Stateful Inspection firewall session table processing

Stateful Inspection is a key technology in network devices such as routers and firewalls. Existing session table architectures for Stateful Inspection devices store all session information in a single entry, which makes session table timeout processing expensive, since every entry must be visited. In this paper we present a new architecture that divides a session entry into two parts and designs a separate data structure for each part. The new architecture greatly improves session table performance. A new PATRICIA algorithm is proposed to organize the session table; it is proved to be an optimal 2-ary trie for fixed-length match. An ASIC implementing the architecture and the corresponding algorithms has been built. Both theoretical and experimental results show that the new architecture outperforms existing architectures and works well in Gigabit Ethernet networks.
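The following software model, added here as an illustration and not the paper's ASIC design or its code, shows the two ideas the abstract describes: a fixed-length 5-tuple key is matched in a 2-ary PATRICIA (crit-bit) trie, while the timeout state lives in a separate structure ordered by last activity, so an expiry pass only touches sessions that have actually timed out instead of scanning every entry. The key layout, the single idle timeout, and the monotonic `now` argument are assumptions of this example.

```python
"""Session table split into a PATRICIA lookup part and an ordered timeout part (added example)."""
from collections import OrderedDict
import ipaddress

# Assumed key layout: 32-bit src, 32-bit dst, 16-bit sport, 16-bit dport, 8-bit proto = 104 bits.
KEY_BITS = 104


def session_key(src, dst, sport, dport, proto):
    """Pack an IPv4 5-tuple into one fixed-length integer key (bit 0 of the trie = MSB)."""
    return ((int(ipaddress.IPv4Address(src)) << 72) | (int(ipaddress.IPv4Address(dst)) << 40)
            | (sport << 24) | (dport << 8) | proto)


def bit_at(key, i):
    """Return bit i of the key, counting from the most significant bit."""
    return (key >> (KEY_BITS - 1 - i)) & 1


class Leaf:
    __slots__ = ("key", "value")

    def __init__(self, key, value):
        self.key, self.value = key, value


class Inner:
    """Internal node: tests one bit and has exactly two children (2-ary trie)."""
    __slots__ = ("bit", "child")

    def __init__(self, bit):
        self.bit, self.child = bit, [None, None]


class PatriciaTable:
    """Match part: fixed-length keys, one bit test per internal node, no one-way branches."""

    def __init__(self):
        self.root, self.size = None, 0

    def __len__(self):
        return self.size

    def _find_leaf(self, key):
        node = self.root
        while isinstance(node, Inner):
            node = node.child[bit_at(key, node.bit)]
        return node

    def lookup(self, key):
        if self.root is None:
            return None
        leaf = self._find_leaf(key)  # at most KEY_BITS bit tests, then one full compare
        return leaf.value if leaf.key == key else None

    def insert(self, key, value):
        if self.root is None:
            self.root, self.size = Leaf(key, value), 1
            return
        leaf = self._find_leaf(key)
        if leaf.key == key:
            leaf.value = value
            return
        # First bit (from the MSB) where the new key diverges from the closest stored key.
        crit = KEY_BITS - (leaf.key ^ key).bit_length()
        parent, node, direction = None, self.root, 0
        while isinstance(node, Inner) and node.bit < crit:
            parent, direction = node, bit_at(key, node.bit)
            node = node.child[direction]
        new = Inner(crit)
        new.child[bit_at(key, crit)] = Leaf(key, value)
        new.child[1 - bit_at(key, crit)] = node
        if parent is None:
            self.root = new
        else:
            parent.child[direction] = new
        self.size += 1

    def delete(self, key):
        if self.root is None:
            return False
        if isinstance(self.root, Leaf):
            if self.root.key != key:
                return False
            self.root, self.size = None, 0
            return True
        grand, parent, node, gdir, pdir = None, None, self.root, 0, 0
        while isinstance(node, Inner):
            grand, gdir = parent, pdir
            parent, pdir = node, bit_at(key, node.bit)
            node = node.child[pdir]
        if node.key != key:
            return False
        sibling = parent.child[1 - pdir]  # collapse the one-way branch left behind
        if grand is None:
            self.root = sibling
        else:
            grand.child[gdir] = sibling
        self.size -= 1
        return True


class SessionTable:
    """Two-part session entry: state in the trie, last-activity time in an ordered list."""

    def __init__(self, idle_timeout):
        self.trie = PatriciaTable()
        self.timers = OrderedDict()  # key -> last_seen, oldest activity first
        self.idle_timeout = idle_timeout

    def add(self, key, state, now):
        self.trie.insert(key, state)
        self.timers[key] = now
        self.timers.move_to_end(key)

    def touch(self, key, now):
        """Per-packet path: one trie match plus an O(1) timer refresh."""
        state = self.trie.lookup(key)
        if state is None:
            return None
        self.timers[key] = now
        self.timers.move_to_end(key)
        return state

    def expire(self, now):
        """Timeout pass: pops from the front until the oldest session is still alive."""
        expired = []
        while self.timers:
            key, last_seen = next(iter(self.timers.items()))
            if now - last_seen < self.idle_timeout:
                break
            self.timers.popitem(last=False)
            self.trie.delete(key)
            expired.append(key)
        return expired
```

Because every session shares one idle timeout and `now` never goes backwards, refreshing a session by moving it to the tail keeps the list sorted by expiry, which is what makes `expire` proportional to the number of timed-out sessions rather than to the table size; with several timeout classes one would keep one such list per class.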
