The process of categorizing packets into "flows" in an Internet router is called packet classification. All packets belonging to the same flow obey a pre-defined rule and are processed in a similar manner by the router. For example, all packets with the same source and destination IP addresses may be defined to form a flow. Packet classification is needed for non "best-effort" services, such as firewalls and quality of service; services that require the capability to distinguish and isolate traffic in different flows for suitable processing. In general, packet classification on multiple fields is a difficult problem. Hence, researchers have proposed a variety of algorithms which, broadly speaking, can be categorized as "basic search algorithms," geometric algorithms, heuristic algorithms, or hardware-specific search algorithms. In this tutorial we describe algorithms that are representative of each category, and discuss which type of algorithm might be suitable for different applications. 1

Packet classification is important for applications such as firewalls, intrusion detection, and differentiated services. Existing algorithms for packet classification reported in the literature scale poorly in either time or space as filter databases grow in size. Hardware solutions such as TCAMs do not scale to large classifiers. However, even for large classifiers (say 100,000 rules), any packet is likely to match a few (say 10) rules. Our paper seeks to exploit this observation to produce a scalable packet classification scheme called Aggregated Bit Vector (ABV). Our paper takes the bit vector search algorithm (BV) described in [11] (which takes linear time) and adds two new ideas, recursive aggregation of bit maps and filter rearrangement, to create ABV (which can take logarithmic time for many databases). We show that ABV outperforms BV by an order of magnitude using simulations on both industrial firewall databases and synthetically generated databases.

A classifier consists of a set of rules for classifying packets based on header fields. Because core routers can have fairly large (e.g., 2000 rule) database and must use limited SRAM to meet OC-768 speeds, the best existing classification algorithms (RFC, HiCuts, ABV) are precluded because of the large amount of memory they need. Thus the general belief is that hardware solutions like CAMs are needed, despite the amount of board area and power they consume. In this paper, we provide an alternative to CAMs via an Extended Grid-of-Tries with Path Compression (EGT-PC) algorithm whose worst-case speed scales well with database size while using a minimal amount of memory. Our evaluation is based on real databases used by Tier 1 ISPs, and synthetic databases. EGT-PC is based on a observation that we found holds for all the Tier 1 databases we studied: regardless of database size, any packet matches only a small number of distinct source-destination prefix pairs. The code we wrote for EGT-PC, RFC, HiCuts, and ABV is publicly available [16], providing the first publicly available code to encourage experimentation with classification algorithms.

cTd[e<fhgWigj k eZl.m&kIn;oGpWqVjVfiEqVrZif&f&etsuqViMmIe<nlviMrZwnkIetmIdWxyqVir<r<jzo|{~} A  "'MOQ;`1I^Se<jFmIdWjFg[kIj Ge<npWf&rt3jVf_m;lWnz>liMrZwnkIetmIdWx rZwnkIetmIdW %Ggj k"^p[mIfEe<f 310 m;lWnz>liM eZf&e<nlm&kIjVjf_m&kIpWq"mIp[kIj~l[r<eZj eb^p[mIfVFd[n$^jVj kz^e<l>d[eZq*djViq*dl[n;o[j 70 l[r<eZj 28900-47310 kIj g[kIjVf&jVl.mIfid.Ggj kIgWrZiMlWjjziMq"d7l[n;o[jheZl7mIdWj%[gj"k"^p[mIf oGjVqVet f&e<nl8m&kIjVj%kIjVg[kIjVf&j l;mIfTi%o[e<xjVl[f&eZnluiMrd;Ggj kIq pWjOf&e<lWwmIdWe<f j"Gm&k*iEo[j wkIjVjnYkIjVjzoGnxyiMluo7i:lWj f&j"m n^dWjVpGkIe<f_mIeZq f~mInEsWluo ng[mIe<x:ird.Ggj kIqVpWj f 6nki4we<jVl|iMxnpWl.mnMFf_mInk*iMwj%Ggj k& ^pGmIf qziMlgGkIn$GeZoGjiMlnMk*o[j k~nx:iwlWetmIpuoGjhe<xgGkInMjVxjVl.m%nMj k j"[e<f_mIe<lWw7qVrZiMf&f&e<sWqziMmIe<nlir<wnkIetmIdWxfVGgj k"^pGmIfp[f&jVf8mIn|V mIe<xjVfrZj f&fOxjVxnk&mIduilh~eb^pGmIfngGmIeZxe<VjVoYnkxjVxnMk&.V>dWe<r<j mId[jFTnkIf_mqziMf&jf&jzi$kIq"d3mIe<xjFnMGgj k"^p[mIfe<fFM:j"m&mIj k mIdWilmIdWiMmhn%~eb^pGmIfng[mIe<xe<Vjzo6nMkf&gj jzoS^nxguiMkIjVo>e<mId iMlWnMmIdWj kkIjVq jVl.mf&q"d[jVxj^^ c^a^%Ggj k"^p[mIfpWf&jVf ^ - mIe<xjVf^rZj f&fTxjVxnk&f&guiMqVj~>dWe<r<jmId[j^nkIf_mFqziMf&j f&jzi$kIq"d:mIe<xje<f p[gmIn4:mIe<xjVf~f&x:ir<r<j kz4nkIj3e<xgnk&m*iMl.mIr<.Sp[lWr<e<j c^a^ %Ggj k"^p[mIf qViljhYpWr<rtg[e<gjVr<eZl[jzomIn8gGkInM;eZo[jhnl[jqVrZiMf&f&e<sWqziM mIe<nlkIjVf&p[r<mEjVj k&vguiMq"j"m:iMk&kIe<irFmIe<xjFiMluoiMr<f&n|ir<r<nz>fE6if_m p[goWi$mIjVfV Categories and Subject Descriptors . V;M;"huMS6u^%npGmIj kIfBJ%(*L"`~0<I* ^(I`1 General Terms r<wnkIetmId[xf Keywords OiMq"j m~^rbiMf&f&etsuqzi$mIeZnletkIj Tir<r<fV~n.

Packet classification is an enabling function for a variety of Internet applications including Quality of Service, security, monitoring, and multimedia communications. In order to classify a packet as belonging to a particular flow or set of flows, network nodes must perform a search over a set of filters using multiple fields of the packet as the search key. In general, there have been two major threads of research addressing packet classification: algorithmic and architectural. A few pioneering groups of researchers posed the problem, provided complexity bounds, and offered a collection of algorithmic solutions. Subsequently, the design space has been vigorously explored by many offering new algorithms and improvements upon existing algorithms. Given the inability of early algorithms to meet performance constraints imposed by high speed links, researchers in industry and academia devised architectural solutions to the problem. This thread of research produced the most widely-used packet classification device technology, Ternary Content Addressable Memory (TCAM). New architectural research combines intelligent algorithms and novel architectures to eliminate many of the unfavorable characteristics of current TCAMs. We observe that the community appears to be converging on a combined algorithmic and architectural approach to the problem. Using a taxonomy based on the high-level approach to the problem and a minimal set of running examples, we provide a survey of the seminal and recent solutions to the problem. It is our hope to foster a deeper understanding of the various packet classification techniques while providing a useful framework for discerning relationships and distinctions.

We consider rule sets for internet packet routing and filtering, where each rule consists of a range of source addresses, a range of destination addresses, a priority, and an action. A given packet should be handled by the action from the maximum priority rule that matches its source and destination. We describe new data structures for quickly finding the rule matching an incoming packet, in near-linear space, and a new algorithm for determining whether a rule set contains any conflicts, in time O(n 3/2 ). 1 Introduction The working of the current Internet and its posited evolution depend on efficient packet filtering mechanisms: databases of rules, maintained at various parts of the network, which use patterns to filter out sets of IP packets and specify actions to be performed on those sets. Typical filter patterns are based on packet header information such as the source or destination IP addresses. The actions to be performed depend on where the packet filtering is performed i...

he primary role of routers is to forward packets toward their final destinations. To this purpose, a router must decide for each incoming packet where to send it next. More exactly, the forwarding decision consists of finding the address of the next-hop router as well as the egress port through which the packet should be sent. This forwarding information is stored in a forwarding table that the router computes based on the information gathered by routing protocols. To consult the forwarding table, the router uses the packet’s destination address as a key; this operation is called address lookup. Once the forwarding information is retrieved, the router can transfer the packet from the incoming link to the appropriate outgoing link, in a process called switching. The exponential growth of the Internet has stressed its routing system. While the data rates of links have kept pace with the increasing traffic, it has been difficult for the packet processing capacity of routers to keep up with these increased data rates. Specifically, the address lookup operation is a major bottleneck in the forwarding performance of today’s routers. This article presents a survey of the latest algorithms for efficient IP address lookup. We start by tracing the evolution of the IP addressing architecture. The addressing architecture is of fundamental importance to the routing architecture, and reviewing it will help us to understand the address lookup problem. The Classful Addressing Scheme In IPv4, IP addresses are 32 bits long and, when broken up into 4 groups of 8 bits, are normally represented as four decimal numbers separated by dots. For example, the address 10000010_01010110_00010000_01000010 corresponds in dotted-decimal notation to 130.86.16.66. One of the fundamental objectives of the Internet Protocol is to interconnect networks, so routing on a network basis was a natural choice (rather than routing on a host basis). Thus,

Abstract not found

Due to the importance and complexity of the packet classification problem, a myriad of algorithms and resulting implementations exist. The performance and capacity of many algorithms and classification devices, including TCAMs, depend upon properties of the filter set and query patterns. Unlike microprocessors in the field of computer architecture, there are no standard performance evaluation tools or techniques available to evaluate packet classification algorithms and products. Network service providers are reluctant to distribute copies of real filter sets for security and confidentiality reasons, hence realistic test vectors are a scarce commodity. The small subset of the research community who obtain real filter sets either limit performance evaluation to the small sample space or employ ad hoc methods of modifying those filter sets. In response to this problem, we present ClassBench, a suite of tools for benchmarking packet classification algorithms and devices. ClassBench includes a Filter Set Generator that produces synthetic filter sets that accurately model the characteristics of real filter sets. Along with varying the size of the filter sets, we provide high-level control over the composition of the filters in the resulting filter set. The tools suite also includes a Trace Generator that produces a sequence of packet headers to exercise the synthetic filter set. Along with specifying the relative size of the trace, we provide a simple mechanism for controlling locality of reference in the trace. While we have already found ClassBench to be very useful in our own research, we seek to initiate a broader discussion and solicit input from the community to guide the refinement of the tools and codification of a formal benchmarking methodology.

Abstract—Emerging Internet applications create the need for advanced packet classifiers. We propose a novel multifield classification scheme, called € P g, which exploits the strengths of state-of-the-art memory technologies to provide wire-speed classification performance for OC-192 and beyond, in combination with very high storage efficiency and the support of fast incremental updates. Key features of the new scheme are its ability to adapt to the complexity of a classification rule set, whereas the storage requirements and update dynamics can be tuned at the granularity of individual rules. This makes € P g suitable for a broad spectrum of applications. Index Terms—Associative memories, communication system routing, communication systems, Internet, routing, search methods, table lookup, tree data structures, tree searching.