Issue No.04 - April (2010 vol.21)
pp: 424-437
Alex X. Liu , Michigan State University, East Lansing
Mohamed G. Gouda , University of Texas at Austin, Austin
Packet classification is the core mechanism that enables many networking services on the Internet, such as firewall packet filtering and traffic accounting. Using Ternary Content Addressable Memories (TCAMs) to perform high-speed packet classification has become the de facto standard in the industry. TCAMs classify packets in constant time by comparing a packet with all classification rules, stored in ternary encoding, in parallel. Despite their high speed, TCAMs suffer from the well-known interval expansion problem: because packet classification rules usually have fields specified as intervals, converting such rules to TCAM-compatible rules may result in an explosive increase in the number of rules. This would not be a problem if TCAMs had large capacities. Unfortunately, TCAMs have very limited capacity, and more rules mean more power consumption and more heat generation. Even worse, the number of rules in packet classifiers has been increasing rapidly with the growing number of services deployed on the Internet. In this paper, we propose to address the interval expansion problem of TCAMs by removing redundant rules from classifiers. This equivalence-preserving transformation can significantly reduce the number of TCAM entries needed by a classifier. Our experiments on real-life classifiers show an average reduction of 58.2 percent in the number of TCAM entries after removing redundant rules. Given the logical interleaving of packet filtering rules, identifying redundant rules in classifiers is by no means trivial, and guaranteeing that the resulting classifiers contain no redundant rules is even more challenging. In this paper, for the first time, we give a necessary and sufficient condition for identifying all redundant rules in a classifier. Based on this condition, we categorize redundant rules into upward redundant rules and downward redundant rules. Second, we present two algorithms for detecting and removing the two types of redundant rules, respectively. Third, we formally prove that the resulting classifiers have no redundant rules after running the two algorithms. Last, we conduct extensive experiments on both real-life and synthetic classifiers. The experimental results show that our redundancy removal algorithms are both effective and efficient.
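The two effects the abstract describes, interval expansion and redundant-rule removal, can be seen concretely on a tiny classifier. The following is an added example, not code from the paper: the paper's own detection algorithms are not given on this page, so the redundancy check here is a brute-force test of the definition over a 4-bit-per-field domain (256 packets), which is only feasible for toy inputs. The split into "upward" (no packet first-matches the rule) and "downward" (packets first-match it, but the rules after it decide every one of them the same way) is the distinction assumed for this example; the sample rules and the field width are constructed.

```python
"""Added example (not the paper's code): interval-to-prefix expansion for TCAM
entries, plus a brute-force, definition-level redundancy check on a small
first-match packet classifier."""
from itertools import product

WIDTH = 4  # bits per field (constructed); domain 0..15 keeps exhaustive checks cheap


def interval_to_prefixes(lo, hi, width=WIDTH):
    """Split [lo, hi] into the minimal set of aligned power-of-two blocks.
    Each block is one ternary TCAM entry: fixed high bits, '*' for low bits."""
    prefixes = []
    while lo <= hi:
        k = 0  # block size is 2**k
        while (k < width and lo % (1 << (k + 1)) == 0
               and lo + (1 << (k + 1)) - 1 <= hi):
            k += 1
        fixed = width - k
        prefix = format(lo >> k, f"0{fixed}b") if fixed else ""
        prefixes.append(prefix + "*" * k)
        lo += 1 << k
    return prefixes


def tcam_entries(rules):
    """TCAM entries a classifier needs: each rule expands into the cross
    product of its per-field prefix sets (the interval expansion problem)."""
    return sum(len(interval_to_prefixes(*src)) * len(interval_to_prefixes(*dst))
               for src, dst, _ in rules)


def matches(rule, packet):
    (s_lo, s_hi), (d_lo, d_hi), _ = rule
    src, dst = packet
    return s_lo <= src <= s_hi and d_lo <= dst <= d_hi


def first_match_index(rules, packet):
    """First-match semantics, as in ACLs and TCAM lookups: lowest index wins."""
    for i, rule in enumerate(rules):
        if matches(rule, packet):
            return i
    return None


def classify(rules, packet):
    i = first_match_index(rules, packet)
    return None if i is None else rules[i][2]


def all_packets():
    return product(range(1 << WIDTH), repeat=2)


def redundancy_kind(rules, i):
    """'upward'  : no packet has rule i as its first match.
    'downward': some packets first-match rule i, but with it removed the later
                rules give each of them the same decision.
    None      : rule i is not redundant.
    (Definitions assumed for this example.)"""
    without = rules[:i] + rules[i + 1:]
    first_matched = [p for p in all_packets() if first_match_index(rules, p) == i]
    if not first_matched:
        return "upward"
    if all(classify(without, p) == rules[i][2] for p in first_matched):
        return "downward"
    return None


def remove_redundant(rules):
    """Greedy removal, re-checking each rule against the classifier as it
    stands after earlier removals: removing one rule can change another's status."""
    rules, removed, i = list(rules), [], 0
    while i < len(rules):
        kind = redundancy_kind(rules, i)
        if kind:
            removed.append((rules[i], kind))
            del rules[i]
        else:
            i += 1
    return rules, removed


def equivalent(a, b):
    """Two classifiers are equivalent if they decide every packet identically."""
    return all(classify(a, p) == classify(b, p) for p in all_packets())


# Constructed sample classifier: ((src_lo, src_hi), (dst_lo, dst_hi), decision)
SAMPLE = [
    ((1, 14), (0, 15), "accept"),  # r1: src [1,14] alone costs 6 TCAM entries
    ((2, 13), (0, 15), "accept"),  # r2: every packet it matches is taken by r1
    ((0, 15), (8, 15), "accept"),  # r3: admits src 0 and 15 when dst >= 8
    ((0, 0), (0, 15), "deny"),     # r4: only src 0, dst <= 7 reach it; r5 denies them anyway
    ((0, 15), (0, 15), "deny"),    # r5: catch-all
]

if __name__ == "__main__":
    compact, removed = remove_redundant(SAMPLE)
    for rule, kind in removed:
        print(f"removed {rule} ({kind} redundant)")
    print("entries before:", tcam_entries(SAMPLE), "after:", tcam_entries(compact))
    print("equivalent:", equivalent(SAMPLE, compact))
```

On this input r2 is upward redundant and r4 is downward redundant; the other three rules stay, the TCAM footprint drops from 13 entries to 8, and the exhaustive `equivalent` check confirms the transformation changed no decision. The definition-level check is what any production implementation must preserve; the paper's contribution is doing it without enumerating packets.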
Keywords: Packet classification, Ternary Content Addressable Memory (TCAM), redundant rules.
Alex X. Liu, Mohamed G. Gouda, "Complete Redundancy Removal for Packet Classifiers in TCAMs", IEEE Transactions on Parallel & Distributed Systems, vol.21, no. 4, pp. 424-437, April 2010, doi:10.1109/TPDS.2008.216