Abstract: A method and apparatus for comparing a search key with a plurality of rules of an access control list (ACL) stored in a plurality of content addressable memory (CAM) blocks of a content search system are disclosed. The search key is compared with a plurality of covering prefix entries stored in a covering prefix table, wherein a respective covering prefix entry includes first and second common prefix values. The first common prefix value is shared by all of the rules stored in a first of the CAM blocks, and the second common prefix value is shared by all of the rules stored in a second of the CAM blocks. A bitmap associated with a matching covering prefix entry selectively enables a subset of the CAM blocks for comparison with the search key to determine the highest priority matching rule.

Abstract: Methods, systems, and computer readable storage medium embodiments for configuring a lookup table, such as an access control list (ACL) for a network device are disclosed. Aspects of these embodiments include storing a plurality of data entries in a memory, each of the stored plurality of data entries including a header part and a body part, and encoding each of a plurality of bit-sequences in the header part of a stored data entry from the plurality of data entries to indicate a bit comparing action associated with a respective bit sequence in the body part of the stored data entry. Other embodiments include searching a lookup table in a network device.

Abstract: A content addressable memory (CAM)-based search engine is disclosed that reduces power consumption during a plurality of different search operations concurrently performed in a plurality of device pipelines by selectively applying one of a number of different power reduction techniques for each pipeline in response to configuration data indicating the type of search operation that is being performed in the pipeline.

Abstract: A content search system for determining whether an input string matches one or more of a number of patterns embodied by a deterministic finite automaton (DFA) includes a plurality of DFA engines that simultaneously compare sequential overlapping segments of the input string. The overlap region shared by adjacent pairs of input string segments is of a predetermined size. Initially, the first DFA engine is designated as the master engine, and the remaining DFA engines are designated as slave engines whose state results are speculative. Resolution logic compares the state results of the master engine with the state results of the adjacent slave engine to selectively validate the state results of the successor engine, which upon validation becomes the new master engine.

Abstract: A content addressable memory (CAM) device to dynamically reduces power consumption between a search key and data stored in a plurality of CAM blocks by selectively disabling a number of CAM blocks, requested for the search operation by an external network processor, based upon the contents of the search key.

Abstract: A content search system for determining whether an input string matches one or more rules includes a parser, a rules database, and a search engine. The parser, which has an input to receive the input string, is to extract one or more selected portions of the input string to form a filtered input string, and is to generate a rule select signal in response to the selected portions of the input string. The rules database stores a plurality of sets of rules. The search engine is to compare the filtered input string with a selected set of rules selected in response to the rule select signal.

Abstract: A content search system includes multiple pipelined search engines that implement different portions of a regular expression search operations. For some embodiments, the search pipeline includes a DFA engine, an NFA engine, and a token stitcher that combines partial match results generated by the DFA and NFA engines in a manner that prevents either engine from becoming a bottleneck. In addition, the token stitcher can be configured to implement unbounded sub-expressions without utilizing resources of the DFA or NFA engines.

Abstract: A CAM-based search engine is disclosed that reduces power consumption during a plurality of different search operations concurrently performed in a plurality of device pipelines by selectively applying one of a number of different power reduction techniques for each pipeline in response to configuration data indicating the type of search operation that is being performed in the pipeline.

Abstract: A content search system includes multiple pipelined search engines that implement different portions of a regular expression search operation. For some embodiments, the search pipeline includes a DFA engine, an NFA engine, and a token stitcher that combines partial match results generated by the DFA and NFA engines. The token stitcher can be configured to implement unbounded sub-expressions without utilizing resources of the DFA or NFA engines. A token stitcher may comprise an input line for receiving tokens that indicate a partial match between an input string and a regular expression, a flag bank that stores flags which, when activated, identify one or more of the sub-expressions that match the input string, a program memory that stores programs that each comprises instructions for processing tokens, and an engine configured to identify programs that are associated with a newly received token.

Abstract: A content search system includes multiple pipelined search engines that implement different portions of a regular expression search operation. For some embodiments, the search pipeline includes a DFA engine, an NFA engine, and a token stitcher that combines partial match results generated by the DFA and NFA engines. The token stitcher can be configured to implement unbounded sub-expressions without utilizing resources of the DFA or NFA engines. The token stitcher may comprise a flag bank for storing a number of flags. Each flag may identify a sub-expression that matches the input string. The flag bank may be configured to discard one or more flags upon satisfaction of a predetermined condition for purposes of recapturing hardware resources to provide a certain level of performance.

Abstract: Methods, systems, and computer readable storage medium embodiments for configuring a lookup table for a network device are disclosed. Aspects in these embodiments include generating a decision tree based upon bit representations of respective data entries from a plurality of data entries where one or more of the plurality of data entries are represented at respective nodes of the decision tree, storing a first bit pattern corresponding to a selected node from the decision tree in a content addressable memory (CAM) at a location associated with an index, and storing one or more second bit patterns at an address in a second memory. The one or more second hit patterns correspond to the one or more data entries represented at the selected node, and the address is associated with the index. Embodiments also include searching a lookup table in a network device.

Abstract: Methods, systems, and computer readable storage medium embodiments for configuring a lookup table, such as an access control list (ACL) for a network device are disclosed. Aspects of these embodiments include storing a plurality of data entries in a memory, each of the stored plurality of data entries including a header part and a body part, and encoding each of a plurality of bit-sequences in the header part of a stored data entry from the plurality of data entries to indicate a bit comparing action associated with a respective bit sequence in the body part of the stored data entry. Other embodiments include searching a lookup table in a network device.

Abstract: A computer-implemented method for classifying received packets using a hardware cache of evolving rules and a software cache having an original rule set. The method including receiving a packet, processing the received packet through a hardware-based packet classifier having at least one evolving rule to identify at least one cache miss packet, and processing the cache miss packet through a software based packet classifier including an original rule set. Processing the cache miss packet includes determining whether to expand at least one of the at least one evolving rules in the hardware-based packet classifier based on the cache miss packet. The determination includes determining whether an evolving rule has both the same action and lies entirely within one of the rule of the original rule set.

Abstract: Deterministic finite automata (DFAs) are popular solutions to deep packet inspection because they are fast and DFAs corresponding to multiple signatures are combinable into a single DFA. Combining such DFAs causes an explosive increase in memory usage. Extended finite automata (XFAs) are an alternative to DFAs that avoids state-space explosion problems. XFAs extend DFAs with a few bytes of “scratch memory” used to store bits and other data structures that record progress. Simple programs associated with automaton states and/or transitions manipulate this scratch memory. XFAs are deterministic in their operation, are equivalent to DFAs in expressiveness, and require no custom hardware support. Fully functional prototype XFA implementations show that, for most signature sets, XFAs are at least 10,000 times smaller than the DFA matching all signatures. XFAs are 10 times smaller and 5 times faster or 5 times smaller and 20 times faster than systems using multiple DFAs.

Abstract: An architecture for a specialized electronic computer for high-speed data lookup employs a set of tiles each with independent processors and lookup memory portions. The tiles may be programmed to interconnect to form different memory topologies optimized for the particular task.

Abstract: An architecture for a specialized electronic computer for high-speed data lookup employs a set of tiles each with independent processors and lookup memory portions. The tiles may be programmed to interconnect to form different memory topologies optimized for the particular task.

Abstract: A computer-implemented method for classifying received packets using a hardware cache of evolving rules and a software cache having an original rule set. The method including receiving a packet, processing the received packet through a hardware-based packet classifier having at least one evolving rule to identify at least one cache miss packet, and processing the cache miss packet through a software based packet classifier including an original rule set. Processing the cache miss packet includes determining whether to expand at least one of the at least one evolving rules in the hardware-based packet classifier based on the cache miss packet. The determination includes determining whether an evolving rule has both the same action and lies entirely within one of the rule of the original rule set.

Abstract: Deterministic finite automata (DFAs) are popular solutions to deep packet inspection because they are fast and DFAs corresponding to multiple signatures are combinable into a single DFA. Combining such DFAs causes an explosive increase in memory usage. Extended finite automata (XFAs) are an alternative to DFAs that avoids state-space explosion problems. XFAs extend DFAs with a few bytes of “scratch memory” used to store bits and other data structures that record progress. Simple programs associated with automaton states and/or transitions manipulate this scratch memory. XFAs are deterministic in their operation, are equivalent to DFAs in expressiveness, and require no custom hardware support. Fully functional prototype XFA implementations show that, for most signature sets, XFAs are at least 10,000 times smaller than the DFA matching all signatures. XFAs are 10 times smaller and 5 times faster or 5 times smaller and 20 times faster than systems using multiple DFAs.

Abstract: Super-user privileges are virtualized by designating a virtual super-user for each of a plurality of virtual processes and intercepting system calls for which actual super-user privileges are required, which are nevertheless desirable for a virtual super-user to perform in the context of his or her own virtual process. In one embodiment, a computer operating system includes multiple virtual processes, such as virtual private servers. Each virtual process can be associated with one or more virtual super-users. When an actual process makes a system call that requires actual super-user privileges, the call is intercepted by a system call wrapper.

Abstract: Super-user privileges are virtualized by designating a virtual super-user for each of a plurality of virtual processes and intercepting system calls for which actual super-user privileges are required, which are nevertheless desirable for a virtual super-user to perform in the context of his or her own virtual process. In one embodiment, a computer operating system includes multiple virtual processes, such as virtual private servers. Each virtual process can be associated with one or more virtual super-users. When an actual process makes a system call that requires actual super-user privileges, the call is intercepted by a system call wrapper.