214 results about "Packet matching" patented technology

A wireless communication network manages communication resources based on the types of packet data being carried by the network for each mobile station. Packet data for each use is matched to packet matching filters in defined flow type profiles. Each flow type profile corresponds to an expected application behavior and includes one or more resource control parameters having values set with regard to that expected behavior. An application activity profile is generated for each mobile station based on deriving resource control parameters using parameter values corresponding to the active flows for each mobile station. The network determines each mobile station's active flows based on matching that mobile station's packet data types to one or more of the defined flow type profiles. Thus, the network manages communication resources individually and/or jointly for its users based on the type of packet data traffic passing through the network for each of those users.

A network system of the present invention includes a switch and controllers. The switch processes on a received packet in accordance with a flow entry in which are defined a rule and an action. The controllers set the flow entry to a flow table of the switch. The switch assigns a flow table to each controller, searches when receiving a packet from outside for a flow table matching with the packet in all flow tables, ignores a flow entry set by a controller of which a status of connection is invalid among flow entries matching with the packet and processes the packet in accordance with an action of a flow entry set by a controller of which a status of connection is valid.

The invention relates to a method and a device for the multi-core parallel concurrent processing of network traffic flows. The method comprises the following steps: capturing a data pocket from a network; and unpacking the data pocket into a plurality of traffic flows and generating a traffic flow distribution list so that a multi-core processor processes the traffic flows according to the traffic flow distribution list. The method is characterized by also comprising following steps: acquiring the load condition of each processing core; and confirming the active level of each traffic flow after generating the traffic flow distribution list which is changed according to the load conditions and the active levels so as to dynamically distribute the traffic flows. The invention effectively adjusts the load of each processing core and fully utilizes the processing performance of the multi-core processor by dynamically distributing the network traffic flows into a plurality of processing cores.

Disclosed herewith is a communication system, which can solve the following conventional problem that if packets exchanged between a terminal and an HA are encapsulated with use of the mobile IPv6 protocol, the PDSN cannot identify any IP flows in the mobile IPv6 tunnel. Consequently, there is no QoS usable appropriately to the services in the EV-D0 RAN. To solve such a problem, the PCRF notifies the HA of the filter information used to specify each IP flow and the flow label assigned to each IP flow. The HA then sets the flow label in the outer IPv6 header of the packet matching with the filter information and transfers the packet to the object unit. The PDSN then refers to the flow label set in the outer IPv6 header to identify the object IP flow in the mobile IPv6 tunnel. Consequently, a proper QoS can be usable for the services respectively in the EV-D0 RAN.

The invention discloses a physical device and virtual network communication method and system based on an SDN (Software Defined Network). The communication method comprises the following steps that physical device nodes are registered, and virtual node information is synchronized; physical devices which access for the first time are authenticated, thereby enabling the physical devices to access data; a controller issues flow tables to a physical network SDN switch and a virtual network switch and instructs a communication process of the physical devices and virtual machines; the physical devices send request data packets, wherein destination IP addresses and destination MAC addresses are the virtual machines; the physical network SDN switch receives the request data packets from the physical devices, matches the flow tables, packages the request data packets into VXLAN (Virtual Extensible Local Area Network) tunnels and forwards packaged data packets to the virtual network SDN switch corresponding to the virtual machines; and the virtual network SDN switch receives the packaged data packets through utilization of the VXLAN tunnels, matches the flow tables and forwards the request data packets to corresponding interfaces of the virtual machines. According to the method and the system, the physical devices and the virtual machines are located in the same subnetwork, and the access of the physical devices to layer 2 and layer 3 networks through utilization of a virtual network is supported.

A virtual firewall (VFW) notifies a virtual switch (vSwitch) to establish a flow directing policy according to a security policy configured for the VFW. The vSwitch directs a received packet matching the flow directing policy to the VFW according to the flow directing policy. When receiving the packet forwarded from the vSwitch, the VFW performs security processing for the packet according to the security policy, and forwards the processed packet satisfying the security policy to a target virtual machine (VM). The VFW and the vSwitch are established in a same physical machine based on a virtual platform.

A method for a first network to receive a packet from a second network is provided, including a router at the first network receiving the packet from the second network, the packet addressed to a client reachable through the first network; the router inspecting the packet for a nonrepudiable marking provided by the second network; if the nonrepudiable marking is present and matches the packet, adding an indicator pointing to the second network in the packet; adding a second nonrepudiable marking to the packet, and transmitting the packet to a destination; and otherwise, dropping the packet.

A rule engine for a computer network traverses a rule mesh having path nodes and path edges in form of a tree part and a graph part. The rule engine evaluates data packets flowing through a network to determine rules matched for every packet. Subsequent packets having same expression values as an already checked packet are not rechecked against the same nodes in the rule mesh through the use of a session entry. The rule engine performs a search on every path node of rule mesh to determine the next path edge to traverse. A Tree-Id and Rule Confirmation Bitmap that are indicative of path traversed and rules matched by a packet are generated at the end of rule mesh traversal. These are appended in the packet extension for subsequent modules of Policy Agent.

A method for processing data packets in a gateway element comprises the steps of: comparing a data packet to screening information comprising a set of rules, and processing a data packet according to a rule belonging to the set of rules, the header information of said data packet matching the header information of said rule. The method is characterized in that said screening information is hierarchically structured so that it comprises a first rule, which specifies first header information, and a subset of rules relating to said first rule, and in that in said step of comparing a data packet, said data packet is compared to said subset of rules only if the header information of the data packet matches the header information of the first rule. A gateway element, an arrangement, and a data structure comprising screening information are also presented.

The invention discloses a multi-core paralleled network traffic load balancing method and a multi-core paralleled network traffic load balancing system, which can equally share network traffic load on processing cores of a processer according to the actual network loading condition. The system and the method mainly comprises the following steps: matching data packets in a network into the traffic; generating a traffic record according to a traffic spacial mapping mechanism to make the traffic uniformly mapped into an ID space; and according to the network loading condition, dividing the traffic space, and dispatching the traffic load to different processing cores by a dispatching core. The method utilizes the appeared multi-core technology to effectively meet the requirements on parallel processing and dispatching of the data packets and the traffic under high-speed links.

A flow communication system has: a node having a flow table; and a controller configured to set a flow entry in the flow table. Each flow entry that is set in the flow table specifies packet processing which is performed with respect to a packet matching a match condition. If a hit entry exists in the flow table, the node performs the packet processing specified by the hit entry with respect to a received packet. If a deletion condition with regard to a first flow entry in the flow table is satisfied, the node deletes the first flow entry from the flow table. The deletion condition includes that a sum of packet lengths of all the received packets matching the first flow entry after the first flow entry is set up exceeds a predetermined deletion unit length.

An uplink scheduling technique for accessing a priority service from a mobile device (14) via a network access point (13). The access point (13) sends a request for scheduling information (2-2) to the mobile device. The mobile device (14) returns the requested scheduling information (2-4). The access point uses the requested scheduling information to determine (2-6) a filter configured for a priority service which implies better than best-effort scheduling priority for the data packets related to the priority service. The access point sends a scheduling decision (2-7) to the mobile device. The mobile device sends data packets (2-8) to the access point according to the scheduling decision. The access point receives from the mobile device an uplink data packet, the received uplink data packet matching the filter configured for the priority service.

The application provides a security-detection-based data flow obtaining method and apparatus. The method comprises: after a to-be-detected data packet is received, mirror image processing is carried out on the to-be-detected data packet, a mirror image packet is stored into a buffer module, and matching of the to-be-detected data packet and a security detection rule in a rule base is carried out, wherein the security detection rule is used for detecting whether the data packet is a malicious packet; when to-be-detected data packet matches the security detection rule, relevant information of the to-be-detected data packet is obtained, wherein the relevant information includes five-element information; according to the relevant information, a first data flow where the mirror image data packet is located and a context data flow of the first data flow are read from the buffer module. According to the application, a malicious data packet matching the rule, a data flow of location of the malicious data packet, and a context data flow can be obtained; and on the basis of complete attack information provided by the data flows, an accurate analysis result can be obtained.

The present invention provides an internet of things environment large data-based information safety monitoring and managing method and system. The method comprises the steps of configuring the filtering rules, and establishing the mapping relation of the condition and the rule RULE_ID in a Hash table corresponding to each rule; analyzing the data packets uploaded by a plurality of environment monitoring devices, and extracting a plurality of keywords of the data in the data packets; generating each keyword into a Hash, and searching the Hash tables of the corresponding keywords to obtain thesearch result corresponding to the keywords; after all keywords are searched, obtaining a plurality of RULE_ID bitmaps, and carrying out the AND operation on the plurality of RULE_ID bitmaps to obtainthe final results matching the whole data packets; determining a final matching rule, and then outputting the corresponding data messages according to the filtering rules. According to the present invention, a cloud processing technology is utilized in a cloud data center to filter the environment index data, the performances of a multi-core processor are utilized fully, the real-time data filtering of high performance is realized, and the data safety is guaranteed.

The invention discloses a method for classifying data packets. The method comprises preprocessing a rule set by a CPU and classifying data packets by a GPU. The preprocessing is executed before the data packet classification, preprocesses the rule set in order that subsequent packet classification can be operated, and is completed in the CPU. The data packet classification is the core of the method, classifies the data packets, and outputs rule numbers with the highest priority and matching the data packets, and is completed in the GPU. The method fully utilizes the hardware features and advantages of the GPU and is superior to a conventional data packet classifying algorithm in performance.

The invention discloses a SDN-based security service chain system. The system comprises a control plane, flow classification nodes, service nodes and a service chain. The control plane mainly comprises core control components of the SDN service chain that are a SDN controller and an OpenFlow 1.3 switch. The SDN controller creates a service chain according to user requirements and deploys service logics of each service node on the service chain. The controller sends the characteristics of user messages that need to be processed in the service chain to the OpenFlow 1.3 switch. The OpenFlow 1.3 switch introduces data messages into the service chain according to the corresponding message characteristics. The invention also discloses a packet matching and forwarding method of the SDN-based security service chain system. The network service chain is constructed and deployed based on SDN technology, and the linkage between network visualization and service chain is realized through the feedback of information. Therefore, in the case of massive data and multi-service nodes, the method has high data forwarding efficiency and low processing time to improve network monitoring efficiency. Theinvention designs a SDN-based service chain architecture and provides a matching and forwarding process of the service chain data packets based on the architecture.

A policy control method and system are disclosed. The method includes: a 3rd Generation Partnership Project (3GPP) network entity sending outer IP packet header information to a Broadband Forum (BBF) access network entity; and the BBF access network entity scheduling a data packet matching the outer IP packet header information according to a Differentiated Services Code Point (DSCP) of the data packet. With the above technical scheme, service data flows without going through admission control will not occupy resources of other service data flows going through the admission control.

The invention discloses a switch system based on a service function chain. For the problems that a switch node data plane is fixed, the function expansibility is bad and the resource is over-configured, a flexible network processing function is provided for a data packet in a network function pool way by separating a non-general function from a line card. The data packet is divided into differenttypes by a classifier through a matching rule, for the data packet needing the non-general network function processing, the network function instance (non-general network function) needing to be processed is found in a network function instance list of a flow table according to a data packet matching domain, and the processing is performed by a service function chain composed of corresponding different network functions in the network function pool. Compared with the traditional switch system, P4 architecture and like existing research techniques, the switch system disclosed by the invention has the following advantages: the high-level network function is supported, the data traffic processing rule can be flexibly extended, the change is dynamic, the resource utilization efficiency is improved, and the capital expenditure and the operation cost are reduced.

The present application provides a method and an apparatus for configuring and delivering a flow table entry. The method comprises: a switch sending, to a controller, a request message for requesting delivering a flow table entry, the request message carrying a to-be-forwarded data packet; after the controller receives the request message, the controller generating all flow table entries matching the to-be-forwarded data packet, and returning, to the switch, a response message carrying all the flow table entries matching the to-be-forwarded data packet; after then switch receives the response message, the switch extracting all the flow table entries matching the to-be-forwarded data packet from the response message; and aggregating all the extracted flow table entries into flow table entries of a hardware layer, and when the switch supports the flow table entries of the hardware layer, the switch configuring the flow table entries of the hardware layer into a flow table of the hardware layer. The method and the apparatus for configuring and delivering a flow table entry in the present application can shorten the time of configuring flow table entries of a hardware layer into a flow table of the hardware layer, can shorten the delay of forwarding the data packets, and can reduce the number of lost packets of the data packets.