Skip to Main Content
Legal filtering is common practice in many countries to avoid access to websites with criminal or violent content. This kind of filtering is typically implemented at the edge routers of ISP's core networks, so it is mandatory to support very high bit rates. This paper proposes a hardware-software solution based on FPGAs, which scales up to 100 Gbps Ethernet. A FPGA-based PCIe board equipped with two network interfaces is used to intercept ISP traffic. The FPGA performs an initial filtering of the packets whose destination is potentially forbidden, based on a hash of the destination IP address. Filtered packets are sent to the software application, which inspects them and decides if the URL is actually forbidden or not. This two-level filtering allows for the scalability of the proposed solution to very high bit rates, not only because it simplifies FPGA design, but also because it significantly reduces software load, since potentially forbidden destinations are few. Additionally, this solution adds a minimal latency to most of the packets, and also allows for updating filtering rules without interrupting ISP traffic. The paper presents a proof-of-concept 10GbE implementation of the proposed architecture, as well as an analysis of its scalability up to 100GbE.