Fragment processing utilizing cross-linked tables

US 7,359,983 B1
Filed: 06/24/2003
Issued: 04/15/2008
Est. Priority Date: 06/24/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for processing a fragmented packet with a firewalling device, comprising:

receiving fragments of the packet prior to processing of firewall policies at the firewalling device;

sorting the fragments according to the packet and order of the fragments;

storing the fragments in association with the packet and in order in a connection table (CT) and a Network Address Translation table (NT);

cross linking the NT and CT by storing a hash of at least a portion of the fragments in one of the NT and CT tables;

collecting and assembling all the fragments in order to fully reconstitute the packet prior to applying firewall policies;

storing an Address Research Table (ART) for a first packet of a connection to the firewall device in association with one of the NT and the CT, and the hashing each of the subsequent packets to determine a table entry to forward the packet; and

transferring the packet to the firewalling device to apply the firewall policies to the entire packet at one time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for reassembling a packet from fragments. The fragments of the packet are obtained by a device, such as a firewalling device. The fragments are sorted according to the packet and order of the fragments. The fragments are stored in association with the packet and in order. Once all the fragments to reconstitute the packet have been collected, the fragments are assembled in order to reconstitute the packet.

Citations

23 Claims

1. A method for processing a fragmented packet with a firewalling device, comprising:
- receiving fragments of the packet prior to processing of firewall policies at the firewalling device;
  
  sorting the fragments according to the packet and order of the fragments;
  
  storing the fragments in association with the packet and in order in a connection table (CT) and a Network Address Translation table (NT);
  
  cross linking the NT and CT by storing a hash of at least a portion of the fragments in one of the NT and CT tables;
  
  collecting and assembling all the fragments in order to fully reconstitute the packet prior to applying firewall policies;
  
  storing an Address Research Table (ART) for a first packet of a connection to the firewall device in association with one of the NT and the CT, and the hashing each of the subsequent packets to determine a table entry to forward the packet; and
  
  transferring the packet to the firewalling device to apply the firewall policies to the entire packet at one time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method, according to claim 1, further comprising:
    - obtaining source and destination address information for the fragments; and
      
      determining if the source and destination address information of the fragments matches of the other fragments.
  - 3. The method, according to claim 1, further comprising determining if the fragments have a valid checksum.
  - 4. The method, according to claim 1, wherein the sorting comprises obtaining packet and fragment identifiers.
  - 5. The method, according to claim 4, further comprising determining if any of the fragments needed to reconstitute the packet have not been stored.
  - 6. The method, according to claim 5, further comprising determining if the fragments stored collectively exceed a communication length threshold.
  - 7. The method, according to claim 6, further comprising purging the fragments responsive to the communication length threshold being exceeded.
  - 8. The method, according to claim 7, further comprising starting a timer in association with an initial one of the fragments received by the firewalling device.
  - 9. The method, according to claim 8, further comprising checking whether all the fragments needed to reconstitute the packet have not been received to the firewalling device within a threshold time period.
  - 10. The method, according to claim 1, wherein the storing comprises overwriting one of the fragments with a subsequently received fragment.
  - 11. The method of claim 1, including comparing information from each received packet to the previous received packet before forwarding the packet.
  - 12. The method of claim 1, wherein the hash function is based on the incoming packet 5-triple information.
  - 13. The method of claim 12, wherein the input to the hash function of the NT index uses public address information.

14. A computer readable medium containing instructions that, when executed by a processor, cause the processor to process a fragmented packet with a firewalling device, by performing the steps of:
- receiving fragments of the packet prior to processing of firewall policies at the firewalling device;
  
  sorting the fragments according to the packet and order of the fragments;
  
  storing the fragments in association with the packet and in order in a connection table (CT) and a Network Address Translation table (NT);
  
  cross linking the NT and CT by storing a hash of at least a portion of the fragments in one of the NT and CT tables;
  
  collecting and assembling all the fragments in order to fully reconstitute the packet prior to applying firewall policies;
  
  storing an Address Research Table (ART) for a first packet of a connection to the firewall device in association with one of the NT and the CT, and the hashing each of the subsequent packets to determine a table entry to forward the packet; and
  
  transferring the packet to the firewalling device to apply the firewall policies to the entire packet at one time.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The computer readable medium, according to claim 14, further comprising:
    - obtaining source and destination address information for the fragments; and
      
      determining if the source and destination address information of the fragments matches of the other fragments.
  - 16. The computer readable medium, according to claim 14, further comprising determining if the fragments have a valid checksum.
  - 17. The computer readable medium, according to claim 14, wherein the sorting comprises obtaining packet and fragment identifiers.
  - 18. The computer readable medium, according to claim 14, further comprising determining if any of the fragments needed to reconstitute the packet have not been stored.
  - 19. The computer readable medium, according to claim 18, further comprising determining if the fragments stored collectively exceed a communication length threshold.
  - 20. The computer readable medium, according to claim 19, further comprising purging the fragments responsive to the communication length threshold being exceeded.
  - 21. The computer readable medium, according to claim 20, further comprising starting a timer in association with an initial one of the fragments received by the firewalling device.
  - 22. The computer readable medium, according to claim 21, further comprising checking whether all the fragments needed to reconstitute the packet have not been received to the firewalling device within a threshold time period.
  - 23. The computer readable medium, according to claim 14, wherein the storing comprises overwriting one of the fragments with a subsequently received fragment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NVIDIA Corporation
Original Assignee
NVIDIA Corporation
Inventors
Sidenblad, Paul J., Nanda, Sameer, Maufer, Thomas A., Gyugyi, Paul J.
Primary Examiner(s)
Avellino; Joseph E.

Application Number

US10/606,064
Time in Patent Office

1,757 Days
Field of Search

709217-219, 709/236, 370/394, 370/474, 713/176, 713/179, 726/1, 726 11- 14
US Class Current

709/236
CPC Class Codes

H04L 61/2517   using port numbers

H04L 61/2564   for a higher-layer protocol...

H04L 61/2585   through application level g...

H04L 63/0227   Filtering policies mail mes...

H04L 63/12   Applying verification of th...

H04L 69/16   Implementation or adaptatio...

H04L 69/166   IP fragmentation; TCP segme...

Fragment processing utilizing cross-linked tables

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Fragment processing utilizing cross-linked tables

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links