Content based overload protection

Abstract

Unit (1, eNB, SGW, PGW) comprising a processor (20) and interface means (10) adapted for receiving and transmitting packets (15, 17) to external units (1, eNB, SGW, PGW) over a communication interface. The interface means (10) comprises a first layer filtering means (101) operating according to first level filtering rules (1010) and first packet queues (Q1_1-Q1_n); while the processor (20) comprises at least one kernel (KL_1-KL_n), second layer filtering means (102) operating according to second level filtering rules (1020), second packet queues and applications. For a given packet received on the communication interface, the unit being adapted for —delivering (12) parts the packet to the first layer filtering means (101); —applying first level filtering (14); —performing first sorting (16) and delivering parts of the packet according to the first level filtering rules (201) and delivering parts of the packet to one of the first packet queues (Q1_1-Q1_n) in dependence on the first sorting; the unit further being adapted for —delivering (16, 18) the packet to second layer filtering means (102) from kernel or from first packet queues; —applying (24) second level filtering; —performing second sorting (26) of parts of the packet according to the second level filtering rules (201) and —delivering (28) parts of the packet to one of the applications in dependence on the second sorting (AP_1-AP_n).

Claims

1. An apparatus, comprising: a processor for running a plurality of applications; and a network interface that is separate and distinct from said processor, said network interface comprising a communication interface for receiving and transmitting packets to external units over a network, a first layer filter operating according to first level filtering rules, and a plurality of first: layer packet queues, wherein the processor comprises at least one kernel, a second layer filter operating according to second level filtering rules, and second packet queues, the apparatus is adapted for delivering at least a part of a packet from a first layer packet queue to the second layer filter and delivering at least a part of a packet in the second layer filter to a second layer packet queue and further to one of said plurality of applications running on the processor, for a packet received on the communication interface, the apparatus is further configured to: deliver at least a part of the packet to the first layer filter; apply first level filtering; perform first sorting according to the first level filtering rules, select one of said plurality of first layer packet queues in dependence on the first sorting, and deliver at least the part of the packet to said selected first layer packet queue; deliver at least the part of the packet to second layer filter from kernel or from said selected first layer packet queue; apply second level filtering; perform second sorting on at least the part of the packet according to the second level filtering rules and in dependence on the second sorting, deliver at least the part of the packet to one of the plurality of applications running on the processor, wherein the apparatus is further configured to deliver at least a part of a packet from a first packet queue (Q1_n) to a kernel and further to an application (AP_1-AP_n), in order to bypass the second layer filtering means.

2. A method in an apparatus for processing packets, the apparatus comprising processor for running a plurality of applications and a network interface separate and distinct from the processor, the network interface comprising a communication interface and a first layer filter, the method comprising: receiving a packet via the communication interface; delivering at least part of the packet to the first layer filter; the first layer filter performing first sorting according to first level filtering rules, selecting a first layer packet queue selected from among a plurality of first layer packet queues in dependence on the first sorting, and delivering at least the part of the packet to said selected first layer packet queue; delivering at least the part of the packet to a second layer filter from a kernel running on the processor or from the selected first layer packet queue; the second layer filter performing second sorting on at least part of the packet according to second level filtering rules and delivering at least the part of the packet to one of said plurality of applications running on the processor in dependence on the second sorting, and further comprising the steps of delivering at least a part of a packet from one of said first layer packet queues to a kernel and further to an application in order to bypass the second layer filter.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 shows a unit according to an embodiment of the invention, in which incoming traffic paths are indicated,

(2) FIG. 2 shows further aspects of the unit of FIG. 1, in which outgoing traffic paths are indicated,

(3) FIG. 3 shows a network according to the invention in which the unit shown in FIGS. 1 and 2, is used for implementations on SGW/PGW nodes, and in which filtering is performed on a communication packet in the network,

(4) FIG. 4 shows an embodiment of a method for the unit shown in FIGS. 1 and 2,

(5) FIG. 5 shows an embodiment for first filtering rules according to an embodiment of the invention, and

(6) FIG. 6 shows an embodiment for second filtering rules according to an embodiment of the invention.

DETAILED DESCRIPTION

(7) In FIG. 1, a unit 1 according to an embodiment of the invention is shown. The unit 1 comprises a processor 20, PRC, and interface means 10, adapted for receiving and transmitting packets 15, 17 to external units 1 over a communication interface COM_INT.

(8) The interface means 10 comprises a first layer filtering means 101 operating according to first level filtering rules 1010 and first packet queues Q1_1-Q1_n.

(9) The processor 20 comprises at least one kernel KL_1-KL_n, second layer filtering means 102 operating according to second level filtering rules 1020, second packet queues Q2_1-Q2_n and applications AP_1-AP_n. The applications running in the processor could be virtually any applications. Purely by example, a hypertext transfer protocol, HTTP, web server application and a GSM application could form the applications shown in FIG. 1. The packet queues could be implemented both in hardware and in software. An Intel VMDq (Virtual Machine Device Queue) or SR-IOV (Single Root IO virtualization) could for instance be used as a hardware first layer packet filtering means. The interface means 10 could constitute a network interface card, NIC.

(10) The unit 1 is further being adapted for delivering at least parts of a packet from a first packet queue to the second layer filtering means, 102, possibly via a kernel KL_1-KL_n; and delivering at least part of a packet in the second layer filtering means to a second packet queue to an application AP_1-AP_n.

(11) The unit 1, could form an Evolved Node B node, eNB, a mobility Management Entity, MME, a Serving gateway, SGW, or a Packet Data Network Gateway node, PGW node, for operating in an evolved packet core, EPC, network. By example, the communication interface COM_INT could constitute an Ethernet (ETH) interface.

(12) FIG. 2 shows further means of the unit 1, in which additional means for outgoing traffic has been indicated, namely outgoing filter transmit queues TX_1-TX_n residing in the network interface card NIC, 10. Each application, AP_1-AP_n, may send its outgoing traffic according to its transmit queue, one by one, via respective kernels, KL_1-KL_n. For example, TX_1 has the highest priority, while TX_n may have the lowest priority. Instead of having several queues TX_1-TX_n, a single queue could be arranged (not shown). In that case, there will be no priority control to the outgoing traffic, and traffic is transmitted in a FIFO (First Input First Output) manner. The outgoing traffic may be transmitted through the communication interface COM_INT.

(13) FIG. 3, shows a network in which the unit 1 may advantageously be embodied as a Evolved Node B node, eNB, mobility Management Entity, MME, Serving gateway, SGW or a Packet Data Network Gateway node, PGW node, for instance in evolved packet core, EPC, networks as is known from the 3GPP release 11 suite of standards for mobile communication, c.f. for instance 3GPP TS 23.002 V11.4.0, 2012-09, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Network architecture, FIG. 1b.

(14) In FIG. 3, a communication packet 15 is illustrated travelling from the user entity UE over the Uu interface to eNB, over S1-U interface to SGW, over 55/S8 interface to PGW of such an evolved packet core, EPC, network and further over interface SGi to a so-called Corresponding Node, CN.

(15) The communication packet, which comprises in part at least a TCP/UDP segment and an IP segment—here forming a packet data unit, PDU—is conveyed by means of a GPRS tunnel in the EPC network in which the packet is encapsulated in a communication packet, COM_INT 15, having an IP header, comprising further a UDP header and a GTP header. In the EPC network the PDU is considered as a T-PDU, Transport PDU, which corresponds to the payload of the packet conveyed. The content of the T-PDU is unknown.

(16) As illustrated in FIG. 3, the communication packet has also a Media Access Control header and a Virtual Local Area Network header is provided.

(17) It applies for a GTP-C (GPRS tunnel protocol-control plane) procedure (GTPv2):

(18) The MME will create session via S11 interface to SGW, from the SGW to the PGW. A create session request will be sent from the MME to the SGW and from the SGW to the PGW. A create session response message is sent from PGW to SGW, and then from SGW to MME via S11 interface. The PGW may create a bearer to SGW, from SGW to MME. A create bearer request is sent from PGW to SGW, and from SGW to MME. A create bearer response shall be sent from MME to SGW via S11, from SGW to PGW.

(19) For a GTP-U (GPRS tunnel protocol-control plane) (GTPv1 only):

(20) User entity UE packet data unit, PDU, traffic will be encapsulated into T-PDU by eNB, it will be sent to SGW via the S1-U interface. SGW will relay this message to PGW via the S5 or the S8 interface and vice versa. Echo request, echo response, error indication and version not supported messages are signaled between the adjacent nodes (eNB, MME, SGW and PGW), on both the GTP-C and the GTP-U path.

(21) So for the SGW node, the incoming packets are GTP-C (from MME or PGW) and GTP-U (eNB or PGW).

(22) For the PGW node, the incoming packets are GTP-C and GTP-U (from SGW).

(23) For the MME node, there appear GTP-C messages and S1-AP messages.

(24) For the eNB node, there appear GTP-U and S1-AP messages.

(25) According to embodiments of the invention, filtering according to first layer filtering rules 1010 is applied on the MAC, VLAN, IP, UDP and GTP segments, while filtering according to second layer filtering rules 1020 is applied on the payload, T-PDU as will be explained in the following. Different VLAN-id's may be used to indicate different priorities.

(26) Returning to FIG. 1, for a given packet received on the communication interface COM_INT, the unit is adapted for delivering 12 parts the received packet to the first layer filtering means 101; applying first level filtering 14; performing first sorting 16 and delivering parts of the packet according to the first level filtering rules 201 and delivering parts of the packet to one of the first packet queues Q1_1-Q1_n in dependence on the first sorting.

(27) Alternatively, parts of packets are delivered from a kernel to an application instead of to the second level filtering means 102, as shown from kernel KL_1 to application AP_1. Packets can moreover be transparently passed through kernel as a fast path solution to make applications read packets from hardware queues directly.

(28) Subsequently, the unit provides for delivering 16, 18 parts of the packet to second layer filtering means 102 from kernel or from first packet queues.

(29) Finally, the unit is applying 24 second level filtering; performing second sorting 26 of parts of the packet according to the second level filtering rules 201 and delivering 28 parts of the packet to one of the applications in dependence on the sorting AP_1-AP_n.

(30) The method, according to which the unit 1 may operate, has been further illustrated in FIG. 4.

(31) In step 8, an incoming packet is received in the unit 1 on the communication interface COM_INT which may for instance be an Ethernet interface, ETH.

(32) The packet or parts of the packet is delivered step 12 to first layer filtering means 102. In the first layer filtering means, 1'st layer filtering is performed according to first layer filtering rules 1010, step 14.

(33) Depending on the category in which the parts of the packet falls, parts of the packet is sorted and delivered to any of the first packet queues Q1_1-Q1_n, step 16.

(34) Depending on the tasks needed to be performed, the unit 1 delivers at least parts of the packet from a respective first packet queue where the packet resides to the second layer filtering means, step 22, possibly via a kernel KL_1-KL_n, step 18; and delivers at least part of a packet in the second layer filtering means to a second packet queue to an application AP_1-AP_n. Alternatively, parts of packets are delivered from a kernel to an application, thus by-passing the second level filtering means 102, as shown from kernel KL_1 to application AP_1. A first queue Q1_1 is arranged to be associated with a first kernel, KL_1, which leads exclusively to a given application, e.g. AP1, in dependence with an address resolution in that kernel. Thereby, the second level filtering is bypassed. This route, from step 18 to step 28, may pertain to high priority packet. In a still further embodiment, only a single first queue, Q1_n, represents a route to the second layer filtering means.

(35) In the second layer filtering means, second level filtering is applied, step 24; and second sorting step 26 of parts of the packet according to the second level filtering rules 201 is carried out, such that parts of a packet is distributed to any of the second packet queues in accordance with the second level filtering, 1020.

(36) Finally, parts of the packet are delivered 28 to one of the applications in dependence on the sorting AP_1-AP_n.

(37) Advantageously, the first packet queues Q1_1-Q1_n are associated with a set of respective first priority levels 0-6; and the second packet queues Q2_1-Q2_n are associated with a set of second priority levels 0-6.

(38) The first 1010 layer filtering rules are providing that lower priority packets are queued in respective queues of lower priority levels 4-6 while high priority packets are queued in respective queues of higher priority levels 0-3.

(39) The second layer rules 1020 are moreover arranged such that lower priority packets are queued in respective queues of lower priority levels 4-6 while high priority packets are queued in respective queues of higher priority levels 0-3.

(40) In this manner it is accomplished that for a given amount of high priority packets being accommodated for in queues of high priority levels, such high priority packets are delivered to applications AP_1-AP_n, despite queues of lower priority levels are being overflowed with low priority packets, and hence for situations where not all of such low priority packets can be delivered to applications.

(41) It is understood that it is a dimensioning task to secure that the queues can accommodate a sufficient amount of high priority packets to meet the above performance aspect. In this context, it is understood that the notion high priority in relation to low priority packets, are used in a relative sense i.e. that a high priority packet has a higher priority than a low priority packet.

(42) According to one embodiment of the invention, the first layer filtering in step 14 is applied on at least one field out of the Media Access Control, MAC, field, Virtual Local Area Network, VLAN, field, Internet Protocol, IP, field, User Datagram Protocol, UDP, field or GRPS Tunneling Protocol, GTP, field of a given packet received on the communication interface COM_INT.

(43) According to an embodiment of the invention, the distribution of packets to the second layer filtering is applied only for GTP-user, GTP-U, payload of a given packet received on the communication interface COM_INT.

(44) In FIG. 5, shows in tabular form the first layer filtering rules 1010 as expressed by message priorities and message types and the corresponding sorting into first packet queues, Q1_1-Q1_n.

(45) In an embodiment the filtering 14 is applied on one of 0—node internal control commands; 1—node internal messages; 2—Address Resolution Protocol, ARP; Open Shortest Path First, OSPF; Routing Information Protocol, RIP; Internet Control Message Protocol, ICMP; 3—echo request and echo response (both GTP-C and GTP-U); version not supported indication (GTP-C) 4—error indication (both GTP-C and GTP-U) and GTP-U end marker; 5—GTP-control plane, GTP-C, tunnel management and mobility management and others. 6—GTP-user plane, GTP-U, payload.

(46) In a further embodiment it is provided that node internal control commands; and node internal messages; have a higher priority than Address Resolution Protocol, ARP; Open Shortest Path First, OSPF; Routing Information Protocol, RIP; Internet Control Message Protocol, ICMP.

(47) In a further embodiment, the priorities are in the order mentioned above, such that Node internal control commands have the highest priority—message priority 0—and GTP-U payload has the lowest priority—message priority 6.

(48) For the context shown in FIG. 3, only the packet queue Q1_n—accommodating payload/T-PDU's—is subject to second layer filtering in the second layer filtering means 102. The other queues Q1_1-Q1_4 are delivered to kernels KL_1-KL_3, which may be further delivered to applications AP_1-AP-n without being subject to further filtering.

(49) In FIG. 6, the second layer filtering rules 1020 are shown as expressed by message priorities and message types and the corresponding sorting into second packet queues, Q2_1-Q2_n.

(50) The 2'nd layer filtering is applied on one of the following types of traffic:

(51) Conversational, —Streaming, —Interactive, —Background and others. Conversational traffic may be the SIP, instance messages or VOIP. Streaming traffic may be audio and video. Interactive may be the telnet and www or social network. Background traffic may be FTP, P2P, POP3 or SMTP. Generally speaking, conversational has the highest priority and background has the lowest priority.

(52) The 2'nd layer filtering may be applied on one of 0—ICMP, SNMP, Session Initiation Protocol, SIP; 1—Instant messages, Voice over IP, VOIP; 0 and 1 constituting conversational traffic; 2—Audio and Video; constituting streaming traffic: 3—Web, browsing/Global Positioning System, GPS, navigation, social network; 4—Game, Telnet and SSH; 3 and 4 constituting interactive services; 5—Picture and File share, Post Office Protocol, POP3, and Simple Mail Transfer Protocol, SMTP; 6—Peer to peer, P2P, File Transfer Protocol, FTP and further payload; 5 and 6 constituting background and other traffic.

(53) In a further embodiment it is provided that ICMP, SNMP, Session Initiation Protocol, SIP; Instant messages; have a higher priority than Post Office Protocol, POP3, and Simple Mail Transfer Protocol, SMTP; Peer to peer, P2P, File Transfer Protocol, FTP and further payload.

(54) In a still further embodiment, the priorities are in the order mentioned above, such that ICMP, Session Initiation Protocol, SIP control messages; have the highest priority—message priority 0; and Peer to peer, P2P, File Transfer Protocol, FTP and further payload has the lowest priority—message priority 6.

(55) On the SGW or PGW node, according to embodiments of the invention, packet classification or DPI technology is used to identify the T-PDU type, it may be SIP message, web browsing, social network, voice over IP, game, mail or file share, peer-to-peer, p2p, traffic. In the second layer filtering, GTP-U is being given the “right priority” in real time and based on relevant configurations for the application.

(56) Among the advantages for the embodiments above, it is noted that high priority messages in the system will not be dropped under overload. This improves system robustness and stability. According to embodiments of the invention, it is provided that only a certain type of messages is subject to second layer filtering. In case the second layer filtering constitutes a computational extensive processing—which may be the case for deep packet inspection—the overall system performance may be rendered substantially unaffected by such second layer filtering.