Packet classification is a key part and core technology of firewall and security gateway systems. Packets are filtered by inspecting and handling the packet header in OSI (Open System Interconnection) network protocol layers 2 to 4in the packet classification. The most common application is the 5-tuple filter, that is, the source/destination network layer address (32-bit each for IPv4), source/destination transport layer port (16-bit each) and transport layer protocol flag (8 bits).
Now, specialized hardware solutions like ASIC/FPGA are used to solve performance bottlenecks in packet classification in the above gigabit firewall and security gateway devices; however, due to the disadvantages of a long time-to-market, large silicon area, high power consumption, and difficult upgrades high-performance packet classification are not yet widely implemented on none-hardware network devices. To this end, a series of packet classification methods based on a general-purpose processor (CPU) have been extensively researched and developed. American academic institutions such as Stanford University, University of California San Diego, and Washington University, as well as companies such as Cisco, IBM have made a number of studies and experiments in this regard. They have set forth an array of solutions to solve the packet classification issue, which can be divided into two main categories based on general-purpose processors: a packet classification method using decision tree structures, such as HiCuts, P. Gupta and N. McKeown, “Packet Classification Using Hierarchical Intelligent Cuttings,” Proc. Hot Interconnects, 1999, and a packet classification method using hierarchical list structures, such as RFC, P. Gupta and N. McKeown, “Packet Classification On Multiple Fields,” Proc. ACM SIGCOMM 99, 1999. These two categories of methods eliminate redundant search space and increase the speed of packet classification through a variety of heuristic algorithms by exploiting different aspects of the structural characteristics of classifier rule sets.
FIG. 1 shows a flow chart of packet classification using the prior decision tree structure. This method includes the following steps: the management unit performs pre-process, that is the construction of the classifier data structure (also known as a decision tree) according to the structural characteristics of the classifier rule set, and the output of the constructed classifier data structure to the classifier unit; the classifier unit receives the input packet and obtains 5-tuple information of the packets, then classifies the packets according to the classification data structure, and locates the node matched by the packets to get the classification results; the forwarding unit handles packets according to the classification results to achieve the storage, forwarding, abandonment, or recording of packets and so on.
However, since the design of the existing methods is developed from the rules' characteristics without consideration of memory hierarchy and processor architecture, the classifier data structure in the prior structure is relatively redundant, and thus cannot work effectively for multi-core processors.