Filtering with packet payload scanning
Message filters are placed in the middle of a TCP / TLS session to scan application data and discard unwanted messages and packets that pose security issues, reducing unnecessary traffic without increasing CPU load or latency.
Unlike filtering by IP address or port, DPI (Deep Packet Inspection) and other methods that scan the data content to decide whether to discard or pass packets tend to cause CPU processing load and packet processing delays. However, Message Filter IP avoids CPU load and processing delays by using a hardware logic pipeline to process packets, maintain sessions, and encrypt and decrypt data.
In stateless communication such as UDP, unnecessary packets can simply be dropped, but in communication that maintains session state, such as TCP, and in encrypted communication such as SSL/TLS and DTLS, removing unnecessary packets is not simple.
TCP uses sequence numbers for data exchange and has a mechanism to retransmit packets lost in the network. Therefore, if you simply remove the packets and do not return an ACK, the sender will try to retransmit the packets forever, and the receiver will wait forever for the missing packets that leave gaps in the stream. In encrypted secure protocols, there are further packet counting and encryption key issues.
Message Filter IP performs this session identification while maintaining full session state in hardware. This technique reduces traffic without increasing latency and without impacting the network.
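The TCP stall described above, and one way a session-aware filter can avoid it, as an added example (not Message Filter IP's implementation, which this page does not describe). It assumes one message per segment, in-order delivery, no sequence wraparound and no TLS; all names and sample data are constructed.

```python
# Added illustration with constructed data; names are hypothetical, not the product's logic.
# Assumes one message per segment, in-order arrival, no sequence wraparound, no TLS.

def segmentize(messages, isn):
    """Assign TCP sequence numbers to messages; return (segments, next_seq)."""
    segs, seq = [], isn
    for m in messages:
        segs.append((seq, m))
        seq += len(m)
    return segs, seq

def receiver_ack(segments, isn):
    """Cumulative ACK: the next in-order byte the receiver still expects."""
    lengths = {seq: len(data) for seq, data in segments}
    expected = isn
    while expected in lengths:
        expected += lengths[expected]
    return expected

def naive_drop(segments, unwanted):
    """Stateless filter: discard unwanted segments, forward the rest unchanged."""
    return [(seq, d) for seq, d in segments if d not in unwanted]

class SessionFilter:
    """Session-aware filter: remembers what it removed and renumbers the flow."""
    def __init__(self, unwanted):
        self.unwanted, self.cuts, self.removed = unwanted, [], 0

    def forward(self, segments):
        out = []
        for seq, data in segments:
            if data in self.unwanted:
                self.cuts.append((seq, len(data)))      # remember the hole
                self.removed += len(data)
            else:
                out.append((seq - self.removed, data))  # close the gap
        return out

    def ack_to_sender(self, rcv_ack):
        """Map the receiver's ACK to sender numbering, covering removed bytes."""
        shift = 0
        for start, length in self.cuts:
            if rcv_ack >= start - shift:
                shift += length
        return rcv_ack + shift

ISN = 1000
SEGS, END = segmentize([b"ORDER-1", b"HEARTBEAT", b"ORDER-2"], ISN)
UNWANTED = {b"HEARTBEAT"}
```

With the stateless drop the receiver's ACK stays at the hole and never reaches the end of the stream, while the session-aware path lets both endpoints see a consistent sequence space. Under TLS, removing a record would additionally desynchronize the per-record sequence number that each side counts implicitly, which this sketch does not model.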
Specification
| Protocol | TCP |
|---|---|
| Performance in TCP | Throughput: Max 100Gbps |
| Performance in TLS 1.3 | Throughput: 50-100Gbps |