Title of invention: Flow ownership assignment in a distributed processor system
Abstract: A security device for processing network flows includes one or more packet processors configured to receive incoming data packets associated with one or more network flows where a packet processor is assigned as an owner of one or more network flows and each packet processor processes data packets associated with flows for which it is the assigned owner; and a packet processing manager configured to assign ownership of network flows to the one or more packet processors where the packet processing manager includes a global flow table containing entries mapping network flows to packet processor ownership assignments. The packet processing manager informs a packet processor of an ownership assignment after one or more packets are received, and the one or more packet processors learn of ownership assignments of network flows from the packet processing manager.
Publication number: US9077702(B2) Publication date: 2015.07.07
Application number: US201313840735 Filing date: 2013.03.15
Applicant: Palo Alto Networks, Inc. Inventors: Roberson William A.;Xu Wilson
Classification: G06F21/60;H04L29/06;H04L9/32;G06F21/30 Main classification: G06F21/60
Agency: Van Pelt, Yi & James LLP Agent: Van Pelt, Yi & James LLP
Main claim: 1. A security device for processing a plurality of network flows, comprising: one or more packet processing cards, each packet processing card having one or more packet processors formed thereon, each packet processing card having a data port for receiving and transmitting data packets and a local flow table, the one or more packet processors on each packet processing card being configured to receive incoming data packets associated with one or more network flows, at least one of the packet processors being assigned as an owner of one or more network flows, and each packet processor processing data packets associated with network flows for which it is the assigned owner and each network flow being assigned to only one owner packet processor, each owner packet processor processing data packets associated with a network flow to enforce a security policy; a packet processing manager configured to assign ownership of network flows to the one or more packet processors on the one or more packet processing cards, the packet processing manager comprising a global flow table containing entries mapping network flows to packet processor ownership assignments; and a switching fabric in communication with the one or more packet processing cards and the packet processing manager, wherein, in response to the packet processing manager receiving a first data packet belonging to a first network flow for which no entry for the first network flow is found in the global flow table, the packet processing manager assigns a first packet processor on a first packet processing card as the owner of the first network flow and adds an entry to the global flow table mapping the first network flow to the first packet processor as the owner of the first network flow, the entry being in a tentative state, the packet processing manager informs the first packet processor of the ownership assignment and forwards the first data packet to the first packet processor; and, in response to the first packet processor accepting the ownership assignment and in response to receiving at a second packet processor a second data packet belonging to the first network flow, the packet processing manager stores a binding entry in the global flow table mapping the first network flow to the owner packet processor, the second packet processor learns of the ownership assignment of the first network flow from the packet processing manager, the packet processing card associated with the second packet processor storing in the local flow table an entry mapping the first network flow to the first packet processor ownership assignment and the second packet processor forwards the second data packet to the first packet processor for processing.
Address: Santa Clara CA US
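The ownership handshake in the main claim, modelled as an added example that is not code from the patent or from the applicant. The names Manager, PacketProcessor, lookup, confirm and take_ownership are hypothetical. Assumptions: one packet processor per card, round-robin owner selection, immediate acceptance by the owner, and a direct list append standing in for the switching fabric.

```python
TENTATIVE, BOUND = "tentative", "bound"

class Manager:  # packet processing manager; holds the global flow table
    def __init__(self):
        self.procs = {}         # processor id -> PacketProcessor
        self.global_table = {}  # flow key -> [owner id, state]
        self.lookups = 0        # how often a processor had to ask the manager

    def lookup(self, flow, packet):  # returns (owner id, delivered)
        self.lookups += 1
        if flow in self.global_table:
            return self.global_table[flow][0], False  # asker learns the owner
        ids = sorted(self.procs)
        owner = ids[len(self.global_table) % len(ids)]  # assumption: round-robin
        self.global_table[flow] = [owner, TENTATIVE]
        self.procs[owner].take_ownership(flow, packet)  # inform + forward packet
        return owner, True

    def confirm(self, flow, owner):
        if self.global_table[flow] == [owner, TENTATIVE]:
            self.global_table[flow][1] = BOUND  # accepted: entry becomes binding

class PacketProcessor:
    def __init__(self, pid, manager):
        self.pid, self.manager = pid, manager
        self.local_table = {}   # flow key -> owner id
        self.processed = []     # packets this processor applied policy to
        manager.procs[pid] = self

    def take_ownership(self, flow, packet):
        self.local_table[flow] = self.pid
        self.processed.append(packet)
        self.manager.confirm(flow, self.pid)

    def receive(self, flow, packet):  # packet arrives on this data port
        owner = self.local_table.get(flow)
        if owner is None:
            owner, delivered = self.manager.lookup(flow, packet)
            self.local_table[flow] = owner  # learn the assignment
            if delivered:
                return owner
        target = self if owner == self.pid else self.manager.procs[owner]
        target.processed.append(packet)  # direct append stands in for the fabric
        return owner

def demo():
    mgr = Manager()
    pp1, pp2, pp3 = (PacketProcessor(f"pp{i}", mgr) for i in (1, 2, 3))
    flow = ("10.0.0.5", 40000, "192.0.2.10", 443, "tcp")  # constructed 5-tuple
    owners = [pp3.receive(flow, "p1"), pp2.receive(flow, "p2"), pp2.receive(flow, "p3")]
    return owners, mgr.global_table[flow], pp1.processed, pp2.local_table, mgr.lookups
```

In demo(), the third packet reaches the owner through pp2's local flow table alone, so the manager is consulted only twice for three packets.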