Patent Grant
9667446
The Open Systems Interconnection (OSI) Reference Model defines seven network protocol layers (L1-L7) used to communicate over a transmission medium. The upper layers (L4-L7) represent end-to-end communications and the lower layers (L1-L3) represent local communications.
Networking application aware systems need to process, filter and switch a range of L3 to L7 network protocol layers, for example, L7 network protocol layers such as, HyperText Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP), and L4 network protocol layers such as Transmission Control Protocol (TCP). In addition to processing the network protocol layers, the networking application aware systems need to simultaneously secure these protocols with access and content based security through L4-L7 network protocol layers including Firewall, Virtual Private Network (VPN), Secure Sockets Layer (SSL), Intrusion Detection System (IDS), Internet Protocol Security (IPSec), Anti-Virus (AV) and Anti-Spam functionality at wire-speed.
Improving the efficiency and security of network operation in today's Internet world remains an ultimate goal for Internet users. Access control, traffic engineering, intrusion detection, and many other network services require the discrimination of packets based on multiple fields of packet headers, which is called packet classification.
Internet routers classify packets to implement a number of advanced internet services such as routing, rate limiting, access control in firewalls, virtual bandwidth allocation, policy-based routing, service differentiation, load balancing, traffic shaping, and traffic billing. These services require the router to classify incoming packets into different flows and then to perform appropriate actions depending on this classification.
A classifier, using a set of filters or rules, specifies the flows, or classes. For example, each rule in a firewall might specify a set of source and destination addresses and associate a corresponding deny or permit action with it. Alternatively, the rules might be based on several fields of a packet header including layers 2, 3, 4, and 5 of the OSI model, which contain addressing and protocol information.
On some types of proprietary hardware, an Access Control List (ACL) refers to rules that are applied to port numbers or network daemon names that are available on a host or layer 3 devices, each with a list of hosts and/or networks permitted to use a service. Both individual servers as well as routers can have network ACLs. ACLs can be configured to control both inbound and outbound traffic.
In accordance with an example, a method for comparing dimension match data of a rule with corresponding data in a key is provided. The method includes, in a rule match engine provided with dimension match data divided into a first portion and a second portion, comparing the first portion of the dimension match data with a corresponding first portion of data in a key. The method further includes setting a first condition code to equal to, greater than, or less than based on the comparison of the first portion of the dimension match data with the corresponding first portion of data in the key. The method further includes comparing the second portion of the dimension match data with a corresponding second portion of data in the key and setting a second condition code to equal to, greater than, or less than based on the comparison of the second portion of the dimension match data with the corresponding second portion of data in the key. The method further includes determining whether the dimension match data is equal to, greater than, or less than the corresponding data in the key based on the first and second condition codes and returning a response indicating whether the dimension match data and the corresponding data in the key match based on the determination.
In accordance with another example, a system for comparing dimension match data of a rule with corresponding data in a key is provided. The system includes memory and at least one interface for receiving dimension match data divided into a first portion and a second portion. The system further includes a rule match engine communicatively coupled to the memory and the at least one interface. The rule match engine is configured to compare the first portion of the dimension match data with a corresponding first portion of data in a key and set a first condition code to equal to, greater than, or less than based on the comparison of the first portion of the dimension match data with the corresponding first portion of data in the key. The rule match engine is further configured to compare the second portion of the dimension match data with a corresponding second portion of data in the key and set a second condition code to equal to, greater than, or less than based on the comparison of the second portion of the dimension match data with the corresponding second portion of data in the key. The rule match engine is further configured to determine whether the dimension match data is equal to, greater than, or less than the corresponding data in the key based on the first and second condition codes return a response indicating whether the dimension match data and the corresponding data in the key match based on the determination.
In accordance with yet another example, a tangible computer-readable storage medium having computer readable instructions stored therein for comparing dimension match data of a rule with corresponding data in a key is provided. The computer readable instructions when executed by a rule matching engine, provided with dimension match data divided into a first portion and a second portion, cause the rule match engine to compare the first portion of the dimension match data with a corresponding first portion of data in a key. The rule match engine further caused to set a first condition code to equal to, greater than, or less than based on the comparison of the first portion of the dimension match data with the corresponding first portion of data in the key. The rule match engine further caused to compare the second portion of the dimension match data with a corresponding second portion of data in the key and to set a second condition code to equal to, greater than, or less than based on the comparison of the second portion of the dimension match data with the corresponding second portion of data in the key. The rule match engine further caused to determine whether the dimension match data is equal to, greater than, or less than the corresponding data in the key based on the first and second condition codes and to return a response indicating whether the dimension match data and the corresponding data in the key match based on the determination.
In some examples, any of the aspects above can include one or more of the following features.
In other examples of the method, given a minimum value and a maximum value of a range match that are interleaved into an interleaved minimum/maximum value, the method further includes comparing the first portion of the interleaved minimum/maximum value to the corresponding first portion of data in the key. The method still further includes setting a first condition code for the minimum value and a first condition code for the maximum value to equal to, greater than, or less than based on the comparison. The method further includes comparing the second portion of the interleaved minimum/maximum value to the corresponding second portion of data in the key, and setting a second condition code for the minimum value and a second condition code for the maximum value to equal to, greater than, or less than based on the comparison. The method still further includes determining whether the key is within the minimum and maximum values of the range match based on the first and second condition codes for the minimum value and the first and second condition codes for the maximum value.
In some examples of the method, each of the condition codes includes a first bit and a second bit. In these examples, setting a respective condition code includes setting the first and second bits forming a first value, a second value different than the first value or a third value different than the first and second values. The first, second, and third values correspond to equal to, greater than, and less than comparisons, respectively.
In other examples of the method, setting the first condition code further includes setting the first condition code to equal to, greater than, or less than based on the determination, the first condition code being a running condition code keeping a status of prior comparisons.
In some examples of the method, comparing the second portion of the dimension match data, further includes determining whether to compare the second portion of the dimension match data with the corresponding second portion of data in the key based on the setting of the first condition code. These examples further include, comparing the second portion of the dimension match data with the corresponding second portion of data in the key based on the determination
In other examples of the method, determining includes, determining that the dimension match data and the corresponding data in the key are equal when the first and second condition codes are set to equal.
In some examples of the method, determining includes, determining the dimension match data is less than the corresponding data in the key when the first condition code is set to less than or when the first condition code is set to equal to and the second condition codes is set to less than.
In other examples of the method, determining includes, determining that the dimension match data is greater than the corresponding data in the key when the first condition code is set to greater than or when the first condition code is set to equal to and the second condition codes is set to greater than.
Another example of the method further includes, given a value and a mask of a mask match, each provided in a first portion and a second portion, applying the first portion of the mask to the first portion of the value and to the corresponding first portion of data in the key resulting in a masked first portion of the value and a masked corresponding first portion of data in the key, respectively. The method further includes comparing the masked first portion of the value to the masked corresponding first portion of data in the key, and setting a first condition code to equal to or not equal to based on the comparison. The method still further includes applying the second portion of the mask to the second portion of the value and to the corresponding second portion of data in the key resulting in a masked second portion of the value and a masked corresponding second portion of data in the key, respectively. The method further includes comparing the masked second portion of the value to the masked corresponding second portion of data in the key, and setting a second condition code to equal to or not equal to based on the comparison. The method still further includes determining whether the masked value is equal to or not equal to the masked corresponding data in the key based on the first and second condition codes, and returning a response indicating whether the masked value and the masked corresponding data in the key match based on the determination.
These and other features and characteristics, as well as the methods of operation and functions of the related elements of structure and the combination of parts and economies of manufacture, will become more apparent upon consideration of the following description and the appended claims with reference to the accompanying drawings, all of which form a part of this specification, wherein like reference numerals designate corresponding parts in the various figures. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of claims. As used in the specification and in the claims, the singular form of “a”, “an”, and “the” include plural referents unless the context clearly dictates otherwise.
The foregoing will be apparent from the following more particular description of example embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments of the present invention.
The core routers 104a-h are configured to operate in the Internet core 102 or Internet backbone. The core routers 104a-h are configured to support multiple telecommunications interfaces of the Internet core 102 and are further configured to forward packets at a full speed of each of the multiple telecommunications protocols.
The edge routers 106a-f are placed at the edge of the Internet core 102. Edge routers 106a-f bridge access routers 108a-e outside the Internet core 102 and core routers 104a-h in the Internet core 102. Edge routers 106a-f can be configured to employ a bridging protocol to forward packets from access routers 108a-e to core routers 104a-h and vice versa.
The access routers 108a-e can be routers used by an end user, such as a home user or an office, to connect to one of the edge routers 106a-f, which in turn connects to the Internet core 102 by connecting to one of the core routers 104a-h. In this manner, the access routers 108a-e can connect to any other access router 108a-e via the edge routers 106a-f and the interconnected core routers 104a-h.
A search processor described herein can reside in any of the core routers 104a-h, edge routers 106a-f, and access routers 108a-e. The search processor described herein, within each of these routers, is configured to analyze Internet protocol (IP) packets based on a set of rules and forward the IP packets along an appropriate network path.
Likewise, the second host processor 214 is an egress host processor. The second host processor 214 receives egress packets to send from the network 216. The second host processor 214 forwards a lookup request with a packet header (or field) from the egress packets 216 to the search processor 202 over a second Interlaken interface 218. The search processor 202 then processes the packet header using a plurality of rule processing engines employing a plurality of rules to determine a path to forward the packets on the network. The second host processor 214 forwards the processed egress packets 220 to another network element in the network.
As an example, a packet is received by the line card 306a at the MAC layer 326a. The MAC layer 326a sends the packet to the forwarding table 324a. Then, the packet and appropriate forwarding table information is stored in the local buffer memory 322a. Based on the determination, the router selects an appropriate line card 306b, stores the packet and forwarding information in the local buffer memory 322b of the appropriate line card, and forwards the packet out to the network.
Generally speaking, packets received are matched with rules that determine actions to take with a matched packet. Generic packet classification requires a router to classify a packet on the basis of multiple fields in a header of the packet. Each rule of the classifier specifies a class that a packet may belong to, according to criteria on ‘F’ fields of the packet header, and associates an identifier (e.g., class ID) with each class. For example, each rule in a flow classifier is a flow specification, in which each flow is in a separate class. The identifier uniquely specifies an action associated with each rule. Each rule has multiple fields. An ith field of a rule R, referred to as R[i], is a regular expression on the ith field of the packet header. A packet P matches a particular rule R if for every i, the ith field of the header of P satisfies the regular expression R[i].
With reference to
Classes specified by the rules may overlap. For instance, one key may match several rules. In this case, when several rules overlap, an order in which the rules appear in the classifier may determine the relative priority of the rule. In other words, a key that matched multiple rules belongs to the class identified by the identifier (class ID) of the rule among them that appears first in the classifier. Alternatively, a unique priority associated with a rule may determine its priority, for example, the rule with the highest priority.
The search processor 202 (
As the example of
In one approach to the challenge, the RME waits to receive all portions of the dimension match data before comparing the key to the dimension match data. This causes idle resources and wastes cycles that could be doing useful work. Even worse, a lot of additional hardware is required to handle maximum width dimension data all at once instead of an individual portion at a time. Preferably, the RME processes as much dimension match data as provided each cycle.
In another approach, according to the examples described herein, the RME performs a partial compare per cycle. In one cycle, the RME compares a portion of the dimension match data of the rule to a corresponding portion of data in the key. The RME carries the result of the comparison forward into a next cycle by setting a condition code. In the next cycle, the RME performs another partial compare with another portion of the dimension match data (e.g., the remaining portion of the dimension match data) and sets another condition code. The RME repeats until it compares all portions of the dimension match data (or in some examples, the RME repeats depending on the condition code of a prior comparison, as described below in greater detail). The RME uses the condition code(s) to determine the result of a comparison of the rule and key. Advantageously, with this “condition code” approach, the RME processes the amount of dimension match data provided to it during a given cycle. In turn, this keeps the RME at or near line rate.
The combining block 715 combines the current condition code 730a with a condition code of a prior comparison (prior condition code) 735. In the initial cycle, the prior condition code 735 is EQ by default. The combining block 715 outputs a combined condition code 740. The RME 700 stores the combined condition code 740 in the condition code register 705.
In cycle-2 (next cycle), the comparing block 710 compares a second portion of the dimension match data 720b to a corresponding second portion of the key data 725b. The comparing block 710 sets a current condition code 730b to EQ, GT, or LT based on the current comparison. As before, the combining block 715 combines the current condition code 730b with a condition code of a prior comparison. In cycle-2, the comparison code for the prior comparison is the condition code 740 from cycle-1 stored in the condition code register 705.
The RME 700 determines whether the dimension match data is equal to, greater than, or less than the corresponding data in the key based on combined condition codes 745. Based on determination 750, the RME 700 returns a response indicating whether the dimension match data and the corresponding data in the key match each other.
As the example of
Consider the example shown in
In cycle-3, the comparing block 710 performs another partial compare and sets a condition code for the current comparison (3-CC). The combining block 715 combines the condition code 3-CC with the condition code P-CC and makes a determination of GT, as shown.
The operation of the combining block 715 (
In a convenient example of the condition code approach, the RME 700 (
In another example of the condition code approach, the RME 700 (
Continuing with reference to the examples shown in
According to a convenient example of the condition code approach shown in
The interleaved value 1115 is provided to the RME 700 (
With reference to
With reference to
As shown, the RME, determines whether the key is within the minimum and maximum values of the range match based on the first and second condition codes for the minimum value (1-CC-LO AND 2-CC-LO); and the first and second condition codes for the maximum value (1-CC-HI AND 2-CC-HI).
The dimension match data (value 1205 and mask 1210) and key data 1215 are provided to the RME in respective first portions and second portions. In cycle-1, the first portion of the mask 1210a identifies that the four left bits of the first portion of the value 1205a are used to match against the first portion of the key data 1215a. The RME applies the first portion of the mask 1210a to the first portion of the value 1205a and to the first portion of the key data 1215a resulting in a masked first portion of the value 1220a and a masked first portion of the key data 1225a, respectively, as shown.
The RME compares the masked first portion of the value 1220a to the masked first portion of the key data 1225a. The RME sets a condition code for the partial compare of cycle-1 (1-CC) to equal to (EQ) or not equal to (!EQ) based on the comparison. In the example of
In cycle-2, the second portion of the mask 1210b identifies that the two left bits of the second portion of the value 1205b are used to match against the second portion of the key data 1215b. The two right bits of the second portion of the value 1205b are “don't care” bits. The RME applies the second portion of the mask 1210b to the second portion of the value 1205b and to the second portion of the key data 1215b resulting in a masked second portion of the value 1220b and a masked second portion of the key data 1225b, respectively, as shown.
The RME compares the masked second portion of the value 1220b to the masked second portion of the key data 1225b. The RME sets a condition code for the partial compare in cycle-2 (2-CC) to equal to (EQ) or not equal to (!EQ) based on the comparison. In the example of
The RME combines the condition codes 1-CC and 2-CC and the RME makes a determination 1230 based on the combination in a manner similar to the other examples of the condition code approaches described above. In the example of
The foregoing application of the condition code to a mask match also applies to prefix and exact matches. (Prefix match and exact match are described above with the reference to
The above-described methods and systems can be implemented in digital electronic circuitry, in computer hardware, firmware, and/or software. The implementation can be as a computer program product (i.e., a computer program tangibly embodied in an information carrier medium). The implementation can, for example, be in a machine-readable storage device for execution by, or to control the operation of, data processing apparatus. The implementation can, for example, be a programmable processor, a computer, and/or multiple computers.
In one example, a computer program can be written in any form of programming language, including compiled and/or interpreted languages, and the computer program can be deployed in any form, including as a stand-alone program or as a subroutine, element, and/or other unit suitable for use in a computing environment to carry out the features and functions of various examples discussed herein. A computer program can be deployed to be executed on one computer or on multiple computers at one site.
Method steps or operations can be performed as processes by one or more programmable processors executing a computer program to perform functions of various examples by operating on input data and generating output. Method steps can also be performed by and an apparatus can be implemented as special purpose logic circuitry. The circuitry can, for example, be a field programmable gate array (FPGA) and/or an application specific integrated circuit (ASIC). Modules, subroutines, and software agents can refer to portions of the computer program, the processor, the special circuitry, software, and/or hardware that implements that functionality.
The rule match engine (RME) 700 of
Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices. The information carriers can, for example, be EPROM, EEPROM, flash memory devices, magnetic disks, internal hard disks, removable disks, magneto-optical disks, CD-ROM, and/or DVD-ROM disks. The processor and the memory can be supplemented by, and/or incorporated in special purpose logic circuitry.
To provide for interaction with a user, the above described techniques can be implemented on a computing device having a display device. The display device can, for example, be a cathode ray tube (CRT) and/or a liquid crystal display (LCD) monitor, and/or a light emitting diode (LED) monitor. The interaction with a user can, for example, be a display of information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computing device (e.g., interact with a user interface element). Other kinds of devices can be used to provide for interaction with a user. Other devices can, for example, be feedback provided to the user in any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback). Input from the user can, for example, be received in any form, including acoustic, speech, and/or tactile input.
The above described systems and techniques can be implemented in a distributed computing system that includes a back-end component. The back-end component can, for example, be a data server, a middleware component, and/or an application server. The above described techniques can be implemented in a distributing computing system that includes a front-end component. The front-end component can, for example, be a client computing device having a graphical user interface, a Web browser through which a user can interact with an example implementation, and/or other graphical user interfaces for a transmitting device. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), the Internet, wired networks, and/or wireless networks.
The system may be coupled to and/or include clients and servers. A client and a server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computing devices and having a client-server relationship to each other.
Communication networks may include packet-based networks, which can include, for example, the Internet, a carrier internet protocol (IP) network (e.g., local area network (LAN), wide area network (WAN), campus area network (CAN), metropolitan area network (MAN), home area network (HAN)), a private IP network, an IP private branch exchange (IPBX), a wireless network (e.g., radio access network (RAN), 802.11 network, 802.16 network, general packet radio service (GPRS) network, HiperLAN), and/or other packet-based networks. Circuit-based networks may include, for example, the public switched telephone network (PSTN), a private branch exchange (PBX), a wireless network (e.g., RAN, Bluetooth, code-division multiple access (CDMA) network, time division multiple access (TDMA) network, global system for mobile communications (GSM) network), and/or other circuit-based networks.
The computing device may include, for example, a computer, a computer with a browser device, a telephone, an IP phone, a mobile device (e.g., cellular phone, personal digital assistant (PDA) device, laptop computer, electronic mail device), and/or other communication devices. The browser device includes, for example, a computer (e.g., desktop computer, laptop computer) with a World Wide Web browser (e.g., INTERNET EXPLORER® available from Microsoft Corporation, of Redmond, Wash.). The mobile computing device includes, for example, a BLACKBERRY® provided by Research In Motion Limited of Waterloo, Ontario, Canada.
“Comprise,” “include,” and/or plural forms of each are open ended and include the listed parts and can include additional parts that are not listed. “And/or” is open ended and includes one or more of the listed parts and combinations of the listed parts.
Although the above disclosure discusses what is currently considered to be a variety of useful examples, it is to be understood that such detail is solely for that purpose, and that the appended claims are not limited to the disclosed examples, but, on the contrary, are intended to cover modifications and equivalent arrangements that are within the spirit and scope of the appended claims.
One skilled in the art will realize the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The foregoing embodiments are therefore to be considered in all respects illustrative rather than limiting of the invention described herein. Scope of the invention is thus indicated by the appended claims, rather than by the foregoing description, and all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5107361 | Kneidinger et al. | Apr 1992 | A |
| 5214653 | Elliott et al. | May 1993 | A |
| 5463777 | Bialkowski et al. | Oct 1995 | A |
| 5584026 | Knudsen et al. | Dec 1996 | A |
| 5682535 | Knudsen | Oct 1997 | A |
| 5893142 | Moyer et al. | Apr 1999 | A |
| 5893911 | Piskiel et al. | Apr 1999 | A |
| 6212184 | Venkatachary et al. | Apr 2001 | B1 |
| 6233575 | Agrawal et al. | May 2001 | B1 |
| 6298340 | Calvignac et al. | Oct 2001 | B1 |
| 6341130 | Lakshman et al. | Jan 2002 | B1 |
| 6467019 | Washburn | Oct 2002 | B1 |
| 6473763 | Corl et al. | Oct 2002 | B1 |
| 6476763 | Allen | Nov 2002 | B2 |
| 6510509 | Chopra et al. | Jan 2003 | B1 |
| 6539394 | Calvignac et al. | Mar 2003 | B1 |
| 6567408 | Li et al. | May 2003 | B1 |
| 6587466 | Bhattacharya et al. | Jul 2003 | B1 |
| 6636480 | Walia et al. | Oct 2003 | B1 |
| 6658002 | Ross et al. | Dec 2003 | B1 |
| 6735600 | Andreev | May 2004 | B1 |
| 6868414 | Khanna et al. | Mar 2005 | B2 |
| 6918031 | Wilson | Jul 2005 | B2 |
| 6980555 | Mar | Dec 2005 | B2 |
| 7039641 | Woo | May 2006 | B2 |
| 7046848 | Olcott | May 2006 | B1 |
| 7110407 | Khanna | Sep 2006 | B1 |
| 7133409 | Willardson | Nov 2006 | B1 |
| 7225188 | Gai et al. | May 2007 | B1 |
| 7260558 | Cheng et al. | Aug 2007 | B1 |
| 7350040 | Marinescu | Mar 2008 | B2 |
| 7366728 | Corl et al. | Apr 2008 | B2 |
| 7370361 | de los Santos et al. | May 2008 | B2 |
| 7392349 | Mathur et al. | Jun 2008 | B1 |
| 7415472 | Testa | Aug 2008 | B2 |
| 7441022 | Schuba et al. | Oct 2008 | B1 |
| 7509300 | Sahni et al. | Mar 2009 | B2 |
| 7536476 | Alleyne | May 2009 | B1 |
| 7546234 | Deb et al. | Jun 2009 | B1 |
| 7571156 | Gupta et al. | Aug 2009 | B1 |
| 7594081 | Bouchard et al. | Sep 2009 | B2 |
| 7613926 | Edery et al. | Nov 2009 | B2 |
| 7634408 | Mohri | Dec 2009 | B1 |
| 7636717 | Gupta et al. | Dec 2009 | B1 |
| 7702629 | Cytron et al. | Apr 2010 | B2 |
| 7710988 | Tripathi et al. | May 2010 | B1 |
| 7711893 | Venkatachary | May 2010 | B1 |
| 7761890 | Harvey et al. | Jul 2010 | B1 |
| 7870161 | Wang | Jan 2011 | B2 |
| 7873992 | Daily et al. | Jan 2011 | B1 |
| 7937355 | Corl et al. | May 2011 | B2 |
| 7949683 | Goyal | May 2011 | B2 |
| 7962434 | Estan et al. | Jun 2011 | B2 |
| 7990893 | Singh | Aug 2011 | B1 |
| 7992169 | Harvey et al. | Aug 2011 | B1 |
| 8005869 | Corl et al. | Aug 2011 | B2 |
| 8015085 | Srinivasan et al. | Sep 2011 | B2 |
| 8024802 | Preston | Sep 2011 | B1 |
| 8051085 | Srinivasan et al. | Nov 2011 | B1 |
| 8111697 | Panwar et al. | Feb 2012 | B1 |
| 8156507 | Brjazovski et al. | Apr 2012 | B2 |
| 8165125 | Kim et al. | Apr 2012 | B2 |
| 8180803 | Goyal | May 2012 | B2 |
| 8301788 | Bouchard et al. | Oct 2012 | B2 |
| 8352391 | Kapadia | Jan 2013 | B1 |
| 8392590 | Bouchard et al. | Mar 2013 | B2 |
| 8407794 | Kim et al. | Mar 2013 | B2 |
| 8447120 | Ji et al. | May 2013 | B2 |
| 8473523 | Goyal | Jun 2013 | B2 |
| 8477611 | Lim | Jul 2013 | B2 |
| 8543528 | Lunteren | Sep 2013 | B2 |
| 8554698 | Bando et al. | Oct 2013 | B2 |
| 8566344 | Bando et al. | Oct 2013 | B2 |
| 8800021 | Swaminathan et al. | Aug 2014 | B1 |
| 8856203 | Schelp et al. | Oct 2014 | B1 |
| 8934488 | Goyal et al. | Jan 2015 | B2 |
| 8937952 | Goyal et al. | Jan 2015 | B2 |
| 8937954 | Goyal et al. | Jan 2015 | B2 |
| 8990259 | Billa et al. | Mar 2015 | B2 |
| 9137340 | Goyal et al. | Sep 2015 | B2 |
| 9183244 | Bullis et al. | Nov 2015 | B2 |
| 9344366 | Bouchard et al. | May 2016 | B2 |
| 20010006520 | Moulsley et al. | Jul 2001 | A1 |
| 20020023089 | Woo | Feb 2002 | A1 |
| 20030005144 | Engel et al. | Jan 2003 | A1 |
| 20030028674 | Boden | Feb 2003 | A1 |
| 20030108043 | Liao | Jun 2003 | A1 |
| 20030126272 | Cori et al. | Jul 2003 | A1 |
| 20030156586 | Lee et al. | Aug 2003 | A1 |
| 20030223421 | Rich et al. | Dec 2003 | A1 |
| 20040006668 | Park et al. | Jan 2004 | A1 |
| 20040158744 | Deng et al. | Aug 2004 | A1 |
| 20040162826 | Wyschogrod et al. | Aug 2004 | A1 |
| 20040172234 | Dapp et al. | Sep 2004 | A1 |
| 20040193563 | Hagelin | Sep 2004 | A1 |
| 20040225999 | Nuss | Nov 2004 | A1 |
| 20040258067 | Irish et al. | Dec 2004 | A1 |
| 20040264384 | Deval et al. | Dec 2004 | A1 |
| 20050013293 | Sahita | Jan 2005 | A1 |
| 20050028114 | Gould et al. | Feb 2005 | A1 |
| 20050035784 | Gould et al. | Feb 2005 | A1 |
| 20050157641 | Roy | Jul 2005 | A1 |
| 20050177736 | de los Santos et al. | Aug 2005 | A1 |
| 20050238010 | Panigrahy et al. | Oct 2005 | A1 |
| 20050240604 | Corl et al. | Oct 2005 | A1 |
| 20050278781 | Zhao et al. | Dec 2005 | A1 |
| 20060002386 | Yik et al. | Jan 2006 | A1 |
| 20060026138 | Robertson et al. | Feb 2006 | A1 |
| 20060029104 | Jungck | Feb 2006 | A1 |
| 20060039372 | Sarkinen et al. | Feb 2006 | A1 |
| 20060059165 | Bosloy et al. | Mar 2006 | A1 |
| 20060059314 | Bouchard et al. | Mar 2006 | A1 |
| 20060069872 | Bouchard et al. | Mar 2006 | A1 |
| 20060075206 | Bouchard et al. | Apr 2006 | A1 |
| 20060085533 | Hussain et al. | Apr 2006 | A1 |
| 20060101195 | Jain | May 2006 | A1 |
| 20060130142 | Mester et al. | Jun 2006 | A1 |
| 20060136570 | Pandya | Jun 2006 | A1 |
| 20060155915 | Pereira | Jul 2006 | A1 |
| 20060288024 | Braica | Dec 2006 | A1 |
| 20070011734 | Balakrishnan et al. | Jan 2007 | A1 |
| 20070115966 | Tzeng | May 2007 | A1 |
| 20070168377 | Zabarsky | Jul 2007 | A1 |
| 20070192863 | Kapoor et al. | Aug 2007 | A1 |
| 20070240229 | Yoon et al. | Oct 2007 | A1 |
| 20080031258 | Acharya et al. | Feb 2008 | A1 |
| 20080034427 | Cadambi et al. | Feb 2008 | A1 |
| 20080059464 | Law et al. | Mar 2008 | A1 |
| 20080071783 | Langmead et al. | Mar 2008 | A1 |
| 20080082946 | Zilic et al. | Apr 2008 | A1 |
| 20080097959 | Chen et al. | Apr 2008 | A1 |
| 20080101371 | Law et al. | May 2008 | A1 |
| 20080109392 | Nandy | May 2008 | A1 |
| 20080109431 | Kori | May 2008 | A1 |
| 20080140600 | Pandya | Jun 2008 | A1 |
| 20080140631 | Pandya | Jun 2008 | A1 |
| 20080209540 | Deng et al. | Aug 2008 | A1 |
| 20080229415 | Kapoor et al. | Sep 2008 | A1 |
| 20080262991 | Kapoor et al. | Oct 2008 | A1 |
| 20080270833 | McMillen et al. | Oct 2008 | A1 |
| 20080271147 | Mohanan et al. | Oct 2008 | A1 |
| 20080310440 | Chen et al. | Dec 2008 | A1 |
| 20090006847 | Abzarian et al. | Jan 2009 | A1 |
| 20090034530 | Basso et al. | Feb 2009 | A1 |
| 20090063825 | McMillen et al. | Mar 2009 | A1 |
| 20090119279 | Goyal et al. | May 2009 | A1 |
| 20090119399 | Hussain et al. | May 2009 | A1 |
| 20090125470 | Shah et al. | May 2009 | A1 |
| 20090138440 | Goyal | May 2009 | A1 |
| 20090138494 | Goyal | May 2009 | A1 |
| 20090185568 | Cho et al. | Jul 2009 | A1 |
| 20090217341 | Sun et al. | Aug 2009 | A1 |
| 20090262659 | Sturges et al. | Oct 2009 | A1 |
| 20090274384 | Jakobovits | Nov 2009 | A1 |
| 20090323383 | Mondaeev et al. | Dec 2009 | A1 |
| 20100034202 | Lu et al. | Feb 2010 | A1 |
| 20100037056 | Follis et al. | Feb 2010 | A1 |
| 20100067535 | Ma et al. | Mar 2010 | A1 |
| 20100094906 | Della-Libera et al. | Apr 2010 | A1 |
| 20100095162 | Inakoshi | Apr 2010 | A1 |
| 20100110936 | Bailey et al. | May 2010 | A1 |
| 20100114973 | Goyal | May 2010 | A1 |
| 20100146623 | Namjoshi et al. | Jun 2010 | A1 |
| 20100153326 | Bernardes et al. | Jun 2010 | A1 |
| 20100153420 | Yang et al. | Jun 2010 | A1 |
| 20100158394 | Chang et al. | Jun 2010 | A1 |
| 20100175124 | Miranda | Jul 2010 | A1 |
| 20100192225 | Ma et al. | Jul 2010 | A1 |
| 20100199355 | Ouddan et al. | Aug 2010 | A1 |
| 20100281532 | Deng et al. | Nov 2010 | A1 |
| 20110016154 | Goyal et al. | Jan 2011 | A1 |
| 20110038375 | Liu et al. | Feb 2011 | A1 |
| 20110090842 | Hirano et al. | Apr 2011 | A1 |
| 20110093484 | Bando et al. | Apr 2011 | A1 |
| 20110093496 | Bando et al. | Apr 2011 | A1 |
| 20110113191 | Pandya | May 2011 | A1 |
| 20110119440 | Pandya | May 2011 | A1 |
| 20110137930 | Hao et al. | Jun 2011 | A1 |
| 20110173149 | Schon | Jul 2011 | A1 |
| 20110173490 | Narayanaswamy et al. | Jul 2011 | A1 |
| 20110185077 | Bremler-Barr et al. | Jul 2011 | A1 |
| 20110219010 | Lim | Sep 2011 | A1 |
| 20110238855 | Korsunsky et al. | Sep 2011 | A1 |
| 20110264822 | Ferguson et al. | Oct 2011 | A1 |
| 20110295779 | Chen et al. | Dec 2011 | A1 |
| 20120017262 | Kapoor et al. | Jan 2012 | A1 |
| 20120078832 | Lunteren | Mar 2012 | A1 |
| 20120143854 | Goyal et al. | Jun 2012 | A1 |
| 20120203718 | Biran et al. | Aug 2012 | A1 |
| 20120215569 | Bauchot et al. | Aug 2012 | A1 |
| 20120221494 | Pasetto et al. | Aug 2012 | A1 |
| 20120221497 | Goyal et al. | Aug 2012 | A1 |
| 20120311529 | Beveridge et al. | Dec 2012 | A1 |
| 20120331007 | Billa et al. | Dec 2012 | A1 |
| 20120331554 | Goyal et al. | Dec 2012 | A1 |
| 20130034100 | Goyal et al. | Feb 2013 | A1 |
| 20130034106 | Goyal et al. | Feb 2013 | A1 |
| 20130036083 | Goyal | Feb 2013 | A1 |
| 20130036102 | Goyal et al. | Feb 2013 | A1 |
| 20130036471 | Bouchard et al. | Feb 2013 | A1 |
| 20130036477 | Goyal | Feb 2013 | A1 |
| 20130039366 | Goyal et al. | Feb 2013 | A1 |
| 20130060727 | Goyal et al. | Mar 2013 | A1 |
| 20130070753 | Sahni et al. | Mar 2013 | A1 |
| 20130085978 | Goyal et al. | Apr 2013 | A1 |
| 20130133064 | Goyal et al. | May 2013 | A1 |
| 20130191916 | Yao et al. | Jul 2013 | A1 |
| 20130212484 | Joshi | Aug 2013 | A1 |
| 20130218853 | Bullis et al. | Aug 2013 | A1 |
| 20130232104 | Goyal et al. | Sep 2013 | A1 |
| 20130282766 | Goyal et al. | Oct 2013 | A1 |
| 20140079063 | Edsall et al. | Mar 2014 | A1 |
| 20140214749 | Ruehle | Jul 2014 | A1 |
| 20140229386 | Tervo et al. | Aug 2014 | A1 |
| 20140279850 | Goyal et al. | Sep 2014 | A1 |
| 20140280357 | Billa et al. | Sep 2014 | A1 |
| 20140281809 | Billa et al. | Sep 2014 | A1 |
| 20150066927 | Goyal et al. | Mar 2015 | A1 |
| 20150067123 | Goyal et al. | Mar 2015 | A1 |
| 20150067200 | Goyal et al. | Mar 2015 | A1 |
| 20150067776 | Billa et al. | Mar 2015 | A1 |
| 20150067836 | Billa et al. | Mar 2015 | A1 |
| 20150117461 | Goyal et al. | Apr 2015 | A1 |
| 20150186786 | Goyal et al. | Jul 2015 | A1 |
| 20150189046 | Worrell et al. | Jul 2015 | A1 |
| 20150193689 | Worrell | Jul 2015 | A1 |
| 20150220454 | Goyal et al. | Aug 2015 | A1 |
| 20150220845 | Goyal et al. | Aug 2015 | A1 |
| 20160248739 | Bouchard et al. | Aug 2016 | A1 |
| Number | Date | Country |
|---|---|---|
| 2 276 217 | Jan 2011 | EP |
| 2004013777 | Feb 2004 | WO |
| 2007109445 | Sep 2007 | WO |
| 2008005772 | Jan 2008 | WO |
| 2009145712 | Dec 2009 | WO |
| 2012177736 | Dec 2012 | WO |
| 2012177752 | Dec 2012 | WO |
| 2013020002 | Feb 2013 | WO |
| 2013020003 | Feb 2013 | WO |
| 2013078053 | May 2013 | WO |
| Entry |
|---|
| Abdelghani et al. (2005) “Packet Classification Using Adaptive Rule Cutting,” In; The IEEE Proc. of Adv. Indus. Conf. on Telecom. pp. 28-33. |
| Aho et al. (1977) Ch. 3 In; Principles of Compiler Design. Addison-Wesley. pp. 73-124. |
| Baboescu et al. (2001) “Scalable Packet Classification,” In; The Proceedings of the ACM SIGCOMM '01 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication. pp. 199-210. |
| Baboescu et al. (2003) “Packet Classification for Core Routers: Is there an alternative to CAMs?” In; The Twenty-Second Annual Joint Conference of the IEEE Computer and Communications, INFOCOM 2003. vol. 1. pp. 53-63. |
| Becchi et al (2008) “Extending Finite Automata to Efficiently Match Perl-compatible Regular Expressions,” In; The Proceedings of the 2008 CoNext Conference. Dec. 9-12, 2008. |
| Becchi et al. (2007) “A Hybrid Finite Automaton for Practical Deep Packet Inspection,” In; The Proceedings of the International Conference on emerging Networking EXperiments and Technologies (CoNEXT), New York, New York. Dec. 2007. |
| Becchi et al. (2009) “Data Structures, Algorithms and Architechtures for Efficient Regular Expression Evaluation,” Washington University. Dissertation for the degree of Doctor of Philosophy. Saint Louis, Missouri. |
| Branch et al. (2002) “Denial of Service Intrusion Detection Using Time Dependent Deterministic Finite Automata,” In; The Proc. Research Conference, Troy, NY, Oct. 2002. |
| Chodnicki (2011) “An Introduction to Regular Expressions/Adventures with Open Source BI,” Adventures with Open Source BI. Accessible on the Internet at URL: available at http://type-exit.org/adventures-with-open-source-bi/2011/05/an-introduction-to-regular-expressions. [Last Accessed Aug. 21, 2015]. |
| Faro et al. (2008) “Efficient Variants of the Backward-Oracle-Matching Algorithm,” In; The Proceedings of Prague Stringology Conference, 2008, pp. 146-160. |
| Gupta et al. (1999) “Packet Classification on Multiple Fields,” In; The Proceedings of SIGCOMM '99 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (SIGCOMM '99). pp. 147-160. |
| Gupta et al. (2000) “Classifying Packets With Hierarchical Intelligent Cuttings,” IEEE Micro. 20(1):34-41. |
| Gupta (2000) “Algorithms for Packet Routing Lookups and Packet Classification,” Stanford University. Dissertation for be degree of Doctor of Philosophy. |
| Hoperoft et al. (1979) Ch. 2 In; Introduction to Automata Theory, Languages, and Computation. Addison-Wesley. Reading, Massachusetts. |
| Wikipedia “Access control list,” Wikimedia Foundation, Inc. Accessible on the Internet at URL: https://en.wikipedia.org/wiki/Access—control—list. [Last Accessed Aug. 21, 2015]. |
| Klarlund (1992) “Progress Measures, Immediate Determinacy, and a Subset Construction for Tree Automata,” In; The Proceedings of the Seventh Annual IEEE Symposium on Logic in Computer Science, 1992. LICS '92. pp. 382-393. |
| Navarro (2001) “NR-grep: A Fast and Flexible Pattern Matching Tool,” Software Practice and Experience (SPE). 31:1265-1312. |
| Navarro (2004) “Pattern Matching,” Journal of Applied Statistics. 31(8):925-949. |
| Pong et al. (2011) “HARP: Rapid Packet Classification via Hashing Round-Down Prefixes,” IEEE Transactions on Parallel and Distributed Systems. 22(7):1105-1119. |
| Qi et al. (2009) “Packet Classification Algorithms: From Theory to Practice,” In; The Proceedings of the 28th IEEE conference on Computer Communications (INFOCOM '09). pp. 648-656. |
| Rabin et al. (1959) “Finite Automata and their Decision Problems,” IBM Journal of Research and Development. 3(2):114-125. |
| Singh (2002)“Regular Expressions,” Seeing With C. Accessible on th Internet at URL: http://www.seeingwithc.org/topic7html.html. [Last Accessed Aug. 24, 2014]. |
| Singh et al. (2003) “Packet Classification Using Multidimensional Cutting,” In; The Proceedings of the ACMSIGCOMM 03 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (SIGCOMM 03). pp. 213-224. |
| Sipser (1997) “Introduction to the Theory of Computation,” PWS Nondeterminism. Section 1.2 pp. 47-63. |
| Sun et al. (2008) “HFilter: Hybrid Finite Automaton Based Stream Filtering for Deep and Recursive XML Data,” Database and Expert Systems Applications Lecture Notes in Computer Science. 5181:566-580. |
| Theiling (2001) “Generating Decision Trees for Decoding Binaries” In; The OM '01 Proceedings of the 2001 ACM SIGPLAN workshop on Optimization of middleware and distributed systems. pp. 112-120. |
| Yu et al. (2006) “A Novel IP Packet Classification Algorithm Based on Hierarchical Intelligent Cuttings,” In; The Proceedings of the IEEE 6th International Conference on ITS Telecom. pp. 1033-1036. |
| Zhang et al. (2010) “On Constructing Efficient Shared Decision Trees for Multiple Packet Filters,” In; IEEE INFOCOM'10. San Diego, California. |
| International Search Report with Written Opinion corresponding to International Patent Application No. PCT/US2012/043307, mailed Dec. 6, 2012. |
| International Search Report with Written Opinion corresponding to International Patent Application No. PCT/US2012/049406, mailed Oct. 18, 2010. |
| Office Action corresponding to U.S. Appl. No. 13/168,395, mailed Apr. 20, 2015. |
| Office Action corresponding to U.S. Appl. No. 13/168,395, mailed Dec. 24, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/168,395, mailed Dec. 27, 2013. |
| Office Action corresponding to U.S. Appl. No. 13/168,395, mailed Jun. 10, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/168,450, mailed Apr. 25, 2013. |
| Office Action corresponding to U.S. Appl. No. 13/168,450, mailed Feb. 28, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/168,450, mailed Jun. 6, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/168,450, mailed Oct. 8, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/565,775, mailed Aug. 26, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/565,775, mailed Feb. 9, 2015. |
| Office Action corresponding to U.S. Appl. No. 13/831,191, mailed Dec. 12, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/831,191, mailed May 21, 2015. |
| Office Action corresponding to U.S. Appl. No. 13/831,232, mailed Nov. 21, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/831,415, mailed Dec. 18, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/831,415, mailed Jun. 4, 2015. |
| Office Action corresponding to U.S. Appl. No. 14/145,918, mailed Aug. 19, 2016. |
| Office Action corresponding to U.S. Appl. No. 14/145,918, mailed Jan. 26, 2016. |
| Number | Date | Country | |
|---|---|---|---|
| 20150193689 A1 | Jul 2015 | US |
