Field
Embodiments of the present invention generally relate to packet classification. More particularly, embodiments of the present invention relate to packet classification using a hardware accelerator that enables scalable, fast, and efficient packet/network traffic classification/analysis.
Description of the Related Art
Access control, traffic engineering and intrusion detection, among other network security services, seek to protect Internet-connected users/devices from threats posed by malicious users. Such security services typically require discrimination/filtering of packets based on multiple fields of the packets. This process is typically referred to as packet classification. A classifier, using a set of filters or rules, specifies the flows, or classes. For example, each rule in a firewall might specify a set of source and destination addresses and associate a corresponding deny or permit action. Alternatively, the rules might be based on several fields of a packet header potentially spanning multiple layers of the OSI model, each of which may contain addressing and protocol information. Firewalls perform packet classification and filtering to secure a private network or computer. Firewalls may be implemented as hardware devices, as a software application, or as a combination of hardware and software. Regardless of the implementation, the firewall is logically situated between the external network and the protected network. For example, the firewall may be located between a private network and the Internet to protect the private network from intrusion through the Internet connection. A packet-filtering network security device, such as a firewall, uses a packet filter to inspect each Internet Protocol (IP) packet or datagram entering or leaving the network. A packet is accepted or rejected based on a set of user-defined rules. A packet filter intercepts each data packet and compares each packet to the set of rules before the packet is forwarded to its destination. The comparison may be implemented by comparing various IP packet header fields to values in a look-up table, for example. The relevant packet header field(s) are compared to values in the look-up table until either a matching rule is found, or until no match is found and a default rule is selected.
Typically, the comparison performed by the packet filter involves one or more of the source address, the source port, the destination address, the destination port and the transport protocol.
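The first-match rule lookup described above, as an added example that is not part of the patent text: a software 5-tuple packet filter in which each rule carries source/destination prefixes, port ranges, a protocol (or any) and a permit/deny action, rules are compared in order, and a default rule applies when nothing matches. The rule names, addresses and packets are constructed sample data. It also includes a shadow check, a routine (an assumption of this example, not something the patent describes) that reports rules which can never fire because an earlier rule already covers every packet they would match, which is a common misconfiguration in ordered rule sets.

```python
"""First-match 5-tuple packet filter with a default rule and a shadow check.

Added example, not code from the patent. Rule set and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR prefix; "0.0.0.0/0" matches any address
    dst: str
    sport: Tuple[int, int]   # inclusive source port range
    dport: Tuple[int, int]   # inclusive destination port range
    proto: Optional[int]     # IP protocol number, None = any protocol
    action: str              # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int


ANY_PORT = (0, 65535)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every header field of the packet falls inside the rule."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.sport[0] <= pkt.sport <= rule.sport[1]
            and rule.dport[0] <= pkt.dport <= rule.dport[1]
            and (rule.proto is None or rule.proto == pkt.proto))


def classify(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Linear first-match search: returns (rule name, action).

    The default action is applied only when no rule matches, which is the
    'default rule' behaviour of a packet filter.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    return "default", default


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would also match `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.sport[0] <= inner.sport[0] and inner.sport[1] <= outer.sport[1]
            and outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
            and (outer.proto is None or outer.proto == inner.proto))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never fire because an earlier rule already covers them.

    Returns (shadowed rule, shadowing rule) pairs. Hypothetical helper for
    auditing ordered rule sets; not part of the patent.
    """
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample rule set (documentation prefixes 192.0.2.0/24, 203.0.113.0/24).
RULES = [
    Rule("allow-web", "0.0.0.0/0", "192.0.2.10/32", ANY_PORT, (80, 80), 6, "permit"),
    Rule("allow-tls", "0.0.0.0/0", "192.0.2.10/32", ANY_PORT, (443, 443), 6, "permit"),
    Rule("allow-dns-internal", "10.0.0.0/8", "192.0.2.53/32", ANY_PORT, (53, 53), 17, "permit"),
    Rule("block-ssh-external", "0.0.0.0/0", "192.0.2.0/24", ANY_PORT, (22, 22), 6, "deny"),
    # Placed after the broader deny, so it is shadowed and never takes effect.
    Rule("allow-admin-ssh", "10.1.0.0/16", "192.0.2.0/24", ANY_PORT, (22, 22), 6, "permit"),
]

if __name__ == "__main__":
    print(classify(RULES, Packet("203.0.113.5", "192.0.2.10", 40000, 80, 6)))
    print(classify(RULES, Packet("10.1.2.3", "192.0.2.7", 50000, 22, 6)))
    print(classify(RULES, Packet("10.1.2.3", "192.0.2.7", 50000, 23, 6)))
    print(shadowed_rules(RULES))
```

Because evaluation stops at the first match, rule order is part of the policy: the admin SSH rule above is unreachable, and the shadow check makes that visible before the filter is deployed. The linear scan is also the baseline whose cost grows with the rule count, which is what motivates the TCAM and algorithmic approaches discussed later.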
On some types of proprietary hardware, an Access Control List (ACL) refers to rules that are applied to port numbers or network daemon names that are available on a host or layer 3 device, each with a list of hosts and/or networks permitted to use a service. Both individual servers as well as routers can have network ACLs. ACLs can be configured to control both inbound and outbound traffic.
In network communication, continuously improving the efficiency and security of network operation is an important goal for Internet users. Packet classification may distinguish or classify data packets based on multiple dimensions of information carried in packet headers, and thereby implement access control, traffic engineering, intrusion detection, and many other network services. More specifically, a network router may classify incoming packets into different flows and then perform appropriate actions depending on the classification.
Major packet classification techniques known in the art can be broadly categorized into two approaches, namely, a ternary content addressable memory (TCAM) approach and an algorithmic approach. TCAMs allow the use of wildcards in performing their matching, and thus are more flexible than binary content-addressable memories (CAMs). When a bank of TCAMs is properly programmed, the TCAMs are able to perform a match in a single lookup. However, TCAMs consume a lot of power, are of limited size, cost more than conventional memories, have high device cost and high energy cost, require ranges to be expressed using multiple TCAM entries, and have poor scalability in terms of both rule set size and throughput.
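The point that a range "must be expressed using multiple TCAM entries" is easiest to see by doing the expansion. The following is an added example, not code from the patent: a ternary entry is written as a string of `0`, `1` and `*` (don't-care) bits, and an inclusive port range is decomposed into the smallest set of such prefix entries by repeatedly taking the largest aligned power-of-two block that fits. A rule with ranges on both source and destination port needs the product of the two expansions, which is where the entry blow-up comes from. The function names and the sample ranges are this example's own choices.

```python
"""Range-to-prefix expansion for ternary (TCAM-style) entries.

Added example, not code from the patent. Sample ranges are constructed.
"""
from typing import List, Tuple


def range_to_prefixes(lo: int, hi: int, width: int = 16) -> List[str]:
    """Decompose the inclusive range [lo, hi] into prefix entries of `width` bits.

    Each entry is a string of '0'/'1' bits followed by '*' don't-care bits.
    The greedy choice of the largest aligned block at each step yields the
    minimal prefix cover (at most 2*width - 2 entries for a 16-bit field).
    """
    if not (0 <= lo <= hi < (1 << width)):
        raise ValueError("range out of bounds for the given bit width")
    entries = []
    cur = lo
    while cur <= hi:
        # Grow k while the block [cur, cur + 2^k - 1] stays aligned and within hi.
        k = 0
        while (k < width
               and cur % (1 << (k + 1)) == 0
               and cur + (1 << (k + 1)) - 1 <= hi):
            k += 1
        fixed = width - k
        bits = format(cur >> k, f"0{fixed}b") if fixed > 0 else ""
        entries.append(bits + "*" * k)
        cur += 1 << k
    return entries


def ternary_match(entry: str, value: int) -> bool:
    """True if `value` matches the ternary `entry` bit for bit ('*' matches either)."""
    width = len(entry)
    bits = format(value, f"0{width}b")
    return all(e == "*" or e == b for e, b in zip(entry, bits))


def covers_range(entries: List[str], lo: int, hi: int) -> bool:
    """Brute-force check that the entries match exactly the values in [lo, hi]."""
    width = len(entries[0])
    for v in range(1 << width):
        hit = any(ternary_match(e, v) for e in entries)
        if hit != (lo <= v <= hi):
            return False
    return True


def tcam_entries_for_rule(sport: Tuple[int, int], dport: Tuple[int, int], width: int = 16) -> int:
    """Number of ternary entries one rule needs when both port fields are ranges.

    Every source-port prefix must be paired with every destination-port prefix,
    so the cost is the product of the two expansions.
    """
    return len(range_to_prefixes(*sport, width)) * len(range_to_prefixes(*dport, width))


if __name__ == "__main__":
    # Constructed sample: the classic "ephemeral ports" range 1024-65535.
    for e in range_to_prefixes(1024, 65535):
        print(e)
    print(tcam_entries_for_rule((1024, 65535), (1, 65534)))
```

An exact port such as 443 costs one entry, `1024-65535` costs six, and a near-full range such as `1-65534` costs thirty; a single rule with both port fields as ranges multiplies these, which is the scalability cost the text attributes to TCAMs and the reason hardware designs try to avoid encoding ranges directly.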
The algorithmic approach, on the other hand, offers the advantage that decision trees can be implemented through software. However, existing algorithmic approaches suffer from the disadvantage of requiring a large memory footprint and relatively low throughput.
There is therefore a need in the art for a low cost, high throughput, and scalable packet classification system that can improve the speed and efficiency of traffic flow through network devices.