Prioritization For Time-Deterministic Firewalls

Information

  • Patent Application
  • Publication Number
    20250158960
  • Date Filed
    February 17, 2023
  • Date Published
    May 15, 2025
Abstract
The invention relates to a method for allowing data packets in a network to arrive at the recipient at definable times. The method requires a firewall in a computer network. Each data packet is processed within the firewall according to filter rules. Each data packet which is transmitted through the firewall to a recipient is assigned a prioritization for processing in the firewall. Each data packet is transmitted after the filter rules have been processed, but this transmission can be interrupted as soon as another data packet with a higher prioritization arrives at the firewall. The data packet, the processing of which was interrupted, is then stored in the buffer for processing at a later time.
Description

The present invention relates to a method for realizing prioritizations for time-deterministic firewalls.


Firewalls are required in computer networks for filtering the data packets transmitted in the network and for forwarding or discarding them according to rules.


Packet filters (a firewall, or a switch with ACL rules) examine packets and make decisions based upon a set of rules. The increased volume of real-time traffic means that firewalls must also be able to process packets in real time (i.e., within a specified delay or processing time). The available time budget may be too small for a complete analysis of the packet against all firewall rules. This can depend upon the load on the firewall (for example, the firewall takes too long because other computing operations were processed with priority) or upon parallel processes on the firewall (the CPU is being used for something else).


Today, firewalls have no time budgets. This leads to firewalls forwarding packets with too high a delay/latency, so that time-critical packets arrive too late at the recipient in the network. A strongly varying processing time also causes problems, since it can lead to bursty packet processing and the accumulation of packets. A constant processing time is therefore advantageous in many cases, in particular for the precise prediction and planning of packet flows in the network.


So far, this problem has received little attention in research, since firewalls have not been used in conjunction with time-critical traffic. This invention describes a method for handling this situation.


Therefore, the object of the present invention is to realize a method for ensuring that time-critical packets arrive at the recipient on a timely basis. Accordingly, the invention sets itself the object of presenting a method for time-deterministic firewalls.


This object is achieved by the features of the main claim.


For this purpose, a method is proposed involving a computer network, a firewall, and a buffer in the firewall.


According to the method, each data packet is initially assigned a prioritization. The data packet is to be transmitted as usual after the filter rules have been fully processed in the firewall.


During the filtering of packets, it can occur that a packet with low prioritization is already located in the filtering process, while a packet with high prioritization arrives at the firewall. In this case, the slow packet delays the processing of the high-priority packet. This can be prevented by using a buffer to interrupt the processing of the slow packet when an urgent packet arrives, and to resume it later.


For this purpose, the firewall monitors the incoming packets and places them in a queue (this is still quite normal behavior). If a high-priority packet is received while a packet with a lower priority is already being filtered, the high-priority packet can be filtered by priority by a) placing it at the front of the queue and b) stopping the processing of the low-priority packet.


The processing of the low-priority data packet is interrupted when a high-priority data packet is received, if filtering is still ongoing. The low-priority packet is then written to a buffer with a note of the last rule tested. Filtering is thereupon aborted. The high-priority packet can now be filtered directly.


Once the high-priority data packet has been finally processed by the firewall, the processing of the low-priority data packet in the buffer can continue.


If further high-priority packets are available, they can also be filtered by priority. Once filtering of all prioritized packets has been completed, the filtering of the low-priority packet can be resumed at the point of interruption. Any time budgets can be taken into account when deciding how long the low-priority packet can be parked in the buffer.


It is also possible to define a rule position, from which no further interruptions are to occur. In this way, it can be avoided that a low-priority packet, which, for instance, is at position 99 of 100 in the processing of rules, is buffered with higher effort due to a single remaining rule.


The prioritization of data packets can be defined as a function of the traffic class of the network (LAN, WAN, etc.), according to a property of the data packet (size, content, etc.), or according to its origin or destination (port, network, VLAN, etc.).
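The interruption and resumption mechanism described above (queueing, preemption by a higher-priority packet, parking with a note of the last rule tested, the rule position from which no further interruptions occur, and a time budget for parking), as an added example in Python. It is not code from the application. Assumptions of this example: rules are evaluated in order and the first matching rule decides the firewall action; each rule evaluation costs one time unit; the priority is derived from the ingress VLAN, following the automation example in the description; a packet whose deadline has passed while parked is dropped; the rule set, VLAN numbers, packet names and the `demo()` scenario are constructed.

```python
"""Preemptive, resumable rule evaluation with a checkpoint buffer.

Added illustration of the method described above; not code from the patent
application. Assumptions: rules are evaluated in order and the first match
decides the action, every rule evaluation costs one time unit, priority is
derived from the ingress VLAN, and a packet whose deadline has passed while
parked is dropped. Rule set, VLAN numbers and packets are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    pid: str
    src_vlan: int
    dst_port: int
    priority: int                   # higher value = more urgent
    arrival: int                    # tick at which it reaches the firewall input
    deadline: Optional[int] = None  # time budget: latest tick at which the action may occur


# A rule is (name, predicate, action); a non-matching predicate continues with the next rule.
Rule = Tuple[str, Callable[[Packet], bool], str]

RULES: List[Rule] = [
    ("deny-ssh-from-guest", lambda p: p.src_vlan == 99 and p.dst_port == 22, "DROP"),
    ("allow-plc-cycle",     lambda p: p.src_vlan == 10 and p.dst_port == 2222, "FORWARD"),
    ("allow-web",           lambda p: p.dst_port in (80, 443), "FORWARD"),
    ("allow-dns",           lambda p: p.dst_port == 53, "FORWARD"),
    ("deny-default",        lambda p: True, "DROP"),
]


def assign_priority(src_vlan: int) -> int:
    """Prioritization by origin: controllers (VLAN 10) outrank PCs (VLAN 20),
    which outrank everything else. The VLAN numbering is an assumption."""
    return {10: 3, 20: 2}.get(src_vlan, 1)


@dataclass
class Checkpoint:
    packet: Packet
    next_rule: int  # index of the first rule not yet evaluated (the "note of the last rule tested")


class PreemptiveFirewall:
    def __init__(self, rules: List[Rule], no_interrupt_from: int, expired_action: str = "DROP-EXPIRED"):
        self.rules = rules
        self.no_interrupt_from = no_interrupt_from  # rule position from which no interruption occurs
        self.expired_action = expired_action
        self.buffer: List[Checkpoint] = []          # parked packets, highest priority first
        self.current: Optional[Checkpoint] = None   # packet whose rules are being evaluated
        self.log: List[Tuple[int, str, str]] = []   # (tick, pid, firewall action)
        self.tick = 0

    def _park(self, cp: Checkpoint) -> None:
        self.buffer.append(cp)
        self.buffer.sort(key=lambda c: (-c.packet.priority, c.packet.arrival))

    def _resume_next(self) -> None:
        """Take the highest-priority parked packet, honouring its time budget first."""
        while self.buffer:
            cp = self.buffer.pop(0)
            if cp.packet.deadline is not None and self.tick > cp.packet.deadline:
                self.log.append((self.tick, cp.packet.pid, self.expired_action))
                continue
            self.current = cp
            return
        self.current = None

    def arrive(self, pkt: Packet) -> None:
        cur = self.current
        preempt = (cur is not None and pkt.priority > cur.packet.priority
                   and cur.next_rule < self.no_interrupt_from)
        if preempt:
            self._park(cur)                  # parked together with its position in the rule set
            self.current = Checkpoint(pkt, 0)
        else:
            self._park(Checkpoint(pkt, 0))   # queued; served in priority order later
            if cur is None:
                self._resume_next()

    def step(self) -> None:
        """Advance one time unit: evaluate one rule for the packet in processing."""
        self.tick += 1
        cp = self.current
        if cp is None:
            return
        _name, predicate, action = self.rules[cp.next_rule]
        cp.next_rule += 1
        if predicate(cp.packet):
            self.log.append((self.tick, cp.packet.pid, action))
            self._resume_next()              # continue an interrupted packet where it stopped


def run(fw: PreemptiveFirewall, packets: List[Packet]) -> List[Tuple[int, str, str]]:
    """Deliver packets at their arrival ticks and run the firewall until it is idle."""
    pending = sorted(packets, key=lambda p: p.arrival)
    while pending or fw.current is not None or fw.buffer:
        while pending and pending[0].arrival <= fw.tick:
            fw.arrive(pending.pop(0))
        fw.step()
    return fw.log


def demo(no_interrupt_from: int = 4, guest_deadline: Optional[int] = None):
    """Constructed scenario: a PC packet is in processing, a guest packet waits,
    and a PLC packet arrives one tick later and may preempt the PC packet."""
    pc = Packet("PC->web", 20, 443, assign_priority(20), arrival=0)
    guest = Packet("guest->dns", 99, 53, assign_priority(99), arrival=0, deadline=guest_deadline)
    plc = Packet("PLC->cycle", 10, 2222, assign_priority(10), arrival=1)
    return run(PreemptiveFirewall(RULES, no_interrupt_from), [pc, guest, plc])


if __name__ == "__main__":
    for tick, pid, action in demo():
        print(f"t={tick}: {pid} -> {action}")
```

With the default settings, the PLC packet interrupts the PC packet after its first rule and is forwarded at tick 3; the PC packet then resumes at its second rule rather than from the start and is forwarded at tick 5; the guest packet, never interrupted because nothing of lower priority arrives, is forwarded at tick 9. With `no_interrupt_from=1` the PC packet has already passed the no-interrupt position when the PLC packet arrives, so the PLC packet is queued instead and the PC packet finishes first. With `guest_deadline=4` the guest packet's time budget has expired by the time it is unparked and it is dropped without finishing its rules. One point a practitioner should weigh: claims 24 and 25 allow other network participants to add the prioritization to the packet, and a firewall that trusts such a packet-carried field lets any sender claim the top priority and delay everyone else, so derive the priority from attributes the firewall itself controls (ingress port, VLAN, as here) or from a marking it can authenticate, and always bound the parking time as the deadline check does.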





Further features are shown in the attached figures. The following are shown:



FIG. 1: Time diagram for packet filtering with two differently prioritized data packets;



FIG. 2: Time diagram for packet filtering with three differently prioritized data packets;



FIG. 3: Time diagram for packet filtering with four differently prioritized data packets.






FIG. 1 shows a method according to the invention with a firewall 2 in a network 1. The firewall 2 contains definable rules according to which incoming data packets 3 are examined. Depending upon the result of the examination, a firewall action is subsequently executed, which may involve transmitting the data packets 3 or discarding the data packets 3.


The first data packet 3 arriving at the input 4 of the firewall 2 is forwarded for processing 5. The processing 5 includes working through the rules defined in the firewall. The point in time at which standard processing begins is recorded as the start of processing 7.


Depending upon the workload of the firewall, its performance, and the number of the data packets 3, 3′ to be processed, the processing of the filter rules requires a certain amount of time, which can vary and is denoted tprocess. The processing time of the data packet 3 is thus denoted tprocess0.


According to previous firewalls, a data packet is forwarded to the output 6 of the firewall 2 at the end of processing and thus transmitted to network 1, or the data packet 3 is discarded, depending upon the result of the processing. It would also be conceivable to mark the data packet as a firewall action.


According to the invention, each data packet is now assigned a prioritization for processing in the firewall. This can depend upon the source from which the data packet was transmitted, the destination to which it is to be transmitted, or the class of the network. In an automation network, for example, connected controllers are more time-critical than normal network participants, such as monitoring devices or PCs.


If a data packet 3′ with a higher priority than the data packet 3 currently in processing 5 is now received at the input 4 of the firewall 2, the processing 5 of the rules for the data packet 3 with the lower priority is interrupted according to the invention. The processing 5 of the data packet 3 is paused, and the processing 5 of the data packet 3′ starts 8.


So that the processing of a data packet 3 can be interrupted and resumed later, it is proposed that a buffer be integrated into the firewall 2. The data packet 3 along with further data packets can be placed here as long as they are not in processing 5.


The processing 5 takes the time tprocess1 for the high-priority data packet 3′. After all rules have been worked through by the processing 5 in the firewall 2 for the data packet 3′, the end of processing 9 is reached. According to the result of the processing, a firewall action is now carried out, which can, for example, be the forwarding of the data packet 3′ to the output of the firewall 2.


After the high-priority data packet 3′ has been worked through, the data packet 3 can now be removed from the buffer and transmitted for further processing 5. For this purpose, the processing 5 is continued at the point 7′ where it was aborted. This means that not all rules are now worked through, but only the rules that have not yet been processed. Thus, only the remaining time, the difference between tprocess0 and the processing time (t1−t0) already spent on data packet 3, is now required.


Subsequently, all rules are also processed for the data packet 3, and, according to the result of the processing, a firewall action is now carried out, which can, for example, be the forwarding of the data packet 3 to the output of the firewall 2.



FIG. 2 shows a method according to the invention with a firewall 2 in a network 1, but with three data packets 3, 3′, 3″ with increasing priority. The firewall 2 contains definable rules according to which incoming data packets 3 are examined. Depending upon the result of the examination, a firewall action is subsequently executed, which may involve transmitting the data packets 3 or discarding the data packets 3.


The first data packet 3 arriving at the input 4 of the firewall 2 is forwarded for processing 5. The processing 5 includes working through the rules defined in the firewall.


Depending upon the workload of the firewall, its performance, and the number of the data packets 3, 3′, 3″ to be processed, the processing of the filter rules requires a certain amount of time, which can vary and is defined with tprocess. tprocess0 designates the processing time for data packet 3.


If a data packet 3′ with a higher priority than the data packet 3 currently in processing 5 is now received at the input 4 of the firewall 2, the processing 5 of the rules for the data packet 3 with the lower priority is interrupted according to the invention. The processing 5 of the data packet 3 is paused, and the processing 5 of the data packet 3′ starts. The processing time previously required for data packet 3 is defined as tprocess0.1.


So that the processing of a data packet 3 can be interrupted and resumed later, it is proposed that a buffer be integrated into the firewall 2. The data packet 3 along with further data packets can be placed here as long as they are not in processing 5.


The processing 5 of the higher-priority data packet 3′ has run for the time tprocess1.1 when a data packet 3″ with a higher priority than the data packet 3′ currently in processing 5 is received at the input 4 of the firewall 2. The processing 5 of the rules for the data packet 3′ is then interrupted according to the invention: the processing 5 of the data packet 3′ is paused, and the processing 5 of the data packet 3″ starts. The processing time already spent on data packet 3′ is thus tprocess1.1.


So that the processing of a data packet 3′ can also be interrupted and resumed later, it is proposed that the data packet 3′ also be stored in the buffer. The data packet 3′ and other data packets can be placed here as long as they are not in processing 5.


After all rules have been worked through by the processing 5 in the firewall 2 for the data packet 3″, the end of processing is reached. According to the result of the processing, a firewall action is now carried out, which can, for example, be the forwarding of the data packet 3″ to the output of the firewall 2. The processing time for data packet 3″ is defined as tprocess2.


After the high-priority data packet 3″ has been worked through, the next-highest-priority data packet 3′ can now be removed from the buffer and transmitted for further processing 5. For this purpose, the processing 5 is continued at the point where it was aborted. This means that not all rules are now worked through, but only the rules that have not yet been processed.


Thus, only the remaining time tprocess1.2, the difference between tprocess1 and the processing time tprocess1.1 already spent on data packet 3′, is now required.


Subsequently, all rules are also worked through for the data packet 3′, and a firewall action is now carried out according to the result of the processing, which can, for example, be the forwarding of the data packet 3′ to the output of the firewall 2.


After the higher-priority data packet 3′ has been worked through, the lower-priority data packet 3 can now be removed from the buffer and transmitted for further processing 5. For this purpose, the processing 5 is continued at the point where it was aborted. This means that not all rules are now worked through, but only the rules that have not yet been processed. Thus, only the remaining time tprocess0.2, the difference between tprocess0 and the processing time tprocess0.1 already spent on data packet 3, is now required.


Subsequently, all rules are also processed for the data packet 3, and, according to the result of the processing, a firewall action is now carried out, which can, for example, be the forwarding of the data packet 3 to the output of the firewall 2.



FIG. 3 shows a method according to the invention with a firewall 2 in a network 1, but with four data packets 3, 3′, 3″, 3′″ with different priorities. The data packet 3″ is the highest-priority packet, data packet 3′ is the next-highest-priority packet, data packet 3′″ is the second-lowest-priority packet, and data packet 3 is the lowest-priority packet. The firewall 2 contains definable rules according to which incoming data packets 3 are examined. Depending upon the result of the examination, a firewall action is subsequently executed, which may involve transmitting the data packets 3 or discarding the data packets 3.


The first data packet 3 arriving at the input 4 of the firewall 2 is forwarded for processing 5. The processing 5 includes working through the rules defined in the firewall.


Depending upon the workload of the firewall, its performance, and the number of the data packets 3, 3′, 3″, 3′″ to be processed, the processing of the filter rules requires a certain amount of time, which can vary and is denoted tprocess. tprocess0 designates the processing time for data packet 3.


If a data packet 3′ with a higher priority than the data packet 3 currently in processing 5 is now received at the input 4 of the firewall 2, the processing 5 of the rules for the data packet 3 with the lower priority is interrupted according to the invention. The processing 5 of the data packet 3 is paused, and the processing 5 of the data packet 3′ starts. The processing time previously required for data packet 3 is defined as tprocess0.1.


So that the processing of a data packet 3 can be interrupted and resumed later, it is proposed that a buffer be integrated into the firewall 2. The data packet 3 along with further data packets can be placed here as long as they are not in processing 5.


If a data packet 3″ with a higher priority than the data packet 3′ currently in processing 5 is now received at the input 4 of the firewall 2, the processing 5 of the rules for the data packet 3′ with the lower priority is interrupted according to the invention. The processing 5 of the data packet 3′ is paused, and the processing 5 of the data packet 3″ starts. The processing time previously required for data packet 3′ is defined as tprocess1.1.


So that the processing of a data packet 3′ can be interrupted and resumed later, the data packet 3′ is likewise placed in the buffer, where it and other data packets remain as long as they are not in processing 5.


If a data packet 3′″ with a lower priority than the data packet 3″ currently in processing 5 is now received at the input 4 of the firewall 2, the processing is not interrupted, and the data packet 3′″ is stored in the buffer for later processing.


Advantageously, it is proposed that the previous processing times and/or the rules already processed for the data packets be stored in the buffer, in order to be able to determine the rules still to be processed when the data packets are removed from the buffer.


After all rules have been worked through by the processing 5 in the firewall 2 for the data packet 3″, the end of processing is reached. According to the result of the processing, a firewall action is now carried out, which can, for example, be the forwarding of the data packet 3″ to the output of the firewall 2. The processing time for data packet 3″ is defined as tprocess2.


After the high-priority data packet 3″ has been worked through, the next-highest-priority data packet 3′ can now be removed from the buffer and transmitted for further processing 5. For this purpose, the processing 5 is continued at the point where it was aborted. This means that not all rules are now worked through, but only the rules that have not yet been processed. Thus, only the remaining time tprocess1.2, the difference between tprocess1 and the processing time tprocess1.1 already spent on data packet 3′, is now required.


Subsequently, all rules are also worked through for the data packet 3′, and a firewall action is now carried out according to the result of the processing, which can, for example, be the forwarding of the data packet 3′ to the output of the firewall 2.


After the data packet 3′ has been worked through, the next-highest-priority data packet 3′″ can now be removed from the buffer and transmitted for processing 5. The processing 5 is for this purpose started from the beginning, since the data packet 3′″ has not yet been processed at all. Thus, the full processing time tprocess3 is now required.


Subsequently, all rules are also worked through for the data packet 3′″, and, according to the result of the processing, a firewall action is now carried out, which can, for example, be the forwarding of the data packet 3′″ to the output of the firewall 2.


After the data packet 3′″ has been worked through, the lowest-priority data packet 3 can now be removed from the buffer and transmitted for further processing 5. For this purpose, the processing 5 is continued at the point where it was aborted. This means that not all rules are now worked through, but only the rules that have not yet been processed. Thus, only the remaining time tprocess0.2, the difference between tprocess0 and the processing time tprocess0.1 already spent on data packet 3, is now required.


Subsequently, all rules are also processed for the data packet 3, and, according to the result of the processing, a firewall action is now carried out, which can, for example, be the forwarding of the data packet 3 to the output of the firewall 2.
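The timeline of FIG. 3, carried through as a worked derivation. This is an added illustration and not part of the application; it assumes that the firewall evaluates one packet at a time, that data packet 3 arrives at time $t_0$, 3′ at $t_1$ and 3″ at $t_2$ with $t_0 < t_1 < t_2$, that 3′″ arrives while 3″ is in processing, and that parking a packet in the buffer and resuming it costs no time. $T_x$ denotes the end of processing of data packet $x$.

$$t_{process0.1} = t_1 - t_0, \qquad t_{process1.1} = t_2 - t_1$$

$$T_{3''} = t_2 + t_{process2}$$

$$T_{3'} = T_{3''} + t_{process1.2}, \qquad t_{process1.2} = t_{process1} - t_{process1.1}$$

$$T_{3'''} = T_{3'} + t_{process3}$$

$$T_{3} = T_{3'''} + t_{process0.2}, \qquad t_{process0.2} = t_{process0} - t_{process0.1}$$

The latency of the lowest-priority data packet 3, measured from its arrival, is therefore

$$T_3 - t_0 = (t_2 - t_0) + t_{process2} + t_{process1.2} + t_{process3} + t_{process0.2}$$

$$= t_{process0.1} + t_{process1.1} + t_{process2} + (t_{process1} - t_{process1.1}) + t_{process3} + (t_{process0} - t_{process0.1})$$

$$= t_{process0} + t_{process1} + t_{process2} + t_{process3},$$

while the highest-priority data packet 3″ sees only $T_{3''} - t_2 = t_{process2}$. Interrupting and resuming thus does not reduce the total work; it moves all waiting onto the lower-priority packets, whose time budget for parking in the buffer must cover the processing times of every higher-priority packet that can arrive during their service. If the rule position from which no further interruptions occur is used, the latency of 3″ grows by at most the processing time of the rules remaining after that position for the interrupted packet.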


LIST OF REFERENCE SIGNS

    • 1 Network
    • 2 Firewall
    • 3 Data packet
    • 3′ Data packet
    • 3″ Data packet
    • 3′″ Data packet
    • 4 Input
    • 5 Processing
    • 6 Output
    • 7 Start of processing of 3
    • 7′ Continuation of processing of 3
    • 8 Pause of 3, start of processing of 3′
    • 9 End of processing of 3′
    • 10 End of processing of 3




Claims
  • 1.-14. (canceled)
  • 15. A method for allowing data packets in a network to arrive at the recipient at definable times, with a firewall in a computer network, which contains filter rules, with a buffer in the firewall, wherein each data packet is assigned a prioritization for processing in the firewall, wherein a firewall action is provided for each data packet after the filter rules have been processed, wherein the processing of the filter rules is interrupted as soon as a further data packet with a higher prioritization than the prioritization of the data packet currently in processing arrives at the firewall, and the data packet for which processing was interrupted is stored in the buffer for later processing.
  • 16. The method according to claim 15, wherein the firewall action includes forwarding the data packet to an output of the firewall.
  • 17. The method according to claim 15, wherein the firewall action includes discarding the data packet.
  • 18. The method according to claim 15, wherein the firewall action includes marking the data packet.
  • 19. The method according to claim 18, wherein the marking contains the outstanding filter rules that have not yet been processed by the firewall.
  • 20. The method according to claim 15, wherein a respective data packet is deleted from the buffer after removal from the latter.
  • 21. The method according to claim 15, wherein a time recording of the data packets takes place upon arrival at the input of the firewall.
  • 22. The method according to claim 15, wherein the data packets stored in the buffer are ordered according to their prioritization.
  • 23. The method according to claim 15, wherein the prioritization of the data packets is carried out by the firewall.
  • 24. The method according to claim 15, wherein the prioritization of the data packets is carried out by further network participants.
  • 25. The method according to claim 15, wherein the prioritization is added to the data packet.
  • 26. The method according to claim 15, wherein a plurality of processing operations are carried out simultaneously by the firewall.
  • 27. The method according to claim 26, wherein the interruption of the processing of a data packet takes place if one of the processing operations is processing a lower-priority data packet.
  • 28. The method according to claim 15, wherein the buffer is designed as a non-volatile memory.
Priority Claims (1)
  • Number: 10 2022 103 928.5; Date: Feb 2022; Country: DE; Kind: national
PCT Information
  • Filing Document: PCT/EP2023/054108; Filing Date: 2/17/2023; Country: WO