Presentation is loading. Please wait.

Presentation is loading. Please wait.

Algorithms for Advanced Packet Classification with TCAMs Karthik Lakshminarayanan UC Berkeley Joint work with Anand Rangarajan and Srinivasan Venkatachary.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Algorithms for Advanced Packet Classification with TCAMs Karthik Lakshminarayanan UC Berkeley Joint work with Anand Rangarajan and Srinivasan Venkatachary."— Presentation transcript:

1 Algorithms for Advanced Packet Classification with TCAMs Karthik Lakshminarayanan UC Berkeley Joint work with Anand Rangarajan and Srinivasan Venkatachary (Cypress Semiconductors Inc.)

2 Packet Processing Environment Packet matches a set of rules based on the header Examples: routers, intrusion detection systems Rule: acl-id src-addr src-port dst-addr dst-port proto (e.g. acl1231 128.32.0.0/8 0-1023 32.12.1.1/16 1024 tcp) HdrPayload Search Key permit/deny, update counter RuleAction …… ACL Database

3 Ternary Content Addressable Memory Memory device with fixed width arrays Each bit is 0, 1 or x (don’t care) Search is performed against all entries in parallel and the first result is returned width = W bits TCAM row 1 row 2 row n … 00100x1x001110x0x 01110xxx001100xxx 1111101x1101000xx width = W bits Search key 011101xx001100x10 Output is row 2

4 TCAM: Benefits and Disadvantages Benefits: –Deterministic Search Throughput—O(1) search Disadvantages: –Cost –Power consumption Current TCAM usage: –6 million TCAM devices deployed –Used in multi-gigabit systems that have O(10,000) rules –TCAMs can support a table of size 128K ternary entries and 133 million searches per second for 144-bit keys

5 Problems Range Representation Problem Multimatch Classification Problem Algorithms in software easier to implement

6 Problems Range Representation Problem Multimatch Classification Problem

7 Range Representation Problem Representing prefixes in ternary is trivial –IP address prefixes present in rules Representing arbitrary ranges is not easy though –port fields might contain ranges –e.g. some security applications may allow ports 1024-65535 only

8 Earlier Approaches – I Prefix expansion of ranges: –express ranges as a union of prefixes –have a separate TCAM entry for each prefix –expansion: the number of entries a rules expands to Example: the range [3,12] over a 4-bit field would expand to: –0011 (3), 01xx (4-7), 10xx (8-11) and 1100 (12) Worst-case expansion for a W-bit field is 2W-2 –example: [1,14] would expand to 0001, 001x, 01xx, 10xx, 110x, 1110 –16-bit port field expands to 30 entries

9 Earlier Approaches – II Database-dependent encoding: –observation: TCAM array has some unused bits –use these additional bits to encode commonly occurring ranges in the database TCAMs with IP ACLs have ~ 36 extra bits –144-bit wide TCAMs –104-bits + 4-bits for IP ACL rules

10 Earlier Approaches – II Database-dependent encoding: –observation: TCAM array has some unused bits –use these additional bits to encode commonly occurring ranges in the database Example: Address Port … 12.123.0.0/16 20-24 … 32.12.13.0/24 1024- … 128.0.0.0/8 20-24 … Set extra bit to 1 Set extra bit to x If search key falls in 20-24, set extra bit to 1, else set it to 0

11 Earlier Approaches – II Database-dependent encoding: –observation: TCAM array has some unused bits –use these additional bits to encode commonly occurring ranges in the database Improved version: Region-based Range Encoding Disadvantages: –database dependent  incremental update is hard

12 Database-Independent Range Pre-Encoding Key insight: use additional bits in a database independent way –wider representation of ranges –reduce expansion in the worst-case

13 Database-Independent Range Pre-Encoding Fence encoding (W bits): –total of 2 W -1 bits –encoding of i has i ones preceded by 2 W -i-1 zeros –e.g. W=3, f(0) = 0000000, f(2) = 0000011 With 2 W -1 bits, fence encoding achieves an expansion of 1 Theorem: For achieving a worst-case row expansion of 1 for a W-bit range, 2 W -1 bits are necessary

14 Database-Independent Range Pre-Encoding Procedure: –split W-bit field into multiple chunks –encode each chunk using fence encoding –“combine” the chunks to form ternary entries Combining chunks: analogous to multi-bit tries W bits k 1 bitsk 0 bitsk 2 bits

15 Unibit view of DIRPE (Prefix expansion) W=3 divided into 3 one-bit chunks R=[1,6]—prefixes = {001,01x,10x,110} Each level can contribute to at most 2 prefixes (but the top level) xxx 0xx1xx 00x01x11x10x 000001010011100101110111

16 Multi-bit view of DIRPE Worst case expansion = 2W/k – 1 Number of extra bits needed = (2 k -1)W/k - W Legend: 8-bit field (W=8) k 0 =2, k 1 =3, k 2 =3 R=[11,54] =[013, 066] split chunk = 1

17 Comparison of Expansion Worst-case expansion Real-life expansion DIRPE + DB-dependent  Net expansion was 1.12

18 Metric Prefix Expansion Region-based Encoding (with r regions) DIRPE (with k-bit chunks) DIRPE + Region-based Extra bits Worst-case capacity degradation Cost of an incremental update Overhead on the packet processor 0F(log 2 r + 2n-1 r ) F( W(2 k -1) k - W) 2n-1 r ) + F( (2 k -1) log 2 r k (2W-2) F (2log 2 r) F ( )F)F 2W k - 1 ( )F)F 2log 2 r k W k O(( ) O(W F )O(N) None O((log 2 r+ 2n-1 r ) F.2 W ) Pre-computed table of size: ( or ) O(nF) comparators of width W bits W.2 k k O( ) logic gates Both pieces of logic from previous two columns )F)F

19 DIRPE: Summary ↑Database independent ↑Scales well for large databases ↑Good incremental update properties ↓Additional bits needed ↓Small logic needed for modifying search key

20 Problems Range Expansion Problem Multimatch Classification Problem

21 TCAM search primitive: return first matching entry for a key Multimatch requirement: return k matches (or all matches) for a key –security applications where all signatures that match this packet need to be found –accounting applications where counters have to be updated for all matching entries

22 Earlier Approaches Entry Invalidation scheme: –maintain state of multimatch using an additional bit in TCAM called “valid” bit TCAM array … 00100x1x001110x0x 01110xxx001100xxx 1111101x1101000xx Search key 011101xx001100x10 x x x 1 valid bit 0 match

23 Earlier Approaches Entry Invalidation scheme: –maintain state of multimatch using an additional bit in TCAM called “valid” bit Disadvantage: –ill-suited for multi-threaded environments need one bit for each thread

24 Earlier Approaches Geometric intersection scheme: –construct geometric intersection (cross- products) of the fields and place in TCAM –pre-processing step is expensive –search is fast Disadvantage: –does not scale well in capacity –for router dataset: expansion of 25—100

25 Multimatch Using Discriminators (MUD) Observation: after index j is matched, the ACL has to be searched for all indices >j Basic idea: –store a discriminator field with each row that encodes the index of the row –to search rows with index >j, the search key is expanded to prefixes that correspond to >j –multiple searches are then issued

26 MUD: Example TCAM array … discriminator field 0000 0001 0010 rule 0 rule 1 rule 2 Search key 011101xx00 xxxx discriminator match 001x 01xx 1xxx

27 Metric Entry Invalidation Geometric Intersection-based MUD Multi-threading support Cycles for k multi-matches Overhead on the packet processor No Yes 7kk None Small state machine logic; can be implemented using a few hundred gates or a few microcode instructions 1 + d + (d-1)(k-2) Update cost O(N F ) O(N) N Worst-case TCAM entries for N rules NO(N F ) Small state machine logic; can be implemented using a few hundred gates or a few microcode instructions Extra bits00 without DIRPE: d with DIRPE: 1 + d(k-1) r with DIRPE: log 2 (d/r) + (d-r) + (2 r -1)

28 MUD: Summary ↑No per-search state—multi-threaded ↑Incremental updates fast ↑Scales well to large databases ↓Additional bits needed ↓Extra search cycles ↑Can still support Gbps speeds

29 Conclusion Range expansion problem: proposed DIRPE, a database independent encoding –scales to large number of ranges –good incremental update properties Multimatch classification problem: MUD –suitable for multithreaded environments –scales to large databases No change to hardware  easy to deploy

Download ppt "Algorithms for Advanced Packet Classification with TCAMs Karthik Lakshminarayanan UC Berkeley Joint work with Anand Rangarajan and Srinivasan Venkatachary."

Similar presentations

A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.

A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.
August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta

August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Network Algorithms, Lecture 4: Longest Matching Prefix Lookups George Varghese.

Network Algorithms, Lecture 4: Longest Matching Prefix Lookups George Varghese.
1 An Efficient, Hardware-based Multi-Hash Scheme for High Speed IP Lookup Hot Interconnects 2008 Socrates Demetriades, Michel Hanna, Sangyeun Cho and Rami.

1 An Efficient, Hardware-based Multi-Hash Scheme for High Speed IP Lookup Hot Interconnects 2008 Socrates Demetriades, Michel Hanna, Sangyeun Cho and Rami.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
M. Waldvogel, G. Varghese, J. Turner, B. Plattner Presenter: Shulin You UNIVERSITY OF MASSACHUSETTS, AMHERST – Department of Electrical and Computer Engineering.

M. Waldvogel, G. Varghese, J. Turner, B. Plattner Presenter: Shulin You UNIVERSITY OF MASSACHUSETTS, AMHERST – Department of Electrical and Computer Engineering.
Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.

Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.
A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.

A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.
On the Code Length of TCAM Coding Schemes Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) 1.

On the Code Length of TCAM Coding Schemes Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) 1.
Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,
Fast Filter Updates for Packet Classification using TCAM Authors: Haoyu Song, Jonathan Turner. Publisher: GLOBECOM 2006, IEEE Present: Chen-Yu Lin Date:

Fast Filter Updates for Packet Classification using TCAM Authors: Haoyu Song, Jonathan Turner. Publisher: GLOBECOM 2006, IEEE Present: Chen-Yu Lin Date:
Worst-Case TCAM Rule Expansion Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel)

Worst-Case TCAM Rule Expansion Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel)
Packet Classification on Multiple Fields Pankaj Gupta and Nick McKeown Stanford University {pankaj, September 2, 1999.

Packet Classification on Multiple Fields Pankaj Gupta and Nick McKeown Stanford University {pankaj, September 2, 1999.
1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu

1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu
CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.

CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.
CS 268: Route Lookup and Packet Classification Ion Stoica March 11, 2003.

CS 268: Route Lookup and Packet Classification Ion Stoica March 11, 2003.
Efficient Multi-Match Packet Classification with TCAM Fang Yu

Efficient Multi-Match Packet Classification with TCAM Fang Yu
SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.

SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.
An Efficient IP Lookup Architecture with Fast Update Using Single-Match TCAMs Author: Jinsoo Kim, Junghwan Kim Publisher: WWIC 2008 Presenter: Chen-Yu.

An Efficient IP Lookup Architecture with Fast Update Using Single-Match TCAMs Author: Jinsoo Kim, Junghwan Kim Publisher: WWIC 2008 Presenter: Chen-Yu.

Similar presentations

Ads by Google