Network protocol processing for filtering packets

US 7,913,294 B1
Filed: 06/24/2003
Issued: 03/22/2011
Est. Priority Date: 06/24/2003
Status: Active Grant

First Claim

Patent Images

1. A method for network protocol filtering of a packet using an address resolution table that is cross-linked with a state table associating data structures with NAT address information and that is indexed with an address resolution table index (ART index), the packet having a Media Access Control (MAC) destination address, the method comprising:

determining a packet type for the packet;

obtaining packet information for the packet including the MAC destination address;

determining that the MAC destination address is included in an entry in the address resolution table;

obtaining the ART index associated with the MAC destination address from the entry in the address resolution table, wherein the ART index is an index into the state table for locating an entry in the state table associating data structures with NAT address information; and

storing the ART index and the packet information in a data structure associated with the state table associating data structures with NAT address information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for network protocol filtering of a packet is described. An index to a table is obtained and stored to travel with the packet. The index is obtainable to access the table to obtain packet information. In particular, a method for inbound network address translation packet filtering and a method for outbound packet filtering are described.

180 Citations

21 Claims

1. A method for network protocol filtering of a packet using an address resolution table that is cross-linked with a state table associating data structures with NAT address information and that is indexed with an address resolution table index (ART index), the packet having a Media Access Control (MAC) destination address, the method comprising:
- determining a packet type for the packet;
  
  obtaining packet information for the packet including the MAC destination address;
  
  determining that the MAC destination address is included in an entry in the address resolution table;
  
  obtaining the ART index associated with the MAC destination address from the entry in the address resolution table, wherein the ART index is an index into the state table for locating an entry in the state table associating data structures with NAT address information; and
  
  storing the ART index and the packet information in a data structure associated with the state table associating data structures with NAT address information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method, according to claim 1, further comprising:
    - determining whether the packet is for a new connection; and
      
      responsive to the packet not being for the new connection, determining whether the packet information is in the address resolution table.
  - 3. The method, according to claim 2, wherein the packet type is a Transmission Control Protocol type.
  - 4. The method, according to claim 1, wherein the packet type is a User Datagram Protocol type.
  - 5. The method, according to claim 1, wherein the packet information is a five-tuple including source and destination addresses, source and destination ports, and a packet type identifier.
  - 6. The method, according to claim 1, wherein the packet type is a Generic Routing Encapsulation type.
  - 7. The method, according to claim 6, wherein the packet information is a five-tuple including source and destination addresses, an apportioned Generic Routing Encapsulation identifier, and a packet type identifier.
  - 8. The method, according to claim 1, wherein the packet type is an Internet Protocol Security type.
  - 9. The method, according to claim 8, wherein the packet information is a five-tuple including source and destination addresses, an apportioned security parameter string, and a packet type identifier.

10. A method for inbound network address translation packet filtering using an address resolution table that is cross-linked with a state table associating data structures with NAT address information and that is indexed with an address resolution table index (ART index), the packet having a Media Access Control (MAC) destination address, the method comprising:
- obtaining a packet;
  
  determining whether type of the packet is one of a Transmission Control Protocol, a User Datagram Protocol, a Generic Routing Encapsulation, an Internet Protocol Security and an Internet Control Message Protocol type;
  
  if the type is the Transmission Control Protocol type, determining if the packet is an initial packet for a connection;
  
  if the type is the Transmission Control Protocol type and the packet is for an existing connection or if the type is one of the User Datagram Protocol type, the Generic Routing Encapsulation type and the Internet Protocol Security type,obtaining packet information from the packet including the MAC destination address;
  
  determining that the MAC destination address is included in the address resolution table;
  
  obtaining the ART index associated with the MAC destination address from the entry in the address resolution table, wherein the ART index is an index into the state table for locating an entry in the state table associating data structures with NAT address information; and
  
  storing the ART index and the product information in the data structure associated with the state table associating data structures with NAT address information.
- View Dependent Claims (11, 12, 13)
- - 11. The method, according to claim 10, further comprising:
    - checking validity of layers of the packet;
      
      checking Internet Protocol options for the packet; and
      
      determining whether the packet is a fragment.
  - 12. The method, according to claim 10, wherein the data structure is for a plurality of canonical frame headers.
  - 13. The method, according to claim 10, wherein the state table is a connection table.

14. A method for outbound packet filtering using an address resolution table that is cross-linked with a state table associating data structures with NAT address information and that is indexed with an address resolution table index (ART index), the packet having a Media Access Control (MAC) destination address, the method comprising:
- obtaining a packet;
  
  determining whether an incoming interface for the packet is running network address translation;
  
  if the incoming interface is running the network address translation,obtaining a first index from a data structure associated with the packet; and
  
  obtaining packet information in a first table using the first index;
  
  determining whether type of the packet is one of a Transmission Control Protocol, a User Datagram Protocol, a Generic Routing Encapsulation, an Internet Protocol Security and an Internet Control Message Protocol type;
  
  if the type is the Transmission Control Protocol type, determining if the packet is an initial packet for a connection;
  
  if the type is the Transmission Control Protocol type and the packet is for an existing connection or if the type is the User Datagram Protocol type,obtaining the packet information from the packet including the MAC destination address,determining that the MAC destination address is included in the address resolution table,obtaining the ART index associated with the MAC destination address from the entry in the address resolution table, wherein the ART index is an index into the state table for locating an entry in the state table associating data structures with NAT address information, andstoring the ART index and the packet information in a data structure associated with the state table associating data structures with NAT address information;
  
  if the type is the Internet Control Message Protocol type, determining whether the Internet Control Message Protocol type is on a list of Internet Control Message Protocol types;
  
  if the type is not the Internet Control Message Protocol type,determining if the outgoing interface is running the network address translation;
  
  responsive to the outgoing interface running the network address translation,obtaining the second index from the data structure; and
  
  obtaining the packet information from the first table using the second index.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method, according to claim 14, wherein the packet information is a five-tuple including source and destination addresses, source and destination ports, and a packet type identifier.
  - 16. The method, according to claim 14, wherein the packet type is a Generic Routing Encapsulation type.
  - 17. The method, according to claim 16, wherein the packet information is a five-tuple including source and destination addresses, an apportioned Generic Routing Encapsulation identifier, and a packet type identifier.
  - 18. The method, according to claim 14, wherein the packet type is an Internet Protocol Security type.
  - 19. The method, according to claim 18, wherein the packet information is a five-tuple including source and destination addresses, an apportioned security parameter string, and a packet type identifier.
  - 20. The method, according to claim 14, further comprising:
    - checking validity of layers of the packet;
      
      checking Internet Protocol options for the packet; and
      
      determining whether the packet is a fragment.
  - 21. The method, according to claim 14, wherein the data structure is for a plurality of canonical frame headers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NVIDIA Corporation
Original Assignee
NVIDIA Corporation
Inventors
Sidenblad, Paul J., Nanda, Sameer, Maufer, Thomas A., Gyugyi, Paul J.
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
Jackson; Jenise E

Application Number

US10/603,416
Time in Patent Office

2,828 Days
Field of Search

726/1, 726/3, 726/11, 726 13- 14, 713/151, 370/395.31, 370/395.54, 370/392
US Class Current

726/3
CPC Class Codes

H04L 12/66   Arrangements for connecting...

H04L 61/2514   between local and global IP...

H04L 63/0227   Filtering policies mail mes...

Network protocol processing for filtering packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

180 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Network protocol processing for filtering packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links