Patent Grant
9544402
The Open Systems Interconnection (OSI) Reference Model defines seven network protocol layers (L1-L7) used to communicate over a transmission medium. The upper layers (L4-L7) represent end-to-end communications and the lower layers (L1-L3) represent local communications.
Networking application aware systems need to process, filter and switch a range of L3 to L7 network protocol layers, for example, L7 network protocol layers such as, HyperText Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP), and L4 network protocol layers such as Transmission Control Protocol (TCP). In addition to processing the network protocol layers, the networking application aware systems need to simultaneously secure these protocols with access and content based security through L4-L7 network protocol layers including Firewall, Virtual Private Network (VPN), Secure Sockets Layer (SSL), Intrusion Detection System (IDS), Internet Protocol Security (IPSec), Anti-Virus (AV) and Anti-Spam functionality at wire-speed.
Improving the efficiency and security of network operation in today's Internet world remains an ultimate goal for Internet users. Access control, traffic engineering, intrusion detection, and many other network services require the discrimination of packets based on multiple fields of packet headers, which is called packet classification.
Internet routers classify packets to implement a number of advanced internet services such as routing, rate limiting, access control in firewalls, virtual bandwidth allocation, policy-based routing, service differentiation, load balancing, traffic shaping, and traffic billing. These services require the router to classify incoming packets into different flows and then to perform appropriate actions depending on this classification.
A classifier, using a set of filters or rules, specifies the flows, or classes. For example, each rule in a firewall might specify a set of source and destination addresses and associate a corresponding deny or permit action with it. Alternatively, the rules might be based on several fields of a packet header including layers 2, 3, 4, and 5 of the OSI model, which contain addressing and protocol information.
On some types of proprietary hardware, an Access Control List (ACL) refers to rules that are applied to port numbers or network daemon names that are available on a host or layer 3 device, each with a list of hosts and/or networks permitted to use a service. Both individual servers as well as routers can have network ACLs. ACLs can be configured to control both inbound and outbound traffic.
In accordance with an example, a method for encoding one or more key matching rules grouped in a chunk is provided. The method includes a rule encoding engine, communicatively coupled to memory and provided with a chunk of key matching rules, building a multi-rule corresponding to the chunk. The multi-rule is built by storing in the memory a multi-rule header of the multi-rule. The multi-rule header represents headers of the key matching rules.
In accordance with another example, a system for encoding one or more key matching rules grouped in a chunk is provided. The system includes memory and at least one interface receiving a chunk of key matching rules. The system further includes a rule encoding engine communicatively coupled to the memory and the at least one interface. The rule encoding engine configured to build a multi-rule corresponding to the chunk. The rule encoding engine builds the multi-rule by storing in the memory, storing in the memory a multi-rule header of the multi-rule. The multi-rule header represents headers of the key matching rules.
In accordance with yet another example, a tangible computer-readable storage medium having computer readable instructions stored therein for encoding one or more key matching rules grouped in a chunk is provided. The computer readable instructions when executed by a rule encoding engine, provided with a chunk of each key matching rules, cause the rule encoding engine to build a multi-rule corresponding to the chunk. The rule encoding engine builds the multi-rule by storing in the memory, a multi-rule header of the multi-rule. The multi-rule header representing headers of the key matching rules.
In some examples, any of the aspects above can include one or more of the following features.
In other examples of the method, storing the multi-rule header of the multi-rule further includes storing, consecutively, a rule validity value for each of the key matching rules of the chunk. Storing a first value for a rule validity value corresponding to a subject key matching rule enables matching of the subject key matching rule and storing a second value different than the first value disables matching of the subject key matching rule.
In some examples of the method, storing the rule validity values includes, given a key matching rule that always matches, storing a rule validity having a third value; and given a key matching rule that never matches, storing a rule validity having a fourth value different than the third value.
In other examples of the method, storing the multi-rule header of the multi-rule further includes, given key matching rules each having at least one dimension, storing, consecutively, an enable value for each dimension of the key matching rules of the chunk. Storing a first value for an enable value corresponding to a subject dimension enables matching of the subject dimension and storing a second value different than the first value disables matching of the subject dimension.
In some examples of the method, disabling matching of the subject dimension further includes instructing a decoder to provide an always match dimension result.
In other examples of the method, disabling matching of the subject dimension further includes instructing a decoder not to assign a dimension match engine to the subject dimension.
In some examples of the method, disabling matching of the subject dimension further includes masking the subject dimension for a decoder.
In other examples of the method, storing the multi-rule header of the multi-rule further includes storing, consecutively, a priority value for each of the key matching rules of the chunk in which storing a priority value for subject key matching rule indicates a priority of the subject key matching rule relative to the key matching rules of the chunk.
Some examples of the method further includes, given a key matching rule having at least one dimension, storing in the memory, dimension data of the multi-rule. The dimension data includes, for each key matching rule, a value associated with the at least one dimension of a subject key matching rule.
In some examples of the method, storing the dimension data of the multi-rule further includes for a given key matching rule of the chunk, storing a priority value at the end of the dimension data stored for the rule in the multi-rule.
In other examples of the method, storing the dimension data of the multi-rule includes, given the one dimension of the subject key matching rule is a range field with a minimum value and a maximum value, interleaving the minimum value with the maximum value to form an interleaved value. The examples further include storing in the memory the interleaved value of the range field associated with the subject key matching rule.
In some examples of the method, storing the dimension data of the multi-rule includes, given the one dimension of the subject key matching rule is a mask field with a value and a mask, interleaving the value with the mask to form an interleaved value. The examples include storing in the memory the interleaved value of the mask field associated with the subject key matching rule.
In some examples of the method, the chunk includes one key matching rule.
These and other features and characteristics, as well as the methods of operation and functions of the related elements of structure and the combination of parts and economies of manufacture, will become more apparent upon consideration of the following description and the appended claims with reference to the accompanying drawings, all of which form a part of this specification, wherein like reference numerals designate corresponding parts in the various figures. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of claims. As used in the specification and in the claims, the singular form of “a”, “an”, and “the” include plural referents unless the context clearly dictates otherwise.
The foregoing will be apparent from the following more particular description of example embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments of the present invention.
The core routers 104a-h are configured to operate in the Internet core 102 or Internet backbone. The core routers 104a-h are configured to support multiple telecommunications interfaces of the Internet core 102 and are further configured to forward packets at a full speed of each of the multiple telecommunications protocols.
The edge routers 106a-f are placed at the edge of the Internet core 102. Edge routers 106a-f bridge access routers 108a-e outside the Internet core 102 and core routers 104a-h in the Internet core 102. Edge routers 106a-f can be configured to employ a bridging protocol to forward packets from access routers 108a-e to core routers 104a-h and vice versa.
The access routers 108a-e can be routers used by an end user, such as a home user or an office, to connect to one of the edge routers 106a-f, which in turn connects to the Internet core 102 by connecting to one of the core routers 104a-h. In this manner, the access routers 108a-e can connect to any other access router 108a-e via the edge routers 106a-f and the interconnected core routers 104a-h.
A search processor described herein can reside in any of the core routers 104a-h, edge routers 106a-f, and access routers 108a-e. The search processor described herein, within each of these routers, is configured to analyze Internet protocol (IP) packets based on a set of rules and forward the IP packets along an appropriate network path.
Likewise, the second host processor 214 is an egress host processor. The second host processor 214 receives egress packets to send from the network 216. The second host processor 214 forwards a lookup request with a packet header (or field) from the egress packets 216 to the search processor 202 over a second Interlaken interface 218. The search processor 202 then processes the packet header using a plurality of rule processing engines employing a plurality of rules to determine a path to forward the packets on the network. The second host processor 214 forwards the processed ingress packets 220 to another network element in the network.
As an example, a packet is received by the line card 306a at the MAC layer 326a. The MAC layer 326a sends the packet to the forwarding table 324a. Then, the packet and appropriate forwarding table information is stored in the local buffer memory 322a. Based on the determination, the router selects an appropriate line card 306b, stores the packet and forwarding information in the local buffer memory 322b of the appropriate line card, and forwards the packet out to the network.
Generally speaking, packets received are matched with rules that determine actions to take with a matched packet. Generic packet classification requires a router to classify a packet on the basis of multiple fields in a header of the packet. Each rule of the classifier specifies a class that a packet may belong to, according to criteria on ‘F’ fields of the packet header, and associates an identifier (e.g., class ID) with each class. For example, each rule in a flow classifier is a flow specification, in which each flow is in a separate class. The identifier uniquely specifies an action associated with each rule. Each rule has multiple fields. An ith field of a rule R, referred to as R[i], is a regular expression on the ith field of the packet header. A packet P matches a particular rule R if for every i, the ith field of the header of P satisfies the regular expression R[i].
With reference to
Classes specified by the rules may overlap. For instance, one key may match several rules. In this case, when several rules overlap, an order in which the rules appear in the classifier may determine the relative priority of the rule. In other words, a key that matched multiple rules belongs to the class identified by the identifier (class ID) of the rule among them that appears first in the classifier. Alternatively, a unique priority associated with a rule may determine its priority, for example, the rule with the highest priority.
The search processor 202 (
The RME 600 can be logically divided into three blocks. First, the RME 600 includes a formatting block 615 configured to format rules 610 for processing. Second, the RME 600 includes dimension match engine (DME) blocks 620a-n configured to match dimensions with the key. Third, the RME 600 includes a post processing block 625 that receives all of the processing from the DME block 620a-n and issues a final result 630. The final result 630 is a Boolean ‘and’ of all dimensions results.
The formatting block 615 receives the key 605 and rules 610. The formatting block 615, based on the key 605, rule 610, and rule format info, outputs formatted dimensions 635a-n to the DME blocks 620a-n. The formatting block 615 outputs as many formatted dimensions 635a-n as there are the DME's in a particular clock cycle. For example, in an RME 600 that includes twelve DME's, the format block 615 can issue twelve formatted dimensions 635a-n to each of the twelve DME's 620a-n. However, the RME 600 can contain any number of DME's. The DME's 620a-n receive the formatted dimension 635a-n and the key 605. The DME's 620a-n process the key 605, comparing it to the formatted dimension 635a-n, and output a respective dimension result 640a-n. The post processing block 615 receives all of the dimension results 640a-n, and performs the Boolean ‘and’ of all of the dimension results 640a-n to output results 630. Therefore results 630 indicate whether the key 605 matches a particular rule across all of its dimensions.
There are several challenges to encoding and decoding a group of rules. There is the challenge of encoding the rules to take the least amount of space in memory, i.e., storage efficiency. There is also the challenge of decoding the encoded rules, so that the decoded rules can be used to match a key, in the least amount of time using the least amount of processing resources, i.e., runtime lookup efficiency. There are trade-offs in addressing storage efficiency and runtime lookup efficiency.
Consider the example shown in
As shown, encoding the key matching rule 700, which includes adding a variable length header, priority field, and user data takes at least 228 bits. The large bit size of the key matching rule 700, compared to the key 705, clearly demonstrates the motivation for approaches to encoding key matching rules efficiently. One such approach is to store only the relevant bits of a given dimension in a key matching rule. The approach reduces the size of the key matching rule. It may be convenient to think about such an approach as being a compression technique.
Decoding the “compressed” rule, however, requires more processing than compared to decoding the key matching rule 700 shown in the
Continuing with the figure, the rule encoding engine 800 is communicatively coupled to memory 805 as shown. A chunk of key matching rules 810 is provided to the rule encoding engine 800. The chunk 810 includes a number of key matching rules. Each key matching rule includes a header (Header1, Header2, . . . HeaderN) and dimension data (Dim. Data1, Dim. Data2, . . . Dim. DataN). (Dimension data of a key matching rule is described above with the reference to
In operation, the rule encoding engine 800 builds a multi-rule 815 for the rules provided. The multi-rule 815 includes a multi-rule header 820 and dimension data 825. The multi-rule header 820 represents the headers of the key matching rules (Header1, Header2, . . . HeaderN). The dimension data 825 includes the dimension data of the key matching rules (Dim. Data1, Dim. Data2, . . . Dim. DataN). The rule encoding engine 800 stores the multi-rule 815 with multi-rule header 820 and dimension data 825 in the memory 805.
With additional reference to
In contrast, according to a prior approach, multiple key matching rules are encoded, sequentially, one rule after the other. The header and dimension data for a first key matching rule (H1 and DD1) are stored first. The header and dimension data for a second key matching rule (H2 and DD2) are then stored after the header and dimension data of the first key matching rule (H1 and DD 1), and so on, resulting in the pattern H1, DD1, H2, DD2 . . . HN, and DDN). In this way, headers of multiple key matching rules are separated by dimension data of multiple key matching rules and are not stored, collectively.
An example of the sequential encoding process includes determining the length of a key matching rule, calculating the start of a next key matching rule based on the determination, and repeating the foregoing steps for as many times as there are number of the key matching rules to be encoded. Decoding multiples key matching rules encoded in the aforementioned manner includes decoding up to N number of headers, extracting fields from up to N number of headers, and calculating up to N number of header lengths. Comparative studies of the sequential approach and the multi-rule approach show that multi-rule header formatting can reduce the area and power of the RME 600 (
Continuing with
In another example of the multi-rule approach shown in
When the decoder 615 (
A convenient example of the multi-rule 1005, as shown, further includes a length field 1015, number of rules field 1020, padding field 1025, and priority field 1030. The length field 1015 stores the length of the multi-rule 1005. The number of rules field 1020 stores the number of rules in the multi-rule 1005. The priority field 1030 stores a priority of the always/never match rule, which may or may not be present. The padding field 1025 stores a number of bits to nibble align the priority field 1030. (The advantage of nibble alignment is described below.)
Returning to
Consider the example shown in
The encoded rule R1 includes for each of the dimensions X and Y, a dimension field (dim_X and dim_Y) and enable field (e_X and e_Y) associated with the dimension field. The dimension and enable fields have the values as shown. In a convenient example of the multi-rule approach, the rule encoding engine 800 (
With respect to the encoded rule R2, the rule encoding engine 800 (
According to an example of the multi-rule approach, the rule encoding engine 800 (
In one example of the multi-rule approach, in processing the encoded rule R2, when the decoder 615 (
In a convenient example of the multi-rule approach, rule encoding engine 800 (
Disabling dimension matching, as described above, is particular advantageous when resources to match key and rule dimensions are limited. With reference to
With the multi-rule approach, by setting enable values of some of the dimensions and disabling matching, some dimensions are not assigned to DME's. With DME's available to process other dimensions, it is possible with the multi-rule approach to process an entire rule chunk in one clock cycle. Also with the multi-rule approach, a number of DME's in the RME can be reduced and advantageously still do a same amount of work as a number of DME's processing every dimensions, including always matching dimensions.
Returning to
In some examples of the multi-rule approach, the rule encoding engine does not store bits for a dimension having an associated enable value of 0 and dimension matching disabled. For example, if an enable field of a rule with four dimensions (dim_0, dim_1, dim_2, and dim_3) has a binary value of 1011 (i.e., dim_1 has an enable value of 0) the rule encoding engine includes bits (content) for dim_0, dim_2, and dim_3 in a multi-rule and leaves out bits for dim_1. It may be convenient to say that the rule encoding engine 800 (
In another example of the multi-rule approach, the rule encoding engine packs bits of a given dimension into the dimension data of a multi-rule based on a match type of that dimension (i.e., exact match, prefix match, range match, and mask match). For a range type match with the maximum value and minimal value, the rule encoding engine interleaves the maximum and minimum values in a range field.
In the example shown in
The foregoing process of interleaving maximum and minimum values of a range (e.g., 4 bits at time) may be referred to as nibble interleaving range match data. Mask match data, a pairing of value and mask, may also be nibble interleaved as described above. Nibble interleaving range and mask match data in a multi-rule is advantageous because it enables a single shifter in a DME to extract two fields. Without interleaving, two shifters are required to extract two fields. Eliminating one shifter from each of the DME's 620a-n (
Returning to
The approach of encoding a priority field at the end of a rule is advantageous compared to the prior approach of placing priority fields in the rule headers of key matching rules. To process priority fields in rule headers it is necessary to extract up to N priority fields for N rules, manage these priority fields and store them in a FIFO (first in, first out) or other expensive data structure until rules that match are found at (or near) the end of a match pipeline.
With the multi-rule approach, by moving priority fields to the ends of the rules, it is not necessary to extract, manage and store multiple priority fields. A single priority payload for a successful match of a rule can be found right after the last dimension of such a matching rule. A convenient example of the multi-rule approach eliminates the FIFO structure of the prior approach and 75% of the shifters needed to extract priority fields from rule headers.
In another example of the multi-rule approach, the rule encoding engine 800 (
A convenient example of the multi-rule includes the following fields: LEN, N, VLD, {DIM_VLD}, M×PL, N×(DIMs {PRI}). The LEN field includes a length of the multi-rule. The N field includes a number of key matching rule in the multi-rule. The VLD field includes validity values indicating which key matching rules in the multi-rule are valid and which are invalid, as described with reference to
The expression N×(DIMs {PRI}) represents the dimension data of the multi-rule. As described above with reference to
Provided with a multi-rule with the format described above, an example of the decoder 615 (
The above-described methods and systems can be implemented in digital electronic circuitry, in computer hardware, firmware, and/or software. The implementation can be as a computer program product (i.e., a computer program tangibly embodied in an information carrier medium). The implementation can, for example, be in a machine-readable storage device for execution by, or to control the operation of, data processing apparatus. The implementation can, for example, be a programmable processor, a computer, and/or multiple computers.
In one example, a computer program can be written in any form of programming language, including compiled and/or interpreted languages, and the computer program can be deployed in any form, including as a stand-alone program or as a subroutine, element, and/or other unit suitable for use in a computing environment to carry out the features and functions of various examples discussed herein. A computer program can be deployed to be executed on one computer or on multiple computers at one site.
Method steps or operations can be performed as processes by one or more programmable processors executing a computer program to perform functions of various examples by operating on input data and generating output. Method steps can also be performed by and an apparatus can be implemented as special purpose logic circuitry. The circuitry can, for example, be a field programmable gate array (FPGA) and/or an application specific integrated circuit (ASIC). Modules, subroutines, and software agents can refer to portions of the computer program, the processor, the special circuitry, software, and/or hardware that implements that functionality.
The rule encoding engine 800 (
Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices. The information carriers can, for example, be EPROM, EEPROM, flash memory devices, magnetic disks, internal hard disks, removable disks, magneto-optical disks, CD-ROM, and/or DVD-ROM disks. The processor and the memory can be supplemented by, and/or incorporated in special purpose logic circuitry.
To provide for interaction with a user, the above described techniques can be implemented on a computing device having a display device. The display device can, for example, be a cathode ray tube (CRT) and/or a liquid crystal display (LCD) monitor, and/or a light emitting diode (LED) monitor. The interaction with a user can, for example, be a display of information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computing device (e.g., interact with a user interface element). Other kinds of devices can be used to provide for interaction with a user. Other devices can, for example, be feedback provided to the user in any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback). Input from the user can, for example, be received in any form, including acoustic, speech, and/or tactile input.
The above described systems and techniques can be implemented in a distributed computing system that includes a back-end component. The back-end component can, for example, be a data server, a middleware component, and/or an application server. The above described techniques can be implemented in a distributing computing system that includes a front-end component. The front-end component can, for example, be a client computing device having a graphical user interface, a Web browser through which a user can interact with an example implementation, and/or other graphical user interfaces for a transmitting device. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), the Internet, wired networks, and/or wireless networks.
The system may be coupled to and/or include clients and servers. A client and a server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computing devices and having a client-server relationship to each other.
Communication networks may include packet-based networks, which can include, for example, the Internet, a carrier internet protocol (IP) network (e.g., local area network (LAN), wide area network (WAN), campus area network (CAN), metropolitan area network (MAN), home area network (HAN)), a private IP network, an IP private branch exchange (IPBX), a wireless network (e.g., radio access network (RAN), 802.11 network, 802.16 network, general packet radio service (GPRS) network, HiperLAN), and/or other packet-based networks. Circuit-based networks may include, for example, the public switched telephone network (PSTN), a private branch exchange (PBX), a wireless network (e.g., RAN, Bluetooth, code-division multiple access (CDMA) network, time division multiple access (TDMA) network, global system for mobile communications (GSM) network), and/or other circuit-based networks.
The computing device may include, for example, a computer, a computer with a browser device, a telephone, an IP phone, a mobile device (e.g., cellular phone, personal digital assistant (PDA) device, laptop computer, electronic mail device), and/or other communication devices. The browser device includes, for example, a computer (e.g., desktop computer, laptop computer) with a World Wide Web browser (e.g., INTERNET EXPLORER® available from Microsoft Corporation, of Redmond, Wash.). The mobile computing device includes, for example, a BLACKBERRY® provided by Research In Motion Limited of Waterloo, Ontario, Canada.
“Comprise,” “include,” and/or plural forms of each are open ended and include the listed parts and can include additional parts that are not listed. “And/or” is open ended and includes one or more of the listed parts and combinations of the listed parts.
Although the above disclosure discusses what is currently considered to be a variety of useful examples, it is to be understood that such detail is solely for that purpose, and that the appended claims are not limited to the disclosed examples, but, on the contrary, are intended to cover modifications and equivalent arrangements that are within the spirit and scope of the appended claims.
One skilled in the art will realize the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The foregoing embodiments are therefore to be considered in all respects illustrative rather than limiting of the invention described herein. Scope of the invention is thus indicated by the appended claims, rather than by the foregoing description, and all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5107361 | Kneidinger et al. | Apr 1992 | A |
| 5214653 | Elliott et al. | May 1993 | A |
| 5463777 | Bialkowski et al. | Oct 1995 | A |
| 5584026 | Knudsen et al. | Dec 1996 | A |
| 5682535 | Knudsen | Oct 1997 | A |
| 5893142 | Moyer et al. | Apr 1999 | A |
| 5893911 | Piskiel et al. | Apr 1999 | A |
| 6212184 | Venkatachary et al. | Apr 2001 | B1 |
| 6233575 | Agrawal et al. | May 2001 | B1 |
| 6298340 | Calvignac et al. | Oct 2001 | B1 |
| 6341130 | Lakshman et al. | Jan 2002 | B1 |
| 6467019 | Washburn | Oct 2002 | B1 |
| 6473763 | Corl et al. | Oct 2002 | B1 |
| 6476763 | Allen | Nov 2002 | B2 |
| 6510509 | Chopra et al. | Jan 2003 | B1 |
| 6539394 | Calvignac et al. | Mar 2003 | B1 |
| 6567408 | Li et al. | May 2003 | B1 |
| 6587466 | Bhattacharya et al. | Jul 2003 | B1 |
| 6636480 | Walla et al. | Oct 2003 | B1 |
| 6658002 | Ross et al. | Dec 2003 | B1 |
| 6735600 | Andreev | May 2004 | B1 |
| 6868414 | Khanna et al. | Mar 2005 | B2 |
| 6918031 | Wilson | Jul 2005 | B2 |
| 6980555 | Mar | Dec 2005 | B2 |
| 7039641 | Woo | May 2006 | B2 |
| 7046848 | Olcott | May 2006 | B1 |
| 7110407 | Khanna | Sep 2006 | B1 |
| 7133409 | Willardson | Nov 2006 | B1 |
| 7225188 | Gai et al. | May 2007 | B1 |
| 7260558 | Cheng et al. | Aug 2007 | B1 |
| 7350040 | Marinescu | Mar 2008 | B2 |
| 7366728 | Corl et al. | Apr 2008 | B2 |
| 7370361 | de los Santos et al. | May 2008 | B2 |
| 7392349 | Mathur et al. | Jun 2008 | B1 |
| 7415472 | Testa | Aug 2008 | B2 |
| 7441022 | Schuba et al. | Oct 2008 | B1 |
| 7509300 | Sahni et al. | Mar 2009 | B2 |
| 7536476 | Alleyne | May 2009 | B1 |
| 7546234 | Deb et al. | Jun 2009 | B1 |
| 7554949 | Chen | Jun 2009 | B2 |
| 7571156 | Gupta et al. | Aug 2009 | B1 |
| 7590860 | Leporini | Sep 2009 | B2 |
| 7594081 | Bouchard et al. | Sep 2009 | B2 |
| 7613926 | Edery et al. | Nov 2009 | B2 |
| 7634408 | Mohri | Dec 2009 | B1 |
| 7636717 | Gupta et al. | Dec 2009 | B1 |
| 7702629 | Cytron et al. | Apr 2010 | B2 |
| 7710988 | Tripathi et al. | May 2010 | B1 |
| 7711893 | Venkatachary | May 2010 | B1 |
| 7761890 | Harvey | Jul 2010 | B1 |
| 7870161 | Wang | Jan 2011 | B2 |
| 7873992 | Daily | Jan 2011 | B1 |
| 7937355 | Corl et al. | May 2011 | B2 |
| 7949683 | Goyal | May 2011 | B2 |
| 7962434 | Estan et al. | Jun 2011 | B2 |
| 7990893 | Singh | Aug 2011 | B1 |
| 7992169 | Harvey | Aug 2011 | B1 |
| 8005869 | Corl et al. | Aug 2011 | B2 |
| 8015085 | Blagg et al. | Sep 2011 | B2 |
| 8024802 | Preston | Sep 2011 | B1 |
| 8051085 | Srinivasan et al. | Nov 2011 | B1 |
| 8111697 | Panwar et al. | Feb 2012 | B1 |
| 8156507 | Brjazovski et al. | Apr 2012 | B2 |
| 8165125 | Kim et al. | Apr 2012 | B2 |
| 8180803 | Goyal | May 2012 | B2 |
| 8301788 | Bouchard et al. | Oct 2012 | B2 |
| 8352391 | Kapadia | Jan 2013 | B1 |
| 8392590 | Bouchard et al. | Mar 2013 | B2 |
| 8407794 | Kim et al. | Mar 2013 | B2 |
| 8447120 | Ji et al. | May 2013 | B2 |
| 8473523 | Goyal | Jun 2013 | B2 |
| 8477611 | Lim | Jul 2013 | B2 |
| 8477773 | Sundstrom | Jul 2013 | B2 |
| 8543528 | Lunteren | Sep 2013 | B2 |
| 8554698 | Bando et al. | Oct 2013 | B2 |
| 8566344 | Bando et al. | Oct 2013 | B2 |
| 8800021 | Swaminathan | Aug 2014 | B1 |
| 8856203 | Schelp et al. | Oct 2014 | B1 |
| 8934488 | Goyal et al. | Jan 2015 | B2 |
| 8937952 | Goyal et al. | Jan 2015 | B2 |
| 8937954 | Goyal et al. | Jan 2015 | B2 |
| 8990259 | Billa et al. | Mar 2015 | B2 |
| 9137340 | Goyal et al. | Sep 2015 | B2 |
| 9183244 | Bullis et al. | Nov 2015 | B2 |
| 9344366 | Bouchard et al. | May 2016 | B2 |
| 20010006520 | Moulsey et al. | Jul 2001 | A1 |
| 20020023089 | Woo | Feb 2002 | A1 |
| 20030005144 | Engel et al. | Jan 2003 | A1 |
| 20030028674 | Boden | Feb 2003 | A1 |
| 20030108043 | Liao | Jun 2003 | A1 |
| 20030126272 | Corl, Jr. et al. | Jul 2003 | A1 |
| 20030156586 | Lee et al. | Aug 2003 | A1 |
| 20030223421 | Rich et al. | Dec 2003 | A1 |
| 20040006668 | Park et al. | Jan 2004 | A1 |
| 20040158744 | Deng et al. | Aug 2004 | A1 |
| 20040162826 | Wyschogrod et al. | Aug 2004 | A1 |
| 20040172234 | Dapp et al. | Sep 2004 | A1 |
| 20040193563 | Hagelin | Sep 2004 | A1 |
| 20040225999 | Nuss | Nov 2004 | A1 |
| 20040258067 | Irish | Dec 2004 | A1 |
| 20040264384 | Deval et al. | Dec 2004 | A1 |
| 20050013293 | Sahita | Jan 2005 | A1 |
| 20050028114 | Gould et al. | Feb 2005 | A1 |
| 20050035784 | Gould et al. | Feb 2005 | A1 |
| 20050157641 | Roy | Jul 2005 | A1 |
| 20050177736 | de los Santos et al. | Aug 2005 | A1 |
| 20050238010 | Panigrahy et al. | Oct 2005 | A1 |
| 20050240604 | Corl et al. | Oct 2005 | A1 |
| 20050278781 | Zhao et al. | Dec 2005 | A1 |
| 20060002386 | Yik et al. | Jan 2006 | A1 |
| 20060026138 | Robertson et al. | Feb 2006 | A1 |
| 20060029104 | Jungck | Feb 2006 | A1 |
| 20060039372 | Sarkinen et al. | Feb 2006 | A1 |
| 20060059165 | Bosloy et al. | Mar 2006 | A1 |
| 20060059314 | Bouchard et al. | Mar 2006 | A1 |
| 20060069872 | Bouchard et al. | Mar 2006 | A1 |
| 20060075206 | Bouchard et al. | Apr 2006 | A1 |
| 20060085533 | Hussain et al. | Apr 2006 | A1 |
| 20060101195 | Jain | May 2006 | A1 |
| 20060130142 | Mester et al. | Jun 2006 | A1 |
| 20060136570 | Pandya | Jun 2006 | A1 |
| 20060155915 | Pereira | Jul 2006 | A1 |
| 20060221954 | Narayan | Oct 2006 | A1 |
| 20060288024 | Braica | Dec 2006 | A1 |
| 20070011734 | Balakrishnan et al. | Jan 2007 | A1 |
| 20070115966 | Tzeng | May 2007 | A1 |
| 20070168377 | Zabarsky | Jul 2007 | A1 |
| 20070192863 | Kapoor et al. | Aug 2007 | A1 |
| 20070240229 | Yoon | Oct 2007 | A1 |
| 20080031258 | Acharya et al. | Feb 2008 | A1 |
| 20080034427 | Cadambi et al. | Feb 2008 | A1 |
| 20080059464 | Law et al. | Mar 2008 | A1 |
| 20080071783 | Langmead et al. | Mar 2008 | A1 |
| 20080082946 | Zilic et al. | Apr 2008 | A1 |
| 20080097959 | Chen et al. | Apr 2008 | A1 |
| 20080101371 | Law et al. | May 2008 | A1 |
| 20080109392 | Nandy | May 2008 | A1 |
| 20080109431 | Kori | May 2008 | A1 |
| 20080140600 | Pandya | Jun 2008 | A1 |
| 20080140631 | Pandya | Jun 2008 | A1 |
| 20080209540 | Deng et al. | Aug 2008 | A1 |
| 20080229415 | Kapoor et al. | Sep 2008 | A1 |
| 20080262991 | Kapoor et al. | Oct 2008 | A1 |
| 20080270833 | McMillen | Oct 2008 | A1 |
| 20080271147 | Mohanan et al. | Oct 2008 | A1 |
| 20080291916 | Xiong | Nov 2008 | A1 |
| 20080310440 | Chen et al. | Dec 2008 | A1 |
| 20090006847 | Abzarian et al. | Jan 2009 | A1 |
| 20090034530 | Basso et al. | Feb 2009 | A1 |
| 20090063825 | McMillen et al. | Mar 2009 | A1 |
| 20090119279 | Goyal et al. | May 2009 | A1 |
| 20090119399 | Hussain et al. | May 2009 | A1 |
| 20090125470 | Shah et al. | May 2009 | A1 |
| 20090138440 | Goyal | May 2009 | A1 |
| 20090138494 | Goyal | May 2009 | A1 |
| 20090185568 | Cho et al. | Jul 2009 | A1 |
| 20090217341 | Sun et al. | Aug 2009 | A1 |
| 20090262659 | Sturges et al. | Oct 2009 | A1 |
| 20090274384 | Jakobovits | Nov 2009 | A1 |
| 20090323383 | Mondaeev et al. | Dec 2009 | A1 |
| 20100034202 | Lu et al. | Feb 2010 | A1 |
| 20100037056 | Follis et al. | Feb 2010 | A1 |
| 20100067535 | Ma et al. | Mar 2010 | A1 |
| 20100094906 | Della-Libera et al. | Apr 2010 | A1 |
| 20100095162 | Inakoshi | Apr 2010 | A1 |
| 20100110936 | Bailey et al. | May 2010 | A1 |
| 20100114973 | Goyal | May 2010 | A1 |
| 20100146623 | Namjoshi et al. | Jun 2010 | A1 |
| 20100153326 | Bernardes et al. | Jun 2010 | A1 |
| 20100153420 | Yang et al. | Jun 2010 | A1 |
| 20100158394 | Chang et al. | Jun 2010 | A1 |
| 20100175124 | Miranda | Jul 2010 | A1 |
| 20100192225 | Ma et al. | Jul 2010 | A1 |
| 20100199355 | Ouddan et al. | Aug 2010 | A1 |
| 20100281532 | Deng et al. | Nov 2010 | A1 |
| 20110016154 | Goyal et al. | Jan 2011 | A1 |
| 20110038375 | Liu et al. | Feb 2011 | A1 |
| 20110090842 | Hirano et al. | Apr 2011 | A1 |
| 20110093484 | Bando et al. | Apr 2011 | A1 |
| 20110093496 | Bando et al. | Apr 2011 | A1 |
| 20110113191 | Pandya | May 2011 | A1 |
| 20110119440 | Pandya | May 2011 | A1 |
| 20110137930 | Hao et al. | Jun 2011 | A1 |
| 20110173149 | Schon | Jul 2011 | A1 |
| 20110173490 | Narayanaswamy et al. | Jul 2011 | A1 |
| 20110185077 | Bremler-Barr et al. | Jul 2011 | A1 |
| 20110219010 | Lim | Sep 2011 | A1 |
| 20110238855 | Korsunsky et al. | Sep 2011 | A1 |
| 20110264822 | Ferguson et al. | Oct 2011 | A1 |
| 20110295779 | Chen et al. | Dec 2011 | A1 |
| 20120017262 | Kapoor et al. | Jan 2012 | A1 |
| 20120078832 | Lunteren | Mar 2012 | A1 |
| 20120143854 | Goyal et al. | Jun 2012 | A1 |
| 20120203718 | Biran et al. | Aug 2012 | A1 |
| 20120215569 | Bauchot et al. | Aug 2012 | A1 |
| 20120221494 | Pasetto et al. | Aug 2012 | A1 |
| 20120221497 | Goyal et al. | Aug 2012 | A1 |
| 20120311529 | Beveridge et al. | Dec 2012 | A1 |
| 20120331007 | Billa et al. | Dec 2012 | A1 |
| 20120331554 | Goyal et al. | Dec 2012 | A1 |
| 20130034100 | Goyal et al. | Feb 2013 | A1 |
| 20130034106 | Goyal | Feb 2013 | A1 |
| 20130036083 | Goyal | Feb 2013 | A1 |
| 20130036102 | Goyal | Feb 2013 | A1 |
| 20130036471 | Bouchard et al. | Feb 2013 | A1 |
| 20130036477 | Goyal | Feb 2013 | A1 |
| 20130039366 | Goyal et al. | Feb 2013 | A1 |
| 20130060727 | Goyal et al. | Mar 2013 | A1 |
| 20130070753 | Sahni et al. | Mar 2013 | A1 |
| 20130085978 | Goyal et al. | Apr 2013 | A1 |
| 20130133064 | Goyal et al. | May 2013 | A1 |
| 20130191916 | Yao et al. | Jul 2013 | A1 |
| 20130218853 | Bullis et al. | Aug 2013 | A1 |
| 20130232104 | Goyal et al. | Sep 2013 | A1 |
| 20130282766 | Goyal et al. | Oct 2013 | A1 |
| 20140013104 | Vinnik | Jan 2014 | A1 |
| 20140079063 | Edsall | Mar 2014 | A1 |
| 20140214749 | Ruehle | Jul 2014 | A1 |
| 20140229386 | Tervo | Aug 2014 | A1 |
| 20140279850 | Goyal et al. | Sep 2014 | A1 |
| 20140280357 | Goyal et al. | Sep 2014 | A1 |
| 20140281809 | Goyal et al. | Sep 2014 | A1 |
| 20150066927 | Goyal et al. | Mar 2015 | A1 |
| 20150067123 | Goyal et al. | Mar 2015 | A1 |
| 20150067200 | Goyal et al. | Mar 2015 | A1 |
| 20150067776 | Goyal et al. | Mar 2015 | A1 |
| 20150067836 | Billa et al. | Mar 2015 | A1 |
| 20150117461 | Goyal et al. | Apr 2015 | A1 |
| 20150186786 | Goyal et al. | Jul 2015 | A1 |
| 20150189046 | Worrell et al. | Jul 2015 | A1 |
| 20150193689 | Worrell | Jul 2015 | A1 |
| 20150220454 | Goyal et al. | Aug 2015 | A1 |
| 20150220845 | Goyal et al. | Aug 2015 | A1 |
| Number | Date | Country |
|---|---|---|
| 2 276 217 | Jan 2011 | EP |
| 2004013777 | Feb 2004 | WO |
| 2007109445 | Sep 2007 | WO |
| 2008005772 | Jan 2008 | WO |
| 2009145712 | Dec 2009 | WO |
| 2012177736 | Dec 2012 | WO |
| 2012177752 | Dec 2012 | WO |
| 2013020002 | Feb 2013 | WO |
| 2013020003 | Feb 2013 | WO |
| 2013078053 | May 2013 | WO |
| Entry |
|---|
| Abdelghani et al. (2005) “Packet Classification Using Adaptive Rule Cutting,” In; The IEEE Proc. of Adv. Indus. Conf. on Telecom. pp. 28-33. |
| Aho et al. (1977) Ch. 3 In; Principles of Compiler Design. Addison-Wesley. pp. 73-124. |
| Baboescu et al. (2001) “Scalable Packet Classification,” In; The Proceedings of the ACM SIGCOMM '01 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication. pp. 199-210. |
| Baboescu et al. (2003) “Packet Classification for Core Routers: Is there an alternative to CAMs?” In; The Twenty-Second Annual Joint Conference of the IEEE Computer and Communications, INFOCOM 2003. vol. 1. pp. 53-63. |
| Becchi et al (2008) “Extending Finite Automata to Efficiently Match Perl-compatible Regular Expressions,” In; The Proceedings of the 2008 CoNext Conference. Dec. 9-12, 2008. |
| Becchi et al. (2007) “A Hybrid Finite Automaton for Practical Deep Packet Inspection,” In; The Proceedings of the International Conference on emerging Networking EXperiments and Technologies (CoNEXT), New York, New York. Dec. 2007. |
| Becchi et al. (2009) “Data Structures, Algorithms and Architechtures for Efficient Regular Expression Evaluation,” Washington University. Dissertation for the degree of Doctor of Philosophy. Saint Louis, Missouri. |
| Branch et al. (2002) “Denial of Service Intrusion Detection Using Time Dependent Deterministic Finite Automata,” In; The Proc. Research Conference, Troy, NY, Oct. 2002. |
| Chodnicki (2011) “An Introduction to Regular Expressions/Adventures with Open Source BI,” Adventures with Open Source BI. Accessible on the Internet at URL: available at http://type-exit.org/adventures-with-open-source-bi/2011/05/an-introduction-to-regular-expressions. [Last Accessed Aug. 21, 2015]. |
| Faro et al. (2008) “Efficient Variants of the Backward-Oracle-Matching Algorithm,” In; The Proceedings of Prague Stringology Conference, 2008, pp. 146-160. |
| Gupta et al. (1999) “Packet Classification on Multiple Fields,” In; The Proceedings of SIGCOMM '99 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (SIGCOMM '99). pp. 147-160. |
| Gupta et al. (2000) “Classifying Packets With Hierarchical Intelligent Cuttings,” IEEE Micro. 20(1):34-41. |
| Gupta (2000) “Algorithms for Packet Routing Lookups and Packet Classification,” Stanford University. Dissertation for the degree of Doctor of Philosophy. |
| Hoperoft et al. (1979) Ch. 2 In; Introduction to Automata Theory, Languages, and Computation. Addison-Wesley. Reading, Massachusetts. |
| Wikipedia “Access control list,” Wikimedia Foundation, Inc. Accessible on the Internet at URL: https://en.wikipedia.org/wiki/Access—control—list. [Last Accessed Aug. 21, 2015]. |
| Klarlund (1992) “Progress Measures, Immediate Determinacy, and a Subset Construction for Tree Automata,” In; The Proceedings of the Seventh Annual IEEE Symposium on Logic in Computer Science, 1992. LICS '92. pp. 382-393. |
| Navarro (2001) “NR-grep: A Fast and Flexible Pattern Matching Tool,” Software Practice and Experience (SPE). 31:1265-1312. |
| Navarro (2004) “Pattern Matching,” Journal of Applied Statistics. 31(8):925-949. |
| Pong et al. (2011) “HARP: Rapid Packet Classification via Hashing Round-Down Prefixes,” IEEE Transactions on Parallel and Distributed Systems. 22(7):1105•1119. |
| Qi et al. (2009) “Packet Classification Algorithms: From Theory to Practice,” In; The Proceedings of the 28th IEEE Conference on Computer Communications (INFOCOM '09). pp. 648-656. |
| Rabin et al. (1959) “Finite Automata and their Decision Problems,” IBM Journal of Research and Development. 3(2)114-125. |
| Singh (2002)“Regular Expressions,” Seeing With C. Accessible on th Internet at URL: http://www.seeingwithc.org/topic7html.html. [Last Accessed Aug. 24, 2014]. |
| Singh et al. (2003) “Packet Classification Using Multidimensional Cutting,” In; The Proceedings of the ACMSIGCOMM '03 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (SIGCOMM '03). pp. 213-224. |
| Sipser (1997) “Introduction to the Theory of Computation,” PWS Nondeterminism. Section 1.2 pp. 47-63. |
| Sun et al. (2008) “HFilter: Hybrid Finite Automaton Based Stream Filtering for Deep and Recursive XML Data,” Database and Expert Systems Applications Lecture Notes in Computer Science. 5181:566-580. |
| Theiling (2001) “Generating Decision Trees for Decoding Binaries” In; The OM '01 Proceedings of the 2001 ACM SIGPLAN workshop on Optimization of middleware and distributed systems. pp. 112-120. |
| Yu et al. (2006) “A Novel IP Packet Classification Algorithm Based on Hierarchical Intelligent Cuttings,” In; The Proceedings of the IEEE 6th International Conference on ITS Telecom. pp. 1033-1036. |
| Zhang et al. (2010) “On Constructing Efficient Shared Decision Trees for Multiple Packet Filters,” In; IEEE INFOCOM'10. San Diego, California. |
| International Search Report with Written Opinion corresponding to International Patent Application No. PCT/US2012/043307, mailed Dec. 6, 2012. |
| International Search Report with Written Opinion corresponding to International Patent Application No. PCT/US2012/049406, mailed Oct. 18, 2010. |
| Office Action corresponding to U.S. Appl. No. 13/168,395, mailed Apr. 20, 2015. |
| Office Action corresponding to U.S. Appl. No. 13/168,395, mailed Dec. 24, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/168,395, mailed Dec. 27, 2013. |
| Office Action corresponding to U.S. Appl. No. 13/168,395, mailed Jun. 10, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/168,450, mailed Apr. 25, 2013. |
| Office Action corresponding to U.S. Appl. No. 13/168,450, mailed Feb. 28, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/168,450, mailed Jun. 6, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/168,450, mailed Oct. 8, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/565,775, mailed Aug. 26, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/565,775, mailed Feb. 9, 2015. |
| Office Action corresponding to U.S. Appl. No. 13/831,191, mailed Dec. 12, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/831,191, mailed May 21, 2015. |
| Office Action corresponding to U.S. Appl. No. 13/831,232, mailed Nov. 21, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/831,415, mailed Dec. 18, 2014. |
| Office Action corresponding to U.S. Appl. No. 13/831,415, mailed Jun. 4, 2015. |
| Number | Date | Country | |
|---|---|---|---|
| 20150189046 A1 | Jul 2015 | US |
