I. Field
The present invention relates generally to data communication, and more specifically to techniques for filtering and routing fragmented datagrams in a data network.
II. Background
Internet Protocol (IP) is a protocol that supports transmission of blocks of data, called datagrams, from sources to destinations in a packet-switched data network. The sources and destinations are hosts that are identified by fixed length IP addresses. In IP terminology, a “node” is a device that implements IP, a “host” is a node that terminates IP packets explicitly addressed to itself, and a “router” is a host that also forwards IP packets not explicitly addressed to itself. To transmit data to a destination, a source forms a datagram with an IP header and a payload portion. The IP header contains the IP addresses of the source and destination as well as other fields. The source then sends the datagram as an IP packet towards the destination based on routing information the source has for the destination.
A node may filter IP packets for various reasons, as described below. In the context of IP, “filtering” is a process to identify different types of IP packets based on certain characteristics of the IP packets. These characteristics are described or defined by one or more filter parameters, which may be carried in the IP header or the payload portion. In a protocol stack, IP resides at a network layer, which is below a transport layer, which in turn is below an optional session layer that is below an application layer. A data network may use a Transmission Control Protocol (TCP), a User Datagram Protocol (UDP), or some other protocol for the transport layer. The filter parameters may be carried in the IP header, a transport layer header (e.g., a TCP header), a session layer header, an application layer header, an application layer payload, and so on, or a combination thereof, all of which are encapsulated in the datagram.
In the context of IP, a “filter” may be viewed as a box that provides different outputs for different values of the filter parameters. As an example, a filter may be defined based on a destination IP address and a TCP destination port number of 23. (A TCP port refers to a logical channel for the associated data.) This filter may be used to identify all IP packets destined for a telnet server running on a host with that destination IP address. In general, filtering may be performed to differentiate certain IP packets from a stream of IP packets based on the characteristics defined by the filter parameters. The filtering allows for special handling of IP packets having these characteristics.
IP packet filtering is more challenging in the presence of IP fragmentation. IP supports fragmentation of datagrams into smaller fragments. IP fragmentation may be used, for example, if a datagram to be sent is too large to be carried by a protocol unit at a layer below the network layer. In this case, the large datagram may be divided into multiple smaller fragments, and each fragment may be sent as a separate IP packet. The IP packets for the fragments would contain appropriate header information that may be used by the destination to re-assemble these fragments.
If a datagram is divided into multiple fragments, then the filter parameters may be carried in only one fragment or a subset of the fragments, which then complicates IP packet filtering. For example, the filter parameters may be the source and destination port numbers in a TCP header, which is typically carried in the first fragment of a datagram. If a filtering node performs filtering separately on each IP packet, then IP packets that do not contain all of the filter parameters cannot be filtered properly. A filtering node is a node that performs IP packet filtering and may be a host or a router.
In one conventional scheme for filtering fragmented datagrams, a filtering node buffers all of the fragments of a datagram, re-assembles the datagram after all of the fragments have been received, performs filtering on the re-assembled datagram, and (if necessary) re-fragments the datagram into fragments and sends out the fragments as separate IP packets. This conventional filtering scheme has several disadvantages. First, prolonged buffering of all of the fragments of each datagram interrupts the normal flow of these fragments, introduces extra delays in the transmission of the datagram to its final destination, and may further cause uneven link usage. Second, the re-assembly and re-fragmentation of each datagram require additional processing by the filtering node. If the filtering node is a router, then the re-assembly and re-fragmentation would make routing very inefficient.
To reduce the amount of processing, the filtering node may perform filtering on fragmented datagrams without re-assembling the fragments of the datagrams. However, the node may still need to buffer all fragments of each datagram and apply the filter only after all fragments have been received, because the filter parameters (e.g., the TCP port numbers) are present in only the first fragment. The disadvantages associated with prolonged buffering therefore still apply in this case.
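The following example, added here and not part of the application text, shows concretely why per-packet filtering fails on fragmented datagrams and what the conventional buffer-and-reassemble scheme costs. It builds a TCP datagram addressed to port 23, splits it into IPv4 fragments (RFC 791 header layout), and then applies the "destination IP plus TCP port 23" filter from the description in two ways: once per fragment, where only the first fragment can be classified, and once through a reassembling filter that can give a verdict only after the last fragment has arrived. All addresses, identifiers and payloads are constructed sample values; the IP checksum is left zero and not validated.

```python
"""Constructed example: IPv4 fragmentation versus per-packet and
reassembly-based filtering. Header layouts follow RFC 791 (IPv4) and
RFC 793 (TCP); all sample values below are made up."""
import struct

IPPROTO_TCP = 6
IP_MF = 0x1            # "more fragments" flag bit
TELNET_PORT = 23
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def ipv4_header(src, dst, ident, proto, payload_len, frag_offset=0, more=False):
    """Build a minimal IPv4 header; the checksum field is left zero."""
    ver_ihl = (4 << 4) | 5
    flags_frag = ((IP_MF if more else 0) << 13) | (frag_offset // 8)
    return struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0, src, dst)


def parse_ipv4(packet):
    """Extract the fields a fragment-aware filter needs."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "more": bool((flags_frag >> 13) & IP_MF),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": packet[ihl:total_len]}


def fragment(src, dst, ident, proto, payload, max_payload):
    """Split one datagram into IP fragments. Every fragment but the last carries
    a multiple of 8 bytes so that the 13-bit fragment offset stays valid."""
    assert max_payload % 8 == 0
    packets = []
    for off in range(0, len(payload), max_payload):
        chunk = payload[off:off + max_payload]
        more = off + len(chunk) < len(payload)
        packets.append(ipv4_header(src, dst, ident, proto, len(chunk), off, more) + chunk)
    return packets


def filter_packet(packet, dst_ip):
    """Stateless per-packet filter for 'TCP to port 23 at dst_ip'.
    Returns True/False, or None when the verdict cannot be determined because
    the TCP header (and thus the port) is not present in this packet."""
    f = parse_ipv4(packet)
    if f["dst"] != dst_ip or f["proto"] != IPPROTO_TCP:
        return False
    if f["offset"] != 0 or len(f["payload"]) < 20:
        return None        # transport header lives only in the first fragment
    _, dst_port = struct.unpack("!HH", f["payload"][:4])
    return dst_port == TELNET_PORT


class ReassemblingFilter:
    """Conventional scheme: buffer every fragment of a datagram, reassemble
    once the last one arrives, then run the filter on the whole datagram."""

    def __init__(self, dst_ip):
        self.dst_ip = dst_ip
        self.buffers = {}  # (src, dst, id, proto) -> {"parts": {offset: bytes}, "total": int|None}

    def feed(self, packet):
        """Return None while fragments are outstanding, else the verdict.
        Assumes non-overlapping, non-duplicated fragments (no overlap handling)."""
        f = parse_ipv4(packet)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        entry = self.buffers.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][f["offset"]] = f["payload"]
        if not f["more"]:
            entry["total"] = f["offset"] + len(f["payload"])
        received = sum(len(p) for p in entry["parts"].values())
        if entry["total"] is None or received < entry["total"]:
            return None    # still buffering: no verdict, no forwarding yet
        data = b"".join(entry["parts"][o] for o in sorted(entry["parts"]))
        del self.buffers[key]
        whole = ipv4_header(f["src"], f["dst"], f["id"], f["proto"], len(data)) + data
        return filter_packet(whole, self.dst_ip)


def demo():
    """Fragment one telnet datagram and compare the two filtering approaches."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, TELNET_PORT, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    frags = fragment(src, dst, 0x1234, IPPROTO_TCP, tcp + bytes(100), 48)
    per_packet = [filter_packet(p, dst) for p in frags]      # [True, None, None]
    reasm = ReassemblingFilter(dst)
    buffered = [reasm.feed(p) for p in frags]                # [None, None, True]
    return per_packet, buffered


if __name__ == "__main__":
    print(demo())
```

The per-packet list shows the problem the text describes: only the fragment carrying the TCP header can be classified, and the remaining fragments yield no verdict on their own. The reassembling filter produces a correct verdict, but only once all three fragments have been held back, which is exactly the buffering delay and extra processing the text identifies as the drawback of the conventional scheme.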
There is therefore a need in the art for techniques to efficiently filter and route fragmented datagrams.