[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

US20070195714A1 - Network data packet classification and demultiplexing - Google Patents

Network data packet classification and demultiplexing Download PDF

Info

Publication number
US20070195714A1
US20070195714A1 US11/678,228 US67822807A US2007195714A1 US 20070195714 A1 US20070195714 A1 US 20070195714A1 US 67822807 A US67822807 A US 67822807A US 2007195714 A1 US2007195714 A1 US 2007195714A1
Authority
US
United States
Prior art keywords
packet
node
classification
external information
disposition
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/678,228
Inventor
Douglas Schales
Srinivasan Seshan
Miriam Zohar
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US11/678,228 priority Critical patent/US20070195714A1/en
Publication of US20070195714A1 publication Critical patent/US20070195714A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q11/00Selecting arrangements for multiplex systems
    • H04Q11/04Selecting arrangements for multiplex systems for time-division multiplexing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/1305Software aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13296Packet switching, X.25, frame relay
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13343Neural networks

Definitions

  • the present invention is directed to the field of packet communication. It is more particularly directed to classification and demultiplexing of network communication packets processed in a network protocol stack.
  • Packets are transported across the physical communication network.
  • the information originating from an application program becomes packetized into network communication packets by passing through various software components before arriving at the network interface card for transmission on the physical communications network.
  • These software components are typically layered to form what is known as the network protocol stack.
  • Each layer is responsible for a different facet of communication.
  • the TCP/IP protocol stack is normally split into four layers: link, network, transport and application.
  • FIG. 1 shows the relationship between the protocol layers and the TCP/IP protocol stack.
  • the link layer 101 is responsible for placing data on the physical network.
  • the network layer 102 is responsible for routing.
  • the transport layer 103 is responsible for the communication between two hosts.
  • the application layer 104 is responsible for processing the application specific data.
  • FIG. 2 illustrates the stages of an HTTP request being encapsulated before being sent to a web server.
  • each layer 201 - 204 encapsulates the packet adding its own header.
  • each protocol layer uses information within its header to classify the incoming packet amongst all the protocols in the layer above it. This process is commonly referred to as demultiplexing.
  • the packet is demultiplexed or “classified” based on information about the packet that is contained in the headers or from information inside the data portion of the packet itself.
  • the packet is processed differently based on its classification.
  • FIG. 3 illustrates how this classification is done for an incoming HTTP request 301 .
  • the Ethernet driver 302 in the link layer 300 , classifies the packet based on frame type in the Ethernet header and passes it to IPv4 312 in the network layer 310 .
  • IPv4 312 classifies the packet based on the IP header protocol value in the IP header and passes it to TCP 323 in the transport layer 320 .
  • TCP classifies the packet based on the destination port number in the TCP header and passes it to the HTTP server 332 in the application layer 330 .
  • Another aspect of the present invention provides easier extendibility for packet processing in the network protocol stack by defining a standard method for adding new functionality or support for new protocols and applications.
  • Another aspect of the present invention provides methods and apparatus to obtain external information, from an application scheduled outside of the forwarding or interrupt context of the kernel, in order to augment packet classification and/or disposition.
  • An example embodiment of the present invention is a method for classifying a data packet.
  • the method includes the steps of: receiving the packet at a root node of a classification tree; passing the packet to a first child node of a first tree level of the classification tree indicating a satisfaction of a node-criteria of the first child node; the first child node forming the data packet into a matched packet; and repeating the step of passing and forming for a next tree level until no first child node of the next level at a succeeding next level indicates satisfaction of the node-criteria of the first child node of the next level.
  • the step of indicating includes the step of executing a set of code which returns a status indication of the type; and/or the step of indicating satisfaction of a criteria includes the steps of executing a set of code which identifies the desired packet and returning a status indication; and/or the step of forming the data packet into a matched packet includes the step of indicating satisfaction; and/or the step of repeating the step of passing and the step forming includes the steps of indicating and returning a status indication of NO_Match.
  • the method further includes: the step of adding at least one new child node; and/or one new child node is a Real Audio node; and/or the method is extendible such that one or more nodes are dynamically added at any level; parsing the matched packet and generating relevant information; transforming the matched packet into a transformed packet; and/or associating the packet at a last first child node indicating satisfaction; executing a set of code in accordance with the last first child node; and/or the step of forming includes the first child node specifying a set of code to be run subsequently; and/or the step specifying specifies the set of code to be run following classification.
  • Another example embodiment of the present invention is a method which uses an external process for classifying a packet.
  • This method includes the steps of suspending a classification process in progress for the packet, and obtaining external information employed in the classifying. This is performed by an application scheduled outside of the forwarding or interrupt context of the kernel.
  • the step of suspending includes the steps of queuing any data, including information about the packet or its present classification; and/or transferring said data to an application that is scheduled outside of the forwarding or interrupt context of the kernel.
  • the step of obtaining external information includes augmenting a node-criteria of a node in a classification tree with additional information; and/or the external information includes authentication of an originator of the packet; the classification process is an extendible classifier process (In one application, a process is extendible by adding a new child node); and/or the step of specifying includes enforcement of a site policy.
  • a site policy is composed of a number of different aspects including security. The security aspect of a site policy may be based on packet classification and authentication information.
  • Another aspect of the present invention is a method for determining disposition of an original packet received at a child node.
  • the method includes the step of passing the original packet and a first disposition of the original packet to an external process, and the external process augmenting the original packet and/or augmenting the first disposition by employing a process specific means and returning an augmented packet and an augmented disposition to the child node.
  • Some embodiments of the method include suspending a disposition process in progress for the original packet; and/or the augmented disposition includes identification of and/or authentication of an originator of said packet.
  • FIG. 1 shows the relationship between the protocol layers and the TCP/IP protocol stack
  • FIG. 2 illustrates the stages of an HTTP request being encapsulated before being sent to a web server
  • FIG. 3 illustrates how classifying is done for an incoming HTTP request
  • FIG. 4 shows an example of how to organize modules in the classification tree in accordance with the present invention
  • FIG. 5 shows an example of a packet classification and demultiplexing process in classifying a packet in accordance with the present invention
  • FIG. 6 shows an example of steps to determine the packet disposition in accordance with the present invention
  • FIG. 7 shows an example of pm_t return codes in accordance with the present invention.
  • FIG. 8 shows an example of application dependent nodes in accordance with the present invention.
  • FIG. 9 shows an example of pp_t return codes in accordance with the present invention.
  • FIG. 10 shows an example of paction_t return codes in accordance with the present invention.
  • FIG. 11 shows an example of an apparatus in accordance with the present invention.
  • FIG. 1 depicts for the network layers of the TCP/IP protocol.
  • the associated call graph created by the standard UNIX protocol stack is arranged like a tree as described for FIG. 3 . Each level of the tree corresponds to a different layer in the networking protocol stack.
  • the present invention mimics the call graph of the UNIX protocol stack and organizes the different modules competing for packets at the IP layer in a tree structure herein referred to as a classification tree.
  • FIG. 4 shows each node in the classification tree as a separate module.
  • each node is composed of 4 packet traversal functions (matcher, preprocessor, action, and post processing) and 3 node management functions (callback, heartbeat and management). Only the packet matching function, which identifies the packets to process, and the packet action function, which determines the packet disposition, are required.
  • the packet matching function is herein referred to as the node-criteria of the node.
  • the remaining traversal and management function pointers can default to NULL.
  • each of the nodes is a separate dynamically loadable module, the classification tree organization is flexible.
  • the modules are loaded into memory during the initialization process. Based upon configuration information the modules are then arranged to form a classification tree. The ordering of the modules is important since the packet traversal is governed by this ordering.
  • each node is initialized by executing a set of code.
  • this set of code is a function referred to as the management function(mm).
  • the input parameter to the mm function is generally a single pointer to a buffer containing the node specific configuration data.
  • FIG. 4 shows an example of how to organize modules in the classification tree.
  • the IPv4 503 , IPv6 504 , UDP 506 , HTTP 507 and TCP 508 modules each wish to observe or modify packets that use the protocol for which they are named.
  • These ways include: providing a transparent HTTP proxy function, using a specialized TCP for HTTP like Transaction TCP(T/TCP), doing content filtering based on site policy, or limiting packet traffic based on a service contract.
  • T/TCP Transaction TCP
  • differing modules are loaded into memory.
  • a site policy is composed of a number of different aspects including security. The security aspect of a site policy may be based on packet classification and authentication information.
  • the present invention includes methods for implementing a packet classification process and/or an augmented packet disposition process.
  • the packet to be classified and/or augmented is herein referred to as the original packet.
  • the resulting packet is referred to as the augmented packet.
  • the disposition of the original packet is herein referred to as the first disposition, and the disposition resulting from the augmented disposition process is herein referred to as the augmented disposition. Anything outside of the forwarding or interrupt context of the kernel is herein said to be external.
  • An example embodiment has 7 steps to classify a packet and determine the augmented packet disposition. These steps are in the interrupt context except where noted. Steps 1 - 4 describe the packet classification process shown in FIG. 5 . Steps 5 - 7 describe augmenting the packet disposition process. A flow diagram for these seven steps is shown in FIG. 6 . Refer to FIGS. 5 & 6 for the following description.
  • Step 1 After receiving a packet from the physical network, the Link Layer passes the packet to the root node 502 .
  • a network driver receives a packet from the physical network, which it classifies based on frame type in the MAC header and passes it to the root node of the classification tree.
  • Step 2 The packet is passed to a first child node of the first level 521 of the classification tree, indicating a satisfaction of a node-criteria of the child node.
  • the root node asks each child node from left to right whether the packet matches its node-criteria, until a child node's node-criteria is satisfied. The root node then passes the packet to that first child node which satisfies the node-criteria and forms the data packet into a matched packet.
  • the root node 502 first passes the packet to the IPv4 node 503 .
  • a child node's node-criteria includes a set of code used to identify the packets desired. This set of code is implemented as a function referred to as the packet matching function (pm) 603 .
  • the input parameters to the pm function are: the PBUF, an operating system independent data structure containing the packet, the options memory area, and a pointer to the packet filter node.
  • the result of the packet matching function, indicating satisfaction or lack there of, of the child node's node-criteria, is of type pm_t.
  • FIG. 7 enumerates a sample group of type pm_t return code values 700 .
  • the packet matching function results indicating satisfaction of a child node's node-criteria include: Match_OK, Match_This, Match_Discard, and Match_Forward.
  • the result indicating lack of satisfaction is NO_Match.
  • the packet matching function may be as simplistic as matching a static fixed offset, such as the IPv4 node, or as complex as identifying the packets for applications which negotiate additional connections, such as FTP, Real-Audio and H.323.
  • additional connections such as FTP, Real-Audio and H.323.
  • FIG. 8 For each additional connection, a dynamic filter rule is created.
  • These dynamic filter rules and other state information for the negotiated connections are stored locally in the application specific node.
  • One implementation uses a hashtable structure for storing this data. Based on the well known services port and the application specific data, the packet matching function identifies the packets desired enabling application level classification.
  • Step 3 Repeat the process of ‘passing the packet’ starting with a first child node of a next tree level of the classification tree which satisfies a node-criteria of that first child node, as described in step 2 , and form the packet into a matched packet, until no child of a next tree level of the classification tree succeeds in satisfying a node-criteria (NO_Match).
  • the traversal path is defined as the set of nodes from the root to the last first child node satisfying a node-criteria of the child node.
  • Step 4 For each first child node, satisfying a node-criteria of the child node form the data packet into a matched packet. This may be performed as in steps 4 A, 4 B and/or 4 C.
  • Step 4 A The current node is added to the node traversal path 605 .
  • Step 4 B The node may execute a set of code, if such a code exists, which may parse and transform the packet 607 . If the set of code exists, the packet is parsed and transformed 617 . If not, flow continues with 609 .
  • the packet's traversal of the classification tree is limited to the node's descendants. The remainder of the classification tree is not traversed. But before traversing a node's subtree, the node may execute a set of code. In the present embodiment, this set of code is referred to as the packet preprocessor function (pp).
  • the input parameters are the same as the packet matching function. This includes: the PBUF, an operating system independent data structure containing the packet, the options memory area, and a pointer to the packet filter node.
  • the return code of the pp function is of type pp_t. Examples of type pp_t 900 are enumerated in FIG. 9 .
  • the packet preprocessor function may perform actions such as parsing a packet and transforming a packet. Parsing a packet generates information that may need to be made available to the node's descendants and ancestors. Transforming a packet takes place for example, when the IPSEC node's preprocessor transforms an encrypted packet into a decrypted packet. IPSec tunnel information and other information is created that can be used by other nodes in the classification tree.
  • the present invention thus provides a generic mechanism for retaining or passing state information between nodes by a mechanism we referred to herein as options passing.
  • options passing an options memory segment is attached to each packet during its tree traversal.
  • Each node may store and retrieve state using the APIs: fw_add_option, fw_next_option. Since a node may not understand all options that are passed to it, the node will process the options it understands and ignore those which it does not understand.
  • Step 4 C The node may also suspend the classification process in order to obtain additional external information so as to augment packet classification and demultiplexing 615 .
  • Suspending the classification process involves queueing any data, including information about the packet or its present classification, and transferring the data to an application that is scheduled outside of the forwarding or interrupt context of the kernel.
  • One embodiment augments packet classification by suspending the packet classification process until the application, scheduled outside of the forwarding or interrupt context of the kernel, completes.
  • the resulting external information is used to augment the packet classification.
  • Examples of applications which may augment packet classification include packet identification and authentication agents.
  • An identification/authentication agent may use s/ident for out of band identification and authentication.
  • Authentication may use s/ident for out of band authentication in order to correlate the packet with a userid.
  • Another example of authentication is to correlate a VPN tunnel id with a userid.
  • This external information permits packets to be handled differently. For example, assume that a site connected to the Internet is severely bandwidth limited. As a result only a limited number of employees at any given moment can run applications with high bandwith demands, such as streaming media. Based on the external information a site policy can be implemented which gives preferential treatment to a set of employees.
  • Step 5 After packet classification completes, a set of code associated with the last child node which satisfied the node-criteria, is executed.
  • this set of code is referred to as the packet action function (pa).
  • the packet action input parameters are: the PBUF, a pointer to the node, a pointer to the node traversal path, and the options memory area.
  • An example of return codes of the pa function, of type paction_t are enumerated in FIG. 10 1000 .
  • the return code obtained determines the packet disposition.
  • the packet action function 621 monitors the packet data in order to obtain application specific state information used by the other node functions. For example, a packet action function with application specific knowledge could monitor the packet data for new negotiated data connections. These new dynamic connections are stored locally in the application specific node.
  • the packet matching function uses the dynamic data as part of the node-criteria for application level packet classification.
  • packet action function usage include: modifying packets, which may be used to implement NAT; queueing packets, which may be used to shape traffic; dropping packets, which may be used for rate limiting; and redirecting packets, which may be used for load balancing.
  • the packet action function may also suspend kernel packet processing and transfer any data (including information about the packet or its classification) to an application that is scheduled outside of the forwarding or interrupt context of the kernel, and/or to obtain external information in order to augment the packet disposition (i.e. discard, forward, process locally or redirect) decision 631 .
  • Suspending the packet disposition decision process involves queueing any data, including information about the packet or its classification, and transferring the data to an application employing a process specific means that is scheduled outside of the forwarding or interrupt context of the kernel.
  • An example method of augmenting the packet disposition decision is to suspend any in progress packet disposition decision process until the application scheduled outside of the forwarding or interrupt context of the kernel completes.
  • the resulting external information is used to augment the packet disposition decision.
  • applications which may augment the packet disposition decision are policy enforcement and content filtering agents based on any combination of the packet classification, identification and authentication.
  • process specific means include s/identd and external LDAP servers.
  • the application passes the original data, the external information and the results to the kernel, which issues a call to the node's callback function.
  • the callback function(cb) reinserts the packet at the node which suspended the processing.
  • dynamic rules may be created 621 .
  • VPN tunnels Differing policies based on the VPN callee are enforceable using dynamic rules. With application level classification, these rules are no longer limited to fixed pattern matches, such as protocol, but may be written in terms of applications. An example of an application level rule would be ‘permit John Doe Real-Audio’. Application level rules would also simplify firewall rule definitions in firewall applications.
  • Step 6 After the set of code associated with the last child node, which satisfied the node-criteria (referred to as the packet action code) completes, a set of code associated with each node in the node traversal path, is executed 623 .
  • this set of code is referred to as the packet post processor function(px) 625 .
  • the packet postprocessing input parameters are the PBUF, the options memory area and the packet action disposition.
  • the return code of the px function is of type paction_t. Examples of type paction_t are enumerated in FIG. 10 .
  • the packet postprocessing may perform actions such as encrypting a packet 627 .
  • the node traversal path was created. Before returning to the base operating system, in reverse node traversal order, packet postprocessing is executed.
  • the packet disposition is maintained through postprocessing. Only in unusual circumstances does the postprocessing not follow the recommended packet action and previous post processing disposition. For example, with VPN tunnels the outbound tunnel may have been torn down during the classification tree traversal.
  • Step 7 After the packet processing completes, control returns to the base operating system, which discards, forwards, redirects or locally processes the packet, based on the final disposition 633 .
  • FIG. 11 shows an example embodiment of the present invention as an apparatus to classify and/or augment the disposition of a data packet shown in FIG. 11 .
  • the apparatus includes a network interface device ( 1101 ) to receive a packet from the physical network and pass the packet to a root node of a classification tree, and the reverse, to receive a packet from the root node and send a packet to the physical network.
  • the apparatus also includes a packet module ( 1103 ) to successively pass the packet from child node to child node on each tree level until a first child node of a tree level of the classification tree indicates a satisfaction of a node-criteria of that first child node.
  • the first child node forms the data packet into a matched packet until no first child node of a next level at a succeeding next level indicates satisfaction of the node-criteria of the first child node of the next level.
  • an accelerator chip can be used to implement the packet module ( 1103 ).
  • This chip can be used as the basis of a firewall box, a border server, or as an application level classification system such as needed when diagnosing high speed networking problems.
  • the invention may be implemented using an apparatus for classifying a data packet.
  • This apparatus includes: means for receiving the data packet at a root node of a classification tree; means for successively passing the data packet to each child of a first tree level until a first child node of the first tree level of the classification tree indicates a satisfaction of a node-criteria of said first child node, and the first child node forming said data packet into a matched packet; and means for repeating the steps of passing and forming for a next tree level until no first child node of said next tree level at a succeeding next level indicates satisfaction of the node-criteria of said first child node of said succeeding next level.
  • This apparatus may, for example, be in the form of a floppy or hard disk, flash memory, or external magnetic media, etc.
  • Another example embodiment of the present invention is an apparatus for determining disposition of a packet received at a child node.
  • This apparatus includes: an interrupt context of a control program, with the child node existing within the interrupt context; an external process outside of the interrupt context of the control program; means for passing said packet and a first disposition of said packet to the external process, the external process to augment the packet disposition by employing a process specific means and to return an augmented packet with an augmented disposition to the child node; and the interrupt context including means for receiving the augmented packet and the augmented disposition from the external process.
  • This apparatus may, for example, also be in the form of a hard disk, a floppy disk, or external magnetic media, etc.
  • a control program may be implemented as software that manages the example apparatus.
  • the present invention can be realized in hardware, software, or a combination of hardware and software.
  • the present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system—or other apparatus adapted for carrying out the methods described herein—is suited.
  • a typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
  • the present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out, or cause the carrying out of these methods.
  • Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following:

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Communication Control (AREA)

Abstract

The present invention provides methods and apparatus for classifying and demultiplexing packets in a network protocol stack. It provides extendibility for packet processing in the network protocol stack by defining a standard method for adding new functionality. It provides a method to obtain external information, from an application scheduled outside of the forwarding or interrupt context of the kernel, in order to augment packet classification and/or augment packet disposition. In some embodiments, external information augments a criteria of a node in a classification tree with additional information. It presents a way of augmenting which suspends the classification process until an application, scheduled outside of the forwarding or interrupt context of the kernel, completes. The resulting external information is used to augment the packet classification. In some embodiments of the method, the external information includes authentication of an originator of the packet by correlating a tunnel id with a userid, and/or using s/ident for out of band authentication. The classification process enables enforcement of a site policy.

Description

    FIELD OF THE INVENTION
  • The present invention is directed to the field of packet communication. It is more particularly directed to classification and demultiplexing of network communication packets processed in a network protocol stack.
  • BACKGROUND OF THE INVENTION
  • Communication over a network often requires the information that is to be transported from one computer to another be divided into network communication packets. These network communication packets, simply referred to as “packets”, are transported across the physical communication network.
  • The information originating from an application program becomes packetized into network communication packets by passing through various software components before arriving at the network interface card for transmission on the physical communications network. These software components are typically layered to form what is known as the network protocol stack. Each layer is responsible for a different facet of communication. For example, the TCP/IP protocol stack is normally split into four layers: link, network, transport and application. FIG. 1 shows the relationship between the protocol layers and the TCP/IP protocol stack. The link layer 101 is responsible for placing data on the physical network. The network layer 102 is responsible for routing. The transport layer 103 is responsible for the communication between two hosts. The application layer 104 is responsible for processing the application specific data.
  • For example, FIG. 2 illustrates the stages of an HTTP request being encapsulated before being sent to a web server. As the request descends the protocol stack, each layer 201-204 encapsulates the packet adding its own header. When the HTTP packet arrives at the destination address, each protocol layer uses information within its header to classify the incoming packet amongst all the protocols in the layer above it. This process is commonly referred to as demultiplexing.
  • At each layer in the network protocol stack, the packet is demultiplexed or “classified” based on information about the packet that is contained in the headers or from information inside the data portion of the packet itself. The packet is processed differently based on its classification.
  • For example, FIG. 3 illustrates how this classification is done for an incoming HTTP request 301. The Ethernet driver 302, in the link layer 300, classifies the packet based on frame type in the Ethernet header and passes it to IPv4 312 in the network layer 310. IPv4 312 classifies the packet based on the IP header protocol value in the IP header and passes it to TCP 323 in the transport layer 320. TCP classifies the packet based on the destination port number in the TCP header and passes it to the HTTP server 332 in the application layer 330.
  • Traditional packet classification systems, as found in BPF, DPF, Pathfinder, Router Plugins, operating systems and many firewalls, are limited to a set of fixed pattern matching rules. This allows a user to intercept/process any packet that matches the desired set of values in the appropriate byte ranges (usually a combination of the IP and the protocol header fields, such as source/destination address, protocol or source/destination ports). These packets are then passed to a software module that processes the packets and can modify, forward, drop or delay them. Stateful packet filtering systems generally have the ability to generate and add rules dynamically based on application traffic. However, such systems do not provide simple methods to extend packet processing to understand new application protocols.
  • These traditional systems may work well for applications that use a single connection to a well known destination address and port. However, many modern applications initially use a well known service port for the control session and then use additional connections on ephemeral port numbers for each data stream. Examples of such applications are FTP, Real Audio and H.323. To support these applications efficiently, the traditional systems must allow packet matching filter rules to be updated dynamically and quickly. In addition, some modern protocols have abandoned using fixed format headers and fixed sized fields. For example, HTTP makes its header human readable by encoding them as strings.
  • SUMMARY OF THE INVENTION
  • It is thus an aspect of the present invention to provide greater flexibility in classifying and demultiplexing packets in the network protocol stack. As a result, it provides a method for application level classification. This is due to classifying techniques and a modular structure described subsequently.
  • Another aspect of the present invention provides easier extendibility for packet processing in the network protocol stack by defining a standard method for adding new functionality or support for new protocols and applications.
  • Another aspect of the present invention provides methods and apparatus to obtain external information, from an application scheduled outside of the forwarding or interrupt context of the kernel, in order to augment packet classification and/or disposition.
  • An example embodiment of the present invention is a method for classifying a data packet. The method includes the steps of: receiving the packet at a root node of a classification tree; passing the packet to a first child node of a first tree level of the classification tree indicating a satisfaction of a node-criteria of the first child node; the first child node forming the data packet into a matched packet; and repeating the step of passing and forming for a next tree level until no first child node of the next level at a succeeding next level indicates satisfaction of the node-criteria of the first child node of the next level.
  • In some embodiments the step of indicating includes the step of executing a set of code which returns a status indication of the type; and/or the step of indicating satisfaction of a criteria includes the steps of executing a set of code which identifies the desired packet and returning a status indication; and/or the step of forming the data packet into a matched packet includes the step of indicating satisfaction; and/or the step of repeating the step of passing and the step forming includes the steps of indicating and returning a status indication of NO_Match.
  • In some embodiments of the method, the method further includes: the step of adding at least one new child node; and/or one new child node is a Real Audio node; and/or the method is extendible such that one or more nodes are dynamically added at any level; parsing the matched packet and generating relevant information; transforming the matched packet into a transformed packet; and/or associating the packet at a last first child node indicating satisfaction; executing a set of code in accordance with the last first child node; and/or the step of forming includes the first child node specifying a set of code to be run subsequently; and/or the step specifying specifies the set of code to be run following classification.
  • Another example embodiment of the present invention is a method which uses an external process for classifying a packet. This method includes the steps of suspending a classification process in progress for the packet, and obtaining external information employed in the classifying. This is performed by an application scheduled outside of the forwarding or interrupt context of the kernel.
  • In some embodiments of the method, the step of suspending includes the steps of queuing any data, including information about the packet or its present classification; and/or transferring said data to an application that is scheduled outside of the forwarding or interrupt context of the kernel.
  • In some embodiments of the method, the step of obtaining external information includes augmenting a node-criteria of a node in a classification tree with additional information; and/or the external information includes authentication of an originator of the packet; the classification process is an extendible classifier process (In one application, a process is extendible by adding a new child node); and/or the step of specifying includes enforcement of a site policy. A site policy is composed of a number of different aspects including security. The security aspect of a site policy may be based on packet classification and authentication information.
  • Another aspect of the present invention is a method for determining disposition of an original packet received at a child node. The method includes the step of passing the original packet and a first disposition of the original packet to an external process, and the external process augmenting the original packet and/or augmenting the first disposition by employing a process specific means and returning an augmented packet and an augmented disposition to the child node. Some embodiments of the method include suspending a disposition process in progress for the original packet; and/or the augmented disposition includes identification of and/or authentication of an originator of said packet.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • These and other aspects, features, and advantages of the present invention will become apparent upon further consideration of the following detailed description of the invention when read in conjunction with the drawing figures, in which:
  • FIG. 1 shows the relationship between the protocol layers and the TCP/IP protocol stack;
  • FIG. 2 illustrates the stages of an HTTP request being encapsulated before being sent to a web server;
  • FIG. 3 illustrates how classifying is done for an incoming HTTP request;
  • FIG. 4 shows an example of how to organize modules in the classification tree in accordance with the present invention;
  • FIG. 5 shows an example of a packet classification and demultiplexing process in classifying a packet in accordance with the present invention;
  • FIG. 6 shows an example of steps to determine the packet disposition in accordance with the present invention;
  • FIG. 7 shows an example of pm_t return codes in accordance with the present invention;
  • FIG. 8 shows an example of application dependent nodes in accordance with the present invention;
  • FIG. 9 shows an example of pp_t return codes in accordance with the present invention;
  • FIG. 10 shows an example of paction_t return codes in accordance with the present invention; and
  • FIG. 11 shows an example of an apparatus in accordance with the present invention.
  • DETAILED DESCRIPTION OF THE INVENTION
  • Networking protocols are normally divided into layers which are responsible for different facets of communication as FIG. 1 depicts for the network layers of the TCP/IP protocol. The associated call graph created by the standard UNIX protocol stack is arranged like a tree as described for FIG. 3. Each level of the tree corresponds to a different layer in the networking protocol stack. The present invention mimics the call graph of the UNIX protocol stack and organizes the different modules competing for packets at the IP layer in a tree structure herein referred to as a classification tree.
  • An example of a classification tree 400 is shown in FIG. 4. FIG. 4 shows each node in the classification tree as a separate module. In an embodiment of the present invention each node is composed of 4 packet traversal functions (matcher, preprocessor, action, and post processing) and 3 node management functions (callback, heartbeat and management). Only the packet matching function, which identifies the packets to process, and the packet action function, which determines the packet disposition, are required. The packet matching function is herein referred to as the node-criteria of the node. The remaining traversal and management function pointers can default to NULL. These functions associated with each node are stored in a PacketFilter structure.
  • Since each of the nodes is a separate dynamically loadable module, the classification tree organization is flexible. In an embodiment of the present invention, the modules are loaded into memory during the initialization process. Based upon configuration information the modules are then arranged to form a classification tree. The ordering of the modules is important since the packet traversal is governed by this ordering. As the classification tree is created, each node is initialized by executing a set of code. In the embodiment, this set of code is a function referred to as the management function(mm). The input parameter to the mm function is generally a single pointer to a buffer containing the node specific configuration data.
  • FIG. 4 shows an example of how to organize modules in the classification tree. The IPv4 503, IPv6 504, UDP 506, HTTP 507 and TCP 508 modules each wish to observe or modify packets that use the protocol for which they are named. However, in this example, there are multiple ways one could imagine wanting to process HTTP requests. These ways include: providing a transparent HTTP proxy function, using a specialized TCP for HTTP like Transaction TCP(T/TCP), doing content filtering based on site policy, or limiting packet traffic based on a service contract. Depending on the intended purpose of the classification tree, differing modules are loaded into memory. A site policy is composed of a number of different aspects including security. The security aspect of a site policy may be based on packet classification and authentication information. Once initialization completes, the classification tree may be modified by adding, deleting or moving a node. This ability of modifying the classification tree makes the packet classification process extendible.
  • The present invention includes methods for implementing a packet classification process and/or an augmented packet disposition process. The packet to be classified and/or augmented is herein referred to as the original packet. The resulting packet is referred to as the augmented packet. The disposition of the original packet is herein referred to as the first disposition, and the disposition resulting from the augmented disposition process is herein referred to as the augmented disposition. Anything outside of the forwarding or interrupt context of the kernel is herein said to be external.
  • An example embodiment has 7 steps to classify a packet and determine the augmented packet disposition. These steps are in the interrupt context except where noted. Steps 1-4 describe the packet classification process shown in FIG. 5. Steps 5-7 describe augmenting the packet disposition process. A flow diagram for these seven steps is shown in FIG. 6. Refer to FIGS. 5 & 6 for the following description.
  • Step 1: After receiving a packet from the physical network, the Link Layer passes the packet to the root node 502.
  • In this step, a network driver receives a packet from the physical network, which it classifies based on frame type in the MAC header and passes it to the root node of the classification tree.
  • Step 2: The packet is passed to a first child node of the first level 521 of the classification tree, indicating a satisfaction of a node-criteria of the child node.
  • The root node asks each child node from left to right whether the packet matches its node-criteria, until a child node's node-criteria is satisfied. The root node then passes the packet to that first child node which satisfies the node-criteria and forms the data packet into a matched packet. In FIG. 5, the root node 502 first passes the packet to the IPv4 node 503. A child node's node-criteria includes a set of code used to identify the packets desired. This set of code is implemented as a function referred to as the packet matching function (pm) 603.
  • The input parameters to the pm function are: the PBUF, an operating system independent data structure containing the packet, the options memory area, and a pointer to the packet filter node. The result of the packet matching function, indicating satisfaction or lack there of, of the child node's node-criteria, is of type pm_t. FIG. 7 enumerates a sample group of type pm_t return code values 700. The packet matching function results indicating satisfaction of a child node's node-criteria include: Match_OK, Match_This, Match_Discard, and Match_Forward. The result indicating lack of satisfaction is NO_Match.
  • The packet matching function may be as simplistic as matching a static fixed offset, such as the IPv4 node, or as complex as identifying the packets for applications which negotiate additional connections, such as FTP, Real-Audio and H.323. Unfortunately, since each of these application has its own method for negotiating additional connections, application dependent nodes are required. This is as illustrated in FIG. 8 for H.323 831, Real-Audio 832, and FTP 833. For each additional connection, a dynamic filter rule is created. These dynamic filter rules and other state information for the negotiated connections are stored locally in the application specific node. One implementation uses a hashtable structure for storing this data. Based on the well known services port and the application specific data, the packet matching function identifies the packets desired enabling application level classification.
  • Step 3: Repeat the process of ‘passing the packet’ starting with a first child node of a next tree level of the classification tree which satisfies a node-criteria of that first child node, as described in step 2, and form the packet into a matched packet, until no child of a next tree level of the classification tree succeeds in satisfying a node-criteria (NO_Match).
  • A determination is made if there is a next child 604. If there is, flow continues with 601. If not, flow continues with 621. Thus, when the packet matching function of all of the children nodes of the next tree layer result in a lack of satisfaction, (NO_Match), the packet is said to have fully traversed the classification tree. The traversal path is defined as the set of nodes from the root to the last first child node satisfying a node-criteria of the child node. Thus packet classification has completed and flow continues with 621.
  • Step 4: For each first child node, satisfying a node-criteria of the child node form the data packet into a matched packet. This may be performed as in steps 4A, 4B and/or 4C.
  • Step 4A: The current node is added to the node traversal path 605.
  • Step 4B: The node may execute a set of code, if such a code exists, which may parse and transform the packet 607. If the set of code exists, the packet is parsed and transformed 617. If not, flow continues with 609.
  • Once a node's node-criteria is satisfied, the packet's traversal of the classification tree is limited to the node's descendants. The remainder of the classification tree is not traversed. But before traversing a node's subtree, the node may execute a set of code. In the present embodiment, this set of code is referred to as the packet preprocessor function (pp). The input parameters are the same as the packet matching function. This includes: the PBUF, an operating system independent data structure containing the packet, the options memory area, and a pointer to the packet filter node. The return code of the pp function is of type pp_t. Examples of type pp_t 900 are enumerated in FIG. 9. The packet preprocessor function may perform actions such as parsing a packet and transforming a packet. Parsing a packet generates information that may need to be made available to the node's descendants and ancestors. Transforming a packet takes place for example, when the IPSEC node's preprocessor transforms an encrypted packet into a decrypted packet. IPSec tunnel information and other information is created that can be used by other nodes in the classification tree.
  • The present invention thus provides a generic mechanism for retaining or passing state information between nodes by a mechanism we referred to herein as options passing. In an example of option passing, an options memory segment is attached to each packet during its tree traversal. Each node may store and retrieve state using the APIs: fw_add_option, fw_next_option. Since a node may not understand all options that are passed to it, the node will process the options it understands and ignore those which it does not understand.
  • Step 4C: The node may also suspend the classification process in order to obtain additional external information so as to augment packet classification and demultiplexing 615.
  • Suspending the classification process involves queueing any data, including information about the packet or its present classification, and transferring the data to an application that is scheduled outside of the forwarding or interrupt context of the kernel.
  • One embodiment augments packet classification by suspending the packet classification process until the application, scheduled outside of the forwarding or interrupt context of the kernel, completes. The resulting external information is used to augment the packet classification.
  • Examples of applications which may augment packet classification include packet identification and authentication agents. An identification/authentication agent, may use s/ident for out of band identification and authentication. Authentication may use s/ident for out of band authentication in order to correlate the packet with a userid. Another example of authentication is to correlate a VPN tunnel id with a userid.
  • This external information, such as packet identification and/or authentication, permits packets to be handled differently. For example, assume that a site connected to the Internet is severely bandwidth limited. As a result only a limited number of employees at any given moment can run applications with high bandwith demands, such as streaming media. Based on the external information a site policy can be implemented which gives preferential treatment to a set of employees.
  • Step 5: After packet classification completes, a set of code associated with the last child node which satisfied the node-criteria, is executed.
  • In an embodiment, this set of code is referred to as the packet action function (pa). The packet action input parameters are: the PBUF, a pointer to the node, a pointer to the node traversal path, and the options memory area. An example of return codes of the pa function, of type paction_t are enumerated in FIG. 10 1000. The return code obtained determines the packet disposition.
  • Normally the packet action function 621 monitors the packet data in order to obtain application specific state information used by the other node functions. For example, a packet action function with application specific knowledge could monitor the packet data for new negotiated data connections. These new dynamic connections are stored locally in the application specific node. The packet matching function uses the dynamic data as part of the node-criteria for application level packet classification.
  • Other examples of packet action function usage include: modifying packets, which may be used to implement NAT; queueing packets, which may be used to shape traffic; dropping packets, which may be used for rate limiting; and redirecting packets, which may be used for load balancing.
  • The packet action function may also suspend kernel packet processing and transfer any data (including information about the packet or its classification) to an application that is scheduled outside of the forwarding or interrupt context of the kernel, and/or to obtain external information in order to augment the packet disposition (i.e. discard, forward, process locally or redirect) decision 631. Suspending the packet disposition decision process involves queueing any data, including information about the packet or its classification, and transferring the data to an application employing a process specific means that is scheduled outside of the forwarding or interrupt context of the kernel.
  • An example method of augmenting the packet disposition decision is to suspend any in progress packet disposition decision process until the application scheduled outside of the forwarding or interrupt context of the kernel completes. The resulting external information is used to augment the packet disposition decision. Examples of applications which may augment the packet disposition decision are policy enforcement and content filtering agents based on any combination of the packet classification, identification and authentication. Examples of process specific means include s/identd and external LDAP servers.
  • Once the application completes, it passes the original data, the external information and the results to the kernel, which issues a call to the node's callback function. The callback function(cb) reinserts the packet at the node which suspended the processing. Based on the application's results, dynamic rules may be created 621.
  • For example, an especially advantageous usage is with VPN tunnels. Differing policies based on the VPN callee are enforceable using dynamic rules. With application level classification, these rules are no longer limited to fixed pattern matches, such as protocol, but may be written in terms of applications. An example of an application level rule would be ‘permit John Doe Real-Audio’. Application level rules would also simplify firewall rule definitions in firewall applications.
  • Step 6: After the set of code associated with the last child node, which satisfied the node-criteria (referred to as the packet action code) completes, a set of code associated with each node in the node traversal path, is executed 623.
  • In the present embodiment, this set of code is referred to as the packet post processor function(px) 625. The packet postprocessing input parameters are the PBUF, the options memory area and the packet action disposition. The return code of the px function is of type paction_t. Examples of type paction_t are enumerated in FIG. 10.
  • Just as the packet preprocessing may decrypt a packet, the packet postprocessing may perform actions such as encrypting a packet 627. As the packet originally traversed the classification tree, the node traversal path was created. Before returning to the base operating system, in reverse node traversal order, packet postprocessing is executed.
  • Normally, the packet disposition is maintained through postprocessing. Only in unusual circumstances does the postprocessing not follow the recommended packet action and previous post processing disposition. For example, with VPN tunnels the outbound tunnel may have been torn down during the classification tree traversal.
  • Step 7: After the packet processing completes, control returns to the base operating system, which discards, forwards, redirects or locally processes the packet, based on the final disposition 633.
  • FIG. 11 shows an example embodiment of the present invention as an apparatus to classify and/or augment the disposition of a data packet shown in FIG. 11. The apparatus includes a network interface device (1101) to receive a packet from the physical network and pass the packet to a root node of a classification tree, and the reverse, to receive a packet from the root node and send a packet to the physical network. The apparatus also includes a packet module (1103) to successively pass the packet from child node to child node on each tree level until a first child node of a tree level of the classification tree indicates a satisfaction of a node-criteria of that first child node. The first child node forms the data packet into a matched packet until no first child node of a next level at a succeeding next level indicates satisfaction of the node-criteria of the first child node of the next level.
  • It is noted that an accelerator chip can be used to implement the packet module (1103). This chip can be used as the basis of a firewall box, a border server, or as an application level classification system such as needed when diagnosing high speed networking problems.
  • Other apparatus embodiments of the present invention may be implemented in ways known to those familiar with the art. For example, the invention may be implemented using an apparatus for classifying a data packet. This apparatus includes: means for receiving the data packet at a root node of a classification tree; means for successively passing the data packet to each child of a first tree level until a first child node of the first tree level of the classification tree indicates a satisfaction of a node-criteria of said first child node, and the first child node forming said data packet into a matched packet; and means for repeating the steps of passing and forming for a next tree level until no first child node of said next tree level at a succeeding next level indicates satisfaction of the node-criteria of said first child node of said succeeding next level. This apparatus may, for example, be in the form of a floppy or hard disk, flash memory, or external magnetic media, etc.
  • Another example embodiment of the present invention is an apparatus for determining disposition of a packet received at a child node. This apparatus includes: an interrupt context of a control program, with the child node existing within the interrupt context; an external process outside of the interrupt context of the control program; means for passing said packet and a first disposition of said packet to the external process, the external process to augment the packet disposition by employing a process specific means and to return an augmented packet with an augmented disposition to the child node; and the interrupt context including means for receiving the augmented packet and the augmented disposition from the external process. This apparatus may, for example, also be in the form of a hard disk, a floppy disk, or external magnetic media, etc. A control program may be implemented as software that manages the example apparatus.
  • The present invention can be realized in hardware, software, or a combination of hardware and software. The present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system—or other apparatus adapted for carrying out the methods described herein—is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out, or cause the carrying out of these methods.
  • Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following:
  • 1. conversion to another language, code or notation; and/or
  • 2. reproduction in a different material form.
  • It is noted that the foregoing has outlined some of the more pertinent objects and embodiments of the present invention. The concepts of this invention may be used for many applications. Thus, although the description is made for particular arrangements and methods, the intent and concept of the invention is suitable and applicable to other arrangements and applications. For example, although reference is made to a data packet, the invention is similarly applicable to a non-data packet. It will be clear to those skilled in the art that other modifications to the disclosed embodiments can be effected without departing from the spirit and scope of the invention. The described embodiments ought to be construed to be merely illustrative of some of the more prominent features and applications of the invention. Other beneficial results can be realized by applying the disclosed invention in a different manner or modifying the invention in ways known to those familiar with the art. Thus, it should be understood that the embodiments has been provided as an example and not as a limitation. The scope of the invention is defined by the appended claims.

Claims (9)

1-6. (canceled)
7. A method for classifying a packet, said method comprising suspending a packet classification process in progress for said packet; and obtaining external information employed in said classifying.
8. A method in claim 7, wherein the step of obtaining includes augmenting a node-criteria of a node in a classification tree with external information.
9. A method as in claim 8, wherein the external information includes identification of the originator of said packet.
10. A method as in claim 8, wherein the external information includes authentication of an originator of said packet.
11. A method as recited in claim 7, wherein the classification process is an extendible classifier process.
12-35. (canceled)
36. An article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for causing classification of a data packet, the computer readable program code means in said article of manufacture comprising computer readable program code means for causing a computer to effect the steps of claim 8.
37-39. (canceled)
US11/678,228 2000-04-13 2007-02-23 Network data packet classification and demultiplexing Abandoned US20070195714A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/678,228 US20070195714A1 (en) 2000-04-13 2007-02-23 Network data packet classification and demultiplexing

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/548,141 US7200684B1 (en) 2000-04-13 2000-04-13 Network data packet classification and demultiplexing
US11/678,228 US20070195714A1 (en) 2000-04-13 2007-02-23 Network data packet classification and demultiplexing

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/548,141 Division US7200684B1 (en) 2000-04-13 2000-04-13 Network data packet classification and demultiplexing

Publications (1)

Publication Number Publication Date
US20070195714A1 true US20070195714A1 (en) 2007-08-23

Family

ID=24187592

Family Applications (2)

Application Number Title Priority Date Filing Date
US09/548,141 Expired - Lifetime US7200684B1 (en) 2000-04-13 2000-04-13 Network data packet classification and demultiplexing
US11/678,228 Abandoned US20070195714A1 (en) 2000-04-13 2007-02-23 Network data packet classification and demultiplexing

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US09/548,141 Expired - Lifetime US7200684B1 (en) 2000-04-13 2000-04-13 Network data packet classification and demultiplexing

Country Status (3)

Country Link
US (2) US7200684B1 (en)
JP (1) JP2002271396A (en)
GB (1) GB2365668B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080240140A1 (en) * 2007-03-29 2008-10-02 Microsoft Corporation Network interface with receive classification
US20100110936A1 (en) * 2008-10-30 2010-05-06 Bailey Kevin R Method and system for classifying data packets
US20120039332A1 (en) * 2010-08-12 2012-02-16 Steve Jackowski Systems and methods for multi-level quality of service classification in an intermediary device
US20120039337A1 (en) * 2010-08-12 2012-02-16 Steve Jackowski Systems and methods for quality of service of encrypted network traffic
CN102474457A (en) * 2009-07-22 2012-05-23 思科技术公司 Packet classification
CN104023000A (en) * 2013-09-05 2014-09-03 田玥 Network intrusion detection method
US8990380B2 (en) 2010-08-12 2015-03-24 Citrix Systems, Inc. Systems and methods for quality of service of ICA published applications

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7660902B2 (en) * 2000-11-20 2010-02-09 Rsa Security, Inc. Dynamic file access control and management
US8700781B2 (en) * 2001-06-12 2014-04-15 Verizon Business Global Llc Automated processing of service requests using structured messaging protocols
US20020188688A1 (en) * 2001-06-12 2002-12-12 Bice Richard S. Automated message handling system and process
US7522627B2 (en) * 2001-09-14 2009-04-21 Nokia Corporation System and method for packet forwarding
US7389537B1 (en) 2001-10-09 2008-06-17 Juniper Networks, Inc. Rate limiting data traffic in a network
US7894480B1 (en) * 2002-08-27 2011-02-22 Hewlett-Packard Company Computer system and network interface with hardware based rule checking for embedded firewall
JP4598354B2 (en) 2002-09-30 2010-12-15 株式会社エヌ・ティ・ティ・ドコモ COMMUNICATION SYSTEM, RELAY DEVICE, AND COMMUNICATION CONTROL METHOD
CA2500305A1 (en) * 2002-10-02 2004-04-15 Richard Reiner Rule creation for computer application screening; application error testing
US7451310B2 (en) * 2002-12-02 2008-11-11 International Business Machines Corporation Parallelizable authentication tree for random access storage
MY141160A (en) * 2003-01-13 2010-03-31 Multimedia Glory Sdn Bhd System and method of preventing the transmission of known and unknown electronic content to and from servers or workstations connected to a common network
US20040249958A1 (en) * 2003-06-04 2004-12-09 Ozdemir Hasan Timucin Method and apparatus for secure internet communications
EP1838635A2 (en) * 2004-12-20 2007-10-03 Corning Incorporated Method of making a glass envelope
EP1744515B1 (en) * 2005-07-12 2011-07-13 Fujitsu Siemens Computers, Inc. Method, cluster system and computer-readable medium for distributing data packets
US8879388B2 (en) * 2006-05-30 2014-11-04 Broadcom Corporation Method and system for intrusion detection and prevention based on packet type recognition in a network
US20090178140A1 (en) * 2008-01-09 2009-07-09 Inventec Corporation Network intrusion detection system
US20140369363A1 (en) * 2013-06-18 2014-12-18 Xpliant, Inc. Apparatus and Method for Uniquely Enumerating Paths in a Parse Tree
CN103685224A (en) * 2013-09-05 2014-03-26 北京安博达通科技有限责任公司 A network invasion detection method
CN103491069A (en) * 2013-09-05 2014-01-01 北京科能腾达信息技术股份有限公司 Filtering method for network data package
CN103841096A (en) * 2013-09-05 2014-06-04 北京科能腾达信息技术股份有限公司 Intrusion detection method with matching algorithm automatically adjusted
US9661080B2 (en) 2014-10-21 2017-05-23 Helium Systems, Inc. Systems and methods for smart device networking with an endpoint and a bridge

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5297239A (en) * 1989-01-25 1994-03-22 Hitachi, Ltd. Compile type knowledge processing tool, a high-speed inference method therefor and a system using the tool
US6587466B1 (en) * 1999-05-27 2003-07-01 International Business Machines Corporation Search tree for policy based packet classification in communication networks
US6600744B1 (en) * 1999-03-23 2003-07-29 Alcatel Canada Inc. Method and apparatus for packet classification in a data communication system
US6697352B1 (en) * 1998-07-15 2004-02-24 Telefonaktiebolaget Lm Ericsson Communication device and method

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1993006676A1 (en) * 1991-09-26 1993-04-01 Communications Satellite Corporation Nonblocking point-to-point fast packet/circuit switching networks
JPH05324726A (en) * 1992-05-25 1993-12-07 Fujitsu Ltd Document data classifying device and document classifying function constituting device
AU4661793A (en) * 1992-07-02 1994-01-31 Wellfleet Communications Data packet processing method and apparatus
GB9326476D0 (en) * 1993-12-24 1994-02-23 Newbridge Networks Corp Network
US5509006A (en) * 1994-04-18 1996-04-16 Cisco Systems Incorporated Apparatus and method for switching packets using tree memory
US6292465B1 (en) * 1997-05-27 2001-09-18 Ukiah Software, Inc. Linear rule based method for bandwidth management
US6041053A (en) * 1997-09-18 2000-03-21 Microsfot Corporation Technique for efficiently classifying packets using a trie-indexed hierarchy forest that accommodates wildcards
US5995971A (en) * 1997-09-18 1999-11-30 Micdrosoft Corporation Apparatus and accompanying methods, using a trie-indexed hierarchy forest, for storing wildcard-based patterns and, given an input key, retrieving, from the forest, a stored pattern that is identical to or more general than the key
AU1421799A (en) * 1997-11-25 1999-06-15 Packeteer, Inc. Method for automatically classifying traffic in a packet communications network
US6591299B2 (en) * 1997-11-25 2003-07-08 Packeteer, Inc. Method for automatically classifying traffic with enhanced hierarchy in a packet communications network
DE69819301D1 (en) * 1998-05-01 2003-12-04 Hewlett Packard Co Procedure for managing dynamic decision trees
EP0954139B1 (en) * 1998-05-01 2005-04-06 Hewlett-Packard Company, A Delaware Corporation Methods of altering dynamic decision trees
US6498795B1 (en) * 1998-11-18 2002-12-24 Nec Usa Inc. Method and apparatus for active information discovery and retrieval

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5297239A (en) * 1989-01-25 1994-03-22 Hitachi, Ltd. Compile type knowledge processing tool, a high-speed inference method therefor and a system using the tool
US6697352B1 (en) * 1998-07-15 2004-02-24 Telefonaktiebolaget Lm Ericsson Communication device and method
US6600744B1 (en) * 1999-03-23 2003-07-29 Alcatel Canada Inc. Method and apparatus for packet classification in a data communication system
US6587466B1 (en) * 1999-05-27 2003-07-01 International Business Machines Corporation Search tree for policy based packet classification in communication networks

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080240140A1 (en) * 2007-03-29 2008-10-02 Microsoft Corporation Network interface with receive classification
US20100110936A1 (en) * 2008-10-30 2010-05-06 Bailey Kevin R Method and system for classifying data packets
US7872993B2 (en) * 2008-10-30 2011-01-18 Alcatel Lucent Method and system for classifying data packets
CN102474457A (en) * 2009-07-22 2012-05-23 思科技术公司 Packet classification
CN103384991A (en) * 2010-08-12 2013-11-06 思杰系统有限公司 Systems and methods for quality of service of encrypted network traffic
US20120039337A1 (en) * 2010-08-12 2012-02-16 Steve Jackowski Systems and methods for quality of service of encrypted network traffic
US20120039332A1 (en) * 2010-08-12 2012-02-16 Steve Jackowski Systems and methods for multi-level quality of service classification in an intermediary device
US8638795B2 (en) * 2010-08-12 2014-01-28 Citrix Systems, Inc. Systems and methods for quality of service of encrypted network traffic
US20140185482A1 (en) * 2010-08-12 2014-07-03 Citrix Systems, Inc. Systems and methods for quality of service of encrypted network traffic
US8792491B2 (en) * 2010-08-12 2014-07-29 Citrix Systems, Inc. Systems and methods for multi-level quality of service classification in an intermediary device
US8990380B2 (en) 2010-08-12 2015-03-24 Citrix Systems, Inc. Systems and methods for quality of service of ICA published applications
US9071542B2 (en) 2010-08-12 2015-06-30 Citrix Systems, Inc. Systems and methods for multi-level quality of service classification in an intermediary device
US9294378B2 (en) * 2010-08-12 2016-03-22 Citrix Systems, Inc. Systems and methods for quality of service of encrypted network traffic
US9602577B2 (en) 2010-08-12 2017-03-21 Citrix Systems, Inc. Systems and methods for quality of service of ICA published applications
CN104023000A (en) * 2013-09-05 2014-09-03 田玥 Network intrusion detection method

Also Published As

Publication number Publication date
JP2002271396A (en) 2002-09-20
US7200684B1 (en) 2007-04-03
GB2365668A (en) 2002-02-20
GB2365668B (en) 2003-10-15
GB0108676D0 (en) 2001-05-30

Similar Documents

Publication Publication Date Title
US7200684B1 (en) Network data packet classification and demultiplexing
US10148577B2 (en) Network service header metadata for load balancing
US10680951B2 (en) System and method for processing and forwarding transmitted information
US6654373B1 (en) Content aware network apparatus
US7089294B1 (en) Methods, systems and computer program products for server based type of service classification of a communication request
US20190028384A1 (en) Application identifier in service function chain metadata
US7031316B2 (en) Content processor
US9571405B2 (en) Metadata augmentation in a service function chain
US10225270B2 (en) Steering of cloned traffic in a service function chain
US7290028B2 (en) Methods, systems and computer program products for providing transactional quality of service
US7764678B2 (en) Routing based on dynamic classification rules
US7315892B2 (en) In-kernel content-aware service differentiation
US7522581B2 (en) Overload protection for SIP servers
US6721272B1 (en) Method and apparatus for generating an RSVP message for a non-RSVP-enabled network device
US20160301603A1 (en) Integrated routing method based on software-defined network and system thereof
US20030231632A1 (en) Method and system for packet-level routing
JP2001053789A (en) System for preparing multilayer wide band in computer network
GB2399725A (en) Resolving conflicts between network service rules from multiple network services
US20030229710A1 (en) Method for matching complex patterns in IP data streams
Davoli et al. Implementation of service function chaining control plane through OpenFlow
Bremler-Barr et al. Openbox: Enabling innovation in middlebox applications
US20030229708A1 (en) Complex pattern matching engine for matching patterns in IP data streams
Cardoe et al. LARA: A prototype system for supporting high performance active networking
Kind et al. The role of network processors in active networks
USRE48131E1 (en) Metadata augmentation in a service function chain

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION