SECURITY DEVICE IMPLEMENTING NETWORK FLOW PREDICTION
Abstract
A security device for processing network flows is described, including: one or more packet processors configured to receive incoming data packets associated with network flows where a packet processor is assigned as an owner of network flows and each packet processor processes data packets associated with flows for which it is the assigned owner; and a packet processing manager configured to assign ownership of network flows to the packet processors where the packet processing manager includes a global flow table containing global flow table entries mapping network flows to packet processor ownership assignments and a predict flow table containing predict flow entries mapping predicted network flows to packet processor ownership assignments. A predict flow entry includes a predict key and associated packet processor ownership assignment. The predict key includes multiple data fields identifying a predicted network flow where one or more of the data fields have a wildcard value.
16 Claims
1. A security device for processing a plurality of network flows, comprising:
one or more packet processors configured to receive incoming data packets associated with one or more network flows, at least one of the packet processors being assigned as an owner of one or more network flows, and each packet processor processing data packets associated with flows for which it is the assigned owner; and
a packet processing manager configured to assign ownership of network flows to the one or more packet processors, the packet processing manager comprising a global flow table containing global flow table entries mapping network flows to packet processor ownership assignments and a predict flow table containing predict flow entries mapping predicted network flows to packet processor ownership assignments, wherein each predict flow entry comprising a predict key and associated packet processor ownership assignment, the predict key comprising a plurality of data fields identifying a predicted network flow where the value of one or more of the data fields is unknown.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A method for processing a plurality of network flows in a security device comprising a plurality of packet processing cards communicating through a switching fabric, each packet processing card including one or more packet processors, the method comprising:
receiving a first data packet at a packet processing card;
sending a message to a packet processing manager to add a predict flow entry;
adding the predict flow entry in a predict flow table using a predict key having a plurality of data fields identifying a predicted network flow where the value of one or more of the data fields is unknown, the predict key being associated with a packet processor ownership assignment of the first data packet;
receiving a second data packet at a packet processing card;
forwarding the second data packet to the packet processing manager;
looking up a network flow for the second data packet in the predict flow table;
when the network flow for the second data packet is found in the predict flow table, adding an entry in a global flow table of the packet processing manager, the global flow table is containing entries mapping network flows to packet processor ownership assignments, the entry identifying the owner packet processor of the first data packet as the owner packet processor of the second data packet;
sending a message from the packet processing manager to the owner packet processor informing the assigned packet processor of the ownership assignment of the second data packet;
receiving a message at the packet processing manager from the owner packet processor indicating acceptance of the ownership assignment;
storing a binding entry in the global flow table mapping the network flow to the owner packet processor; and
processing the second data packet at the owner packet processor.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
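The predict-flow lookup and ownership hand-off recited in claim 9, modelled in Python as an added example; it is not code from the patent. The 5-tuple key layout, the single use of a predict entry, the rejection of an all-wildcard key, and the `pending`/`bound` state names are assumptions, and the addresses are constructed sample values.

```python
from dataclasses import dataclass, astuple

@dataclass(frozen=True)
class FlowKey:                      # assumed 5-tuple layout; the claims only say "data fields"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

class PacketProcessingManager:
    def __init__(self):
        self.global_flows = {}      # FlowKey -> {"owner": ..., "state": "pending" | "bound"}
        self.predict_flows = []     # [(predict key tuple, owner)]; None = unknown field

    def add_predict(self, owner, src_ip=None, src_port=None,
                    dst_ip=None, dst_port=None, proto=None):
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if all(v is None for v in key):
            # Added check (assumption): an all-wildcard key would match every flow.
            raise ValueError("predict key must fix at least one field")
        self.predict_flows.append((key, owner))

    def lookup(self, flow):
        """Return the owner for a packet's flow, or None if neither table knows it."""
        if flow in self.global_flows:
            return self.global_flows[flow]["owner"]
        for i, (key, owner) in enumerate(self.predict_flows):
            if all(k is None or k == f for k, f in zip(key, astuple(flow))):
                del self.predict_flows[i]   # assumption: a predict entry is used once
                self.global_flows[flow] = {"owner": owner, "state": "pending"}
                return owner
        return None

    def accept(self, flow, owner):
        """Owner's acceptance message: store the binding only if it matches the assignment."""
        entry = self.global_flows.get(flow)
        if entry is None or entry["owner"] != owner:
            return False
        entry["state"] = "bound"
        return True

def demo():
    ppm = PacketProcessingManager()
    # Constructed sample: the first packet's owner "pp2" predicts a flow with unknown source port.
    ppm.add_predict("pp2", src_ip="192.0.2.10", dst_ip="198.51.100.7", dst_port=50000, proto="tcp")
    second = FlowKey("192.0.2.10", 41000, "198.51.100.7", 50000, "tcp")
    other = FlowKey("203.0.113.5", 41000, "198.51.100.7", 50000, "tcp")
    return (ppm.lookup(other), ppm.lookup(second), ppm.accept(second, "pp2"),
            ppm.global_flows[second]["state"], len(ppm.predict_flows))
```

The flow from the unrelated source address matches no predict key and gets no owner, which shows why the number of wildcard fields in a predict key bounds how many unintended flows can inherit an ownership assignment.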
Specification