Access control list processing in hardware

Multiplex communications – Pathfinding or routing – Switching a message which includes an address header

Reexamination Certificate


Details

active

07023853

ABSTRACT:
The invention provides for hardware processing of ACLs and thus hardware enforcement of access control. A sequence of access control specifiers from an ACL is recorded in a CAM, and information from the packet header is used to attempt to match selected source and destination IP addresses or subnets, ports, and protocols against all the ACL specifiers at once. Successful matches are input to a priority selector, which selects the match with the highest priority (that is, the match that is first in the sequence of access control specifiers). The specified result of the selected match is used to permit or deny access for the packet without need for software processing, preferably at a rate comparable to wire speed. The CAM includes an ordered sequence of entries, each of which has an array of ternary elements for matching “0”, “1”, or any value, and each of which generates a match signal. The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM, such as by combining entries which are each special cases of a more general access control specifier. A router including the CAM can also include preprocessing circuits for certain range comparisons which have been found both to be particularly common and to be otherwise inefficiently represented by the ternary nature of the CAM, such as comparisons of the port number against known special cases such as “greater than 1023” or “within the range 6000 to 6500”.
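To make the match-everything-at-once and priority-selection mechanism concrete, here is an added Python simulation that is not part of the patent or its abstract: each ACL specifier becomes a row of ternary (value, mask) fields, a packet is compared against every row and the lowest-index hit wins, and a port range such as “greater than 1023” or 6000 to 6500 is expanded into the ternary rows it would otherwise cost. The field encoding, the sample ACL and the deny-by-default result for unmatched packets are assumptions of this example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed rule encoding (not the patent's own): every field is a (value, mask)
# pair; mask bit 1 means "must match", mask bit 0 means "don't care" (ternary X).
CamRow = namedtuple("CamRow", "src dst proto dport action")
ANY = (0, 0)                      # every bit don't-care

def cidr(text):
    net = ip_network(text, strict=False)
    return int(net.network_address), int(net.netmask)

def exact(value, bits=16):
    return value, (1 << bits) - 1

def port_range_to_ternary(lo, hi):
    """Greedy prefix expansion of an inclusive port range into ternary rows.
    A range like 6000-6500 costs several rows, which is why the abstract puts
    dedicated range comparators in front of the CAM for such cases."""
    rows = []
    while lo <= hi:
        size = 1                  # largest aligned power-of-two block from lo
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        rows.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return rows

def row_matches(row, src, dst, proto, dport):
    pairs = ((row.src, src), (row.dst, dst), (row.proto, proto), (row.dport, dport))
    return all((pkt & mask) == val for (val, mask), pkt in pairs)

def cam_lookup(cam, src, dst, proto, dport):
    """All rows are compared at once; the priority selector keeps the lowest
    index hit. Returns (action, row index). No hit is treated as deny, an
    assumed default that the abstract does not state."""
    src, dst = int(ip_address(src)), int(ip_address(dst))
    hits = [i for i, r in enumerate(cam) if row_matches(r, src, dst, proto, dport)]
    return (cam[hits[0]].action, hits[0]) if hits else ("deny", None)

def sample_acl():
    """Constructed ACL: deny one host, permit the rest of its /24 to a web
    server on TCP/80, and permit TCP replies to ephemeral ports (>1023)."""
    cam = [CamRow(cidr("10.1.1.7/32"), ANY, ANY, ANY, "deny"),
           CamRow(cidr("10.1.1.0/24"), cidr("192.0.2.10/32"), exact(6, 8), exact(80), "permit")]
    for dport in port_range_to_ternary(1024, 65535):   # "gt 1023" -> 6 rows
        cam.append(CamRow(ANY, cidr("10.1.1.0/24"), exact(6, 8), dport, "permit"))
    return cam
```

Expanding 6000 to 6500 with `port_range_to_ternary` yields seven rows while “greater than 1023” yields six, which is the inefficiency the abstract's range-comparison preprocessing circuits are meant to avoid.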

REFERENCES:
patent: 5386413 (1995-01-01), McAuley et al.
patent: 5414704 (1995-05-01), Spinney
patent: 5509006 (1996-04-01), Wilford et al.
patent: 5920886 (1999-07-01), Feldmeier
patent: 5938736 (1999-08-01), Muller et al.
Alessandri, Access Control List Processing in Hardware, Diploma Thesis, pp. 1-85, Oct. 1997.
Miei et al, Parallelization of IP-Packet Filter Rules, IEEE, pp. 381-388, 1997.
McAuley et al, Fast Routing Table Lookup Using CAMs, Bellcore, pp. 1-10, 1993.
Doeringer et al, Routing on Longest-Matching Prefixes, IEEE, pp. 86-97, 1996.
Shaffer, Designing Very Large Content-Addressable Memories, University of Pennsylvania, pp. 1-38, 1992.
Molitor, Architecture for Advanced Packet Filtering, USENIX UNIX Security Symposium, pp. 1-13, 1995.
