AN1337 Application Note
February 2001

IP Address Filtering Using the M7010 and M7020 Network Search Engine

Introduction

This application note illustrates how IP address filtering can be effectively performed using STMicroelectronics M7010/20 search engines.

Summary

There is a direct relationship between the value of the Internet and the number of sites connected to it. As the Internet grows, the value of each site's connection to the Internet increases, because it provides the organization with access to an ever-expanding user/customer population.

In many situations, institutions agree to share limited-access resources with other institutions as part of consortia, financial associations, or other resource-sharing collaborations. In such an agreement, an enterprise defines a user community that has access to some network resource. This community is typically large, numbering perhaps in the tens of thousands of individuals, and membership may be volatile over time, reflecting for example the characteristics of a student body. The operator of the network resource, which may be a web site or a resource reached by other protocols such as Telnet terminal emulation or another information retrieval protocol, needs to decide whether users seeking access to the resource are actually members of the user community that the licensee institution defined as part of the license agreement.

For this reason, we need to take the protection of information seriously. There are two major aspects to this:

- Access to information is controlled in an appropriate way, with people able to see the information appropriate to their roles inside and outside of the institution. Compliance with the "policies" set for managing access to IT resources is also necessary.
- Ensuring that the integrity of information is maintained and that unauthorized changes are not made.

IP filtering, which is still the predominant technology, can be used to control access to web resources.
Each computer connected to the Internet has a unique address. These addresses are arranged in a hierarchy of domains, sub-domains and machine numbers. IP filtering works by restricting access to machines in a particular domain, sub-domain or even to specific machine addresses. With IP filtering, the licensee institution guarantees to the resource operator that all traffic coming from a given set of IP addresses (perhaps all IP addresses on one or more networks) represents legitimate traffic on behalf of the licensee institution's user community. The resource operator then simply checks the source IP address of each incoming request. IP filtering complements and leverages the capabilities of VPN, policy management, CoS, QoS, VoIP and other applications.
IP Address Basics

The IP addressing scheme is an integral part of the process of routing IP data through the Internet. Each host on a TCP/IP network is assigned a unique 32-bit logical address. The IP address is divided into two main parts: the network number and the host number. The network number identifies the network. It is assigned by the Internet Network Information Center if the network is to be part of the Internet. The host number identifies a host and is assigned by the local network administrator.

IP address format

Dotted-decimal notation. In order to make Internet addresses more user-friendly, IP addresses are often expressed as four decimal numbers, each separated by a dot. This format is known as "dotted-decimal notation." Dotted-decimal notation divides the 32-bit Internet address into four 8-bit fields and specifies the value of each field independently as a decimal number, with the fields separated by dots.

The 32-bit IP address is grouped 8 bits at a time, each group of 8 bits being an octet. Each of the four octets is separated by a dot and represented in decimal format. Every bit in an octet has a binary weight (128, 64, 32, 16, 8, 4, 2, and 1). The minimum value for an octet is 0 (all bits set to 0), and the maximum value for an octet is 255 (all bits set to 1).

As an example, an IP address can be represented as 209.237.20.193. Each of the decimal digits represents a string of four binary digits. Thus, the IP address is a string of 0s and 1s (see Figure 1).

Figure 1. IP address (bit # 0 to 31): 11010001.11101101.00010100.11000001 = 209.237.20.193
IP address classes. IP addressing supports the following five address classes: Class A, Class B, Class C, Class D, and Class E.

In a Class A address, the first octet is the network portion. Thus, the Class A address of 209.237.20.193 has a major network address of 209. Octets 2, 3, and 4 represent the hosts. Class A addresses are used for networks that have more than 65,536 hosts. The Class A address of 127 is for a special function called a loopback function.

In a Class B address, the first two octets identify the network portion. Therefore the Class B address of 135.11.21.7 has a major network address of 135.11. Octets 3 and 4 (the next 16 bits) are for hosts. Class B addresses are used for networks that have between 256 and 65,536 hosts.

In a Class C address, the first three octets represent the network portion. The Class C address of 205.45.9.37 has a major network address of 205.45.9. Octet 4 is for hosts. Class C addresses are used for networks with less than 254 hosts (see Table 1).

Class D addresses are known as multicast addresses and are used to send an IP datagram to a group of hosts on a network. Class E addresses are reserved for experimental and future use.

Table 1. Address classes

Address class | First octet (decimal) | High-order bits | IP address example
Class A       | 1 - 126               | 0               | 111.49.79.16
Class B       | 128 - 191             | 10              | 128.11.21.7
Class C       | 192 - 223             | 110             | 209.237.20.193
Class D       | 224 - 239             | 1110            | 230.100.80.0
Class E       | 240 - 247             | 11110           | 245.16.92.7
Classful network masks. Each of the address classes contains a set of classful network masks. The network mask defines which of the 32 bits of the address are the network portion and which are the host portion. The network mask is calculated by setting all bits to a value of 1 in the octets designated for the network portion and all bits to a value of 0 in the octets designated for the host portion. For example, the Class A network mask is defined as 255.0.0.0. Similarly, the Class B network mask is 255.255.0.0 and the Class C network mask is 255.255.255.0. Table 2 summarizes the network and host portion of each address class.

Table 2. Address class network and host portions

Class A: bit 0 = 0, bits 1 - 7 network #, bits 8 - 31 host #
Class B: bits 0 - 1 = 10, bits 2 - 15 network #, bits 16 - 31 host #
Class C: bits 0 - 2 = 110, bits 3 - 23 network #, bits 24 - 31 host #

A subnet is an identifiably separate part of an organization's network. Typically, a subnet may represent all the machines at one geographic location, in one building, or on the same local area network. Having an organization's network divided into subnets allows it to be connected to the Internet with a single shared network address. Without subnets, an organization could get multiple connections to the Internet, one for each of its physically separate subnetworks. However, this requires an unnecessary use of a limited number of network numbers.

Subnet mask. Once a packet has arrived at an organization's gateway or connection point with its unique network number, it can be routed within the organization's internal gateways using the subnet number. The router knows which bits to consider by looking at a subnet mask. Using a mask saves the router having to handle the entire 32-bit address; it can simply look at the bits selected by the mask.

IP subnet addressing. All classes of IP networks can be divided into smaller networks called subnetworks (or subnets). Dividing the major class network is called subnetting. Subnetting provides network administrators with several benefits. It provides extra flexibility, makes more efficient use of network addresses, and contains broadcast traffic, because a broadcast does not cross a router.

IP subnet mask. "Borrowing" bits from the host field and designating them as the subnet field creates a subnet address. The number of borrowed bits is variable and is specified by the subnet mask.

How a router routes a packet. When a router receives a packet, it makes a routing decision based on the destination address portion of the packet. It then looks up the destination address in its routing table. If the destination address is within a known network/subnetwork, the router forwards the packet to the next-hop gateway for that destination network/subnetwork. Once the packet leaves the router, it is the responsibility of the next-hop gateway to forward the packet to its final destination. If the router does not have the destination network in its routing table, it may forward the packet to a predetermined default gateway (if configured) and let the default gateway handle getting the packet to the destination network. Otherwise, it will drop the packet and inform the sending host that the network is not reachable.

Subnetting addresses the problem of expanding routing tables. It also ensures that the subnet structure of a network is not visible outside of the organization's private network.
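The addressing rules of the last two sections (dotted-decimal notation and the Figure 1 bit view, the class test on the high-order bits of Table 1, the classful masks of Table 2, borrowing host bits to form a subnet mask, and the router's forward / default gateway / unreachable decision) as an added Python example. This is not code from the application note or from STMicroelectronics; the routing table and gateway names at the bottom are constructed for the example, and the "addresses per subnet" value counts all 2^(host bits) addresses of the block, the way the "# of hosts" column of Table 3 later in this note does.

```python
# Added example, not code from the application note: classful addressing,
# subnet masks and the router forwarding decision described in the text.

def ip_to_int(dotted):
    """'209.237.20.193' -> 32-bit integer; raises ValueError on bad input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not dotted-decimal: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value

def int_to_ip(value):
    """32-bit integer -> dotted-decimal string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(dotted):
    """The Figure 1 view: four 8-bit groups separated by dots."""
    value = ip_to_int(dotted)
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

def address_class(dotted):
    """Classify by the high-order bits of the first octet (Table 1)."""
    first = ip_to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"

# Length of the network portion for the classful masks of Table 2 (D and E have no host field).
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}

def prefix_to_mask(prefix):
    """Number of leading 1 bits -> 32-bit mask value."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def classful_mask(dotted):
    """255.0.0.0, 255.255.0.0 or 255.255.255.0 for classes A/B/C; None for D/E."""
    cls = address_class(dotted)
    if cls not in CLASSFUL_PREFIX:
        return None
    return int_to_ip(prefix_to_mask(CLASSFUL_PREFIX[cls]))

def subnet_mask(dotted, borrowed_bits):
    """Borrow host bits for the subnet field: returns (mask, prefix length, addresses per subnet).
    The address count is 2^(remaining host bits), as the "# of hosts" column of Table 3 counts."""
    base = CLASSFUL_PREFIX[address_class(dotted)]
    if not 0 <= borrowed_bits <= 32 - base - 2:
        raise ValueError("must leave at least two host bits")
    prefix = base + borrowed_bits
    return int_to_ip(prefix_to_mask(prefix)), prefix, 1 << (32 - prefix)

def route(routing_table, destination, default_gateway=None):
    """Router decision from the text: a known network/subnetwork (the most specific one if
    several match) gives the next hop; otherwise the default gateway if configured;
    otherwise None, meaning drop the packet and report the network unreachable."""
    dst = ip_to_int(destination)
    best = None
    for network, mask, next_hop in routing_table:
        net, msk = ip_to_int(network), ip_to_int(mask)
        if dst & msk == net & msk:
            specificity = bin(msk).count("1")
            if best is None or specificity > best[0]:
                best = (specificity, next_hop)
    return best[1] if best else default_gateway

# Constructed sample routing table (network, mask, next hop); the gateway names are invented.
ROUTING_TABLE = [
    ("205.45.9.0",  "255.255.255.0",   "gw-classC"),
    ("205.45.9.32", "255.255.255.224", "gw-subnet"),
    ("135.11.0.0",  "255.255.0.0",     "gw-classB"),
]

if __name__ == "__main__":
    for addr in ("209.237.20.193", "135.11.21.7", "205.45.9.37", "111.49.79.16"):
        print(addr, to_binary(addr), "class", address_class(addr), "mask", classful_mask(addr))
    print(subnet_mask("205.45.9.37", 3))
    print(route(ROUTING_TABLE, "205.45.9.37"), route(ROUTING_TABLE, "10.0.0.1", "gw-default"))
```

The class test reads only the leading bits of the first octet, which is exactly what the "high-order bits" column of Table 1 specifies; `route` prefers the entry with the most mask bits, so the borrowed-bit subnet 205.45.9.32/27 wins over its parent Class C network for 205.45.9.37.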
M7010/20 Search Engines

The M7010 and M7020 are high-performance, pipelined, synchronous search engines designed using the Associated Processing Technology (APT™). The device is user-configurable into tables as wide as 272 bits and a cascaded depth of 992k 32-bit addresses. Its high speed of 83 million lookups per second and its high capacity of nearly 1 million addresses can be employed in a variety of networking and communications applications requiring fast searches of various tables. It provides a performance advantage over other memory-based search algorithms, such as binary or tree-based searches, by comparing the desired information against the entire list of pre-stored entries in a single cycle, thereby giving an orders-of-magnitude reduction in search time.

The M7010 is organized as 8k x 136-bit, but can also be configured as 4k x 272-bit, 16k x 68-bit, or 32k x 34-bit (see application note AN1339, 32-bit applications using the M7010, M7020 network search engines). The M7020 is organized as 16k x 136-bit, but can also be configured as 8k x 272-bit, 32k x 68-bit, or 64k x 34-bit (see application note AN1339). The M7010 can sustain 83 million searches per second on any sub-field of a 68-bit or 136-bit field, making it the fastest search engine in the market. These high-speed, high-capacity chips can be employed in a variety of networking and communications applications that require fast searches of various tables.

Figure 2. Variable width table configuration: 16k x 68-bit (cfg = 00000000), 8k x 136-bit (cfg = 01010101) and 4k x 272-bit (cfg = 10101010), each with a data array and a mask array.

The M7010/20 contains a mask register for each data location. In addition, the device contains 16 68-bit global mask registers that can be dynamically selected in every search operation to select the search subfield. These mask registers provide an easy way of moving data to masks and enable selective lookups for subnets.
IP Address Filtering

In Table 3, eight different networks have been arbitrarily selected.

- I indicates include and E indicates exclude.
- Some of the networks will be allowed access to the network; hence they will be entered in the data array in the include table.
- Those IP addresses that are not permitted access to the network will be entered in the exclude table in the data array.

Table 3. IP address filtering example

    | Network address | Mask     | # of mask bits | # of hosts
I   | 162.11.35.64    | FFFFFFE0 | 27             | 32
E   | 181.22.14.124   | FFFFFFE0 | 27             | 32
I   | 181.21.41.32    | FFFFFFF0 | 28             | 16
E   | 111.49.79.16    | FFFFFFF8 | 29             | 8
I   | 90.47.79.120    | FFFFFFF8 | 29             | 8
E   | 179.44.31.80    | FFFFFFF8 | 29             | 8
I   | 75.125.159.112  | FFFFFFFC | 30             | 4
E   | 175.43.31.70    | FFFFFFFC | 30             | 4
Procedure for Updating Tables

Two array segments have been created (see Figure 3). One part is for the IP addresses authorized to access the Internet, and the other is to prevent access for unauthorized IP addresses. The corresponding mask is set in the mask array. Upon initialization, the search engine data array should be written with all bits set to "0," and the mask array should be written with all bits set to "FF."

Upon receiving a new IP address over the data bus, it is necessary to search for the entry in the allow table. Initially, the entry will not be found; then, the table can be updated using the learn command if the entry is not found in the deny table.

Figure 3. Allow and deny tables for updating tables: a 68-bit-wide mask array and data array (bit # 0 to 67), divided into an allow (include) table and a deny (exclude) table, each holding four of the Table 3 networks with a 32-bit IP address field and its 32-bit mask.

Bit 1 is a table management bit. Bit 1 is "0" in the include table and "1" in the exclude table. Please note that in this example the table is 68 bits wide.

If any IP address is encountered that is not part of either the allow or deny tables, then a new entry for this IP address can be added in the last location of the deny table. The corresponding mask for this new IP address should be entered as FFFFFFFF in the mask array.

Conclusion

The need for filtering increases as we move higher up the network (OSI) layers. The proliferation of Internet services like QoS, CoS and VPN is increasing demands, which cannot be met by traditional software-based algorithms alone. Applying various algorithms for IP address filtering requires a considerable amount of processing time. The algorithms used currently add higher processing costs and have increased latency, unlike the M7010/20 devices, which offer IP filtering at 83 million operations per second. Performing the IP filtering operation via the M7010/20 search engines provides higher speed and performance over legacy IP filtering approaches using algorithms. The M70x0 search engines offer a cost-effective alternative for improving device performance.
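A software model of the allow/deny lookup described in the procedure above, loaded with the eight networks of Table 3, as an added Python example; it is not code from the application note and does not reproduce the M7010/20 command set. Assumptions the note does not state: the 32-bit address occupies bits 32..63 of the 68-bit entry (the note fixes only the 68-bit width and the management bit in bit 1), a search returns the lowest matching location, and "learn" writes the next free location. Entries are initialised as the note says (data 0, mask all FF) and the IP field's mask is taken from Table 3, so a 1 in the mask marks a bit that is compared.

```python
# Added example, not code from the application note or the M7010/20 device:
# a software model of the allow/deny lookup described in the procedure.
# Layout assumptions (the note fixes only the 68-bit width and the management bit):
#   bit 1        table management bit (0 = include/allow, 1 = exclude/deny), as in the note
#   bits 32..63  the 32-bit IP address (assumed position)
# A 1 in a mask bit means the bit is compared, matching the FFFFFFE0-style masks of Table 3.

WIDTH = 68
WORD_MASK = (1 << WIDTH) - 1
MGMT_BIT = 1
IP_SHIFT = 32
IP_FIELD = 0xFFFFFFFF << IP_SHIFT
GLOBAL_MASK = (1 << MGMT_BIT) | IP_FIELD     # global mask selecting the search subfield
INCLUDE, EXCLUDE = 0, 1                      # management-bit value of each table

def ip_to_int(dotted):
    """'162.11.35.64' -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

class SearchEngine:
    """One 68-bit-wide table: a data array and a per-location mask array."""

    def __init__(self, depth):
        # Initialisation per the note: data array all 0, mask array all FF.
        self.data = [0] * depth
        self.mask = [WORD_MASK] * depth
        self.next_free = 0              # assumption: "learn" fills the next free location

    def write(self, table, dotted, ip_mask):
        """Program one entry: management bit + network address, Table 3 mask in the IP field."""
        if self.next_free >= len(self.data):
            raise RuntimeError("table full")
        data = (table << MGMT_BIT) | (ip_to_int(dotted) << IP_SHIFT)
        mask = (WORD_MASK & ~IP_FIELD) | (ip_mask << IP_SHIFT)
        location = self.next_free
        self.data[location], self.mask[location] = data, mask
        self.next_free += 1
        return location

    def search(self, table, dotted):
        """Lowest location whose masked data equals the masked key, else None."""
        key = (table << MGMT_BIT) | (ip_to_int(dotted) << IP_SHIFT)
        for location, (d, m) in enumerate(zip(self.data, self.mask)):
            if ((key ^ d) & m & GLOBAL_MASK) == 0:
                return location
        return None

# The eight networks of Table 3: (table, network address, mask).
TABLE_3 = [
    (INCLUDE, "162.11.35.64",   0xFFFFFFE0),
    (EXCLUDE, "181.22.14.124",  0xFFFFFFE0),
    (INCLUDE, "181.21.41.32",   0xFFFFFFF0),
    (EXCLUDE, "111.49.79.16",   0xFFFFFFF8),
    (INCLUDE, "90.47.79.120",   0xFFFFFFF8),
    (EXCLUDE, "179.44.31.80",   0xFFFFFFF8),
    (INCLUDE, "75.125.159.112", 0xFFFFFFFC),
    (EXCLUDE, "175.43.31.70",   0xFFFFFFFC),
]

def build_engine(depth=16):
    engine = SearchEngine(depth)
    for table, network, ip_mask in TABLE_3:
        engine.write(table, network, ip_mask)
    return engine

def filter_address(engine, dotted):
    """The note's procedure: search the allow table; if absent, search the deny table;
    if absent there too, learn the address into the deny table with mask FFFFFFFF."""
    if engine.search(INCLUDE, dotted) is not None:
        return "allow"
    if engine.search(EXCLUDE, dotted) is None:
        engine.write(EXCLUDE, dotted, 0xFFFFFFFF)
    return "deny"

if __name__ == "__main__":
    eng = build_engine()
    for addr in ("162.11.35.70", "181.22.14.100", "162.11.35.96", "75.125.159.113"):
        print(addr, filter_address(eng, addr))
```

Because the management bit is a compared bit in every entry mask, an allow search can never hit a deny entry and vice versa, even though both tables share one array; and because the initial all-FF masks compare every bit against zero data, unused locations never match a real address. An address in neither table is learned into the deny table as a single host entry (mask FFFFFFFF) and is found there on its next lookup.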
Contact Information

If you have any questions or suggestions concerning the matters raised in this document, please send them to the following electronic mail addresses. Please remember to include your name, company, location, telephone number, and fax number.

apps.nvram@st.com (for application support)
ask.memory@st.com (for general inquiries)
Information furnished is believed to be accurate and reliable. However, STMicroelectronics assumes no responsibility for the consequences of use of such information nor for any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of STMicroelectronics. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. STMicroelectronics products are not authorized for use as critical components in life support devices or systems without express written approval of STMicroelectronics. The ST logo is a registered trademark of STMicroelectronics. All other names are the property of their respective owners.

© 2001 STMicroelectronics - All Rights Reserved

STMicroelectronics Group of Companies: Australia - Brazil - China - Finland - France - Germany - Hong Kong - India - Italy - Japan - Malaysia - Malta - Morocco - Singapore - Spain - Sweden - Switzerland - United Kingdom - U.S.A.

www.st.com