Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,"— Presentation transcript:

1 Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu, randy}@eecs.berkeley.edu

2 Outline New applications demand multi-match classification Multi-Match classification using TCAM  Order rules in TCAM  Remove negations Simulations results Conclusions

3 Today’s Packet Classification Systems A classifier consists of N rules, each with F fields  Next hop routing using destination IP (F=1)  Filters from firewall (F=5) Single-Match Classification:  Assumption: all the rules are associated with priorities  Only the highest priority match matters  E.g., longest prefix match Source IPDestination IPSource PortDestination PortProtocolActionPriority 128.59.67.100128.**15Tcpdrop2 128.*128.2.3.1*25tcpallow1

4 New Applications Intrusion Detection Systems (e.g., SNORT)  Rule header: a 5-field classification rule for the packet header  Rule options: specify intrusion patterns for the entire packet scanning. Packet header Match A packet may be related to multiple rules (matching rule headers) Multi-Match Classification: Identify all the matching rule headers Packet Payload Scan

5 In some edge networks  Each box introduces extra delay  Common functions like classification are repeatedly applied  Highly inefficient! Programmable Network Element  Support multiple functions in one device  Each packet may related to different set of functions E.g., HTTP packets related to firewall and HTTP load balancer E.g., VPN packets related to encryption / decryption  Multi- Match Classification: identify the all the relevant functions New Applications (cont.)

6 Multi-Match v.s. Single-Match Classification A classifier consists of N rules, each with F fields  Single-Match: Report the highest priority rule  Multi-Match: Report all the matching rules Single-match classification  Software solutions: O(logN) query time with O(N F ) storage  Real-world rule sets are simpler than theoretical worst case State of art heuristic algorithms: 20-30 memory accesses Multi-Match classification  More complex than single-match  Complex follow-up processing  Tighter time requirements 20-30 memory accesses  slow Can hardware solution help?

7 Ternary-CAM (TCAM) Fully associative memory: compares input string with all the entries in parallel  If multiple matches, report index of the first match Each cell takes one of three logic states  ‘0’, ‘1’, and ‘X’(don’t care) Current TCAM technology  Fast Match Time: 4 ns  Size: 1-2MB  Commercially used for single-match classification

8 Use TCAM for Multi-Match Classification Problem: TCAM only reports the first matching result  Return a bit vector of matched results?  Not a good solution because processing cost for bit vector is O(N) Solution: Add additional intersection rules  Upper bound of intersections O(N F )  Real-world rule set has far less intersections  Retrieve all matching results solely based on the first matched result --- TCAM Compatible Order

9 TCAM Compatible Order Relationship between rules E i and E j, with corresponding matched list M i and M j  Exclusive (E i E j = ): i and j can have any order.  Subset (E i E j ): i<j and M i M j.  Superset (E i E j ): j<i and M i M j.  Intersection (E i E j = ): add a rule E l =(E i E j ), (l<i, l<j), (M i M j ) M l.

10 Pseudo-Code for Generating TCAM Compatible Order Extend_rule_set(R){ E = ; for all the rule Ri in R E=Insert(Ri, E); return E; } Insert(x, E){ for all the rule Ei in E { Switch the relationship between Ei and x: Case exclusive: continue; Case subset: Mi = Mx Mi; continue; Case superset: Mx = Mx Mi; add x before Ei ; return E; Case intersection: If (Ei x E and M x Mi) add t = Ei x before Ei ; Mt = Mx Mi } add x at the end of E and return E; }

11 Example Original rule set Extended rule set in TCAM compatible order 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139 Extended rules Matched List Tcp $SQL_SERVER 1443 $EXTERNAL_NET 1391,3 Tcp $SQL_SERVER 1433 $EXTERNAL_NET any1 Tcp $EXTERNAL_NET 119 $HOME_NET 1392,3 Tcp $EXTERNAL_NET 119 $HOME_NET any2 Tcp any any any 1393 $EXTERNAL_NET $EXTERNAL_NET=!$HOME_NET

12 Representing Negation with TCAM 80’s binary form 0000 0000 0101 0000 Negation of 80 (!80=[0,79], [81,2^16-1])  0000 0000 0101 0000 = 1111 1111 1010 1111 = 65375 is only a subset of !80  Need 16 TCAM entries Multiple negations in one rule  tcp $EXTERNAL_NET any $EXTERNAL_NET !80 requires up to 32*32*16=16384 TCAM entries 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 0xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx0x xxxx xxxx xxxx xxx1 xxxx xxxx xxxx xxxx 1xxx xxxx xxxx xxxx x1xx xxxx xxxx xxxx xx1x xxxx xxxx xxxx xxx1

13 Remove Negation Regions generating negation:  A, B, D Regions with no negation  C, A C, C D, A B C D 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139

14 Remove Negation Can we extend rules in D to D C?  Yes, We can! With a first match TCAM 1Tcp $SQL_SERVER 1433 $EXTERNAL_NET any 2Tcp $EXTERNAL_NET 119 $HOME_NET Any 3Tcp Any Any Any 139 TCAM entriesMatched List tcp $HOME_NET any $HOME_NET 139 3 any $HOME_NET any $HOME_NET any Tcp $SQL_SERVER 1443 any 139 1,3 Tcp $SQL_SERVER 1433 any any 1

15 Removing Negation Rules in region C: “* $HOME_NET+ * $HOME_NET+ *” Separator rule 1: “any $HOME_NET any $HOME_NET any” Rules in region D, specified in the form of region C and D: “* $HOME_NET+ * any *” Rules in region A, specified in the form of region A and C: “* any * $HOME_NET+ *” Separator rule 2: “any $HOME_NET any any any” Separator rule 3: “any any any $HOME_NET any” Rules applying to region B, specified in the form of region A, B, C and D: “* any * any *”

16 Extended rulesMatched ListTCAM entries needed Tcp $SQL_SERVER 1443 $EXTERNAL_NET 1391,332 Tcp $SQL_SERVER 1433 $EXTERNAL_NET any132 Tcp $EXTERNAL_NET 119 $HOME_NET 1392,332 Tcp $EXTERNAL_NET 119 $HOME_NET any232 Tcp any any any 13931 TCAM Index TCAM entriesMatched List 1tcp $HOME_NET any $HOME_NET 1393 2any $HOME_NET any $HOME_NET any 3Tcp $SQL_SERVER 1443 any 1391,3 4Tcp $SQL_SERVER 1433 any any1 5Tcp any 119 $HOME_NET 1392,3 6Tcp any 119 $HOME_NET any2 7Tcp any any any 1393 94.5% of TCAM entries saving

17 Analysis of Negation Removing Scheme More than one negations in each field  Both !80 and !90 in the source port field  !subnet1 and !subnet2 in the destination IP field Generation of algorithm  For one field F i, K i unique negations with disjoint non-negation forms  S i =K i separator rules K i unique negations with intersected non-negation forms  S i =2 Ki separator rules  Total separator rules: removing $EXTERNAL_NET from source and destination IP addresses, S 1 = S 2 =1  a total of 3 separator rules

18 Simulation Results SNORT intrusion detection rule set VersionRule Set Size # of rules in extended set Single negation Double negations Triple negations 2.0.02403,69362.334%0.975%0 2.0.12554,00962.484%1.422%0.025% 2.1.02574,01562.540%1.420%0.025% 2.1.12634,33062.332%1.363%0.023%

19 Performance of Negation Removing Scheme Snort version With NegationNegation RemovedTCAM Space saved Extended rule set size TCAM Entries needed Extended rule set size TCAM Entries needed 2.0.03,693120,4094,1017,85393.4% 2.0.14,009145,2084,4118,12494.4% 2.1.04,015145,3524,4208,13394.4% 2.1.14,330151,9234,7978,64994.3% Fit all Snort rule headers into a 256KB TCAM  Retrieve multi-match classification result with one TCAM lookup and one SRAM lookup (<10ns)

20 Effect of Negation

21 Conclusions New applications demand for multi-mach classification TCAM-based solution to solve the multi- match classification problem  Report all the matching results with a single TCAM lookup and a SRAM lookup Negation removing scheme can save 93% to 95% of the TCAM space

Download ppt "Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,"

Similar presentations

1 SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Marti Austin Motoyama 1 Randy H. Katz 1 1 EECS.

1 SSA: A Power and Memory Efficient Scheme to Multi-Match Packet Classification Fang Yu 1 T. V. Lakshman 2 Marti Austin Motoyama 1 Randy H. Katz 1 1 EECS.
IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.

A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.
August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta

August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta
1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.

1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.

Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.
A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.

A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.
Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.

Reviewer: Jing Lu Gigabit Rate Packet Pattern- Matching Using TCAM Fang Yu, Randy H. Katz T. V. Lakshman UC Berkeley Bell Labs, Lucent ICNP’2004.
Power Efficient IP Lookup with Supernode Caching Lu Peng, Wencheng Lu*, and Lide Duan Dept. of Electrical & Computer Engineering Louisiana State University.

Power Efficient IP Lookup with Supernode Caching Lu Peng, Wencheng Lu*, and Lide Duan Dept. of Electrical & Computer Engineering Louisiana State University.
Efficient IP-Address Lookup with a Shared Forwarding Table for Multiple Virtual Routers Author: Jing Fu, Jennifer Rexford Publisher: ACM CoNEXT 2008 Presenter:

Efficient IP-Address Lookup with a Shared Forwarding Table for Multiple Virtual Routers Author: Jing Fu, Jennifer Rexford Publisher: ACM CoNEXT 2008 Presenter:
Packet Classification on Multiple Fields Pankaj Gupta and Nick McKeown Stanford University {pankaj, September 2, 1999.

Packet Classification on Multiple Fields Pankaj Gupta and Nick McKeown Stanford University {pankaj, September 2, 1999.
1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu

1 Energy Efficient Multi-match Packet Classification with TCAM Fang Yu
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.

CS 268: Lectures 13/14 (Route Lookup and Packet Classification) Ion Stoica April 1/3, 2002.
CS 268: Route Lookup and Packet Classification Ion Stoica March 11, 2003.

CS 268: Route Lookup and Packet Classification Ion Stoica March 11, 2003.
Efficient Multi-Match Packet Classification with TCAM Fang Yu

Efficient Multi-Match Packet Classification with TCAM Fang Yu
1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman

1 Gigabit Rate Multiple- Pattern Matching with TCAM Fang Yu Randy H. Katz T. V. Lakshman

Similar presentations

Ads by Google