Abstract: A root node of a decision tree data structure may cover all values of a search space used for packet classification. The search space may include a plurality of rules, the plurality of rules having at least one field. The decision tree data structure may include a plurality of nodes, the plurality of nodes including a subset of the plurality of rules. Scope in the decision tree data structure may be based on comparing a portion of the search space covered by a node to a portion of the search space covered by the node's rules. Scope in the decision tree data structure may be used to identify whether or not a compilation operation may be unproductive. By identifying an unproductive compilation operation it may be avoided, thereby improving compiler efficiency as the unproductive compilation operation may be time-consuming.

Abstract: A system, apparatus, and method are provided for receiving one or more incremental updates including adding, deleting, or modifying rules of a Rule Compiled Data Structure (RCDS) used for packet classification. Embodiments disclosed herein may employ at least one heuristic for maintaining quality of the RCDS. At a given one of the one or more incremental updates received, a section of the RCDS may be identified and recompilation of the identified section may be triggered, altering the RCDS shape or depth in a manner detected by the at least one heuristic employed. The at least one heuristic employed enables performance and functionality of an active search process using the RCDS to be improved by advantageously determining when and where to recompile one or more sections of the RCDS being searched.

Abstract: A system, apparatus, and method are provided for adding, deleting, and modifying rules in one update from the perspective of an active search process for packet classification. While a search processor searches for one or more rules that match keys generated from received packets, there is a need to add, delete, or modify rules. By organizing a plurality incremental updates for adding, deleting, or modifying rules into a batch update, several operations for incorporating the incremental updates may be made more efficient by minimizing a number of updates required.

Abstract: A packet classification system, methods, and corresponding apparatus are provided for enabling packet classification. A processor of a routing appliance coupled to a network compiles data structures to process keys associated with a particular block mask register (BMR) of a plurality of BMRs. For each BMR of the plurality of BMRs, the processor identifies at least one of or a combination of: i) at least a portion of a field of a plurality of rules and ii) a subset of fields of the plurality of fields to be masked. The processor also builds at least one data structure used to traverse a plurality of rules based on the identified at least one of or a combination of: i) at least a portion of a field of a plurality of rules and ii) a subset of fields of the plurality of fields to be masked.

Abstract: A packet classification system, methods, and corresponding apparatus are provided for enabling packet classification. A processor of a security appliance coupled to a network uses a classifier table having a plurality of rules, the plurality of rules having at least one field, to build a decision tree structure including a plurality of nodes, the plurality of nodes including a subset of the plurality of rules. The plurality of nodes may be stride nodes, mask nodes, or a combination thereof. A mask node may remove restrictions of stride nodes, such as markers and consumption of contiguous bits. As long as a bit of a field is a non-consumed bit, the bit may be used for cutting a field in a mask node. An advantage of a mask node is that the mask node may consume fewer resources (e.g., memory) than a stride node.

Abstract: A packet classification system, methods, and apparatus are provided for packet classification. A processor of a router coupled to a network compiles at least one search tree based on a rules set. The processor determines an x number of search phases needed to process an incoming key corresponding to the rules set, wherein the rules set includes a plurality of rules, where each of the plurality of rules includes an n number of rule fields and where the incoming key includes an n number of processing fields. The processor generates an x set of search trees, where each of the x set of search trees corresponds to a respective one of the x number of search phases. Also, the processor provides the x set of search trees to a search processor, where each of the x set of search trees is configured to process respective portions of the incoming key.

Abstract: A root node of a decision tree data structure may cover all values of a search space used for packet classification. The search space may include a plurality of rules, the plurality of rules having at least one field. The decision tree data structure may include a plurality of nodes, the plurality of nodes including a subset of the plurality of rules. Scope in the decision tree data structure may be based on comparing a portion of the search space covered by a node to a portion of the search space covered by the node's rules. Scope in the decision tree data structure may be used to identify whether or not a compilation operation may be unproductive. By identifying an unproductive compilation operation it may be avoided, thereby improving compiler efficiency as the unproductive compilation operation may be time-consuming.

Abstract: A method and corresponding system for providing a skip group rule feature is disclosed. When a search for a key matches a skip group rule in a group of prioritized rules, the search skips over rules having priorities lower than the skip group rule and the search continues to a next group. A convenient example of a compiler rewrites the lower priority rules by subtracting the skip group rule from them. The subtraction includes subtracting range, exact-match, mask, and prefix fields. The rewritten rules appear to a search processor as typical rules. Beneficially, the search processor requires no additional logic to process a skip group rule, skip over lower priority rules, and go on to search a next group of rules. Advantageously, this approach enables any number of skip group rules to be defined allowing for better classification of network data.

Abstract: A packet classification system, methods, and apparatus are provided for packet classification. A processor of a router coupled to a network processes data packets received from a network. The processor creates a request key using information extracted from a packet. The processor splits the request key into an n number of partial request keys if at least one predetermined criterion is met. The processor also sends a non-final request that includes an i-th partial request key to a corresponding search table of an n number of search tables, wherein i<n. Further, the processor receives a non-final search result from the corresponding search table. The processor sends a final request that includes an n-th partial request key and the non-final search result. The processor receives a final search result from the corresponding search table and processing the packet based on processing data included in the final search result.

Abstract: A packet classification system, apparatus, and corresponding apparatus are provided for enabling packet classification. A processor of a security appliance coupled to a network uses a classifier table having a plurality of rules, the plurality of rules having at least one field, to build a decision tree structure for packet classification. Duplication in the decision tree may be identified, producing a wider, shallower decision tree that may result in shorter search times with reduced memory requirements for storing the decision tree. A number of operations needed to identify duplication in the decision tree may be reduced, thereby increasing speed and efficiency of a compiler building the decision tree.

Abstract: A root node of a decision tree data structure may cover all values of a search space used for packet classification. The search space may include a plurality of rules, the plurality of rules having at least one field. The decision tree data structure may include a plurality of nodes, the plurality of nodes including a subset of the plurality of rules. Scope in the decision tree data structure may be based on comparing a portion of the search space covered by a node to a portion of the search space covered by the node's rules. Scope in the decision tree data structure may be used to identify whether or not a compilation operation may be unproductive. By identifying an unproductive compilation operation it may be avoided, thereby improving compiler efficiency as the unproductive compilation operation may be time-consuming.

Abstract: A packet classification system, methods, and corresponding apparatus are provided for enabling packet classification. A processor of a security appliance coupled to a network uses a classifier table having a plurality of rules, the plurality of rules having at least one field, to build a decision tree structure including a plurality of nodes, the plurality of nodes including a subset of the plurality of rules. The methods may produce wider, shallower trees that result in shorter search times and reduced memory requirements for storing the trees.

Abstract: A system, apparatus, and method are provided for modifying rules in-place atomically from the perspective of an active search process using the rules for packet classification. A rule may be modified in-place by updating a rule's definition to be an intersection of an original and new definition. The rule's definition may be further updated to the rule's new definition and a decision tree may be updated based on the rule's new definition. While a search processor searches for one or more rules that match keys generated from received packets the in-place rule modification prevents periods of incorrect rule matching of the keys thereby preventing packet loss and preserving throughput.

Abstract: A system, apparatus, and method are provided for adding, deleting, and modifying rules in one update from the perspective of an active search process for packet classification. While a search processor searches for one or more rules that match keys generated from received packets, there is a need to add, delete, or modify rules. By adding, deleting, and modifying rules in one update from the perspective of an active search process for packet classification, performance and functionality of the active search process may be maintained, thereby preventing packet loss and preserving throughput.

Abstract: An approach is provided in which a resolution manager stores a machine-readable problem, which includes a problem signature, and a human-readable solution in a document. The resolution manager receives an output file from a computer system and matches an output entry included in the output file to the problem signature. In turn, the resolution manager identifies the human-readable solution corresponding to the matched problem signature and provides the identified human-readable solution to the computer system.

Abstract: A packet classification system, methods, and corresponding apparatus are provided for enabling packet classification. A processor of a routing appliance coupled to a network compiles data structures to process keys associated with a particular block mask register (BMR) of a plurality of BMRs. For each BMR of the plurality of BMRs, the processor identifies at least one of or a combination of: i) at least a portion of a field of a plurality of rules and ii) a subset of fields of the plurality of fields to be masked. The processor also builds at least one data structure used to traverse a plurality of rules based on the identified at least one of or a combination of: i) at least a portion of a field of a plurality of rules and ii) a subset of fields of the plurality of fields to be masked.

Abstract: A packet classification system, methods, and apparatus are provided for packet classification. A processor of a router coupled to a network compiles at least one search tree based on a rules set. The processor determines an x number of search phases needed to process an incoming key corresponding to the rules set, wherein the rules set includes a plurality of rules, where each of the plurality of rules includes an n number of rule fields and where the incoming key includes an n number of processing fields. The processor generates an x set of search trees, where each of the x set of search trees corresponds to a respective one of the x number of search phases. Also, the processor provides the x set of search trees to a search processor, where each of the x set of search trees is configured to process respective portions of the incoming key.

Abstract: A packet classification system, methods, and apparatus are provided for packet classification. A processor of a router coupled to a network processes data packets received from a network. The processor creates a request key using information extracted from a packet. The processor splits the request key into an n number of partial request keys if at least one predetermined criterion is met. The processor also sends a non-final request that includes an i-th partial request key to a corresponding search table of an n number of search tables, wherein i<n. Further, the processor receives a non-final search result from the corresponding search table. The processor sends a final request that includes an n-th partial request key and the non-final search result. The processor receives a final search result from the corresponding search table and processing the packet based on processing data included in the final search result.

Abstract: A method and corresponding system for providing a skip group rule feature is disclosed. When a search for a key matches a skip group rule in a group of prioritized rules, the search skips over rules having priorities lower than the skip group rule and the search continues to a next group. A convenient example of a compiler rewrites the lower priority rules by subtracting the skip group rule from them. The subtraction includes subtracting range, exact-match, mask, and prefix fields. The rewritten rules appear to a search processor as typical rules. Beneficially, the search processor requires no additional logic to process a skip group rule, skip over lower priority rules, and go on to search a next group of rules. Advantageously, this approach enables any number of skip group rules to be defined allowing for better classification of network data.

Abstract: A packet classification system, methods, and corresponding apparatus are provided for enabling packet classification. A processor of a security appliance coupled to a network uses a classifier table having a plurality of rules, the plurality of rules having at least one field, to build a decision tree structure including a plurality of nodes, the plurality of nodes including a subset of the plurality of rules. The methods may produce wider, shallower trees that result in shorter search times and reduced memory requirements for storing the trees.