Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2000-11-29
2001-10-09
Beausoleil, Robert (Department: 2184)
C707S793000, C713S154000, C713S164000, C709S227000
active
06301669
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field of the Invention
This invention pertains to IP packet filtering. More specifically, it relates to the use of small, optimized sequences of binary 6-tuples representing filter rules to achieve very fast IP packet filtering.
2. Background Art
Internet protocol (IP) network address translation (NAT) and IP filtering are functions which provide firewall-type capability to an Internet gateway system. In one specific system, this is accomplished by providing means for the system administrator to specify specific NAT and filtering rules via an operational navigator graphical user interface (GUI).
IP packet filtering is the process of checking each Internet protocol (IP) packet that is about to be sent from, or has just arrived at, a gateway system (or node) in a communications network and, based upon that check, making a decision. The decision is (typically, and insofar as it relates to the preferred embodiment of this invention) whether the packet should be discarded or allowed to continue. These are termed the ‘deny’ and ‘permit’ actions. IP filtering is widely used in Internet firewall systems, by independent service providers (ISPs) and by organizations connected to the Internet.
Filter rules are most commonly an ordered list of rules, processed sequentially from top to bottom (order is specified by the system administrator). Each rule permits a certain kind of IP traffic. Processing for an IP packet continues until the packet is permitted, explicitly denied, or there are no more rules, in which case it is denied. Usually a number of filter rules must be written for each protocol to be permitted.
It is important that the IP filtering actions be particularly efficient and very fast, because of the huge volume of IP packets a typical gateway system will handle each day and because of the fairly large number of filter rules that might have to be processed for each IP packet. Typically, each IP packet that flows through the system must be processed by all the filter rules. A moderately busy system can easily be expected to process 10^6 packets per day. Hence, any unnecessary overhead might cause throughput problems.
It is an object of the invention to provide an improved IP packet filtering system and method.
It is a further object of the invention to provide a very fast IP packet filtering system and method.
SUMMARY OF THE INVENTION
In accordance with the invention, a system and method for filtering IP packets received from a caller at the physical interface to an operating system kernel is provided. Filtering is accomplished by processing FILTER rule statements entered by a user in a rules file to generate 6-tuple filtering rules, each of the 6-tuple filtering rules including an operator index; resolving relative and symbolic indexes in these 6-tuple filtering rules to form resolved filtering rules and loading the resolved filtering rules into the operating system kernel; and interpreting the resolved filtering rules for each IP packet received at the physical interface.
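As an added illustration, not the patent's own code or IBM's implementation, the following C model runs the pipeline just described: rules are written as 6-tuples with relative and symbolic jump targets, a load step resolves those targets to absolute indexes, and a per-packet interpreter walks the resolved list with the "no more rules means deny" semantics from the background section. The 6-tuple layout, the field and operator names, and the packet structure are assumptions; the page states only that each tuple carries an operator index.

```c
#include <stdint.h>
#include <stddef.h>
typedef struct { uint32_t src, proto, dport; } pkt_t;   /* constructed packet view */

/* Assumed 6-tuple layout (the patent states only that one field is an operator index):
 * (op, field, value, mask, next_if_true, next_if_false). Targets are rule indexes or the
 * symbolic terminals PERMIT/DENY; before resolution a target >= 0 is an offset relative
 * to the rule following this one (0 = fall through to the next rule). */
enum { F_SRC, F_PROTO, F_DPORT };
enum { OP_MASK_EQ };
enum { PERMIT = -1, DENY = -2 };
typedef struct { int op, field; uint32_t value, mask; int t, f; } rule6_t;
static uint32_t field_of(const pkt_t *p, int field) {
    return field == F_SRC ? p->src : field == F_PROTO ? p->proto : p->dport;
}
static int abs_target(int rel, size_t self, size_t n) {
    if (rel < 0) return rel;                    /* PERMIT / DENY stay symbolic */
    size_t target = self + 1 + (size_t)rel;
    return target < n ? (int)target : DENY;     /* a jump past the last rule denies */
}

/* Load step: resolve relative and symbolic targets to absolute indexes, in place. */
int resolve_rules(rule6_t *r, size_t n) {
    for (size_t i = 0; i < n; i++) {
        r[i].t = abs_target(r[i].t, i, n);
        r[i].f = abs_target(r[i].f, i, n);
    }
    return (int)n;
}

/* Per-packet interpreter: follow resolved indexes until a terminal verdict. */
int filter_packet(const rule6_t *r, size_t n, const pkt_t *p) {
    int i = 0;
    while (i >= 0 && (size_t)i < n) {
        int hit = (field_of(p, r[i].field) & r[i].mask) == r[i].value;  /* OP_MASK_EQ */
        i = hit ? r[i].t : r[i].f;
    }
    return i < 0 ? i : DENY;                    /* no more rules: deny */
}

/* Constructed rule set: permit TCP/80 from 10.0.0.0/8, else permit ICMP, else deny.
 * A failed test's f target skips the rest of that rule's chain of tests. */
rule6_t example_rules[] = {
    { OP_MASK_EQ, F_PROTO, 6,           0xFFFFFFFFu, 0, 2 },      /* TCP? else -> rule 3 */
    { OP_MASK_EQ, F_DPORT, 80,          0xFFFFFFFFu, 0, 1 },      /* port 80? else -> 3 */
    { OP_MASK_EQ, F_SRC,   0x0A000000u, 0xFF000000u, PERMIT, 0 }, /* from 10/8? permit */
    { OP_MASK_EQ, F_PROTO, 1,           0xFFFFFFFFu, PERMIT, 0 }, /* ICMP? permit */
};
size_t example_rule_count = sizeof example_rules / sizeof example_rules[0];
```

Resolution must run exactly once per rule set, since a second pass would reinterpret the now-absolute indexes as relative offsets.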
Other features and advantages of this invention will become apparent from the following detailed description of the presently preferred embodiment of the invention, taken in conjunction with the accompanying drawings.
REFERENCES:
patent: 5517622 (1996-05-01), Ivanoff et al.
patent: 5517628 (1996-05-01), Morrison et al.
patent: 5557798 (1996-09-01), Skeen et al.
patent: 5606668 (1997-02-01), Shwed
patent: 5634015 (1997-05-01), Chang et al.
patent: 5701316 (1997-12-01), Alferness et al.
patent: 5867666 (1999-02-01), Harvey
patent: 5968176 (1999-10-01), Nessett et al.
patent: 6092110 (2000-07-01), Maria et al.
patent: 6098172 (2000-08-01), Coss et al.
patent: 6147976 (2000-11-01), Shand et al.
patent: 854621 (1998-07-01), None
patent: 1070570 (1998-03-01), None
Boden Edward B.
Brzozowski Wesley A.
Gebler, Jr. Paul A.
Baderman Scott
Beausoleil Robert
Beskstrand Shelley M.
International Business Machines Corporation