1. Field of the Invention
The invention relates generally to communication networks, and more particularly to an apparatus, method, and data structure for providing secure internetworking of packet-based LAN and WAN segments by establishing temporary connections which are protocol independent and transparent to the end systems.
2. Discussion of the Related Art
Secure Fast Packet Switching (SFPS) is a new technology that provides reliability and security equal to or better than that of routers, with much greater packet switching performance and at no increase in cost.
SFPS provides for high performance packet switching based on source and destination MAC IDs--the unique medium access control (MAC) address assigned to each end system by the IEEE. End-to-end connections are determined by a network management application that provides security and best path routing determinations based on a number of constraints. By switching packets based only on MAC layer information, the network infrastructure can remain protocol insensitive. This allows the network to provide an equal QOS to users sending packets based on NetBIOS, LAT, IP, IPX, SNA, or any other protocol. As protocols evolve the network and its management infrastructure will not have to be reworked to support the new protocols.
More specifically, the system uses source and destination MAC addresses (i.e., physical layer addresses) which alone, or in combination with the input port on the switch, form a unique "connection identifier" for any communication exchange between end systems to be connected through an SFPS device. A specific example is as follows:
input port=2
source MAC address=00:00:1D:01:02:03
destination MAC address=00:00:1D:11:22:33;
together, these form a "tuple" bound to a specific uni-directional flow from source address to destination address. All packets that have this tuple are automatically switched according to the operation of the SFPS.
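As an added illustration (not part of the patent text), the following Python models a connection table keyed on the (input port, source MAC, destination MAC) tuple described above: only a frame whose tuple has an entry is switched, and the reverse direction or the same addresses on another input port form a different tuple. The output port 7, the class and function names, and the frame bytes are assumed sample values.

```python
# Added example (not from the patent): a minimal SFPS-style connection
# table keyed on the (input port, source MAC, destination MAC) tuple.
# Frames whose tuple has no entry are NOT switched; the switch would hand
# them to the management application for a connection decision instead.
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionKey:
    in_port: int
    src_mac: str
    dst_mac: str


def parse_ethernet_header(frame: bytes) -> tuple:
    """Return (dst_mac, src_mac) from the first 12 bytes of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    fmt = lambda b: ":".join(f"{x:02X}" for x in b)
    return fmt(frame[0:6]), fmt(frame[6:12])


class SfpsSwitch:
    def __init__(self) -> None:
        # One entry per uni-directional flow: tuple -> output port.
        self.table = {}

    def add_connection(self, in_port, src_mac, dst_mac, out_port) -> None:
        # Entries are installed only by the management application after
        # its security and best-path checks (assumed; not modelled here).
        self.table[ConnectionKey(in_port, src_mac.upper(), dst_mac.upper())] = out_port

    def switch(self, in_port: int, frame: bytes):
        dst, src = parse_ethernet_header(frame)
        key = ConnectionKey(in_port, src, dst)
        # None means "no connection": the frame is not forwarded.
        return self.table.get(key)


def build_frame(dst_mac: str, src_mac: str, payload: bytes = b"") -> bytes:
    """Construct a sample frame (constructed test data, not captured traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + payload


# The tuple from the patent's example, bound to output port 7 (assumed value).
SWITCH = SfpsSwitch()
SWITCH.add_connection(2, "00:00:1D:01:02:03", "00:00:1D:11:22:33", 7)
```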
A secure fast packet switch is described in U.S. Pat. No. 5,485,455, which is incorporated herein by reference in its entirety.
In the '455 patent, a connection database containing a connection table is disclosed; the table contains an entry for each end system pair (i.e., source address (SA)/destination address (DA)) that can communicate with each other.
It would be desirable to provide a way of reducing the number of connection table entries required, and thereby reduce the amount of memory required in the secure fast packet switch.