1. Technical Field
The present invention relates in general to the field of data processing systems. More particularly, the present invention relates to communication between data processing systems. Still more particularly, the present invention relates to a system and method of optimizing communication between data processing systems.
2. Description of the Related Art
In the past, so-called “hackers” have accessed and compromised private networks by directly dialing modems coupled to the private network. With the advent of the Internet, individuals, businesses, and governments have discovered that communication between networks can be established via the Internet instead of relying on direct connections between private networks. However, connecting a private network to the Internet introduces significant security problems for the data stored on the private network.
When a private network is coupled to the Internet, hackers may utilize the Internet as a means of accessing the private network. Therefore, many businesses, individuals, and governments utilize protective software and/or hardware known as a “firewall” to protect the private network from unauthorized access. A firewall is typically a hardware and/or software module that controls access to and from the private network by examining every packet of data that attempts to enter or leave the private network at some entry point. Depending on the contents of the fields of an individual packet, the firewall determines whether the packet should proceed on its way or be discarded. To perform this function, the firewall includes a sequence of rules of the form <predicate>→<decision>, where <predicate> is a Boolean expression over the different fields of a packet, and <decision> is the operation applied to a packet that satisfies the predicate.
Most routers deployed on the Internet have packet classification capabilities. “Packet classification” is a function that enables routers to perform many services, such as routing, active networking, firewall access control, quality of service, differentiated service, and other network services. A packet classifier maps each packet to a decision based on a sequence of rules. A packet can be viewed as a tuple with a finite number of fields. Examples of such fields are source/destination IP address, source/destination port number, and protocol type. A packet classifier can map a packet to a variety of application-specific decisions. For example, possible decisions include “accept” or “discard”, as utilized in the context of a firewall.
Each packet classifier likewise includes a sequence of rules. Each rule in a packet classifier has the form <predicate>→<decision>, where <predicate> is a Boolean expression over the different fields of a packet, and <decision> is the operation applied to the packet. A packet “matches” a rule if and only if the packet satisfies the predicate of the rule. A packet may match more than one rule in a packet classifier, and the matching rules may carry conflicting decisions. To resolve such conflicts, a packet classifier maps each packet to the decision of the first (i.e., highest priority) rule that the packet matches; rules that appear later in the sequence are not consulted for that packet.
A packet classifier may have redundant rules. A rule in a packet classifier is redundant if and only if removing the rule does not change the decision of the packet classifier for each packet. The presence of redundant rules increases the processing time required for packet routing and decreases system performance. Therefore, there is a need for a system and method for addressing the aforementioned limitations of the prior art.
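The following Python program is an added worked example, not part of the original specification, illustrating the first-match semantics described above and the definition of a redundant rule (a rule whose removal leaves the classifier's decision unchanged for every packet). The packet format (a small source address space, a small destination address space, and two protocol values), the rule set R1 through R5, the default decision of “discard”, and the brute-force check over the full packet space are all assumptions made for the example; a real classifier would compare rule sets symbolically rather than by enumerating packets.

```python
"""First-match packet classifier with a brute-force redundant-rule check.

Added example (not from the specification). Fields are deliberately tiny so
that the entire packet space can be enumerated: source and destination
addresses are integers 0..15 and the protocol is "tcp" or "udp".
"""
from dataclasses import dataclass
from itertools import product

DEFAULT_DECISION = "discard"  # assumption: decision when no rule matches


@dataclass(frozen=True)
class Rule:
    """A rule of the form <predicate> -> <decision>.

    The predicate is a conjunction of per-field conditions: the source address
    must lie in `src`, the destination address in `dst`, and the protocol in
    `proto`.
    """
    name: str
    src: range
    dst: range
    proto: frozenset
    decision: str

    def matches(self, pkt):
        s, d, p = pkt
        return s in self.src and d in self.dst and p in self.proto


def classify(rules, pkt, default=DEFAULT_DECISION):
    """Return the decision of the first (highest-priority) rule the packet matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.decision
    return default


def equivalent(rules_a, rules_b, universe, default=DEFAULT_DECISION):
    """True iff both rule sequences decide every packet in `universe` identically."""
    return all(classify(rules_a, p, default) == classify(rules_b, p, default)
               for p in universe)


def redundant_rules(rules, universe, default=DEFAULT_DECISION):
    """Names of rules that are individually redundant.

    A rule is redundant iff removing it alone does not change the decision for
    any packet. Note that two rules can each be redundant on their own while
    removing both would change behaviour (e.g. exact duplicates).
    """
    return [r.name for i, r in enumerate(rules)
            if equivalent(rules, rules[:i] + rules[i + 1:], universe, default)]


def prune(rules, universe, default=DEFAULT_DECISION):
    """Remove redundant rules one at a time, re-checking after each removal.

    Re-checking is what keeps one copy of a duplicated rule: once the first
    copy is gone, the second is no longer redundant.
    """
    kept = list(rules)
    i = 0
    while i < len(kept):
        without = kept[:i] + kept[i + 1:]
        if equivalent(kept, without, universe, default):
            kept = without
        else:
            i += 1
    return kept


ANY_ADDR = range(0, 16)
ANY_PROTO = frozenset({"tcp", "udp"})

# Constructed rule set (assumption). Highest priority first.
RULES = [
    Rule("R1", range(0, 8), ANY_ADDR, frozenset({"tcp"}), "accept"),
    # R2 is shadowed: every packet it matches is already decided by R1.
    Rule("R2", range(0, 4), ANY_ADDR, frozenset({"tcp"}), "discard"),
    # R3 and R4 are exact duplicates: each is redundant alone, not together.
    Rule("R3", range(4, 8), range(0, 4), frozenset({"udp"}), "accept"),
    Rule("R4", range(4, 8), range(0, 4), frozenset({"udp"}), "accept"),
    # R5 only restates the default decision for packets reaching it.
    Rule("R5", range(8, 16), ANY_ADDR, ANY_PROTO, "discard"),
]

# Every possible packet over the toy field space (16 * 16 * 2 = 512 tuples).
UNIVERSE = list(product(range(16), range(16), ("tcp", "udp")))


if __name__ == "__main__":
    print("individually redundant:", redundant_rules(RULES, UNIVERSE))
    print("after pruning:", [r.name for r in prune(RULES, UNIVERSE)])
```

Running the example reports R2, R3, R4 and R5 as individually redundant, yet pruning keeps R4: after R3 is removed, R4 is the only rule accepting UDP from sources 4..7 to destinations 0..3, so it is no longer redundant. This is why redundancy must be re-evaluated after each removal rather than computed once for the whole rule set.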