Methods of structuring data, pre-compiled exception list engines, and network appliances

US 8,468,220 B2
Filed: 07/27/2009
Issued: 06/18/2013
Est. Priority Date: 04/21/2009
Status: Active Grant

First Claim

Patent Images

1. A network appliance for connection to a first network, the appliance comprising:

at least one input coupled to the first network for receiving a data packet from the first network, the data packet including an internet protocol (IP) address;

at least one memory device storing instructions and data, the data including;

a plurality of pages storing a plurality of excepted IP addresses, the excepted IP addresses each having a numeric value within a range of numeric values, the range divided into a plurality of clusters representing a plurality of contiguous sub-ranges, each page including one or more of the excepted IP addresses assigned to at least one of the clusters associated with the sub-range that includes the numeric value of said IP address within one or more of the sub-ranges associated with that page, each page having a page size defined by a maximum number of IP addresses that can be assigned to that page, the IP addresses in each cluster assigned to each page are ordered by numeric value; and

at least one processor executing computer-executable instructions, said instructions comprising instructions to;

identify the IP address of the packet from the first network;

identify-a target page that will include the IP address if the IP address is one of the plurality of excepted IP addresses, wherein the excepted IP addresses include a plurality of allowable IP addresses and a plurality of blocked IP addresses;

search-the target page to determine if the IP address is one of the excepted IP addresses in the target page;

process-the packet from the first network according to whether the IP address is an excepted IP address in the target page; and

determine whether to allow the packet from the first network to proceed based on if the IP address is an allowable IP address in the target page and to deny the packet from the first network from proceeding if the IP address is a blocked IP address in the target page.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer executed method is disclosed for sorting a plurality of internet protocol (IP) addresses. The method includes dividing the range of IP addresses into a plurality of clusters representing a plurality of contiguous sub-ranges, assigning each IP address to the cluster associated with the sub-range that includes that IP address, and assigning the IP addresses in each cluster to one of a plurality of pages. If one of the pages has a size less than a page size limit, the method includes duplicating on that page at least one of the IP addresses assigned to that page. For each page, the IP addresses assigned to that page are ordered by numeric value. A network appliance incorporating aspects of the method is also disclosed.

40 Citations

View as Search Results

18 Claims

1. A network appliance for connection to a first network, the appliance comprising:
- at least one input coupled to the first network for receiving a data packet from the first network, the data packet including an internet protocol (IP) address;
  
  at least one memory device storing instructions and data, the data including;
  
  a plurality of pages storing a plurality of excepted IP addresses, the excepted IP addresses each having a numeric value within a range of numeric values, the range divided into a plurality of clusters representing a plurality of contiguous sub-ranges, each page including one or more of the excepted IP addresses assigned to at least one of the clusters associated with the sub-range that includes the numeric value of said IP address within one or more of the sub-ranges associated with that page, each page having a page size defined by a maximum number of IP addresses that can be assigned to that page, the IP addresses in each cluster assigned to each page are ordered by numeric value; and
  
  at least one processor executing computer-executable instructions, said instructions comprising instructions to;
  
  identify the IP address of the packet from the first network;
  
  identify-a target page that will include the IP address if the IP address is one of the plurality of excepted IP addresses, wherein the excepted IP addresses include a plurality of allowable IP addresses and a plurality of blocked IP addresses;
  
  search-the target page to determine if the IP address is one of the excepted IP addresses in the target page;
  
  process-the packet from the first network according to whether the IP address is an excepted IP address in the target page; and
  
  determine whether to allow the packet from the first network to proceed based on if the IP address is an allowable IP address in the target page and to deny the packet from the first network from proceeding if the IP address is a blocked IP address in the target page.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 18)
- - 2. The appliance of claim 1 wherein the data includes a page record indicating the page associated with each sub-range.
  - 3. The appliance of claim 2 wherein the at least one processor executes said instructions to search the page record to identify the target page and to determine the page associated with the sub-range encompassing-the IP address.
  - 4. The appliance of claim 3 wherein the at least one processor is configured via said instructions to identify that there are no excepted addresses in the sub-range encompassing the IP address by searching the page record.
  - 5. The appliance of claim 3 wherein the data includes a null page associated with any sub-ranges encompassing no excepted addresses.
  - 6. The appliance of claim 5 further wherein the at least one processor executes said instructions to identify a null page associated with any sub-range which does not encompass-any of the excepted IP addresses.
  - 7. The appliance of claim 6 wherein processing the packet from the first network according to whether the IP address is an excepted IP address in the target page includes allowing the packet from the first network to proceed if the IP address is not an excepted IP address in the target page or if the processor identified the null page.
  - 8. The appliance of claim 1 wherein processing the packet from the first network according to whether the IP address is an excepted IP address in the target page includes preventing the packet from the first network from proceeding if the IP address is not an excepted IP address in the target page.
  - 9. The appliance of claim 1 wherein processing the packet from the first network according to whether the IP address is an excepted IP address in the target page includes allowing the packet from the first network to proceed if the IP address is not an excepted IP address in the target page.
  - 10. The appliance of claim 1 further comprising at least one output coupled to a second network for transmitting the packet from the first network to the second network if the processor determines to allow the packet from the first network to proceed.
  - 18. The appliance of claim 1, wherein the first fit and the best fit algorithm determine the IP addresses in each cluster without causing the page size of said page to exceed the page size limit.

11. A network appliance for connection to a first network, the appliance comprising:
- at least one input coupled to the first network for receiving a packet from the first network, the packet including an internet protocol (IP) address;
  
  at least one memory device;
  
  a first engine stored in the memory device, the first engine including a plurality of pages storing a plurality of excepted IP addresses, the excepted IP addresses each having a numeric value within a range of numeric values, the range divided into a plurality of clusters representing a plurality of contiguous sub-ranges, each page including one or more of the excepted IP addresses assigned to at least one of the clusters associated with the sub-range that includes the numeric value of the IP address within one or more of the sub-ranges associated with that page; and
  
  at least one processor executing a first finite state machine (FSM), the first FSM including instructions executable by the processor to;
  
  determine the page associated with the sub-range encompassing the IP address;
  
  search the page associated with the sub-range encompassing the IP address to determine if the IP address is an excepted IP address; and
  
  process the packet from the first network according to the IP address being an excepted IP address, wherein the packet from the first network is allowed to proceed based on the IP address being an excepted IP address.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The appliance of claim 11 further comprisinga second engine stored in the-memory device, the second engine including a plurality of additional pages storing a plurality of additional excepted IP addresses, the additional excepted IP addresses each having a numeric value within a range of numeric values, the range divided into a plurality of contiguous sub-ranges, each page including one or more of the additional excepted IP addresses having numeric values within one or more of the sub-ranges associated with that page;
    - andwherein the processor executes a second FSM, the second FSM including instructions executable by the processor to;
      
      determine the additional page associated with the sub-range encompassing the IP address;
      
      search the additional page associated with the sub-range encompassing the IP address to determine if the IP address is an excepted IP address; and
      
      process the packet from the first network according to the IP address being an excepted IP address.
  - 13. The appliance of claim 12 further comprising at least one output coupled to a second network for transmitting the packet from the first network to the second network if the processor determines to allow the packet from the first network to enter the second network via processing the packet according to the indication from the first engine or the second engine.
  - 14. The appliance of claim 11 wherein processing the packet from the first network according to the indication from the first engine includes determining to prevent the packet from the first network from proceeding when the indication from the first FSM indicates the IP address is an excepted IP address.
  - 15. The appliance of claim 12 wherein processing the packet from the first network according to the indication from the second engine includes determining to allow the packet from the first network to proceed when the indication from the second engine indicates the IP address is an additional excepted IP address.
  - 16. The appliance of claim 15 wherein processing the packet from the first network according to the indication from the first engine includes determining to prevent the packet from the first network from proceeding when the indication from the first engine indicates the IP address is an excepted IP address.
  - 17. The appliance of claim 11 further comprising at least one output coupled to a second network for transmitting the packet from the first network to the second network if the processor determines to allow the packet from the first network to proceed via processing the packet according to the indication from the first engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threater Incorporated
Original Assignee
TechGuard Security LLC
Inventors
Maestas, David Edward
Primary Examiner(s)
Pollack, Melvin H

Application Number

US12/509,957
Publication Number

US 20100268799A1
Time in Patent Office

1,422 Days
Field of Search

709/220, 709/227
US Class Current

709/220
CPC Class Codes

G06F 16/9017   using directory or table lo...

G06F 16/90348   by searching ordered data, ...

H04L 41/08   Configuration management of...

H04L 61/4552   Lookup mechanisms between a...

H04L 61/5061   Pools of addresses

H04L 63/02   for separating internal fro...

Methods of structuring data, pre-compiled exception list engines, and network appliances

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Methods of structuring data, pre-compiled exception list engines, and network appliances

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others