the matched entry using the final matching result.Each entry (E1, E2, E3) calculates the final matching result using the intermediate calculation result of the entry. It has one cell (cell1, cell2, cell3).

In order to explain the operation of the circuit, the rule 1 of FIG. 2 will be described. First, rule 1 of FIG. 2 has two negative fields as described above, and thus extends to three TCAM entries. The source address field, which is the first negation field, is input, the negation flag N1 is 1, and the start flag S1 is also 1. In the second entry E2, the destination address field value, which is the second negation field, is input, the negation flag N2 is 1, and the start flag S2 is 0, since it is not the first entry. The third entry E3 stores general fields, and both the negative flag N3 and the start flag S3 are zero.

After setting each entry and flag value as above, if a packet is input from the network, the code conversion unit converts to a cray code, performs a matching on the TCAM entry, and outputs an intermediate matching result. The final match is calculated. As shown in FIG. 8, the final matching result M1 is obtained by performing an XOR operation on the intermediate matching results S401, S402, and S403 of the entry and the negative flags N1, N2, and N3, respectively, and then performing an AND operation on each result. Result.

9 shows the flow of the entire system, and before the packet matching, the application server converts a rule into a TCAM entry value (S501) as a preprocessing process. First, the value of the rule is converted to gray code, and if there is a range field in the rule, the range field is converted to a plurality of TCAM entry values by the TCAM entry conversion procedure for the range value of FIG. In this case, the TCAM entry is converted into a TCAM entry value by the TCAM entry extension procedure of FIG. 6.

After converting the rule to the TCAM entry value as described above, the converted entry value is stored in the TCAM entry 320 in the TCAM semiconductor chip 300, and the negative flag and the start flag value in the matching result calculation block 330 are set. (S502).

The above procedure is a preprocessing process for packet matching. When a packet is input after the process is finished (S503), the packet is transmitted to the code conversion unit 310 in the TCAM semiconductor chip and the packet header value required for matching is converted into a gray code. After conversion (S504), the converted packet header value is transmitted to the TCAM semiconductor chip (S505) to perform rule matching (S506).

If the packet input by the above procedure matches the rule, the matching result is transmitted to the controller (S507). If the packet is not matched, the next packet input is awaited. The controller transmits the matching result to the application server (S508).

Using the above procedure, it is determined whether the rule matches the input packet.

As described above, the TCAM and matching procedure according to the present invention can search for a rule having a range field or a negation field using a smaller number of TCAM entries than the conventional method. General rules can be searched just like traditional TCAMs.

In the above embodiment, the circuit has been described using one rule, but this is merely illustrative and the present invention is not limited thereto.

As described above, when a TCAM semiconductor chip is used in a packet filtering system, a TCAM entry expansion procedure for a range field and a TCAM entry expansion procedure for a negation rule, a new TCAM having a code conversion unit, a negation flag, and a start flag according to the present invention. The hardware architecture reduces the cost of the packet filtering system because it can perform packet filtering using the TCAM entry expansion method for the existing range rule and the negation rule and fewer TCAM entries than the existing TCAM. Can be.

For example, using the existing TCAM entry extension method and the existing TCAM, if one address field is a negative field in the rule and the effective address bit is 32, 32 TCAM entries are required, but using the TCAM according to the present invention, two TCAMs are required. You can search for negative rules by entry. If two address fields are negative fields, the conventional method requires 1,024 TCAM entries. However, the invention can be used to search with only three TCAM entries. That is, a packet filtering system can be implemented with a smaller capacity TCAM for the same rule, and more rules can be searched for a TCAM of the same capacity. In addition, for range rules, TCAM entries can be saved by using the TCAM entry conversion method using gray code instead of the existing binary binary code, and this gray code conversion is performed only with an exclusive logic gate (XOR). When you save TCAM entries, they are easy to implement in hardware and do not affect search time.

As an example, the proposed method and the TCAM can save 93% of TCAM entries compared to the existing method when applied to the SNORT program rule (version 2.4). This can effectively lower the cost of a packet filtering system.

Claims (8)

The present invention relates to a TCAM semiconductor chip having a negation and a start flag in a packet classification system. A code converter 310 for converting binary codes to gray codes; Matching result calculation block 330 for determining whether to match using the TCAM entry 320 matching result and the negative flag (N1) and the start flag (S1) and And a priority encoder for outputting the address of the matched TCAM as a matching result. delete The method of claim 1, wherein the code conversion unit 310 And converting the binary code into a gray code using an XOR gate before storing the input packet header value in the entry E1 of the TCAM semiconductor chip. delete The method of claim 1, wherein the matching result calculation block (330, cell1) is It consists of a cell unit (cell1), one cell (cell1) for each TCAM entry (E1), One cell has a negative flag (N1) and one start flag (S1), And a gate circuit for calculating a matching result by calculating the result of the current entry E1 and the result of the entries E2 or E2 and E3 at the lower stage. The negative flag N1 of claim 5, wherein: If the rule stored in the TCAM entry E1 is a negative rule, set the negative flag N1 to 1, otherwise set the flag to 0, The negative flag N1 is 1, the search result S301 of the TCAM entry enrty1 or E1 is inverted (S302), and if 0, the search result of the TCAM entry is retained (S302). The method of claim 5, wherein the start flag (S1) is Set the start flag to 1 if the current TCAM entry is the first entry in the rule, or 0 if not the first entry. If the start flag S1 is 1, the calculation result S302 by the negative flag and the result C2 of the matching result calculation circuit at the lower stage are calculated to output the final matching result S303 (M1), And if the start flag S1 is 0, outputs the result S303 of the matching result calculating circuit to the matching result calculating circuit of the upper entry C1 and outputs 0 as the final matching result M1. The method of claim 5, And a circuit cell1 for calculating a matching result regardless of the number of TCAM entries using the start flag S1 of the matching result calculating circuit cell1 when searching for a rule using a plurality of TCAM entries. TCAM semiconductor chip.

Images