Efficiently hashing packet keys into a firewall connection table
First Claim
1. A method to map packets comprising:
- providing a table for mapping packet values for packets received at a network device;
- receiving a packet at the network device;
- identifying an arrival type of the packet from a list of arrival types comprising client to server, server to client, firewall to client, and firewall to server;
- creating a key for the packet, the key including a set of values followed by a set of bits encoding the arrival type of the packet, wherein the set of values comprises a source address, a source port, a destination address, and a destination port for the packet;
- providing the set of values from the key to a hash function to generate an index value;
- searching a tree structure associated with the table for a leaf in the tree matching the index value, wherein the leaf includes a set of actions common to each arrival type in the list; and
- using the set of bits to identify actions particular to the arrival type of the packet.
Abstract
A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.
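The following is an added illustration of the key layout and lookup described in the abstract and claim 1; it is not code from the patent. It assumes a two-bit encoding of the four arrival types, a single direction-independent hash over the four-tuple (the patent specifies a separate hash per NAT configuration, which is not reproduced), and a bucket of leaves per index in place of the claimed tree.

```python
"""Connection-table lookup modelled on claim 1 (added example, not the patent's
code). Only the 4-tuple is hashed to an index; the two arrival-type bits then
select the arrival-type-specific actions inside the shared table entry."""
import hashlib

# The four arrival types of claim 1, encoded in two bits (encoding assumed).
CLIENT_TO_SERVER, SERVER_TO_CLIENT, FIREWALL_TO_CLIENT, FIREWALL_TO_SERVER = range(4)

def make_key(src_addr, src_port, dst_addr, dst_port, arrival_type):
    """Key = set of values (4-tuple) followed by the arrival-type bits."""
    return ((src_addr, src_port, dst_addr, dst_port), arrival_type & 0b11)

def canonical(values):
    """Order the two endpoints so both directions of one session compare equal."""
    src, dst = (values[0], values[1]), (values[2], values[3])
    return tuple(sorted([src, dst]))

def hash_index(values, table_bits=16):
    """Hash only the set of values, never the arrival bits, into a table index.
    Assumption: one symmetric hash (the patent uses one per NAT configuration)."""
    digest = hashlib.blake2b(repr(canonical(values)).encode(), digest_size=8)
    return int.from_bytes(digest.digest(), "big") & ((1 << table_bits) - 1)

class Leaf:
    """One table entry: actions common to every arrival type plus per-type actions."""
    def __init__(self, values, common, per_type):
        self.values = canonical(values)
        self.common = list(common)
        self.per_type = {t: list(a) for t, a in per_type.items()}

def insert(table, values, common, per_type):
    # The claimed tree is modelled as a bucket of leaves under each index value.
    table.setdefault(hash_index(values), []).append(Leaf(values, common, per_type))

def lookup(table, key):
    """Return the action list for the packet, or None when no leaf matches
    (an unmatched packet has no accelerated session and must take the full
    firewall path; it must not inherit another session's actions)."""
    values, arrival_type = key
    for leaf in table.get(hash_index(values), []):
        if leaf.values == canonical(values):
            return leaf.common + leaf.per_type.get(arrival_type, [])
    return None
```

Both directions of a session land on the same index and leaf, so the common actions are stored once while the arrival-type bits pick the direction-specific NAT step.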
Claims (15 claims; 47 citations)
1. A method to map packets comprising: (independent claim, set out in full above under First Claim). Dependent claims: 2, 3, 4.
5. A system comprising:
- a bus;
- a storage device connected to the bus, the storage device storing program code to map packets;
- a processing unit connected to the bus, wherein the processing unit is configured to execute the program code to:
  - provide a table for mapping packet values for packets received at a network device;
  - receive a packet at the network device;
  - identify an arrival type of the packet from a list of arrival types comprising client to server, server to client, firewall to client, and firewall to server;
  - create a key for the packet, the key including a set of values followed by a set of bits encoding the arrival type of the packet, wherein the set of values comprises a source address, a source port, a destination address, and a destination port for the packet;
  - provide the set of values from the key to a hash function to generate an index value;
  - search a tree structure associated with the table for a leaf in the tree matching the index value, wherein the leaf includes a set of actions common to each arrival type in the list; and
  - use the set of bits to identify actions particular to the arrival type of the packet.
Dependent claims: 6, 7, 8, 9, 10, 11.
12. A program product comprising:
- a storage device storing computer executable instructions, said computer executable instructions comprising:
  - computer executable instructions for providing a table for mapping packet values for packets received at a network device;
  - computer executable instructions for receiving a packet at the network device;
  - computer executable instructions for identifying an arrival type of the packet from a list of arrival types comprising client to server, server to client, firewall to client, and firewall to server;
  - computer executable instructions for creating a key for the packet, the key including a set of values followed by a set of bits encoding the arrival type of the packet, wherein the set of values comprises a source address, a source port, a destination address, and a destination port for the packet;
  - computer executable instructions for providing the set of values from the key to a hash function to generate an index value;
  - computer executable instructions for searching a tree structure associated with the table for a leaf in the tree matching the index value, wherein the leaf includes a set of actions common to each arrival type in the list; and
  - computer executable instructions for using the set of bits to identify actions particular to the arrival type of the packet.
Dependent claims: 13, 14, 15.