This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Wire-Speed TCAM-Based Architectures for Multimatch Packet Classification
January 2009 (vol. 58 no. 1)
pp. 5-17
Miad Faezipour, University of Texas at Dallas, Richardson
Mehrdad Nourani, University of Texas at Dallas, Richardson,
Most conventional packet classifiers find only the highest priority filter that matches the arriving packet. However, new networking applications such as network intrusion detection systems and load balancers require all (or the first few) matching packets during classification. In this paper, two TCAM-based architectures for multi-match search are introduced. The first one is a renovated TCAM design that can find all or the first r matches in a packet filter set. The second architecture is a novel partitioning scheme based on filter intersection properties allowing us to use off-the-shelf TCAMs for multi-match packet classification. Our classifier engine finds all matches in exactly one conventional TCAM cycle while reducing the power consumption by at least two orders of magnitude, which is far better than the existing hardware based designs.

[1] K. Zheng, H. Che, Z. Wang, and B. Liu, “TCAM-Based Distributed Parallel Packet Classification Algorithm with Range-Matching Solution,” Proc. IEEE INFOCOM, 2005.
[2] K. Lakshminarayanan, A. Rangarajan, and S. Venkatachary, “Algorithms for Advanced Packet Classification with Ternary CAMs,” Proc. ACM SIGCOMM '05, Aug. 2005.
[3] SNORT Network Intrusion Detection System, www.snort.org, 2008.
[4] F. Yu, R.H. Katz, and T.V. Lakshman, “Efficient Multimatch Packet Classification and Lookup with TCAM,” Proc. 12th Ann. IEEE Symp. High Performance Interconnects (HOTI '04), pp. 28-34, Aug. 2004.
[5] D.E. Taylor and E.W. Spitznagel, “On Using Content Addressable Memory for Packet Classification,” Technical Report WUCSE-2005-9, Mar. 2005.
[6] E. Spitznagel, D. Taylor, and J. Turner, “Packet Classification Using Extended TCAMs,” Proc. 11th IEEE Int'l Conf. Network Protocols (ICNP '03), pp. 120-131, Nov. 2003.
[7] F. Yu, R.H. Katz, and T.V. Lakshman, “Gigabit Rate Packet Pattern-Matching Using TCAM,” Proc. 12th IEEE Int'l Conf. Network Protocols (ICNP '04), pp. 174-183, 2004.
[8] H. Song and J.W. Lockwood, “Efficient Packet Classification for Network Intrusion Detection Using FPGA,” Proc. ACM/SIGDA 13th Int'l Symp. Field-Programmable Gate Arrays (FPGA '05), Feb. 2005.
[9] N.F. Huang, W.E. Chen, J.Y. Luo, and J.M. Chen, “Design of Multi-Field IPv6 Packet Classifiers Using Ternary CAMs,” Proc. IEEE Conf. Global Telecomm. (GLOBECOM '01), vol. 3, pp.1877-1881, Nov. 2001.
[10] N.F. Huang, K.B. Chen, and W.E. Chen, “Fast and Scalable Multi-TCAM Classification Engine for Wide Policy Table Lookup,” Proc. 19th IEEE Int'l Conf. Advanced Information Networking and Applications (AINA '05), vol. 1, pp. 792-797, Mar. 2005.
[11] F. Yu, T.V. Lakshman, M.A. Motoyama, and R.H. Katz, “SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification,” Proc. ACM Symp. Architecture for Networking and Comm. Systems (ANCS '05), pp. 105-113, Oct. 2005.
[12] F. Yu, T.V. Lakshman, M.A. Motoyama, and R.H. Katz, “Efficient Multimatch Packet Classification for Network Security Applications,” IEEE J. Selected Areas in Comm., vol. 24, no. 10, pp. 1805-1816, Oct. 2006.
[13] C. Kun, S. Quan, and A. Mason, “A Power Optimized 64-Bit Priority Encoder Utilizing Parallel Priority Look-Ahead,” Proc. IEEE Int'l Symp. Circuits and Systems (ISCAS '04), vol. 2, pp.753-756, May 2004.
[14] M. Faezipour and M. Nourani, “A Customized TCAM Architecture for Multi-Match Packet Classification,” Proc. IEEE Global Telecomm. Conf. (GLOBECOM '06), pp. 1-5, Nov. 2006.
[15] C.H. Huang, J.S. Wang, and Y.C. Huang, “Design of High-Performance CMOS Priority Encoders and Incrementer/Decrementers Using Multilevel Lookahead and Multilevel Folding Techniques,” IEEE J. Solid-State Circuits, vol. 37, no. 1, pp. 63-76, Jan. 2002.
[16] J.S. Wang and C.H. Huang, “High-Speed and Low-Power CMOS Priority Encoders,” IEEE J. Solid-State Circuits, vol. 35, no. 10, pp.1511-1514, Oct. 2000.
[17] M. Faezipour, “High Speed Multi-Match Packet Classification Using TCAM,” master's thesis, UTDEE-11-2006, Nov. 2006.
[18] M. Nourani and M. Faezipour, “A Single-Cycle Multi-Match Packet Classification Engine Using TCAMs,” Proc. 14th IEEE Symp. High-Performance Interconnects (HOTI '06), pp. 73-78, Aug. 2006.
[19] User Manuals for SYNOPSYS Toolset Version 2005.06, Sy nopsys, 2005.
[20] User Manuals for NIOS II IDE Version 6.0 Toolset, ALTERA, 2006.
[21] User Manuals for Quartus II Version 6.0 Toolset, ALTERA, 2006.
[22] User Manuals for Matlab 7.0 Toolset, MathWorks, 2005.
[23] IDT: Integrated Device Technology, www.idt.com, 2008.
[24] Y.-K. Chang, “Power-Efficient TCAM Partitioning for IP Lookups with Incremental Updates,” Proc. Int'l Conf. Information Networking (ICOIN '05), pp. 531-540, Jan./Feb. 2005.
[25] M.J. Akhbarizadeh, M. Nourani, and C.D. Cantrell, “Segregating the Encompassing Prefixes to Enhance the Performance of Packet Forwarding Engines,” Proc. IEEE Global Telecomm. Conf. (GLOBECOM '04), pp. 1612-1616, Nov./Dec. 2004.

Index Terms:
Network-level security and protection, Network monitoring, Classifier design and evaluation, System architectures, integration and modeling
Citation:
Miad Faezipour, Mehrdad Nourani, "Wire-Speed TCAM-Based Architectures for Multimatch Packet Classification," IEEE Transactions on Computers, vol. 58, no. 1, pp. 5-17, Jan. 2009, doi:10.1109/TC.2008.159
Usage of this product signifies your acceptance of the Terms of Use.