KR20130048092A - Apparatus and method for processing network packet - Google Patents
- Publication number: KR20130048092A (application number KR1020110113031A)
- Authority: KR (South Korea)
- Prior art keywords: packet, processing, rule, inspection, network
- Prior art date: 2011-11-01
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L43/00—Arrangements for monitoring or testing data switching networks
        - H04L43/04—Processing captured monitoring data, e.g. for logfile generation
      - H04L47/00—Traffic control in data switching networks
        - H04L47/50—Queue scheduling
          - H04L47/62—Queue scheduling characterised by scheduling criteria
            - H04L47/625—Queue scheduling characterised by scheduling criteria for service slots or service orders
              - H04L47/627—Queue scheduling characterised by scheduling criteria for service slots or service orders: policing
Abstract
A network packet processing apparatus comprising: a packet buffer for temporarily storing the original of a received network packet; a rule storage unit for storing packet processing rules; a packet inspection block including at least one packet inspection unit that inspects the data pattern of a copy of the original packet temporarily stored in the packet buffer and generates a processing rule for the received original network packet; and a packet processing unit that, upon initialization, generates an initial processing rule and stores it in the rule storage unit, generates a copy of each incoming packet and requests its inspection by the packet inspection block, and, before a processing rule is received from the packet inspection block, processes the original network packet stored in the packet buffer according to the processing rule currently stored in the rule storage unit.
Description
The present invention relates to network packet processing, and more particularly to a technique for inspecting and processing network packets using a plurality of coprocessors.
With the development of the Internet, various application services have emerged and network traffic has grown rapidly. At the same time, attempts to compromise security, such as malicious access to network systems or hacking, are also increasing. Security has therefore become as important as the quality assurance of Internet services.
To confirm that network packets are safe, network equipment inspects each packet and processes it according to the result. For this purpose, network devices generally perform stateful inspection (SI), which processes a packet according to the state information obtained from its header.
More recently, in addition to the state information in the header, deep packet inspection (DPI) is performed: the payload, the actual data area of the network packet, is inspected and the packet is processed according to the inspection result.
Such detailed packet inspection makes it possible to identify attack patterns and intrusion attempts that cannot be recognized from the packet header alone, as well as service information such as Voice over IP (VoIP) and Internet Protocol TV (IPTV) traffic.
Detailed packet inspection is mainly carried out by pattern matching. When there are many inspection patterns and long packets, the inspection must be performed in parallel by several packet inspection units. Each packet inspection unit may inspect independently, with different inspection contents, or there may be many items to inspect; in that case the same packet is inspected by several packet inspection units, each applying its own patterns or its own share of the inspection items.
Because the packet inspection units then complete their inspections at different times, while network packets keep arriving, bottlenecks may occur in packet processing and overall packet processing performance may be degraded.
In the patent "Network Packet Processing System and Method for Preventing Bottlenecks" (Publication No. 10-2011-0003242), a plurality of packet inspection units and a single packet processing unit are used to inspect and process incoming packets.
However, in that arrangement, when many packet inspection units are required, when inspection is delayed, or when a packet inspection unit fails, the inspection result may not arrive within the preset time, and the packet processing unit must then output the packet without its having been inspected. Moreover, because the packet processing unit waits a predetermined time for the inspection result before processing the packet, traffic is interrupted whenever that time is exceeded, which for video or voice traffic appears as intermittent degradation of picture or call quality.
The present invention processes a packet according to the existing processing rule before the result of its inspection is received and, when the inspection result arrives later, replaces the existing processing rule with the received one so that the subsequent packets of the flow are processed according to the updated rule. It thus provides a network packet processing apparatus and method that mitigates the degradation of packet processing performance caused by inspection delay.
The network packet processing apparatus of the present invention comprises: a packet buffer for temporarily storing the original of a received network packet; a rule storage unit for storing packet processing rules; a packet inspection block including at least one packet inspection unit that inspects the data pattern of a copy of the original temporarily stored in the packet buffer and generates a processing rule for the received original network packet; and a packet processing unit that, upon system initialization, generates an initial processing rule and stores it in the rule storage unit, generates a copy of each incoming packet and requests the packet inspection block to inspect it, and, before a processing rule is received from the packet inspection block, processes the original network packet stored in the packet buffer according to the processing rule stored in the rule storage unit.
With this configuration, packet inspection can be carried out by a packet inspection block having a small number of packet inspection units; packets are processed promptly without waiting for the inspection result, which improves packet processing performance; and inspection results received later are reflected in the packet processing rules, so that subsequent packets are processed in accordance with the inspection result.
FIG. 1 is a block diagram of a network packet processing apparatus according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a network packet processing method according to an embodiment of the present invention.
FIG. 3 is a detailed flowchart of the network packet inspection process performed by a packet inspection unit.
Hereinafter, the present invention is described in detail with reference to the accompanying drawings so that those skilled in the art can readily understand and practice it.
In the following description, detailed descriptions of well-known functions or configurations are omitted where they would unnecessarily obscure the subject matter of the present invention.
The terms used in this specification are defined in consideration of their function in the embodiments of the present invention and may vary with the intention or practice of users or operators; their definitions should therefore be read in the context of the specification as a whole.
FIG. 1 is a block diagram of a network packet processing apparatus according to an embodiment of the present invention.
Referring to FIG. 1, a network packet processing apparatus includes a
The
The rule storage unit 120 stores the network packet processing rules, indexed by the state information of the network packet. The state information may include the source address, destination address, source port, destination port and transport protocol of the packet. The rule storage unit 120 stores a processing rule for each set of state information and can retrieve the rule by that state information.
In a preferred embodiment of the present invention, the rule storage unit 120 stores an initial processing rule upon system initialization. Since the processing rule corresponding to the same state information may change, the stored rule is updated to the latest processing rule whenever a new one is received.
Upon initialization of the system, the
If a new processing rule is received from the
The
This processing rule is applied to the network packets of the same flow that are received subsequently. The generated packet processing rule is transmitted to the
However, the per packet inspection rate of the
Therefore, in order to overcome the difference in the packet processing speed between the
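The interaction between the rule storage unit, the packet inspection units and the packet processing unit described above (and summarized earlier in the description) is shown below as an added example; it is a simulation written for this page, not code from the patent. It assumes that flows are identified by the 5-tuple given as state information, that processing rules are plain strings ("FORWARD" or "DROP"), that the inspection delay can be counted in processed packets, and it uses constructed signatures and constructed sample traffic.

```python
# Added example (not the patent's code): a simulation of the processing scheme
# described above. Flows are keyed by 5-tuple, processing rules are strings and
# inspection latency is counted in processed packets; these choices, the
# signatures and the traffic are assumptions/constructed for the example.
from collections import deque
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes

    def key(self):
        return self[:5]  # state information that indexes the rule storage


class RuleStore:
    """Rule storage unit: one rule per flow, falling back to the initial rule."""
    def __init__(self, initial_rule="FORWARD"):
        self.initial_rule, self.rules = initial_rule, {}

    def lookup(self, key):
        return self.rules.get(key, self.initial_rule)

    def update(self, key, rule):
        self.rules[key] = rule  # the latest rule for a flow replaces the old one


class InspectionUnit:
    """One packet inspection unit: pattern-matches a packet copy and delivers
    a rule `latency` ticks later (the DPI path is slower than forwarding)."""
    def __init__(self, patterns, latency):
        self.patterns, self.latency = patterns, latency  # {pattern: rule}
        self.pending = deque()  # FIFO of (ready_at, packet copy)

    def request(self, copy, now):
        self.pending.append((now + self.latency, copy))

    def results(self, now):
        out = []
        while self.pending and self.pending[0][0] <= now:
            _, copy = self.pending.popleft()
            for pattern, rule in self.patterns.items():
                if pattern in copy.payload:
                    out.append((copy.key(), rule))
                    break
        return out


def process(packets, units, store):
    """Packet processing unit: returns (flow key, rule applied) per packet."""
    verdicts = []
    for now, pkt in enumerate(packets):
        # 1. Apply inspection results that have become available meanwhile.
        for unit in units:
            for key, rule in unit.results(now):
                store.update(key, rule)
        # 2. Hand a copy to every inspection unit; the original is not delayed.
        for unit in units:
            unit.request(pkt, now)
        # 3. Process the original at once with the rule currently stored.
        verdicts.append((pkt.key(), store.lookup(pkt.key())))
    return verdicts


def forwarded_before_verdict(verdicts, key):
    """Packets of flow `key` that were let through before a DROP rule applied."""
    count = 0
    for k, rule in verdicts:
        if k == key:
            if rule == "DROP":
                return count
            count += 1
    return count


# Constructed sample traffic: attacker flow A and benign flow B, interleaved.
A = dict(src="10.0.0.5", dst="192.0.2.10", sport=51000, dport=80, proto="tcp")
B = dict(src="10.0.0.7", dst="192.0.2.10", sport=51001, dport=80, proto="tcp")
TRAFFIC = [
    Packet(**A, payload=b"GET /index.html HTTP/1.1"),
    Packet(**A, payload=b"GET /../../../etc/passwd HTTP/1.1"),
    Packet(**B, payload=b"GET /about HTTP/1.1"),
    Packet(**A, payload=b"GET /next HTTP/1.1"),
    Packet(**A, payload=b"POST /login HTTP/1.1"),
    Packet(**B, payload=b"GET /contact HTTP/1.1"),
    Packet(**A, payload=b"GET /admin HTTP/1.1"),
]


def run_demo():
    # Two inspection units with different inspection items and latencies.
    units = [
        InspectionUnit({b"' OR 1=1": "DROP", b"UNION SELECT": "DROP"}, latency=1),
        InspectionUnit({b"/etc/passwd": "DROP", b"cmd.exe": "DROP"}, latency=3),
    ]
    return process(TRAFFIC, units, RuleStore("FORWARD"))
```

Calling `run_demo()` yields FORWARD for the first four packets, DROP for the fifth (the first packet of flow A processed after the slower inspection unit reports the `/etc/passwd` match), FORWARD for the benign flow B and DROP for every later packet of A; `forwarded_before_verdict` then reports that three packets of A, including the one carrying the offending payload, were forwarded before the rule changed. That is the trade-off the scheme makes: the forwarding path never stalls on the inspection block, but the packet that triggers a rule and any packets that arrive before the slowest inspection unit returns are processed under the previous rule. For a practitioner this means the design mitigates inspection latency rather than blocking single-packet attacks, so the copies handed to the inspection block (or the originals) should be logged to establish what was let through.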
FIG. 2 is a flowchart illustrating a network packet processing method according to the embodiment of the present invention shown in FIG. 1.
Referring to FIG. 2, in
The
The
The
Next, when the processing rule generated from the
FIG. 3 is a detailed flowchart of the network packet inspection process performed by each packet inspection unit.
Referring to FIG. 3, the
If it is determined in
As a result of the determination in
In
However, if it is determined in
Although not shown in the drawing, the
The present invention has been described above with reference to preferred embodiments. Those skilled in the art will appreciate that it can be implemented in modified forms without departing from its essential features. The disclosed embodiments should therefore be considered illustrative rather than restrictive. The scope of the present invention is defined by the claims rather than by the foregoing description, and all differences within the scope of the claims are to be construed as included in the present invention.
Claims (1)
A rule storage unit for storing packet processing rules;
A packet inspection block including at least one packet inspection unit for generating a processing rule relating to the processing of the received original network packet by inspecting a data pattern of a copy of the original temporarily stored in the packet buffer; and
A packet processing unit which, upon initialization of the system, generates an initial processing rule and stores it in the rule storage unit, which, as each packet arrives, generates a copy of the packet and requests its inspection by the packet inspection block, and which, before a processing rule is received from the packet inspection block, processes the original network packet stored in the packet buffer according to the processing rule stored in the rule storage unit.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020110113031A KR20130048092A (en) | 2011-11-01 | 2011-11-01 | Apparatus and method for processing network packet |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20130048092A (en) | 2013-05-09 |
Family ID: 48659313
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20130048092A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101334240B1 (en) * | 2012-09-20 | 2013-11-28 | Korea Electric Power Corporation (한국전력공사) | System for transferring data only in one direction |
Application events
- 2011-11-01: KR application KR1020110113031A filed; status not active (application discontinued)
Similar Documents
Publication | Title |
---|---|
US8767551B2 (en) | System and method for flow table management |
US11082308B2 (en) | Multi-path aware tracing and probing functionality at service topology layer |
US8059650B2 (en) | Hardware based parallel processing cores with multiple threads and multiple pipeline stages |
US9356844B2 (en) | Efficient application recognition in network traffic |
US10104043B2 (en) | Method and system for analyzing a data flow |
US10044802B2 (en) | System for detection of content servers and caching popular content therein |
US9065723B2 (en) | Unaddressed device communication from within an MPLS network |
CN108183893B (en) | Fragment packet detection method, detection device, storage medium and electronic equipment |
JP2007215182A (en) | System and method for backward congestion notification in network |
US9071545B2 (en) | Network appliance that determines what processor to send a future packet to based on a predicted future arrival time |
US20100157800A1 (en) | Method for processing network traffic loading balance |
CN108259364B (en) | Network congestion determination method and device |
US20160112337A1 (en) | Dynamically Offloading Flows from a Service Chain |
DK2460317T3 (en) | System and method for identifying multiple paths between network nodes |
US20220094711A1 (en) | Data plane with connection validation circuits |
CN107888710A (en) | A kind of message forwarding method and device |
US7990861B1 (en) | Session-based sequence checking |
US8644308B2 (en) | Network interface card device and method of processing traffic using the network interface card device |
US11356333B2 (en) | Predicting forwarding destinations for packets |
KR20130048092A (en) | Apparatus and method for processing network packet |
KR100864889B1 (en) | Device and method for tcp stateful packet filter |
CN106603426A (en) | Message discarding method and device |
CN108833282A (en) | Data forwarding method, system, device and SDN switch |
KR20110004248A (en) | Apparatus and method of packet processing considering a network packet length |
US20110019581A1 (en) | Method for identifying packets and apparatus using the same |
Legal Events
Code | Title |
---|---|
WITN | Withdrawal due to no request for examination |