Compressing Network Access Control Lists

C. R. Meiners; A. X. Liu; E. Torng

doi:10.1109/TPDS.2011.114

Publication
2011
Issue No. 12 - December
Abstract - Compressing Network Access Control Lists

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by C. R. Meiners Articles by A. X. Liu Articles by E. Torng

Compressing Network Access Control Lists

December 2011 (vol. 22 no. 12)

pp. 1969-1977

	ASCII Text	x
	C. R. Meiners, A. X. Liu, E. Torng, "Compressing Network Access Control Lists," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 12, pp. 1969-1977, December, 2011.

	BibTex	x
	@article{ 10.1109/TPDS.2011.114, author = {C. R. Meiners and A. X. Liu and E. Torng}, title = {Compressing Network Access Control Lists}, journal ={IEEE Transactions on Parallel and Distributed Systems}, volume = {22}, number = {12}, issn = {1045-9219}, year = {2011}, pages = {1969-1977}, doi = {http://doi.ieeecomputersociety.org/10.1109/TPDS.2011.114}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - JOUR JO - IEEE Transactions on Parallel and Distributed Systems TI - Compressing Network Access Control Lists IS - 12 SN - 1045-9219 SP1969 EP1977 EPD - 1969-1977 A1 - C. R. Meiners, A1 - A. X. Liu, A1 - E. Torng, PY - 2011 KW - telecommunication security KW - authorisation KW - dynamic programming KW - Internet KW - packet classification KW - network access control lists KW - ACL compressor KW - network policy KW - Internet KW - malicious attacks KW - management complexity KW - dynamic programming KW - 1D range-based access control lists KW - multidimensional access control lists KW - Access control KW - Packet switching KW - Dynamic programming KW - IP networks KW - Heuristic algorithms KW - Firewalls KW - algorithm. KW - Access control list KW - packet classification KW - firewall VL - 22 JA - IEEE Transactions on Parallel and Distributed Systems ER -

C. R. Meiners, Dept. of Comput. Sci. & Eng., Michigan State Univ., East Lansing, MI, USA

A. X. Liu, Dept. of Comput. Sci. & Eng., Michigan State Univ., East Lansing, MI, USA

E. Torng, Dept. of Comput. Sci. & Eng., Michigan State Univ., East Lansing, MI, USA

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TPDS.2011.114

Web Extra: View Supplemental Material(PDF)

An access control list (ACL) provides security for a private network by controlling the flow of incoming and outgoing packets. Specifically, a network policy is created in the form of a sequence of (possibly conflicting) rules. Each packet is compared against this ACL, and the first rule that the packet matches defines the decision for that packet. The size of ACLs has been increasing rapidly due to the explosive growth of Internet-based applications and malicious attacks. This increase in size degrades network performance and increases management complexity. In this paper, we propose ACL Compressor, a framework that can significantly reduce the number of rules in an access control list while maintaining the same semantics. We make three major contributions. First, we propose an optimal solution using dynamic programming techniques for compressing one-dimensional range-based access control lists. Second, we present a systematic approach for compressing multidimensional access control lists. Last, we conducted extensive experiments to evaluate ACL Compressor. In terms of effectiveness, ACL Compressor achieves an average compression ratio of 50.22 percent on real-life rule sets. In terms of efficiency, ACL runs in seconds, even for large ACLs with thousands of rules.

[1] D.A. Applegate, G. Calinescu, D.S. Johnson, H. Karloff, K. Ligett, and J. Wang, "Compressing Rectilinear Pictures and Minimizing Access Control Lists," Proc. ACM-SIAM Symp. Discrete Algorithms (SODA), Jan. 2007.
[2] Q. Dong, S. Banerjee, J. Wang, D. Agrawal, and A. Shukla, "Packet Classifiers in Ternary CAMs Can Be Smaller," Proc. ACM Joint Int'l Conf. Measurement and Modeling of Computer Systems (SIGMETRICS), pp. 311-322, 2006.
[3] D. Eastlake and P. Jones, "US Secure Hash Algorithm 1 (SHA1)," RFC 3174, 2001.
[4] M.G. Gouda and A.X. Liu, "Firewall Design: Consistency, Completeness and Compactness," Proc. IEEE 24th Int'l Conf. Distributed Computing Systems, pp. 320-327, Mar. 2004.
[5] M.G. Gouda and A.X. Liu, "Structured Firewall Design," Computer Networks: The Int'l J. Computer and Telecomm. Networking, vol. 51, no. 4, pp. 1106-1120, Mar. 2007.
[6] A.X. Liu and M.G. Gouda, "Complete Redundancy Detection in Firewalls," Proc. 19th Ann. IFIP Conf. Data and Applications Security, pp. 196-209, Aug. 2005.
[7] A.X. Liu and M.G. Gouda, "Diverse Firewall Design," IEEE Trans. Parallel and Distributed Systems, vol. 19, no. 8, pp. 1237-1251, Sept. 2008.
[8] A.X. Liu and M.G. Gouda, "Complete Redundancy Removal for Packet Classifiers in TCAMs," IEEE Trans. Parallel and Distributed Systems, vol. 21, no. 4, pp. 424-437, Apr. 2010.
[9] A.X. Liu, C.R. Meiners, and E. Torng, "TCAM Razor: A Systematic Approach towards Minimizing Packet Classifiers in TCAMs," IEEE Trans. Networking, vol. 18, no. 2, pp. 490-500, Apr. 2010.
[10] A.X. Liu, Y. Zhou, and C.R. Meiners, "All-Match Based Complete Redundancy Removal for Packet Classifiers in TCAMs," Proc. IEEE INFOCOM, Apr. 2008.
[11] R. McGeer and P. Yalagandula, "Minimizing Rulesets for TCAM Implementation," Proc. IEEE INFOCOM, 2009.
[12] C.R. Meiners, A.X. Liu, and E. Torng, "TCAM Razor: A Systematic Approach towards Minimizing Packet Classifiers in TCAMs," Proc. IEEE 15th Int'l Conf. Network Protocol (ICNP), pp. 266-275, Oct. 2007.
[13] C.R. Meiners, A.X. Liu, and E. Torng, "Bit Weaving: A Non-Prefix Approach to Compressing Packet Classifiers in TCAMs," Proc. IEEE Int'l Conf. Network Protocol (ICNP), 2009.
[14] R. Rivest, "The MD5 Message-Digest Algorithm," RFC 1321, 1992.
[15] D. Rovniagin and A. Wool, "The Geometric Efficient Matching Algorithm for Firewalls," technical report, http://www.eng. tau.ac.il/yashees2003-6.ps , July 2003.
[16] Y.-W. E. Sung, X. Sun, S.G. Rao, G.G. Xie, and D.A. Maltz, "Towards Systematic Design of Enterprise Networks," Proc. ACM CoNEXT Conf., 2008.
[17] Y.-W.E. Sung, X. Sun, S.G. Rao, G.G. Xie, and D.A. Maltz, "Towards Systematic Design of Enterprise Networks," IEEE Trans. Networking, vol. 19, no. 3, pp. 695-708, June 2011.
[18] M. Yu, J. Rexford, M.J. Freedman, and J. Wang, "Scalable Flow-Based Networking with DIFANE," Proc. ACM SIGCOMM, 2010.

Index Terms:

telecommunication security,authorisation,dynamic programming,Internet,packet classification,network access control lists,ACL compressor,network policy,Internet,malicious attacks,management complexity,dynamic programming,1D range-based access control lists,multidimensional access control lists,Access control,Packet switching,Dynamic programming,IP networks,Heuristic algorithms,Firewalls,algorithm.,Access control list,packet classification,firewall

Citation:

C. R. Meiners, A. X. Liu, E. Torng, "Compressing Network Access Control Lists," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 12, pp. 1969-1977, Dec. 2011, doi:10.1109/TPDS.2011.114

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.