Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Difference Resolution Approach to Compressing Access Control Lists

Published byIssac Blizzard Modified over 9 years ago

Similar presentations

Presentation on theme: "A Difference Resolution Approach to Compressing Access Control Lists"— Presentation transcript:

1 A Difference Resolution Approach to Compressing Access Control Lists
James Daly, Alex Liu, Eric Torng Michigan State University INFOCOM 2013

2 Motivation Classifiers used for many applications
Packet Forwarding Firewalls Quality of Service Classifiers are growing New threats New services

3 Motivation Classifier compression is an important problem
Device imposed rule limits NetScreen-100 allows only 733 rules Simplifies rule management DIFANE [Yu et al. SIGCOMM 2010]

4 Background F1 F2 Color 1 3 White 1-3 5 1-5 Black F1 F2 Color 2 3 Black
2-4 1-5 Packet: [2, 4]

5 Classifier Definition
Classifier : list of rules Tuple of d intervals over finite, discrete fields Decision (accept, deny, physical port number, etc.) Only first matching rule applies Classifiers equivalent if they give the same result for all inputs F1 F2 Color 1 3 White 1-3 5 1-5 Black F1 F2 Color 2 3 Black 1-3 White 2-4 1-5

6 Problem Definition Problem Input: classifier
Output: smallest equivalent classifier NP-Hard F1 F2 Color 1 3 White 1-3 5 1-5 Black F1 F2 Color 2 3 Black 1-3 White 2-4 1-5 6

7 Prior Work Redundancy Removal [eg. Liu and Gouda. DBSec 2005]
Iterated Strip Rule [Applegate et al. SODA 2007] Only two dimensions Approximation guarantee: O(min(n1/3, Opt1/2)) Firewall Compressor [Liu et al. INFOCOM 2008] Optimal weighted 1-D case Works on higher dimensions

8 Motivating Example

9 Dimension Reduction

10 FC: Fully Solve Each Row
X Y Color 2 2-3 Green 5-6 Red 4-8 White 1-9 Black X Y Color 2 2-3 Green 5-6 Red 4-8 White 1-9 Black 4 5 6-7 Blue 3-8 1-4 X Y Color 2 2-3 Green 5-6 Red 4-8 White 1-9 Black 4 5 6-7 Blue 3-8

11 Diplomat: Identify and Resolve Differences
X Y Color 2-3 2 Green

12 Diplomat: Identify and Resolve Differences
X Y Color 2-3 2 Green

13 Diplomat: Identify and Resolve Differences
X Y Color 2-3 2 Green 6-7 4 Blue X Y Color 2-3 2 Green

14 Diplomat: Identify and Resolve Differences
X Y Color 2-3 2 Green 6-7 4 Blue 5-6 1-4 Red 3-8 White 1-9 Black X Y Color 2-3 2 Green 6-7 4 Blue

15 Higher Dimensions

16 Diplomat Three parts Base solver for the last row Resolver Scheduler
Firewall Compressor for 1D case Diplomat otherwise Resolver Given two rows identify and resolve differences Merge rows together into one Scheduler Find best order to resolve rows

17 Different Resolvers F1 F2 Color 1 1-5 White 2 5-9 1-2 Black 4 6 8 1-9
1-1 1-5 White 1 6 Black 8

18 Scheduling Multi-row resolver: greedy schedule
Single-row resolver: dynamic programming schedule

19 Dynamic Schedule Upper Bound Remaining Row 1 2 3 4 1:0 1:1 2:2 2:4 3:1
1:2 2:3 3:2 4:3 2:0 3:0 4:2 4:0 1 2 3 4 Source Row Lower Bound

20 Results Comparison of Firewall Compressor and Diplomat on 40 real-life classifiers Divided into sets based on size Diplomat requires 30% fewer rules on largest sets 2-D bounds: O(min(n1/3, Opt1/2)) Set Firewall Compressor Diplomat Small 67.4% 67.2% Medium 50.8% 45.7% Large 44.5% 30.2% All 56.1% 50.6% Mean Compression Ratio

21 Conclusion Diplomat offers significant improvements over Firewall Compressor because it focuses on the differences between rows Results are most pronounced on larger classifiers Can guarantee approximation bound for 2-D classifiers

22 Questions?

Download ppt "A Difference Resolution Approach to Compressing Access Control Lists"

Similar presentations

Minimum Clique Partition Problem with Constrained Weight for Interval Graphs Jianping Li Department of Mathematics Yunnan University Jointed by M.X. Chen.

Minimum Clique Partition Problem with Constrained Weight for Interval Graphs Jianping Li Department of Mathematics Yunnan University Jointed by M.X. Chen.
Greedy Algorithms.

Greedy Algorithms.
1 Constraint Satisfaction Problems A Quick Overview (based on AIMA book slides)

1 Constraint Satisfaction Problems A Quick Overview (based on AIMA book slides)
Principal Component Analysis Based on L1-Norm Maximization Nojun Kwak IEEE Transactions on Pattern Analysis and Machine Intelligence, 2008.

Principal Component Analysis Based on L1-Norm Maximization Nojun Kwak IEEE Transactions on Pattern Analysis and Machine Intelligence, 2008.
An On-Chip IP Address Lookup Algorithm Author: Xuehong Sun and Yiqiang Q. Zhao Publisher: IEEE TRANSACTIONS ON COMPUTERS, 2005 Presenter: Yu Hao, Tseng.

An On-Chip IP Address Lookup Algorithm Author: Xuehong Sun and Yiqiang Q. Zhao Publisher: IEEE TRANSACTIONS ON COMPUTERS, 2005 Presenter: Yu Hao, Tseng.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
IJCAI 20091 Russian Doll Search with Tree Decomposition Martí Sànchez, David Allouche, Simon de Givry, and Thomas Schiex INRA Toulouse, FRANCE.

IJCAI Russian Doll Search with Tree Decomposition Martí Sànchez, David Allouche, Simon de Givry, and Thomas Schiex INRA Toulouse, FRANCE.
Approximation Algorithms for Capacitated Set Cover Ravishankar Krishnaswamy (joint work with Nikhil Bansal and Barna Saha)

Approximation Algorithms for Capacitated Set Cover Ravishankar Krishnaswamy (joint work with Nikhil Bansal and Barna Saha)
A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.

A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.
First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.

First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.
1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.

1 TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs Department of Computer Science and Information Engineering National.
CS774. Markov Random Field : Theory and Application Lecture 17 Kyomin Jung KAIST Nov 05 2009.

CS774. Markov Random Field : Theory and Application Lecture 17 Kyomin Jung KAIST Nov
Approximating Maximum Edge Coloring in Multigraphs

Approximating Maximum Edge Coloring in Multigraphs
1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu

1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu
Privacy-Preserving Cross-Domain Network Reachability Quantification

Privacy-Preserving Cross-Domain Network Reachability Quantification
Zoë Abrams, Ashish Goel, Serge Plotkin Stanford University Set K-Cover Algorithms for Energy Efficient Monitoring in Wireless Sensor Networks.

Zoë Abrams, Ashish Goel, Serge Plotkin Stanford University Set K-Cover Algorithms for Energy Efficient Monitoring in Wireless Sensor Networks.
SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.

SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Martin Austin Motoyama 1 Randy H. Katz 1 1 EECS.
System-Wide Energy Minimization for Real-Time Tasks: Lower Bound and Approximation Xiliang Zhong and Cheng-Zhong Xu Dept. of Electrical & Computer Engg.

System-Wide Energy Minimization for Real-Time Tasks: Lower Bound and Approximation Xiliang Zhong and Cheng-Zhong Xu Dept. of Electrical & Computer Engg.
September 12, 2006IEEE PIMRC 2006, Helsinki, Finland1 On the Packet Header Size and Network State Tradeoff for Trajectory-Based Routing in Wireless Networks.

September 12, 2006IEEE PIMRC 2006, Helsinki, Finland1 On the Packet Header Size and Network State Tradeoff for Trajectory-Based Routing in Wireless Networks.
Finding a maximum independent set in a sparse random graph Uriel Feige and Eran Ofek.

Finding a maximum independent set in a sparse random graph Uriel Feige and Eran Ofek.

Similar presentations

Ads by Google