Packet Classification, George Varghese

Presentation transcript:

Packet Classification George Varghese

Original Motivation: Firewalls Firewalls use packet filtering to block, say, ssh and force access to web and mail via proxies. Still part of “defense in depth” today. Need fast wire speed packet filtering.

Simplified Internet Message Format Dest and Src IP address (telephone numbers). Dst and Src Ports (extensions): indicate protocol. For instance, Port 80 = Web, Mail = 25.

Sample Firewall Database

Beyond firewalls today

Service differentiation via classification Every router in world: if packet addressed to router, do packet classification before LPM. Extract 5 (or more) fields. If there is a match, treat packet as specified by highest match rule. Can use to drop packets, give some applications more QoS, different routes for some apps etc. Standard solution: CAMs. But let's look at some algorithmic solutions, some of which are used. Routers often support 1000s of rules so linear search (despite parallel logic) is too slow.

Plan of Attack First, 2-field (2D) packet classification. Useful for measurement and multicast. Then we introduce a nice geometric model and move on to general K-field classification.

2D (two field) example

First attempt: Set Pruning Tries Each destination prefix D points to a trie containing all source prefixes in rules whose destination field is a prefix of D. O(N^2) memory!

Worst-case example for storage

Less memory via backtracking Source tries now only contain sources in rules whose destination is equal to D. O(W^2) time.

Grid of Tries (Srinivasan-Varghese) Use pre-computed switch pointers (dashed line). No backtracking and linear space.

Geometric Model (Lakshman-Stiliadis) Example: F1 = (0*, 10*). Each field is a dimension in geometric space.

Beyond 2D Bad News: Lower bound (computational geometry): O((W^k)/k!) time for linear storage. Good news (Gupta-McKeown): # of disjoint classification regions in real databases is small. For example: theoretically in 2D we can have N^2 disjoint regions but practically we have O(N). Can we exploit this observation for speed with small storage? Yes, but not provably. Heuristics.

Divide and Conquer? Natural to try LPM in each field separately and combine. Concatenation does not work!

Aside: Range to Prefix Matches Real classifiers use ranges (e.g., < 1024 for well known ports). Theorem: Can write any range as the union of a logarithmic number of prefix ranges. Example: [8,12] in 5 bits. 01* does not work but 0100* and 0101* and does! Useful theorem for CAM vendors as well, as they only support prefix ranges. Recall hardware!
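The range-to-prefix theorem above, as an added example (not code from the lecture): a greedy split of an inclusive range into aligned power-of-two blocks, each of which is one prefix. The function names are assumptions; for the slide's [8,12] in 5 bits it returns 010* (the merge of 0100* and 0101*) plus the exact value 01100.

```python
def range_to_prefixes(lo, hi, width):
    """Split the inclusive range [lo, hi] of width-bit values into the
    smallest set of prefixes, returned as strings such as '010*'."""
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("range does not fit in the field width")
    prefixes = []
    while lo <= hi:
        # Largest power-of-two block aligned at lo (lo's lowest set bit) ...
        size = (lo & -lo) if lo else (1 << width)
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        free = size.bit_length() - 1          # wildcarded low-order bits
        fixed = width - free                  # bits spelled out in the prefix
        bits = format(lo >> free, "b").zfill(fixed) if fixed else ""
        prefixes.append(bits + ("*" if free else ""))
        lo += size
    return prefixes


def covered(prefixes, width):
    """Expand prefixes back into the set of values they match (for checking)."""
    values = set()
    for p in prefixes:
        bits = p.rstrip("*")
        free = width - len(bits)
        base = (int(bits, 2) << free) if bits else 0
        values.update(range(base, base + (1 << free)))
    return values


if __name__ == "__main__":
    print(range_to_prefixes(8, 12, 5))             # the slide's [8,12] in 5 bits
    print(range_to_prefixes(0, 1023, 16))          # well-known ports, < 1024
    print(len(range_to_prefixes(1, 65534, 16)))    # worst case for a 16-bit port
```

A firewall rule with a port range therefore costs one CAM entry per prefix in its expansion: one entry for "< 1024", but 30 for the 16-bit range [1, 65534].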

Bit Vector (Lakshman-Stiliadis) Store an N-bit vector with each field value M, with bit J set in Field I if M matches Rule J in Field I. AND and find first bit set. Priority Encoder.

Why is Lucent Fast? Since the bit vectors are O(N), from a CS perspective it is O(N), as bad as linear search. Really reduces constants: uses wide memories. Nk/W memory accesses where W is width. Recall W = 1000 is feasible → 1000 rule tables in a few accesses, many of which are parallel. Moral: Know hardware complexity measures!
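The bit-vector scheme from the two slides above, as an added example (not code from the lecture): each field is cut into elementary intervals, each interval stores an N-bit vector of the rules matching it, and a lookup ANDs one vector per field and takes the lowest set bit. The rule table, the 4-bit field width and the dest/source field order are constructed assumptions; only F1 = (0*, 10*) comes from the slides.

```python
from bisect import bisect_right

WIDTH = 4  # bits per field in this toy example (assumption)

# Constructed rule table, highest priority first: (dest prefix, src prefix, action).
RULES = [
    ("0*",  "10*", "permit"),   # F1 = (0*, 10*) from the geometric-model slide
    ("00*", "1*",  "deny"),
    ("1*",  "*",   "permit"),
    ("*",   "*",   "deny"),     # default rule
]

def prefix_range(prefix, width=WIDTH):
    """Inclusive (lo, hi) range of field values covered by a prefix like '10*'."""
    bits = prefix.rstrip("*")
    free = width - len(bits)
    lo = (int(bits, 2) << free) if bits else 0
    return lo, lo + (1 << free) - 1

def build_field(prefixes, width=WIDTH):
    """Cut one field into elementary intervals and give each an N-bit vector
    with bit j set when rule j matches that interval in this field."""
    ranges = [prefix_range(p, width) for p in prefixes]
    cuts = {0} | {lo for lo, _ in ranges} | {hi + 1 for _, hi in ranges}
    starts = sorted(c for c in cuts if c < (1 << width))
    vectors = []
    for s in starts:
        # Rule membership is constant inside an interval, so test its start.
        vectors.append(sum(1 << j for j, (lo, hi) in enumerate(ranges)
                           if lo <= s <= hi))
    return starts, vectors

def lookup(field, value):
    """Bit vector of the elementary interval that contains value."""
    starts, vectors = field
    return vectors[bisect_right(starts, value) - 1]

DEST = build_field([r[0] for r in RULES])
SRC = build_field([r[1] for r in RULES])

def classify(dest, src):
    """AND the per-field vectors; the lowest set bit is the first matching rule."""
    both = lookup(DEST, dest) & lookup(SRC, src)
    if both == 0:
        return None
    j = (both & -both).bit_length() - 1   # software stand-in for the priority encoder
    return j, RULES[j][2]
```

Python integers stand in for the wide memory words here: the AND touches all N rule bits in one operation, which is the constant-factor win the slide attributes to hardware.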

Cross-Products (Srinivasan-Varghese) Theorem: Best matching rule for crossproduct is best matching rule for packet.

Equivalenced Crossproducts (Gupta-McKeown): aka RFC Idea: Instead of “multiplying” in 1 fell swoop, do 2 at a time and equivalence at each step. GSR 16 crossproducts but only 8 classes!

Hi Cuts (Gupta-McKeown) Different idea: Decision tree in geometric space to “zero in” on narrowest matching region.

State of Art Woo algorithm: Like HiCuts but uses bit testing and not range testing. Hypercuts (Singh): beyond Woo to test multiple bits at a time using arrays. Cisco CRS Space usage of Hypercuts/HiCuts can be employed using 2 parallel trees (Brian Alleyne). Efficuts (Purdue, SIGCOMM 2010) is a publicly available implementation of best ideas so far. CAMs still easier, though need algorithmic tricks to reduce power.

Principles Used P1: Relax Specification (heuristics beyond 2D); P2: Degrees of freedom (HiCuts → Hypercuts); P3: Shift Computation in Time (grid-of-tries); P4: Avoid Waste seen (Crossproducts → RFC); P5: Add State for efficiency (switch pointers); P6: Hardware parallelism (Bit vector); P8: Finite universe methods (Bit vector); P9: Use algorithmic thinking (decision trees)

Students like you... PANKAJ CHEENU SUMEET Stanford → Sahasra → Netlogic → Twitter; UCSD → Sahasra → Netlogic → Google; UCSD → NetSift → Cisco. SO DO A GREAT PROJECT! SOME MORE PAPERS UP