Presentation is loading. Please wait.

Presentation is loading. Please wait.

Packet Classification George Varghese. Original Motivation: Firewalls Firewalls use packet filtering to block say ssh and force access to web and mail.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Packet Classification George Varghese. Original Motivation: Firewalls Firewalls use packet filtering to block say ssh and force access to web and mail."— Presentation transcript:

1 Packet Classification George Varghese

2 Original Motivation: Firewalls Firewalls use packet filtering to block say ssh and force access to web and mail via proxies. Still part of “defense in depth” today. Need fast wire speed packet filtering

3 Simplified Internet Message Format Dest and Src IP address (telephone numbers). Dst and Src Ports (extensions): indicate protocol For instance, Port 80 = Web, Mail = 25

4 Sample Firewall Database

5 Beyond firewalls today

6 Service differentiation via classification Every router in world: if packet addressed to router, do packet classification before LPM. Extract 5 (or more fields). If there is a match, treat packet as specified by highest match rule. Can use to drop packets, give some applications more QoS, different routes for some apps etc. Standard solution: CAMs. But lets look at some algorithmic solutions some of which are used. Routers often support 1000s of rules so linear search (despite parallel logic) is too slow.

7 Plan of Attack First, 2-field (2D) packet classification. Useful for measurement and multicast. Then we introduce a nice geometric model and move on to general K-field classification.

8 2D (two field) example

9 First attempt: Set Pruning Tries Each destination prefix D points to a trie containing all source prefixes in rules whose destination field is a prefix of D. O(N^2) memory!

10 Worst-case example for storage

11 Less memory via backtracking Source tries now only contain sources in rules whose destination is equal to D. O(W^2) time.

12 Grid of Tries (Srinvasan-Varghese) Use pre-computed switch pointers (dashed line). No backtracking and linear space.

13 Geometric Model (Lakshman-Staliadis) Example: F1 = (0*, 10*). Each field is a dimension in geometric space

14 Beyond 2D Bad News: Lower bound (computational geometry): O((W^k)/k!) time for linear storage. Good news: (Gupta-Mckeown): # of Disjoint classification regions in real databases is small. For example: theoretically in 2D we can have N^2 disjoint regions but practically we have O(N) Can we exploit this observation for speed with small storage. Yes, but not provably. Heuristics.

15 Divide and Conquer? Natural to try LPM in each field separately and combine. Concatenation does not work!

16 Aside: Range to Prefix Matches Real classifiers use ranges (e.g., < 1024 for well known ports). Theorem: Can write any range as the union of a logaritmic number of prefix ranges. Example: [8,12] in 5 bits. 01* does not work but 0100* and 0101* and 011000 does! Useful theorem for CAM vendors as well as they only support prefix ranges. Recall hardware!

17 Bit Vector (Lakshman-Staliadis) Store an N-bit vector with each field value M with bit J set in Field I if M matches Rule I in field J. AND and find first bit set. Priority Encoder.

18 Why is Lucent Fast? Since the bit vectors are O(N), from a CS perspective it is O(N), as bad as linear search. Really reduces constants uses wide memories. Nk/W memory accesses where W is width. Recall W = 1000 is feasible  1000 rule tables in a few accesses, many of which are parallel. Moral: Know hardware complexity measures!

19 Cross-Products (Srinivasan-Varghese) Theorem: Best matching rule for crossproduct is best matcing rule for packet.

20 Equivalenced Crossproducts (Gupta-Mckeown): aka RFC Idea: Instead of “multiplying” in 1 fell swoop, do 2 at a time and equivalence at each step. GSR 16 crossproducts but only 8 classes!

21 Hi Cuts (Gupta-Mckeown) Different idea: Decision tree in geemetric space to “zero in” on narrowest matching region.

22 State of Art Woo algorithm: Like HiCuts but uses bit testing and not range testing. Hypercuts (Singh): beyond Woo to test multiple bits at a time using arrays. Cisco CRS Space usage of Hypercuts/HiCuts can be employed using 2 parallel trees (Brian Alleyne) Efficuts (Purdue, SIGCOMM 2010) is a publicly available implementation of best ideas so far. CAMs still easier though need algorithmic tricks to reduce power.

23 Principles Used P1: Relax Specification (heuristics beyond 2D) P2: Degrees of freedom (HiCuts  Hypercuts) P3: Shift Computation in Time (grid-of-tries) P4: Avoid Waste seen (Crossproducts  RFC) P5: Add State for efficiency (switch pointers) P6: Hardware parallelism (Bit vector) P8: Finite universe methods (Bit vector) P9: Use algorithmic thinking (decision trees)

24 Students like you... PANKAJ CHEENU SUMEET Stanford  Sahasra  Netlogic  Twitter UCSD  Sahasra  Netlogic  Google UCSD  NetSift  Cisco SO DO A GREAT PROJECT! SOME MORE PAPERS UP

Download ppt "Packet Classification George Varghese. Original Motivation: Firewalls Firewalls use packet filtering to block say ssh and force access to web and mail."

Similar presentations

A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.

A Search Memory Substrate for High Throughput and Low Power Packet Processing Sangyeun Cho, Michel Hanna and Rami Melhem Dept. of Computer Science University.
August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta

August 17, 2000 Hot Interconnects 8 Devavrat Shah and Pankaj Gupta
Router/Classifier/Firewall Tables Set of rules—(F,A)  F is a filter Source and destination addresses. Port number and protocol. Time of day.  A is an.

Router/Classifier/Firewall Tables Set of rules—(F,A)  F is a filter Source and destination addresses. Port number and protocol. Time of day.  A is an.
Packet Classification using Hierarchical Intelligent Cuttings

Packet Classification using Hierarchical Intelligent Cuttings
Balajee Vamanan, Gwendolyn Voskuilen, and T. N. Vijaykumar School of Electrical & Computer Engineering SIGCOMM 2010.

Balajee Vamanan, Gwendolyn Voskuilen, and T. N. Vijaykumar School of Electrical & Computer Engineering SIGCOMM 2010.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
Spring 2006CS 685 Network Algorithmics1 Principles in Practice CS 685 Network Algorithmics Spring 2006.

Spring 2006CS 685 Network Algorithmics1 Principles in Practice CS 685 Network Algorithmics Spring 2006.
Network Algorithms, Lecture 4: Longest Matching Prefix Lookups George Varghese.

Network Algorithms, Lecture 4: Longest Matching Prefix Lookups George Varghese.
Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.

Fast Firewall Implementation for Software and Hardware-based Routers Lili Qiu, Microsoft Research George Varghese, UCSD Subhash Suri, UCSB 9 th International.
Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.

Bio Michel Hanna M.S. in E.E., Cairo University, Egypt B.S. in E.E., Cairo University at Fayoum, Egypt Currently is a Ph.D. Student in Computer Engineering.
Ultra-High Throughput Low-Power Packet Classification

Ultra-High Throughput Low-Power Packet Classification
M. Waldvogel, G. Varghese, J. Turner, B. Plattner Presenter: Shulin You UNIVERSITY OF MASSACHUSETTS, AMHERST – Department of Electrical and Computer Engineering.

M. Waldvogel, G. Varghese, J. Turner, B. Plattner Presenter: Shulin You UNIVERSITY OF MASSACHUSETTS, AMHERST – Department of Electrical and Computer Engineering.
IP Routing Lookups Scalable High Speed IP Routing Lookups.

IP Routing Lookups Scalable High Speed IP Routing Lookups.
HybridCuts: A Scheme Combining Decomposition and Cutting for Packet Classification Author: Wenjun Li, Xianfeng Li Publisher: 2013 IEEE 21 st Annual Symposium.

HybridCuts: A Scheme Combining Decomposition and Cutting for Packet Classification Author: Wenjun Li, Xianfeng Li Publisher: 2013 IEEE 21 st Annual Symposium.
Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.

Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.
Survey of Packet Classification Algorithms. Outline Background and problem definition Classification schemes – One dimensional classification – Two dimensional.

Survey of Packet Classification Algorithms. Outline Background and problem definition Classification schemes – One dimensional classification – Two dimensional.
A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.

A Ternary Unification Framework for Optimizing TCAM-Based Packet Classification Systems Author: Eric Norige, Alex X. Liu, and Eric Torng Publisher: ANCS.
1 Author: Ioannis Sourdis, Sri Harsha Katamaneni Publisher: IEEE ASAP,2011 Presenter: Jia-Wei Yo Date: 2011/11/16 Longest prefix Match and Updates in Range.

1 Author: Ioannis Sourdis, Sri Harsha Katamaneni Publisher: IEEE ASAP,2011 Presenter: Jia-Wei Yo Date: 2011/11/16 Longest prefix Match and Updates in Range.
Oct 28, 2004CS573: Network Protocols and Standards1 IP: Routing and Subnetting Network Protocols and Standards Autumn 2004-2005.

Oct 28, 2004CS573: Network Protocols and Standards1 IP: Routing and Subnetting Network Protocols and Standards Autumn
Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Efficient Multi-match Packet Classification with TCAM Fang Yu Randy H. Katz EECS Department, UC Berkeley {fyu,

Similar presentations

Ads by Google