1. Signature checking using deterministic finite state machines
    Granted invention patent (in force)

    Publication number: US08331404B2
    Publication date: 2012-12-11
    Application number: US11923869
    Filing date: 2007-10-25
    IPC classification: H04J1/02

    Abstract: The occurrence of false positives and the post-processing of digital streams subjected to examination by a deterministic finite state machine for character strings are reduced by combining location-based pattern matching, e.g. on packet headers, and content-based pattern matching, e.g. on payloads of packets. One scheme allows automatic transition from a header match state into an initial state of a content matching machine. Another scheme is based on a rules graph defining strings of match states and the examination of a list of match states (rather than characters) which have been previously determined, for example by means of header matching and content matching. The latter is also capable of comparing offset and depth values associated with the match states with offset and depth criteria.

2. Content addressable memory organized to share entries between different entities such as ports of a network unit
    Granted invention patent (in force)

    Publication number: US07480300B2
    Publication date: 2009-01-20
    Application number: US11064258
    Filing date: 2005-02-22
    IPC classification: H04L12/28 G06F7/04

    Abstract: A content addressable memory stores entries each comprising a rule and, as part of the entry, a mask identifying all the entities to which the rule is applicable. A search pattern of data and a bit mask identifying the actual entity (or entities) associated with the data is applied as a search word along with a comparison mask that excludes all the other entities from the comparison of the search word with the entry. The CAM can thereby store efficiently in a single entry a rule that may be applicable to some but not all of a multiplicity of entities such as possible ingress ports of a network unit.

3. Packet diversion in switching fabrics and multiple forwarding instructions for packets
    Granted invention patent (in force)

    Publication number: US08081630B2
    Publication date: 2011-12-20
    Application number: US11121192
    Filing date: 2005-05-03
    IPC classification: H04L12/56

    Abstract: A cascade system of network units includes forwarding units which have external ports, a communication fabric connecting the units and at least one processing unit which needs no forwarding database. The processing unit may perform a security operation such as intrusion prevention or encryption. Each forwarding unit, on receipt of a packet, performs a look-up to determine an egress port, to determine whether the packet must be diverted to a processing unit, to provide the packet with a first forwarding instruction identifying the egress port uniquely within the system and a second forwarding instruction identifying a diversion port by which the packet can reach the processing unit, and to set an order field which determines which of the forwarding instructions shall be performed first. The processing unit is operative, on receipt of the packet by way of the diversion port, to change the order field to specify that the packet should now be sent to the egress port.

4. Rules engine for access control lists in network units
    Granted invention patent (in force)

    Publication number: US07480299B2
    Publication date: 2009-01-20
    Application number: US11064227
    Filing date: 2005-02-22
    IPC classification: H04L12/28 G06F7/04

    Abstract: A rules engine for the examination of selected fields in an addressed data packet has an access control list table of which the entries each define an access control list rule, an action and a chain identifier. The access control list rule may be a basic rule which refers to network addresses and transport layer port numbers. The rules engine also has an extension rule table of which the entries each define an extension rule, a respective action and a respective rule identifier. The extension rule may refer to a particular TCP flag. When a packet arrives, the engine searches both tables. This search is made independently of the ordinary network layer or link layer address lookup. If there is a match in both tables, and the chain identifier matches the extension rule identifier, the rules engine prescribes the action associated with the extension rule. If the chain identifier of a matched access control list rule does not match a rule identifier of a matched extension rule, the rules engine prescribes the action associated with the basic rule. In the absence of a match with any access control list rule, the action on a packet is based on the result from the ordinary address lookup.

5. CASCADE SYSTEM FOR NETWORK UNITS
    Invention patent application (in force)

    Publication number: US20080037531A1
    Publication date: 2008-02-14
    Application number: US11857512
    Filing date: 2007-09-19
    IPC classification: H04L12/50
    CPC classification: H04L12/433

    Abstract: A network stack includes a plurality of network units, each of which includes a multiplicity of ports for receiving and forwarding addressed data packets, at least two cascade ports and a switching engine for forwarding received packets to at least one port in accordance with address data in the packets, and a cascade connection including, for each of two opposite directions around the stack, at least one unidirectional path for data packets composed of links each between a respective cascade port on a network unit and a corresponding cascade port on the next network unit.

6. SIGNATURE CHECKING USING DETERMINISTIC FINITE STATE MACHINES
    Invention patent application (in force)

    Publication number: US20080101371A1
    Publication date: 2008-05-01
    Application number: US11923869
    Filing date: 2007-10-25
    IPC classification: H04L12/56

    Abstract: The occurrence of false positives and the post-processing of digital streams subjected to examination by a deterministic finite state machine for character strings are reduced by combining location-based pattern matching, e.g. on packet headers, and content-based pattern matching, e.g. on payloads of packets. One scheme allows automatic transition from a header match state into an initial state of a content matching machine. Another scheme is based on a rules graph defining strings of match states and the examination of a list of match states (rather than characters) which have been previously determined, for example by means of header matching and content matching. The latter is also capable of comparing offset and depth values associated with the match states with offset and depth criteria.

7. Cascade system for network units
    Granted invention patent (in force)

    Publication number: US08879444B2
    Publication date: 2014-11-04
    Application number: US13526251
    Filing date: 2012-06-18
    IPC classification: H04B7/00 H04L12/433
    CPC classification: H04L12/433

    Abstract: In one embodiment, a method is described for detecting an operational failure between the network unit and an adjacent network unit in the stack; controlling the switching engine to redirect packets which would otherwise be sent from a particular port to the adjacent network unit so that they are forwarded from another port to a different network unit in the stack; and entering the switching engine into a bypass mode in response to control data indicating an operational failure between at least two other network units in the stack, to cause packets to be forwarded without being redirected by the switching engine.

8. Network units for use in and organisation of cascade systems
    Granted invention patent (in force)

    Publication number: US07522589B2
    Publication date: 2009-04-21
    Application number: US10337299
    Filing date: 2003-01-07
    IPC classification: H04L12/28

    Abstract: A multi-port network unit for use in a cascade system of network units sends from a cascade port a packet including a special header having a source port ID, a destination port ID and a ‘destination port known’ field. The port IDs identify both a unit and a port within a unit. A routing database is set up, optionally by a discovery protocol, in terms of ports and either destination units (within the cascade) or source units (within the cascade). The database includes a mesh table indicating from which cascade port a packet with a known destination port ID should be forwarded, without needing a fresh look-up. The database also includes a multicast exclusion table which allows ingress of packets with source unit IDs matched to an ingress port. The scheme allows a general mesh type of cascade while dynamically preventing closed loops.

9. Cascade control system for network units
    Granted invention patent (in force)

    Publication number: US07167441B2
    Publication date: 2007-01-23
    Application number: US10067965
    Filing date: 2002-02-08
    IPC classification: H04L12/28 H04L12/56 H04J3/00
    CPC classification: H04L12/433

    Abstract: Cascade control logic for use in a switch or other network unit that can be used in a cascaded stack can normally maintain a point-to-point half-duplex connection for control data with each of the next preceding and next succeeding units in the cascade. Each cascade logic device is organised so that for one direction, conveniently called the up direction, a device is a master and in the other direction the device is a slave in respect of the control path. A control device will generate master control frames in the up direction and deliver slave control frames in the down direction. The control device is organised so that, in the absence of reception of valid control frames on a control link, control data which would otherwise be sent out on that link is looped back within the control device. In this manner the control device can maintain under normal circumstances two virtual control channels which can ‘self-heal’ notwithstanding the failure or powering-down of a unit in the cascade. Status information represented by the control frames can be used to control a switching engine to provide self-healing of the data path in the cascade.

10. CASCADE SYSTEM FOR NETWORK UNITS
    Invention patent application (in force)

    Publication number: US20120314564A1
    Publication date: 2012-12-13
    Application number: US13526251
    Filing date: 2012-06-18
    IPC classification: H04L12/24 H04L12/56
    CPC classification: H04L12/433

    Abstract: In one embodiment, a method is described for detecting an operational failure between the network unit and an adjacent network unit in the stack; controlling the switching engine to redirect packets which would otherwise be sent from a particular port to the adjacent network unit so that they are forwarded from another port to a different network unit in the stack; and entering the switching engine into a bypass mode in response to control data indicating an operational failure between at least two other network units in the stack, to cause packets to be forwarded without being redirected by the switching engine.