The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent the work is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
A router is a device that forwards packets between computer networks. A router typically includes a processor that can process packets in a stateless manner or in a stateful manner.
FIG. 1A illustrates a conventional router 100 including a first port 104, a second port 108, and a stateless packet processor 112. Although only two ports 104, 108 are shown in FIG. 1A, the router 100 may include additional ports. The stateless packet processor 112 receives packets from the first port 104 and the second port 108 and transmits packets to the first port 104 and the second port 108. The stateless packet processor 112 applies, to the packets, one or more rules from a set of rules 116. Each of the applicable rules corresponds to a respective action from a set of actions 120. Multiple rules may apply to a single packet, and the application of one of the rules to the packet may cause another of the rules to also become applicable to the packet. However, the actions performed on a given packet never depend on any previous packets. This independence from previous packets is what makes the stateless packet processor 112 stateless.
FIG. 1B illustrates a conventional router 140 that uses a software-based processing system to save state information and allow for stateful packet inspection. The router 140 includes a first port 144, a second port 148, and a processor 152 that communicates with the first port 144 and the second port 148. The processor 152 executes instructions 156 out of memory 160. The memory 160 also includes state information 164, sets of rules 168, and sets of actions 172.
The state information 164 tracks characteristics of previous packets, such as whether particular types of packets have been seen from or to particular addresses, or how many of a particular type of packet have been seen. Although the processor 152 is able to store the state information 164, the speed of a software system is limited. For example only, at the present time a processor may be capable of inspecting traffic at 4 to 8 Gbps. Meanwhile, network ports of 10 Gbps or 40 Gbps are common in enterprise switches, and a single switch may have a dozen ports or more. A software-based solution is therefore too slow to run at the wire speed (also known as line speed) of 10 Gbps or 40 Gbps per port.
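The distinction drawn above between the stateless processor 112 (FIG. 1A) and the stateful processing of FIG. 1B can be made concrete with a small model. The following Python is an added illustration, not code from the disclosure: the rule names, the VLAN-tagging and management-address rules, the "syn"/"reply" packet types and the per-source packet limit are all constructed for the example. The stateless function re-scans its rule set after each action, so one rule's action can make another rule applicable, yet it consults no history; the stateful class keeps state information (outstanding requests and per-source counts) and so reaches different decisions for identical packets depending on what preceded them.

```python
"""Toy stateless and stateful packet processors (constructed illustration)."""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # constructed values: "syn", "data" or "reply"
    vlan: int = 0


Action = Callable[[Packet], Optional[Packet]]       # None means "drop"
Rule = tuple[str, Callable[[Packet], bool], Action]  # (name, match, action)


def stateless_process(pkt: Packet, rules: list[Rule]):
    """Apply each matching rule once, re-scanning after every action because
    an action (here a VLAN rewrite) can make a later rule applicable.
    No earlier packet is ever consulted: that is what makes it stateless."""
    applied = []
    progress = True
    while progress and pkt is not None:
        progress = False
        for name, match, action in rules:
            if name not in applied and match(pkt):
                applied.append(name)
                pkt = action(pkt)
                progress = True
                break
    return pkt, applied


# Constructed rule set: guest sources get VLAN 99, and VLAN 99 may not
# reach the (hypothetical) management address 10.0.0.1.
STATELESS_RULES: list[Rule] = [
    ("tag_guest", lambda p: p.src.startswith("10.9.") and p.vlan == 0,
     lambda p: replace(p, vlan=99)),
    ("guest_no_mgmt", lambda p: p.vlan == 99 and p.dst == "10.0.0.1",
     lambda p: None),
]


class StatefulProcessor:
    """Keeps state information across packets: which (src, dst) pairs have
    an outstanding request, and how many packets each source has sent."""

    def __init__(self, max_per_src: int = 3):
        self.max_per_src = max_per_src
        self.requests: set[tuple[str, str]] = set()
        self.counts: dict[str, int] = defaultdict(int)

    def process(self, pkt: Packet) -> Optional[Packet]:
        self.counts[pkt.src] += 1
        if self.counts[pkt.src] > self.max_per_src:
            return None                      # source exceeded its budget
        if pkt.proto == "syn":
            self.requests.add((pkt.src, pkt.dst))
            return pkt
        if pkt.proto == "reply":
            # a reply is forwarded only if the reverse request was seen
            return pkt if (pkt.dst, pkt.src) in self.requests else None
        return pkt


def demo():
    # stateless: the VLAN rewrite performed by the first rule is what
    # makes the second rule applicable, and the packet is dropped
    dropped, applied = stateless_process(
        Packet("10.9.1.5", "10.0.0.1", "data"), STATELESS_RULES)
    # stateful: the same reply packet is dropped before the request was
    # seen and forwarded afterwards
    sp = StatefulProcessor()
    unsolicited = sp.process(Packet("203.0.113.7", "10.1.1.1", "reply"))
    sp.process(Packet("10.1.1.1", "203.0.113.7", "syn"))
    solicited = sp.process(Packet("203.0.113.7", "10.1.1.1", "reply"))
    return dropped, applied, unsolicited, solicited


if __name__ == "__main__":
    print(demo())
```

The stateful processor needs memory proportional to the number of tracked flows and sources, which is the cost the software system of FIG. 1B pays for its flexibility and the reason the text contrasts it with wire-speed hardware.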
FIG. 1C illustrates a conventional router 180 that includes a first port 184, a second port 188, and a programmable stateful network processor 192. The network processor 192 includes state information 196, sets of rules 200, and sets of actions 204. Network processors are special-purpose processors with instruction sets tailored to packet processing and specific hardware resources dedicated to packet processing tasks.
Network processors are therefore less flexible than software-based solutions. If a particular packet processing operation was not envisioned by, or implemented by, the designer of the network processor, that processing task may be difficult to implement on the network processor and/or may operate with decreased performance. A network processor must be programmed, and the required microprogramming generally demands a very detailed understanding of the hardware components of the network processor and their interaction. Further, network processors are much more expensive than standard packet processors.