1 Fast packet classification for two-dimensional conflict-free filters Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. Authors: Florin Baboescu, Priyank Warkhede, Subhash Suri, George Varghese Publisher: Computer Networks 50 (2006) 1831–1842 Present: Chi-Lu Yang ( 楊淇祿 ) Date: October, 18, 2007

2 Outline 1. Introduction 2. Problem statement 3. Tuple space approach and search Pre-computation and markers in tuple space Lower bound and impossibility of binary search 4. Binary search scheme 5. Algorithm and improvements 6. Experimental results 7. Conclusions 8. Appendix

3 Introduction The destination-based forwarding can be thought of as one- dimensional packet classification. Two-dimensional filters can be said as a combination of header fields. Such as IP source and destination pairs. we say that two filters conflict if they both match a packet header, but neither filter is contained in the other. Packet classification involves: 1.Selecting header fields from packets and storing them; such as: source and destination addresses, source and destination port numbers, protocol or even parts of URL; 2.Finding out the best packet classification rule (also called filtering rule or filter) to determine action to be taken on the packet.

4 Introduction (cont.) In this paper: 1.We consider fast lookup schemes for two-dimensional conflict-free filters. 2.We examine this lower bound more closely, and discover that the lower bound depends crucially on conflicts in the filter database. 3.Main contribution is to show that binary search can be used for packet classification in 2D filters if the filters are conflict-free. Packet classification applications include: Packet filtering in firewalls, Flow aggregation for MPLS (Multi-Potocol Label Switching) tunneling, QoS routing, Flow-preserving load balanced switching, and Bandwidth guarantees for VPNs.

5 Problem statement The 2-field conflict-free packet classification problem can be defined as follows. Given a conflict-free filter set F of 2-field filters, and a packet with header fields P[i], to determine the best matching filter F, where: P[i] denote the i th field from packet P. A filter set F is a set of k-field filters. F = {F 1, F 2,...,F n } Let F denote a filter, and let F[i], 1 <= i <= k, be the i th prefix is a selected field from packet header A filter rule is said to be a matching filter for packet P if it matches all fields of the packet header. F 1 and F 2 are Conflict filters:

6 Tuple Space Approach Rule (filter) F[1]F[2]Tuple F1F1 00* (2,2) F2F2 0*01*(1,2) F3F3 0* (1,1) F4F4 10* (2,2) F5F5 11*10*(2,2) F6F6 11* (2,2) F7F7 0*10*(1,2) F8F8 *11*(0,2) Tuple: H(T) (F[1], F[2]) Hash Table Entries (0,2)F8F8 (1,1)F3F3 (1,2)F 2, F 7 (2,2)F 1, F 4, F 5, F 6 #F[1] = 3, {0, 1, 2} #F[2] = 2, {1, 2} Totally, 3*2 = 6 tuples <= 8 Search: 1. design H(T) 2. find a best matching entries in H(T) To be parallelly implemented One kind of solutions for Packet classification on multiple fields.

7 Tuple Space Search Rectangle Search: always finds the best matching filters in a w * w tuple space. uses at most 2w-1 hashes in the worst case. builds on two keys ideas: Pre-computation and Markers. Pre-computation Consider a tuple (i, j), where 0 <= i, j <= w. A filter F in this tuple has i bits of source prefix and j bits of destination prefix. All filters mapped in the top-left quadrant of (i, j) are less specific. we can pre-compute and store with F the best matching filter from all the tuples in the top-left quadrant of (i, j). Advantage : we need not search the top-left quadrant of (i, j) An Example : F = (101*, 0110*) ==> tuple T (i, j) = T(3,4) See Fig. 2 (top-left quadrant)

8 Tuple Space Search (cont.) Markers Markers deals with the case when there is no match on a hash probe. Each filter in a tuple (i, j) leaves a marker in all the tuples in the top-left quadrant of (i, j). The marker of a filter F is obtained by taking prefixes of its two fields. An Example : the T(2, 1) marker of the filter F=(11001*, 0011*) is (11*, 0*). Tuple T 2 can leave markers. See Fig. 2 (bottom -right quadrant)

9 Tuple Space Search (cont.) Fig. 3 Time of Rectangle Search algorithm is O(2w-1) in tuple space. Fig. 2 Markers and pre-computation.

10 Tuple Space Search (cont.) Rectangle Search algorithm : (See Fig.3) Given a packet header P, we start by probing the tuple at the bottom-left of the tuple space. If we get a match, we move one column to the right; by pre-computation, any filter from a tuple above the current tuple has been stored with the marker or filter found by the match. If there is no match, we move one row up; by the marker rule, there cannot be any filter matching to the right of the current tuple － Otherwise, that filters marker in the current tuple will also have matched. Thus, each hash probe either eliminates a row or a column. After at most 2w-1 hashes steps (worst case), we find the best matching filter. Next, we examine this lower bound more closely, and observe that if the two-dimensional filters are conflict-free, then indeed binary search performance is possible.

11 Binary search scheme It’s an algorithm and Scheme for 2D conflict-free filters The time of worst case in per lookup is O(log 2 w). Assume that there are n two-dimensional conflict-free filters in a w * w tuple space W. In IPv4, source and destination fields are 32 bits, w=32 Assume that these n filters have been mapped into W tuple space uniquely in constant time. Markers of filters are generated. All filter and markers mapped to a tuple are organized into a hash table. Our search algorithm essentially performs a binary search over the columns of the tuple space, A column i in the tuple space is set of all tuples with exactly i bit source prefixes. Column i is the set of tuples (i, j), j <= w. Markers (See Fig. 4(a))

12 Binary search scheme (cont.) Each filter can create markers in the same row into tuples from columns to its left. Example (Fig. 4(a)): A Filter F in T(4,3) create markers in shaded tuples. For performing binary search on columns, one half of tuple space has to be eliminated per time. For every hash probe into a tuple, the tuple space can be divided into three regions. (in Fig. 4(b)) (1) If a matching filter or marker is found by the hash probe.( Lemma 1) (PS. top-left and bottom-left quadrants can be eliminated) (2) If no matching filter or marker is found in the tuple, then there cannot be any matching filters in right half of the row. (Lemma 2). (PS. right half of the row can be eliminated)

13 Binary search scheme (cont.)

14 Binary search scheme (cont.) Lemma 1. If there exists a filter or marker M matching packet P in tuple (i, j), all columns k < I (columns in the left half) can be eliminated from search space using pre-computation. Lemma 2. If there does not exist any marker (or filter) matching packet P in column i of tuple space, all columns k >= i (columns in the right half) can be eliminated from search space.

15 Binary search scheme(cont.) An Example: Filters F 1 = (1011*, 001*) and F 2 = (0110*, 11001*). F 1 maps to tuple (4, 3) and F 2 maps to tuple (4, 5). For finding any matching filter from column 4, we can take the 4 bits from field 1 and concatenate the prefix for field 2 from filters F 1 and F 2. In order to determine whether or not there exists a matching marker in column i, a best matching prefix lookup can be performed: Binary search algorithm Lemma 3. The Binary Search on Columns algorithm finds the best matching filter in O(log2w) hash probes.

16 Binary search scheme(cont.) For reducing memory requirement, a balanced binary search tree can be created on columns. height of the balanced binary tree is O(logw), number of markers is bounded by O(nlogw), total memory requirement by O(nlog2w). Rectangle Search algorithm : (See Fig.3) Given a packet header P, we start by probing the tuple at the bottom-left of the tuple space.

17 Binary search Algorithm construction of markers for binary search on columns

18 Binary search Algorithm (cont.) construction of secondary-markers

19 Binary search Algorithm (cont.) complete Binary Search on Columns algorithm for filter lookup

20 Binary search Algorithm (cont.) complete Binary Search on Columns algorithm for filter lookup

21 Experimental results

22 Experimental results (cont.)

23 Experimental results (cont.)

24 Conclusions have presented an algorithm that performs lookups in O(log2w) time on 2-field conflict-free filters. This is the fastest 2D filter lookup algorithm with small memory costs known to the authors. The average case performance of this algorithm significantly better than other algorithms in literature for two-dimensional conflict-free filter. The proposed algorithm also has very good space complexity of O(nlog2w). The proposed algorithm is scalable to large filter sets and can be implemented very easily in software.