RU2807656C1 - Balancing method while maintaining integrity of data flows - Google Patents

Abstract

FIELD: computing systems.

SUBSTANCE: systems for analyzing data networks, namely methods for balancing while maintaining the integrity of data flows, taking into account the membership of TCP/UDP protocol sessions. The technical result is achieved by proposing a balancing method while preserving the integrity of data streams, in which the fields of packets are allocated in the form of a bit vector - descriptor, the body of the packet is stored in SRAM memory for the duration of processing, then a 5-tuple session hash is constructed from the generated vector of packet headers, which is supplied as an address to the DDR memory of the session store. The data received from memory is the saved session parameters, if it is noted that the session has already been encountered, then the output used the previous time is reused, and if the output interface for the session in the parameters received from the DDR memory of the session store is not defined or the session timeout has passed - a new output for the session is determined. At the same time, session parameters are recorded/updated in the DDR session storage. The output of the balancing table is the number of the output interface for the session, on which the packet body is retrieved from the packet buffer and issued to the selected output interface.

EFFECT: ensuring the functioning of traffic pre-processing devices with packet balancing without breaking sessions when balancing parameters change.

2 cl, 4 dwg

Description

Technical field

The invention relates to the field of constructing systems for analyzing data networks, namely to methods for high-speed search and tracking of TCP/UDP sessions in high-load networks, and can be used in preprocessing devices for deep analysis systems of network traffic that support the TCP/IP protocol stack. The inventive method is aimed at providing functions for balancing data flows of network packets while maintaining the integrity of data flows.

State of the art

There is a well-known classical balancing method, in which for each incoming packet a bit vector is built - a descriptor with a description of the 5-tuple fields. The resulting vector is compressed by hashing to a bit vector of the selected balancing resolution dimension N. The balancing algorithm ensures the preservation of session integrity - packets belonging to the same session have the same 5-tuple vector and, accordingly, end up on the same output/port.

However, if a new output is added to the balancing algorithm, some of the entries in the balancing table will be rewritten to the new output. This will cause established sessions whose output has been overwritten to be terminated. A similar situation is observed when removing an output from balancing, where sessions of remote outputs will be redirected to other outputs/ports, which will also lead to session termination.

Also from the application US 20100149966 A1 pub. 2010.07.17, a method of load balancing between multiple hosts is known, which preserves the binding of the session to a given host. Forwarders generate a routing function that takes host availability into account and distributes session packets according to that routing function (e.g., hash functions). The session is distributed to the same host to maintain session similarity. When a host's availability changes, a new routing function is created so that any new session is routed according to the new routing function, and existing sessions are routed according to the old routing function. Given the same information about the state/availability of hosts in the system, forwarders independently generate identical routing functions based on a pre-agreed static protocol.

The disadvantage of known solutions is that the session is broken when balancing packets in the case of adding a new output/port or deleting an already used output/port.

The technical result of the proposed invention is to ensure the functioning of traffic pre-processing devices with packet balancing without breaking sessions when balancing parameters change.

The stated technical result is achieved by the fact that a balancing method is proposed while preserving the integrity of network packet data flows, which consists in the fact that the packet, after being received through the input interface (101), is transferred to the packet analysis unit (102), where the necessary packet fields are extracted from the packet - source IP address, source port, destination IP address, destination port and protocol type, and the formation on their basis of a bit vector - descriptor, where the body of the packet is stored in a packet buffer in SRAM memory (103) until the decision is made to dial actions performed on the packet, and the descriptor is passed to the hash calculation block of the 5-tuple session (104), where, based on the mentioned packet fields, the descriptor is compressed by hashing to a bit vector of the selected balancing resolution dimension N, where for each possible of 2 ^∧ N values the compressed balancing vector is mapped to the number of the output interface - a balancing table of size 2 ^∧ N, where packets belonging to the same session have the same 5-tuple hash vector and, accordingly, must then go to the same output interface.Hash The 5-tuple session is supplied as an address to the DDR memory (105) of the session store, where the data received from the memory are the remembered session parameters, if it is noted that the session has already been encountered, then the output interface used the previous time is reused, and if the output for the session in the parameters received from the DDR memory (105) of the session store is not defined or the session timeout has passed - a new output for the session is determined, and the 5-tuple hash of the session (104) of length N bits calculated by the calculation block is supplied as an address to the packet buffer on SRAM memory (103) - a balancing table, where the output of the balancing table is the number of the output interface (107), and the body of the packet is extracted from the packet buffer on SRAM memory (103) and the balancing block (106) is issued to the selected output interface (108).

The analysis of the level of technology allows us to determine that the proposed technical solution is “new” and has an “inventive step”, and the possibility of its use in industry determines its industrial applicability.

These and other aspects will become apparent and will be explained with reference to the drawing and embodiment described hereinafter.

The invention is illustrated by the following graphic materials:

Fig. 1 is a diagram illustrating a known balancing method.

Fig. 2 is a diagram illustrating the structure of a descriptor.

Fig. 3 - diagram illustrating the algorithm - a method of balancing while maintaining the integrity of information sessions.

Fig. 4 is a diagram illustrating functional blocks that implement a balancing method while maintaining the integrity of information sessions.

Carrying out the invention

The proposed method allows balancing without interrupting sessions when balancing parameters change.

Packet session - a set of packets that have the same source and recipient addresses, sender and recipient ports and protocol (IP and TCP/UDP headers, L4 protocol code). The IP packet format is described in detail in the specification RFC 791 "Internet Protocol DARPA Internet Program Protocol Specification"), September 1981. The TCP protocol is described in the specification RFC 793 "Transmission Control Protocol"), September 1980, the UDP protocol is described in the specification RFC 768 "User Datagram Protocol), August 1980.

To achieve the desired technical result, the following stages of operations are performed:

Receiving a packet through the input interface (101), after receiving the packet, the packet headers are analyzed and extracted. To do this, the packet is transmitted to the packet analysis block (102), in which the necessary fields of the packets are extracted, for example, IP and TCP/UDP headers (source IP address, source port, destination IP address, destination port and protocol type), and the formation on their basis of an information block - a bit vector (descriptor) shown in Fig.2. The information includes the recipient IP address (201), the sender IP address (202), the recipient port (203), the sender port (204), the protocol type (205). The body of the packet is stored in static random access memory (SRAM) - a packet buffer for the duration of processing until a decision is made on the set of actions to be performed on the packet.

The body of the packet is stored in a packet buffer in SRAM memory (103) until a decision is made on the set of actions to be performed on the packet. Based on the packet information and its headers, the packet descriptor shown in FIG. 2. From the generated vector of packet headers (descriptor), the 5-tuple session hash calculation block (104) calculates the 5-tuple session hash, which is supplied as an address to the DDR memory (105) of the session storage.

The descriptor is compressed by hashing to a bit vector of the selected balancing resolution dimension N, where for each possible of 2 ^∧ N values of the compressed balancing vector, an output/port number is assigned to a balancing table of size 2 ^∧ N, where packets belonging to the same session , have the same hash vector 5-tuple and, accordingly, must then go to the same output interface. To do this, the 5-tuple session hash calculation block (104) calculates hash sessions based on the descriptor fields (recipient and sender IP addresses, recipient and sender TCP/UDP ports, L4 protocol code), where the tuple consists of the original IP address, source port, destination IP address, destination port and protocol type as shown in FIG. 2. A tuple of five parameters uniquely identifies a TCP/UDP session. Based on the five fields of the descriptor, a hash sum is calculated, for example, using a Galois counter algorithm (GCM) or performing a bitwise logical XOR operation on the corresponding bits of the recipient IP address (32 bits), the sender IP address ( 32 bits), destination port (16 bits), source port (16 bits), protocol type (8 bits) and sends the results of a bitwise XOR operation and generates a hash sum having Y bits where Y is a positive integer . In the Galois counter algorithm (GCM), the input byte vector blocks are numbered sequentially, the block number is encoded by the block algorithm. The output of the encryption function is used to XOR the plaintext to obtain the hash sum. The scheme is a stream cipher, so using a unique vector of bytes guarantees a unique hash sum. The bit size of the Galois counter (GCM) is selected based on the condition that the larger the bit size, the better the distribution uniformity and, therefore, the higher the traffic flow balancing identity.

At the same time, the generated session parameters are written to DDR memory (105). The data received from DDR memory is the stored session parameters. If it is noted that the session has already been encountered, then the output used the previous time is reused. If the output for the session in the parameters received from the DDR memory (105) is not defined or the session timeout has passed, a new output for the session is determined. Thus, in the session SRAM memory cell, the address of which is equal to the hash-sum, the presence of information consisting of the packet header fields used to calculate the hash-sum is checked, about an already received packet with the same hash-sum, if the cell already contains there is information, then it is compared with the data from the descriptor; if the information matches, then the output used the previous time is reused for the packet.

In the TCP protocol, the beginning of a session is determined either by the SYN flag of the beginning of the session, or, if the flag is not set, by a timeout - if there were no packets for this session during the “Limit_T” time, the session is considered to be new. When a session is opened, information about it is written to memory. The end of the session is determined by the RST, FIN flag or the “Limit_T” timeout. The UDP protocol does not use a similar flag, so a decision is made if during the “Limit_T” time the output/port for the session in the parameters received from the DDR memory (105) is not defined or the session timeout has passed - a new output is determined /port for the session.

The time interval between session packets is checked, and if it exceeds the “Limit_T” timeout threshold (for example, more than 30 seconds), then a new output/port is determined for the session. To do this, the 5-tuple session hash (104) of length N bits calculated by the calculation unit is supplied as an address to the packet buffer - SRAM balancing table, where the output of the balancing table is the number of the output interface (107) for the session. The balancing unit (106) based on the 5-tuple session hash distributes packets between output interfaces (107). Each interface corresponds to a fixed set of 5-tuple session hashes. Identical balancing is ensured by the fact that all flows of one network session have the same hash sum. The packet body is retrieved from the packet buffer on the SRAM memory (103) and issued by the balancing unit (106) to the selected output interface (107).

In the preferred embodiment of the invention, the specified logical blocks: packet analysis block, 5-tuple session hash calculation block, balancing block are implemented on the basis of a reprogrammable logic integrated circuit (FPGA) or very large-scale integrated circuit (VLSI). The blocks can be implemented by a finite state machine and several registers with corresponding internal logic and are implemented automatically, for example, from the presented XML description of the network protocol, they are controlled by microcode stored in the built-in memory. It is obvious to a person skilled in the art that the above logical blocks, processing circuits/algorithms can be implemented using a memory element that records the processed data and the processing process, which can be used: a general purpose processor, computer-readable media, a state machine or other hardware-programmable logic device , transistor logic or any combination thereof to perform the functions described above.

The proposed method of balancing while maintaining the integrity of data streams is aimed at use in devices based on FPGAs or VLSIs, for example, in network packet brokers (NPBs), which operate at the packet level, where the rules for distribution and aggregation of traffic are completely determined by the settings. NPB does not have standards for constructing forwarding tables (MAC tables) and exchange protocols with other switches (such as STP), and therefore the range of possible user settings and interpreted fields in them is much wider. The broker can evenly distribute traffic from one or more input ports to a specified range of output ports with an output load balancing feature. You can also set rules for copying, filtering, classification, deduplication and modification of traffic to different groups of NPB input ports, and apply them sequentially one after another in the device itself. An FPGA or VLSI can be programmed to perform the proposed method and placed at any hierarchical location in a data center or NPB computer network.

The balancing method proposed by the invention while maintaining the integrity of data streams can be performed by one or more computer programs containing program code or pieces of software for execution on a computer/processor. A computer program contains elements of program code that cause a computer to perform the claimed method.

The embodiments of the invention are not exhaustive and are provided only for the purpose of explanation and confirmation of industrial applicability, and those skilled in the art are able to create alternative embodiments without departing from the scope of the claims, but within the spirit of the invention as reflected in the description.

Claims (2)

1. A method of balancing while maintaining the integrity of data streams of network packets, in which the packet, after receiving through the input interface (101), is transmitted to the packet analysis unit (102), where the necessary packet fields are extracted from the packet - source IP address, source port, destination IP address, target port and protocol type and the formation on their basis of a bit vector - a descriptor, characterized in that the body of the packet is stored in a packet buffer in SRAM memory (103) until a decision is made on the set of actions performed on the packet, and the descriptor is passed to the hash calculation block of the 5-tuple session (104), where the descriptor is compressed using the hashing method to a bit vector of the selected balancing resolution dimension N, where for each possible of 2^N values of the compressed balancing vector, the descriptor is associated with the output interface number, and packets belonging to the same session have the same 5-tuple hash vector and, accordingly, must then go to the same output interface; the result of the calculation of the 5-tuple hash of the session is supplied as an address to the DDR memory (105) of the storage sessions, where the data received from the memory are the remembered session parameters, if it is noted that the session has already been encountered, then the output interface used the previous time is reused, and if the output for the session is in the parameters received from the DDR memory (105) of the session store is not defined or the session timeout has passed - a new output for the session is determined, while the 5-tuple session hash (104) of length N bits calculated by the calculation block is supplied as an address to the packet buffer on SRAM memory (103) - the balancing table, where the output The balancing table is the number of the output interface for the session (107), and the body of the packet is retrieved from the packet buffer on the SRAM memory (103) and the balancing block (106) is issued to the selected output interface (107). 2. The method according to claim 1, characterized in that when checking the session timeout, the time interval between session packets is checked, and if it exceeds the timeout threshold “Limit_T” for more than 30 seconds, then a new output interface for the session is determined.

Images