© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Minimizing Rulesets for TCAM Implementation Presenter: Praveen Yalagandula In collaboration with Rick McGeer HP Labs, Palo Alto, CA

2 Packet Classification A typical task in most network appliances −Firewalls, switches, routers, etc. Definition −Classify packets into different buckets E.g., dstport=80 (web-traffic), ether-type=0x8906 (FCoE) −Apply different actions to packets in different buffers E.g., Allow, Deny, Deny-with-log, High-priority-queue Used for −Access Control Lists −QoS enforcement

3 Ternary Content Addressable Memory XXX Pattern Action Deny Forward ASIC to perform classification at line rates Matches a packet header in parallel against all entires Applies first matching entry’s action to the packet X : Don’t care XXXXXXX Deny-log …… Packet header

4 Problem: Large Rulesets & Range Rules TCAMs are expensive, space-hungry, and power-hungry Large rulesets & rules with ranges  Need large TCAMs −Ranges are common −A single rule with ranges can use up multiple entries E.g., rule 1 < src-port, dst-port < needs 900 entries!! If all rules do not fit into TCAM, then −Some packets need to be diverted to software  substantial reduction in throughput Switch vendors often receive several customer requests for dealing with such rulesets

5 Ruleset Minimization Given a ruleset, find a minimal set of TCAM entries that implement the ruleset 0-6: Deny * : Accept 0XX: Deny 10X: Deny 110: Deny XXX: Accept 111: Accept XXX : Deny Input Ruleset Direct Expansion into TCAM entries Optimized TCAM Entries 0: Deny 2: Deny *: Accept 000: Deny 010: Deny XXX: Accept 0X0: Deny XXX: Accept

6 Previous Research Mostly heuristics based on observed patterns Targeting rules with ranges −Expanding/Trimming ranges [Dong et al. SIGMETRICS’06] −Range Encoding [Liu et al. HotInterconnects’02] [Lakshminarayanan et al. SIGCOMM’05] Decision trees on header fields −TCAM Razor [Mieners et al. ICNP’07]

7 Our Approach: Leverage Boolean Logic Minimization Logic Minimization (LM) −Given a set of Boolean cubes (n-dimensions) −Find a minimal set of cubes that are equivalent to the input −Logic Minimization has been studied extensively A major research topic in VLSI CAD field Several heuristics and tools available However, straightforward LM misses TCAM’s first-match feature

8 LM misses TCAM’s First-Match Rule wx yz A A A A A D D D D D D A --- D A : Allow D : Deny --- : Don’t Care A = y’z’ + wy’ + x’y’ D = y + w’xz LM: 5 cubes 01X1 : Deny (w’xz) XX0X : Allow (y’) XXXX : Deny (1) TCAM: 3 entries ---

9 Our Contributions Formulated TCAM ruleset minimization problem in terms of LM −Minimal Sequential Cover problem Proposed an algorithm and proved its optimality Algorithm is exponential in computational complexity Derived heuristics based on the optimal algorithm Analyzed several artificial and two real rulesets −Avg. reduction in artifical rulesets: 42% −Reduction in real rulesets: 72% and 49%

10 Steps Input ruleset IndividualTa rget Functions Step 1 Minimum Sequential Cover Step 2

11 Converting input to target functions The ordering is significant in the input rulesets too Accept = C 1 Deny = C 2 Accept = C 1 Deny = C 1 ’C 2 C 1 : Accept C 2 : Deny Input Ruleset Boolean Functions C1C1 C2C2 Function F 1 associated with rule 1 Function F 2 associated with rule 2

12 Converting input to target functions (contd.) The ordering is significant in the input rulesets too Accept = C 1 + C 2 + C 3 ’C 4 Deny = C 1 ’C 2 ’C 3 + C 1 ’C 2 ’C 4 ’C 5 C 1 : Accept C 2 : Accept C 3 : Deny C 4 : Accept C 5 : Deny Input Ruleset Functions for rules F 1 = C 1 F 2 = F 1 ’C 2 F 3 = F 1 ’F 2 ’C 3 F 4 = F 1 ’F 2 ’F 3 ’C 4 F 5 = F 1 ’F 2 ’F 3 ’F 4 ’C 5 Accept = F 1 + F 2 + F 4 Deny = F 3 + F 5 Target functions Simplify using: x+x’y = x+y x+xy = x

13 Minimal Sequential Cover Problem Given: a set of target functions Sequential Cover: a sequence of tuples that implement the target functions in TCAM Minimal Sequential Cover: a minimal length sequential cover

14 Exact Solution Recursive procedure over all prime implicants for all functions We prove this is optimal Above is exponential in complexity

15 Heuristics for PERMIT/DENY rulesets PERMIT/DENY rulesets −Only PERMIT rules with an implicit DENY rule at the end −Common in the set of rulesets we have seen Heuristic 1: −Apply Logic Minimization (LM) only on PERMIT cubes Heuristic 2: −Generate DENY Cubes −For each DENY cube, run LM on PERMIT cubes with that deny cube as a don’t-care −Pick DENY cubes that reduce PERMIT cubes −Return those DENY cubes followed by the reduced set of PERMIT cubes Heuristic 3: −Reduce the set of DENY cubes tried in Heuristic 2 through quantification −See paper for details

16 Results Synthetic rulesets −Generated using ClassBench tool (From WU, St.Louis) Two real firewall rulesets −HP Palo Alto firewall −Firewall ruleset from a customer of ProCurve Avg Reduction: 41.6%

17 Further Steps Design a web service to provide our optimization as a service −Customers upload their rules −Our service computes a minimized ruleset −Customers apply the new ruleset in their network appliance Explore more heuristics for further reduction −Deal more than two actions −Deal incremental updates to rulesets

18 Q & A