Efficiently hashing packet keys into a firewall connection table
First Claim
1. A method to map packets comprising:
providing a table for mapping packet values for packets received at a network device;
receiving a packet at the network device;
identifying an arrival type of the packet from a list of arrival types comprising client to server, server to client, firewall to client, and firewall to server;
creating a key for the packet, the key including a set of values followed by a set of bits encoding the arrival type of the packet, wherein the set of values comprises a source address, a source port, a destination address, and a destination port for the packet;
providing the set of values from the key to a hash function to generate an index value;
searching a tree structure associated with the table for a leaf in the tree matching the index value, wherein the leaf includes a set of actions common to each arrival type in the list; and
using the set of bits to identify actions particular to the arrival type of the packet.
Abstract
A method for increasing the capacity of a connection table in a firewall accelerator by mapping the packets of one session that share common security actions into a single table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at the firewall accelerator may have, so that when packets of the same session with different arrival types are processed, two or more arrival types may produce the same hash value and share one entry.
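The claim describes the shape of the lookup (values hashed, arrival bits kept out of the hash, a tree of leaves holding common and per-type actions) but not a concrete hash. The Python below is an added example written for this page, not code from the patent or its assignee. It models only the no-NAT case and makes two labelled assumptions: the direction-invariant step is a simple ordering of the two endpoints (the patent's five NAT-specific hash functions are not reproduced), and the hash is a keyed BLAKE2b over a binary search tree. The session addresses and action names are constructed for the demonstration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Arrival(IntEnum):
    """The four arrival types named in claim 1, encoded in the key's trailing two bits."""
    CLIENT_TO_SERVER = 0
    SERVER_TO_CLIENT = 1
    FIREWALL_TO_CLIENT = 2
    FIREWALL_TO_SERVER = 3


# Assumed per-table secret: keying the hash keeps an attacker from choosing
# flows that all land on one tree path (algorithmic-complexity DoS).
TABLE_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def make_key(src: str, sport: int, dst: str, dport: int, arrival: Arrival) -> bytes:
    """Key layout from the claim: address/port values followed by the arrival-type bits."""
    values = (ipaddress.ip_address(src).packed + sport.to_bytes(2, "big")
              + ipaddress.ip_address(dst).packed + dport.to_bytes(2, "big"))
    return values + bytes([int(arrival)])


def split_key(key: bytes):
    """Values (hashed) and the trailing arrival-type byte (not hashed, used at the leaf)."""
    return key[:-1], Arrival(key[-1] & 0b11)


def canonical_values(values: bytes) -> bytes:
    """Assumption for the no-NAT case: order the two endpoints so both directions of one
    session hash alike. The patent's NAT-aware hash functions are not reproduced here."""
    half = len(values) // 2
    a, b = values[:half], values[half:]
    return a + b if a <= b else b + a


def hash_index(values: bytes) -> int:
    """32-bit index computed from the values only; the arrival bits never enter the hash."""
    digest = hashlib.blake2b(canonical_values(values), key=TABLE_SECRET, digest_size=4).digest()
    return int.from_bytes(digest, "big")


@dataclass
class Leaf:
    index: int
    session: bytes                      # canonical values, re-checked on every hit
    common: List[str]                   # actions shared by all four arrival types
    per_type: Dict[Arrival, List[str]]  # actions particular to one arrival type
    left: Optional["Leaf"] = None
    right: Optional["Leaf"] = None


class ConnectionTable:
    """Binary search tree keyed by hash index; one leaf holds a whole session."""

    def __init__(self) -> None:
        self.root: Optional[Leaf] = None

    def insert(self, key: bytes, common: List[str], per_type: Dict[Arrival, List[str]]) -> Leaf:
        values, _ = split_key(key)
        leaf = Leaf(hash_index(values), canonical_values(values), list(common), dict(per_type))
        if self.root is None:
            self.root = leaf
            return leaf
        node = self.root
        while True:
            if leaf.index == node.index:
                raise ValueError("index collision: a second session hashed onto an occupied leaf")
            side = "left" if leaf.index < node.index else "right"
            child = getattr(node, side)
            if child is None:
                setattr(node, side, leaf)
                return leaf
            node = child

    def lookup(self, key: bytes) -> Optional[List[str]]:
        values, arrival = split_key(key)
        index = hash_index(values)
        node = self.root
        while node is not None and node.index != index:
            node = node.left if index < node.index else node.right
        # A matching index is not a matching session: verify the key before acting.
        if node is None or node.session != canonical_values(values):
            return None
        return node.common + node.per_type.get(arrival, [])


def demo() -> Dict[str, Optional[List[str]]]:
    """Constructed session: client 192.0.2.10:40000 <-> server 198.51.100.5:443, no NAT."""
    table = ConnectionTable()
    table.insert(
        make_key("192.0.2.10", 40000, "198.51.100.5", 443, Arrival.CLIENT_TO_SERVER),
        common=["allow", "count_bytes"],
        per_type={Arrival.CLIENT_TO_SERVER: ["send_to_firewall"],
                  Arrival.SERVER_TO_CLIENT: ["send_to_firewall"],
                  Arrival.FIREWALL_TO_CLIENT: ["forward_to_client_port"],
                  Arrival.FIREWALL_TO_SERVER: ["forward_to_server_port"]})
    # Without NAT, firewall-originated packets carry the same addresses as the wire
    # direction they continue in, so only the arrival bits tell them apart.
    packets = {
        Arrival.CLIENT_TO_SERVER:   ("192.0.2.10", 40000, "198.51.100.5", 443),
        Arrival.SERVER_TO_CLIENT:   ("198.51.100.5", 443, "192.0.2.10", 40000),
        Arrival.FIREWALL_TO_CLIENT: ("198.51.100.5", 443, "192.0.2.10", 40000),
        Arrival.FIREWALL_TO_SERVER: ("192.0.2.10", 40000, "198.51.100.5", 443),
    }
    out = {a.name: table.lookup(make_key(*tup, a)) for a, tup in packets.items()}
    # A different client on the same server port must not inherit the session's actions.
    out["FOREIGN_FLOW"] = table.lookup(
        make_key("203.0.113.7", 5555, "198.51.100.5", 443, Arrival.CLIENT_TO_SERVER))
    return out


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name:20} -> {actions}")
```

Two points a practitioner should carry over from this model: the leaf re-compares the stored session values on every hit, because two different flows can share an index and an index-only match would apply one session's actions to another's packets; and the hash is keyed, because a predictable hash over attacker-chosen addresses and ports lets a remote party steer many flows into one tree path.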
15 Claims
1. A method to map packets comprising: (independent claim 1, reproduced in full under First Claim above). Dependent claims: 2, 3, 4.
5. A system comprising:
a bus;
a storage device connected to the bus, the storage device storing program code to map packets;
a processing unit connected to the bus, wherein the processing unit is configured to execute the program code to:
provide a table for mapping packet values for packets received at a network device;
receive a packet at the network device;
identify an arrival type of the packet from a list of arrival types comprising client to server, server to client, firewall to client, and firewall to server;
create a key for the packet, the key including a set of values followed by a set of bits encoding the arrival type of the packet, wherein the set of values comprises a source address, a source port, a destination address, and a destination port for the packet;
provide the set of values from the key to a hash function to generate an index value;
search a tree structure associated with the table for a leaf in the tree matching the index value, wherein the leaf includes a set of actions common to each arrival type in the list; and
use the set of bits to identify actions particular to the arrival type of the packet.
Dependent claims: 6, 7, 8, 9, 10, 11.
12. A program product comprising:
a storage device storing computer executable instructions, said computer executable instructions comprising:
computer executable instructions for providing a table for mapping packet values for packets received at a network device;
computer executable instructions for receiving a packet at the network device;
computer executable instructions for identifying an arrival type of the packet from a list of arrival types comprising client to server, server to client, firewall to client, and firewall to server;
computer executable instructions for creating a key for the packet, the key including a set of values followed by a set of bits encoding the arrival type of the packet, wherein the set of values comprises a source address, a source port, a destination address, and a destination port for the packet;
computer executable instructions for providing the set of values from the key to a hash function to generate an index value;
computer executable instructions for searching a tree structure associated with the table for a leaf in the tree matching the index value, wherein the leaf includes a set of actions common to each arrival type in the list; and
computer executable instructions for using the set of bits to identify actions particular to the arrival type of the packet.
Dependent claims: 13, 14, 15.
Specification