Method, Program and System for Efficiently Hashing Packet Keys into a Firewall Connection Table
Abstract
A method for increasing the capacity of a connection table in a firewall accelerator by mapping the packets of one session that share common security actions into a single table entry. A hash function is specified for each of five Network Address Translation (NAT) configurations. Each hash function takes into account which of four possible arrival types a packet at the firewall accelerator may have, so that when packets of the same session arrive with different arrival types, two or more arrival types may yield the same hash value.
35 Claims
1-15. (canceled)
16. A method to map packets comprising:
providing a search facility to which the packets are to be mapped;
for each packet received, comparing with a comparator a first field value with a second field value corresponding with the first field value, wherein the first field value and the second field value are selected from a set of field values of said each packet, wherein the set of field values includes a concatenated arrival type;
determining whether the comparison provides a first predetermined result;
responsive to a determination of the first predetermined result, generating a first hashed value based upon the selected set of field values in the received packet absent the concatenated arrival type; and
accessing a location in said search facility using the first hashed value and concatenated arrival type.
Dependent claims: 17, 18, 19, 20, 21, 22, 23
24. A system including:
a bus;
a random access memory connected to the bus;
a read only memory connected to the bus;
a central processing unit connected to the bus;
an input/output adapter connected to the bus, wherein a device for detecting packets on a network is connected to the input/output adapter;
a firewall accelerator in the device, in which a look-up facility, to store common information related to selected ones of a predefined set of traffic types and specific information relating to at least one of the selected ones of the predefined set of traffic types, is being provided; and
a controller in the device, parsing received packets to determine whether a first predetermined relation between predetermined field values in the received packets exists, wherein the predetermined field values include a concatenated arrival type and wherein selected field values from said packet are hashed absent the concatenated arrival type and a hashed value is used with the concatenated arrival type as an index into said look-up facility.
Dependent claims: 25, 26, 27, 28, 29, 30
31. A program product comprising:
a memory in which is stored computer executable instructions, said computer executable instructions comprising:
computer executable instructions for examining traffic arriving at ports of a firewall accelerator;
computer executable instructions for selecting a first field value and a second field value from a set of field values in a packet in said traffic, wherein the set of field values includes a concatenated arrival type;
computer executable instructions for comparing the first field value with the second field value and determining whether the first field value is greater than the second field value, wherein the first field value represents a source address and the second field value represents a destination address;
computer executable instructions, responsive to a determination that the first field value is greater than the second field value, for generating a hashed value from the set of field values selected from the packet; and
computer executable instructions for using the hashed value and concatenated arrival type to access a location in a look-up facility.
Dependent claims: 32, 33, 34, 35
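The abstract and the independent claims above describe one mechanism: compare the packet's source and destination addresses, hash the address and port fields without the arrival type so that both directions of a session land in the same table entry, and then concatenate the arrival type to that hash to pick the slot holding arrival-type-specific state. The following Python is an added worked example of that mechanism written for this page; it is not code from the patent. It assumes four arrival-type labels (the page says there are four but does not name them), assumes that when the comparison goes the other way the address/port pairs are simply swapped so forward and reverse packets hash alike (the claims only recite the "greater than" branch), uses a keyed BLAKE2b for the hash as this editor's choice rather than anything the patent specifies, and does not model the five per-NAT-configuration hash functions the abstract mentions. The key on the hash is the practitioner caveat: an unkeyed hash over attacker-controlled 5-tuples lets a remote peer choose colliding keys and pile every connection into one bucket.

```python
"""Added example: direction-independent connection-table indexing in the style of
the claims above (canonical ordering of source/destination, hash computed without
the arrival type, arrival type concatenated to the hash as the table index).
Not code from the patent; arrival-type labels and the swap branch are assumptions."""
from dataclasses import dataclass
import hashlib
import ipaddress
import os

# The page says there are four arrival types but does not name them; these labels are assumed.
ARRIVAL_TYPES = ("ingress_pre_nat", "ingress_post_nat", "egress_pre_nat", "egress_post_nat")


@dataclass(frozen=True)
class PacketKey:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    arrival_type: str


def canonical_fields(pkt):
    """Return (addr_a, port_a, addr_b, port_b, proto) in an order that is the same for
    both directions of a session.  The comparator is the claims' "source address greater
    than destination address" test; the else-branch (swap the pair) is our reading of the
    unclaimed case, so that forward and reverse packets hash to the same value."""
    src = int(ipaddress.ip_address(pkt.src_ip))
    dst = int(ipaddress.ip_address(pkt.dst_ip))
    if (src, pkt.src_port) > (dst, pkt.dst_port):
        return (dst, pkt.dst_port, src, pkt.src_port, pkt.proto)
    return (src, pkt.src_port, dst, pkt.dst_port, pkt.proto)


def pack_fields(fields):
    """Fixed-width serialisation so the hash input is unambiguous (16-byte addresses cover IPv6)."""
    a, ap, b, bp, proto = fields
    return (a.to_bytes(16, "big") + ap.to_bytes(2, "big")
            + b.to_bytes(16, "big") + bp.to_bytes(2, "big") + proto.to_bytes(1, "big"))


class ConnectionTable:
    """Bucket = keyed hash of the canonical fields (arrival type excluded); the arrival type
    is then concatenated to the bucket to select the per-arrival-type slot.  Each entry keeps
    'common' state shared by all arrival types of the session and a 'specific' dict keyed by
    arrival type, mirroring the look-up facility of claim 24."""

    def __init__(self, secret=None, table_bits=16):
        # Keying the hash (editor's choice, not the patent's) stops a peer who controls the
        # 5-tuples from choosing colliding keys and exhausting one bucket chain.
        self.secret = secret if secret is not None else os.urandom(16)
        self.mask = (1 << table_bits) - 1
        self.buckets = {}  # bucket -> list of entries (chained for genuine hash collisions)

    def bucket(self, pkt):
        digest = hashlib.blake2b(pack_fields(canonical_fields(pkt)),
                                 key=self.secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") & self.mask

    def _find(self, pkt):
        key = canonical_fields(pkt)
        for entry in self.buckets.get(self.bucket(pkt), []):
            if entry["key"] == key:  # full-key compare: a bucket match alone is not a session match
                return entry
        return None

    def insert(self, pkt, common, specific):
        entry = self._find(pkt)
        if entry is None:
            entry = {"key": canonical_fields(pkt), "common": common, "specific": {}}
            self.buckets.setdefault(self.bucket(pkt), []).append(entry)
        entry["specific"][pkt.arrival_type] = specific
        return entry

    def lookup(self, pkt):
        """Return (common, specific-for-this-arrival-type) or None if the session is unknown."""
        entry = self._find(pkt)
        if entry is None:
            return None
        return entry["common"], entry["specific"].get(pkt.arrival_type)


if __name__ == "__main__":
    # Constructed sample session: client 10.0.0.5:40000 -> server 93.184.216.34:443 over TCP.
    fwd = PacketKey("10.0.0.5", "93.184.216.34", 40000, 443, 6, "egress_pre_nat")
    rev = PacketKey("93.184.216.34", "10.0.0.5", 443, 40000, 6, "egress_pre_nat")
    table = ConnectionTable(secret=b"demo-key")
    table.insert(fwd, common={"verdict": "allow"}, specific={"nat": "snat 203.0.113.7"})
    print(table.bucket(fwd) == table.bucket(rev))  # both directions select one bucket
    print(table.lookup(rev))                       # shared verdict plus per-arrival-type NAT state
```

Two design points worth noting: the full canonical key is compared on every lookup, because a bucket hit only means the hashes agree, and the secret should be generated per boot (here `os.urandom`) rather than compiled in, since a fixed key gives an attacker offline time to search for collisions.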
Specification