1. Field of the Invention
The present invention relates generally to the monitoring and processing of Internet Protocol (IP) data transferred in an asynchronous transfer mode (ATM). More specifically, the present invention relates to the monitoring of data to determine if it complies with a certain set of rules for further processing, depending on the data flow classification, as the data is transmitted through an ATM switch. The application entitled “A Method and Apparatus for Wire-Speed Application Layer Classification of Data Packets” (U.S. patent application Ser. No. 09/547,034, now abandoned) is assigned to a common assignee. The '034 application is herein incorporated by reference for all purposes.
2. Description of the Related Art
Data flows between a network of computers carrying portions of digital information between different nodes. Generally, the results of an application running at one network node may be sent to a computer at another network node. In order to establish the transfer of data, the information is encapsulated in data packets and transmitted over the network. Some communication protocols transfer data packets in a half duplex mode, while others transfer data packets in a full duplex mode.
Two popular ways of transferring Internet Protocol (IP) data between network nodes are the asynchronous transfer mode (ATM) and the Ethernet packet format mode.
ATM is a communication technology designed to address long-distance communication at high speeds with different networking systems connected at the end points. Unlike other communications protocols, ATM transfers data in fixed-length cells, each containing 53 bytes. As shown in
In contrast to the ATM networks 120, Ethernet networks 110 use a scheme based on IP addresses of the data packets to route payloads through a network in accordance with a full duplex protocol. The IP uses a unique identification for a process flow, also known as the IP tuple, which is shown in
In certain applications the tuple can be extracted from up to 64 bytes. Hence, there are cases where an IP tuple must be split between two ATM cells, as one ATM cell may carry a payload of no more than 48 bytes.
In an Ethernet network, data packets may be monitored for basic qualities in order to apply certain rules regarding such packets. For example, the IP tuple 300 of each data packet may be analyzed to determine the process flow to which it belongs, how the packet should be processed, where the packet should be routed, etc. The application of certain rules to certain data packets ensures a high quality of the transmission of real-time applications such as video or voice over Ethernet, avoids the transmission of restricted applications, and/or applies sets of other rules. However, as higher transmission speeds are required and the number of rules increases, it is essential to design systems that are efficient in handling the stream of packetized data transmitted through the system and that quickly and accurately apply rules to data packets. Since there is a common need to connect between ATM and packetized networks for the purpose of transferring data from one node to another in a mixed network, various ways have been proposed to accomplish this connection. One manner to more efficiently monitor the data in a mixed network is to monitor the IP data when flowing through an ATM node as part of an ATM cell.
While IP data can be classified for purposes of rule checking and enforcing actions by uniquely identifying its characteristics based on information contained in the header, it is essential to extract the header information from the ATM cells. The trivial approach would be to segment and reassemble (SAR) the IP data from the data in each cell. However, although this straightforward approach is simplistic, it requires the reassembly of the entire IP data packet and/or IP tuple, and will degrade the wire-speed performance of the system.
In an illustrative, non-limiting embodiment of the invention, an apparatus that monitors data transported in ATM cells over an ATM communication network is provided. More specifically, the apparatus monitors IP packets transported over ATM networks.
In another illustrative, non-limiting embodiment of the invention, a method is provided, in which associated packets are recognized and grouped for further packet processing after a classification process, as well as the back annotation to the ATM cells. An important feature of this non-limiting embodiment is that the design allows for scaling the solution in order to efficiently address increasing traffic loads.
In another illustrative, non-limiting embodiment of the invention, a method is provided, in which load is balanced between packet processors, otherwise known as network processors, as well as the specific functionality of the data path and packet classifier units.
Various aspects of non-limiting embodiments of the present invention will become more apparent by describing such embodiments below in conjunction with the attached drawings, in which:
The following description of the embodiments discloses specific configurations, features, and operations. However, the embodiments are merely examples of the present invention, and thus, the specific features described below are merely used to more easily describe such embodiments and to provide an overall understanding of the present invention. Accordingly, one skilled in the art will readily recognize that the present invention is not limited to the specific embodiments described below. Furthermore, the descriptions of various configurations, features, and operations of the present invention that would have been known to one skilled in the art are omitted for the sake of clarity and brevity.
An illustrative embodiment of the present invention may be employed in a policy-based network system shown in
As will be described in more detail below, the Data Path Unit 420 and the Header Processor 430 may be employed to process data received in an ATM cell format rather than in an IP data packet format. Both the Data Path Unit 420 and Header Processor 430 are capable of ignoring cells that contain data other than IP data. One illustrative manner in which the Data Path Unit 420 and the Header Processor 430 determine whether or not the data in the cell is IP data is to examine the payload type identifier 230 contained within each header 205 of each cell. (See
In one implementation of the present embodiment, the Header Processor 430 performs wire-speed assembly of the IP tuple 300 from the ATM cell 200 to determine the remaining operations, if any, to be performed on the cells 200 belonging to an IP packet. One illustrative way to perform such assembly is to allocate certain memory space. For example, as shown in
00—invalid pointer
01—saved for future use
10—cell pointer
11—flow pointer
When the validity status field V has the value “00,” the data contained in the pointer field may not be used as a pointer and is useless information. When the field V has the value “10,” the pointer is used to point to the CIM 530, where the content of the current ATM cell 200 is stored as cell information 535. The storage of the current cell 200 is necessary when the cell 200 does not contain a full IP tuple. When the field V has the value “11,” the pointer is used to point to the FIM 540, where the information of the process flow is stored. The value of the field V remains valid until the last cell 200 of the data packet is received. Once the last cell 200 of the data packet is received, as indicated in the cell header 205, the value of the field V is invalidated by resetting it to “00”. Failure to reset the field to “00” may result in VCI/VPI data 215 and 220 (i.e. the pointer 510) pointing to the wrong process flow information. However, it is guaranteed that all the cells 200 with the same VCI/VPI data 215 and 220 between the first and last cell 200 all arrive in sequence and all belong to the same data packet. It should be noted that it is possible that cells containing packets with different VCI/VPI addresses 215 and 220 may be flowing through the system at the same time.
An illustrative, non-limiting embodiment of a method of the present invention will now be described.
A current cell 200 is received by the Header Processor 430 as shown in operation 610 of
In another illustrative, non-limiting embodiment of the present invention the entire content of the current cell 200 is saved in the CIM 530 at the location pointed to by the pointer field in the PM 520. In operation 640, the Header Processor 430 receives the next cell that contains the second part of the IP tuple 300.
If two cells 200 were necessary to create the full IP tuple 300 (i.e., if operations 630 and 640 were executed), then, in operation 650, the information previously stored in the CIM 530 as the cell information 535 is used in conjunction with the second cell payload 210 to reconstruct the full IP tuple 300. On the other hand, if the IP tuple 300 was contained within the first cell (i.e., if operations 630 and 640 were not executed), the IP tuple 300 is extracted from the current cell 200.
The IP tuple 300 is then checked to identify whether or not it belongs to a process flow that has already been designated by a process flow identifier (operation 660). If the IP tuple 300 is part of a known flow, the Classifier 440 returns the flow information in operation 670, which includes the Flow-ID, the Packet Processor number and other control/status information. This information is required for the later packet processing and is stored in the FIM 540 as flow information 545. If the IP tuple 300 corresponds to the first data packet of a new process flow, a new process flow entry is generated during operation 680. The information is stored in the FIM 540, and a pointer is created to the stored information during operation 690. The pointer comprises a validity status field V, which equals “11” and a pointer field which contains a pointer to the beginning of the flow information 545. When identified as belonging to a certain flow, the data packet corresponding to the tuple 300 is scheduled to be processed via a designated Packet Processor from the available Packet Processors 450. Then, the data packet is made available to the designated processor via the Data Path Unit 420. The symmetrical and balanced architecture of the system 400 allows for additional Packet Processors 450 to be easily added in order to increase processing bandwidth and, hence, the performance of the entire system 400.
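The pointer-memory life cycle described above (V moving from "00" to "10" to "11" and back to "00" on the last cell) can be modeled in software as follows. This is an added example, not code from the patent; it covers only the split-tuple case and assumes the tuple is the first 64 bytes of the packet payload. The function and table names, the table sizes, and the linear-search classifier are hypothetical stand-ins.

```c
#include <stdint.h>
#include <string.h>

#define CELL_PAYLOAD 48   /* payload bytes per ATM cell (from the text) */
#define TUPLE_BYTES  64   /* assumed: worst-case tuple span named in the text */
#define NUM_VC       16   /* assumed: entries in the pointer memory (PM) */
#define MAX_FLOWS    16   /* assumed: entries in the flow memory (FIM) */

enum { V_INVALID = 0, V_RESERVED = 1, V_CELL = 2, V_FLOW = 3 }; /* 00,01,10,11 */

struct pm_entry { uint8_t v; uint16_t ptr; };
static struct pm_entry pm[NUM_VC];            /* PM, indexed by VPI/VCI */
static uint8_t cim[NUM_VC][CELL_PAYLOAD];     /* CIM: saved first cells */
static uint8_t fim[MAX_FLOWS][TUPLE_BYTES];   /* FIM: one tuple per flow */
static int flows;

/* Stand-in for the Classifier: return the flow index, creating it if new. */
static int classify(const uint8_t *tuple) {
    for (int i = 0; i < flows; i++)
        if (memcmp(fim[i], tuple, TUPLE_BYTES) == 0) return i;
    if (flows == MAX_FLOWS) return -1;
    memcpy(fim[flows], tuple, TUPLE_BYTES);
    return flows++;
}

/* Process one cell on connection vc; returns the flow index once known,
 * -1 while the tuple is still incomplete, -2 on a bad vc or a full FIM. */
int on_cell(unsigned vc, const uint8_t payload[CELL_PAYLOAD], int last) {
    if (vc >= NUM_VC) return -2;
    struct pm_entry *e = &pm[vc];
    int flow = -1;
    if (e->v == V_INVALID) {            /* first cell: save it in the CIM */
        memcpy(cim[vc], payload, CELL_PAYLOAD);
        e->v = V_CELL; e->ptr = (uint16_t)vc;
    } else if (e->v == V_CELL) {        /* second cell: rebuild the tuple */
        uint8_t tuple[TUPLE_BYTES];
        memcpy(tuple, cim[vc], CELL_PAYLOAD);
        memcpy(tuple + CELL_PAYLOAD, payload, TUPLE_BYTES - CELL_PAYLOAD);
        flow = classify(tuple);
        if (flow < 0) { e->v = V_INVALID; return -2; }
        e->v = V_FLOW; e->ptr = (uint16_t)flow;
    } else {                            /* V == 11: later cells of the packet */
        flow = e->ptr;
    }
    if (last) e->v = V_INVALID;         /* reset so the next packet re-classifies */
    return flow;
}
```

Dropping the final `if (last)` reset reproduces the failure the description warns about: the next packet on the same VPI/VCI would inherit the previous packet's flow pointer without being classified.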
The Data Path Unit 420 operates at full wire speed. Therefore, the Data Path Unit 420 assists the Header Processor 430 in providing indications of how to construct the cells 200, and uses the information provided by the Classifier 440 with respect to the process flow affiliation of a reassembled packet. Moreover, it is beneficial for the overall system performance to ignore the cells 200 that require no reassembly, because the cells 200 that do not require reassembly may contain IP data packets. According to the system rules, these IP data packets may not require any processing, and, hence, it would be wasteful to reassemble them. Therefore, the Header Processor 430 and/or the Classifier 440 may generate commands to the Data Path Unit 420 with instructions on how to handle cells having a certain VCI/VPI data 215 and 220.
Once reassembled, the Data Path Unit 420 performs several consistency checks on each packet, including IP and TCP checksums, IPV4, and legality of packet length. The interface between the Data Path Unit 420 and the plurality of Packet Processors 450 provides the required information for further packet processing.
The operations shown in
Although the preferred embodiments of the present invention have been described, it will be understood by those skilled in the art that the present invention should not be limited to the described preferred embodiments, but various changes and modifications can be made within the spirit and scope of the present invention as defined by the appended claims.
Number | Date | Country | |
---|---|---|---|
20030110284 A1 | Jun 2003 | US |