High-Speed Policy-Based Packet Forwarding Using Efficient Multidimensional Range Matching


1
High-Speed Policy-Based Packet Forwarding Using
Efficient Multi-dimensional Range Matching
  • Lakshman and Stiliadis
  • ACM SIGCOMM 98

2
Abstract
  • Internet Service Providers (ISP) would like to
    provide differentiated services using the same
    shared, connectionless network infrastructure.
  • The key mechanism is the packet classification
    function that
      • parses the headers of the packets,
      • and after determining their context, classifies
        them based on administrative policies or
        real-time reservation decisions.

3
  • Packet classification is
      • Complex, and thus the bottleneck in the gigabit
        links
      • Currently implemented at lower-speed edge routers
      • Not based on multiple fields
  • This paper presents new packet classification
    schemes that can classify packets
      • at rates of a million packets per second
      • using range matches on more than 4 packet header
        fields
      • with a worst-case and traffic-independent
        performance metric
      • by checking amongst a few thousand filtering rules

4
Introduction
  • Packet Filtering/Packet Classification
  • Forwarding engines must be able to
      • identify the context of packets,
      • apply the necessary actions so as to satisfy the
        user requirements.
  • Such actions may be
      • the dropping of unauthorized packets,
      • redirection of packets to proxy servers,
      • special queuing and scheduling actions,
      • routing decisions based on criteria other than
        the destination address

5
  • The specification of the packet classification
    policies must allow aggregations in their
    definitions.
  • Classification algorithms must be able to
    process rules that define combinations of ranges
    of values.
  • If the algorithms can only handle exact values
    and do not support aggregation, preprocessing is
    required to translate the ranges to exact values.

6
  • A trend worth noting is that
      • even though packet filtering was thought of as a
        tool necessary only at the network access points
        and mainly for firewall or security applications,
      • it is now becoming apparent that it is a valuable
        tool for performing traffic engineering and
        meeting the new service requirements of the
        commercial Internet.
  • The main consequence of these new uses is that
      • all packet classification actions must be
        performed at wire-speed, i.e., the forwarding
        engines must have enough processing power to be
        able to process every arriving packet without
        queuing.

7
Design Goals
  • The Requirement for Real-Time Operation
  • Traditional router architectures are based on
    flow-cache architectures to classify packets.
  • The complete header of the first packet of a flow
    is processed through a slow path.
  • The header is then inserted into a cache or hash
    table together with the action that must be
    applied to all packets of the same flow.
  • When subsequent packets of that flow arrive, the
    corresponding action can be determined from the
    cache or hash table.

8
  • Three problems with the cache-based
    architectures
  • The number of simultaneous flows is extremely
    high, so the use of hardware caches is extremely
    difficult. Caches of such size will most likely
    be implemented as hash tables since hash tables
    can be scaled to these sizes. However, the O(1)
    look-up time of a hash table is an average-case
    result and the worst-case performance of a hash
    table can be poor.
  • The performance of cache-based schemes is heavily
    traffic dependent.
  • A commercial Internet infrastructure should be
    robust and should provide predictable performance
    at all times.

9
  • Criteria for efficient packet classification and
    system constraints
  • The algorithm must be fast enough for Gigabit
    routers.
  • The algorithm must process every packet at
    wire-speed.
  • Classification rules must be based on several
    fields of the packet header, including source and
    destination IP addresses, source and destination
    port numbers, protocol type, and Type-of-Service.
    The rules must be able to specify ranges and not
    just exact values.
  • Two-dimensional requirement for multicast lookup
    and RSVP reservations that use either wild-card
    filters or CIDR aggregations.

10
  • Priorities are imposed on the rules for multiple
    match.
  • Updates of rules are rare compared to searches in
    the data structures.
  • Memory accesses are expensive and are the
    dominant factor in determining the worst-case
    execution time.
  • Memory is organized in words of size w and the
    cost of accessing a word is the same as the cost
    of accessing any subset of bits in a word.
  • Memory cost can be relatively low if technologies
    such as Synchronous Dynamic RAMs (SDRAMs) are
    used.
  • For operation at very high speed the algorithm
    must be amenable to hardware implementation.

11
Previous Work
  • Most previous papers were targeted mainly for an
    end-point and their main goal was to isolate
    packets that are destined to specific protocols
    or to specific connections.
  • Linear parsing, which does not scale to high speeds
  • The first hardware implementation of packet
    filters
  • fast enough to support an OC-12 link
  • restricted to only a small number of rules (< 12)
  • The pipeline implementation results in O(1)
    performance using O(N) processing elements for
    O(N) rules.
  • cannot scale to a large number of filter rules
    (since it needs a linear number of processing
    elements).
  • for rules with exact matching and not with ranges.

12
Point Location Problem
  • The general packet classification problem can be
    viewed as a point location problem in
    multidimensional space.
  • This is a classic problem in Computational
    Geometry and numerous results have been reported
    in the literature.

13
Definition of the point location problem
  • Given a point in a d-dimensional space, and a set
    of n d-dimensional objects, find the object that
    the point belongs to.
  • Most algorithms reported in the literature deal
    with the case of non-overlapping objects or
    specific arrangements of hyper-planes or
    hyper-surfaces of bounded degree.
  • For d > 3 dimensions, the best algorithms have
      • either an O(log^(d-1) n) complexity with O(n) space,
      • or an O(log n) time-complexity with O(n^d) space.
  • not directly useful for high speed packet
    filtering
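
Added example (not taken from the slides): packet classification treated as the point location problem defined above, with overlapping range rules and the priority ordering for multiple matches from the design goals. The per-field interval bitmap technique, the two port fields, the sample rules and all function names are assumptions chosen for this illustration.

```python
from bisect import bisect_right

# Constructed sample rules, highest priority first. Each rule is one
# inclusive range per dimension (source port, destination port) plus an action.
RULES = [
    (((0, 1023), (22, 22)), "drop"),
    (((1024, 65535), (80, 443)), "proxy"),
    (((0, 65535), (0, 65535)), "forward"),
]

def build_dimension(rules, dim):
    """Cut one axis into elementary intervals and store a rule bitmap for each."""
    # Boundaries: 0, every range start, and the point just past every range end.
    cuts = sorted({0} | {r[dim][0] for r, _ in rules}
                      | {r[dim][1] + 1 for r, _ in rules})
    bitmaps = []
    for start in cuts:
        bits = 0
        for i, (r, _) in enumerate(rules):
            # No range starts or ends inside an elementary interval, so
            # testing its first point decides coverage for the whole interval.
            if r[dim][0] <= start <= r[dim][1]:
                bits |= 1 << i
        bitmaps.append(bits)
    return cuts, bitmaps

def classify(index, rules, packet):
    """AND the per-dimension bitmaps; the lowest set bit is the best match."""
    match = (1 << len(rules)) - 1
    for (cuts, bitmaps), value in zip(index, packet):
        # Binary search per field; assumes non-negative field values.
        match &= bitmaps[bisect_right(cuts, value) - 1]
    if match == 0:
        return None                      # point lies in no rule
    return rules[(match & -match).bit_length() - 1][1]

def classify_linear(rules, packet):
    """Reference: scan the rules in priority order (O(n) per packet)."""
    for ranges, action in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, packet)):
            return action
    return None

INDEX = [build_dimension(RULES, d) for d in range(2)]
```

Each lookup costs one binary search per field plus an n-bit AND, independent of the traffic pattern, in contrast to the cache-based schemes criticized earlier.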

14
  • No-queuing before processing
  • Any packet queuing delays are only acceptable
    after the classification step is performed,
    because it is the header processing (including
    packet filtering) operation that enables the
    router to determine the quality-of-service (QOS)
    level to be accorded to a particular packet.

19
Figure 5 Operation of the 2-dimensional
algorithm when one dimension includes only
intervals created by prefixes and the propagation
technique is used.