Method, Program and System for Efficiently Hashing Packet Keys into a Firewall Connection Table
Abstract
A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.
35 Claims

1-15. (canceled)

16. A method to map packets comprising:
providing a search facility to which the packets are to be mapped;
for each packet received, comparing with a comparator a first field value with a second field value corresponding with the first field value, wherein the first field value and the second field value are selected from a set of field values of said each packet, wherein the set of field values includes a concatenated arrival type;
determining whether the comparison provides a first predetermined result;
responsive to a determination of the first predetermined result, generating a first hashed value based upon the selected set of field values in the received packet absent the concatenated arrival type; and
accessing a location in said search facility using the first hashed value and concatenated arrival type.
Dependent claims 17-23 depend from claim 16 (text not reproduced here).

24. A system including:
a bus;
a random access memory connected to the bus;
a read only memory connected to the bus;
a central processing unit connected to the bus;
an input/output adapter connected to the bus, wherein a device for detecting packets on a network is connected to the input/output adapter;
a firewall accelerator in the device, in which a look-up facility, to store common information related to selected ones of a predefined set of traffic types and specific information relating to at least one of the selected ones of the predefined set of traffic types, is being provided; and
a controller in the device, parsing received packets to determine whether a first predetermined relation between predetermined field values in the received packets exists, wherein the predetermined field values include a concatenated arrival type and wherein selected field values from said packet are hashed absent the concatenated arrival type and a hashed value is used with the concatenated arrival type as an index into said look-up facility.
Dependent claims 25-30 depend from claim 24 (text not reproduced here).

31. A program product comprising:
a memory in which is stored computer executable instructions, said computer executable instructions comprising:
computer executable instructions for examining traffic arriving at ports of a firewall accelerator;
computer executable instructions for selecting a first field value and a second field value from a set of field values in a packet in said traffic, wherein the set of field values includes a concatenated arrival type;
computer executable instructions for comparing the first field value with the second field value and determining whether the first field value is greater than the second field value, wherein the first field value represents a source address and the second field value represents a destination address;
computer executable instructions, responsive to a determination that the first field value is greater than the second field value, for generating a hashed value from the set of field values selected from the packet; and
computer executable instructions for using the hashed value and concatenated arrival type to access a location in a look-up facility.
Dependent claims 32-35 depend from claim 31 (text not reproduced here).

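The mechanism the abstract and claims 16 and 31 describe, as an added example that is not the patent's own code: compare source and destination addresses, hash the remaining key fields in a canonical order with the arrival type left out, and use the hash together with the arrival type to reach the per-arrival-type information held in a single session entry. Everything the page does not state is an assumption and is marked as such in the code: the swap rule for the "source address not greater than destination address" case (the independent claims shown only cover the greater-than branch), the port tie-break for equal addresses, the four arrival-type labels (the abstract counts four but does not name them), BLAKE2b as the hash, the 2**16-bucket table size, and the chained-bucket layout. The sample packets are constructed.

```python
"""Direction-independent session hashing for a firewall connection table.

Added example; not the patent's own code. Illustrates the abstract and
claims 16/31: compare source and destination addresses, hash the canonical
key without the arrival type, and then use hash + arrival type to select the
per-arrival-type data in one session entry. Items marked "assumed" are not
stated on the page.
"""
import hashlib
import ipaddress
import struct

TABLE_BITS = 16  # assumed: a 2**16-bucket table

# The abstract counts four arrival types but does not name them; these
# labels are assumed for illustration only.
ARRIVAL_TYPES = ("lan_in", "wan_in", "lan_out", "wan_out")


def canonical_tuple(src_ip, src_port, dst_ip, dst_port, proto):
    """Order the 5-tuple so both directions of one session yield one key.

    Claim 31 hashes the fields as selected when source address > destination
    address. The other case is not in the independent claims shown, so this
    example assumes the complement: swap the address/port pairs. Equal
    addresses fall back to a port comparison (also assumed).
    """
    a = int(ipaddress.ip_address(src_ip))
    b = int(ipaddress.ip_address(dst_ip))
    if a > b or (a == b and src_port >= dst_port):
        return (a, src_port, b, dst_port, proto)
    return (b, dst_port, a, src_port, proto)


def hash_key(key):
    """Hash the canonical tuple into a bucket index; arrival type is excluded."""
    hi_ip, hi_port, lo_ip, lo_port, proto = key
    data = (hi_ip.to_bytes(16, "big") + lo_ip.to_bytes(16, "big")
            + struct.pack(">HHB", hi_port, lo_port, proto))
    digest = hashlib.blake2b(data, digest_size=8).digest()  # assumed hash
    return int.from_bytes(digest, "big") & ((1 << TABLE_BITS) - 1)


class ConnectionTable:
    """Buckets indexed by hash_key(); each bucket chains entries that keep the
    full canonical key (so colliding sessions are told apart), the data common
    to the session, and the specifics per arrival type (assumed layout)."""

    def __init__(self):
        self.buckets = {}

    def insert(self, key, common, specific):
        for arrival in specific:
            if arrival not in ARRIVAL_TYPES:
                raise ValueError(f"unknown arrival type {arrival!r}")
        self.buckets.setdefault(hash_key(key), []).append(
            {"key": key, "common": common, "specific": dict(specific)})

    def lookup(self, src_ip, src_port, dst_ip, dst_port, proto, arrival):
        """Locate the session by hash, confirm the full key, then use the
        arrival type to pick the slot: hash plus arrival type selects the data."""
        key = canonical_tuple(src_ip, src_port, dst_ip, dst_port, proto)
        for entry in self.buckets.get(hash_key(key), []):
            if entry["key"] == key:
                return entry["common"], entry["specific"].get(arrival)
        return None


def demo():
    """Constructed traffic: a LAN client talks to a web server and the reply
    arrives from the WAN side. Both directions reach the same entry."""
    table = ConnectionTable()
    fwd = ("10.0.0.5", 40000, "203.0.113.7", 443, 6)
    rev = ("203.0.113.7", 443, "10.0.0.5", 40000, 6)
    table.insert(canonical_tuple(*fwd),
                 common={"action": "allow", "policy_id": 12},
                 specific={"lan_in": {"snat_to": "198.51.100.1"},
                           "wan_in": {"dnat_to": "10.0.0.5"}})
    return (table.lookup(*fwd, arrival="lan_in"),
            table.lookup(*rev, arrival="wan_in"),
            table.lookup("10.0.0.9", 5555, "203.0.113.7", 443, 6,
                         arrival="lan_in"))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The full-key comparison inside the bucket is the check a practitioner should not drop: two different sessions that collide on the hash must never share one entry's security actions, and only the stored canonical key tells them apart. In an accelerator the comparator and hash would be hardware, but the invariant is the same.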
Specification