Computer system and network interface with hardware based rule checking for embedded firewall

US 7,894,480 B1
Filed: 08/27/2002
Issued: 02/22/2011
Est. Priority Date: 08/27/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of managing packet transmission at an interface between a network and a host system the method comprising:

parsing an incoming packet comprising a data payload destined for a memory location in a host system;

generating one or more pointers to data fields in the parsed incoming packet;

storing the incoming packet in a buffer memory;

using the one or more pointers to retrieve data associated with the data fields from the buffer memory;

applying rules to the retrieved data; and

controlling the transfer of the data payload from the buffer memory to the memory location in the host system associated with the application running on the host system based on the outcome of the applying one or more rules to the retrieved data;

wherein each rule comprises a rule data value, the rule data value being masked and processed in parallel by rule parameters comprising of;

an “

equal to”

rule parameter for determining whether the masked rule data value is equal to the retrieved data;

a “

not equal to”

rule parameter for determining whether the masked rule data value is not equal to the retrieved data;

a “

greater than”

rule parameter for determining whether the masked rule data value is greater than the retrieved data; and

a “

less than”

rule parameter for determining whether the masked rule data value is less than the retrieved data.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system adapted for high-speed network communications, a method for managing a network interface and a network interface for such system, are provided, in which processing of packets received over the network is achieved by embedded logic at the network interface level. Incoming packets on the network interface are parsed and classified as they are stored in a buffer memory. Functional logic coupled to the buffer memory on the network interface is enabled to access any data field within a packet in a single cycle, using pointers and packet classification information produced by the parsing and classifying step. Results of operations on the data fields in the packets are available before the packets are transferred out of the buffer memory. A data processing system, a method for management of a network interface and a network interface are also provided by the present invention that include an embedded firewall at the network interface level of the system, which protects against inside and outside attacks on the security of data processing system. Furthermore, a data processing system, a method for management of a network interface and a network interface are a provided by the present invention that support class of service management for packets incoming from the network, by applying priority rules at the network interface level of the system.

112 Citations

View as Search Results

20 Claims

1. A method of managing packet transmission at an interface between a network and a host system the method comprising:
- parsing an incoming packet comprising a data payload destined for a memory location in a host system;
  
  generating one or more pointers to data fields in the parsed incoming packet;
  
  storing the incoming packet in a buffer memory;
  
  using the one or more pointers to retrieve data associated with the data fields from the buffer memory;
  
  applying rules to the retrieved data; and
  
  controlling the transfer of the data payload from the buffer memory to the memory location in the host system associated with the application running on the host system based on the outcome of the applying one or more rules to the retrieved data;
  
  wherein each rule comprises a rule data value, the rule data value being masked and processed in parallel by rule parameters comprising of;
  
  an “
  
  equal to”
  
  rule parameter for determining whether the masked rule data value is equal to the retrieved data;
  
  a “
  
  not equal to”
  
  rule parameter for determining whether the masked rule data value is not equal to the retrieved data;
  
  a “
  
  greater than”
  
  rule parameter for determining whether the masked rule data value is greater than the retrieved data; and
  
  a “
  
  less than”
  
  rule parameter for determining whether the masked rule data value is less than the retrieved data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein parsing an incoming packet includes determining and storing a classifier for the incoming packet, wherein the classifier indicates which rule of the one or more rules will be applied to the retrieved data associated with the data fields of the incoming packet.
  - 3. The method of claim 1 wherein generating one more pointers to data fields in the incoming packet comprises generating a pointer to the start of the packet.
  - 4. The method of claim 1 wherein generating one more pointers to data fields in the incoming packet comprises generating a pointer to the Internet Protocol header of the packet.
  - 5. The method of claim 1 wherein generating one more pointers to data fields in the incoming packet comprises generating a pointer to the Transmission Control Protocol header of the packet.
  - 6. The method of claim 1 wherein generating one more pointers to data fields in the incoming packet comprises generating a pointer to the data payload portion of the packet.
  - 7. The method of claim 1 wherein generating one or more pointers to data fields in the incoming packet and storing the incoming packet in a buffer memory occurs contemporaneously.
  - 8. The method of claim 1 wherein using the one or more pointers to retrieve the data associated with the data fields from the buffer memory comprises using the one or more pointers in combination with one or more offset parameters to retrieve the data associated with the data fields of the incoming packet from the buffer memory.
  - 9. The method of claim 1 wherein applying one or more rules to the retrieved data associated with the data fields comprises, for each rule:
    - storing the rule data value;
      
      storing the retrieved data; and
      
      performing the function specified by the rule parameter.
  - 10. The method of claim 1 wherein controlling the transfer of the data payload from the buffer memory to the memory location in the host system associated with the application running on the host system based on the outcome of the applying one or more rules to the retrieved data comprises an action selected from the group of actions consisting of:
    - transferring the data payload associated with the retrieved data from the buffer memory to the memory location in the host memory associated with the application running on the host system;
      
      inhibiting the transfer of the data payload associated with the retrieved data from the buffer memory to the memory location in the host memory associated with the application running on the host system; and
      
      combining the outcome of the rule application to a next rule application.

11. A system to manage packet transmission at an interface between a network and a host system, the system comprising:
- a packet parser to generate a pointer to data fields in the incoming packet, wherein the incoming packet comprises a data payload destined for a memory location in the host system;
  
  a packet index queue to store the pointers to the data fields;
  
  a packet data buffer to store the parsed incoming packet;
  
  a packet index fetch engine to retrieve data associated with the data fields from the packet data buffer by using the pointers from the packet index queue; and
  
  a rule check engine to apply rules match operations on the retrieved data associated with the data fields and to control the transfer of the data payload from the buffer memory to the memory location in the host system associated with the application running on the host system based on the outcome of each rule match operation;
  
  wherein the rule check engine comprises a rule match block and a rule action block;
  
  wherein the rule match block comprises;
  
  a packet data register to store the retrieved data associated with the data fields for comparison; and
  
  a rule data register to specify a rule to be compared with the retrieved data associated with the data fields;
  
  wherein the rule in the rule data register to be compared with the retrieved data in the packet data register comprises a rule data value, the rule data value being masked and processed in parallel by rule parameters comprising of;
  
  an “
  
  equal to”
  
  rule parameter to determine whether the rule data value in the rule data register is equal to the retrieved data in the packet data register;
  
  a “
  
  not equal to”
  
  rule parameter to determine whether the rule data value in the rule data register is not equal to the retrieved data in the packet data register;
  
  a “
  
  greater than”
  
  rule parameter to determine whether the rule data value in the rule data register is greater than the retrieved data in the packet data register; and
  
  a “
  
  less than”
  
  rule parameter to determine whether the rule data value in the rule data register is less than the retrieved data in the packet data register.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11 wherein the packet parser generates a pointer to the start of the incoming packet.
  - 13. The system of claim 11 wherein the packet parser generates a pointer to the Internet Protocol header of the incoming packet.
  - 14. The system of claim 11 wherein the packet parser generates a pointer to the Transmission Control Protocol header of the incoming packet.
  - 15. The system of claim 11 wherein the packet parser generates a pointer to the data payload of the incoming packet.
  - 16. The system of claim 11 wherein the packet index queue stores the pointers and the packet data buffer stores the incoming packet contemporaneously.
  - 17. The system of claim 11 wherein the rule match block further comprises a rule mask register to mask any number of the lower bits between the rule data register and the packet data register.
  - 18. The system of claim 11 wherein the rule action block is coupled to the rule match block and generates a control signal in response to an output from the rule match block, wherein the control signal indicates a specified action selected from the group of actions consisting of:
    - transfer the data payload associated with the retrieved data from the buffer memory to the memory location in the host memory associated with the application running on the host system;
      
      inhibit the transfer of the data payload associated with the retrieved data from the buffer memory to the memory location in the host memory associated with the application running on the host system; and
      
      combine the outcome of the rule match operation to a next rule match operation.
  - 19. The system of claim 11 wherein a plurality of rule match blocks corresponding to a plurality of rules are cascaded to apply the plurality of rules to the data in the packet data register.

20. A non-transitory computer readable media with instructions to cause a microprocessor at a host system to perform the steps of:
- parsing an incoming packet comprising a data payload destined for a memory location in the host system associated with an application running on the host system;
  
  generating one or more pointers to data fields in the parsed incoming packet;
  
  storing the incoming packet in a buffer memory;
  
  using the one or more pointers to retrieve data associated with the data fields from the buffer memory;
  
  applying rules to the retrieved data associated with the data fields; and
  
  controlling the transfer of the data payload from the buffer memory to the memory location in the host memory associated with the application running on the host system based on the outcome of the applying one or more rules to the retrieved data;
  
  wherein each rule comprises a rule data value, the rule data value being masked and processed in parallel by rule parameters comprising of;
  
  an “
  
  equal to”
  
  rule parameter for determining whether the masked rule data value is equal to the retrieved data;
  
  a “
  
  not equal to”
  
  rule parameter for determining whether the masked rule data value is not equal to the retrieved data;
  
  a “
  
  greater than”
  
  rule parameter for determining whether the masked rule data value is greater than the retrieved data; and
  
  a “
  
  less than”
  
  rule parameter for determining whether the masked rule data value is less than the retrieved data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Company (HP Inc.)
Inventors
Hu, BaoDong, Wang, Chi-Lie, Mitchell, Scott W.
Primary Examiner(s)
Wong; Warner

Application Number

US10/228,492
Time in Patent Office

3,101 Days
Field of Search

370/389, 370/392, 370/401, 370/419, 370/463, 370/474, 370/475, 709/213
US Class Current

370/474
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0263   Rule management

H04L 69/16   Implementation or adaptatio...

Computer system and network interface with hardware based rule checking for embedded firewall

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system and network interface with hardware based rule checking for embedded firewall

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links