Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Published byNigel Freckleton Modified over 9 years ago

Similar presentations

Presentation on theme: "Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International."— Presentation transcript:

1 Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International Conference on Network Protocols Riverside, CA, November 2001

2 2 Outline Motivation for packet classification Performance metrics Related work Our approaches Performance results Summary

3 3 Motivation Traditionally, routers forward packets based on the destination field only Firewall and diff-serv require packet classification forward packets based on multiple fields in the packet header e.g. source IP address, destination IP address, source port, destination port, protocol, type of service (ToS) …

4 4 Problem Specification Given a set of filters (or rules), find the least cost matching filter for each incoming packet Each filter specifies Some criterion on K fields Associated directive Cost Example: Rule 1: 24.128.0.0/16 4.0.0.0/8 … udp deny Rule 2: 64.248.128.0/20 8.16.192.0/24 … tcp permit … Rule N: 24.128.0.0/16 4.16.128.0/20 … any permit Incoming packet: [24.128.34.8, 4.16.128.3, udp] Answer: rule 1

5 5 Performance Metrics Classification speed Wire rate lookup for minimum size (40 byte) packets at OC192 (10 Gbps) speeds. Memory usage Should use memory linear in the number of rules Update time Slow updates are acceptable Impact on search speed should be minimal

6 6 Related Work Given N rules in K dimensions, the worst-case bounds O(log N) search time, O(N (K-1) ) memory O(N) memory, O((log N) (K-1) ) search time Tree based Grid-of-tries (Srinivasan et.al. Sigcomm’98) Fat Inverted Segment Tree (Feldman et.al. Infocom’00) Cross-producting (Srinivasan et.al. Sigcomm’98) Bit vector scheme Lucent bit vector (Lakshman et.al. Sigcomm’98) Aggregated bit vector scheme (Baboescu et.al. Sigcomm’01) RFC (Pankaj et.al. Sigcomm’99) Tuple Space Search (Srinivasan et.al. Sigcomm’99)

7 7 Backtracking Search A trie is a binary branching tree, with each branch labeled 0 or 1 The prefix associated with a node is the concatenation of all the bits from the root to the node F100* F210* A B C F2 F1 1 0 0 0 D E

8 8 Backtracking Search (Cont.) Extend to multiple dimensions Standard backtracking Depth-first traversal of the tree visiting all the nodes satisfying the given constraints Example: Search for [00*,0*,0*] Result: F8 Reason for backtrack 00* matches *, 0*, 00* 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 F1 F4 F7 F2 F6 F3 F8 F5 1 C D E A B H I J K F G

9 9 Set Pruning Tries Multiplane trie Fully specify all search paths so that no backtracking is necessary Performance O(logN) search time O(N (k-1) ) storage

10 10 Set Pruning Tries: Conversion Converting a backtracking trie to a set pruning trie is essentially replacing a general filter with more specific filters

11 11 Set Pruning Tries: Example 0 0 0 1 1 1 0 0 0 1 1 1 10 F1 F2 F3Min(F1,F2) F2 Min(F2,F3) Backtracking TrieSet Pruning Trie F2 Replace [*,*,*] with [0*,0*,*], [0*,0*,0*], [0*,1*,*], [1**,0*,*],[1*,1*,*], and [1*,1*,1*]. A DCBE F

12 12 Performance Evaluation 5 real databases from various sites Five dimensions src IP, dest IP, src port, dest port, protocol Performance metrics Total storage Total number of nodes in the multiplane trie Worst-case lookup time Total number of memory accesses in the worst-case assuming 1 bit at a time trie traversal

13 13 Performance Results Data base # Rules BacktrackingSet Pruning Tries Lookup time StorageLookup time Storage 1671461848865541 2158153491410251785 3183169394910259180 42792026785102123951 52662086555102165920 Backtracking has small storage and affordable lookup time.

14 14 Major Optimizations Trie compression algorithm Pipelining the search Selective pushing Using minimal hardware

15 15 Trie Compression Algorithm  If a path AB satisfies the Compressible Property:  All nodes on its left point to the same place L  All nodes on its right point to the same place R then we compress the entire branches by 3 edges  Center edge with value  (AB) pointing to B  Left edge with value <  (AB) pointing to L  Right edge with value >  (AB) pointing to R  Advantages of compression: save time & storage 0 branch >01010 0 branch = 01010 0 branch < 01010 F1 F2F3 0 0 1 1 0 0 1 0 1F2F1F3

16 16 Performance Evaluation of Compression DatabaseLookup Time of Uncompressed Lookup Time of Compressed 114630 215351 316949 420298 520859 Compression reduces the lookup time by a factor of 2 - 5

17 17 Pipelining Backtracking Use pipeline to speed up backtracking Issues The amount of register memory passed between pipelining stages need to be small The amount of main memory need to be small Pipeline Stage 1 Pipeline Stage 2 Pipeline Stage m

18 18 Pipelining Backtracking: Limit the amount of register Standard backtracking requires O(KW) state for K-dimensional filters, with each dimension W-bit long Our approach Visit more general filters first, and more specific filters later Example Search for [00*,0*,0*] A-B-H-J-K-C-D-E-F-G Result: F8 Performance K+1 32-bit registers 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 F1 F4 F7 F2 F6 F3 F8 F5 1 C D E B H I J K F G A

19 19 Pipelining Backtracking: Limit the amount of memory Simple approach Store an entire backtracking search trie at every pipelining stage Storage increases proportionally with the number of pipelining stages Our approach Have pipeline stage i store only the trie nodes that will be visited in the stage i

20 20 Storage Requirement for Pipeline Storage increases moderately with the number of pipelining stages (i.e. slope < 1).

21 21 Trading Storage for Time Smoothly tradeoff storage for time Observations Set pruning tries eliminate all backtracking by pushing down all filters  intensive storage Eliminate backtracking for filters with large backtracking time Selective push  Push down the filters with large backtracking time  Iterate until the worst-case backtracking time satisfies our requirement O((logN) (k-1) ) Time (e.g. Backtrack) O(N (k-1) ) Space (e.g. Set Pruning)

22 22 Example of Selective Pushing Goal: worst-case memory accesses  11  The filter [0*, 0*, 000*] has 12 memory accesses.  Push the filter down  reduce lookup time  Now the search cost of the filter [0*,0*,001*] becomes 12 memory accesses. So we need to push it down. Done! F1 F3 F2 F1 F3 F1 F2 F1 F2 F3 F2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 111 00 0 0 0 1

23 23 Performance of Selective Push Uncompressed TrieCompressed Trie Lookup time is reduced with moderate increase in storage until we reach the knee of the curve.

24 24 Summary Experimentally show simple trie based schemes perform much better than the worst case figure Propose optimizations Trie compression Pipelining the search Selective push

25 25 Summary (Cont.) ApproachDescriptionPerformance Gain Trie compression algorithm Effectively exploit redundancy in trie nodes by using range match Reduce lookup time by a factor of 2 – 5, save storage by a factor of 2.8 – 8.7 Pipelining the search Split the search into multiple pipelining stages, and each stage is responsible for a portion of search Increase throughput with marginal increase in memory cost Selective push “Push down” the filters with large backtracking time Reduce lookup time by 10 – 25% with only marginal increase in storage

Download ppt "Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International."

Similar presentations

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.

A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.
Router/Classifier/Firewall Tables Set of rules—(F,A)  F is a filter Source and destination addresses. Port number and protocol. Time of day.  A is an.

Router/Classifier/Firewall Tables Set of rules—(F,A)  F is a filter Source and destination addresses. Port number and protocol. Time of day.  A is an.
Internet Routers

Internet Routers
Data plane algorithms in routers

Data plane algorithms in routers
Packet Classification using Hierarchical Intelligent Cuttings

Packet Classification using Hierarchical Intelligent Cuttings
Multi-dimensional Packet Classification on FPGA: 100Gbps and Beyond

Multi-dimensional Packet Classification on FPGA: 100Gbps and Beyond
1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.

1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.
Spring 2006CS 685 Network Algorithmics1 Principles in Practice CS 685 Network Algorithmics Spring 2006.

Spring 2006CS 685 Network Algorithmics1 Principles in Practice CS 685 Network Algorithmics Spring 2006.
M. Waldvogel, G. Varghese, J. Turner, B. Plattner Presenter: Shulin You UNIVERSITY OF MASSACHUSETTS, AMHERST – Department of Electrical and Computer Engineering.

M. Waldvogel, G. Varghese, J. Turner, B. Plattner Presenter: Shulin You UNIVERSITY OF MASSACHUSETTS, AMHERST – Department of Electrical and Computer Engineering.
IP Routing Lookups Scalable High Speed IP Routing Lookups.

IP Routing Lookups Scalable High Speed IP Routing Lookups.
A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.

A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.
Tries Standard Tries Compressed Tries Suffix Tries.

Tries Standard Tries Compressed Tries Suffix Tries.
On the Code Length of TCAM Coding Schemes Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) 1.

On the Code Length of TCAM Coding Schemes Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel) 1.
1 A Tree Based Router Search Engine Architecture With Single Port Memories Author: Baboescu, F.Baboescu, F. Tullsen, D.M. Rosu, G. Singh, S. Tullsen, D.M.Rosu,

1 A Tree Based Router Search Engine Architecture With Single Port Memories Author: Baboescu, F.Baboescu, F. Tullsen, D.M. Rosu, G. Singh, S. Tullsen, D.M.Rosu,
CSIE NCKU High-performance router architecture 高效能路由器的架構與設計.

CSIE NCKU High-performance router architecture 高效能路由器的架構與設計.
Worst-Case TCAM Rule Expansion Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel)

Worst-Case TCAM Rule Expansion Ori Rottenstreich (Technion, Israel) Joint work with Isaac Keslassy (Technion, Israel)
Packet Classification on Multiple Fields Pankaj Gupta and Nick McKeown Stanford University {pankaj, September 2, 1999.

Packet Classification on Multiple Fields Pankaj Gupta and Nick McKeown Stanford University {pankaj, September 2, 1999.
CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.

CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.
CS 268: Route Lookup and Packet Classification Ion Stoica March 11, 2003.

CS 268: Route Lookup and Packet Classification Ion Stoica March 11, 2003.

Similar presentations

Ads by Google