
A prefix-based approach for managing hybrid specifications in complex packet filtering

A prefix-based approach for managing hybrid specifications in complex packet filtering. Author: Nizar Ben Neji, Adel Bouhoula. Publisher: Computer Networks 56 (2012). Presenter: Yu Hao, Tzeng. Date: 2012/11/. Outline: Introduction, Proposed technique, Performance, Conclusion.


Presentation Transcript


  1. A prefix-based approach for managing hybrid specifications in complex packet filtering Author: Nizar Ben Neji, Adel Bouhoula Publisher: Computer Networks 56 (2012) Presenter: Yu Hao, Tzeng Date: 2012/11/

  2. Outline • Introduction • Proposed technique • Performance • Conclusion

  3. Introduction • A packet filter must support rule sets involving any type of condition. • Prefix-based packet filters have gained wide acceptance in the research community for storing. • Range-based fields need to be converted into a set of standard prefixes to guarantee the homogeneity. • Since multiple packet header fields can contain several range specifications, a single rule may require multiple memory entries. • The difficulty lies in the fact that multiple memory entries have to be allocated to represent a rule containing various range specifications.

  4. Introduction (Cont.) • DRPC(direct range to prefix conversion) • Example :

  5. Introduction (Cont.) • The NAF (Non-Adjacent Form) conversion method lets us obtain a better conversion ratio than the previous proposed solutions. • Example :

  6. Introduction (Cont.)

  7. Introduction (Cont.)

  8. Proposed technique • Notation and definitions • An elementary w-bit range can be written using a single w-bit prefix. • Example : • 192.168.100.0 ~ 192.168.100.255 => • An extended w-bit range [L, U] of an arbitrary w-bit range [l, u] is the smallest elementary range containing the w-bit range [l, u]. • Two w-bit ranges and are adjacent ranges if . • Two elementary ranges and are consecutive if they are adjacent and their widths are equal or are consecutive powers of 2.

  9. Proposed technique (Cont.) • NAF conversion of arbitrary range • Direct range-to-prefix conversion (DRPC) • Indirect range to signed prefixes (IRSP) • Lower{} is a list of Integers • Upper{} is a list of Integers • Sign{} is a binary list

  10. Proposed technique (Cont.) • NAF conversion of arbitrary range • Example :

  11. Proposed technique (Cont.) • NAF conversion of arbitrary range • Direct range to signed prefixes (DRSP) • DRSP is better than the indirect conversion in terms of time since it lets us avoid the use of two conversion stages. [Figure: Arbitrary Range → DRSP → Signed Prefixes]

  12. Proposed technique (Cont.) • NAF conversion of arbitrary range • Direct range to signed prefixes (DRSP) • isElementaryRange() is a boolean function that takes as input an arbitrary w-bit range [l, u] and tells whether it can be represented using a single prefix or not. • extendedRange() takes as input an arbitrary range [l, u] and returns the smallest elementary range covering it. • addSignedPrefix() stores the resulting signed prefixes in the lists Lower{}, Upper{} and Sign{}.

  13. Proposed technique (Cont.) • NAF conversion of arbitrary range • Algorithm

  14. Proposed technique (Cont.) • Building the two-staged data structure

  15. Proposed technique (Cont.)

  16. Proposed technique (Cont.) • Building the two-staged data structure

  17. Proposed technique (Cont.) • The matching process • Example :

  18. Proposed technique (Cont.) • The matching process • Example :

  19. Proposed technique (Cont.) • The matching process • searching for the longest matching prefix • searching for the shortest prefix that does not match. • Example :

  20. Performance

  21. Performance (Cont.)

  22. Performance (Cont.)

  23. Conclusion • In this paper, the essential issues related to the resolution of the range matching problem arising in the packet filtering process were thoroughly examined and efficiently solved using the new concept of signed prefixes.
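
As an added example (not code from the paper or the slides), the Python sketch below contrasts DRPC from slides 4 and 9 with a signed-prefix decomposition built on the helper names from slide 12. The complement recursion and the sum-of-signs matching rule are assumptions made here, not the paper's DRSP or matching algorithm, and the recursion does not guarantee a minimal number of entries.

```python
# Added illustration. Helper names follow slide 12; the decomposition is an
# assumed complement recursion, not the paper's DRSP algorithm.

def is_elementary_range(l, u):
    """True if [l, u] is one prefix: power-of-two size and aligned start."""
    size = u - l + 1
    return (size & (size - 1)) == 0 and l % size == 0

def extended_range(l, u):
    """Smallest elementary range [L, U] containing [l, u]."""
    k = 0
    while (l >> k) != (u >> k):      # drop low bits until both ends agree
        k += 1
    L = (l >> k) << k
    return L, L + (1 << k) - 1

def drpc(l, u, w):
    """Direct range-to-prefix conversion: list of (lower, upper) prefixes."""
    out = []
    while l <= u:
        size = (l & -l) or (1 << w)  # largest block aligned at l
        while size > u - l + 1:      # shrink until it fits the remainder
            size >>= 1
        out.append((l, l + size - 1))
        l += size
    return out

def signed_prefixes(l, u, sign=+1):
    """Entries (sign, lower, upper), mirroring Sign{}, Lower{}, Upper{}."""
    if l > u:
        return []
    if is_elementary_range(l, u):
        return [(sign, l, u)]
    L, U = extended_range(l, u)
    # [l, u] = [L, U] minus [L, l-1] minus [u+1, U]; complements flip sign.
    return ([(sign, L, U)] + signed_prefixes(L, l - 1, -sign)
            + signed_prefixes(u + 1, U, -sign))

def matches(entries, x):
    """Assumed rule: x is in the range iff the covering signs sum to 1."""
    return sum(s for s, lo, hi in entries if lo <= x <= hi) == 1

def fmt(lo, hi, w):
    """Render an elementary range as value/prefix-length."""
    return f"{lo}/{w - (hi - lo).bit_length()}"

if __name__ == "__main__":
    w, l, u = 16, 1, 65534           # constructed 16-bit port range
    print(len(drpc(l, u, w)), "DRPC prefixes")
    for s, lo, hi in signed_prefixes(l, u):
        print("+" if s > 0 else "-", fmt(lo, hi, w))
```

For the constructed range [1, 65534], DRPC needs 30 entries while the signed form needs 3; for a narrow range that straddles a large alignment boundary, such as [7, 8], this simple recursion produces more entries than DRPC.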
