Classifying packets in a single pass
By Sudha Valluru, Network World, 07/18/2005
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Packet classification and inspection - categorizing packets into flows and checking headers to determine how to handle data
blocks - are essential for services processing. Traditional routers classify packets by checking their headers against access
control lists (ACL) to determine where the packets should go next. But because each service applies its own ACLs rather than
a uniform set, one packet must be classified and inspected multiple times.
Today, vendors are consolidating multiple services onto a single device, yet these devices still classify packets one service
at a time. As a result, consolidated devices incur more processing inefficiencies and overhead with every additional service.
Single-pass classification and inspection can overcome these problems and increase CPU efficiency by classifying packets for
all services in a single pass.
At the heart of one-pass packet classification is a single, flexible, extensible syntax that administrators can use to define
a common classification and specify policies for all services, down to an application's payload level. This syntax also can
define complex classifications for QoS, anti-virus, VoIP and other applications - something older syntaxes cannot do.
For single-pass packet classification to work well, packets must flow through a multi-function services gateway in a certain
order to ensure that all services are performed at the correct points. In multiple-pass classification, services gateways
send a packet first to a router, where the first classification occurs, but this exposes the router to denial-of-service attacks
or other security problems. Once the packet leaves the router and goes to a firewall, it is classified again, and so on for
every service in the consolidated device. This uses up CPU cycles, increases system latency and introduces more possibilities
for errors.
With single-pass packet classification, a packet enters a firewall first, thus protecting all other services in a gateway.
In the firewall, the IPSec service decrypts and classifies the packet - just once, using the common classification - and attaches
a tag that contains information about which services need to process the packet. The packet then passes to a filter in the
services gateway that accepts or denies it based on information in the tag.
From the filter, the packet undergoes a denial-of-service check and on to an intrusion-prevention/intrusion-detection system
(IPS/IDS), which not only inspects packet content for signs of intrusion but also extracts, normalizes and processes information
about the content and stores it in a centralized content management repository.
The content repository is especially useful when the packet passes to the network address translation (NAT) service, since
NAT applications require a deep packet inspection that searches content for illegal statements. Only after
the packet has been classified, inspected and verified as safe does the gateway forward it to the router and on to the internal
network.
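The flow described above - classify once at the firewall against a common table, attach a tag naming the services that must see the packet, let the filter accept or deny on the tag, and have each later stage consult the tag instead of re-matching headers - is modelled below as an added example. It is not code from the article or from any vendor's product; the rule table, service names, actions and sample packets are all constructed for illustration, and the multi-pass path is a simplified model of the "one service at a time" pipeline the article contrasts against. The model counts how many times a packet is matched against the classification table under each approach.

```python
"""Single-pass vs. multi-pass packet classification (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """One entry in the common classification table: a match predicate,
    the filter action, and the set of services that must see the flow."""
    name: str
    match: Callable[[Packet], bool]
    action: str               # "accept" or "deny"
    services: frozenset


@dataclass(frozen=True)
class Tag:
    """Attached to the packet after the single classification."""
    flow: str
    action: str
    services: frozenset


# Common classification table (constructed). Every service consults the
# same table, so the result of one match can be reused by all of them.
RULES: List[Rule] = [
    Rule("telnet", lambda p: p.proto == "tcp" and p.dport == 23, "deny", frozenset()),
    Rule("voip", lambda p: p.proto == "udp" and 16384 <= p.dport <= 32767,
         "accept", frozenset({"dos", "qos"})),
    Rule("web", lambda p: p.proto == "tcp" and p.dport in (80, 443),
         "accept", frozenset({"dos", "ids", "nat"})),
    Rule("default", lambda p: True, "accept", frozenset({"dos"})),
]

# Order in which the services gateway runs its stages after the filter.
SERVICE_ORDER = ["dos", "ids", "nat", "qos"]


def classify(packet: Packet, stats: Dict[str, int]) -> Tag:
    """Match the packet against the common table; first match wins."""
    stats["classifications"] += 1
    for rule in RULES:
        if rule.match(packet):
            return Tag(rule.name, rule.action, rule.services)
    raise AssertionError("the default rule guarantees a match")


def single_pass(packet: Packet, stats: Dict[str, int]) -> Tuple[Tag, List[str]]:
    """Firewall classifies once and attaches the tag; later stages read it."""
    tag = classify(packet, stats)
    if tag.action == "deny":
        return tag, []            # filter drops on the tag; no service runs
    ran = [s for s in SERVICE_ORDER if s in tag.services]
    return tag, ran


def multi_pass(packet: Packet, stats: Dict[str, int]) -> Tuple[Tag, List[str]]:
    """Model of per-service classification: every stage re-matches headers."""
    tag = classify(packet, stats)  # first classification at the router stage
    if tag.action == "deny":
        return tag, []
    ran = []
    for service in SERVICE_ORDER:
        tag = classify(packet, stats)  # each service repeats the match
        if service in tag.services:
            ran.append(service)
    return tag, ran


def run(pipeline, packets: List[Packet]) -> Tuple[List[Tuple[Tag, List[str]]], int]:
    """Push packets through a pipeline; return results and match count."""
    stats = {"classifications": 0}
    results = [pipeline(p, stats) for p in packets]
    return results, stats["classifications"]


# Constructed sample traffic: HTTPS, an RTP-range UDP packet, telnet, unknown TCP.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 443, b"\x16\x03\x01"),
    Packet("10.0.0.6", "192.0.2.20", "udp", 20000, b"\x80\x00"),
    Packet("10.0.0.7", "192.0.2.30", "tcp", 23, b"login:"),
    Packet("10.0.0.8", "192.0.2.40", "tcp", 5000, b"data"),
]

if __name__ == "__main__":
    for name, pipeline in (("single-pass", single_pass), ("multi-pass", multi_pass)):
        results, n = run(pipeline, SAMPLE)
        print(f"{name}: {n} classifications for {len(SAMPLE)} packets")
        for pkt, (tag, ran) in zip(SAMPLE, results):
            print(f"  {pkt.proto}/{pkt.dport}: flow={tag.flow} action={tag.action} services={ran}")
```

Both pipelines produce the same per-packet decisions, which is the point: the tag carries everything a later stage needs, so the single-pass path matches each packet once while the multi-pass model matches it once per stage. The denied telnet packet also shows the ordering benefit the article describes: it is dropped at the filter and never reaches the later services.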
One-pass classification and content inspection is a simple and elegant solution to the piecemeal processing approach used
by consolidated multi-service devices, dramatically increasing CPU efficiency, decreasing risk of errors and minimizing latency.