FIG. 1 depicts conventional networks 10 and 20 which may be connected to the Internet 30. The networks 10 and 20 include hosts 12, 14 and 16 and hosts 22 and 24, respectively. Each network 10 and 20 also includes a switch 18 and 26, respectively, and may include one or more servers such as the servers 17, 19 and 28, respectively. In addition, each network 10 and 20 may include one or more gateways 13 and 25, respectively, to the Internet 30. Not explicitly shown are routers and other portions of the networks 10 and 20 which may also control traffic through the networks 10 and 20 and which will be considered to be inherently depicted by the switches 18 and 26, respectively, and the networks 10 and 20 in general.
FIG. 2 depicts a portion of a typical switch 50, which may be used for the switches 18 and 26 and/or a router (not shown). The switch 50 includes a network processor 52 and storage 54. The switch 50 typically also includes other components (not shown). The network processor 52 manages functions of the switch, including the classification of packets using the rules described below. The storage 54 retains data relating to the rules.
Referring to FIGS. 1 and 2, in order to manage communications in a network, such as the network 10 or 20, rules are used. Rules are typically employed by switches, routers and other portions of the network to perform packet classification. Each rule is used to classify packets which are being transmitted via a network in order to determine how the packet should be treated and what services should be performed. For example, a rule may be used in testing packets entering the network from an outside source to ensure that attempts to break into the network can be thwarted. For example, traffic from the Internet 30 entering the network 10 may be tested in order to ensure that packets from unauthorized sources are denied entrance. Similarly, packets from one portion of a network may be prevented from accessing another portion of the network. For example, a packet from some of the hosts 12, 14 or 16 may be prevented access to either the server 17 or the server 19. The fact that the host attempted to contact the server may also be recorded so that appropriate action can be taken by the owner of the network. Such rules may also be used to transmit traffic based on the priorities of packets. For example, packets from a particular host, such as the host 12, may be transmitted because the packets have higher priority even when packets from the hosts 14 or 16 may be dropped. The rules may also be used to ensure that new sessions are not permitted to be started when congestion is high even though traffic from established sessions is transmitted. Other functions could be achieved based on the rule. The rules can also interact, based on the priority of each filter rule. For example, a first rule may be a default rule, which treats most cases. A second rule can be an exception to the first rule. The second rule would typically have a higher priority than the first rule to ensure that where a packet matches both the first and the second rule, the second rule will control.
A key is tested in order to determine whether a particular rule will operate on a particular packet. The key that is typically used is the Internet Protocol (IP) header of the packet. The IP header typically contains five fields of interest: the source address, the destination address, the source port, the destination port and the protocol. These fields are typically thirty-two bits, thirty-two bits, sixteen bits, sixteen bits and eight bits, respectively. Rules typically operate on one or more of these fields. For example, based on the source and/or destination addresses, the rule may determine whether a packet from a particular host is allowed to reach a particular destination address.
Furthermore, the key often contains additional bits other than the fields of the IP header. For example, a TCP SYN (start of session) packet, which starts a session, may be characterized differently than a TCP packet for an existing session. This characterization is accomplished using bits in addition to those in the IP header. The additional bits may be used by a rule which manages traffic through a network. For example, when the network is congested, the filter rule may proactively drop the TCP SYN packet while transmitting TCP packets for existing sessions. These operations allow the network to continue to operate and help reduce congestion. In order to perform this function, however, the rule utilizes a SYN packet or the additional bits which characterize a packet as a start packet or a packet from an existing session. Thus, the rules typically operate using a key that includes at least some fields of the IP header of a packet and may include additional bits.
In testing a key, it is determined whether to enforce a rule against a particular packet and thus classify the packet. The key is tested by determining whether certain fields of the key of the packet exactly match the range(s) of the rule. Each rule contains a range of values in one or more dimensions. Each dimension corresponds to a field of the key (typically the IP header). One type of rule has a range consisting of a single value. In such a case, the key would have to exactly match the value for the rule to operate on the packet. Other rules have ranges which can be expressed using a prefix. The prefix is a binary number containing a number of ones and zeroes (1 or 0) followed by wildcards (*). The lower bound of the range is obtained by replacing all of the wildcards by zeros. The upper bound of the range is obtained by replacing all of the wildcards by ones. Other rules have arbitrary ranges. Arbitrary ranges are ranges that cannot be expressed using a single prefix. For example, one such range would be 00000000–10101001.
In performing packet classification, testing of keys for rules having ranges described by prefixes or a single value is well established. Typically, a conventional method for finding a longest prefix match is used. A longest prefix match for a key returns the longest prefix which matches the key. Such conventional methods are well established, relatively efficient and optimized. In addition, relatively little memory may be used for storing data relating to such rules because a prefix need only be stored. Moreover, testing of keys from packets against the prefixes is relatively fast. Consequently,
However, one of ordinary skill in the art will readily recognize that conventional testing of keys against arbitrary ranges is significantly more time consuming. In addition, conventional methods for storing data describing the ranges may require a relatively large amount of memory. Consequently, conventional storage and testing of keys for rules having arbitrary ranges is relatively inefficient. Thus, classification of packets for rules having arbitrary ranges is typically difficult and time consuming. As a result, managing traffic for rules which have arbitrary ranges is problematic.
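The prefix bounds defined above and the cost of an arbitrary range can be made concrete with the following added example, which is not part of the original text. It uses range-to-prefix expansion, a commonly used conventional workaround that the text does not itself describe (an assumption of this example); the function names are hypothetical.

```python
def prefix_bounds(prefix: str) -> tuple[int, int]:
    """Range covered by a prefix such as '10100***': wildcards replaced
    by zeros give the lower bound, wildcards replaced by ones the upper."""
    return int(prefix.replace("*", "0"), 2), int(prefix.replace("*", "1"), 2)


def range_to_prefixes(lo: int, hi: int, width: int) -> list[str]:
    """Split the inclusive range [lo, hi] of a width-bit field into the
    smallest list of prefixes whose ranges cover it exactly."""
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("range does not fit in the field")
    prefixes = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo ...
        size = (lo & -lo) if lo else (1 << width)
        # ... and does not run past hi.
        while size > hi - lo + 1:
            size >>= 1
        wild = size.bit_length() - 1      # number of trailing wildcards
        fixed = width - wild              # number of fixed leading bits
        bits = format(lo >> wild, f"0{fixed}b") if fixed else ""
        prefixes.append(bits + "*" * wild)
        lo += size
    return prefixes


if __name__ == "__main__":
    # The arbitrary range quoted in the text: 00000000-10101001 (0..169).
    for p in range_to_prefixes(0b00000000, 0b10101001, 8):
        print(p, prefix_bounds(p))
    # A sixteen-bit port field, constructed range 1..65534: the number of
    # prefixes grows with the field width rather than staying at one.
    print(len(range_to_prefixes(1, 65534, 16)), "prefixes for ports 1-65534")
```

The range from the text needs four stored prefixes instead of one, and a rule with arbitrary ranges in two dimensions needs the product of the two counts, which is the memory and lookup cost the passage refers to.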
Accordingly, what is needed is an improved system and method for classifying packets using rules having arbitrary ranges. The present invention addresses such a need.