Rule conflict detection method and system aimed at large-scale packet classification rule set

A conflict detection and packet classification technology, applied in transmission systems, digital transmission systems, electrical components, etc. It addresses the shortcomings of prior rule conflict detection algorithms: space complexity that cannot meet the requirements, support only for rules represented by prefixes, and too many bit vector operations.

Active Publication Date: 2014-01-15
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT +1

AI Technical Summary

Problems solved by technology

The ASBV algorithm has the following disadvantages: (1) it only supports rules represented by prefixes; (2) it performs too many bit vector operations; (3) its space complexity is too large.
For the DBBV algorithm, adding or deleting a rule also requires adjusting the balanced binary tree, so incremental rule updates are inefficient.
For some applications, such as UTM systems, which coordinate and link multiple security modules, rules are constantly added and deleted, and rule set sizes have grown from thousands to millions of rules; the space complexity of these algorithms cannot meet such requirements.


Embodiment Construction

[0073] The principles and features of the present invention are described below in conjunction with the accompanying drawings, and the examples given are only used to explain the present invention, and are not intended to limit the scope of the present invention.

[0074] According to the prefixes of the source IP component and the destination IP component of a rule, rules are divided into three types: full-prefix rules, non-full-prefix rules and no-prefix rules. When the prefix lengths of the source IP and the destination IP of the parsed rule are both 32, or when one of them is 0 and the other is 32, the rule is classified as a full-prefix rule; when the prefix length of the source IP or the destination IP of the parsed rule is between 1 and 31, the rule is classified as a non-full-prefix rule; when the prefix lengths of the source IP and the destination IP of the parsed rule are both 0, the rule is classified as...


Abstract

The invention relates to a rule conflict detection method and system aimed at a large-scale packet classification rule set. The method includes the first step of receiving and parsing a rule; the second step of dividing the parsed rule into a full-prefix rule, a non-full-prefix rule or a no-prefix rule; the third step of organizing the full-prefix rule set in a source IP and destination IP double-layer hash table HSIP-DIP or in a destination IP hash table H*-DIP and correspondingly adding, deleting or querying the rules in the HSIP-DIP or the H*-DIP; the fourth step of organizing the non-full-prefix rule set in a source IP and destination IP two-dimensional trie TSIP-TDIP and adding, deleting or querying the rules in the TSIP-TDIP; the fifth step of organizing the no-prefix rule set in a linked list L*-* and adding, deleting or querying the rules in the L*-*; and the sixth step of traversing each rule in the HSIP-DIP, the H*-DIP, the TSIP-TDIP and the L*-* as the rule under detection and detecting all rules that conflict with it. The rule conflict detection method and system solve the problem that, in the prior art, rule conflict algorithms have defects.
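The classification in paragraph [0074] and the six-step procedure in the abstract, as an added example that is not the patent's own code. It buckets a constructed rule set by prefix lengths, stores each bucket in a stand-in container (a dict keyed by (src, dst) with '*' for a 0-length side replaces the HSIP-DIP and H*-DIP hash tables; plain lists replace the TSIP-TDIP trie and the L*-* list), and runs the conflict check of step six; the conflict definition (match regions intersect but neither covers the other) is an assumption, since the page does not spell it out.

```python
import ipaddress

# Constructed sample rule set (not from the patent): (id, source, destination, action)
RULES = [
    ("R1", "10.0.0.1/32", "192.168.1.1/32", "deny"),
    ("R2", "0.0.0.0/0",   "192.168.1.1/32", "permit"),
    ("R3", "10.0.0.0/8",  "192.168.1.1/32", "permit"),
    ("R4", "10.1.1.1/32", "192.168.0.0/16", "deny"),
    ("R5", "0.0.0.0/0",   "0.0.0.0/0",      "deny"),
]

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def classify(src, dst):
    """Step two ([0074]): bucket a rule by its source/destination prefix lengths."""
    ls, ld = net(src).prefixlen, net(dst).prefixlen
    if ls == 0 and ld == 0:
        return "no-prefix"        # stored in the L*-* list
    if {ls, ld} <= {0, 32}:
        return "full-prefix"      # stored in the HSIP-DIP / H*-DIP hash tables
    return "non-full-prefix"      # stored in the TSIP-TDIP trie

def organize(rules):
    """Steps three to five, simplified. Assumption: one dict keyed by (src, dst), with
    '*' for a 0-length side, stands in for both hash tables; lists for trie and list."""
    store = {"full-prefix": {}, "non-full-prefix": [], "no-prefix": []}
    for rule in rules:
        cls = classify(rule[1], rule[2])
        if cls == "full-prefix":
            key = tuple("*" if net(c).prefixlen == 0 else c for c in rule[1:3])
            store[cls].setdefault(key, []).append(rule)
        else:
            store[cls].append(rule)
    return store

def covers(a, b):
    """True if rule a's match region contains rule b's on both fields."""
    return net(b[1]).subnet_of(net(a[1])) and net(b[2]).subnet_of(net(a[2]))

def conflicts(rules):
    """Step six: for each rule, the ids of every rule it conflicts with. Assumption:
    conflict = regions intersect but neither covers the other (no order resolves it)."""
    result = {}
    for a in rules:
        result[a[0]] = [b[0] for b in rules if b is not a
                        and net(a[1]).overlaps(net(b[1])) and net(a[2]).overlaps(net(b[2]))
                        and not covers(a, b) and not covers(b, a)]
    return result
```

R2 and R3 each conflict with R4 because the containment runs crosswise (one is narrower on the source, the other on the destination), while R1 and R5 are fully nested inside or around every rule they overlap and so raise no conflict.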

Description

Technical field

[0001] The invention relates to the field of network packet classification, in particular to a rule conflict detection method and system for a large-scale packet classification rule set.

Background technique

[0002] With the evolution of the Internet architecture and the development of Internet applications, the traditional routing technology based on a single IP address field can no longer meet the needs of network services and network security. Packet classification technology, because it can perform fine-grained classification of network traffic based on multiple fields in the packet header (usually source IP address, destination IP address, source port, destination port and protocol number), has been widely used in routers and in various network security devices such as firewalls and security gateways.

[0003] The packet classification technology is realized based on the configuration rule set in the packet classification e...


Application Information

Patent Type & Authority Applications(China)
IPC IPC(8): H04L12/24H04L12/26
Inventor 云晓春陈训逊王东安张晓明张永铮王曦杜飞王勇臧天宁
Owner NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT