The present invention is in the field of routing digital data over a data-packet-network (DPN) and pertains more particularly to methods and apparatus for intelligent process determination of data packets encountered by a router CPU during router operation.
In the art of routing digital data through data-packet networks, research and development of methods for more efficient handling of data packets continues. Generally speaking, a data packet is a digitized and organized block of binary data that is a "packaged" portion of a specific communication or data transfer from a source location to an ultimate destination on a network. A data packet typically has a header and a data body. The packet header is used for routing the packet through the network. During routing from a source location to a routed destination, data packets may be processed at one or more stops or routing points along the way. These hops, as they are often termed, are between data routers and, in some cases, server nodes distributed through the network. Common types of data packets routed over the Internet, and most commonly dealt with in data routing, include transmission control protocol (TCP) packets and Internet protocol (IP) data packets.
Among TCP packets there are packets carrying data and others carrying other information, such as error messages and control messages. Some TCP packets are generated by routers and communicated to other routers, and others are generated by routers and communicated to source/destination locations other than routers. TCP communication is a substantial part of all network communication or load.
It will be appreciated by the skilled artisan that many TCP and IP data packets comprising router-to-router communications and internal router communications are generated in the network and are destined for a central processing unit adapted to process them. For example, router-to-router communications, such as request and response messages related to routing are prevalent. Error packets related to control errors and the like are also prevalent.
Prior-art data routers typically utilize a central processing unit (CPU), which is separate from the router's data packet processor or processors, in order to process error messages, control messages, and data packets that for some reason require special handling. A network access controller (NAC) is typically hardware that reads CPU-destined data packets and routes them to the router CPU for processing.
In some instances, CPU-destined data packets are corrupted or damaged packets. Still other CPU-destined packets are addressed to the router by another router or computer. In some cases these are fraudulent data packets purposely and repeatedly generated and sent to a network destination (CPU) with the mission of compromising the CPU of the destination machine. Computer network hackers, working alone or in conjunction with others, have been known to launch such attacks, wherein an overload of erroneous data is generated and routed to a single point in the network for processing, causing that point to fail from CPU overload. One common form of attack is known in the art as a denial-of-service (DoS) attack, wherein repeated requests are sent to one network location, causing the location to overload while processing and responding to all of the requests.
A problem with prior-art CPU handling of data packets is that the CPU has no means of determining priority in packet handling. For example, all packets directed to it by a NAC are processed on a first-come, first-processed basis. There is no method of sorting good packets from bad packets, or of sorting packets by the type of request they carry. This problem has led to occurrences of failure for routers and, in many cases, loss of traffic to network servers connected in their paths. In some cases servers themselves are targeted. In the case of an attack on a router, the affected router may fail or become compromised as the CPU works in overload conditions to process all of the erroneous or spurious data sent. Moreover, a server connected to that router may suffer a lack of data traffic due to failure of the router in front of it.
What is clearly needed is a method and apparatus that enables a router or server to quickly identify and sort data packets that require special handling by category and priority so that the CPU is able to adequately process legitimate and useful packets, even in the presence of an overload of erroneous or spurious packets.
In a preferred embodiment of the invention, in a network node having one or more packet processors and at least one CPU required to process specific types of packets, a system for managing the specific types of packets for CPU processing is provided, the system comprising one or more packet processors enabled to sort the specific types of packets into two or more categories for processing, and a queue set for queuing the packets according to category. The system is characterized in that the CPU processes the queued packets according to category.
In some embodiments the queues into which the specific packets are sorted are hardware components of a network access controller (NAC). Also in some embodiments the network is the Internet network. The network node may be one of a packet router, a computer, or an information server, wherein the network is the Internet network. There may further be a software component for monitoring CPU load, and for configuring the system to select from the queues for processing according to a scheme considering the CPU load. In some embodiments the queues are assigned priorities and the CPU always processes the highest level of priority regardless of CPU load. In other embodiments each queue can be assigned a rate limit and the CPU observes this limit so that CPU resources are available for the other queues.
In another aspect of the invention a network data router capable of categorizing data packets for CPU processing is provided, the router comprising at least one data port for sending and receiving data, at least one packet processor, and a queue set of two or more queues for managing packets destined to the CPU for processing. The router is characterized in that the at least one packet processor sorts packets destined for processing according to two or more categories or priorities into the two or more queues, and the CPU takes from queues for processing.
In some embodiments the queues into which the specific packets are sorted are hardware components of a network access controller (NAC), and also in some embodiments the network is the Internet network.
In some embodiments of the router there may be a software component for monitoring CPU load, and for configuring the system to select from the queues for processing according to a scheme considering the CPU load. Also in some embodiments the queues may be assigned priorities and the CPU will always process the highest level of priority regardless of CPU load. Further, in some embodiments each queue can be assigned a rate limit and the CPU observes this limit so that CPU resources are available for the other queues.
In still another aspect of the invention a method for processing CPU-destined data packets in a network node is provided, the node having at least one data port for sending and receiving data and at least one packet processor coupled to the node, the method comprising steps of (a) receiving data packets at the data port, (b) determining those packets to be sent to the CPU for processing, (c) sorting the CPU-destined packets into two or more queues by category, and (d) selecting packets from the queues for CPU processing.
In some embodiments of this method, in step (c), the queues into which the specific packets are sorted are hardware components of a network access controller (NAC), and the network may be the Internet network. The network node may be one of a packet router, a computer, or an information server.
In other preferred embodiments there may be a step for configuring the queues and setting a selection protocol for processing by a software component executing on the network node. There may be a software component for monitoring CPU load, and for configuring the system to select from the queues for processing according to a scheme considering the CPU load. In some cases each queue has an associated priority and the CPU always processes the highest level of priority regardless of CPU load. In other cases of the method each queue can be assigned a rate limit and the CPU observes this limit so that CPU resources are available for the other queues.
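The following is an added illustration of the system, router and method described above, written for this page and not taken from the patent or any product. It models steps (b) through (d) in software: a packet processor classifies CPU-destined packets into a small set of priority queues (the category names, the BGP/SNMP port mapping used to identify routing and control traffic, the queue depth and the per-round rate limits are all assumptions chosen for the example), the highest-priority queue is always served first regardless of CPU load, lower queues are capped by rate limits that tighten as a monitored CPU load rises, and a first-come, first-processed baseline is kept alongside so the difference under a constructed flood of spurious packets is visible.

```python
from collections import deque
from dataclasses import dataclass

# Queue categories in priority order (highest first). Hypothetical names.
ROUTING, CONTROL, ERROR, OTHER = "routing", "control", "error", "other"
ORDER = (ROUTING, CONTROL, ERROR, OTHER)


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    valid: bool = True  # False if the packet processor found a bad checksum/length


def classify(pkt):
    """Step (c): packet-processor decision on which queue a CPU-destined packet joins."""
    if not pkt.valid:
        return OTHER                                # corrupted packets: lowest priority
    if pkt.proto == "tcp" and pkt.dport == 179:     # BGP session traffic (assumed routing category)
        return ROUTING
    if pkt.proto == "udp" and pkt.dport == 161:     # SNMP (assumed control category)
        return CONTROL
    if pkt.proto == "icmp":
        return ERROR                                # error/control messages
    return OTHER                                    # everything else, including unknown requests


def limits_for_load(cpu_load):
    """Per-round packet caps per queue, chosen by the load-monitoring component.
    ROUTING has no cap (always served first); lower queues are throttled harder
    as the monitored CPU load rises. Thresholds and caps are assumed values."""
    base = {CONTROL: 8, ERROR: 4, OTHER: 4}
    if cpu_load > 0.8:
        base = {c: max(1, n // 2) for c, n in base.items()}
    return base


class QueueSet:
    """The queue set that sits between the packet processor and the CPU."""

    def __init__(self, depth=64):
        self.queues = {c: deque() for c in ORDER}
        self.depth = depth                      # per-queue capacity; tail-drop when full
        self.dropped = {c: 0 for c in ORDER}

    def enqueue(self, pkt):
        cat = classify(pkt)
        if len(self.queues[cat]) >= self.depth:
            self.dropped[cat] += 1              # the flood is shed here, not on the CPU
            return cat, False
        self.queues[cat].append(pkt)
        return cat, True

    def schedule(self, budget, cpu_load=0.0):
        """Step (d): pick at most `budget` packets for this CPU round, strict priority
        across queues, with a rate limit on every queue but the highest."""
        limits = limits_for_load(cpu_load)
        served = {c: 0 for c in ORDER}
        for cat in ORDER:
            cap = limits.get(cat)               # None for ROUTING: uncapped
            while budget > 0 and self.queues[cat] and (cap is None or served[cat] < cap):
                self.queues[cat].popleft()
                served[cat] += 1
                budget -= 1
        return served


def fifo_round(packets, budget):
    """Prior-art baseline: first-come, first-processed, no sorting."""
    served = {c: 0 for c in ORDER}
    for pkt in packets[:budget]:
        served[classify(pkt)] += 1
    return served


def flood_then_bgp(n_junk=500, n_bgp=5):
    """Constructed traffic: a burst of spurious requests (some corrupted) that arrives
    ahead of a handful of legitimate BGP packets."""
    junk = [Packet("tcp", 80 + i % 7, valid=(i % 3 != 0)) for i in range(n_junk)]
    bgp = [Packet("tcp", 179) for _ in range(n_bgp)]
    return junk + bgp


def compare(budget=20, cpu_load=0.9):
    """One CPU round under each scheme for the same constructed traffic."""
    pkts = flood_then_bgp()
    qs = QueueSet()
    for p in pkts:
        qs.enqueue(p)
    return {"fifo": fifo_round(pkts, budget),
            "queued": qs.schedule(budget, cpu_load),
            "dropped_at_ingress": qs.dropped[OTHER]}


if __name__ == "__main__":
    print(compare())
```

With a budget of 20 packets per round, the first-come baseline spends the whole round on the flood and reaches none of the BGP packets, while the queue set serves all five routing packets first, spends only the rate-limited share on the lowest queue, and sheds the remainder of the flood at the queue boundary rather than on the CPU. The unused budget in that round is the CPU headroom the rate limits are meant to preserve.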
In embodiments of the invention, described in enabling detail below, method and apparatus is provided that makes it possible for the first time to categorize packets received at a network node and destined for a CPU, and to exercise discretion in how those packets are managed and processed.