A typical network switch (or router) has a hardware-based fast path for forwarding packets, and a software/CPU-based slower path for learning packet addresses and connections. Specifically, a network switch (or router) typically includes dedicated hardware for forwarding network packets at high speed by using forwarding table lookups (e.g., hashing, content addressable memories or CAMs, etc.), and one or more central processing unit (CPU) subsystems that are used to program the forwarding tables. The CPU is also responsible for maintaining network operation by using specific network protocols (e.g., handling route updates, address resolution protocol (ARP) queries/replies, Internet Control Message Protocol (ICMP) messages, spanning tree related packets, etc.) as well as user interface functionality. Thus it is vital that traffic is not sent to the CPU(s) at too great a rate, since a high rate can impair the normal functions that the CPU should perform.
A network switch or router forwards traffic by performing a number of lookups (typically in dedicated hardware tables) on the addresses in packets. Examples of such lookups include the following:
(i) A lookup on the Media Access Control source address (MAC SA) of a packet, which is used to associate hosts with a specific physical port on the switch (or router). This type of lookup is used to detect new hosts (a learn) or a host that has moved ports (a move).
(ii) A lookup on the MAC destination address (MAC DA) of a packet, which is used to determine which port of the switch (or router) the packets should be sent to for a bridged packet. If the packet is to be routed, then this will be indicated from the data returned by the MAC DA lookup.
(iii) For packets that are to be routed, a lookup on the Internet Protocol destination address (IP DA) of the packet is needed. This is used to determine which port of the switch (or router) the packet should be sent to, and also to determine the new MAC DA of the packet.
(iv) Other lookups can be performed for security or other types of functionality, such as IP source address (IP SA) lookups or flow-based lookups (based on both IP SA and IP DA).
If a lookup operation fails, then a packet can be copied to one of the CPUs (a copy operation) for further analysis and forwarding. This so-called software forwarding is a much slower operation than hardware forwarding, and so an entry is usually then made in the hardware tables by the CPU. Thus subsequent packets with identical addresses will then be processed solely by hardware.
Packets that are sent to a CPU (i.e., packets that are “copied”) are typically prioritized into one of a number of CPU queues (typically from 2 to 8 queues). The memory space of the CPU will typically contain these queues, which are serviced in priority order, i.e., packet traffic placed in the highest priority queue is processed before packet traffic placed in the lower priority queues. Packets in the lower priority queues may even be discarded should the packet rate to the CPU exceed the packet rate which the CPU can actually process. Thus it is important to place packets in the correct CPU queue.
There are a variety of reasons for copying packets to a CPU for further processing. The one of concern here is that when a new address is seen by the switch (or router), then the new address must be examined by the CPU (for address validation and learning) and programmed into the hardware forwarding tables to permit hardware forwarding on future packets with the same address.
However, such a method is susceptible to Denial of Service (DoS) type attacks, which typically involve a malicious host sending packets with a stream of new addresses. When these packets arrive at a switch (or router), they are sent to the CPU, which is overloaded by the volume of packets; as a result the CPU spends almost all of its time operating on these packets at the expense of genuine (i.e., non-DoS) packets. This can result in a severe performance penalty and even total loss of certain switch or router functionalities (e.g., if route updates are continually missed, then routing functionality can be negatively impacted).
Prior solutions attempt to mitigate some of the CPU overload by implementing more specific queuing strategies, such that “problem” packets are redirected to a low priority CPU queue as discussed in, for example, commonly-assigned U.S. patent application Ser. No. 11/198,056, by Mark Gooch, Robert L. Faulk, Jr. & Bruce LaVigne, filed on Aug. 5, 2005, and entitled “PRIORITIZATION OF NETWORK TRAFFIC SENT TO A PROCESSOR BY USING PACKET IMPORTANCE”, which is hereby fully incorporated by reference herein. This method can have some success, but it is generally preferable to not copy such packets to the CPU at all.
Therefore, the current technology is limited in its capabilities and suffers from at least the above constraints and deficiencies.
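As an added illustration (not code from this application or its cited art), the following constructed Python model reproduces the copy-to-CPU path described above: a MAC SA lookup miss copies the packet into one of several priority CPU queues, the CPU drains a fixed number of packets per cycle in strict priority order, and full queues tail-drop. It shows a stream of fresh source addresses starving a genuine host's learn, and compares this with a hypothetical per-port copy budget (`copies_per_port`) in the spirit of "not copying such packets to the CPU at all"; that budget is an assumed mitigation for illustration, not the method this application claims.

```python
from collections import deque

class SlowPath:
    def __init__(self, queues=4, depth=8, cpu_rate=4, copies_per_port=None):
        self.mac_table = set()                          # "hardware" forwarding table
        self.queues = [deque() for _ in range(queues)]  # index 0 = highest priority
        self.depth, self.cpu_rate = depth, cpu_rate
        self.copies_per_port = copies_per_port          # hypothetical per-port copy budget
        self.port_copies, self.dropped = {}, 0

    def ingress(self, port, kind, sa):
        """Hardware path: protocol packets -> queue 0; unknown MAC SA -> learn copy
        to queue 2; a known SA is forwarded in hardware and never reaches the CPU."""
        if kind == "protocol":
            self._enqueue(0, (kind, sa))
        elif sa not in self.mac_table:
            used = self.port_copies.get(port, 0)
            if self.copies_per_port is not None and used >= self.copies_per_port:
                return                                  # budget spent: not copied at all
            self.port_copies[port] = used + 1
            self._enqueue(2, (kind, sa))

    def _enqueue(self, q, pkt):
        if len(self.queues[q]) >= self.depth:
            self.dropped += 1                           # CPU cannot keep up: tail drop
        else:
            self.queues[q].append(pkt)

    def cpu_cycle(self):
        """Serve queues strictly in priority order; returns the packets processed."""
        self.port_copies, served, budget = {}, [], self.cpu_rate
        for q in self.queues:
            while q and budget:
                kind, sa = q.popleft(); budget -= 1
                if kind == "learn":
                    self.mac_table.add(sa)              # program the hardware table
                served.append((kind, sa))
        return served

def simulate(cycles=10, flood=20, copies_per_port=None):
    """Per cycle: one route update, `flood` packets with fresh MAC SAs from port 1,
    then one genuine host on port 2. Returns (cycle the host was learned, drops)."""
    sw, learned_at = SlowPath(copies_per_port=copies_per_port), None
    for c in range(cycles):
        sw.ingress(3, "protocol", "route-update")
        for i in range(flood):
            sw.ingress(1, "learn", f"attacker-{c}-{i}")  # constructed: new SA every packet
        sw.ingress(2, "learn", "genuine-host")
        sw.cpu_cycle()
        if learned_at is None and "genuine-host" in sw.mac_table:
            learned_at = c
    return learned_at, sw.dropped
```

With the defaults the genuine host is never learned and 175 copies are dropped over ten cycles; with a budget of two copies per port per cycle it is learned in the first cycle with no drops.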