Logical operation unit for packet processing

Multiplex communications – Pathfinding or routing – Switching a message which includes an address header

Reexamination Certificate


Status: active

Patent No. 06658002

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention generally concerns data communications systems, in particular internetworking systems and specifically access control techniques for such systems.
2. Description of the Related Art
Introduction
The data communications field encompasses a wide range of technologies, but systems for connecting networks of computers to other networks, known generally as internetworking, are of increasing importance. As these networks of networks (e.g., the Internet) proliferate, increasing attention is required to the problem of maintaining network security. In particular, access control at the data packet level has become a concern. Also known as packet filtering, packet-level access control is a technique whereby individual data packets in the communications data stream are examined to determine the propriety of accepting, transmitting, or forwarding them. Several different filtering opportunities exist. A packet could be inbound to a “local” computer connected to the switch device (i.e., on the receiving network), inbound but destined to be forwarded to another network, or originating from the local network and destined for another network (outbound). Also, the packet could originate from the local network and be destined for the local network.
FIG. 1 illustrates a high-level schematic view of the operation of a prior art data communications device, such as a router or switch. The device is generally referred to as a “router,” although persons of ordinary skill in the art will recognize that other networked data communications devices may serve an equivalent function.
A number of flows 20, i.e., simultaneous packet- or frame-based messages from multiple sources, are presented to router 10. These flows each consist of multiple packets of data, in a variety of sizes and presented at a variety of rates. Flows may be presented in different protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP) and the related User Datagram Protocol (UDP), File Transfer Protocol (FTP), Terminal Emulation Protocol (Telnet), and Hypertext Transfer Protocol (HTTP). Other internetworking protocols are found in the literature, such as Merilee Ford, et al., Internetworking Technologies Handbook, Cisco Press 1997 (hereinafter Ford), incorporated herein by reference in its entirety. The packets are buffered in a buffer pool 30, which is typically random access memory (RAM). Buffering is accomplished according to the directives of a controller 60 and a buffer manager 25. Controller 60 includes a forwarding engine, not shown, which determines on a packet-by-packet basis the proper destination (“routing”) of each packet. This determination is made from information contained within each packet. The flows are sent to the proper output port 70 by way of a set of output queues 40 and a port scheduler 50. Controller 60, buffer manager 25, and port scheduler 50 are conventionally implemented as one or more high speed microprocessors or custom ASICs with associated interface circuitry.
Routers are described in greater detail in Ford, Chapter 5 and Karanjit S. Siyan, Inside TCP/IP, 3d ed., New Riders Publishing 1997 (hereinafter Siyan TCP/IP), incorporated herein by reference in their entirety.
Access control functions in routers and related network communications devices are typically implemented in controller 60 with the co-operation of the forwarding engine. Access controls are discussed generally in Karanjit Siyan and Chris Hare, Internet Firewalls and Network Security, 3d ed., New Riders Publishing 1995 (hereinafter Siyan Firewalls); and D. Brent Chapman and Elizabeth D. Zwicky, Building Internet Firewalls, O'Reilly & Associates, 1995 (hereinafter Chapman). Both Siyan Firewalls and Chapman are incorporated herein by reference in their entirety.
Understanding the background of the present invention requires familiarity with the terminology and organization of modern networking. In particular, an understanding of the functions performed at each layer of the communications hierarchy is required. These functions are generally described by the Open Systems Interconnection (OSI) reference model, well known in the art. See, e.g., Ford, Chapter 1 and Siyan TCP/IP, Chapter 2.
Packet Filtering With Access Control Lists
An access control list (ACL) is a set of rules for evaluating whether a packet should be permitted to pass or denied routing. As applied to routers, an ACL is implemented as a series of commands that program the router to permit or deny packet access to the routing function. Various classes or families of internetworking devices, such as the Cisco Systems® Catalyst® family of switches and the Cisco 7xxx family of routers, respectively, share common command sets and syntax for ACL programming. The command set and syntax used in Cisco routers is more fully described in Network Protocols Configuration Guide, Cisco IOS® Release 12.0, Cisco Press, 1998 (hereinafter IOS Guide), incorporated herein by reference in its entirety.
The party controlling or maintaining the router (typically, the network administrator) must define the rules by which packet routing is to be controlled. The conventional process of defining these rules is further described in Chapman, Chap. 6 and Siyan Firewalls, Chap. 4. Rule definition is accomplished by commanding the router in accordance with the particular command syntax and programming method appropriate to the type of router used. The router's operational software (e.g., the Cisco IOS) then translates the access list commands into a form useable by the router. For example, the programming syntax for the Cisco family of routers is described in the IOS Guide referenced above. The complete Cisco IOS command set is described in further detail in Network Protocols Command Reference, IOS Release 12.0, Cisco Press, 1998 (hereinafter IOS Command Reference), incorporated herein by reference in its entirety.
ACL rules can be simple when expressed in plain English, such as “Permit TCP packets from any source to host with IP address equal to 194.121.68.173 and TCP port number greater than 1023” or complex, such as “Permit UDP packets from any source to host with IP address equal to 142.175.12.40 and UDP port number less than 1023, but not equal to 21, 80, or 128.” In the first example, the corresponding Cisco IOS router command contains a single rule element:
permit tcp any host 194.121.68.173 gt 1023
where “gt” represents “greater than.” In the latter example, there are four elements to the rule, thus requiring four commands to the router. Because an access list is evaluated from the top down and the first matching entry decides, the three deny entries must precede the permit entry:
deny udp any host 142.175.12.40 eq 21
deny udp any host 142.175.12.40 eq 80
deny udp any host 142.175.12.40 eq 128
permit udp any host 142.175.12.40 lt 1023
Another common rule example is “Deny TCP traffic going to host with IP address equal to 131.124.87.95 and TCP port number in the range 6000 to 6002,” represented in command form as:
deny tcp any host 131.124.87.95 range 6000 6002
Rules may also be expressed in terms of permitting or denying access to or from certain destination or source IP addresses (respectively), e.g., “Deny IP traffic coming from subnet 173.201.0.0.” In such situations, the rule command includes the IP address of interest together with a wildcard mask, in which a 1 bit marks a “don't care” position, so that 0.0.255.255 covers the whole 173.201.0.0/16 subnet:
deny 173.201.0.0 0.0.255.255
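The semantics the commands above rely on, shown as an added example in Python (not code from the patent or from Cisco IOS): entries are evaluated top to bottom, the first match decides, and a packet that matches nothing is dropped by the implicit deny at the end of every IOS access list. The parser covers only the syntax used on this page (any, host, a wildcard-masked address, and the eq/gt/lt/range port operators); the packet tuples and source addresses are constructed sample input, and the standard-form subnet rule is placed in the same list as the extended rules only to exercise the evaluator, which IOS itself would not allow.

```python
"""First-match evaluation of the Cisco-style ACL rules quoted above.

Added illustration (not code from the patent or from Cisco IOS). Only the
syntax used on this page is parsed; packet tuples are constructed input.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # value 0 under an all-ones wildcard: every address matches


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: Tuple[int, int]             # (address, wildcard mask), IOS convention
    dst: Tuple[int, int]
    port_op: Optional[str] = None    # eq, gt, lt or range; None = any port
    port_args: Tuple[int, ...] = ()


def _take_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if proto not in ("ip", "tcp", "udp"):
        # standard-list form 'deny A.B.C.D wildcard': source address only
        tokens.insert(0, proto)
        return Rule(action, "ip", _take_addr(tokens), ANY)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    if not tokens:
        return Rule(action, proto, src, dst)
    op, args = tokens[0], tuple(int(t) for t in tokens[1:])
    return Rule(action, proto, src, dst, op, args)


def _addr_match(addr: int, spec: Tuple[int, int]) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the 0 bits are compared."""
    value, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == value & care


def _port_match(port: int, rule: Rule) -> bool:
    op, a = rule.port_op, rule.port_args
    if op is None:
        return True
    if op == "eq":
        return port == a[0]
    if op == "gt":
        return port > a[0]
    if op == "lt":
        return port < a[0]
    if op == "range":
        return a[0] <= port <= a[1]
    raise ValueError(f"unsupported port operator {op!r}")


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule that matches; no match means deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if _addr_match(s, r.src) and _addr_match(d, r.dst) and _port_match(dport, r):
            return r.action
    return "deny"  # the implicit deny at the end of every IOS access list


# The commands quoted on this page (range rule with its typo corrected).
ACL_LINES = [
    "deny udp any host 142.175.12.40 eq 21",
    "deny udp any host 142.175.12.40 eq 80",
    "deny udp any host 142.175.12.40 eq 128",
    "permit udp any host 142.175.12.40 lt 1023",
    "permit tcp any host 194.121.68.173 gt 1023",
    "deny tcp any host 131.124.87.95 range 6000 6002",
    "deny 173.201.0.0 0.0.255.255",
]
ACL = [parse_rule(line) for line in ACL_LINES]

# The same four UDP commands with the permit moved first: order changes the result.
MISORDERED = [ACL[3], ACL[0], ACL[1], ACL[2]]

if __name__ == "__main__":
    print(evaluate(ACL, "udp", "10.0.0.1", "142.175.12.40", 21))         # deny
    print(evaluate(MISORDERED, "udp", "10.0.0.1", "142.175.12.40", 21))  # permit
    print(evaluate(ACL, "tcp", "173.201.5.5", "8.8.8.8", 443))           # deny
```

The MISORDERED list is the practitioner's check: with the permit placed ahead of the denies, UDP port 21 to 142.175.12.40 is permitted, which is exactly the mistake the ordering of the four commands on the page avoids. Note also that a TCP packet from 173.201.5.5 to 194.121.68.173 port 8080 is permitted by the earlier tcp rule before the subnet deny is ever consulted.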
One prior art method used in relatively slow routers required the operational software to interpret the ACL programming commands into a series of conditional statements, such as the well-known software “CASE” statement. ACL filtering was thus accomplished in software using the interpreted commands directly. This method limited the packet throughput, however, because processing depended on software execution speed and on the number of rules that had to be tested one after another for each packet.
A faster and more compact method of applying ACL rules is to convert the rule elements into entries in a content-addressable memory (CAM). Content-addressable memories, well-known in the art, allow a simultaneous search of all entries by performing a bit-wise comparison of an input value (the key or comparand) ag
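How the rule elements become CAM entries, as an added example in Python that is not the patent's mechanism or Cisco's implementation: a content-addressable memory compares a stored value against the key bit by bit, and a ternary CAM (TCAM) stores a per-bit mask alongside the value, so one entry can cover a block of port numbers that is aligned to a power of two. A port condition such as gt 1023 or lt 1023 is not one such block and has to be split into several entries; the routine below is the standard prefix-expansion algorithm and reports how many entries each of the port conditions on this page costs. The 16-bit key width, the (value, mask) entry layout and the lowest-index-wins priority are assumptions made for the illustration.

```python
"""Expanding IOS port operators into (value, mask) CAM entries.

Added illustration, not the patent's mechanism or Cisco's implementation.
Assumes a 16-bit port key and a TCAM-style entry (value, mask) in which a
mask bit of 1 must match and a mask bit of 0 is 'don't care'.
"""
from typing import Dict, List, Optional, Tuple

PORT_BITS = 16
PORT_MAX = (1 << PORT_BITS) - 1
Entry = Tuple[int, int]  # (value, mask)


def range_to_prefixes(lo: int, hi: int) -> List[Entry]:
    """Cover the closed interval [lo, hi] with the fewest aligned blocks.

    Each block starts at lo, has a power-of-two size, is aligned to that
    size and does not extend past hi, so it is exactly one masked entry.
    """
    entries: List[Entry] = []
    while lo <= hi:
        size = 1
        while (lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi
               and size * 2 <= 1 << PORT_BITS):
            size *= 2
        entries.append((lo, PORT_MAX & ~(size - 1)))
        lo += size
    return entries


def port_condition_entries(op: str, *args: int) -> List[Entry]:
    """Translate one IOS port operator (eq/gt/lt/range) into CAM entries."""
    if op == "eq":
        return range_to_prefixes(args[0], args[0])
    if op == "gt":
        return range_to_prefixes(args[0] + 1, PORT_MAX)
    if op == "lt":
        return range_to_prefixes(0, args[0] - 1)
    if op == "range":
        return range_to_prefixes(args[0], args[1])
    raise ValueError(f"unsupported port operator {op!r}")


def cam_lookup(entries: List[Entry], key: int) -> Optional[int]:
    """Simulate the parallel compare: every entry is checked against the key
    under its own mask and the lowest-indexed hit wins (priority encoder)."""
    for index, (value, mask) in enumerate(entries):
        if key & mask == value & mask:
            return index
    return None


def matches(entries: List[Entry], port: int) -> bool:
    return cam_lookup(entries, port) is not None


def entry_counts() -> Dict[str, int]:
    """Entries needed for each port condition quoted on this page."""
    return {
        "eq 21": len(port_condition_entries("eq", 21)),
        "gt 1023": len(port_condition_entries("gt", 1023)),
        "lt 1023": len(port_condition_entries("lt", 1023)),
        "range 6000 6002": len(port_condition_entries("range", 6000, 6002)),
    }


if __name__ == "__main__":
    for cond, n in entry_counts().items():
        print(f"{cond:16} -> {n} CAM entries")
    for value, mask in port_condition_entries("gt", 1023):
        print(f"  value {value:#06x} mask {mask:#06x}")
```

The counts are the point: eq 21 is one entry, range 6000 6002 is two, but gt 1023 needs six and lt 1023 needs ten, and a rule that also masks source and destination addresses multiplies those entries into the address fields. That expansion is what eats CAM capacity when ranges and inequalities are common, and it is the cost a dedicated comparison unit for port operators avoids.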
