Abstract:

Flowbased packets processing is a main function of many network security applications like firewalls and NIDS. And flow tables are the key data structure for flow processing, so their scale and access performance directly affect the flow processing capability and speed. In this article, we focus on the hardware implementation of largescale flow tables in highspeed networks. We present a hardware based hash flowtable lookup scheme accommodating for ten millions of flows, which has been implemented and tested on an FPGA platform. The proposed scheme is good at avoiding hash collisions while maintaining memory access efficiency. It can support up to 49 million flows lookup operations with limited storage resources. In the prototyped test, a lookup speed of 92Mdesc/s is achieved, which sustains the Ethernet processing capability of approximately 220 Gbps.

Key words: network security, flow processing, flowtable, Hash, FPGA