Edge adapter architecture apparatus and method

US 7,114,008 B2
Filed: 05/15/2001
Issued: 09/26/2006
Est. Priority Date: 06/23/2000
Status: Expired due to Term

First Claim

Patent Images

1. An architecture for intercepting and processing packets transmitted from a source to a destination over a network, the architecture comprising:

a packet interceptor coupled with said network and operative to selectively intercept said packets prior to receipt by said destination based on a first criteria;

at least one primary processor coupled with said packet interceptor and operative to perform stateless processing tasks on said intercepted packets, said stateless processing tasks comprising tasks which are not directly dependent on a previously intercepted packet, said at least one primary processor including;

at least two stateless packet processors coupled in parallel, said processing of said intercepted packets being distributed among said at least two stateless packet processors;

at least one secondary processor coupled with said at least one primary processor and operative to perform stateful processing tasks on said statelessly processed intercepted packets, said stateful processing tasks comprising tasks which are based at least on a previously intercepted packet, said at least one secondary processor including;

at least two stateful packet processors coupled in series with each other, each of said at least two stateful packet processors operative to perform a portion of said stateful processing tasks on said statelessly processed intercepted packets, a last one in said series of said at least two stateful packet processors being coupled with said network and operative to selectively release said statefully processed and statelessly processed intercepted packet back to said network.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An architecture for intercepting and processing packets from a network is disclosed. The architecture provides both stateful and stateless processing of packets in the bi-directional network flow. Further, stateless processing is provided by a parallel arrangement of network processors while stateful processing is provided by a serial arrangement of network processors. The architecture permits leveraging existing bi-directional devices to process packets in a uni-directional flow, thereby increasing the throughput of the device. The ability to share state among the stateless processor, among the stateful processors of each packet flow direction and between the stateless and stateful processors provides for dynamic adaptability and analysis of both historical and bi-directional packet activity.

214 Citations

40 Claims

1. An architecture for intercepting and processing packets transmitted from a source to a destination over a network, the architecture comprising:
- a packet interceptor coupled with said network and operative to selectively intercept said packets prior to receipt by said destination based on a first criteria;
  
  at least one primary processor coupled with said packet interceptor and operative to perform stateless processing tasks on said intercepted packets, said stateless processing tasks comprising tasks which are not directly dependent on a previously intercepted packet, said at least one primary processor including;
  
  at least two stateless packet processors coupled in parallel, said processing of said intercepted packets being distributed among said at least two stateless packet processors;
  
  at least one secondary processor coupled with said at least one primary processor and operative to perform stateful processing tasks on said statelessly processed intercepted packets, said stateful processing tasks comprising tasks which are based at least on a previously intercepted packet, said at least one secondary processor including;
  
  at least two stateful packet processors coupled in series with each other, each of said at least two stateful packet processors operative to perform a portion of said stateful processing tasks on said statelessly processed intercepted packets, a last one in said series of said at least two stateful packet processors being coupled with said network and operative to selectively release said statefully processed and statelessly processed intercepted packet back to said network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 38)
- - 2. The architecture of claim 1, wherein said network further comprises a bi-directional network having an upstream flow and a downstream flow, said architecture further comprising at least two of said at least one primary processor and at least two of said at least one secondary processor, a first of said at least two primary and secondary processors being coupled with said upstream flow and a second of said at least two primary and secondary processors being coupled with said downstream flow.
  - 3. The architecture of claim 2, wherein said at least two secondary processors are capable of sharing state information between each other.
  - 4. The architecture of claim 1, wherein said at least two primary packet processors are coupled together and operative to share data.
  - 5. The architecture of claim 4, wherein said at least two primary packet processors are coupled together with at least one co-processor.
  - 6. The architecture or claim 5, wherein said co-processor comprises a classification co-processor.
  - 7. The architecture of claim 5, wherein said co-processor comprises a content addressable memory.
  - 8. The architecture of claim 1, wherein said at least two secondary packet processors are coupled with said at least two primary packet processors and operative to share state information.
  - 9. The architecture of claim 1, wherein said at least two secondary packet processors and said at least two primary packet processors comprise network processors.
  - 10. The architecture of claim 9, wherein said network processor is capable of bi-directional operation and characterized by a bi-directional throughput, said architecture comprising utilizing said network processor uni-directionally wherein said bi-directional throughput is devoted to uni-directional processing.
  - 11. The architecture of claim 1, wherein said stateless processing tasks comprise filtering said intercepted packets based on a second criteria.
  - 12. The architecture of claim 1, wherein one portion of said stateful processing tasks comprises inspection and analysis of said intercepted packets and another portion of said stateful processing tasks comprises performing an action on said intercepted packets.
  - 13. The architecture of claim 12, wherein said action comprises at least one of modifying, deleting, storing information about and releasing said intercepted packets.
  - 14. The architecture of claim 1, wherein said packet interceptor is capable of interfacing with an optical network.
  - 15. The architecture of claim 14, wherein said optical network is characterized by compliance with an OC-48 standard.
  - 16. The architecture of claim 1, wherein said packet interceptor is capable of operating substantially at wire speed.
  - 17. The architecture of claim 1, wherein said stateless and stateful processing tasks are capable of processing any portion of said intercepted packets.
  - 18. The architecture of claim 1, wherein said packet interceptor is coupled with said network via a router.
  - 19. The architecture of claim 18, further comprising a router blade including said packet interceptor, said at least one primary processor and said at least one secondary processor.
  - 38. The architecture of claim 2, wherein said previously intercepted packet was intercepted from one of said upstream or downstream flow.

20. A method of intercepting and processing packets transmitted from a source to a destination over a network, said method comprising:
- (a) intercepting, selectively, said packets prior to receipt by said destination based on a first criteria;
  
  (b) distributing said intercepted packets to at least two primary packet processors each operative to perform a stateless processing task on said intercepted packets, said stateless processing task comprising a task which is not directly dependent on a previously intercepted packet;
  
  (c) performing said stateless processing task on said distributed said intercepted packets in parallel by said at least two stateless packet processors;
  
  (d) receiving said statelessly processed intercepted packets from said at least two primary packet processors by a first secondary packet processor operative to perform a first portion of a stateful packet processing task on said statelessly processed intercepted packets;
  
  (e) receiving said partially statefully processed and statelessly processed intercepted packets from said first secondary packet processor by a second secondary packet processor operative to perform a second portion of the stateful processing task on said partially statefully processed and statelessly processed intercepted packets, said stateful processing task comprising a task which is based at least on a previously intercepted packet; and
  
  (f) releasing, selectively, said statefully processed and statelessly processed intercepted packets upon completion of said stateful processing task.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 39)
- - 21. The method of claim 20, wherein said network further comprises a bi-directional network having an upstream flow and a downstream flow, said method further comprising performing (a)–
    - (f) on each of said upstream and downstream flows independently.
  - 22. The method of claim 21, further comprising:
    - (g) sharing state information between said secondary packet processors of said upstream flow and said secondary packet processors of said downstream flow.
  - 23. The method of claim 20, wherein said at least two primary packet processors are coupled together, said method further comprising sharing data between said coupled at least two primary packet processors.
  - 24. The method of claim 23, wherein said at least two primary packet processors are coupled together with at least one co-processor, said method further comprising executing a portion of said stateless processing task by said co-processor.
  - 25. The method or claim 24, wherein said executing further comprises executing a portion of said stateless processing task by said co-processor comprising a classification co-processor.
  - 26. The method of claim 24, wherein said executing further comprises executing a portion of said stateless processing task by said co-processor comprising a content addressable memory.
  - 27. The method of claim 20, wherein said at least two secondary packet processors are coupled with said at least two primary packet processors, said method further comprising sharing state information between said at least two primary packet processors and said at least two secondary packet processors.
  - 28. The method of claim 20, wherein said at least two secondary packet processors and said at least two primary packet processors comprise network processors.
  - 29. The method of claim 28, wherein said network processor is capable of bi-directional operation and characterized by a bi-directional throughput, said method comprising utilizing said network processor uni-directionally wherein said bi-directional throughput is devoted to uni-directional processing.
  - 30. The method of claim 20, wherein said stateless processing task comprises filtering said intercepted packets based on a second criteria.
  - 31. The method of claim 20, wherein said first portion of said stateful processing task comprises inspection and analysis of said statefully processed intercepted packets and said second portion of said stateful processing task comprises performing an action on said partially statefully processed and statelessly processed intercepted packets.
  - 32. The method of claim 31, wherein said action comprises at least one of modifying, deleting, storing information about and releasing said statefully processed and statelessly processed intercepted packets.
  - 33. The method of claim 20, where (a) further comprises intercepting said packets from an optical network.
  - 34. The method of claim 33, wherein said optical network is characterized by compliance with an OC-48 standard.
  - 35. The method of claim 20, said method further comprising performing (a)–
    - (f) substantially at wire speed.
  - 36. The method of claim 20, wherein said stateless and stateful processing task are capable of processing any portion of said intercepted packets.
  - 39. The method of claim 21, wherein said previously intercepted packet was intercepted from one of said upstream or downstream flow.

37. An apparatus for intercepting and processing packets transmitted from a source to a destination over a network, the apparatus comprising:
- means for selectively intercepting said packets prior to receipt by said destination based on a first criteria;
  
  means for performing stateless processing tasks on said intercepted packets, said stateless processing tasks comprising tasks which are not directly dependent on a previously intercepted packet, said means for performing stateless processing tasks including;
  
  parallel processing means for distributing and processing said intercepted packets in parallel coupled with said stateless processing means;
  
  means for performing stateful processing tasks on said statelessly processed intercepted packets, said stateful processing tasks comprising tasks which are based at least on a previously intercepted packet, said means for performing stateful processing tasks including;
  
  serial processing means operative to distribute said stateful processing tasks on said statelessly processed intercepted packets and selectively release said statefully processed and statelessly processed intercepted packet back to said network.
- View Dependent Claims (40)
- - 40. The apparatus of claim 37, wherein said network further comprises a bi-directional network having an upstream flow and a downstream flow, said architecture further comprising at least two of said means for performing stateless processing tasks and at least two of said means for performing stateful processing tasks, a first of said at least two means for performing stateless processing tasks and means for performing stateful processing tasks being coupled with said upstream flow and a second of said at least two means for performing stateless processing tasks and means for performing stateful processing tasks being coupled with said downstream flow, and wherein said previously intercepted packet was intercepted from one of said upstream or downstream flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookingglass Cyber Solutions, LLC
Original Assignee
CloudShield Technologies, Inc. (ZeroFox Holdings, Inc.)
Inventors
Jungck, Peder J., Nguyen, Andrew T., Najam, Zahid, Penke, Ramachandra-Rao
Primary Examiner(s)
Winder, Patrice
Assistant Examiner(s)
CHOUDHURY, AZIZUL Q

Application Number

US09/858,323
Publication Number

US 20020065938A1
Time in Patent Office

1,960 Days
Field of Search

None
US Class Current

709/246
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/19   at layers above the network...

H04L 63/0263   Rule management

H04L 69/22   Parsing or analysis of headers

Edge adapter architecture apparatus and method

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

214 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Edge adapter architecture apparatus and method

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

214 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links