
Efficient Multi-Match Packet Classification with TCAM Fang Yu



Presentation on theme: "Efficient Multi-Match Packet Classification with TCAM Fang Yu"— Presentation transcript:

1 Efficient Multi-Match Packet Classification with TCAM
Fang Yu, fyu@eecs.berkeley.edu

2 Outline
- New applications demand multi-match classification
- Multi-match classification using TCAM
  - Order rules in TCAM
  - Remove negations
- Simulation results
- Conclusions

3 Today's Packet Classification Systems
- A classifier consists of N rules, each with F fields
  - Next-hop routing using the destination IP (F=1)
  - Firewall filters (F=5)
- Given a packet, report the highest-priority match
  - E.g., longest prefix match
  - This is single-match classification

Source IP | Destination IP | Source Port | Destination Port | Protocol | Action | Priority
128.59.67.100 | 128.* | * | 15 | tcp | drop | 2
128.* | 128.2.3.1 | * | 25 | tcp | allow | 1

4 New Applications
- Intrusion detection systems (e.g., SNORT)
  - Rule header: a 5-field classification rule applied to the packet header
  - Rule options: specify intrusion patterns for scanning the entire packet
- A packet may be related to multiple rules (it matches several rule headers)
- Multi-match classification: identify all the matching rule headers
(Figure: packet header match followed by packet payload scan)

5 New Applications (cont.)
- In current networks, a packet sequentially traverses multiple network devices, e.g., firewall, HTTP load balancer, intrusion detection, NAT, etc.
  - Each box introduces extra delay
  - Common functions like classification are applied repeatedly
  - Highly inefficient!
- Programmable network element
  - Supports multiple functions in one device
  - Each packet may be related to a different set of functions
    - E.g., HTTP packets are related to the firewall and the HTTP load balancer
    - E.g., VPN packets are related to encryption / decryption
  - Multi-match classification: identify all the relevant functions

6 Multi-Match Classification
- A classifier consists of N rules, each with F fields
  - Goal: report all the matching rules
- Software solutions for single-match classification
  - O(log N) query time with O(N^F) storage
  - Real rule sets are simpler than the theoretical worst case
  - State-of-the-art heuristic algorithms: 20-30 memory accesses
- Multi-match classification
  - More complex than single-match
  - Complex follow-up processing
  - Tighter time requirements: 20-30 memory accesses is too slow
- Can a hardware solution help?

7 Ternary CAM (TCAM)
- Fully associative memory: compares the input string with all entries in parallel
  - If there are multiple matches, it reports the index of the first match
- Each cell takes one of three logic states
  - '0', '1', and 'X' (don't care)
- Current TCAM technology
  - Fast match time: 4 ns
  - Size: 1-2 MB
  - Commercially used for single-match classification

8 Arrange Rules in the TCAM
- Problem: the TCAM reports only the first matching result
  - For example, these two rules have an intersection relationship:
    - "Tcp $SQL_SERVER 1433 $EXTERNAL_NET any"
    - "Tcp Any Any Any 139"
- Solution: add additional intersection rules
  - Upper bound on the number of intersections: O(N^F)
  - Real-world rule sets have far fewer intersections
  - Retrieve all matching results solely from the first matched result

9 Order of Rules
Relationship between rules $E_i$ and $E_j$, with corresponding matched lists $M_i$ and $M_j$:
- Exclusive ($E_i \cap E_j = \emptyset$): i and j can be in any order.
- Subset ($E_i \subset E_j$): $i < j$ and $M_j \subset M_i$.
- Superset ($E_i \supset E_j$): $j < i$ and $M_i \subset M_j$.
- Intersection ($E_i \cap E_j \neq \emptyset$): add a rule $E_l = E_i \cap E_j$ with $l < i$, $l < j$, and $(M_i \cup M_j) \subseteq M_l$.

10 Example
Original rule set:
1 | Tcp $SQL_SERVER 1433 $EXTERNAL_NET any
2 | Tcp $EXTERNAL_NET 119 $HOME_NET Any
3 | Tcp Any Any Any 139

Extended rule set in TCAM-compatible order (extended rule | matched list):
Tcp $SQL_SERVER 1443 $EXTERNAL_NET 139 | 1,3
Tcp $SQL_SERVER 1433 $EXTERNAL_NET any | 1
Tcp $EXTERNAL_NET 119 $HOME_NET 139 | 2,3
Tcp $EXTERNAL_NET 119 $HOME_NET any | 2
Tcp any any any 139 | 3

Note: $EXTERNAL_NET = !$HOME_NET
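The construction of slides 8-10 (add intersection rules, order subsets before supersets, attach a matched list to each entry) as an added example, not code from the talk. It assumes a simplified field model in which each field is "any" or one atomic value, so $HOME_NET, $EXTERNAL_NET and $SQL_SERVER are distinct atoms rather than real address sets; the TCAM itself is simulated as a first-match scan over the ordered table.

```python
# Added example (not from the talk): a first-match TCAM answering multi-match
# queries via intersection rules with matched lists, as in slides 8-10.
# Assumption: each field is "any" or one atomic value (no prefixes/ranges).
from itertools import combinations

ANY = "any"

def intersect(a, b):
    """Intersection of two rules, or None if they are exclusive."""
    out = tuple(y if x == ANY else x for x, y in zip(a, b))
    return out if all(x == y or ANY in (x, y) for x, y in zip(a, b)) else None

def is_subset(a, b):
    """True when every packet matching a also matches b."""
    return all(y == ANY or x == y for x, y in zip(a, b))

def build_tcam(rules):
    """Return [(entry, matched_list)] in a first-match-compatible order."""
    entries = set(rules)
    changed = True
    while changed:  # close the rule set under pairwise intersection
        changed = False
        for a, b in combinations(list(entries), 2):
            e = intersect(a, b)
            if e is not None and e not in entries:
                entries.add(e)
                changed = True
    # matched list = 1-based indices of the original rules containing the entry
    table = [(e, tuple(i + 1 for i, r in enumerate(rules) if is_subset(e, r)))
             for e in entries]
    # a subset must precede its supersets; here fewer wildcards == more specific
    table.sort(key=lambda t: (t[0].count(ANY), t[0]))
    return table

def lookup(table, packet):
    """One first-match search; the matched list is then read from 'SRAM'."""
    for entry, matched in table:
        if is_subset(packet, entry):
            return matched
    return ()

# Constructed from the talk's three-rule example: (proto, src, sport, dst, dport)
SNORT_RULES = [
    ("tcp", "$SQL_SERVER", "1433", "$EXTERNAL_NET", ANY),
    ("tcp", "$EXTERNAL_NET", "119", "$HOME_NET", ANY),
    ("tcp", ANY, ANY, ANY, "139"),
]
```

Running build_tcam(SNORT_RULES) yields the five-entry extended set of slide 10 (two intersection rules first, rule 3 last), and lookup returns the full matched list from the single first-match hit.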

11 Representing Negation with TCAM
- 80 in binary form: 0000 0000 0101 0000
- Negation of 80 (!80)
  - Flipping every bit, 0000 0000 0101 0000 becomes 1111 1111 1010 1111 = 65375, which is only a subset of !80
  - Need 16 TCAM entries, one per bit position (each entry fixes one bit to the opposite of 80's bit there):
    1xxx xxxx xxxx xxxx
    x1xx xxxx xxxx xxxx
    xx1x xxxx xxxx xxxx
    xxx1 xxxx xxxx xxxx
    xxxx 1xxx xxxx xxxx
    xxxx x1xx xxxx xxxx
    xxxx xx1x xxxx xxxx
    xxxx xxx1 xxxx xxxx
    xxxx xxxx 1xxx xxxx
    xxxx xxxx x0xx xxxx
    xxxx xxxx xx1x xxxx
    xxxx xxxx xxx0 xxxx
    xxxx xxxx xxxx 1xxx
    xxxx xxxx xxxx x1xx
    xxxx xxxx xxxx xx1x
    xxxx xxxx xxxx xxx1
- Multiple negations in one rule
  - tcp $EXTERNAL_NET any $EXTERNAL_NET !80 requires up to 32*32*16 = 16384 TCAM entries
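The one-entry-per-bit expansion of slide 11, as an added example (not the talk's code): it generates the ternary entries for a negated field, brute-force checks that their union is exactly every value except the negated one, and computes the multiplicative blow-up for a rule with several negated fields. Field widths for the Snort header (32-bit addresses, 16-bit ports) are assumed.

```python
# Added example (not from the talk): expand "!value" on a w-bit field into the
# w ternary TCAM entries of slide 11 and check the union they cover.
def negation_entries(value, width):
    """Ternary entries ('0', '1', 'x' per bit) whose union is {v : v != value}."""
    bits = format(value, f"0{width}b")
    entries = []
    for i, b in enumerate(bits):
        entry = ["x"] * width
        entry[i] = "1" if b == "0" else "0"  # differ from `value` at bit i only
        entries.append("".join(entry))
    return entries

def ternary_match(entry, value):
    """True when `value` matches the ternary `entry` (x = don't care)."""
    bits = format(value, f"0{len(entry)}b")
    return all(t == "x" or t == b for t, b in zip(entry, bits))

def covered_values(entries, width):
    """Brute-force the set of field values matched by at least one entry."""
    return {v for v in range(1 << width)
            if any(ternary_match(e, v) for e in entries)}

def worst_case_entries(field_widths, negated):
    """Entries one rule needs: the product of the widths of its negated fields."""
    total = 1
    for width, is_negated in zip(field_widths, negated):
        if is_negated:
            total *= width
    return total

# Constructed sample: the talk's "!80" on a 16-bit destination-port field.
NOT_80 = negation_entries(80, 16)

if __name__ == "__main__":
    for e in NOT_80:
        print(" ".join(e[i:i + 4] for i in range(0, 16, 4)))
    # "tcp $EXTERNAL_NET any $EXTERNAL_NET !80": negated 32-bit source IP,
    # 32-bit destination IP and 16-bit destination port (assumed widths)
    print(worst_case_entries((32, 16, 32, 16), (True, False, True, True)))
```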

12 Remove Negation
- Regions generating negation: A, B, D
- Regions with no negation: C, A ∪ C, C ∪ D, A ∪ B ∪ C ∪ D
(Figure: the three rules placed in regions A-D of the source/destination address space)
1 Tcp $SQL_SERVER 1433 $EXTERNAL_NET any
2 Tcp $EXTERNAL_NET 119 $HOME_NET Any
3 Tcp Any Any Any 139

13 Remove Negation
- Can we extend rules in D to D ∪ C?
  - Yes, we can! With a first-match TCAM.
1 Tcp $SQL_SERVER 1433 $EXTERNAL_NET any
2 Tcp $EXTERNAL_NET 119 $HOME_NET Any
3 Tcp Any Any Any 139

TCAM entries | Matched list
tcp $HOME_NET any $HOME_NET 139 | 3
any $HOME_NET any $HOME_NET any | (empty)
Tcp $SQL_SERVER 1443 any 139 | 1,3
Tcp $SQL_SERVER 1433 any any | 1

14
Extended rules (with negation) | Matched list | TCAM entries needed
Tcp $SQL_SERVER 1443 $EXTERNAL_NET 139 | 1,3 | 32
Tcp $SQL_SERVER 1433 $EXTERNAL_NET any | 1 | 32
Tcp $EXTERNAL_NET 119 $HOME_NET 139 | 2,3 | 32
Tcp $EXTERNAL_NET 119 $HOME_NET any | 2 | 32
Tcp any any any 139 | 3 | 1

TCAM Index | TCAM entries (negation removed) | Matched list
1 | tcp $HOME_NET any $HOME_NET 139 | 3
2 | any $HOME_NET any $HOME_NET any | (empty)
3 | Tcp $SQL_SERVER 1443 any 139 | 1,3
4 | Tcp $SQL_SERVER 1433 any any | 1
5 | Tcp any 119 $HOME_NET 139 | 2,3
6 | Tcp any 119 $HOME_NET any | 2
7 | Tcp any any any 139 | 3

94.5% of TCAM entries saved

15 Simulation Results
SNORT intrusion detection rule set

Version | Rule set size | # of rules in extended set | Single negation | Double negations | Triple negations
2.0.0 | 240 | 3,693 | 62.334% | 0.975% | 0
2.0.1 | 255 | 4,009 | 62.484% | 1.422% | 0.025%
2.1.0 | 257 | 4,015 | 62.540% | 1.420% | 0.025%
2.1.1 | 263 | 4,330 | 62.332% | 1.363% | 0.023%

16 Performance of Negation Removing Scheme

Snort version | With negation: extended rule set size | With negation: TCAM entries needed | Negation removed: extended rule set size | Negation removed: TCAM entries needed | TCAM space saved
2.0.0 | 3,693 | 120,409 | 4,101 | 7,853 | 93.4%
2.0.1 | 4,009 | 145,208 | 4,411 | 8,124 | 94.4%
2.1.0 | 4,015 | 145,352 | 4,420 | 8,133 | 94.4%
2.1.1 | 4,330 | 151,923 | 4,797 | 8,649 | 94.3%

- Fits all Snort rule headers into a 128KB-256KB TCAM
- Retrieves the multi-match classification result with one TCAM lookup and one SRAM lookup (<10 ns)

17 Conclusions
- New applications demand multi-match classification
- TCAM-based solution to the multi-match classification problem
  - Reports all the matching results with a single TCAM lookup and an SRAM lookup
- The negation removing scheme saves 93% to 95% of the TCAM space
- Future work
  - Study the complexity of the multi-match classification problem and the tradeoffs between different approaches
  - Search only part of the TCAM to reduce power consumption

18 Backup slides

19 Removing Negation
- Rules in region C: "* $HOME_NET+ * $HOME_NET+ *"
- Separator rule 1: "any $HOME_NET any $HOME_NET any"
- Rules in region D, specified in the form of regions C and D: "* $HOME_NET+ * any *"
- Rules in region A, specified in the form of regions A and C: "* any * $HOME_NET+ *"
- Separator rule 2: "any $HOME_NET any any any"
- Separator rule 3: "any any any $HOME_NET any"
- Rules applying to region B, specified in the form of regions A, B, C and D: "* any * any *"

20 Effect of Negation

