A network flow, also referred to herein as simply a “flow,” is a sequence of network packets sharing certain characteristics. A common set of characteristics used to define a flow is referred to as a “5-tuple.” A 5-tuple is a sequence of packets sharing the same source and destination address, source and destination port, and protocol (5 values total, hence the “5-tuple” label.) Other combinations of flow characteristics may also be used to define a network flow.
Many network switches employ filters or other devices/mechanisms to control the flow of network traffic through the switch. One approach to filtering and/or control is a flow-based approach. In one example of a flow-based approach, a list/table of various flow entries (e.g., as defined by the 5-tuple) is maintained at the switch. When a packet enters the switch, the packet is checked to see if it matches a flow entry in the list/table. Based on the results of checking the packet, an action is then taken on the packet (e.g., blocking, forwarding, redirecting, etc.).
The list/table of flow entries is typically stored in a finite memory/cache. Thus, only a limited number of flow entries can be stored at a time. When the memory becomes full of entries, a decision must be made to determine how to handle new entries seeking inclusion in the list/table (i.e., whether to add or remove an entry from the list/table). This decision-making process and the subsequent actions associated with removing flow entries to make room for new entries is referred to herein as aging, or flow-aging.
Existing flow-aging mechanisms rely on packet counters or hardware refresh bits to decide whether a flow is to be aged out or not. These mechanisms are limited in that the aging process is typically based on simple packet-difference arithmetic, providing very little flexibility for aging out flows.