Efficient Multi-Match Packet Classification with TCAM Fang Yu

Slides:



Advertisements
Similar presentations
1 SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Marti Austin Motoyama 1 Randy H. Katz 1 1 EECS.
Advertisements

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.
August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta
Fast Updating Algorithms for TCAMs Devavrat Shah Pankaj Gupta IEEE MICRO, Jan.-Feb
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
1 An Efficient, Hardware-based Multi-Hash Scheme for High Speed IP Lookup Hot Interconnects 2008 Socrates Demetriades, Michel Hanna, Sangyeun Cho and Rami.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.
Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.
Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,
Power Efficient IP Lookup with Supernode Caching Lu Peng, Wencheng Lu*, and Lide Duan Dept. of Electrical & Computer Engineering Louisiana State University.
Packet Classification on Multiple Fields Pankaj Gupta and Nick McKeown Stanford University {pankaj, September 2, 1999.
1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.
Efficient Multidimensional Packet Classification with Fast Updates Author: Yeim-Kuan Chang Publisher: IEEE TRANSACTIONS ON COMPUTERS, VOL. 58, NO. 4, APRIL.
1 Partition Filter Set for Power- Efficient Packet Classification Authors: Haibin Lu, MianPan Publisher: IEEE GLOBECOM 2006 Present: Chen-Yu Lin Date:
1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman
1 A Fast IP Lookup Scheme for Longest-Matching Prefix Authors: Lih-Chyau Wuu, Shou-Yu Pin Reporter: Chen-Nien Tsai.
Two stage packet classification using most specific filter matching and transport level sharing Authors: M.E. Kounavis *,A. Kumar,R. Yavatkar,H. Vin Presenter:
SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.
An Efficient IP Lookup Architecture with Fast Update Using Single-Match TCAMs Author: Jinsoo Kim, Junghwan Kim Publisher: WWIC 2008 Presenter: Chen-Yu.
Packet Classification George Varghese. Original Motivation: Firewalls Firewalls use packet filtering to block say ssh and force access to web and mail.
Algorithms for Advanced Packet Classification with TCAMs Karthik Lakshminarayanan UC Berkeley Joint work with Anand Rangarajan and Srinivasan Venkatachary.
EaseCAM: An Energy And Storage Efficient TCAM-based IP-Lookup Architecture Rabi Mahapatra Texas A&M University;
A High Throughput String Matching Architecture for Intrusion Detection and Prevention Lin Tan U of Illinois, Urbana Champaign Tim Sherwood UC, Santa Barbara.
Deep Packet Inspection with Regular Expression Matching Min Chen, Danny Guo {michen, CSE Dept, UC Riverside 03/14/2007.
Chapter 9 Classification And Forwarding. Outline.
1 Efficient packet classification using TCAMs Authors: Derek Pao, Yiu Keung Li and Peng Zhou Publisher: Computer Networks 2006 Present: Chen-Yu Lin Date:
CSE7701: Research Seminar on Networking
ECE 526 – Network Processing Systems Design Network Processor Architecture and Scalability Chapter 13,14: D. E. Comer.
CoPTUA: Consistent Policy Table Update Algorithm for TCAM without Locking Zhijun Wang, Hao Che, Mohan Kumar, Senior Member, IEEE, and Sajal K. Das.
Layered Interval Codes for TCAM-based Classification David Hay, Politecnico di Torino Joint work with Anat Bremler-Barr (IDC), Danny Hendler (BGU) and.
Applied Research Laboratory Edward W. Spitznagel 7 October Packet Classification for Core Routers: Is there an alternative to CAMs? Paper by: Florin.
Author: Haoyu Song, Fang Hao, Murali Kodialam, T.V. Lakshman Publisher: IEEE INFOCOM 2009 Presenter: Chin-Chung Pan Date: 2009/12/09.
Wire Speed Packet Classification Without TCAMs ACM SIGMETRICS 2007 Qunfeng Dong (University of Wisconsin-Madison) Suman Banerjee (University of Wisconsin-Madison)
Fast Packet Classification Using Bloom filters Authors: Sarang Dharmapurikar, Haoyu Song, Jonathan Turner, and John Lockwood Publisher: ANCS 2006 Present:
Packet Classification on Multiple Fields 참고 논문 : Pankaj Gupta and Nick McKeown SigComm 1999.
Packet Classifiers In Ternary CAMs Can Be Smaller Qunfeng Dong (University of Wisconsin-Madison) Suman Banerjee (University of Wisconsin-Madison) Jia Wang.
Multi-Field Range Encoding for Packet Classification in TCAM Author: Yeim-Kuan Chang, Chun-I Lee and Cheng-Chien Su Publisher: INFOCOM 2011 Presenter:
Applied Research Laboratory Edward W. Spitznagel 24 October Packet Classification using Extended TCAMs Edward W. Spitznagel, Jonathan S. Turner,
Balajee Vamanan and T. N. Vijaykumar School of Electrical & Computer Engineering CoNEXT 2011.
1. Outline Introduction Related work on packet classification Grouper Performance Analysis Empirical Evaluation Conclusions 2/42.
StrideBV: Single chip 400G+ packet classification Author: Thilan Ganegedara, Viktor K. Prasanna Publisher: HPSR 2012 Presenter: Chun-Sheng Hsueh Date:
Department of Computer Science and Engineering Applied Research Laboratory Architecture for a Hardware Based, TCP/IP Content Scanning System David V. Schuehler.
1 Fast packet classification for two-dimensional conflict-free filters Department of Computer Science and Information Engineering National Cheng Kung University,
A Smart Pre-Classifier to Reduce Power Consumption of TCAMs for Multi-dimensional Packet Classification Yadi Ma, Suman Banerjee University of Wisconsin-Madison.
Workpackage 3 New security algorithm design ICS-FORTH Ipswich 19 th December 2007.
Algorithms to Accelerate Multiple Regular Expressions Matching for Deep Packet Inspection Sailesh Kumar Sarang Dharmapurikar Fang Yu Patrick Crowley Jonathan.
TCAM –BASED REGULAR EXPRESSION MATCHING SOLUTION IN NETWORK Phase-I Review Supervised By, Presented By, MRS. SHARMILA,M.E., M.ARULMOZHI, AP/CSE.
High-Speed Policy-Based Packet Forwarding Using Efficient Multi-dimensional Range Matching Lakshman and Stiliadis ACM SIGCOMM 98.
Cross-Product Packet Classification in GNIFS based on Non-overlapping Areas and Equivalence Class Author: Mohua Zhang, Ge Li Publisher: AISS 2012 Presenter:
CS 740: Advanced Computer Networks IP Lookup and classification Supplemental material 02/05/2007.
A Scalable Architecture For High-Throughput Regular-Expression Pattern Matching Yao Song 11/05/2015.
1 Bit Weaving: A Non-Prefix Approach to Compressing Packet Classifiers in TCAMs Author: Chad R. Meiners, Alex X. Liu, and Eric Torng Publisher: IEEE/ACM.
Packet Classification Using Multidimensional Cutting Sumeet Singh (UCSD) Florin Baboescu (UCSD) George Varghese (UCSD) Jia Wang (AT&T Labs-Research) Reviewed.
Hierarchical packet classification using a Bloom filter and rule-priority tries Source : Computer Communications Authors : A. G. Alagu Priya 、 Hyesook.
Packet Classification Using Multi- Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: 2013 IEEE 37th Annual Computer Software.
DRES: Dynamic Range Encoding Scheme for TCAM Coprocessors 2008 YU-ANTL Lab Seminar June 11, 2008 JeongKi Park Advanced Networking Technology Lab. (YU-ANTL)
IP Routers – internal view
CSE7701: Research Seminar on Networking
Transport Layer Systems Packet Classification
Yotam Harchol The Hebrew University of Jerusalem, Israel
Jason Klaus, Duncan Elliott Confidential
Scalable Multi-Match Packet Classification Using TCAM and SRAM
Yotam Harchol The Hebrew University of Jerusalem, Israel
Author: Yaron Weinsberg ,Shimrit Tzur-David ,Danny Dolev and Tal Anker
Worst-Case TCAM Rule Expansion
Presentation transcript:

Efficient Multi-Match Packet Classification with TCAM Fang Yu

Outline New applications demand Multi-Match Classification Multi-Match classification using TCAM  Order rules in TCAM  Remove negations Simulations results Conclusions

Today’s Packet Classification Systems A classifier consists of N rules, each with F fields  Next hop routing using destination IP (F=1)  Filters from firewall (F=5) Given a packet, report the highest priority match  E.g., longest prefix match  Single-Match Classification Source IPDestination IPSource PortDestination PortProtocolActionPriority **15Tcpdrop2 128.* *25tcpallow1

New Applications Intrusion Detection Systems (e.g., SNORT)  Rule header: a 5 fields classification rule for packet header  Rule options: specify intrusion patterns for entire packet scanning. Packet header Match A packet may be related to multiple rules (matching rule headers) Multi-Match Classification: Identify all the matching rule headers Packet Payload Scan

In current network, a packet sequentially traverses multiple network devices, e.g., firewall, HTTP load balancing, intrusion detection, NAT etc.  Each box introduces extra delay  Common functions like classification are repeatedly applied  Highly inefficient! Programmable Network Element  Support multiple functions in one device  Each packet may related to different set of functions E.g., HTTP packets related to firewall and HTTP load balancer E.g., VPN packets related to encryption / decryption  Multi- Match Classification : identify the all the relevant functions New Applications (cont.)

Multi-Match Classification A classifier consists of N rules, each with F fields  Goal: Reporting all the matching rules Software solution for single-match classification  O(logN) query time with O(N F ) storage  Real rule sets are simpler than theoretical worst case State of art heuristic algorithms: memory accesses Multi-Match Classification  More complex than single-match  Complex follow-up processing  Tighter time requirements memory accesses  slow Can hardware solution help?

Ternary-CAM (TCAM) Fully associative memory: compares input string with all the entries in parallel  If multiple matches, report index of the first match Each cell takes one of three logic states  ‘0’, ‘1’, and ‘X’(don’t care) Current TCAM technology  Fast Match Time: 4 ns  Size: 1-2MB  Commercially used for single-match classification

Arrange Rules in the TCAM Problem: TCAM only reports the first matching result  For example, two rules have intersection relationship  “Tcp $SQL_SERVER 1433 $EXTERNAL_NET any”  “Tcp Any Any Any 139” Solution: Add additional intersection rules  Upper bound of intersections O(N F )  Real world rule set far less intersections  Retrieve all matching results solely based on the first matched result

Order of Rules Relationship between rules E i and E j, with corresponding matched list M i and M j  Exclusive (E i E j = ): i and j can have any order.  Subset (E i E j ): i<j and M i M j.  Superset (E i E j ): j<i and M i M j.  Intersection (E i E j = ): add a rule E l =(E i E j ), (l<i, l<j), (M i M j ) M l.

Example Original rule set Extended rule set TCAM compatible order 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139 Extended rules Matched List Tcp $SQL_SERVER 1443 $EXTERNAL_NET 1391,3 Tcp $SQL_SERVER 1433 $EXTERNAL_NET any1 Tcp $EXTERNAL_NET 119 $HOME_NET 1392,3 Tcp $EXTERNAL_NET 119 $HOME_NET any2 Tcp any any any 1393 $EXTERNAL_NET $EXTERNAL_NET=!$HOME_NET

Representing Negation with TCAM 80’s binary form Negation of 80 (!80)  = = is only a subset of !80  Need 16 TCAM entries Multiple negations in one rule  tcp $EXTERNAL_NET any $EXTERNAL_NET !80 requires up to 32*32*16=16384 TCAM entries 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 0xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx0x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1

Remove Negation Regions generating negation:  A, B, D Regions with no negation  C, A C, C D, A B C D 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139

Remove Negation Can we extend rules in D to D C?  Yes, We can! with a first match TCAM 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139 TCAM entriesMatched List tcp $HOME_NET any $HOME_NET any $HOME_NET any $HOME_NET any Tcp $SQL_SERVER 1443 any 139 1,3 Tcp $SQL_SERVER 1433 any any 1

Extended rulesMatched ListTCAM entries needed Tcp $SQL_SERVER 1443 $EXTERNAL_NET 1391,332 Tcp $SQL_SERVER 1433 $EXTERNAL_NET any132 Tcp $EXTERNAL_NET 119 $HOME_NET 1392,332 Tcp $EXTERNAL_NET 119 $HOME_NET any232 Tcp any any any TCAM Index TCAM entriesMatched List 1tcp $HOME_NET any $HOME_NET any $HOME_NET any $HOME_NET any 3Tcp $SQL_SERVER 1443 any 1391,3 4Tcp $SQL_SERVER 1433 any any1 5Tcp any 119 $HOME_NET 1392,3 6Tcp any 119 $HOME_NET any2 7Tcp any any any % of TCAM entries saving

Simulation Results SNORT intrusion detection rule set VersionRule Set Size # of rules in extended set Single negation Double negations Triple negations , %0.975% , %1.422%0.025% , %1.420%0.025% , %1.363%0.023%

Performance of Negation Removing Scheme Snort version With NegationNegation RemovedTCAM Space saved Extended rule set size TCAM Entries needed Extended rule set size TCAM Entries needed ,693120,4094,1017, % ,009145,2084,4118, % ,015145,3524,4208, % ,330151,9234,7978, % Fit all Snort rule header into 128KB-256KB TCAM  Retrieve multi-match classification result with one TCAM lookup and one SRAM lookup (<10ns)

Conclusions New applications demands for multi-mach classification TCAM-based solution to solve the multi-match classification problem  Reports all the matching results with a single TCAM lookup and a SRAM lookup Negation removing scheme can save 93% to 95% of the TCAM space Future work  Study the complexity of multi-match classification problem and tradeoffs between different approaches  Search part of the TCAM to reduce power consumption

Backup slides

Removing Negation Rules in region C: “* $HOME_NET+ * $HOME_NET+ *” Separator rule 1: “any $HOME_NET any $HOME_NET any” Rules in region D, specified in the form of region C and D: “* $HOME_NET+ * any *” Rules in region A, specified in the form of region A and C: “* any * $HOME_NET+ *” Separator rule 2: “any $HOME_NET any any any” Separator rule 3: “any any any $HOME_NET any” Rules applying to region B, specified in the form of region A, B, C and D: “* any * any *”

Effect of Negation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.