The present invention relates to the field of computer networking. In particular the present invention discloses methods and apparatus for network gateway devices that implement firewall, IP routing, quality of service, load balancing, and/or network address translation rules.
The Internet is a worldwide interconnection of computer networks that share a common set of well-defined data communication protocols. Specifically, most computer networks that are coupled to the global Internet communicate using the Transmission Control Protocol (TCP) and the Internet Protocol (IP), commonly known together as TCP/IP.
There is no central controlling authority for the global Internet. The individual entities coupled to the global Internet are responsible for their own interaction with the Internet. To protect private networks, such as Local Area Networks (LANs), most private networks use an Internet Gateway that regulates communication with the global Internet. An Internet gateway handles all communication between computers on a local area network and computers out on the global Internet. The Internet gateway may perform many different functions such as network address translation, firewall protection, IP routing, quality of service, and/or load balancing.
Network address translation is used to translate addresses from a first address domain into addresses within a second address domain. A typical device with network address translation has two different network ports. The first network port is coupled to an internal network with an "internal" network address and the second network port is coupled to the global Internet with a legally allocated Internet Protocol address. The two-port network address translation device thus handles all Internet communication between internal computer nodes having internal network addresses and an Internet computer system having fully qualified Internet Protocol addresses.
Firewall protection attempts to prevent unauthorized access. Firewall protections are implemented using a set of packet filtering rules. Each packet-filtering rule specifies a particular packet filtering policy. For example, all packets incoming from the Internet addressed to vulnerable server ports may be discarded in order to protect the internal servers on the local area network. The firewall device examines each packet and applies the packet-filtering rule, if any, that matches it.
Routing is the process of locating the path to be taken by a packet in the Internet. Routing rules specify a next hop address and the port number associated with the next hop to be taken by a packet. For example, all packets which are destined to a particular IP network can be sent to a LAN port (a port attached to the local area network) and all other packets may be sent to a WAN port (a port attached to the wide area network).
Quality of Service is the common term used to indicate different levels of service for different customers or different protocol streams. For example, packets from a high-paying commercial customer may receive a higher grade of service than packets from a low-paying customer. Similarly, packets from a real-time video or audio streaming application may receive more prompt service than packets from a large file transfer operation.
Load balancing is the task of selecting a least utilized resource such that a "load" is balanced among all the available resources. For example, a popular web page will be placed on a large number of similarly configured server systems. When a web client requests a popular web page, a load-balancing device will select the server system that is currently experiencing a light load.
These common Internet gateway tasks are often performed by general-purpose computer systems running firewall software for small LANs coupled to the Internet. However, an Internet gateway for a very large LAN or an internet service provider (ISP) with a high bandwidth communication channel will need to process thousands of packets each second using thousands of rules that implement the gateway features. In such environments, simple general-purpose computer systems will be inadequate. It would be desirable to have an Internet gateway device that can perform packet processing at wire-speed.
The present invention introduces a high-speed rule processing apparatus that may be used to implement a wide variety of rule processing tasks such as network address translation, firewall protection, quality of service, IP routing, and/or load balancing. The high-speed rule processor uses an array of compare engines that operate in parallel. Each compare engine includes memory for storing instructions and operands, an arithmetic-logic unit for performing comparisons, and control circuitry for interpreting the instructions and operands. The results from the array of compare engines are prioritized using a priority encoding system.
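The following is an added software model, not code from the patent, of the parallel compare-engine array and priority encoder described above. It applies them to the two rule examples given earlier: the packet-filtering rule that discards Internet traffic addressed to vulnerable server ports, and the routing rule that sends one IP network to the LAN port and everything else to the WAN port. The packet fields, rule fields, addresses, port numbers and the default-deny behaviour are assumptions chosen for illustration; in hardware, each compare engine evaluates the same packet in the same cycle and the priority encoder selects the lowest-numbered engine that reports a match.

```python
"""Software model of a parallel rule-matching array feeding a priority encoder.

Constructed example: the packet and rule formats below are assumptions for
illustration, not the apparatus's actual instruction or operand encoding.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    # Assumed header fields extracted by the gateway before rule processing.
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    ingress: str    # port the packet arrived on: "LAN" or "WAN"


@dataclass(frozen=True)
class Rule:
    # Operands for one compare engine; None means "don't care" for that field.
    ingress: Optional[str] = None
    dst_net: Optional[str] = None                   # CIDR prefix the destination must lie in
    proto: Optional[str] = None
    dport_range: Optional[Tuple[int, int]] = None   # inclusive destination port range
    action: str = "ROUTE"                           # "DROP" or "ROUTE"
    arg: Optional[str] = None                       # egress port for ROUTE


def compare_engine(rule: Rule, pkt: Packet) -> bool:
    """Evaluate one rule against one packet.

    Each engine depends only on its own rule and the packet, so every engine
    in the array can evaluate the same packet in parallel.
    """
    if rule.ingress is not None and pkt.ingress != rule.ingress:
        return False
    if rule.dst_net is not None and ip_address(pkt.dst) not in ip_network(rule.dst_net):
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dport_range is not None:
        lo, hi = rule.dport_range
        if not lo <= pkt.dport <= hi:
            return False
    return True


def priority_encode(match_bits: List[bool]) -> Optional[int]:
    """Select the lowest-numbered asserted match line, as a priority encoder does.

    Rule order is therefore policy: an earlier matching rule always wins.
    """
    for index, hit in enumerate(match_bits):
        if hit:
            return index
    return None


def process(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Run every compare engine on the packet, then apply the winning rule.

    A packet that matches no rule is dropped (assumed default-deny policy).
    """
    match_bits = [compare_engine(rule, pkt) for rule in rules]
    winner = priority_encode(match_bits)
    if winner is None:
        return ("DROP", None)
    return (rules[winner].action, rules[winner].arg)


# Constructed rule table. Rules 0 and 1 model the firewall example: discard
# Internet (WAN) traffic to server ports the administrator considers
# vulnerable (port numbers are illustrative). Rules 2 and 3 model the routing
# example: one IP network goes to the LAN port, everything else to the WAN port.
RULES = [
    Rule(ingress="WAN", proto="tcp", dport_range=(135, 139), action="DROP"),
    Rule(ingress="WAN", proto="tcp", dport_range=(445, 445), action="DROP"),
    Rule(dst_net="10.0.0.0/8", action="ROUTE", arg="LAN"),
    Rule(action="ROUTE", arg="WAN"),
]


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        Packet("203.0.113.7", "10.1.2.3", "tcp", 445, "WAN"),   # blocked by rule 1
        Packet("203.0.113.7", "10.1.2.3", "tcp", 80, "WAN"),    # routed to LAN by rule 2
        Packet("10.0.0.9", "198.51.100.2", "tcp", 443, "LAN"),  # routed to WAN by rule 3
    ]
    for pkt in samples:
        print(pkt.ingress, pkt.dst, pkt.dport, "->", process(RULES, pkt))
```

Because the priority encoder always picks the lowest-numbered match, the catch-all routing rule must sit after the discard rules; placing it first would shadow every firewall rule and forward the traffic they were meant to block. Rule tables loaded into such an apparatus should therefore be checked for shadowing before deployment.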
Other objects, features, and advantages of the present invention will be apparent from the accompanying drawings and from the following detailed description.