Worst-Case TCAM Rule Expansion Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel)

Packet Classification Action ---- RuleAction Policy Database (classifier) Packet Classification Forwarding Engine Incoming Packet HEADERHEADER

Power Consumption in a Router Sources: R.S. Tucker, based on Cisco CRS-1, 2009; D. Hay Packet Classification }

Ternary Content-Addressable Memory (TCAM) Encoder Match lines Packet Header (Search Key) accept deny accept TCAM Array Each entry is a word in {0,1,  } W

Example Encoder Match lines deny log accept deny limit deny accept  00   11  00   0   10   0    1110  010  01   0  11   01  0010  10  01       

Range Rules RuleSource address Source port Dest- address Dest- port Prot ocol Action Rule / /32 80TCP Accept Rule /24> / TCP Deny Rule / UDP Accept Rule / TCP Limit Rule ICMP Log  Range rule = rule that contains range field  Usually source-port or dest-port

Range Rule Representation in TCAM  Assume we want to represent a range in a single field of W bits  Our objective: minimize the number of TCAM entries needed to encode the range  More TCAM entries represent more power consumption  Some ranges are easy to represent Example: W=3: [4, 7] = {100,101,110,111} = 1   But what about [1,6] ?

 Range [1,6] in tree of all elements with W=3 bits: (Internal) Encoding of [1,6] Known result: expansion in 2W-2 TCAM entries Here: 2W-2=4 TCAM entries

Outline  Introduction  Worst-case range expansion  New TCAM architectures

External Encoding Here: W=3 TCAM entries (instead of 4) Idea to reduce number of TCAM entries: exploit TCAM entry order by encoding range complimentary as well

New upper bounds on the worst-case rule expansion  Theorem 1: Expansion of W-bit range in at most W TCAM entries  Note: W instead of 2W-2  Note: also in next talk  Theorem 2: W TCAM entries is optimal among prefix codes (not shown in this paper)  Theorem 3: Expansion of k W-bit ranges in k·W TCAM entries

Union of k ranges in kW R 1 =[1,5], R 2 =[7,7] R=R 1 UR 2 can be encoded using k·W=2·3=6 TCAM entries  Theorem 3: Expansion of k W-bit ranges in k·W TCAM entries  Example:

Multi-field Ranges Known result: range expansion in d W-bit fields in (2W-2) d TCAM entries Theorem 4: Expansion in O(d·W) TCAM entries (i.e. linear in d) without any additional logic

Outline  Introduction  Worst-case range expansion  New TCAM architectures

New TCAM architectures  Using additional logic to reduce expansion  Example for W=4

(a) Known Architecture: Internal – Product  Expansion of 6·5 + 3·1 = 33

(a) Internal - Product header (range 1) PE (0) (1) (0)  Worst-case expansion of k·(2W-2)^d

(b) Combined - Product  Expansion of 3·4 + 3·1 = 15

(0) (1) header PE (range 1) (0) (1) (0) (b) Combined - Product  Worst-case expansion of k·W^d

(c) Combined – Sum  Expansion of =11

(0) (1) (0) header PE (range 1) (1) (c) Combined – Sum  Worst-case expansion of k·d·W

Architecture Summary known new

Experimental Results  On real-life rule set  120 separate rule files from various applications Firewalls, ACL-routers, Intrusion Prevention systems  215K rules  280 unique ranges  Used as a common benchmark in literature

Experimental Results 39% Better 57% Better

Summary  Expansion of W-bit range in at most W TCAM entries (instead of 2W-2)  Optimal (among prefix codes)  Linear expansion for multi-field ranges  New TCAM architectures  Up to 39% less TCAM entries

Thank You