Title: Method for managing multi-field classification rules relating to ingress

Abstract: The present invention relates to a method for managing a plurality of multi-field classification rules. The method includes providing a first table that includes a plurality of entries corresponding to a plurality of rules relating to an ingress context and providing a second table that includes a plurality of entries corresponding to a plurality of rules relating to an egress context. The method also includes utilizing the first table and the second table to identify any rules relating to the ingress context and any rules relating to the egress context that match a search key.

Patent Number: 7,412,431 Issued on 08/12/2008 to Corl, Jr.,   et al.


Inventors: Corl, Jr.; Everett A. (Raleigh, NC), Davis; Gordon T. (Chapel Hill, NC), Heddes; Marco (Shelton, CT), Patel; Piyush C. (Cary, NC), Sabhikhi; Ravinder K. (Cary, NC)
Assignee: International Business Machines Corporation (Armonk, NY)
Appl. No.: 10/832,958
Filed: April 27, 2004


Current U.S. Class: 706/47 ; 706/45; 706/46
Current International Class: G06F 17/00 (20060101); G06N 5/02 (20060101)
Field of Search: 706/47,46,45 707/100


References Cited

U.S. Patent Documents
4868570 September 1989 Davis
5373290 December 1994 Lempel et al.
5374928 December 1994 Moore et al.
5469161 November 1995 Bezek
5485550 January 1996 Dalton
5546575 August 1996 Potter et al.
5680619 October 1997 Gudmundson et al.
5805796 September 1998 Finch et al.
6070166 May 2000 Whittaker et al.
6192051 February 2001 Lipman et al.
6298340 October 2001 Calvignac et al.
6389386 May 2002 Hetherington et al.
6473763 October 2002 Corl et al.
6529897 March 2003 Corl et al.
6633883 October 2003 Koskas
6675163 January 2004 Bass et al.
6886073 April 2005 Davis et al.
7039641 May 2006 Woo
7043467 May 2006 Milito et al.
2001/0014890 August 2001 Liu et al.
2002/0178335 November 2002 Selkirk et al.
2002/0191605 December 2002 Lunteren et al.
2003/0005248 January 2003 Selkirk et al.
2003/0123459 July 2003 Davis et al.
2003/0233516 December 2003 Davis et al.

Other References

"Multi-Field Packet Classification Using Ternary CAM," Electronics Letters, Jan. 3, 2002, vol. 38, No. 1, pp. 21-23.
"Ternary CAM with Range Match Capacities," Research Disclosure, Apr. 2001, pp. 651.
"Hybrid Direct Table and LPM Searches," Research Disclosure, Mar. 2001, pp. 456.
"Ternary Read-Only Memory," IBM Technical Disclosure Bulletin, Sep. 1971, vol. 14, No. 4, pp. 1337-1338.
Sarawagi et al., Integrating Association Rule Mining with Relational Database Systems: Alternatives and Implications, 1998, ACM, 0-8979d1-995-5/98, 343-354.
IEEE, The Authoritative Dictionary of IEEE Standards & Terms, 2000, IEEE 7th Edition.

Primary Examiner: Hirl; Joseph P
Attorney, Agent or Firm: Sawyer Law Group LLP

Claims



What is claimed is:

1. A method for managing a plurality of multi-field classification rules used by a network switch to classify packets being transmitted via a network, the method comprising: providing a first table, the first table including a plurality of entries, each of the plurality of entries in the first table corresponding to a plurality of ingress rules relating to an ingress context and defining a tree structure to distinguish between the plurality of ingress rules related to the ingress context, wherein each ingress context refers to one or more session identification parameters of a packet that are used to determine whether any of the plurality of ingress rules related to the respective ingress context is applicable to the packet; providing a second table separate from the first table, the second table including a plurality of entries, each of the plurality of entries in the second table corresponding to a plurality of egress rules relating to an egress context and defining a tree structure to distinguish between the plurality of egress rules related to the egress context, wherein each egress context refers to one or more session identification parameters of a packet that are used to determine whether any of the plurality of egress rules related to the respective egress context is applicable to the packet; and storing the first table and the second table in a storage of the network switch.

2. The method of claim 1, wherein each tree structure comprises one or more nodes.

3. The method of claim 2, wherein each node is a single bit test node that includes a next bit to test field and an address field, the address field including a pointer to a leaf node or a pair of nodes.

4. The method of claim 2, wherein the one or more nodes of each tree structure comprise a root node.

5. The method of claim 1, wherein the plurality of entries in the first table correspond to every possible ingress context, and the plurality of entries in the second table correspond to every possible egress context.

6. The method of claim 1, further comprising: receiving a search command, the search command comprising a search key, the search key including an ingress context and an egress context; and utilizing the first table and the second table to determine whether the ingress context of the search key matches any ingress context in the first table and whether the egress context of the search key matches any egress context in the second table.

7. The method of claim 6, further comprising: generating a first key from the search key, the first key including an ingress context field that stores the ingress context of the search key; and generating a second key from the search key, the second key including an egress context field that stores the egress context of the search key, wherein utilizing the first table and the second table comprises utilizing the first table and the second table to determine whether the first key matches any ingress context in the first table and whether the second key matches any egress context in the second table.

8. The method of claim 6, wherein utilizing the first table and the second table includes: selecting one of the plurality of entries in the first table corresponding to an ingress context that matches the ingress context of the search key; traversing the tree structure defined in the one entry of the first table; and returning data associated with at least one of the plurality of ingress rules relating to the ingress context based on traversal of the tree structure defined in the one entry of the first table.

9. The method of claim 8, wherein returning data associated with the at least one ingress rule relating to the ingress context includes: comparing a portion of a rule definition for the at least one ingress rule with the search key, the portion of the rule definition excluding specifications for the ingress context.

10. The method of claim 8, wherein utilizing the first table and the second table further includes: selecting one of the plurality of entries in the second table corresponding to an egress context that matches the egress context of the search key; traversing the tree structure defined in the one entry of the second table; and returning data associated with at least one of the plurality of egress rules relating to the egress context based on traversal of the tree structure defined in the one entry of the second table.

11. The method of claim 10, wherein returning data associated with the at least one egress rule relating to the egress context includes: comparing a portion of a rule definition for the at least one egress rule with the search key, the portion of the rule definition excluding specifications for the egress context.

12. The method of claim 10, wherein traversal of the tree structure defined in the one entry of the first table and traversal of the tree structure defined in the one entry of the second table are performed in parallel.
Description



FIELD OF THE INVENTION

The present invention relates to computer systems, and more particularly to a method and system for managing multi-field classification rules relating to ingress and egress contexts.

BACKGROUND OF THE INVENTION

FIG. 1 depicts conventional networks 10 and 20 which may be connected to the Internet 30. The networks 10 and 20 include hosts 12, 14 and 16 and hosts 22 and 24, respectively. Each network 10 and 20 also includes a switch 18 and 26, respectively, and may include one or more servers such as the servers 17, 19 and 28, respectively. In addition, each network 10 and 20 may include one or more gateways 13 and 25, respectively, to the Internet 30. Not explicitly shown are routers and other portions of the networks 10 and 20 which may also control traffic through the networks 10 and 20 and which will be considered to be inherently depicted by the switches 18 and 26, respectively, and the networks 10 and 20 in general.

FIG. 2 depicts a portion of a typical switch 50, which may be used for the switches 18 and 26 (FIG. 1) and/or a router (not shown). The switch 50 includes a network processor 52 and storage 54. The switch 50 typically also includes other components (not shown). The network processor 52 manages functions of the switch 50, including the classification of packets using the rules described below. The storage 54 retains data relating to the rules.

Referring to FIGS. 1 and 2, in order to manage communications in a network, such as the network 10 or 20, filter rules are used. Filter rules are typically employed by switches, routers and other portions of the network to perform packet classification. Each filter rule is used to classify packets which are being transmitted via a network in order to determine how the packet should be treated and what services should be performed. For example, a filter rule may be used in testing packets entering the network from an outside source to ensure that attempts to break into the network can be thwarted. For example, traffic from the Internet 30 entering the network 10 may be tested in order to ensure that packets from unauthorized sources are denied entrance.

Similarly, packets from one portion of a network may be prevented from accessing another portion of the network. For example, a packet from some of the hosts 12, 14 or 16 may be prevented access to either the server 17 or the server 19. The fact that the host attempted to contact the server may also be recorded so that appropriate action can be taken by the owner of the network.

Such filter rules may also be used to transmit traffic based on the priorities of packets. For example, packets from a particular host, such as the host 12, may be transmitted because the packets have higher priority even when packets from the hosts 14 or 16 may be dropped. The filter rules may also be used to ensure that new sessions are not permitted to be started when congestion is high even though traffic from established sessions is transmitted. Other functions could be achieved based on the filter rule as is well known to those skilled in the art.

In order to determine whether a particular rule will operate on a particular packet, a key is tested. The key typically includes selected fields, known collectively as the TCP/IP 5-tuple or just the 5-tuple, extracted from the Internet Protocol (IP) and TCP headers of the packet. The IP and TCP headers typically contain five fields of interest: the source address (SA), the destination address (DA), the source port (SP), the destination port (DP) and the protocol. These fields are typically thirty-two bits, thirty-two bits, sixteen bits, sixteen bits and eight bits, respectively. Rules typically operate on one or more of these fields. For example, based on the source and/or destination addresses, the rule may determine whether a packet from a particular host is allowed to reach a particular destination address.

In addition to the fields of the TCP/IP 5-tuple, the key can also include additional fields that are related to service-level agreements, e.g., Quality of Service (QoS). In particular, the key can include fields for an ingress context and an egress context. A context may refer to a port number, a VLAN number, VPN number, ATM Virtual Circuit Number, or some combination of these and other possible session identification parameters. Thus, filter rules relating to an ingress or egress context also include additional bits (fields) corresponding to the ingress and egress contexts.

In testing a key against a filter rule, it is determined whether the filter rule should be enforced against the packet associated with the key. The key is tested by comparing specified fields for the key of the packet with a range(s) of values defined by the filter rule. Each rule contains a range of values in one or more dimensions. Each dimension corresponds to a field of the key (typically the IP header). One type of filter rule has a range consisting of a single value or a spread of values. In such a case, a "Range-rule" search is performed to determine whether the key exactly matches the value for the rule. Other rules have ranges which can be expressed using a single prefix. The prefix is a binary number containing a number of ones and zeroes (1 or 0), followed by place holders, or wildcards (*). In this case, a "Wildcard-match" is performed to determine whether the rule applies to the packet.

Testing the key against a filter rule can be a tedious and time-consuming procedure, which is multiplied several times over when the number of filter rules increases. In order to expedite this process, a search facility known as a "Software-managed tree" (SMT) search engine is utilized. Generally, the SMT search engine analyzes a collection of filter rules, and based on the rules' conditions, builds a plurality of binary tree structures. Each tree structure is a binary tree that includes a series of hierarchical single bit test nodes and leaf nodes. At each single bit test node, a specified bit of the key is tested, and depending on the value of the test bit, a path is followed, which terminates at a leaf. Each leaf includes a filter rule that includes the rule specification and defines an action to be taken with regard to a packet. The SMT search engine is described in more detail in U.S. Pat. No. 6,298,340, entitled, "SYSTEM AND METHOD AND COMPUTER PROGRAM FOR FILTERING USING TREE STRUCTURE" issued on Oct. 2, 2001, and assigned to the assignee of the present invention.

The SMT search engine enables a search on multiple fields within the key, and within each field, looks for either a pattern under a mask (Wildcard match), or a range specified by a minimum or a maximum (Range-rule), as the criteria for declaring a match. The search engine can utilize standard memory structures resulting in an economical implementation. Nevertheless, utilizing such memory structures presents issues. For example, characteristics of the tree structures contribute to excessive latency in completing the searches and contribute to an inefficient use of storage space. Thus, utilizing standard memory structures, while economical, makes it very difficult to support multi-field classification in an SMT engine.

Current solutions to this issue include utilizing a ternary content addressable memory (TCAM). TCAMs include logic, such as a comparator, for each location. The logic allows the entries of the TCAM to be searched in parallel. Nevertheless, although TCAMs provide high-performance multi-field classification, they also add significant costs to a system.

Accordingly, what is needed is a system and method for providing high-performance multi-field classification utilizing standard memory structures. The system and method should implement an improved search facility that maintains the cost advantage of using standard memory structures, while improving performance to approach that of a more expensive TCAM solution. The present invention addresses such a need.

SUMMARY OF THE INVENTION

The present invention relates to a method and system for managing a plurality of multi-field classification rules. The method includes providing a first table that includes a plurality of entries corresponding to a plurality of rules relating to an ingress context and providing a second table that includes a plurality of entries corresponding to a plurality of rules relating to an egress context. The method also includes utilizing the first table and the second table to identify any rules relating to the ingress context and any rules relating to the egress context that match a search key.

Through aspects of the method and system of the present invention, a direct table of filter rules is partitioned into two tables, one for filter rules relating to an ingress context and another for rules relating to an egress context. The ingress context or the egress context is used as an index into each respective table. By partitioning the filter rules relating to a context in such a manner, the duplication of tree sub-structures is eliminated, thereby reducing the total number of nodes in the binary tree structure. Moreover, the number of nodes that need to be traversed to distinguish among ingress rules and among egress rules is significantly reduced. Accordingly, with the method and system of the present invention, performance levels utilizing standard memory structures approach those in systems utilizing a TCAM.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of computer systems of networks in which the present invention can be used.

FIG. 2 is a diagram of a switch in which the present invention can be used.

FIG. 3 is a block diagram of an SMT binary tree structure.

FIG. 4 is a block diagram of separate ingress and egress binary tree structures according to a preferred embodiment of the present invention.

FIG. 5 is a block diagram illustrating the restructured search key according to a preferred embodiment of the present invention.

FIG. 6 is a flowchart illustrating a method for filtering according to a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention relates to computer systems, and more particularly to a method and system for managing multi-field classification rules related to ingress and egress contexts. The following description is presented to enable one of ordinary skill in the art to make and use the invention and is provided in the context of a patent application and its requirements. Various modifications to the preferred embodiment will be readily apparent to those skilled in the art and the generic principles herein may be applied to other embodiments. For example, although the present invention will be described in the context of filter rules, one of ordinary skill in the art will readily recognize that the method and system can operate effectively for other multi-field classification rules. Likewise, while the present invention is described in the context of a DRAM memory subsystem, one of ordinary skill in the art will readily recognize that the method and system can operate effectively for other types of memory subsystems (e.g., SRAM). Thus, the present invention is not intended to be limited to the embodiment shown, but is to be accorded the widest scope consistent with the principles and features described herein.

FIG. 3 is a block diagram of an SMT binary search tree structure 300. As is shown, the tree structure 300 comprises a plurality of single bit test nodes, referred to as pattern search control block (PSCB) nodes, e.g., 300a-300m, and leaf nodes, e.g., 310f-311m. Although only 13 PSCB nodes and 7 leaf nodes are depicted, those skilled in the art readily appreciate that the tree structure 300 can include fewer than or greater than 13 PSCBs and 7 leafs, and that the tree structure 300 depicted in FIG. 3 is merely illustrative.

The tree structure 300 in FIG. 3 begins with PSCB Node 0 (300a), i.e., PSCB Node 0 (300a) is the root node of the tree structure 300. Typically, root nodes, e.g., 300a, are stored in entries (30x, 30y) of a table, known as a Direct Table 30. Each PSCB node, e.g., 300b, is typically 36 bits and includes a Next Bit to Test (NBT) field 302b and an address field 304b. The NBT field 302b indicates which bit in the key to test. The address field 304b includes a pointer that points to either a pair of PSCB nodes, e.g., 300d, 300e, or a leaf, e.g., 310a.

Pointers that point to PSCBs are referred to as next pattern address (NPA) pointers (e.g., 304b) and pointers that point to a leaf are referred to as leaf control block address (LCBA) pointers (e.g., 306f). For example, the address field 304a for PSCB Node 0 (300a) includes an NPA pointer (304a) to a pair of PSCB nodes, Node 1 (300b) and PSCB Node 2 (300c), which are stored in adjacent address spaces. Which PSCB node (Node 1 (300b) or Node 2 (300c)) to follow depends on the value of the key bit indicated by the NBT field 302a. Inevitably, a PSCB node, e.g., 300f, includes an LCBA pointer 306f that points to a leaf 310a. As stated above, the leaf 310a includes the filter rule that defines the action to be taken with regard to a packet.

Typically, the Direct Table 30 includes entries for all filter rules regardless of whether they are related to ingress contexts (referred to as ingress rules) or egress contexts (referred to as egress rules). This organization, however, presents problems because ingress and egress rules do not generally overlap relative to search key bits used to distinguish one entry from another. For example, in FIG. 3, two (2) ingress rules (IR1 and IR2) and two (2) egress rules (ER1 and ER2) are analyzed. The first bit test, as defined in the NBT field 302a of the DT entry corresponding to Node 0 (300a), determines which one of two PSCB nodes (300b or 300c) is selected, and distinguishes between IR1 and IR2. The test bit, however, is irrelevant as to which egress rule (ER1 or ER2) is valid. Therefore, both egress rules (ER1 and ER2) may still be valid choices regardless of which PSCB node (Node 1 (300b) or Node 2 (300c)) is selected.

From PSCB Node 1 (300b), the NPA 304b points to Node 3 (300d) and Node 4 (300e), where ER1 is distinguished from ER2. Nevertheless, because the test bit (302b) used in this decision is irrelevant to IR1, IR1 may still be a valid choice regardless of which PSCB node (Node 3 (300d) or Node 4 (300e)) is selected. Only at the next level is IR1 distinguished from ER1 and ER2. For instance, from Node 3 (300d), the NPA 304a points to Node 7 (300h) and Node 8 (300i), where IR1 is distinguished from ER1. The test bit (302d) determines which node (300h or 300i) is selected. Node 7 (300h) includes an LCBA pointer 306h to a leaf node 310h including IR1 and Node 8 (300i) includes a pointer 306i to the leaf node 310i including ER1.

From Node 2 (300c), the NPA 304c points to Node 5 (300f) and Node 6 (300g), where IR2 is separated from ER1 and ER2. Node 5 (300f) includes an LCBA pointer 306f to a leaf node 310f including IR2, but Node 6 (300g) does not distinguish ER1 and ER2. Accordingly, Node 6 (300g) includes an NPA pointer 304g to Node 13 (300l) and Node 14 (300m), where ER1 is distinguished from ER2. The test bit 302g in Node 6 (300g) determines which node (300l or 300m) is selected. Node 13 (300l) includes an LCBA pointer 306l to a leaf node 310l including ER1 and Node 14 (300m) includes a pointer 306m to the leaf node 310m including ER2.

For the simple four rule example above, three (3) decision nodes are required in order to resolve the four rules. For any one search, at least two (2) decision nodes (e.g., Node 2 (300c) and Node 5 (300f)) must be traversed. As is shown in FIG. 3, the tree structure 300 requires six node pairs, and a typical search would require traversing three (3) node pairs. Moreover, several PSCB nodes point to the same rule, e.g., Node 7 (300h) and Node 9 (300j) point to leaf nodes (310h, 310j) including IR1. This duplication consumes memory.

Depending on the number of ingress and egress rules and other factors, the SMT tree structure 300 can be much more complex than the tree structure 300 depicted in FIG. 3. Indeed, in practical implementations, hundreds (and even thousands) of rules are managed, thereby increasing the tree structure's complexity exponentially and creating significant storage and performance problems (e.g., excess latency). Accordingly, the existing binary tree structure 300 depicted in FIG. 3 contributes to excessive latency, and also inefficiently utilizes memory.

According to a preferred embodiment of the present invention, a method and system is provided for improving latency and memory utilization by partitioning ingress and egress rules into separate Direct Tables. By separating ingress rules and egress rules, the resulting tree structure for each type of rule is significantly simplified. In particular, sub-tree structures are not duplicated and the number of nodes traversed is greatly reduced. Accordingly, memory utilization and latency are improved.

To describe more fully the method and system of the present invention, please refer to FIG. 4, which is a block diagram of separate ingress and egress binary search tree structures according to a preferred embodiment of the present invention. As is shown, the direct table 30 in FIG. 3 is divided into two separate tables, an ingress context direct table 40 and an egress context direct table 40'. The ingress context direct table 40 includes a plurality of entries (40x, 40y) corresponding to every possible ingress context. Although not shown, the direct table 40 can also include null entries that do not correspond to an ingress context. According to the preferred embodiment of the present invention, each of the plurality of entries comprises a root PSCB node, e.g., Ingress Node 0 (400a), of a small tree structure. The small tree structure includes one or more leaf nodes (410a, 410b), where each leaf, e.g., 410a, is associated with at least one ingress rule. Each PSCB node in the tree structure, including the root (400a), comprises the NBT field 402a and pointer field, as usual. Here, however, each test bit, e.g., 402a, explicitly distinguishes between ingress rules if the pointer field includes an NPA pointer 404a. Accordingly, if two ingress rules (IR1 and IR2) are presented, only one node pair (Ingress Node 1 (400b) and Ingress Node 2 (400c)) is required to distinguish between IR1 and IR2. Notably, none of the sub-tree structures are duplicated. Naturally, if any of the nodes, including the root (400a), includes an LCBA pointer 406b, the node points directly to the leaf node.

Similarly, the egress rule direct table 40' includes a plurality of entries (40x', 40y') corresponding to every possible egress context, as well as null entries (not shown). Each of the plurality of entries includes a root node, e.g., Egress Node 0 (400a'), of a tree structure for at least one egress rule. Similarly, each test bit, e.g., 402a', in an Egress Node, e.g., 400a', explicitly distinguishes between egress rules if the pointer field includes an NPA pointer 404a'. Accordingly, if two egress rules (ER1 and ER2) are presented, only one node pair (Egress Node 1 (400b') and Egress Node 2 (400c')) is required to distinguish between ER1 and ER2. Again, none of the sub-tree structures are duplicated.

The direct table (DT) for either the ingress rules 40 or egress rules 40' is sized according to the number of bits in the context field of the rule. Thus, if the ingress context is 12 bits, the ingress rule DT 40 has 4096 (2^12) entries, where each entry (40x, 40y) defines a small tree structure for distinguishing ingress rules related to a corresponding ingress context.

By providing a separate ingress context DT 40 and egress context DT 40', ingress and egress rules, e.g., IR1, IR2, ER1 and ER2, can be fully distinguished in fewer node pairs. For example, FIG. 4 illustrates that four (4) rules are distinguished in two node pairs, in contrast to the six node pairs depicted in FIG. 3. Fewer nodes need to be traversed to resolve a search for either an ingress rule or egress rule match, thereby reducing latency. Also, none of the sub-tree structures are duplicated, thereby reducing memory consumption. While two searches are required for an ingress/egress rule pair, such searches can be performed in parallel, further minimizing overall latency. Thus, the improvement in performance and savings in memory consumption far outweigh any issues related to performing two parallel searches, particularly when applied to large rule sets. Moreover, because the context can be quite large, e.g., between 16 and 20 bits, resolving those bits in the respective DT (40, 40') rather than one bit at a time in a tree structure (FIG. 3) significantly accelerates the search process.

To further improve performance and reduce memory consumption, the preferred embodiment of the present invention restructures the search key. FIG. 5 is a block diagram illustrating the restructured search key according to a preferred embodiment of the present invention. Typically, as stated above, the key 500 includes the TCP/IP 5-tuple fields 502, e.g., SA, DA, SP, DP and Protocol, and fields for ingress context 504 and egress context 506. According to the preferred embodiment of the present invention, an ingress context key 500' and an egress context key 500'' are constructed from the original key 500. The ingress context key 500' is formed by placing the ingress context 504 at the beginning of the key 500' and removing the egress context 506. The egress context key 500'' is formed similarly except that the egress context 506 is placed at the beginning of the key 500'' and the ingress context 504 is removed.

According to a preferred embodiment of the present invention, the ingress 504 and egress 506 contexts are mapped directly to the ingress context DT 40 and the egress context DT 40', respectively. Thus, the ingress context 504 in the ingress context key 500' is used to index directly into the ingress context DT 40. Likewise, the egress context 506 in the egress context key 500'' is used to access the egress context DT 40'. Indexing directly into the ingress or egress context DT (40, 40') via the respective ingress 504 or egress 506 context significantly accelerates the search process because the context is resolved in the ingress or egress context DT (40, 40').

Moreover, because the ingress 504 or egress 506 context is mapped to the respective direct table (40, 40'), neither context needs to be stored in the rules. Accordingly, specifications corresponding to the ingress context 504 and egress context 506 in a rule definition can be eliminated, thereby reducing the size of the rule definition. Such a reduction allows more capacity for action data or packing multiple rule definitions in a common structure, such as a leaf node. In addition, because the rule definition now has fewer bits, validation is simpler, i.e., a full compare between the rule definition and the key is easier because fewer bits are required, thereby accelerating the search process.

FIG. 6 is a flowchart illustrating a method for filtering according to a preferred embodiment of the present invention. Referring to FIG. 5 and FIG. 6, in step 600, the search engine receives a search command that includes the search key 500. The search key 500 is then used to generate the ingress context key 500' (step 602) and the egress context key 500'' (step 604). The search engine then utilizes the ingress context key 500' to perform a first multi-field classification search from the ingress context DT 40 in step 606. Likewise, the search engine utilizes the egress context key 500'' to perform a second multi-field classification search from the egress context DT 40' in step 608. Because the first and second searches are independent, i.e., there are no interdependences between the two searches, the first and second searches (steps 606 and 608) can be performed in parallel in order to minimize overall latency for completion of the process. The results, i.e., action data corresponding to the rule(s) matching the keys (500' and 500''), from the first and second searches are returned in step 610.
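The flow of FIG. 6 with the split keys of FIG. 5, as an added Python example that is not taken from the patent: each context indexes its own direct table, the PSCB nodes are walked by their NBT fields, and the leaf is validated with a full compare against a rule that stores no context. The 4-bit context width, the IPv4 5-tuple bit layout, the NBT numbering, all function and class names, and the table contents are assumptions made for the illustration.

```python
from dataclasses import dataclass

CTX_BITS = 4        # assumed context width; the text cites 12 and 16-20 bits
TUPLE_BITS = 104    # assumed IPv4 5-tuple: SA 32, DA 32, SP 16, DP 16, Protocol 8

@dataclass
class Leaf:         # rule definition: 5-tuple pattern and action, no context stored
    value: int
    mask: int
    action: str

@dataclass
class PSCB:         # decision node: next bit to test (0 = MSB of 5-tuple), node pair
    nbt: int
    pair: tuple     # (node followed when bit is 0, node followed when bit is 1)

def five_tuple(sa, da, sp, dp, proto):
    return (sa << 72) | (da << 40) | (sp << 24) | (dp << 8) | proto

def split_key(ingress_ctx, egress_ctx, tup):
    # Steps 602/604: own context placed first, the other context removed.
    return (ingress_ctx << TUPLE_BITS) | tup, (egress_ctx << TUPLE_BITS) | tup

def search(direct_table, ctx_key):
    # Steps 606/608: the context indexes the DT, then PSCBs are walked to a leaf.
    ctx, tup = ctx_key >> TUPLE_BITS, ctx_key & ((1 << TUPLE_BITS) - 1)
    node, pairs = direct_table[ctx], 0
    while isinstance(node, PSCB):
        node = node.pair[(tup >> (TUPLE_BITS - 1 - node.nbt)) & 1]
        pairs += 1
    # Full compare: the tree tested only distinguishing bits, so validate the rest.
    if node is not None and (tup & node.mask) == node.value:
        return node.action, pairs
    return None, pairs

def classify(ingress_dt, egress_dt, ingress_ctx, egress_ctx, tup):
    ikey, ekey = split_key(ingress_ctx, egress_ctx, tup)
    return search(ingress_dt, ikey), search(egress_dt, ekey)  # independent searches

def rule(shift, width, val, action):
    return Leaf(val << shift, ((1 << width) - 1) << shift, action)

# Constructed tables: ingress context 3 splits on protocol, egress 5 on dest port.
INGRESS_DT = [None] * (1 << CTX_BITS)
EGRESS_DT = [None] * (1 << CTX_BITS)
INGRESS_DT[3] = PSCB(99, (rule(0, 8, 6, "IR1"), rule(0, 8, 17, "IR2")))
EGRESS_DT[5] = PSCB(95, (rule(8, 16, 22, "ER1"), rule(8, 16, 443, "ER2")))

if __name__ == "__main__":
    pkt = five_tuple(0x0A000001, 0x0A000002, 40000, 443, 6)  # constructed packet
    print(classify(INGRESS_DT, EGRESS_DT, 3, 5, pkt))
```

A packet whose tested bit leads to a leaf it does not actually match (for example protocol 1 reaching the IR1 leaf) returns no action, as does a null direct table entry, so the caller has to define what happens when a search yields no rule.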

A method and system for managing multi-field classification rules related to ingress and egress contexts is disclosed. In a first aspect, the direct table is partitioned into separate ingress context and egress context direct tables for rules relating to ingress and egress contexts respectively. By partitioning the direct table in this manner, the number of nodes needed to fully distinguish ingress or egress rules is significantly reduced and the duplication of sub-tree structures is eliminated. This reduction in the number of nodes simplifies the tree structure and requires less memory to store the tree structure. Moreover, because fewer nodes need to be traversed to resolve the search, the search process is accelerated, thereby improving performance.

According to another aspect, the search key is restructured into two keys, an ingress context key and an egress context key. The ingress context key includes the ingress context at the beginning of the key. The ingress context is used to index directly into the ingress context DT. Likewise, the egress context key is used to index directly into the egress context DT. By using the full context to index directly into the respective DT, the context is resolved in the DT and the search process is accelerated.

Although the present invention has been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations to the embodiments and those variations would be within the spirit and scope of the present invention. Accordingly, many modifications may be made by one of ordinary skill in the art without departing from the spirit and scope of the appended claims.
