EP-4075754-B1 - NETWORK SWITCH
Inventors
- HERBER, Christian
- PANNELL, DONALD ROBERT
- KUNZ, MANFRED
Dates
- Publication Date: 2026-05-06
- Application Date: 2022-03-23
Claims (10)
1. A network switch (100), comprising: an input port and an output port; a rule logic (102); a rule controller (104); a system timer (108) configured to reset or decrement a counter at configurable intervals; and a memory (106) for storing the counter; wherein the network switch is configured to inspect a packet, using deep packet inspection, DPI, received via the input port and wherein the rule controller (104) is configured to perform a look up in the memory of the rule logic (102) to find a DPI rule for the packet, wherein the DPI rule includes a flag to indicate active or de-active status of the DPI rule; wherein during a search for a DPI rule for the packet, the rule controller (104) is configured to check if the flag of the DPI rule is active; wherein if the DPI rule is found and the flag is active, the counter is reset and the rule controller (104) is configured to process the packet according to a preconfigured follow up action associated with the DPI rule; wherein if the DPI rule is not found or the DPI rule is in a de-active state, the rule controller (104) is configured to process the packet according to a default DPI rule, wherein the rule logic (102) is configured to identify the packet for a follow up action based at least on a subset of content of the packet including a header and a payload of the packet; and wherein the flag is set to indicate the de-active status when the counter reaches a preconfigured threshold value.
2. The network switch of claim 1, wherein the rule logic is implemented using content addressable memory that is configured to perform a memory look up based on contents of the packet.
3. The network switch of any of the preceding claims, wherein the counter holds a time value, a timer counter, a number of packets received from a same source to a same destination, or a number of bytes received from the same source to a same destination, or a user configurable parameter.
4. The network switch of any of the preceding claims, wherein the default DPI rule includes forwarding the packet to an external firewall.
5. The network switch of any of the preceding claims, wherein the received packet includes a sub packet and the at least the subset of content includes data from the received packet and the sub packet.
6. The network switch of any of the preceding claims, wherein the default DPI rule includes dropping the packet or closing a connection from a source of the packet.
7. The network switch of claim 6, wherein the default DPI rule includes setting up a DPI rule for processing future packets from a same source as a source of the packet.
8. A method of routing a packet, the method comprising: inspecting the packet, using deep packet inspection, DPI, and performing, by a rule controller (104), a look up in a memory (106) of a rule logic (102) to find a DPI rule for the packet, wherein the DPI rule includes a flag to indicate active or de-active status of the DPI rule; if the DPI rule is found and the flag is active, resetting a counter associated with the DPI rule and processing, by the rule controller (104), the packet according to a preconfigured follow up action associated with the DPI rule; if the DPI rule is not found or the DPI rule is in a de-active state, processing, by the rule controller (104), the packet according to a default DPI rule, wherein the packet is identified, by the rule logic (102), for a follow up action based at least on a subset of content of the packet including a header and a payload of the packet, wherein the method further comprises setting the flag to indicate the de-active status when the counter reaches a preconfigured threshold value.
9. The method of claim 8, wherein the default DPI rule includes forwarding the packet to an external firewall.
10. The method of claim 8 or claim 9, wherein the default DPI rule includes dropping the packet or closing a connection from a source of the packet.
Description
BACKGROUND

A network switch is a device that typically operates at the Data Link layer of the OSI model (Layer 2). The network switch takes in packets sent by devices connected to its physical ports and sends the packets out again through the ports that lead to the devices the packets are intended to reach. Some network switches also operate at the network layer (Layer 3), where routing occurs. Network switches are a common component of networks based on Ethernet, Fibre Channel, Asynchronous Transfer Mode (ATM), and InfiniBand, among others. In general, though, most network switches today use Ethernet.

Once a device is connected to a network switch, the network switch notes the media access control (MAC) address of the device. The network switch uses the MAC address to identify which attached device outgoing packets are being sent from and where to deliver incoming packets. When a device sends a packet to another device, the packet enters the network switch and the network switch reads its header to determine what to do with the packet. The network switch matches the destination address, along with other fields in some cases, and sends the packet out through the appropriate port that leads to the destination device.

EP 3297228 (A1) discloses a flow entry aging method, a switch, and a controller. US 2014/0098669 (A1) discloses a network element acting as a forwarding plane within a software-defined network to reduce negative effects of slow-path packet processing.

SUMMARY

The present invention is set out in the appended set of claims. This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

In one embodiment, a network switch is disclosed.
The network switch includes an input port and an output port. The network switch also includes a rule logic and a memory for storing a counter. The rule logic is configured to inspect a packet received via the input port and attempt to find a rule for the packet; if the rule is found, it resets the counter and processes the packet according to the rule or according to a preconfigured follow up action associated with the rule, and if the rule is not found, it processes the packet according to a default rule. The rule logic is configured to identify the packet for a follow up action based at least on a subset of content of the packet, including the header and payload of the packet. In some examples, if no matching rule is found, the packet may be sent to an external system for further processing. In another example, a default rule may be used if no matching rule for the received packet is found, and the default rule may include sending the received packet to an external system such as, but not limited to, a firewall. The counter may hold a time value, the number of packets from a same source to a same destination, a number of bytes received from the same source to a same destination, or a user configurable parameter to control the rule validity period. In some examples, the rule logic is implemented using content addressable memory that is configured to perform a memory look up based on contents of the packet. The inspection may include verifying that the counter has not reached a predefined rule expiry time. The timer may hold one of a time value, a number of bytes received, and a number of packets received. The default rule may include forwarding the packet to an external firewall. In another example, the default rule includes dropping the packet or closing the connection from the source of the packet. The received packet may include a sub packet, and the at least the subset of content includes data from the received packet and the sub packet.
In some examples, the default rule includes setting up a rule for processing future packets from a same source as a source of the packet. In some examples, the default rule includes setting up a rule for processing future packets from a same source as a source of the packet when the packet is accepted by the external system, such as a firewall. The rule may include a flag to indicate active or de-active status of the rule. In some examples, the attempt to find includes checking if the flag is set to the active status. The rule logic may be configured to use a system timer to alter the counter at configurable intervals. The rule logic may also be configured to set the flag to indicate the de-active status when the countdown reaches a preconfigured value, in particular a preconfigured threshold value.

In another embodiment, a method for processing a packet by a network switch is disclosed. The method may include inspecting the packet and attempting to find a rule for the packet and, if the rule is found, resetting a counter associated with the rule and routing the packet
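The lookup, counter reset, timer-driven de-activation and default-rule path of claim 1, together with the firewall hand-off of claim 4 and the rule set-up for future packets of claim 7, as an added Python model that is not part of the patent. The key fields inspected, the counter values and the firewall policy are assumptions.

```python
from dataclasses import dataclass

RESET_VALUE = 3   # counter value restored on every matching packet (assumed)
THRESHOLD = 0     # counter value at which the flag becomes de-active (assumed)


@dataclass
class DpiRule:
    action: str                 # preconfigured follow-up action for a hit
    counter: int = RESET_VALUE  # the per-rule counter held in memory (106)
    active: bool = True         # the active / de-active flag of claim 1


class DpiSwitch:
    def __init__(self, firewall):
        self.rules = {}           # memory (106): key -> DpiRule, models a CAM lookup
        self.firewall = firewall  # external firewall: packet -> accepted (bool)

    @staticmethod
    def key_of(packet):
        # Inspected subset: header fields plus the first payload bytes (assumed)
        return (packet["src"], packet["dst"], packet["payload"][:4])

    def add_rule(self, key, action):
        self.rules[key] = DpiRule(action)

    def system_timer_tick(self):
        """System timer (108): decrement each active counter; de-activate at threshold."""
        for rule in self.rules.values():
            if rule.active:
                rule.counter -= 1
                if rule.counter <= THRESHOLD:
                    rule.active = False

    def process(self, packet):
        """Rule controller (104): return the action applied to the packet."""
        key = self.key_of(packet)
        rule = self.rules.get(key)
        if rule is not None and rule.active:
            rule.counter = RESET_VALUE  # hit on an active rule: refresh it
            return rule.action
        # Not found or de-active: the default DPI rule hands the packet to the
        # external firewall; an accepted packet installs a rule for future packets.
        if self.firewall(packet):
            self.add_rule(key, "forward")
            return "forward"
        return "drop"


def firewall_policy(packet):
    """Constructed stand-in for the external firewall's verdict."""
    return not packet["payload"].startswith(b"BAD")
```

A rule that stops seeing traffic ages out after three timer ticks and the next packet is sent back through the firewall, so a stale entry cannot keep forwarding indefinitely.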