Parallel lookup method for high-capacity access control list

Abstract

The invention discloses a parallel lookup method for a high-capacity access control list, and relates to the technical field of communication. The method comprises the following steps: setting the linked list storage structure of the access control list into a bidirectional linked list way, and establishing a structural relation among list items in the access control list; performing flow division on primarily entering data flow by using a multi-core processor to establish a flow table, and meanwhile, looking up an appropriate access control list item to establish correlation between the flow table and the list item of the access control list; acquiring the execution action of the access control list from the table items of the flow table by using subsequently entering data flow. By adopting the parallel lookup method, the matching efficiency of the access control list is increased, the technical bottleneck of the multi-core processor on the function item of the access control list is eliminated, and the resource utilization ratio and the task execution efficiency are increased.

Description

technical field [0001] The invention relates to the technical field of communication, in particular to a method for searching a parallel large-capacity access control list. Background technique [0002] The processing capability of traditional single-core processors is restricted by factors such as main frequency and power consumption, and it is difficult to meet the increasing requirements of network data processing tasks in terms of performance. High-performance multi-core processors can achieve parallel processing in the data processing process, with low network delay and large data throughput, and are widely used in current routers, firewalls and other network devices. [0003] ACL (Access Control List, Access Control List) is one of the methods to solve and improve network security, and it is mostly used in network devices such as routers and firewalls. The access control list is applied to the interface of the network device. When the number of entries reaches a certa...

AI Technical Summary

Problems solved by technology

However, compared with the linear search algorithm, the data structure organization of this algorithm is complex, and the ability to support mask search is weak. At the same time, the operation efficiency of the algorithm is also not high in environments such as parallel search and frequent table item updates. These algorithms are generally only applicable to In a device environment with a single-core processor and a relatively stable table entry structure

[0007] The above search algorithms are suitable for different environments. Each algorithm is suitable for different occasions. It needs to be combined with specific environments to give full play to its performance advantages. However, the network environment where current network devices are located is complex, requiring parallel search and large-capacity tables. Under strict application requirements such as item storage, frequent table item updates, high search speed, and support for mask matching, it is difficult to meet the needs of practical applications simply by applying the above-mentioned traditional algorithms.

At the same time, the data plane of the network device is extremely sensitive to the average number of matching times in the algorithm search process. Doubling the number of matching times may directly reduce the performance of the device by 50%. Therefore, network data devices generally hope to control the number of matching times within 1 to 3 times. It is impossible for any of the above software algorithms to complete and realize in the case of large-capacity entries

Images