A Difference Resolution Approach to Compressing Access Control Lists James Daly, Alex Liu, Eric Torng Michigan State University INFOCOM 2013

Motivation Classifiers used for many applications Packet Forwarding Firewalls Quality of Service Classifiers are growing New threats New services

Motivation Classifier compression is an important problem Device imposed rule limits NetScreen-100 allows only 733 rules Simplifies rule management DIFANE [Yu et al. SIGCOMM 2010]

Background F1 F2 Color 1 3 White 1-3 5 1-5 Black F1 F2 Color 2 3 Black 2-4 1-5 Packet: [2, 4]

Classifier Definition Classifier : list of rules Tuple of d intervals over finite, discrete fields Decision (accept, deny, physical port number, etc.) Only first matching rule applies Classifiers equivalent if they give the same result for all inputs F1 F2 Color 1 3 White 1-3 5 1-5 Black F1 F2 Color 2 3 Black 1-3 White 2-4 1-5

Problem Definition Problem Input: classifier Output: smallest equivalent classifier NP-Hard F1 F2 Color 1 3 White 1-3 5 1-5 Black F1 F2 Color 2 3 Black 1-3 White 2-4 1-5 6

Prior Work Redundancy Removal [eg. Liu and Gouda. DBSec 2005] Iterated Strip Rule [Applegate et al. SODA 2007] Only two dimensions Approximation guarantee: O(min(n1/3, Opt1/2)) Firewall Compressor [Liu et al. INFOCOM 2008] Optimal weighted 1-D case Works on higher dimensions

Motivating Example

Dimension Reduction

FC: Fully Solve Each Row X Y Color 2 2-3 Green 5-6 Red 4-8 White 1-9 Black X Y Color 2 2-3 Green 5-6 Red 4-8 White 1-9 Black 4 5 6-7 Blue 3-8 1-4 X Y Color 2 2-3 Green 5-6 Red 4-8 White 1-9 Black 4 5 6-7 Blue 3-8

Diplomat: Identify and Resolve Differences X Y Color 2-3 2 Green

Diplomat: Identify and Resolve Differences X Y Color 2-3 2 Green

Diplomat: Identify and Resolve Differences X Y Color 2-3 2 Green 6-7 4 Blue X Y Color 2-3 2 Green

Diplomat: Identify and Resolve Differences X Y Color 2-3 2 Green 6-7 4 Blue 5-6 1-4 Red 3-8 White 1-9 Black X Y Color 2-3 2 Green 6-7 4 Blue

Higher Dimensions

Diplomat Three parts Base solver for the last row Resolver Scheduler Firewall Compressor for 1D case Diplomat otherwise Resolver Given two rows identify and resolve differences Merge rows together into one Scheduler Find best order to resolve rows

Different Resolvers F1 F2 Color 1 1-5 White 2 5-9 1-2 Black 4 6 8 1-9 1-1 1-5 White 1 6 Black 8

Scheduling Multi-row resolver: greedy schedule Single-row resolver: dynamic programming schedule

Dynamic Schedule Upper Bound Remaining Row 1 2 3 4 1:0 1:1 2:2 2:4 3:1 1:2 2:3 3:2 4:3 2:0 3:0 4:2 4:0 1 2 3 4 Source Row Lower Bound

Results Comparison of Firewall Compressor and Diplomat on 40 real-life classifiers Divided into sets based on size Diplomat requires 30% fewer rules on largest sets 2-D bounds: O(min(n1/3, Opt1/2)) Set Firewall Compressor Diplomat Small 67.4% 67.2% Medium 50.8% 45.7% Large 44.5% 30.2% All 56.1% 50.6% Mean Compression Ratio

Conclusion Diplomat offers significant improvements over Firewall Compressor because it focuses on the differences between rows Results are most pronounced on larger classifiers Can guarantee approximation bound for 2-D classifiers

Questions?