A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
Certain devices within the network, such as routers, maintain routing information that describes routes through the network. Each route defines a path between two locations on the network. Upon receiving an incoming packet, the router examines information within the packet and forwards the packet in accordance with the routing information. When two routers initially connect, they typically exchange all of their routing information. The routers send control messages to incrementally update the routing information when the network topology changes. For example, the routers may send update messages to advertise newly available routes, and to withdraw routes that are no longer available.
From the routing information, the routers may generate forwarding information, which may be thought of as a subset of the information contained within the routing information. The routers use the forwarding information to relay packet flows through the network and, more particularly, to relay the packet flows to appropriate next hops. In reference to forwarding a packet, the “next hop” from a network router typically refers to a neighboring device along a given route.
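The relationship between routing information, forwarding information and next hops described above can be made concrete with a small model. The following Python example is added here as an illustration and is not part of the original text, nor any particular router vendor's implementation; the prefixes, next-hop names and metrics are constructed. It keeps a routing table that may hold several routes for the same prefix, derives a forwarding table by keeping one best route per prefix, looks up a destination by longest-prefix match to obtain the next hop, and shows how a route withdrawal (the control message of the previous paragraph) changes the forwarding result.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # neighbouring device along this route
    metric: int     # preference among routes to the same prefix; lower wins


# Constructed routing information, as a router might learn it from its
# neighbours. Two routes compete for 10.1.0.0/16; only one will reach the
# forwarding table.
ROUTING_INFO = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "core-rtr-1", 100),      # default route
    Route(ipaddress.ip_network("10.0.0.0/8"), "rtr-a", 20),
    Route(ipaddress.ip_network("10.1.0.0/16"), "rtr-b", 10),
    Route(ipaddress.ip_network("10.1.0.0/16"), "rtr-c", 30),          # worse metric
    Route(ipaddress.ip_network("192.168.5.0/24"), "cust-site-1", 5),
]


def build_forwarding_table(routes):
    """Derive forwarding information from routing information.

    For each prefix keep only the route with the lowest metric, then order the
    result longest prefix first so a lookup can stop at the first match.
    """
    best = {}
    for route in routes:
        current = best.get(route.prefix)
        if current is None or route.metric < current.metric:
            best[route.prefix] = route
    return sorted(best.values(), key=lambda r: r.prefix.prefixlen, reverse=True)


def lookup_next_hop(fib, dst_ip):
    """Longest-prefix match: the first (most specific) prefix containing dst_ip wins."""
    addr = ipaddress.ip_address(dst_ip)
    for route in fib:
        if addr in route.prefix:
            return route.next_hop
    return None   # no matching route; the router has nowhere to forward the packet


def withdraw_route(routes, prefix, next_hop):
    """Apply a withdraw message: drop the route for `prefix` learned via `next_hop`."""
    net = ipaddress.ip_network(prefix)
    return [r for r in routes if not (r.prefix == net and r.next_hop == next_hop)]


if __name__ == "__main__":
    fib = build_forwarding_table(ROUTING_INFO)
    for dst in ("10.1.2.3", "10.2.0.1", "8.8.8.8", "192.168.5.9"):
        print(dst, "->", lookup_next_hop(fib, dst))
    # After rtr-b withdraws 10.1.0.0/16 the less-preferred route via rtr-c takes over.
    fib2 = build_forwarding_table(withdraw_route(ROUTING_INFO, "10.1.0.0/16", "rtr-b"))
    print("after withdraw 10.1.2.3 ->", lookup_next_hop(fib2, "10.1.2.3"))
```

The forwarding table is smaller than the routing table (one entry per prefix rather than one per learned route), which is the sense in which the text calls it a subset of the routing information.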
The routers may further apply packet filters to packet flows through the routers in order to take actions on a per-flow basis. For example, the router may compare header information within the packet to a set of filtering rules, sometimes referred to as “terms.” The filtering rules may specify, for example, particular source IP addresses, destination IP addresses, source port, destination port, protocol and other criteria for filtering (i.e., selecting) packets for particular packet flows. Specifically, the routers identify packets from the packet flows that match the filtering rules, and perform actions on the packets depending on which filtering rule(s) the packets matched. The actions may include dropping the packets, remarking the packets as lower or higher priority, counting packets that match the filtering rules, updating customer billing information, or performing any other suitable action.
Conventional routers typically apply the filters to packet flows on either incoming interfaces or outgoing interfaces, which may be physical or logical interfaces. For instance, a router may apply an interface-specific filter to each of the packet flows received or forwarded by a given interface. However, in some cases, per-interface granularity may be too coarse for certain actions, such as applying filters to allow accurate billing and policing of the packet flows on an interface-by-interface basis. For example, traffic coming in on an input interface of a router from a virtual private network (VPN) customer site may be destined to any other site in the VPN. Similarly, traffic going out of an output interface of a router toward a network core may be coming in from any of the VPN customer sites connected to the router. As a result, the number of packet flows identified by a filter for a particular interface may be too voluminous and may erroneously include many unrelated packet flows.
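The two preceding paragraphs describe filter terms (match criteria plus an action) and the coarseness of attaching such a filter to an interface. The Python example below is added here to illustrate both points; it is not part of the original text and does not reproduce any vendor's filter syntax. Interface names, addresses and term names are constructed. It evaluates an ordered list of terms against each packet on one interface (first match wins, unset criteria are wildcards), performs the discard, remark and count actions, and then shows that a per-interface counting term on a core-facing interface lumps together flows that originate from several different VPN customer sites.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the filter is attached to (here the egress toward the core)
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Term:
    """One filtering rule ("term"). A criterion left as None is a wildcard."""
    name: str
    action: str                       # "accept", "discard", "count" or "remark-low"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        checks = (
            (self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip),
            (self.protocol, pkt.protocol), (self.src_port, pkt.src_port),
            (self.dst_port, pkt.dst_port),
        )
        return all(want is None or want == got for want, got in checks)


class InterfaceFilter:
    """Ordered terms applied to every packet on one interface; the first matching term wins."""

    def __init__(self, iface: str, terms, default_action: str = "accept"):
        self.iface = iface
        self.terms = list(terms)
        self.default_action = default_action
        self.hits = Counter()             # packets matched, per term
        self.flows = defaultdict(set)     # distinct 5-tuples matched, per term

    def apply(self, pkt: Packet) -> Optional[str]:
        if pkt.iface != self.iface:
            return None                   # this filter is not attached to that interface
        flow = (pkt.src_ip, pkt.dst_ip, pkt.protocol, pkt.src_port, pkt.dst_port)
        for term in self.terms:
            if term.matches(pkt):
                self.hits[term.name] += 1
                self.flows[term.name].add(flow)
                # "count" records the packet and otherwise lets it through.
                return "accept" if term.action == "count" else term.action
        self.hits["default"] += 1
        return self.default_action


# Constructed topology: three VPN customer sites behind one router, whose
# core-facing interface carries traffic between all of them.
CORE_IFACE = "ge-0/0/9"
SITE_A, SITE_B, SITE_C = "10.1.0.10", "10.2.0.10", "10.3.0.10"

TRAFFIC = [                                                    # constructed packets
    Packet(CORE_IFACE, SITE_A, SITE_B, "tcp", 40001, 443),
    Packet(CORE_IFACE, SITE_A, SITE_B, "tcp", 40001, 443),     # same flow as above
    Packet(CORE_IFACE, SITE_B, SITE_C, "udp", 5060, 5060),     # signalling, to be remarked
    Packet(CORE_IFACE, SITE_B, SITE_A, "tcp", 40500, 443),
    Packet(CORE_IFACE, SITE_C, SITE_A, "tcp", 51000, 22),
    Packet(CORE_IFACE, SITE_C, SITE_A, "tcp", 51001, 23),      # telnet, to be discarded
    Packet("ge-0/0/1", SITE_A, SITE_B, "tcp", 40002, 80),      # different interface
]

TERMS = [
    Term("block-telnet", "discard", protocol="tcp", dst_port=23),
    Term("deprioritise-voip", "remark-low", protocol="udp", dst_port=5060),
    Term("bill-vpn-core", "count"),   # all criteria wildcarded: everything else on the interface
]


def run_filter():
    """Apply the core-interface filter to the sample traffic; return the filter and dispositions."""
    f = InterfaceFilter(CORE_IFACE, TERMS)
    return f, [f.apply(p) for p in TRAFFIC]


def source_sites_counted(f: InterfaceFilter, term_name: str):
    """Distinct source sites whose traffic landed in one per-interface counter."""
    return {flow[0] for flow in f.flows[term_name]}


if __name__ == "__main__":
    f, dispositions = run_filter()
    print(dispositions)
    print(dict(f.hits))
    print("sites mixed into bill-vpn-core:", sorted(source_sites_counted(f, "bill-vpn-core")))
```

The `bill-vpn-core` counter ends up containing flows from all three customer sites, so a bill derived from it cannot be attributed to any one site; that is the granularity problem the paragraph describes.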