Compilation of access control lists

US 7,646,771 B2
Filed: 09/28/2005
Issued: 01/12/2010
Est. Priority Date: 08/17/2005
Status: Active Grant

First Claim

Patent Images

1. A method of organizing classification tables for use in a packet classification algorithm in which incoming packets are matched with rules contained in access control data base, said method comprising the steps of:

(A) constructing, by one or more processors of a network device, a set of top-level equivalence tables, each of which contains bit vectors identifying the rules specifying a value or values in a field in the packet headers, each table entry containing a unique bit vector and a equivalence ID specifying the bit vector;

(B) constructing, by the one or more processors, a set of second-level of equivalence tables whose entries are indexed by a pair of equivalence ID'"'"'s in a pair of top-leveled tables, each entry in the second level containing(1) a bit vector resulting from the intersection of the bit vectors in the corresponding top-level equivalence ID'"'"'s, and(2) an equivalence ID specifying the bit vector;

(C) constructing, by the one or more processors, a third-level set of equivalence tables whose entries are indexed by pairs of equivalence ID'"'"'s in pairs of second-level tables, each entry in a third-level table containing(1) a bit vector resulting from the intersection of the bit vectors corresponding to the second-level equivalence ID'"'"'s, and(2) an equivalence ID specifying the bit vector;

(D) constructing, by the one or more processors, each of said third-level tables as a set of fragments, constructing a pointer array derived from the equivalence ID'"'"'s in a second-level table, the contents of the pointer array pointing to the respective third-level table fragments, and the equivalence ID'"'"'s of another of the second-level tables indicating depths of the entries in the table fragments;

(E) recording a time when at least some tables of the set of top-level equivalence tables, second-level of equivalence tables or third-level equivalence tables were last rebuilt in order to classify a new type of packet;

(F) accessing a minimum rebuild interval; and

(C) timing a new rebuilding of the at least some tables to occur only after the minimum rebuild interval has elapsed since the last rebuild.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improvement in the compilation of classification tables from across control lists increases the efficiency of memory utilization by fragments in the lower level tables and using the classification ID'"'"'s from a pair of higher-level tables as pointers to the fragments and as indicators of the depth of the entries in the fragments. A further improvement makes use of aggregate bit vectors, thereby simplifying construction of the lower-level tables. The bit-vector sections preferably coincide with the cache lines of the processing, thereby maximizing the speed with which the relevant bits in the bit vector can be identified from the aggregate bit vectors.

Citations

26 Claims

1. A method of organizing classification tables for use in a packet classification algorithm in which incoming packets are matched with rules contained in access control data base, said method comprising the steps of:
- (A) constructing, by one or more processors of a network device, a set of top-level equivalence tables, each of which contains bit vectors identifying the rules specifying a value or values in a field in the packet headers, each table entry containing a unique bit vector and a equivalence ID specifying the bit vector;
  
  (B) constructing, by the one or more processors, a set of second-level of equivalence tables whose entries are indexed by a pair of equivalence ID'"'"'s in a pair of top-leveled tables, each entry in the second level containing(1) a bit vector resulting from the intersection of the bit vectors in the corresponding top-level equivalence ID'"'"'s, and(2) an equivalence ID specifying the bit vector;
  
  (C) constructing, by the one or more processors, a third-level set of equivalence tables whose entries are indexed by pairs of equivalence ID'"'"'s in pairs of second-level tables, each entry in a third-level table containing(1) a bit vector resulting from the intersection of the bit vectors corresponding to the second-level equivalence ID'"'"'s, and(2) an equivalence ID specifying the bit vector;
  
  (D) constructing, by the one or more processors, each of said third-level tables as a set of fragments, constructing a pointer array derived from the equivalence ID'"'"'s in a second-level table, the contents of the pointer array pointing to the respective third-level table fragments, and the equivalence ID'"'"'s of another of the second-level tables indicating depths of the entries in the table fragments;
  
  (E) recording a time when at least some tables of the set of top-level equivalence tables, second-level of equivalence tables or third-level equivalence tables were last rebuilt in order to classify a new type of packet;
  
  (F) accessing a minimum rebuild interval; and
  
  (C) timing a new rebuilding of the at least some tables to occur only after the minimum rebuild interval has elapsed since the last rebuild.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 to further construct four levels of classification table levels, the fourth level consisting of a single table, the method including the steps of:
    - (A) constructing the fourth level table with entries indexed by pairs of equivalence ID'"'"'s in the third level tables, each entry in a fourth level table containing a bit vector resulting from the intersection of the bit vectors corresponding to the third level equivalence ID'"'"'s;
      
      (B) constructing each of said fourth-level tables as a set of fragments, constructing a pointer array derived from the equivalence ID'"'"'s in a third-level table, the contents of the pointer array pointing to the respective fourth-level table fragments, and the equivalence ID'"'"'s of another of the third-level tables indicating depths of the entries in the table fragments.
  - 3. The method of claim 1 in which, if the minimum rebuild interval has not expired, packet values are passed to a next lower level.
  - 4. The method of claim 1, including the steps of:
    - (A) generating aggregate bit vectors, wherein each bit in an aggregate bit vector corresponds with a section in a bit vector and is a ONE if, and only if, the corresponding section contains a ONE;
      
      (B) performing ANDing of aggregate bit vectors to provide aggregate bit vector intersections;
      
      (C) identifying bit vector sections corresponding to ONEs in the aggregate bit vectors; and
      
      (D) forming intersections of the bit vector sections containing the ONEs.
  - 5. The method of claim 4 in which the length of each bit vector section equals the length of a cache line in a processor of the one or more processors performing steps in the method of claim 4.

6. An apparatus for organizing classification tables for use in a packet classification algorithm in which incoming packets are matched with rules contained in an access control database, said apparatus comprising:
- (A) means for constructing a set of top level equivalence tables, each of which contains bit vectors identifying the rules specifying a value or values in a field in the packet headers, each table entry containing a unique bit vector and an equivalence ID specifying the bit vector;
  
  (B) means for constructing a set of second-level of equivalence tables whose entries are indexed by a pair of equivalence ID'"'"'s in a pair of top-leveled tables, each entry in the second level containing(1) a resultant bit vector resulting from the intersection of the bit vectors in the corresponding top-level equivalence ID'"'"'s, and(2) an equivalence ID specifying the resultant bit vector;
  
  (C) means for constructing a third-level set of equivalence tables whose entries are indexed by pairs of equivalence ID'"'"'s in pairs of second-level tables, each entry in a third-level table containing(1) a next resultant bit vector resulting in from the intersection of the bit vectors corresponding to the second-level equivalence ID'"'"'s, and(2) an equivalence ID specifying the next resultant bit vector; and
  
  (D) means for;
  
  (1) constructing each of said third-level tables as a set of fragments,(2) constructing a pointer array derived from the equivalence ID'"'"'s in a second-level table, the contents of the pointer array pointing to the respective third-level table fragments, and the equivalence ID'"'"'s of another of the second-level tables indicating depths of the entries in the table fragments.
- View Dependent Claims (7, 8)
- - 7. The apparatus of claim 6, including means for:
    - (A) recording the time when equivalence tables were last rebuilt;
      
      (B) recording a minimum rebuild interval; and
      
      (C) rebuilding tables to the extent necessary to classify packets when no previously classified packets have the same classifications if, and only if, the minimum rebuild interval has elapsed since the last rebuild.
  - 8. The apparatus of claim 6 including means for constructing four equivalence table levels, the fourth level consisting of a single table, said apparatus including:
    - (A) means for constructing the fourth level tables with entries indexed by pairs of equivalence ID'"'"'s in the third level tables, each entry in a fourth level table containing;
      
      (1) a bit vector resulting from the intersection of the bit vectors corresponding to the third level equivalence IDs; and
      
      (B) means for;
      
      (1) constructing each of said of fourth-level tables as a set of fragments, and(2) constructing a pointer array derived from the equivalence ID'"'"'s in a third-level table, the contents of the pointer array pointing to the respective fourth-level table fragments and the equivalence ID'"'"'s of another of the third-level tables indicating depths of the entries in the table fragments.

9. A method comprising:
- constructing, by one or more processors of a network device, a set of top-level tables associated with a top-level in a hierarchy of tables for use in a packet classification of incoming packets, each top-level table containing one or more top-level table entries, each top-level table entry associating a value, or values, of a section of a packet header with an equivalence-set index and a bit vector indicating one or more rules for classifying the incoming packets;
  
  constructing, by the one or more processors, one or more successive-level tables associated with a successive-level in the hierarchy of tables, at least some of the one or more successive-level tables arranged as a set of table fragments;
  
  recording a time at least some the tables in the hierarchy of tables were last rebuilt;
  
  accessing a minimum rebuild interval; and
  
  rebuilding, by the one or more processors, the at least some the tables in the hierarchy of tables only after the minimum rebuild interval has elapsed after the time the at least some of the tables in the hierarchy of tables were last rebuilt.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9 further comprising:
    - for each successive-level table arranged as an set of table fragments,(i) allocating a data structure storing a plurality of pointers, the data structure providing a pointer to a particular table fragment in response to a first equivalence-set index from a higher-level table in the hierarchy of tables, and(ii) indexing a depth into the particular table fragment in response to a second equivalence-set index from another higher-level table.
  - 11. The method of claim 9 further comprising:
    - generating an aggregate bit vector from the bit vector of at least some table entries.
  - 12. The method of claim 11 wherein each bit of an aggregate bit vector corresponds to a section in a corresponding bit vector, and is set if the section contains at least one bit that is set.
  - 13. The method of claim 12 further comprising:
    - forming intersections of two or more aggregate bit vectors.
  - 14. The method of claim 12 further comprising:
    - examining a section of a bit vector corresponding to a set bit in an aggregate bit vector, to ascertain a particular rule involved in a packet classification.
  - 15. The method of claim 9 further comprising:
    - aligning the bit vectors with boundaries of cache lines.
  - 16. The method of claim 9 wherein the step of constructing one or more successive-level tables comprises:
    - arranging the table fragments of the set of table fragments in substantially non-contiguous blocks of memory.
  - 17. The method of claim 9 wherein each section is a same length.

18. An apparatus comprising:
- a processor to construct a set of top-level tables associated with a top-level in a hierarchy of tables for use in a packet classification of incoming packets, each top-level table containing one or more top-level table entries, each top-level table entry arranged to associate a value, or values, of a section of a packet header with an equivalence-set index and a bit vector that indicates one or more rules for classifying the incoming packets, the processor further to construct one or more successive-level tables associated with a successive-level in the hierarchy of tables, at least some of the one or more successive-level tables arranged as a set of table fragments; and
  
  a memory to hold the hierarchy of tables,wherein the processor is further to record a time at least some the tables in the hierarchy of tables were last rebuilt, access a minimum rebuild interval, and rebuild the at least some the tables in the hierarchy of tables only after the minimum rebuild interval has elapsed after the time the at least some of the tables in the hierarchy of tables were last rebuilt.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The apparatus of claim 18 wherein the processor is further to, for each successive-level table arranged as an set of table fragments, allocate a data structure to store a plurality of pointers, the data structure providing a pointer to a particular table fragment in response to a first equivalence-set index from a higher-level table in the hierarchy of tables, and to index a depth into the particular table fragment in response to a second equivalence-set index from another higher-level table.
  - 20. The apparatus of claim 18 wherein the processor is further to generate an aggregate bit vector from the bit vector of at least some table entries.
  - 21. The apparatus of claim 20 wherein each bit of an aggregate bit vector corresponds to a section in a corresponding bit vector, and is set if the section contains at least one bit that is set.
  - 22. The apparatus of claim 21 wherein the processor is further to form intersections of two or more aggregate bit vectors.
  - 23. The apparatus of claim 21 wherein the processor is further to examine a section of a bit vector corresponding to a set bit in an aggregate bit vector, to ascertain a particular rule involved in a packet classification.
  - 24. The apparatus of claim 18 wherein the memory is a cache, and the bit vectors are aligned with boundaries of cache lines.
  - 25. The apparatus of claim 18 wherein the memory is further to store the table fragments of the set of table fragments in substantially non-contiguous blocks.
  - 26. The apparatus of claim 18 wherein each section is a same length.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kumar, Vinodh, Guru, Parthibhan Parama, McRae, Andrew
Primary Examiner(s)
Shah; Chirag G
Assistant Examiner(s)
NGUYEN, MINH TRANG T

Application Number

US11/236,890
Publication Number

US 20070041318A1
Time in Patent Office

1,567 Days
Field of Search

370/351, 370/392, 370/395.31, 709/242, 709/245
US Class Current

370/392
CPC Class Codes

H04L 47/10 Flow control; Congestion co...

H04L 47/2441 relying on flow classificat...

Compilation of access control lists

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Compilation of access control lists

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links