Stateful Inspection Firewall Session Table

Abstract

Stateful Inspection is a key technology for network devices such as routers and firewalls. Existing session table architectures of Stateful Inspection devices store all session information in a single entry, which makes session table timeout processing costly in time. In this paper we present a new architecture which divides a session entry into two parts and designs a different data structure for each. The new architecture can greatly improve the performance of the session table. A new PATRICIA algorithm is proposed to organize the session table, which is proved to be an optimal 2-ary trie for fixed-length match. An ASIC is implemented for the architecture and corresponding algorithms. Both theoretical and experimental results show that the new architecture has bette
