摘要:
A method may include counting the number of times each of a plurality of entries in a content addressable memory (CAM) matches one or more searches; grouping entries in the CAM into a first subset and a second subset based on the number of times each of the plurality of entries in the CAM matches one or more searches; and searching the first subset for a matching entry and, if no matching entry is found, searching the second subset for the matching entry.
摘要:
A method may include counting the number of times each of a plurality of entries in a content addressable memory (CAM) matches one or more searches; grouping entries in the CAM into a first subset and a second subset based on the number of times each of the plurality of entries in the CAM matches one or more searches; and searching the first subset for a matching entry and, if no matching entry is found, searching the second subset for the matching entry.
摘要:
A method may include counting the number of times each of a plurality of entries in a content addressable memory (CAM) matches one or more searches; grouping entries in the CAM into a first subset and a second subset based on the number of times each of the plurality of entries in the CAM matches one or more searches; and searching the first subset for a matching entry and, if no matching entry is found, searching the second subset for the matching entry.
摘要:
Methods for performing packet classification via prefix pair bit vectors. Unique prefix pairs in an access control list (ACL) are identified, with each prefix pair comprising a unique combination of a source prefix and a destination prefix. Corresponding prefix pair bit vectors (PPBVs) are defined for each unique source prefix and unique destination prefix in the ACL, with each PPBV including a string of bits and each bit position in the string associated with a corresponding prefix pair. A list of transport field value combinations are associated with each prefix pair based on corresponding entries in the ACL. During packet-processing operations, PPBV lookups are made using the source and destination prefix header values, and the PPBVs are logically ANDed to identify applicable prefix pairs. A search is then performed on transport field value combinations corresponding to the prefix pairs and the packet header to identify a highest priority rule.
摘要:
Methods for performing packet classification via partitioned bit vectors. Rules in an access control list (ACL) are partitioned into a plurality of partitions, wherein each partition is defined by a meta-rule comprising a set of filter dimension ranges and/or values covering the rules in that partition. Filter data structures comprising rule bit vectors are then built, each including multiple filter entries defining packet header filter criteria corresponding to one or more filter dimensions. Partition bit vectors identifying, for each filter entry, any partition having a meta-rule defining a filter dimension range or value that covers that entry's packet header filter criteria are also generated and stored in a corresponding data structure.
摘要:
Methods for performing packet classification. In one embodiment, packets are classified using a rule bit vector optimization scheme, wherein original rule bit vectors in recursive flow classification (RFC) chunks are optimized by removing useless bits that have no effect on the ultimate rule identified by an associated RFC lookup process. The unique optimized rule bit vectors for associated chunks are then cross-producted to produce an optimized downstream chunk. In another embodiment, a rule database splitting scheme is employed. Under this technique, split criteria is defined to split a rule database, such as splitting based on a particular field value or range. A respective set of downstream chunks is then generated for each partition, beginning with the chunks in a split phase. The applicable rule bit vectors for the chunks associated with a common group and partition are identified, and then unique applicable rule bit vectors for those chunks are cross-producted to produce downstream chunks.
摘要:
Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.
摘要:
Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.