Network interface and firewall device
Abstract
A network processing device provides a novel architecture for conducting firewall and other network interface management operations. In another aspect of the invention, a Unified Policy Management (UPM) architecture uses a same memory and processing structure to integrate firewall policy management with routing and switching decisions. In another embodiment, a Reconfigurable Semantic Processor (RSP) uses a parser to identify different syntactic elements that are then used by one or more Semantic Processing Units (SPUs) to carry out different firewall, network interface, routing, switching, and other packet processing operations.
Claims (44 claims; 234 citations)

1. A network processing device, comprising:
    a processor associating packets with different levels of trusted communication and managing the packets that are part of a Denial of Service (DoS) attack according to the associated levels of trusted communication.
    (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13)

11. A method for tracking rate limits for packets, comprising:
    receiving packets having different associated packet addresses;
    using different counters to track a number of packets received for the different associated packet addresses;
    assigning timestamps for the different packet addresses; and
    resetting the different counters only upon receiving a packet corresponding with a packet address that has an expired timestamp value.

14. A method for monitoring and filtering Denial of Service (DoS) attacks, comprising:
    identifying a packet associated with a possible DoS attack;
    tracking the status of the packet as a DoS entry in a memory;
    allowing a new packet to pass when there is no previous DoS entry in the memory; and
    adding a new DoS entry into the memory for the new packet after the new packet has already been allowed to pass.
    (Dependent claims: 15, 16, 17, 18, 19)

20. A firewall, comprising:
    a processor identifying Denial of Service (DoS) candidate packets that are associated with a possible Denial of Service (DoS) attack;
    a Content Addressable Memory (CAM) containing DoS entries that index the DoS candidate packets according to an associated destination address; and
    a status memory indexed by the CAM and containing DoS status for the different DoS entries.
    (Dependent claims: 21, 22, 23, 24)

25. A network processing device, comprising:
    a processor configured to use a same memory subsystem as a Forwarding Information Base (FIB) and for firewall policy management.
    (Dependent claims: 26, 27, 28, 29, 30, 31, 32, 33, 34)

35. A semantic processor, comprising:
    a parser that parses packets to identify syntactic elements associated with network interface operations, the parser then launching microinstructions according to the identified syntactic elements; and
    one or more Semantic Processing Units (SPUs) that conduct the network interface operations by executing the microinstructions launched by the direct execution parser.
    (Dependent claims: 37, 38, 39, 40, 41, 42, 43, 44)
36. The semantic processor according to claim 35, including:
    an input port configured to receive data symbols;
    a direct execution parser stack storing stack symbols, the parser processing stack symbols in response to the received data symbols;
    a parser table populated with production rule codes indexable by the combination of at least one received data symbol and a symbol supplied by the parser;
    a production rule table populated with production rules indexable by production rule codes; and
    a semantic code table accessible by the SPUs and populated with machine instructions indexed by the production rule codes.
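As an added illustration (not code from the patent or its assignee), the following software model combines the per-address counter and timestamp scheme of claim 11 with the DoS-entry memory of claim 14: counters are reset only when a packet arrives for an address whose timestamp has expired, and the first over-threshold packet passes before its DoS entry is recorded. The window length, the threshold, the sample trace and the clearing of a DoS entry when its counter resets are assumptions of this example, not terms of the claims.

```python
from dataclasses import dataclass, field


@dataclass
class RateState:
    """Per-address counter and timestamp (claim 11)."""
    count: int
    stamp: float  # time of the packet that last (re)started the count


@dataclass
class DosFilter:
    window: float     # assumed: seconds after which an address timestamp is "expired"
    threshold: int    # assumed: packets per window before an address is a DoS candidate
    states: dict = field(default_factory=dict)      # address -> RateState
    dos_entries: set = field(default_factory=set)   # claim 14's DoS memory, keyed by address

    def receive(self, addr: str, now: float) -> bool:
        """Process one packet; return True if it is allowed to pass."""
        st = self.states.get(addr)
        if st is None:
            self.states[addr] = RateState(1, now)
            return True
        if now - st.stamp >= self.window:
            # Claim 11: the counter is reset only when a packet for an address
            # with an expired timestamp arrives; there is no background sweep.
            st.count, st.stamp = 1, now
            self.dos_entries.discard(addr)  # assumption: entry ages out with the counter
            return True
        st.count += 1
        if st.count <= self.threshold:
            return True
        # Over threshold: this packet is a DoS candidate (claim 14).
        if addr in self.dos_entries:
            return False              # a previous DoS entry exists, so filter it
        allowed = True                # no previous entry: the packet passes ...
        self.dos_entries.add(addr)    # ... and the entry is added afterwards
        return allowed


def run_trace(trace, window=1.0, threshold=3):
    """Feed a list of (address, time) packets through a fresh filter."""
    f = DosFilter(window, threshold)
    return [f.receive(addr, t) for addr, t in trace]


# Constructed sample trace: one host bursts past the threshold, another stays quiet.
SAMPLE = [("10.0.0.1", 0.0), ("10.0.0.1", 0.1), ("10.0.0.1", 0.2), ("10.0.0.2", 0.25),
          ("10.0.0.1", 0.3), ("10.0.0.1", 0.4), ("10.0.0.1", 1.5)]
```

Running `run_trace(SAMPLE)` shows the fourth packet from 10.0.0.1 passing while its entry is created, the fifth being dropped, and the packet at 1.5 s passing again because its expired timestamp triggers the reset.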