1. Field
The present invention relates to a packet transfer controlling apparatus and packet transfer controlling method.
2. Description of the Related Art
Apparatuses connected to a network, such as network devices and computers, generally set an Access Control List (ACL) to, for example, prevent unauthorized access via the network (for example, refer to Japanese Patent Application Laid-open No. H11-88436). Such apparatuses also set the access control list to, for example, change the destination of packet transfer according to the communication.
For example, as depicted in FIG. 14, a switch, which is a network device, sets an access control list on the receiving port side that connects to a Local Area Network (LAN). The switch sets the access control list with a rule described according to a pattern. Here, a pattern means, for example, which pieces of information included in a packet are selected for comparison, and how the selected pieces are combined for matching. The switch then compares the information included in each packet input to the switch with the rule, thereby preventing unauthorized access or changing the transfer-destination server. FIG. 14 is a drawing for explaining an access control list.
Techniques for implementing an access control list in an apparatus include implementation by software and implementation by hardware, the latter being suitable for high-speed processing. Hardware implementation is further classified into a Content Addressable Memory (CAM) type and a Flip-Flop (FF) circuit type, as depicted in FIGS. 15A and 15B. FIGS. 15A (CAM type) and 15B (FF type) are drawings for explaining conventional technologies.
However, the conventional technologies explained above have the problem that a reduction in circuitry size and access control with various and complex patterns cannot both be achieved. That is, an apparatus set with an access control list has to perform high-speed access control with patterns having various comparison targets and complex combinations of these comparison targets. This is because, when access control is limited to patterns with restricted comparison targets and restricted combinations of these comparison targets, the functions of the access control are restricted and processing by a higher-level processor is required.
In this regard, in the CAM type, the comparison targets are restricted by the width of the memory, and the combinations of the comparison targets are also restricted by the width of the memory (refer to FIG. 15A). Therefore, the CAM type cannot achieve access control with various and complex patterns. On the other hand, in the FF circuit type, the comparison targets and the combinations of the comparison targets are not restricted by the width of the memory. However, diversification of the comparison targets invites an increase in the number of comparators, which in turn invites an increase in the storage unit that stores a rule (refer to FIG. 15B). For this reason, in the FF circuit type, a reduction in circuitry size cannot be achieved, even though access control with various and complex patterns can be achieved.
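The pattern and rule matching described for FIG. 14, and the width restriction described for the CAM type, modeled in software as an added example that is not part of the patent text. Field names, bit widths, addresses, actions and the "don't care" masking of omitted fields are assumptions made for illustration.

```python
# Added illustration; field names, widths, addresses and actions are constructed.
FIELD_BITS = {"src_ip": 32, "dst_ip": 32, "proto": 8, "dst_port": 16}

def ip(text):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def pack(pattern, values):
    """Concatenate the pattern's fields into one key, first field most significant."""
    key = 0
    for f in pattern:
        key = (key << FIELD_BITS[f]) | (values[f] & ((1 << FIELD_BITS[f]) - 1))
    return key

class CamAcl:
    """Match table whose entries are limited to `width` bits, as in the CAM type."""
    def __init__(self, width, pattern):
        need = sum(FIELD_BITS[f] for f in pattern)
        if need > width:  # the comparison targets do not fit in one memory word
            raise ValueError(f"pattern needs {need} bits, memory is {width} bits wide")
        self.pattern = pattern
        self.entries = []  # (value, mask, action), searched in insertion order

    def add_rule(self, values, action):
        # Assumption: a field omitted from a rule is "don't care" (masked out).
        ones = {f: (1 << FIELD_BITS[f]) - 1 if f in values else 0 for f in self.pattern}
        mask = pack(self.pattern, ones)
        full = {f: values.get(f, 0) for f in self.pattern}
        self.entries.append((pack(self.pattern, full) & mask, mask, action))

    def lookup(self, packet, default="forward"):
        key = pack(self.pattern, packet)
        for value, mask, action in self.entries:
            if key & mask == value:
                return action  # first matching rule decides
        return default

def demo():
    acl = CamAcl(64, ("src_ip", "proto", "dst_port"))  # 32 + 8 + 16 = 56 bits
    acl.add_rule({"src_ip": ip("192.0.2.10"), "proto": 6, "dst_port": 23}, "drop")
    acl.add_rule({"proto": 6, "dst_port": 80}, "redirect:server-b")
    packets = [  # constructed sample packets
        {"src_ip": ip("192.0.2.10"), "dst_ip": ip("198.51.100.1"), "proto": 6, "dst_port": 23},
        {"src_ip": ip("203.0.113.7"), "dst_ip": ip("198.51.100.1"), "proto": 6, "dst_port": 80},
        {"src_ip": ip("203.0.113.7"), "dst_ip": ip("198.51.100.1"), "proto": 17, "dst_port": 53},
    ]
    return [acl.lookup(p) for p in packets]
```

Adding `dst_ip` to the pattern raises the key to 88 bits, and the 64-bit table rejects it at construction, which is the width restriction on comparison targets and their combinations described above.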