KR20130048092A - Apparatus and method for processing network packet - Google Patents

Apparatus and method for processing network packet

Info

Publication number
KR20130048092A
Authority
KR
South Korea
Prior art keywords
packet
processing
rule
inspection
network
Prior art date
Application number
KR1020110113031A
Other languages
Korean (ko)
Inventor
오상윤
Original Assignee
한국전자통신연구원 (Electronics and Telecommunications Research Institute, ETRI)
Priority date: 2011-11-01 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2011-11-01
Publication date: 2013-05-09
Application filed by 한국전자통신연구원
Priority to KR1020110113031A
Publication of KR20130048092A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/50 Queue scheduling
    • H04L 47/62 Queue scheduling characterised by scheduling criteria
    • H04L 47/625 Queue scheduling characterised by scheduling criteria for service slots or service orders
    • H04L 47/627 Queue scheduling characterised by scheduling criteria for service slots or service orders: policing

Abstract

The present invention relates to a network packet processing apparatus comprising: a packet buffer that temporarily stores the original of a received network packet; a rule storage unit that stores packet processing rules; a packet inspection block including at least one packet inspection unit that examines the data pattern of a copy of the original temporarily stored in the packet buffer and generates a processing rule for the processing of that original; and a packet processing unit that, at initialization, generates an initial processing rule and stores it in the rule storage unit, generates a copy of each arriving packet and requests inspection from the packet inspection block, and, before a processing rule is received from the packet inspection block, processes the original network packet stored in the packet buffer according to the processing rule currently stored in the rule storage unit.

Description

Apparatus and Method for Processing Network Packet

The present invention relates to network packet processing and, more particularly, to a technique for inspecting and processing network packets using a plurality of coprocessors (packet inspection units).

With the growth of the Internet, new application services keep appearing and network traffic is increasing rapidly. Attempts to compromise security, such as unauthorized access to network systems and hacking, are increasing as well. Security has therefore become as important as the quality assurance of Internet services.

To confirm that a network packet is safe, network equipment inspects the packet and processes it according to the result. For this purpose network devices generally perform stateful inspection (SI), which derives connection state information from the header of the packet and processes the packet on that basis.

More recently, in addition to the state information carried in the header, deep packet inspection (DPI) examines the payload, the actual data area of the network packet, and the packet is processed according to that inspection result.

Such detailed packet inspection can detect attack patterns and intrusion attempts that cannot be identified from the packet header alone, and can also identify service information such as Voice over IP (VoIP) and Internet Protocol TV (IPTV) traffic.

Detailed packet inspection mainly relies on pattern matching. When there are many inspection patterns and packets are long, inspection must be parallelized across several packet inspection units. Each packet inspection unit may inspect independently, with different inspection contents or many inspection items, so the same packet may be inspected by several packet inspection units, each performing a different inspection or checking different items.

In that case inspection completes at a different time in each packet inspection unit, and because packets to be processed keep arriving, bottlenecks arise in packet processing and the overall network packet processing performance degrades.

The patent "Network Packet Processing System and Method for Preventing Bottlenecks" (Korean publication 10-2011-0003242) uses a plurality of packet inspection units and a single packet processing unit to inspect and process incoming packets.

However, in that design, when many packet inspection units are required and inspection is delayed, or a packet inspection unit fails, so that the inspection result does not arrive within a preset time, the packet processing unit must output the packet without it having been inspected. Moreover, because the packet processing unit waits a predetermined time for the inspection result before processing the packet, traffic stalls whenever that timer expires, and video or voice traffic suffers intermittent degradation of picture or call quality.

The present invention processes a packet using the existing processing rule before the packet inspection result arrives; when the inspection result is received later, the existing rule is replaced by the received rule, so that subsequent packets are processed with the updated rule. It thus provides a network packet processing apparatus and method that avoids the loss of packet processing performance caused by packet inspection delay.

A network packet processing apparatus according to the present invention comprises: a packet buffer that temporarily stores the original of a received network packet; a rule storage unit that stores packet processing rules; a packet inspection block including at least one packet inspection unit that examines the data pattern of a copy of the original temporarily stored in the packet buffer and generates a processing rule for the processing of that original; and a packet processing unit that, at system initialization, generates an initial processing rule and stores it in the rule storage unit, generates a copy of each arriving packet and requests inspection from the packet inspection block, and, before a processing rule is received from the packet inspection block, processes the original network packet stored in the packet buffer according to the processing rule stored in the rule storage unit.

With this configuration, packet inspection can be performed by a packet inspection block with a small number of packet inspection units; packet processing performance improves because packets are processed immediately rather than held until the inspection result arrives; and once an inspection result is received it is reflected in the packet processing rule, so later packets are processed according to the inspection result.

FIG. 1 is a block diagram of a network packet processing apparatus according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a network packet processing method according to an embodiment of the present invention.
FIG. 3 is a detailed flowchart of the network packet inspection process performed by a packet inspection unit.

Hereinafter, the present invention is described in detail with reference to the accompanying drawings so that those skilled in the art can readily understand and implement it.

Where a detailed description of a related well-known function or configuration could unnecessarily obscure the subject matter of the invention, that description is omitted.

The terms used in this specification are defined with the functions of the embodiments in mind and may vary with the intent or practice of users or operators; their definitions should therefore be read in light of the specification as a whole.

FIG. 1 is a block diagram of a network packet processing apparatus according to an embodiment of the present invention.

Referring to FIG. 1, the network packet processing apparatus includes a packet buffer 110, a rule storage unit 120, a packet processing unit 130 and a packet inspection block 140.

The packet buffer 110 temporarily stores the original of each network packet entering the packet processing apparatus and provides the data the packet processing unit 130 needs to process the header of the network packet.

The rule storage unit 120 stores the network packet processing rules, indexed by the state information of the network packet. The state information may include the source address, destination address, source port, destination port and transport protocol of the packet. The rule storage unit 120 stores a processing rule for each such state information and can retrieve the rule by that state information.

In a preferred embodiment of the present invention, the rule storage unit 120 stores an initial processing rule when the system is initialized. Because the processing rule for the same state information may change, whenever a new processing rule is received the stored rule is updated to the latest one.

At system initialization the packet processing unit 130 generates the initial processing rule for network packets and stores it in the rule storage unit 120. For each packet that subsequently arrives it generates a copy, sends the copy to the packet inspection block 140, and processes the original using the processing rule stored in the rule storage unit 120 without waiting for the inspection result. Because the packet is processed immediately with the existing rule, packet drops caused by inspection delay are eliminated. And because the packet processing unit 130 does not wait for the inspection result, inspection can be carried out with fewer packet inspection units than when the packet processing unit waits for inspection to finish. Fast packet processing is therefore possible regardless of inspection delay.

When a new processing rule is received from a packet inspection unit 141 to 14N after the original packet, or a series of packets, has already been processed, the packet processing unit 130 stores it in the rule storage unit 120, updating the processing rule. Any network packet that arrives afterwards is processed according to the updated rule. In this way, if the initial processing rule was wrong, it is corrected by packet inspection and accurate packet processing follows. Some of the initial packets therefore do not reflect the inspection result, but once the result has been received, processing that reflects it is possible.

The packet inspection block 140 includes a plurality of packet inspection units 141 to 14N. Each packet inspection unit 141 to 14N receives from the packet processing unit 130 a copy of the original network packet, inspects the data pattern of the copy, and generates a processing rule for the processing of the original. Typically the payload portion of the copied packet is inspected, but depending on the application the entire packet including the header may be inspected.

The generated rule is used as the processing rule for network packets received thereafter. It is transmitted to the packet processing unit 130, either as summary information or as a command, and stored in the rule storage unit 120. When inspection of the copied packet is complete, the copy is discarded.

However, the per-packet inspection rate of the packet inspection block 140, even with a plurality of packet inspection units 141 to 14N, is lower than the per-packet processing rate of the packet processing unit 130. If packets arrive at the packet processing unit 130 continuously rather than intermittently, inspection of the packets handed over by the packet processing unit 130 falls behind and a backlog accumulates; the number of packets awaiting inspection grows steadily and memory may run out. Furthermore, if the packet being inspected is an old one rather than one of the kind currently flowing, the resulting processing rule may be stale and the inspection result invalid.

To absorb the difference in packet processing speed between the packet inspection block 140 and the packet processing unit 130, in a preferred embodiment of the present invention the packet inspection block 140 has packet counters 151 to 15N, one connected to each packet inspection unit 141 to 14N, that record the number of packets awaiting inspection. Each time a packet to be inspected is received from the packet processing unit 130, the packet inspection unit 141 to 14N increments its packet counter 151 to 15N by one.

If the packet counter value is less than or equal to the maximum number, the oldest packet in the packet inspection unit's memory is inspected and the packet counter 151 to 15N is decremented by one; that is, as long as the counter is within the maximum, the counted packets are inspected oldest first. If the packet counter value exceeds the maximum number, the packet inspection unit keeps only the most recently received packets, up to the maximum number, in its memory and discards the earlier packets without inspecting them. The packet inspection block 140 therefore never holds more than the predetermined maximum number of packets for inspection, and the backlog cannot grow without bound. When no further packets arrive from the packet processing unit 130, all queued packets are inspected and their results sent to the packet processing unit 130 in order, without any discards.

In FIG. 1 a packet counter is provided for each packet inspection unit; depending on the application, a single packet counter with a single maximum value may instead be provided so that all packet inspection units together inspect up to that maximum number.

FIG. 2 is a flowchart illustrating a network packet processing method according to the embodiment of the present invention shown in FIG. 1.

Referring to FIG. 2, in step 210 the packet processing unit 130 generates the initial processing rule at system initialization and stores it in the rule storage unit 120. As a network packet arrives, the packet processing unit 130 temporarily stores it in the packet buffer 110 in step 220. That is, before the received packet is processed, it is held so that it can be processed once inspection of its header is complete. In this embodiment the packet is stored after its header has been inspected, but depending on the application it may be stored without inspection and inspected later.

In step 230 the packet processing unit 130 generates a copy of the original network packet, and in step 240 transmits the copy to the packet inspection units 141 to 14N so that a processing rule can be generated.

The packet inspection units 141 to 14N inspect the data pattern of the received copy and generate a processing rule for the processing of the original packet. In a preferred embodiment of the present invention, each packet inspection unit inspects at most a preset maximum number of packets; this is described below with reference to FIG. 3.

In step 250 the packet processing unit 130 processes and outputs the arriving network packet according to the initial processing rule stored in the rule storage unit 120. In other words, a packet that arrives before a processing rule has been received from the packet inspection units 141 to 14N is processed according to the stored rule. Depending on the application, the packet header may be inspected in step 250.

Next, when a processing rule generated by the packet inspection units 141 to 14N is received, the packet processing unit 130 updates the rule storage unit 120 with it in step 260. When another network packet arrives, the packet processing unit 130 returns to step 220 and processes it according to the updated rule in the rule storage unit 120. If no new packet arrives, then each time a new processing rule is received from the packet inspection units 141 to 14N in step 260 the rule storage unit 120 is updated with it, so that the next packet to arrive is processed with the latest rule.

FIG. 3 is a detailed flowchart of the network packet inspection process performed by each packet inspection unit.

Referring to FIG. 3, the packet inspection unit 141 to 14N reads its packet counter in step 310 and determines in step 320 whether the counter value is greater than zero, that is, whether there is a packet waiting to be inspected.

If step 320 finds that a packet to be inspected has arrived, the packet inspection unit 141 to 14N determines in step 330 whether the packet counter value is greater than the preset maximum number.

If step 330 finds that the packet counter value is greater than the preset maximum number, the packet inspection unit 141 to 14N retains, counting back from the most recently received packet in its memory, only as many packets as the maximum number and discards the remaining, older packets. The packet counter is then set to the maximum number, so that only the newest packets, up to the maximum number, remain subject to inspection.

In step 350 the packet inspection unit 141 to 14N decrements the packet counter by one; in step 360 it inspects the oldest packet, discards that packet once inspected, and returns to step 310.

If step 330 finds instead that the packet counter value is less than or equal to the preset maximum number, the packet inspection unit 141 to 14N proceeds directly to step 350.

Although not shown in the drawing, after performing the inspection the packet inspection unit 141 to 14N transmits the generated processing rule to the packet processing unit 130 so that the rule storage unit 120 is updated.
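The following simulation is an added example and is not code from the patent or from ETRI; it puts the FIG. 2 processing loop (process now with the stored rule, update the rule storage when an inspection result arrives) and the FIG. 3 bounded packet counter into one runnable model. The FORWARD/DROP rule vocabulary, the substring-match inspector, the flow-hash dispatch to an inspection unit, the convention that a benign copy generates no rule, and the sample flow and payloads are all assumptions made for illustration. It also exposes the two points a practitioner has to weigh: every packet that arrives before the inspection result is forwarded under the old rule, and when the counter exceeds its maximum the oldest copies are thrown away uninspected, so a pattern that sat in one of those copies is never reflected in a rule.

```python
"""Rule-first packet processing with a bounded inspection backlog (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# "State information" the rule storage unit is indexed by: 5-tuple of the flow.
FlowKey = Tuple[str, str, int, int, str]  # src, dst, sport, dport, proto


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


class RuleStorage:
    """Rule storage unit: one rule per flow key, falling back to the initial rule."""

    def __init__(self, initial_rule: str = "FORWARD") -> None:
        self.initial_rule = initial_rule
        self.rules: Dict[FlowKey, str] = {}

    def lookup(self, key: FlowKey) -> str:
        return self.rules.get(key, self.initial_rule)

    def update(self, key: FlowKey, rule: str) -> None:
        self.rules[key] = rule  # a later result for the same key replaces the earlier one


class InspectionUnit:
    """One packet inspection unit with the packet counter of FIG. 3."""

    def __init__(self, max_count: int, patterns: List[Tuple[bytes, str]]) -> None:
        self.max_count = max_count
        self.patterns = patterns              # assumed: (byte pattern, rule) pairs
        self.queue: Deque[Packet] = deque()   # copies awaiting inspection, oldest on the left
        self.counter = 0
        self.discarded = 0                    # copies dropped uninspected (for the demo)

    def receive(self, copy: Packet) -> None:
        # A copy handed over by the packet processing unit raises the counter by one.
        self.queue.append(copy)
        self.counter += 1

    def inspect_one(self) -> Optional[Tuple[FlowKey, Optional[str]]]:
        # Steps 310/320: counter at zero means nothing to inspect.
        if self.counter <= 0:
            return None
        # Steps 330/340: above the maximum, keep only the newest max_count copies.
        if self.counter > self.max_count:
            excess = self.counter - self.max_count
            for _ in range(excess):
                self.queue.popleft()
            self.discarded += excess
            self.counter = self.max_count
        # Steps 350/360: decrement, inspect the oldest retained copy, discard it.
        self.counter -= 1
        copy = self.queue.popleft()
        return copy.key(), self._match(copy.payload)

    def _match(self, payload: bytes) -> Optional[str]:
        for pattern, rule in self.patterns:
            if pattern in payload:
                return rule
        return None  # assumption: a benign copy yields no rule, so an earlier DROP stands


class PacketProcessor:
    """Packet processing unit: processes with the stored rule now, updates rules later."""

    def __init__(self, storage: RuleStorage, units: List[InspectionUnit]) -> None:
        self.storage = storage
        self.units = units
        self.forwarded: List[Packet] = []

    def handle(self, pkt: Packet) -> str:
        # Steps 220-250: copy goes to an inspection unit; the original is processed
        # immediately with whatever rule the storage currently holds.
        self.units[hash(pkt.key()) % len(self.units)].receive(pkt)  # frozen, so safe to share
        action = self.storage.lookup(pkt.key())
        if action == "FORWARD":
            self.forwarded.append(pkt)
        return action

    def apply_results(self) -> int:
        # Step 260: drain every inspection unit and update the rule storage.
        updates = 0
        for unit in self.units:
            while (result := unit.inspect_one()) is not None:
                key, rule = result
                if rule is not None:
                    self.storage.update(key, rule)
                    updates += 1
        return updates


def run(max_count: int, evil_index: int, burst: int = 5) -> Dict[str, object]:
    """One constructed flow sends `burst` packets before any inspection result lands;
    packet number `evil_index` carries the constructed pattern b"evil"."""
    unit = InspectionUnit(max_count, [(b"evil", "DROP")])
    proc = PacketProcessor(RuleStorage(), [unit])
    key: FlowKey = ("10.0.0.1", "10.0.0.2", 40000, 80, "tcp")  # constructed sample flow

    def pkt(i: int) -> Packet:
        body = b"evil" if i == evil_index else b"benign"
        return Packet(*key, body + bytes([i]))

    burst_actions = [proc.handle(pkt(i)) for i in range(burst)]
    updates = proc.apply_results()
    later_action = proc.handle(pkt(burst))  # first packet after the rule update
    return {"burst_actions": burst_actions, "discarded": unit.discarded,
            "updates": updates, "rule_after": proc.storage.lookup(key),
            "later_action": later_action}


if __name__ == "__main__":
    print("unbounded backlog, hit in packet 2:", run(max_count=10, evil_index=2))
    print("max 3, hit in oldest packet:        ", run(max_count=3, evil_index=0))
    print("max 3, hit in newest packet:        ", run(max_count=3, evil_index=4))
```

In the first run all five packets of the burst are forwarded under the initial rule, the hit in packet 2 produces a DROP rule, and only the sixth packet is dropped; that is the exposure window the patent accepts in exchange for not waiting. In the second run the counter of 5 exceeds the maximum of 3, the two oldest copies are discarded, and the malicious one is among them, so the flow is never flagged. Anyone deploying this scheme should size the maximum against the burst length of the traffic it protects, or pair it with flow-level state so that one missed copy does not mean a missed flow.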

The foregoing has focused on a preferred embodiment of the present invention. Those skilled in the art will appreciate that the invention can be implemented in modified forms without departing from its essential features. The disclosed embodiments should therefore be regarded as illustrative rather than restrictive. The scope of the invention is defined by the claims rather than by the foregoing description, and all differences within that scope are to be construed as included in the invention.

Claims (1)

1. A network packet processing apparatus comprising:
a packet buffer for temporarily storing the original of a received network packet;
a rule storage unit for storing a packet processing rule;
a packet inspection block including at least one packet inspection unit that examines the data pattern of a copy of the original temporarily stored in the packet buffer and generates a processing rule for the processing of the received original network packet; and
a packet processing unit that, at system initialization, generates an initial processing rule and stores it in the rule storage unit, generates a copy of each arriving packet and requests inspection from the packet inspection block, and, before a processing rule is received from the packet inspection block, processes the original network packet stored in the packet buffer according to the processing rule stored in the rule storage unit.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020110113031A KR20130048092A (en) 2011-11-01 2011-11-01 Apparatus and method for processing network packet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020110113031A KR20130048092A (en) 2011-11-01 2011-11-01 Apparatus and method for processing network packet

Publications (1)

Publication Number Publication Date
KR20130048092A true KR20130048092A (en) 2013-05-09

Family

ID=48659313

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020110113031A KR20130048092A (en) 2011-11-01 2011-11-01 Apparatus and method for processing network packet

Country Status (1)

Country Link
KR (1) KR20130048092A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101334240B1 (en) * 2012-09-20 2013-11-28 한국전력공사 System for transferring data only in one direction



Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination