Internet protocol address filtering methods and apparatus

US 10,389,631 B2
Filed: 04/28/2017
Issued: 08/20/2019
Est. Priority Date: 04/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a data packet, determining an IP address of the data packet, accessing an IP address map that stores set membership values indicative of whether an IP address is a member of a set of IP addresses for every possible IP address within an IP address space of the IP address, to determine set membership for the IP address of the data packet; and

determining a further action to be performed on the packet based on the set membership that is determined for the IP address of the data packet, wherein the determining comprises selecting between a preferred treatment action for the data packet based on the IP address of the data packet being a member of the set of IP addresses and a next stage of processing based on the IP address of the data packet not being a member of the set of IP addresses.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An IP address of a received data packet is determined. An IP address map that stores set membership values indicative of whether an IP address is a member of a set of IP addresses, for every possible IP address within an IP address space of the IP address, is accessed to determine set membership for the IP address of the data packet. A further action to be performed on the packet is determined based on the set membership that is determined for the IP address of the data packet. Embodiments could be applied to source IP address filtering, destination IP address filtering, or both. Blacklist and whitelist embodiments, and associated further actions that could be applied to packets in such embodiments, are contemplated.

4 Citations

20 Claims

1. A method comprising:
- receiving a data packet, determining an IP address of the data packet, accessing an IP address map that stores set membership values indicative of whether an IP address is a member of a set of IP addresses for every possible IP address within an IP address space of the IP address, to determine set membership for the IP address of the data packet; and
  
  determining a further action to be performed on the packet based on the set membership that is determined for the IP address of the data packet, wherein the determining comprises selecting between a preferred treatment action for the data packet based on the IP address of the data packet being a member of the set of IP addresses and a next stage of processing based on the IP address of the data packet not being a member of the set of IP addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the IP address space comprises at least all the unreserved IP addresses in accordance with the IP version 4 protocol.
  - 3. The method of claim 1, wherein the IP address space comprises 2³²addresses.
  - 4. The method of claim 1, wherein the IP address of the data packet is a destination address.
  - 5. The method of claim 1, wherein the IP address of the data packet is a source address.
  - 6. The method of claim 1, wherein the determining comprises selecting between a set membership action for the data packet based on the IP address of the data packet being a member of the set of IP addresses and a next stage of processing based on the IP address of the data packet not being a member of the set of IP addresses.
  - 7. The method of claim 1, wherein the set of IP addresses comprises a whitelist.
  - 8. The method of claim 1, wherein the set of IP addresses comprises a blacklist.
  - 9. The method of claim 8, wherein the determining comprises selecting between a mitigation action for the data packet based on the IP address of the data packet being a member of the set of IP addresses and a next stage of processing based on the IP address of the data packet not being a member of the set of IP addresses.
  - 10. The method of claim 9, wherein the mitigation action comprises one of:
    - not transmitting the data packet, reducing the rate of transmission of the data packet or sending the data packet for inspection.
  - 11. The method of claim 1, wherein each of the set membership values comprises a single bit of information.
  - 12. The method of claim 1, wherein the IP address map is stored in a map memory, wherein the map memory comprises multiple memory devices that each store a copy of an IP address map including the set membership values, and wherein the accessing for successive received packets is distributed over the multiple memory devices and interleaved.
  - 13. The method of claim 1, wherein the set membership values comprise an IP address map, wherein the IP address map is stored in a map memory, the map memory comprising multiple memory devices, each memory device comprising multiple memory banks, each memory device storing multiple copies of a different portion of the IP address map in its memory banks, and wherein the accessing for successive received packets is distributed over the multiple memory banks of the multiple memory devices.
  - 14. The method of claim 1, further comprising:
    - storing in a map memory the IP address map comprising the set membership values.
  - 15. The method of claim 1, wherein the values comprise multi-bit set membership values indicative of which of multiple sets of IP addresses each possible IP address is a member.

16. An apparatus comprising:
- an interface to receive a data packet;
  
  a map memory storing set membership values indicative of whether an IP address is a member of a set of IP addresses for every possible IP address within an IP address space of the IP address; and
  
  a packet processor coupled to the interface and to the map memory to determine an IP address of the data packet, to access the map memory and determine set membership for the IP address of the data packet, and to determine a further action to be performed on the packet based on the set membership that is determined for the IP address of the data packet, wherein the packet processor is configured to determine the further action by selecting between a set membership action for the data packet based on the IP address of the data packet being a member of the set of IP addresses and a next stage of processing based on the IP address of the data packet not being a member of the set IP addresses.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein the map memory comprises any one or more of:
    - Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), flash memory, and ferroelectric Random Access Memory (FRAM).
  - 18. The apparatus of claim 16, wherein the set membership values comprise an IP address map, wherein the map memory comprises multiple memory devices that each store a copy of the IP address map, and wherein the packet processor is configured to distribute and interleave access to the map memory over the multiple memory devices.
  - 19. The apparatus of claim 16, wherein the set membership values comprise an IP address map, wherein the map memory comprises multiple memory devices, each memory device comprising multiple memory banks, each memory device storing multiple copies of a different portion of the IP address map in its memory banks, and wherein the packet processor is configured to distribute successive read operations over the multiple memory banks of the multiple memory devices.
  - 20. The apparatus of claim 16, wherein the IP address space comprises at least all the unreserved IP addresses in accordance with the IP version 4 protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Corsa Technology, Inc.
Original Assignee
Corsa Technology, Inc.
Inventors
Sheldon, Stacey, Sewter, Jonathan
Primary Examiner(s)
Chery, Dady

Application Number

US15/581,454
Publication Number

US 20180316611A1
Time in Patent Office

844 Days
Field of Search
US Class Current
CPC Class Codes

H04L 45/72   Routing based on the source...

H04L 45/745   Address table lookup; Addre...

H04L 45/7453   using hashing

Internet protocol address filtering methods and apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Internet protocol address filtering methods and apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links