Research article. DOI: 10.1145/2674005.2675005

Trees in the List: Accelerating List-based Packet Classification Through Controlled Rule Set Expansion

Published: 02 December 2014

Abstract

Network packet classification is performed by a wide variety of network devices, such as routers and firewalls. Accordingly, researchers have put great effort into developing fast packet classification algorithms. However, although such approaches have been around for over a decade, most classification systems used in practice still rely on the slow linear search approach. In this work, we propose a methodology that enables linear search-based systems with jump semantics to take advantage of the superior matching performance of decision tree algorithms, without the need to touch the underlying system implementation. By performing source-to-source transformations on packet classification rule sets, we encode decision trees inside the modified rule sets in order to guide and tweak the originally linear matching process. We implement this in a proof-of-concept tool which transforms Linux iptables firewall rule sets. Our evaluation demonstrates that throughput performance boosts of one order of magnitude and more are possible, without changing the semantics of the rule set and without any modifications to the matching engine.
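An added illustration of the idea in the abstract (not code from the paper or from the Hitables tool): a first-match rule list is rewritten into chains whose jump rules form a binary decision tree, and a small simulator checks that verdicts are unchanged. It is narrowed to one field, the TCP destination port, with midpoint cuts; the chain names, BINTH and the sample rules are assumptions constructed here.

```python
BINTH = 2  # assumed leaf size: stop cutting once a chain holds this few rules

def build(rules, lo, hi, name, chains):
    """Encode first-match rules [(lo, hi, target)] over ports lo..hi as chains.
    chains[name] is a list of (lo, hi, action); action is a target or a chain name."""
    live = [(max(a, lo), min(b, hi), t) for a, b, t in rules if a <= hi and b >= lo]
    mid = (lo + hi) // 2
    left = [r for r in live if r[0] <= mid]
    right = [r for r in live if r[1] > mid]
    if len(live) <= BINTH or lo == hi or len(left) == len(right) == len(live):
        chains[name] = live                    # leaf: short linear list, order kept
        return chains
    chains[name] = []
    for sub, a, b, tag in ((left, lo, mid, "0"), (right, mid + 1, hi, "1")):
        if sub:                                # a rule spanning the cut is copied
            chains[name].append((a, b, name + tag))  # into both children (expansion)
            build(sub, a, b, name + tag, chains)
    return chains

def classify(chains, name, port, default="DROP"):
    """Walk the chains the way a jump-capable linear matcher would.
    Returns (verdict, number of rules examined)."""
    seen = 0
    for lo, hi, action in chains[name]:
        seen += 1
        if lo <= port <= hi:
            if action not in chains:           # terminal target
                return action, seen
            verdict, n = classify(chains, action, port, None)
            seen += n
            if verdict is not None:
                return verdict, seen           # else: fell off the sub-chain, go on
    return default, seen

def render(chains):
    """Emit iptables commands for the generated chains (TCP destination port only)."""
    out = [f"iptables -N {c}" for c in chains]
    for c, rs in chains.items():
        out += [f"iptables -A {c} -p tcp --dport {lo}:{hi} -j {a}" for lo, hi, a in rs]
    return out

# Constructed sample: 1024 port blocks with alternating verdicts, then a catch-all.
RULES = [(p, p + 63, "ACCEPT" if (p // 64) % 2 else "DROP")
         for p in range(0, 65536, 64)] + [(0, 65535, "DROP")]

if __name__ == "__main__":
    tree = build(RULES, 0, 65535, "T", {})
    print("\n".join(render(tree)[-4:]))
    print(classify({"L": RULES}, "L", 65535), classify(tree, "T", 65535))
    print(len(RULES), "rules ->", sum(len(c) for c in tree.values()))
```

To place the generated tree in the packet path, the root chain would be referenced from a built-in chain, for example `iptables -A INPUT -p tcp -j T`.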

      Published In

      CoNEXT '14: Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies
      December 2014
      438 pages
      ISBN:9781450332798
      DOI:10.1145/2674005

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. packet classification
      2. rule set modification

      Qualifiers

      • Research-article

      Conference

      CoNEXT '14

      Acceptance Rates

      CoNEXT '14 Paper Acceptance Rate 27 of 133 submissions, 20%;
      Overall Acceptance Rate 198 of 789 submissions, 25%

      Cited By

      • (2019) TabTree: A TSS-assisted Bit-selecting Tree Scheme for Packet Classification with Balanced Rule Mapping. 2019 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), pp. 1-8. DOI: 10.1109/ANCS.2019.8901884. Online publication date: Sep-2019
      • (2017) HyPaFilter+. IEEE/ACM Transactions on Networking 25:6, pp. 3655-3669. DOI: 10.1109/TNET.2017.2749699. Online publication date: 1-Dec-2017
      • (2016) Minflate. Proceedings of the 2016 Symposium on Architectures for Networking and Communications Systems, pp. 115-116. DOI: 10.1145/2881025.2889485. Online publication date: 17-Mar-2016
      • (2016) HyPaFilter. Proceedings of the 2016 Symposium on Architectures for Networking and Communications Systems, pp. 25-36. DOI: 10.1145/2881025.2881033. Online publication date: 17-Mar-2016
      • (2016) The Small, the Fast, and the Lazy (SFL): A General Approach for Fast and Flexible Packet Classification. 2016 IEEE 41st Conference on Local Computer Networks (LCN), pp. 43-51. DOI: 10.1109/LCN.2016.125. Online publication date: Nov-2016
