Storing and searching a hierarchy of policies and associations thereof of particular use with IP security policies and security associations
Abstract
Mechanisms for storing and searching a hierarchy of policies and associations thereof are disclosed which may be particularly useful for implementing security protocols, such as, but not limited to, Internet Protocol security (IPsec). For example, a hierarchy of policies is stored in search priority order in an associative memory, with each association of a particular policy stored higher in the search priority than its policy but after any policy above it in the hierarchy. A lookup operation on the associative memory therefore identifies a matching association if one exists, and otherwise the matching policy. A match on a policy rather than on an association may result in a corresponding association being added at the appropriate location, that is, immediately ahead of that policy. For IPsec implementations, the lookup word is typically derived from the packet's header fields, and the packet is then processed based on the identified policy or association.
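The abstract describes an ordering discipline for a ternary associative memory (TCAM) rather than any particular code. The Python below is an added illustration written for this page, not the patent's own implementation: it simulates a priority-ordered TCAM with value/mask entries, programs a policy hierarchy in priority order, inserts each security association (SA) directly ahead of its own policy (so after every higher policy), and shows that a packet first hits its policy and, once the SA has been installed, hits the SA instead. The lookup-word layout (src 32 bits, dst 32 bits, protocol 8 bits, destination port 16 bits), the policy names and addresses, and the use of a direct SA insertion as a stand-in for IKE negotiation are all assumptions made for the example.

```python
"""Simulated priority-ordered TCAM holding an IPsec-style hierarchy of
policies and their associations. Illustrative only; names, field layout and
sample traffic are constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Assumed layout of the 88-bit lookup word: src(32) | dst(32) | proto(8) | dport(16)
SRC_SHIFT, DST_SHIFT, PROTO_SHIFT, DPORT_SHIFT = 56, 24, 16, 0


def lookup_word(src: str, dst: str, proto: int, dport: int) -> int:
    """Derive the lookup word from a packet's header fields."""
    return ((int(IPv4Address(src)) << SRC_SHIFT) | (int(IPv4Address(dst)) << DST_SHIFT)
            | (proto << PROTO_SHIFT) | (dport << DPORT_SHIFT))


def ternary_key(src: str, dst: str, proto: Optional[int], dport: Optional[int]) -> Tuple[int, int]:
    """Build a TCAM (value, mask) pair; address prefixes set their own mask bits,
    None for proto/dport means 'don't care' (mask bits cleared)."""
    s, d = IPv4Network(src), IPv4Network(dst)
    value = (int(s.network_address) << SRC_SHIFT) | (int(d.network_address) << DST_SHIFT)
    mask = (int(s.netmask) << SRC_SHIFT) | (int(d.netmask) << DST_SHIFT)
    if proto is not None:
        value |= proto << PROTO_SHIFT
        mask |= 0xFF << PROTO_SHIFT
    if dport is not None:
        value |= dport << DPORT_SHIFT
        mask |= 0xFFFF << DPORT_SHIFT
    return value, mask


@dataclass
class Entry:
    kind: str     # "policy" or "association"
    policy: str   # name of the policy this entry belongs to
    action: str   # "bypass", "discard", "protect" (policy) or "protect-sa" (association)
    value: int
    mask: int

    def matches(self, word: int) -> bool:
        return (word & self.mask) == self.value


class PolicyTcam:
    """Index 0 is the highest-priority entry; lookup returns the first match."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def add_policy(self, name: str, action: str, src: str, dst: str,
                   proto: Optional[int] = None, dport: Optional[int] = None) -> None:
        # Policies are appended in hierarchy order, so hierarchy == priority order.
        v, m = ternary_key(src, dst, proto, dport)
        self.entries.append(Entry("policy", name, action, v, m))

    def add_association(self, policy_name: str, src: str, dst: str, proto: int, dport: int) -> None:
        # Place the SA immediately ahead of its own policy: after every higher
        # policy (and after that policy's earlier SAs), before the policy itself.
        idx = next((i for i, e in enumerate(self.entries)
                    if e.kind == "policy" and e.policy == policy_name), None)
        if idx is None:
            raise KeyError(f"unknown policy {policy_name}")
        v, m = ternary_key(f"{src}/32", f"{dst}/32", proto, dport)
        self.entries.insert(idx, Entry("association", policy_name, "protect-sa", v, m))

    def lookup(self, word: int) -> Optional[Entry]:
        for e in self.entries:
            if e.matches(word):
                return e
        return None


def process_packet(tcam: PolicyTcam, src: str, dst: str, proto: int, dport: int) -> Tuple[str, Optional[str]]:
    """Return (kind of entry hit, policy name). A hit on a 'protect' policy means no SA
    exists yet, so one is installed (stand-in for the IKE negotiation a real stack would run)."""
    hit = tcam.lookup(lookup_word(src, dst, proto, dport))
    if hit is None:
        return ("no-match", None)
    if hit.kind == "policy" and hit.action == "protect":
        tcam.add_association(hit.policy, src, dst, proto, dport)
    return (hit.kind, hit.policy)


def run_demo() -> Tuple[List[Tuple[str, Optional[str]]], List[str]]:
    """Constructed hierarchy and traffic; returns per-packet results and the final entry order."""
    t = PolicyTcam()
    t.add_policy("ike-bypass", "bypass", "0.0.0.0/0", "0.0.0.0/0", proto=17, dport=500)
    t.add_policy("no-telnet", "discard", "10.0.0.0/8", "0.0.0.0/0", proto=6, dport=23)
    t.add_policy("vpn-protect", "protect", "10.0.0.0/8", "192.168.0.0/16")
    t.add_policy("default-discard", "discard", "0.0.0.0/0", "0.0.0.0/0")
    results = [
        process_packet(t, "10.1.2.3", "192.168.5.6", 6, 443),   # policy hit -> SA installed
        process_packet(t, "10.1.2.3", "192.168.5.6", 6, 443),   # same flow now hits the SA
        process_packet(t, "10.1.2.3", "192.168.5.6", 6, 23),    # higher policy still wins
        process_packet(t, "10.1.2.3", "192.168.5.6", 17, 500),  # IKE bypass at the top
        process_packet(t, "172.16.0.1", "8.8.8.8", 6, 80),      # falls through to default
    ]
    return results, [e.kind for e in t.entries]


if __name__ == "__main__":
    for r in run_demo()[0]:
        print(r)
```

The ordering invariant is what makes the single lookup safe: because the SA is inserted below the "no-telnet" and "ike-bypass" entries, a more specific higher policy can never be shadowed by an association negotiated under a broader lower one, and because it sits above "vpn-protect", the second packet of the flow finds the SA without a second lookup.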
17 Claims
1. A method for processing packets based on a hierarchy of policies, the method comprising:
performing a lookup operation on a plurality of associative memory entries of an associative memory based on a lookup word derived from a packet in order to identify a lookup result, the associative memory entries corresponding to a plurality of policies of the hierarchy of policies and a plurality of associations corresponding to said policies, wherein the associative memory is configured to identify the highest-priority, in a predetermined priority ordering, associative memory entry of the associative memory entries matching the lookup word, with said policies programmed into said associative memory entries such that said hierarchy of the policies matches said predetermined priority ordering of the associative memory entries, with each associative memory entry corresponding to a particular association of the plurality of associations being programmed into said associative memory entries prior to, in said predetermined priority ordering, the associative memory entry corresponding to the particular association's policy of said policies and after any associative memory entry corresponding to another of said policies higher in said hierarchy of policies; and
processing the packet based on the lookup result.
(Dependent claims 2 through 8 depend from claim 1 and are not reproduced on this page.)
9. An apparatus for processing packets based on a hierarchy of policies, the apparatus comprising:
a plurality of associative memory entries of an associative memory, the associative memory entries being programmed to correspond to a plurality of policies of the hierarchy of policies and a plurality of associations corresponding to said policies, wherein the associative memory is configured to identify the highest-priority, in a predetermined priority ordering, associative memory entry of the associative memory entries matching a lookup word, with said policies programmed into said associative memory entries such that said hierarchy of the policies matches said predetermined priority ordering of the associative memory entries, with each associative memory entry corresponding to a particular association of the plurality of associations being programmed into said associative memory entries prior to, in said predetermined priority ordering, the associative memory entry corresponding to the particular association's policy of said policies and after any associative memory entry corresponding to another of said policies higher in said hierarchy of policies; and
a packet processing mechanism for initiating a lookup operation on the plurality of associative memory entries based on the lookup word derived from a packet in order to identify a lookup result, and to process the packet based on the lookup result.
(Dependent claims 10 through 17 depend from claim 9 and are not reproduced on this page.)