Access control based on range-matching
First Claim
1. A network device, comprising:
a register memory storing indications of a range of values;
a content-addressable memory (CAM) comprising a plurality of portions, each portion comprising one or more access control entries;
memory storing actions to take on network packets;
key assembler circuitry coupled to the register memory and the CAM, the key assembler circuitry configured to:
receive data for a network packet received by the network device, the data including fields;
determine that a value of a first one of the fields is within a first numerical range;
generate a compare key including a first field corresponding to the first numerical range and a second field corresponding to a second numerical range, a first value stored in the first field indicating that the value is within the first numerical range and a second value stored in the second field indicating that the value is not within the second numerical range, the compare key having a pre-determined size; and
provide, to the CAM, the compare key to search for an access control entry in a number of portions of the plurality of portions of the CAM, the number of portions being based on the size of the compare key; and
action control circuitry coupled to the CAM and the memory storing actions, the action control circuitry configured to:
receive, from the CAM, an address of the access control entry found using the compare key;
select, using the access control entry, from the memory, one of the actions to perform on the network packet; and
perform the selected action on the network packet.
Abstract
Disclosed are techniques that can be used within network devices to implement access control functionality. The techniques can include use of a content-addressable memory configured including an access control entry stored therein. Circuitry can be coupled to the content-addressable memory and configured to determine that a value is within a range of values. The circuitry can generate a compare key including a field that is set indicating that the value is within the range of values. The circuitry can provide, to the content-addressable memory, the compare key for locating a corresponding access control entry within the content-addressable memory. The circuitry can receive, from the content-addressable memory, an index of the access control entry stored within the content-addressable memory. The circuitry can select, based on the index of the access control entry, an action.
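The lookup the abstract describes can be modelled in software. The following is an added example, not code from the patent: the one-bit-per-range key layout, the ternary mask on each entry, the port ranges and the rule set are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model, not the patented circuit: names, ranges and rules are assumptions. */
enum action { ACT_PERMIT, ACT_DENY, ACT_LOG };

struct range { uint16_t lo, hi; };            /* one "register memory" slot */
struct cam_entry { uint16_t value, mask; };   /* assumed ternary: mask bit 0 = don't care */

#define N_RANGES 2
static const struct range range_regs[N_RANGES] = {
    { 0, 1023 },      /* range 0: well-known ports */
    { 8000, 8999 },   /* range 1: application ports */
};

/* Key layout (fixed 16 bits): [15:8] IP protocol, [7:0] one bit per range. */
uint16_t assemble_key(uint8_t proto, uint16_t dport)
{
    uint16_t range_bits = 0;
    for (size_t i = 0; i < N_RANGES; i++)
        if (dport >= range_regs[i].lo && dport <= range_regs[i].hi)
            range_bits |= (uint16_t)(1u << i);
    return (uint16_t)(((uint16_t)proto << 8) | range_bits);
}

/* Entries are searched in address order; the lowest matching address wins. */
static const struct cam_entry cam[] = {
    { 0x0602, 0xFF02 },   /* addr 0: TCP (6) and inside range 1 */
    { 0x0001, 0x0001 },   /* addr 1: any protocol, inside range 0 */
    { 0x0000, 0x0000 },   /* addr 2: catch-all */
};
static const enum action actions[] = { ACT_PERMIT, ACT_LOG, ACT_DENY };

/* Returns the address of the first matching entry, or -1 if none matches. */
int cam_lookup(uint16_t key)
{
    for (size_t a = 0; a < sizeof cam / sizeof cam[0]; a++)
        if ((key & cam[a].mask) == (cam[a].value & cam[a].mask))
            return (int)a;
    return -1;
}

/* Action control: the CAM address indexes the action memory; fail closed on a miss. */
enum action classify(uint8_t proto, uint16_t dport)
{
    int addr = cam_lookup(assemble_key(proto, dport));
    return addr < 0 ? ACT_DENY : actions[addr];
}
```

Because the range comparison happens once in the key assembler, each rule costs a single CAM entry regardless of how wide its port range is, and the boundary values of each range (here 1023 versus 1024) are worth testing whenever range registers are reprogrammed.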
27 Claims
6. A device, comprising:
a content-addressable memory (CAM) comprising a plurality of access control entries, each access control entry being associated with an index and storing a value representing a numerical range;
circuitry coupled to the CAM, the circuitry configured to:
determine that an input value is within a first numerical range, the input value being related to a network packet received by the device;
generate a compare key including a first field corresponding to the first numerical range and a second field corresponding to a second numerical range, a first value stored in the first field indicating that the input value is within the first numerical range and a second value stored in the second field indicating that the input value is not within the second numerical range;
provide, to the CAM, the compare key for locating a first access control entry within the CAM that stores a value representing the first numerical range corresponding to the first field of the compare key;
receive, from the CAM, the index associated with the first access control entry; and
select, based on the index associated with the first access control entry, an action to be performed on the network packet.
20. A method, comprising:
receiving, at a device, a network packet; and
determining, by the device, to perform an access control action on the network packet, the determining to perform the access control action including:
determining that a value corresponding to a portion of the network packet is within a first range of values;
generating a compare key for the network packet, the compare key including an array including a first element indicating that the value is within the first range of values and a second element indicating that the value is not within a second range of values, the compare key and having a pre-determined size;
locating, within a portion of content-addressable memory (CAM) of the device, an access control entry corresponding to the compare key, a size of the portion of the CAM being based on the size of the compare key;
receiving, from the CAM, an index corresponding to the access control entry; and
selecting, based on the index, the access control action.
Specification