Efficient Multi-match Packet Classification with TCAM

1. Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu, randy}@eecs.berkeley.edu

2. Outline • New applications demand multi-match classification • Multi-Match classification using TCAM • Order rules in TCAM • Remove negations • Simulations results • Conclusions

3. Today’s Packet Classification Systems • A classifier consists of N rules, each with F fields • Next hop routing using destination IP (F=1) • Filters from firewall (F=5) • Single-Match Classification: • Assumption: all the rules are associated with priorities • Only the highest priority match matters • E.g., longest prefix match

4. New Applications Packet header Packet Payload Match Scan • Intrusion Detection Systems (e.g., SNORT) • Rule header: a 5-field classification rule for the packet header • Rule options: specify intrusion patterns for the entirepacket scanning. • A packet may be related to multiple rules (matching rule headers) • Multi-Match Classification: Identify all the matching rule headers

5. New Applications (cont.) • In some edge networks • Each box introduces extra delay • Common functions like classification are repeatedly applied • Highly inefficient! • Programmable Network Element • Support multiple functions in one device • Each packet may related to different set of functions • E.g., HTTP packets related to firewall and HTTP load balancer • E.g., VPN packets related to encryption / decryption • Multi- Match Classification: identify the all the relevant functions

6. Multi-Match v.s. Single-Match Classification • A classifier consists of N rules, each with F fields • Single-Match: Report the highest priority rule • Multi-Match: Report all the matching rules • Single-match classification • Software solutions: O(logN) query time with O(NF) storage • Real-world rule sets are simpler than theoretical worst case • State of art heuristic algorithms: 20-30 memory accesses • Multi-Match classification • More complex than single-match • Complex follow-up processing • Tighter time requirements • 20-30 memory accesses  slow • Can hardware solution help?

7. Ternary-CAM (TCAM) • Fully associative memory: compares input string with all the entries in parallel • If multiple matches, report index of the first match • Each cell takes one of three logic states • ‘0’, ‘1’, and ‘X’(don’t care) • Current TCAM technology • Fast Match Time:4 ns • Size: 1-2MB • Commercially used for single-match classification

8. Use TCAM for Multi-Match Classification • Problem: TCAM only reports the first matching result • Return a bit vector of matched results? • Not a good solution because processing cost for bit vector is O(N) • Solution: Add additional intersection rules • Upper bound of intersections O(NF) • Real-world rule set has far less intersections • Retrieve all matching results solely based on the first matched result --- TCAM Compatible Order

9. TCAM Compatible Order • Relationship between rules Ei and Ej , with corresponding matched list Mi and Mj • Exclusive (Ei Ej= ):i and j can have any order. • Subset (Ei Ej): i<j and Mi Mj . • Superset (Ei Ej): j<i and Mi Mj . • Intersection (Ei Ej= ): add a rule El=(Ei Ej) , (l<i, l<j), (Mi Mj) Ml.

10. Extend_rule_set(R){ E = ; for all the rule Ri in R E=Insert(Ri, E); return E; } Insert(x, E){ for all the rule Ei in E { Switch the relationship between Ei and x: Case exclusive: continue; Case subset: Mi = Mx Mi; continue; Case superset: Mx = Mx Mi; add x before Ei ; return E; Case intersection: If (Ei x E and M x Mi) add t = Ei x before Ei ; Mt = Mx Mi } add x at the end of E and return E; } Pseudo-Code for Generating TCAM Compatible Order

11. Example $EXTERNAL_NET=!$HOME_NET • Original rule set • Extended rule set in TCAM compatible order $EXTERNAL_NET $EXTERNAL_NET $EXTERNAL_NET $EXTERNAL_NET

12. Representing Negation with TCAM • 80’s binary form 0000 0000 0101 0000 • Negation of 80 (!80=[0,79], [81,2^16-1]) • 0000 0000 0101 0000 = 1111 1111 1010 1111 = 65375 is only a subset of !80 • Need 16 TCAM entries • Multiple negations in one rule • tcp $EXTERNAL_NET any $EXTERNAL_NET !80 requires up to 32*32*16=16384 TCAM entries

13. Remove Negation • Regions generating negation: • A, B, D • Regions with no negation • C, A C, C D, A B C D

14. Remove Negation • Can we extend rules in D to D C? • Yes, We can! • With a first match TCAM

15. Removing Negation • Rules in region C: “* $HOME_NET+ * $HOME_NET+ *” • Separator rule 1: “any $HOME_NET any $HOME_NET any” • Rules in region D, specified in the form of region C and D: “* $HOME_NET+ * any *” • Rules in region A, specified in the form of region A and C: “* any * $HOME_NET+ *” • Separator rule 2: “any $HOME_NET any any any” • Separator rule 3: “any any any $HOME_NET any” • Rules applying to region B, specified in the form of region A, B, C and D: “* any * any *”

16. 94.5% of TCAM entries saving

17. Analysis of Negation Removing Scheme • More than one negations in each field • Both !80 and !90 in the source port field • !subnet1 and !subnet2 in the destination IP field • Generation of algorithm • For one field Fi, • Ki unique negations with disjoint non-negation forms  Si =Ki separator rules • Ki unique negations with intersected non-negation forms  Si =2Kiseparator rules • Total separator rules: • removing $EXTERNAL_NET from source and destination IP addresses, S1= S2=1 a total of 3 separator rules

18. Simulation Results • SNORT intrusion detection rule set

19. Performance of Negation Removing Scheme • Fit all Snort rule headers into a 256KB TCAM • Retrieve multi-match classification result with one TCAM lookup and one SRAM lookup (<10ns)

20. Effect of Negation

21. Conclusions • New applications demand for multi-mach classification • TCAM-based solution to solve the multi-match classification problem • Report all the matching results with a single TCAM lookup and a SRAM lookup • Negation removing scheme can save 93% to 95% of the TCAM space