Packet Classification for Core Routers: Is there an alternative to CAMs
, 2003
Cited by 73 (2 self)
A classifier consists of a set of rules for classifying packets based on header fields. Because core routers can have fairly large (e.g., 2000-rule) databases and must use limited SRAM to meet OC-768 speeds, the best existing classification algorithms (RFC, HiCuts, ABV) are precluded because of the large amount of memory they need. Thus the general belief is that hardware solutions like CAMs are needed, despite the amount of board area and power they consume. In this paper, we provide an alternative to CAMs via an Extended Grid-of-Tries with Path Compression (EGT-PC) algorithm whose worst-case speed scales well with database size while using a minimal amount of memory. Our evaluation is based on real databases used by Tier 1 ISPs, and synthetic databases. EGT-PC is based on an observation that we found holds for all the Tier 1 databases we studied: regardless of database size, any packet matches only a small number of distinct source-destination prefix pairs. The code we wrote for EGT-PC, RFC, HiCuts, and ABV is publicly available [16], providing the first publicly available code to encourage experimentation with classification algorithms.
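The observation the abstract rests on (a packet matches only a few distinct source/destination prefix pairs, so the remaining fields only need to be checked for the rules stored under those pairs) can be shown with a plain two-level trie. The block below is an added example, not the paper's EGT-PC code: it has no path compression and no jump or switch pointers, so it walks every matching source prefix and, under each, every matching destination prefix, then linearly scans only the rules filed under those pairs. The rule set is constructed for the example.

```python
"""Two-level (source, destination) prefix-trie classifier.

Added illustration of the prefix-pair observation behind EGT-PC, not the
paper's algorithm: it finds every matching (src prefix, dst prefix) pair by
walking two nested tries, then linearly scans only the rules stored under
those pairs for the remaining header fields.  No path compression, no jump
pointers.  Rule set and packets are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    prio: int                # lower value wins when several rules match
    src: str                 # CIDR prefix
    dst: str                 # CIDR prefix
    proto: int | None        # None = wildcard
    sport: tuple[int, int]   # inclusive port range
    dport: tuple[int, int]
    action: str


class TrieNode:
    __slots__ = ("child", "payload")

    def __init__(self):
        self.child = [None, None]
        self.payload = None  # outer trie: a destination trie; inner trie: a rule list


def _bits(prefix: str):
    net = ipaddress.ip_network(prefix, strict=False)
    addr = int(net.network_address)
    return [(addr >> (31 - i)) & 1 for i in range(net.prefixlen)]


def _insert(root, bits, make_payload):
    node = root
    for b in bits:
        if node.child[b] is None:
            node.child[b] = TrieNode()
        node = node.child[b]
    if node.payload is None:
        node.payload = make_payload()
    return node.payload


def _walk(root, addr: int):
    """Yield the payload of every stored prefix that matches addr, shortest first."""
    node = root
    if node.payload is not None:
        yield node.payload
    for i in range(32):
        node = node.child[(addr >> (31 - i)) & 1]
        if node is None:
            return
        if node.payload is not None:
            yield node.payload


class PairTrieClassifier:
    def __init__(self, rules):
        self.root = TrieNode()
        for r in rules:
            dst_trie = _insert(self.root, _bits(r.src), TrieNode)
            bucket = _insert(dst_trie, _bits(r.dst), list)
            bucket.append(r)

    def matching_pairs(self, src_ip, dst_ip):
        """Rule buckets of every (src prefix, dst prefix) pair the packet matches."""
        s, d = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
        return [b for dst_trie in _walk(self.root, s) for b in _walk(dst_trie, d)]

    def classify(self, src_ip, dst_ip, proto, sport, dport):
        best = None
        for bucket in self.matching_pairs(src_ip, dst_ip):
            for r in bucket:  # linear scan limited to the few matching pairs
                if (r.proto in (None, proto)
                        and r.sport[0] <= sport <= r.sport[1]
                        and r.dport[0] <= dport <= r.dport[1]
                        and (best is None or r.prio < best.prio)):
                    best = r
        return best


# Constructed rule set (not from the paper's Tier 1 databases).
RULES = [
    Rule(0, "10.0.0.0/8", "192.168.1.0/24", 6, (0, 65535), (22, 22), "deny"),
    Rule(1, "10.0.0.0/8", "192.168.0.0/16", None, (0, 65535), (0, 65535), "permit"),
    Rule(2, "0.0.0.0/0", "192.168.1.10/32", 6, (0, 65535), (443, 443), "permit"),
    Rule(3, "0.0.0.0/0", "0.0.0.0/0", None, (0, 65535), (0, 65535), "deny"),
]

if __name__ == "__main__":
    clf = PairTrieClassifier(RULES)
    print(len(clf.matching_pairs("10.1.2.3", "192.168.1.10")), "matching prefix pairs")
    print(clf.classify("10.1.2.3", "192.168.1.10", 6, 40000, 22).action)
```

With four rules the packet 10.1.2.3 to 192.168.1.10 falls into four prefix pairs, and only the rules under those pairs are compared on protocol and ports; the paper's contribution is bounding that pair count and compressing the tries, which this illustration leaves out.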
Packet Classification Using Multidimensional Cutting
- In Proceedings of ACM SIGCOMM
, 2003
Cited by 68 (6 self)
Survey & Taxonomy of Packet Classification Techniques
- ACM COMPUTING SURVEYS
, 2004
Cited by 64 (0 self)
Packet classification is an enabling function for a variety of Internet applications including Quality of Service, security, monitoring, and multimedia communications. In order to classify a packet as belonging to a particular flow or set of flows, network nodes must perform a search over a set of filters using multiple fields of the packet as the search key. In general, there have been two major threads of research addressing packet classification: algorithmic and architectural. A few pioneering groups of researchers posed the problem, provided complexity bounds, and offered a collection of algorithmic solutions. Subsequently, the design space has been vigorously explored by many offering new algorithms and improvements upon existing algorithms. Given the inability of early algorithms to meet performance constraints imposed by high speed links, researchers in industry and academia devised architectural solutions to the problem. This thread of research produced the most widely-used packet classification device technology, Ternary Content Addressable Memory (TCAM). New architectural research combines intelligent algorithms and novel architectures to eliminate many of the unfavorable characteristics of current TCAMs. We observe that the community appears to be converging on a combined algorithmic and architectural approach to the problem. Using a taxonomy based on the high-level approach to the problem and a minimal set of running examples, we provide a survey of the seminal and recent solutions to the problem. It is our hope to foster a deeper understanding of the various packet classification techniques while providing a useful framework for discerning relationships and distinctions.
Discovery of policy anomalies in distributed firewalls
- IN IEEE INFOCOM’04
, 2004
Cited by 63 (11 self)
Firewalls are core elements in network security. However, managing firewall rules, particularly in multi-firewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires a thorough intra- and inter-firewall analysis to determine the proper rule placement and ordering in firewalls. In this paper, we identify all anomalies that could exist in a single- or multi-firewall environment. We also present a set of techniques and algorithms to automatically discover and rectify policy anomalies in centralized and distributed legacy firewalls. These techniques are implemented in a tool called the “Firewall Policy Advisor” that simplifies the management of filtering rules and maintains the integrity and security of next-generation firewalls.
ClassBench: A Packet Classification Benchmark
- IN IEEE INFOCOM
, 2004
Cited by 43 (4 self)
Due to the importance and complexity of the packet classification problem, a myriad of algorithms and resulting implementations exist. The performance and capacity of many algorithms and classification devices, including TCAMs, depend upon properties of the filter set and query patterns. Unlike microprocessors in the field of computer architecture, there are no standard performance evaluation tools or techniques available to evaluate packet classification algorithms and products. Network service providers are reluctant to distribute copies of real filter sets for security and confidentiality reasons, hence realistic test vectors are a scarce commodity. The small subset of the research community who obtain real filter sets either limit performance evaluation to the small sample space or employ ad hoc methods of modifying those filter sets. In response to this problem, we present ClassBench, a suite of tools for benchmarking packet classification algorithms and devices. ClassBench includes a Filter Set Generator that produces synthetic filter sets that accurately model the characteristics of real filter sets. Along with varying the size of the filter sets, we provide high-level control over the composition of the filters in the resulting filter set. The tools suite also includes a Trace Generator that produces a sequence of packet headers to exercise the synthetic filter set. Along with specifying the relative size of the trace, we provide a simple mechanism for controlling locality of reference in the trace. While we have already found ClassBench to be very useful in our own research, we seek to initiate a broader discussion and solicit input from the community to guide the refinement of the tools and codification of a formal benchmarking methodology.
Fast and scalable packet classification
- IEEE Journal on Selected Areas in Communications
, 2003
Cited by 37 (1 self)
Emerging Internet applications create the need for advanced packet classifiers. We propose a novel multifield classification scheme, called P²C, which exploits the strengths of state-of-the-art memory technologies to provide wire-speed classification performance for OC-192 and beyond, in combination with very high storage efficiency and the support of fast incremental updates. Key features of the new scheme are its ability to adapt to the complexity of a classification rule set, whereas the storage requirements and update dynamics can be tuned at the granularity of individual rules. This makes P²C suitable for a broad spectrum of applications. Index Terms—Associative memories, communication system routing, communication systems, Internet, routing, search methods, table lookup, tree data structures, tree searching.
Algorithms for advanced packet classification with ternary CAMs
- In ACM SIGCOMM
, 2005
Cited by 37 (0 self)
Ternary content-addressable memories (TCAMs) have gained wide acceptance in the industry for storing and searching Access Control Lists (ACLs). In this paper, we propose algorithms for addressing two important problems that are encountered while using TCAMs: reducing range expansion and multi-match classification. Our first algorithm addresses the problem of expansion of rules with range fields—to represent range rules in TCAMs, a single range rule is mapped to multiple TCAM entries, which reduces the utilization of TCAMs. We propose a new scheme called Database Independent Range PreEncoding (DIRPE) that, in comparison to earlier approaches, reduces the worst-case number of TCAM entries a single rule maps on to. DIRPE works without prior knowledge of the database, scales when a large number of ranges is present, and has good incremental update properties. Our second algorithm addresses the problem of finding multiple matches in a TCAM. When searched, TCAMs return the first matching entry; however, new applications require either the first few or all matching entries. We describe a novel algorithm, called Multi-match Using Discriminators (MUD), that finds multiple matches without storing any per-search state information in the TCAM, thus making it suitable for multi-threaded environments. MUD does not increase the number of TCAM entries needed, and hence scales to large databases. Our algorithms do not require any modifications to existing TCAMs and are hence relatively easy to deploy. We evaluate the algorithms using real-life and random databases.
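The range-expansion problem the abstract describes is easy to see with the conventional encoding that DIRPE improves on: a port range is covered by a set of prefixes, each of which becomes one ternary entry. The block below is an added example, not the paper's DIRPE or MUD code: it computes that prefix cover, counts the entries, and models a TCAM that returns only the first matching entry (the behaviour MUD works around). The rule set and port numbers are constructed for the example.

```python
"""Range-to-prefix expansion and a first-match TCAM model.

Added example, not code from the paper.  range_to_prefixes() is the
conventional minimal prefix cover of an integer range (the baseline that
DIRPE improves on); TernaryTable models a TCAM whose lookup returns the
first matching entry in priority order.  Rules below are constructed.
"""
from __future__ import annotations


def ternary(value: int, plen: int, width: int = 16) -> str:
    """Ternary pattern: plen fixed high-order bits, the rest wildcards."""
    return format(value, f"0{width}b")[:plen] + "*" * (width - plen)


def range_to_prefixes(lo: int, hi: int, width: int = 16) -> list[str]:
    """Minimal set of prefixes covering [lo, hi]; one TCAM entry per prefix."""
    out = []
    while lo <= hi:
        # Largest power-of-two block that starts at lo (aligned) and fits in [lo, hi].
        size = 1
        while size * 2 <= hi - lo + 1 and lo % (size * 2) == 0:
            size *= 2
        plen = width - size.bit_length() + 1   # width - log2(size)
        out.append(ternary(lo, plen, width))
        lo += size
    return out


def matches(pattern: str, value: int, width: int = 16) -> bool:
    bits = format(value, f"0{width}b")
    return all(p in ("*", b) for p, b in zip(pattern, bits))


class TernaryTable:
    """Priority-ordered ternary entries; first_match() is what a TCAM returns."""

    def __init__(self):
        self.entries: list[tuple[str, str]] = []   # (pattern, rule id)

    def add_range_rule(self, rule_id: str, lo: int, hi: int) -> None:
        for pat in range_to_prefixes(lo, hi):
            self.entries.append((pat, rule_id))

    def entry_count(self) -> int:
        return len(self.entries)

    def first_match(self, value: int):
        for pat, rid in self.entries:
            if matches(pat, value):
                return rid
        return None

    def all_matches(self, value: int) -> list[str]:
        """Every matching rule in priority order; a real TCAM does not give this directly."""
        return list(dict.fromkeys(rid for pat, rid in self.entries if matches(pat, value)))


def build_table() -> TernaryTable:
    """Constructed three-rule destination-port ACL (not from the paper's databases)."""
    t = TernaryTable()
    t.add_range_rule("R1", 1024, 65535)   # ephemeral ports: 6 entries
    t.add_range_rule("R2", 80, 80)        # exact port: 1 entry
    t.add_range_rule("R3", 0, 65535)      # catch-all: 1 entry
    return t


if __name__ == "__main__":
    print(len(range_to_prefixes(1, 65534)), "entries for the 16-bit range 1-65534")
    t = build_table()
    print(t.entry_count(), "entries for 3 rules; port 8080 ->", t.first_match(8080))
```

The range 1-65534 is the worst case for this encoding on a 16-bit field and costs 30 entries for a single rule, which is the expansion the paper's DIRPE reduces; all_matches() is the reference result that MUD obtains from a hardware TCAM through repeated first-match searches without storing per-search state in the device.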
Conflict classification and analysis of distributed firewall policies
- In IEEE Journal on Selected Areas in Communications
, 2005
Cited by 34 (4 self)
Firewalls are core elements in network security. However, managing firewall rules, particularly, in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single- or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the “Firewall Policy Advisor” that simplifies the management of filtering rules and maintains the security of next-generation firewalls. Index Terms—Firewall, packet filter, policy analysis, policy conflict, policy management, security management.
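Both Al-Shaer and Hamed abstracts above (the INFOCOM'04 paper and this journal version) describe discovering policy anomalies from the order and overlap of filtering rules. The block below is an added example, not the Firewall Policy Advisor's code: it covers only the single-firewall (intra-firewall) case and applies the pairwise rule relations from the papers' taxonomy (shadowing, generalization, correlation, redundancy) to a constructed rule list. The redundancy test for an earlier rule is my simplification: the earlier rule is reported redundant only when no rule between the pair overlaps it with a different action. Addresses are from the RFC 5737 documentation ranges.

```python
"""Pairwise firewall-rule anomaly detection for a single filter list.

Added example, not the Firewall Policy Advisor's code.  Each rule field is
reduced to a closed integer interval so subset/overlap between rules is a
field-wise interval test; anomaly names follow Al-Shaer and Hamed's
taxonomy.  The redundancy check for the earlier rule of a pair is a
simplification (see comment).  Rule lists are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

ANY_PORT = (0, 65535)
PROTO = {"tcp": (6, 6), "udp": (17, 17), "any": (0, 255)}


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src: str
    sport: tuple[int, int]
    dst: str
    dport: tuple[int, int]
    action: str  # "accept" or "deny"

    def intervals(self):
        """All five fields as closed integer intervals."""
        def net(cidr):
            n = ipaddress.ip_network(cidr, strict=False)
            return int(n.network_address), int(n.broadcast_address)
        return (PROTO[self.proto], net(self.src), self.sport, net(self.dst), self.dport)


def _subset(a, b):   # a matches a subset of b's traffic (field-wise)
    return all(x[0] >= y[0] and x[1] <= y[1] for x, y in zip(a, b))


def _overlap(a, b):  # some packet matches both
    return all(x[0] <= y[1] and y[0] <= x[1] for x, y in zip(a, b))


def find_anomalies(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (anomaly, earlier_rule, later_rule) triples in rule order."""
    out = []
    iv = [r.intervals() for r in rules]
    for j, rj in enumerate(rules):
        for i in range(j):
            ri = rules[i]
            if not _overlap(iv[i], iv[j]):
                continue                        # disjoint rules: no relation
            same = ri.action == rj.action
            if _subset(iv[j], iv[i]):           # later rule can never fire
                out.append(("redundancy" if same else "shadowing", ri.name, rj.name))
            elif _subset(iv[i], iv[j]):         # later rule is a superset
                if not same:
                    out.append(("generalization", ri.name, rj.name))
                # Simplification: earlier rule is redundant only if no rule between
                # the pair overlaps it with a different action.
                elif not any(_overlap(iv[i], iv[k]) and rules[k].action != ri.action
                             for k in range(i + 1, j)):
                    out.append(("redundancy", ri.name, rj.name))
            elif not same:                      # partial overlap, conflicting actions
                out.append(("correlation", ri.name, rj.name))
    return out


# Constructed policy; each anomaly type appears once.
POLICY = [
    Rule("R1", "tcp", "192.0.2.0/24", ANY_PORT, "0.0.0.0/0", (80, 80), "deny"),
    Rule("R2", "tcp", "192.0.2.1/32", ANY_PORT, "0.0.0.0/0", (80, 80), "accept"),    # shadowed by R1
    Rule("R3", "tcp", "0.0.0.0/0", ANY_PORT, "198.51.100.40/32", (80, 80), "accept"),  # correlated with R1
    Rule("R4", "tcp", "192.0.2.0/24", ANY_PORT, "0.0.0.0/0", (21, 21), "deny"),
    Rule("R5", "tcp", "0.0.0.0/0", ANY_PORT, "0.0.0.0/0", (21, 21), "accept"),       # generalization of R4
    Rule("R6", "udp", "192.0.2.0/24", ANY_PORT, "0.0.0.0/0", (53, 53), "accept"),
    Rule("R7", "udp", "192.0.2.0/24", ANY_PORT, "0.0.0.0/0", (53, 53), "accept"),    # redundant with R6
]

if __name__ == "__main__":
    for anomaly, earlier, later in find_anomalies(POLICY):
        print(f"{anomaly:15s} {earlier} -> {later}")
```

Shadowing and redundancy are safe to fix mechanically (remove or reorder the later rule); generalization and correlation are warnings, since the administrator may have intended the exception, which is why the tool reports them rather than rewriting the policy.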
Scalable Packet Classification Using Distributed Crossproducting of Field Labels
, 2004
Cited by 28 (5 self)
A wide variety of packet classification algorithms and devices exist in the research literature and commercial market. The existing solutions exploit various design tradeoffs to provide high search rates, power and space efficiency, fast incremental updates, and the ability to scale to large numbers of filters. There remains a need for techniques that achieve a favorable balance among these tradeoffs and scale to support classification on additional fields beyond the standard 5-tuple. We introduce Distributed Crossproducting of Field Labels (DCFL), a novel combination of new and existing packet classification techniques that leverages key observations of the structure of real filter sets and takes advantage of the capabilities of modern hardware technology. Using a collection of real and synthetic filter sets, we provide analyses of DCFL performance and resource requirements on filter sets of various sizes and compositions. An optimized implementation of DCFL can provide over 100 million searches per second and storage for over 200 thousand filters with current generation hardware technology.
A tree based router search engine architecture with single port memories
- In ISCA ’05: Proceedings of the 32nd Annual International Symposium on Computer Architecture
, 2005
Cited by 26 (0 self)
Pipelined forwarding engines are used in core routers to meet speed demands. Tree-based searches are pipelined across a number of stages to achieve high throughput, but this results in unevenly distributed memory. To address this imbalance, conventional approaches use either complex dynamic memory allocation schemes or over-provision each of the pipeline stages. This paper describes the microarchitecture of a novel network search processor which provides both high execution throughput and balanced memory distribution by dividing the tree into subtrees and allocating each subtree separately, allowing searches to begin at any pipeline stage. The architecture is validated by implementing and simulating state of the art solutions for IPv4 lookup, VPN forwarding and packet classification. The new pipeline scheme and memory allocator can provide searches with a memory allocation efficiency that is within 1% of non-pipelined schemes.