
Efficient Multi-Match Packet Classification with TCAM


Presentation Transcript


  1. Efficient Multi-Match Packet Classification with TCAM Fang Yu fyu@eecs.berkeley.edu

  2. Outline
  • New applications demand multi-match classification
  • Multi-match classification using TCAM
  • Ordering rules in TCAM
  • Removing negations
  • Simulation results
  • Conclusions

  3. Today’s Packet Classification Systems
  • A classifier consists of N rules, each with F fields
    • Next-hop routing using the destination IP (F=1)
    • Filters from a firewall (F=5)
  • Given a packet, report the highest-priority match
    • E.g., longest prefix match
  • Single-match classification

  4. New Applications
  [Figure: packet header → match; packet payload → scan]
  • Intrusion detection systems (e.g., SNORT)
    • Rule header: a 5-field classification rule for the packet header
    • Rule options: specify intrusion patterns for scanning the entire packet
  • A packet may be related to multiple rules (matching rule headers)
  • Multi-match classification: identify all the matching rule headers

  5. New Applications (cont.)
  • In current networks, a packet sequentially traverses multiple network devices, e.g., firewall, HTTP load balancer, intrusion detection, NAT, etc.
    • Each box introduces extra delay
    • Common functions like classification are repeatedly applied
    • Highly inefficient!
  • Programmable network element
    • Supports multiple functions in one device
    • Each packet may be related to a different set of functions
      • E.g., HTTP packets are related to the firewall and the HTTP load balancer
      • E.g., VPN packets are related to encryption / decryption
    • Multi-match classification: identify all the relevant functions

  6. Multi-Match Classification
  • A classifier consists of N rules, each with F fields
  • Goal: report all the matching rules
  • Software solutions for single-match classification
    • O(log N) query time with O(N^F) storage
    • Real rule sets are simpler than the theoretical worst case
    • State-of-the-art heuristic algorithms: 20-30 memory accesses
  • Multi-match classification
    • More complex than single-match
    • Complex follow-up processing
    • Tighter time requirements
    • 20-30 memory accesses → too slow
  • Can a hardware solution help?

  7. Ternary CAM (TCAM)
  • Fully associative memory: compares the input string with all the entries in parallel
  • If there are multiple matches, reports the index of the first match
  • Each cell takes one of three logic states: ‘0’, ‘1’, and ‘X’ (don’t care)
  • Current TCAM technology
    • Fast: match time 4 ns
    • Size: 1-2 MB
    • Commercially used for single-match classification

  8. Arrange Rules in the TCAM
  • Problem: the TCAM only reports the first matching result
  • For example, two rules with an intersection relationship:
    • “tcp $SQL_SERVER 1433 $EXTERNAL_NET any”
    • “tcp any any any 139”
  • Solution: add additional intersection rules
    • Upper bound on the number of intersections: O(N^F)
    • Real-world rule sets have far fewer intersections
  • Retrieve all matching results solely from the first matched result

  9. Order of Rules
  • Relationship between rules Ei and Ej, with corresponding match lists Mi and Mj:
  • Exclusive (Ei ∩ Ej = ∅): i and j can be in any order.
  • Subset (Ei ⊂ Ej): i < j and Mi ⊇ Mj.
  • Superset (Ei ⊃ Ej): j < i and Mi ⊆ Mj.
  • Intersection (Ei ∩ Ej ≠ ∅): add a rule El = Ei ∩ Ej, with l < i, l < j and (Mi ∪ Mj) ⊆ Ml.

  10. Example ($EXTERNAL_NET = !$HOME_NET)
  • Original rule set
  • Extended rule set in TCAM-compatible order
  [Table: original and extended rule sets; the rule entries are not recoverable from the transcript]

  11. Representing Negation with TCAM
  • 80 in binary form: 0000 0000 0101 0000
  • Negation of 80 (!80)
    • The bitwise complement ¬(0000 0000 0101 0000) = 1111 1111 1010 1111 = 65375 is only a subset of !80
    • Need 16 TCAM entries
  • Multiple negations in one rule
    • “tcp $EXTERNAL_NET any $EXTERNAL_NET !80” requires up to 32*32*16 = 16384 TCAM entries
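An added example (not from the slides) of the two points on slide 11: a single complement entry matches exactly one value rather than the complement set, while the bit-flip expansion of a negated w-bit field into w ternary entries (entry k cares about bit k only and requires it to differ) does match every value except the negated one, and the per-field expansions multiply for a rule with several negations. The port and field widths are constructed for illustration.

```python
"""Added example: what a negated field costs in a ternary CAM (slide 11).
Values here (port 80, field widths) are constructed for illustration."""

def complement_entry(value, width):
    """The single entry slide 11 warns about: the bitwise complement of
    `value` with every bit a care bit. It matches exactly one field value."""
    full = (1 << width) - 1
    return ((~value) & full, full)

def negate_value(value, width):
    """Bit-flip expansion of !value: `width` entries, entry k caring about
    bit k only and requiring it to differ from value's bit k. Any x != value
    differs from value in at least one bit, so it hits at least one entry,
    while value itself hits none. Returns [(value, mask), ...]."""
    entries = []
    for k in range(width):
        bit = 1 << k
        entries.append(((value & bit) ^ bit, bit))
    return entries

def matches_any(entries, x):
    return any((x & m) == v for v, m in entries)

def count_matched(entries, width):
    """How many of the 2**width field values the entry list accepts."""
    return sum(matches_any(entries, x) for x in range(1 << width))

def covers_complement(value, width):
    """Exhaustive check that the expansion accepts every value except `value`."""
    ents = negate_value(value, width)
    return all(matches_any(ents, x) == (x != value) for x in range(1 << width))

def negated_rule_cost(field_widths, negated):
    """Upper bound from slide 11 for one rule: the cross product of the
    per-field expansions (a negated w-bit field costs up to w entries,
    any other field costs 1)."""
    cost = 1
    for w, neg in zip(field_widths, negated):
        cost *= w if neg else 1
    return cost

# Snort-style 5-tuple widths: proto, src ip, src port, dst ip, dst port
FIVE_TUPLE = (8, 32, 16, 32, 16)

if __name__ == "__main__":
    print("entries for !80 on a 16-bit port:", len(negate_value(80, 16)))
    print("values matched by the plain complement:",
          count_matched([complement_entry(80, 16)], 16))
    print("tcp $EXTERNAL_NET any $EXTERNAL_NET !80 costs up to",
          negated_rule_cost(FIVE_TUPLE, (False, True, False, True, True)))
```

The 32 entries per IP field is the worst case the slide quotes; when $HOME_NET is a single prefix of length p, negating it needs only p entries (one per prefix bit that can differ), which is why the slide says "up to".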

  12. Remove Negation
  • Regions generating negation: A, B, D
  • Regions with no negation: C, A ∪ C, C ∪ D, A ∪ B ∪ C ∪ D

  13. Remove Negation
  • Can we extend rules in D to D ∪ C?
  • Yes, we can!
  • With a first-match TCAM

  14. 94.5% saving of TCAM entries

  15. Simulation Results • SNORT intrusion detection rule set

  16. Performance of the Negation Removing Scheme
  • Fits all Snort rule headers into a 128KB-256KB TCAM
  • Retrieves the multi-match classification result with one TCAM lookup and one SRAM lookup (<10 ns)

  17. Conclusions
  • New applications demand multi-match classification
  • A TCAM-based solution to the multi-match classification problem
    • Reports all the matching results with a single TCAM lookup and one SRAM lookup
  • The negation removing scheme can save 93% to 95% of the TCAM space
  • Future work
    • Study the complexity of the multi-match classification problem and the tradeoffs between different approaches
    • Search only part of the TCAM to reduce power consumption

  18. Backup slides

  19. Removing Negation
  • Rules in region C: “* $HOME_NET+ * $HOME_NET+ *”
  • Separator rule 1: “any $HOME_NET any $HOME_NET any”
  • Rules in region D, specified in the form of regions C and D: “* $HOME_NET+ * any *”
  • Rules in region A, specified in the form of regions A and C: “* any * $HOME_NET+ *”
  • Separator rule 2: “any $HOME_NET any any any”
  • Separator rule 3: “any any any $HOME_NET any”
  • Rules applying to region B, specified in the form of regions A, B, C and D: “* any * any *”
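An added example (not code from the slides or the author) of the separator scheme on slides 12, 13 and 19. The region layout is an assumption read off the forms on slide 19: C = source and destination both in $HOME_NET, D = source in / destination outside, A = source outside / destination in, B = both outside. Each rule is copied into every region it covers, written in that block's negation-free form, and a destination-port field is kept so that entries in one block still differ; the rule set, ports and the 32-entries-per-negated-field cost used for comparison are all constructed. The check walks every rule entry a packet matches before the first separator that catches it, which is the set the slide-9 match lists would have to encode within each block.

```python
"""Added example: removing negation with separator rules (slides 12, 13, 19).
Assumed region layout, read off the forms on slide 19: C = src and dst in
$HOME_NET, D = src in / dst outside, A = src outside / dst in, B = both outside.
Rules, ports and the 32-entry cost per negated field are constructed."""

HOME, EXT, ANY = "HOME", "EXT", "ANY"     # $HOME_NET, !$HOME_NET, don't care

# region -> (src in $HOME_NET?, dst in $HOME_NET?)
REGIONS = {"C": (True, True), "D": (True, False), "A": (False, True), "B": (False, False)}
# negation-free (src, dst) form each region block uses (slide 19)
BLOCK_FORM = {"C": (HOME, HOME), "D": (HOME, ANY), "A": (ANY, HOME), "B": (ANY, ANY)}
SEP1, SEP2, SEP3 = (HOME, HOME, ANY), (HOME, ANY, ANY), (ANY, HOME, ANY)

def spec_matches(spec, in_home):
    return spec == ANY or (spec == HOME) == in_home

def rule_matches(rule, pkt):
    """rule = (src spec, dst spec, dport or ANY); pkt = (src_in_home, dst_in_home, dport)."""
    src, dst, dport = rule
    return (spec_matches(src, pkt[0]) and spec_matches(dst, pkt[1])
            and (dport == ANY or dport == pkt[2]))

def covers_region(rule, region):
    s, d = REGIONS[region]
    return spec_matches(rule[0], s) and spec_matches(rule[1], d)

def remove_negation(rules):
    """Emit entries in slide-19 order: C rules, separator 1, D rules, A rules,
    separators 2 and 3, B rules. A rule is copied into every region it covers,
    written in that block's negation-free form. Entries are
    (kind, (src, dst, dport), rule_id) with kind 'rule' or 'sep'."""
    def block(region):
        src, dst = BLOCK_FORM[region]
        return [("rule", (src, dst, r[2]), i)
                for i, r in enumerate(rules) if covers_region(r, region)]
    return (block("C") + [("sep", SEP1, None)]
            + block("D") + block("A")
            + [("sep", SEP2, None), ("sep", SEP3, None)]
            + block("B"))

def entries_hit(tcam, pkt):
    """Rule entries the packet matches before the first separator that matches
    it. The separator is where a first-match TCAM stops a packet that would
    otherwise fall through into a block whose negation has been dropped."""
    hit = set()
    for kind, entry, rid in tcam:
        if rule_matches(entry, pkt):
            if kind == "sep":
                break
            hit.add(rid)
    return hit

def naive_cost(rules, width=32):
    """Entries needed if each !$HOME_NET field is instead expanded (up to
    `width` entries per negated field, as on slide 11)."""
    return sum((width if s == EXT else 1) * (width if d == EXT else 1)
               for s, d, _ in rules)

def verify(rules):
    """For every region and port of interest, the entries hit in the rewritten
    table are exactly the original rules that match the packet."""
    tcam = remove_negation(rules)
    ports = sorted({r[2] for r in rules if r[2] != ANY} | {12345})
    for region in REGIONS.values():
        for dport in ports:
            pkt = (region[0], region[1], dport)
            want = {i for i, r in enumerate(rules) if rule_matches(r, pkt)}
            if entries_hit(tcam, pkt) != want:
                return False
    return True

# Constructed Snort-style rule headers reduced to (src, dst, dst port)
RULES = [
    (EXT, HOME, 80),      # region A
    (EXT, HOME, 445),     # region A
    (HOME, EXT, 1433),    # region D
    (EXT, EXT, ANY),      # region B
    (ANY, HOME, 22),      # regions A and C
    (HOME, ANY, ANY),     # regions C and D
]

if __name__ == "__main__":
    tcam = remove_negation(RULES)
    for kind, entry, rid in tcam:
        print(kind, entry, rid)
    print("entries:", len(tcam), "vs naive:", naive_cost(RULES))
    print("equivalent:", verify(RULES))
```

For the six constructed rules the rewritten table has 11 entries, none containing a negated field, against 1122 if each !$HOME_NET were expanded; the three separators are what make the "any" forms safe, because a packet from $HOME_NET that reaches the region-D block has already been kept out of the region-C block and will be absorbed by separator 2 before it can reach the region-B block.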

  20. Effect of Negation
