RU2781916C1 - Data modification method in network packet switching - Google Patents

Abstract

FIELD: routing systems.

SUBSTANCE: invention relates to the field of building routing systems in network packet switching systems. To achieve the effect, a method for modifying data in network packet switching is proposed, which consists in specifying a mask and a pattern. The data packet to be modified is stored in a memory area with a fixed address space. The package control block is initialized, including the address of the first cell in memory containing the specified data packet, the address A1 of the first data cell to be modified, and the address A2 of the last cell containing the data packet in memory. Initialization of the control blocks of the cell of the memory area containing the specified data packet is performed, and the control blocks of the cell are initialized for each data cell with the address An. Each of the cell control blocks contains a set of two bytes, the first of which contains a mask, and the second - a pattern, moreover, the k-th bit of the mask corresponds to the k-th bit of the pattern.

EFFECT: providing data modification of network packets at the level of individual bytes with a minimum processing delay and high bandwidth, as well as the elimination of vulnerabilities.

1 cl, 4 dwg

Description

The proposed method relates to the field of building routing systems in network packet switching systems, namely to methods for processing data during routing, and is aimed at solving the problem of preliminary modification of data transmitted as part of network packets in order to reduce the computational load on deep data analysis systems during transmission large amounts of data transmitted over the network, as well as ensuring information protection by depersonalizing part of the network traffic and can be implemented, for example, as part of Ethernet network switches that support the TCP / IP protocol stack based on FPGA or VLSI.

Achievable technical result - providing data modification of network packets at the level of individual bytes with a minimum processing delay and high bandwidth, as well as the exclusion of vulnerabilities from intruders operating over the network.

Currently, most local area networks are connected to the Internet. Expanding the range and increasing the requirements for the level of confidentiality requires the use of special technical tools for in-depth analysis of data transmitted over the network, as well as delimiting access to information resources.

One of the ways to reduce the computational load on deep data analysis systems when transmitting large amounts of network traffic (more than 1.5 Tbps) is to perform preliminary modification of data in the transmitted packets, for example, headers, in the node switches of computer networks at the level of individual bytes.

In existing packet switches running operating systems, packet processing includes the sequence of the following operations of reading, modifying and writing data. Data through the driver is first loaded into system memory, which is usually implemented on the basis of DRAM, where they are sequentially processed by the central processor, and upon completion of processing, they are reloaded into the network interface memory, from where they are further transferred to the consumer. In this case, the switch introduces a significant time delay associated with the limited bandwidth of the system memory, and as a result, it does not provide sufficient bandwidth to transfer the required volumes of network traffic (the maximum achievable bandwidth for such switches is no more than 40 Gb / s).

In addition, the operating systems used in switches can potentially contain vulnerabilities that can be used by attackers to disrupt the proper functioning of the firewall.

There is a known method for modifying network packets ("System for user-space network packet modification"), described in US patent 6,675,218 B1 dated January 6, 2004 [1], which does not have significant common features with the proposed invention, but has a similar functional purpose.

The main disadvantages of this method are that it is intended for implementation in switches running operating systems that can potentially be vulnerable to vulnerabilities. With its practical implementation, there will be significant time delays for processing and forwarding information packets between network interfaces and a decrease in throughput when transmitting large amounts of network traffic.

Also known is a method for effectively modifying network data frames, described in US patent 7,522,621 B2 dated 04/21/2009 "Apparatus and method for efficiently modifying network data frames" [2], according to the functionality, as well as the similarity of a number of features selected as a prototype.

The prototype method includes the following operations: storing the specified data frame in a plurality of buffers; creating a frame control block identifying a first buffer containing said data frame; creating a buffer management unit for each of said buffers containing data, said buffer management unit identifying the next buffer in the sequence of said buffers containing frame data; changing data in at least two of said buffer control blocks to identify a new sequence of buffers containing the data frame; changing the data of a first control block that points to a buffer in a specified sequence where data is to be deleted to point to a second buffer control block and to indicate that the data of said buffer ends at a point where the deleted data is deleted; creating a second buffer control block corresponding to the empty buffer pointed to by said first buffer control block and which points to the buffer previously pointed to by the first control block.

The prototype method also further includes modifying the frame data to remove data stored in one of the specified buffers, as well as modifying the frame data by including additional data stored in the additional buffer by including additional steps: changing the data in one of the specified buffer control blocks for identification specified additional buffer; creating a new control block to identify the buffer previously identified in said modified buffer control block and creating a new buffer sequence including said additional buffer.

As described in [2], the packages in the prototype under consideration are modified by making appropriate changes to the control blocks, without copying and modifying the data itself. By changing certain control blocks, it is possible to associate data with a data frame, as well as remove data stored in buffers from a frame without the need to copy, move or change the stored data itself [2]. In total, the following types of package modification are provided [2]: inserting another data package into one package, deleting a package included in it from the data package, combining multiple packages into one or dividing the package into many composite packages.

The prototype [2] provides the minimum delay for filtering frame data. However, this is achieved due to the fact that in it data modification is performed only at the packet level and there is no possibility of its modification at the level of individual bytes, which is necessary for deep data analysis systems. This property is the main significant drawback of the considered prototype.

The disadvantages inherent in the considered prototypes are overcome in the proposed method for modifying data in network packet switching, which consists in the fact that in a method containing the features of the prototype: saving the data packet to be modified in the memory area, initializing the packet control unit, including the address of the first cell in the mentioned memory area containing the specified data packet, the initialization of the control blocks of the cell of the mentioned memory area containing the specified data packet, new features are included: each of the cells of the mentioned memory area contains one byte of the data packet, the package control block additionally contains the address A1 of the first data cell, subject to modification, as well as the address A2 of the last cell containing the specified data packet in the mentioned memory area, the cell control blocks are initialized for each data cell with the address An, in the mentioned memory area, which varies in the range from A1 to A2 inclusive, each of the control blocks cell contains a set of two bytes, the first of which contains a mask, and the second - a pattern, moreover, the k -th bit of the mask corresponds to the k -th bit of the pattern, the modification of data in each cell with the address An in the mentioned memory area is carried out according to the rule: if the k -th bit of the mask in the cell control block corresponding to this cell is "1", then the k -th bit of this cell is set equal to the k -th bit of the pattern in the cell control block corresponding to this cell, and if the k -th bit of the mask in the cell control block corresponding to this cell is "0", then the k -th bit of this cell is not modified, the modified data packet is supplemented with a checksum calculated using the CRC-32 algorithm in accordance with the IEEE 802.3 standard and delivered to the recipient, and the block packet control and cell control blocks are set by the operator through a non-networked configuration interface and remain unchanged for each data packet to be modified, and modi fication of data in each cell in the mentioned memory area, calculation of the check sequence and addition of the data delivered to the recipient with it, is performed by hardware based on hard logic.

Therefore, the proposed method satisfies the criterion of "novelty".

Comparison with other technical solutions shows that the proposed method has features that make it possible to achieve modification of data packets at the level of individual bytes as part of network switches, for example, the Ethernet standard that supports the TCP/IP protocol stack.

Since the implementation of the proposed method is carried out in hardware, based on rigid logic, without the use of an operating system and a central processor, the network switches in which it will be implemented will have a minimum delay in data processing and high bandwidth, and taking into account the fact that the mask and the pattern in the cell control blocks is set by the operator through a trusted interface not connected to the network, the possibility of interference in the operation of data modification tools from the network is excluded.

The invention is illustrated by the following graphics:

fig. 1 - Scheme explaining the claimed method of data modification in network packet switching;

fig. 2 - Functional diagram of a network switch that implements the proposed method;

fig. 3 - Structural diagram - an example of hardware implementation of the data modification block;

fig. 4 - An example of data processing, explaining the claimed method.

The data modification method for network packet switching (Fig. 1) is that the operator loads the mask and pattern through a trusted configuration interface that is not connected to the network, stores it in the switch memory and remains unchanged for all transmitted packets until they are will be changed by the operator.

The data packet to be modified is stored in a memory area of the switch with a fixed address space, each of the cells of said memory area containing one byte of the data packet.

The package control block is initialized, including the address A0 of the first cell in the mentioned memory area containing the specified data packet, the address A1 of the first data cell to be modified, and the address A2 of the last cell containing the specified data packet in the mentioned memory area.

The cell control blocks of the mentioned memory area containing the specified data packet are initialized, and the cell control blocks are initialized for each data cell with the address An in the mentioned memory area (the address An varies in the range from A1 to A2 inclusive). Each of the cell control blocks contains a set of two bytes, the first of which contains a mask, and the second - a pattern, moreover, the k -th bit of the mask corresponds to the k -th bit of the pattern.

Modification of data in each cell with the address An in the mentioned memory area is carried out according to the rule: if the k -th bit of the mask in the cell control block corresponding to this cell is "1", then the k -th bit of this cell is set equal to the k -th bit pattern in the cell control block corresponding to this cell, and if the k -th bit of the mask in the cell control block corresponding to this cell is "0", then the k -th bit of this cell is not modified.

The modified data packet is supplemented with a checksum calculated using the CRC-32 algorithm in accordance with the IEEE 802.3 standard [3] and delivered to the recipient.

Modification of the data in each cell in the mentioned memory area, calculation of the check sequence and addition of the data delivered to the recipient with it, is performed by hardware based on hard logic.

The packets to be modified and the modified packets can be formatted according to the network protocol used in the switch, for example, IEEE 802.3 [3].

The number of cell control blocks, including mask and pattern, is determined by the number of memory cells to be modified (equal to the difference between A2 and A1 ), is limited by the amount of memory used in the network switch, and when using the IEEE 802.3 protocol, can be in the range from 8 to 16000 bytes.

AddressesA1,A0,A2remain constant for modifiable packages and may, for example, be set by the operator via a non-network-related, trusted configuration interface.

The length of the check sequence calculated using the CRC-32 algorithm in accordance with the IEEE 802.3 network protocol standard is 4 bytes.

The claimed method can be implemented in hardware in the form of a device that includes serially connected: an input network interface, a memory unit for storing modified packets, a data modification unit, a unit for calculating and adding a checksum, an output network interface, a serially connected configuration interface and a memory unit for storing a set cell control blocks, the output of which is connected to the input of the modification block for loading the mask and pattern, and also includes a package control block, the address output of which is connected to the address input of the memory block for storing modified packages, and the output of the modification enable signal is connected to the input of the data modification block of the same name .

The device functions as follows. A set of cell control blocks is loaded by the operator through a non-networked configuration interface and stored in a memory block for storing cell control blocks.

Modifiable data packet is fed through the input network interface and loaded into the memory area of the memory block for storing modified packets. The current, starting and ending addresses of said memory area, An , A0 and A2 , respectively, as well as the address of the first data cell to be modified, A1 , are formed by the packet control unit.

After the download of the modified data packet is completed, the latter begins to be unloaded byte by byte. At this time, the next modifiable package is loaded into the freed memory area.

During the unloading of data from memory cells for storing modified packets with addresses from A1 to A2 , a mask and a pattern are supplied to the modification block from the memory block for storing cell control blocks.

The data modification block functions as follows: if the packet data comes from the memory location for storing modified packets with address An , and An is in the range from A0 to ( A1-1 ), then the indicated data is not modified; if the packet data comes from a memory cell for storing modified packets with the address An , and An is in the range from A1 to A2 , then the specified data is modified according to the rule: if the k -th bit of the mask corresponding to the cell with the address An is "1", then the k -th bit of the specified data is set equal to the k -th bit of the pattern corresponding to the cell with the address An , and if the k -th bit of the mask corresponding to the cell with the address An is "0", then the k -th bit of the specified data is not modified .

To the data taken from the output of the modification block, a checksum is added in the corresponding block, calculated from them in accordance with the IEEE 802.3 protocol, after which the packet is issued to the consumer through the output network interface.

The memory block for storing modifiable packets must provide simultaneous reading/writing from cells with different addresses, and can be implemented, for example, in the form of a two-port static RAM.

The volume of the specified RAM block is determined by the length of the package being modified. For example, when using the IEEE 802.3 protocol, the amount of RAM for storing modified packages must be at least 16000 bytes.

The memory block for storing cell control blocks may be, for example, static random access memory.

The size of the memory block for storing cell control blocks is determined by the amount of data being modified.

The input and output network interfaces of the switch can be, for example, the Ethernet standard.

As a configuration interface, depending on the element base on the basis of which the device in question is implemented, any digital interface, for example, JTAG, can be used.

The check sequence padding block is a standard device implemented in network switches operating in accordance with the IEEE 802.3 standard.

The package control block performs the following functions: generating addresses in the memory block for storing modifiable packages for loading and unloading modifiable data from it; storage of addresses: the first cell to be modified (A1), first (A0) and last (A2) memory cells containing the modified data packet; generating a data modification enable signal and can be implemented, for example, in the form of a digital logic machine.

The data modification block can be implemented as a digital logic device (Fig. 3) having inputs: a bus for supplying data of a modified packet, a bus for supplying a mask, a bus for supplying a pattern, an input for supplying a data modification enable signal, and an output - a bus for removing the data bytes of the modified packet, and consisting of eight single-bit multiplexers (SW0,…, SW7), each of which has two one-bit data inputs (P0, D0),…, (P7, D7), one single-bit address input (M0,…M7) and one single-bit output (D'0,…D'7), and one eight-bit multiplexer (SW8) with two eight-bit data inputs (D', D), eight-bit outputOut and a one-bit input of the address En, the outputs of one-bit multiplexers (D'0,…D'7) are combined into a common bus, which is bit-by-bit connected to the first data input (D') eight-bit multiplexer (SW8), the second data input (D) eight-bit multiplexer (SW8) and second inputs (D0,…D7) of each of the eight single-bit multiplexers (SW0,…, SW7) are bit-wise combined with each other and are the input bus for supplying data of the modified package of the modification block, and the first inputs (P0,…P7) single-bit multiplexers (SW0,…, SW7) are combined into a common bus, which is the input bus for supplying the pattern of the data modification block, address inputs (M0,…M7) single-bit multiplexers (SW0,…, SW7) are combined into a common bus, which is the input bus for supplying the data modification block mask, the output of an eight-bit multiplexer (SW8) is the output bus of the modification block, from which the data of the modified package is taken, and the address input (En) eight-bit multiplexer (SW8) is the input for the enable signal of the data modification block, and each of the specified multiplexers (SW0,…, SW8) outputs data at its output from its first input when the signal at its address input is "1" and from its second input otherwise.

Packet data enters the modification block byte by byte and sequentially. When data is received from the memory cells for storing modifiable packets with an address in the range from A0 to (A1-1), the data modification enable signal is set to "0", and the eight-bit multiplexer ( SW8 ) transfers the bytes of the modifiable package from the input to the output of the modification block data unchanged. When the packet data comes from the RAM for storing modified packets with an address in the range from A1 to A2, the data modification enable signal is set to "1", and the eight-bit multiplexer ( SW8 ) switches to output the modification block of data taken from the outputs ( D'0, ... D'7 ) of eight one-bit multiplexers ( SW0, ... , SW7 ), each of which is controlled by the corresponding k-th bit of the mask at the inputs ( M0, ... M7 ), depending on the value of which, the output of the corresponding one-bit multiplexer is given either the k-th bit of the pattern (with the k-th bit of the mask equal to "1"), or the k-th bit of the processed data byte of the modified packet.

Used sources

1. Patent US 6,675,218 B1 dated 01/06/2004. System for user-space network packet modification.

2. Patent US 7,522,621 B2 dated April 21, 2009. Apparatus and method for efficiently modifying network data frames.

3. IEEE Std 802.3-2012. IEEE Standard for Ethernet (https://standards.ieee.org/ieee/802.3/5084/).

Claims (1)

A method for modifying data in network packet switching, comprising: storing a data packet to be modified in a memory area, initializing a packet control block that includes the address of the first cell in the said memory area containing the specified data packet, initializing control blocks for a cell of the said memory area containing the specified a data packet, characterized in that each of the cells of the said memory area contains one byte of the data packet, the packet control block additionally contains the address A1 of the first data cell to be modified, as well as the address A2 of the last cell containing the specified data packet in the said memory area, blocks cell controls are initialized for each data cell with address An in the mentioned memory area, which varies in the range from A1 to A2 inclusive, each of the cell control blocks contains a set of two bytes, the first of which contains a mask, and the second - a pattern, and k- th bit of the mask corresponds to k- th bit of the pattern, data modification in each cell with the address An in the mentioned memory area is carried out according to the rule: if the k-th bit of the mask in the cell control block corresponding to this cell is “1”, then the k-th bit of this cell is set equal to k the -th bit of the pattern in the cell control block corresponding to this cell, and if the k-th bit of the mask in the cell control block corresponding to this cell is "0", then the k-th bit of this cell is not modified, the modified data packet is supplemented with a control the amount calculated by the CRC-32 algorithm in accordance with the IEEE 802.3 standard and delivered to the recipient, with the packet control unit and cell control units being set by the operator through a configuration interface not connected to the network and remain unchanged for each data packet to be modified, and the data modification in each cell in the mentioned memory area, calculation of the control sequence and addition to it of the data delivered by the received telya, is performed by hardware based on hard logic.

Images