RU2795295C1 - Method for filtering network traffic based on rules with a mask during packet switching - Google Patents

Abstract

FIELD: data networks.

SUBSTANCE: in the method, after receiving the packet, the Ethernet, IP and TCP/UDP headers are extracted from it and the header fields that are not involved in filtering are changed to a value equal to 0, thus forming a masked key. RAM is used to store filtering/switching rules, consisting of patterns with which the masked key is compared, and the code of the action that is performed if the masked key and pattern match, and if the corresponding filtering/switching rule is triggered, then the action is extracted from it, according to the result of which the package is either removed or transferred to the output interface.

EFFECT: filtering function with a mask that determines which fields in the network headers are involved in filtering in pre-processing devices.

2 cl, 2 dwg

Description

Technical field

The invention relates to the field of building systems for monitoring and analyzing data transmission networks, namely to methods for filtering network traffic in high-load networks, and can be used in pre-processing devices for deep network traffic analysis systems that support the TCP/IP protocol stack. The claimed method is aimed at providing the function of filtering network packets and can be applied in network traffic preprocessing devices.

State of the art

There are known methods for filtering network packets on processor systems (patent RU 2697698C2 "Method of processing network traffic using firewall", patent RU 159041 U1 "Firewall with filtering traffic by mandatory labels", patent RU 2580004 C2 "Automatic firewall"), their the disadvantages are: the impossibility of providing a filtering function with a mask that determines which fields in the network headers are involved in filtering in pre-processing devices, as well as the impossibility of implementing traffic pre-processing devices based on a reprogrammable logic integrated circuit (FPGA) or very large integrated circuit (VLSI).

The technical result of the proposed invention is to provide a filtering function with a mask that determines which fields in the network headers are involved in filtering in preprocessing devices.

The stated technical result is achieved by the fact that a method for filtering network traffic based on rules with a mask in packet switching is proposed, which consists in filtering network packets, where the packet, after receiving, is transmitted to the packet analysis unit, in which Ethernet, IP and TCP / UDP are separated from the packet -headers and the formation of an information block - a descriptor on their basis, then the packet is stored in the packet buffer, and the descriptor - in the descriptor buffer and then transferred to the masking block, in which the header fields that are not involved in filtering are changed to a value equal to 0, forming thus, the masked key, while filtering/switching rules are written to the RAM memory in advance, consisting of patterns with which the masked key is compared, and an action code that is performed if the masked key and the pattern match, then the matching block compares the pattern with the calculated masked key, if a corresponding filtering/switching rule is found, then the action is extracted from the filtering/switching rule and passed as a result to the filtering block, which, in accordance with the result, either removes the packet from the packet buffer or passes it to the output interface.

The analysis of the prior art makes it possible to determine that the proposed technical solution is new and has an inventive step, and the possibility of its use in industry determines it as industrially applicable.

These and other aspects will become apparent and will be explained with reference to the drawing and the embodiment described hereinafter.

The invention is illustrated by the following graphics:

Fig. 1 is a diagram illustrating functional blocks that implement the proposed method for filtering network traffic based on rules with a mask in packet switching.

Fig. 2 is a diagram illustrating the application of the mask.

Implementation of the invention

To achieve the set technical result, the following stages of operations are performed:

The packet is received via the input interface (101). After the packet is received, it is analyzed and the Ethernet, IP and TCP / UDP headers of the packet are extracted in the packet analysis block (102) and an information block is formed on their basis - a descriptor, which is stored in the descriptor buffer (104).

The packet is stored in the packet buffer (103) until a decision is made on the set of actions to be performed on the packet.

The descriptor is passed to the masking block (105), in which the header fields that are not involved in filtering are changed to a value equal to 0.

The traffic filtering algorithm is reduced to determining the compliance of the packet parameters with the specified conditions and is carried out according to the following packet parameters: MAC address of the sender and recipient (2×48 bits); IP address of the sender and recipient (2×32 bits); TCP / UDP ports of the sender and recipient (16 × 2 bits); protocol identifier (contained in the IP packet header, 8 bits); whether the packet is an IP packet (1 bit); the logical number of the interface from which the packet was received (3 bits). Together, these parameters form a packet descriptor - a 204-bit key.

The RAM memory (107) stores the rules for filtering (switching) and distributing packets over the output interfaces (109) or removing them (filtering) in accordance with finely tuned filtering rules. The filtering rules determine whether to forward the packet to a specific egress interface or reject/drop the packet, if the filtering rule is not found, then the result is that the rule is not found, and the preconfigured default rule is executed: send the packet to the specified egress interface (109) or delete. For example, if it is known that packets are coming from an insecure network, for example, during a DDOS attack, then the filtering / switching rule will determine that it is necessary to discard all packets from this source address to the address of a specific recipient. If the task is to aggregate traffic, then all packets with a certain field content will be sent to one specific output interface (109).

The matcher (106) searches the RAM memory (107) for filter rules (based on mask and pattern) that match the masked headers. The search for matches is performed by sequential comparison until the first match. If a matching filter rule is found, then the action is extracted from the filter rule and passed as a result to the filter block (108).

The filtering unit (108), in accordance with the result of the action, either removes the packet from the packet buffer, or transfers it to the corresponding output interface (109).

Setting up the proposed filtering method consists of two stages.

The first step is that masks are set in the masking block (105), where the size of the mask is the same as the size of the key descriptor. The mask is a fixed-length bit sequence superimposed on the key descriptor to change the header fields that are not involved in filtering to values equal to "0", thereby forming a masked key, which allows you to hide packet parameters that are not of interest.

The second step is to record the pattern. The pattern is a pattern that is compared to the masked key. The pattern is written in advance through a non-network configuration interface, which defines the filtering/switching rules depending on the contents of the packet fields. The pattern is written initially when setting up the initialization of the network packet broker. Then, during the entire time of the network packet broker, the packets are processed in accordance with the patterns.

Patterns are stored in RAM memory (107) with an action code - the number of the output interface (109) to which the packet should be sent if the masked key and the pattern match, or the action code - deleting the packet.

For example

There is a group of filtering rules united by a single mask, for example, the mask of the ip-address 0.0.0.255 and the rules: 0.0.0.1 - skip, 0.0.0.5 - skip, 0.0.0.10 - discard, 0.0.0.11 - skip.

The masked key (key) is supplied to the input of the matching block (106), which imposes a mask on it according to the "AND" function. The pattern includes a masked key and a filter action code (filter_result). Having received the pattern from the RAM memory (107), the matcher (106) compares the computed masked key with that received in the pattern. A match means the filter is triggered. In this case, the output signal filter_result is assigned the value of the trigger result from the pattern. If the pattern does not match the masked key, then the preconfigured default action is applied - delete the packet or forward it to a specific output interface (109).

In a preferred embodiment of the invention, the above logical blocks: packet analysis block (102), masking block (105), matcher (106), filtering block (108) can be implemented or implemented on the basis of an FPGA or VLSI. Blocks can be implemented by a state machine and several registers with appropriate internal logic and are implemented automatically, for example, from the provided XML description of the network protocol, they are controlled by microcode stored in on-chip memory. It will be obvious to the person skilled in the art that the above logical blocks, processing circuits/algorithms can be implemented using a memory element that records the data to be processed and a processing processor, which can be a general purpose processor, a computer-readable medium, a state machine, or other hardware-programmable logic device, a discrete logic element or transistor logic, a discrete hardware component, or any combination thereof, to perform the functions described above.

As a configuration interface for setting, depending on the element base, a standard digital interface can be used, for example, PCIe, PCI, SPI, etc.

The proposed method for filtering network traffic based on rules with a mask in packet switching is focused on use in devices based on FPGA or VLSI, for example, in network packet brokers (NPB), which operate at the packet level, where the rules for distribution and aggregation of traffic in network packet brokers completely determined by the settings. In NPB, there are no standards for building forwarding tables (MAC tables) and exchange protocols with other switches (such as STP), and therefore the range of possible user settings and interpreted fields in them is much wider. A broker can evenly distribute traffic from one or more ingress interfaces to a given range of egress interfaces with an egress load balancing function. You can also set rules for copying, filtering, classifying, deduplicating and modifying traffic. These rules can be applied to different groups of input / output interfaces of the network packet broker, as well as applied sequentially one after another in the device itself. An FPGA or VLSI can be programmed to perform the proposed method and placed anywhere on the computer network of the data center or NPB.

The inventive method of tracking sessions in network traffic may be performed by one or more computer programs containing computer program code or pieces of software executing on a computer or processor. The computer program contains computer program code elements or portions of program code that cause the computer to perform the proposed method.

Embodiments of the invention are not exhaustive and are provided only for the purpose of explaining and confirming industrial applicability, and those skilled in the art are able to create alternative embodiments without departing from the scope of the claims, but within the essence of the invention reflected in the description.

Claims (2)

1. A method for filtering network traffic based on rules with a mask in packet switching, implemented on the basis of a reprogrammable logic integrated circuit (FPGA) or a very large integrated circuit (VLSI), consisting in filtering network packets, where the packet, after receiving, is transmitted to the analysis unit, in which the Ethernet, IP and TCP / UDP headers are extracted from the packet and an information block - a descriptor is formed on their basis, then the packet is stored in the packet buffer, and the descriptor - in the descriptor buffer and then transferred to the masking block, in which the header fields are changed, not participating in filtering to a value equal to 0, thus forming a masked key, while filtering/switching rules are pre-recorded in RAM memory, consisting of patterns with which the masked key is compared, and an action code that is performed if the masked key matches key and pattern, then the input of the matching block receives a masked key, which imposes a mask on it using the "AND" function, and the matching block compares the pattern with the calculated masked key, if the corresponding filtering/switching rule is found, then from the filtering/switching rule the action is retrieved and passed as a result to the filtering block, which, according to the result, either removes the packet from the packet buffer or passes it to the output interface. 2. The method of filtering network traffic according to claim 1, characterized in that the action code determines for the filtering unit the number of the corresponding output interface to which the packet should be directed if the masked key and pattern match, or determines to delete the packet.

Images