A TwoStage

1
A Two-Stage Packet Classification Algorithm

• Authors W. T. Chen, S. B. Shin, and J. L. Chiang
• Source 17th International Conference on AINA,
• Page 762-767, March 27, 2003
• Reporter Tian Yu Hwang (? ? ?)
• Date 2003/12/20

2
Outline

• Background
• Hierarchical Trie H-Trie
• Two-Stage PC Algorithm
• Experiment
• Conclusion

3
Background

• Definition of packet classifier
• Packet classifier is a classifier that
  classifies packets into specific flows,
  aggregates, forwarding equivalence classes (FECs)
  depending upon one or more fields in the header
  of the packet.
• Functions of packet classifier
• multi-dimensional (multi-field) packet
  classification
• flow recognition

router
classifier
action
packet
4
Background

• Applications of packet classifier
• 32-bit destination IP address lookup (routing,
  layer-4 switching)
• longest-prefix-matching scheme to search for
  the best-fit routing rule that matches the
  longest prefixes with the destination address in
  the packet header
• packet filtering in firewalls (policy-based
  security)
• Virtual Private Networks (VPNs)
• multicasting forwarding
• to deploying those protocols and services (such
  as DiffServ, InServ, RSVP, and MPLS) that IETF
  have worked out to provide QoS
• binding flows to MPLS labels for traffic
  engineering
• binding flows to DiffServ code points

5
Background

• Example fields of headers
• In IPv4 headers, such as
• Source Address (32 bits)
• Destination Address (32 bits)
• Source Port (16 bits)
• Destination Port (16 bits)
• Protocol field (8 bits)
• TCP flag (8 bits) (may have ACK bit set)
• Other header fields beside TCP/IP, such as
• MAC address
• Application (e.g. http) header

6
Background

• Structure of a packet classifier
• A packet classifier contains a rule database,
  which consists of a finite sequence of rules, R1,
  R2, , RN.
• Each rule is a combination of k values, one for
  each header field.

K-dimensional rule database
7
Background

• Associated action
• Associated with each rule is an action which
  defines how to forward the packet matching this
  rule. Examples such as
• differentiated output scheduling (e.g., Voice
  over IP packets are routed to a high priority
  queue)
• taking security-related actions (e.g., dropping
  packets sent from a certain subnet)
• load balancing (e.g., routing packets to
  different servers)
• doing traffic measurement (e.g. measuring
  traffic between subnet pairs)
• making a copy
• bandwidth guarantee

8
Background

• Match types
• Each field in a rule is allowed three kinds of
  matches
• Exact match the header field of the packet
  should exactly match the rule field (useful in
  protocol and flag fields.)
• Prefix match the rule field should be a
  prefix of the header filed (useful for blocking
  access from a certain subnetwork.)
• Range match the header values should lie in
  the range specified by the rule (useful for
  specifying port number ranges.)
• A packet P matches a rule R if each field of P
  matches the corresponding field of R. (e.g.
  (000,TCP,6) matches R1)

9
Background

• Packet classification problem
• A multi-field packet classification that
  involves d-fields matching is called a
  d-dimensional packet classification problem.

10
Background

• Conflict problem
• When a packet matches multiple filters with
  conflicting values for the action field, what
  action should be done?
• Two conflict conditions for rules
• Overlapping conflict the set of packets that
  match one rule is overlapping (unequal) with the
  other (e.g. R0 R1).
• Subset conflict the set of packets that match
  one rule forms a strict subset of the other (e.g.
  R2 R3).

11
Background

• Formal definition of conflicts (in prefix
  notation)
• Given two rules Ri(Ri,1, , Ri,k) and
  Rj(Rj,1, , Rj,k), we say that Ri conflicts with
  Rj if for w1, , k, either Ri,w is a prefix of
  Rj,w or an exact match, or Rj,w is a prefix of
  Ri,w.

12
Background

• Prefix-based matching scheme
• enlarge rule database
• inefficient searching performance
• Range-based matching scheme
• complex geometric problem

13
Hierarchical Trie H-Trie

• A prefix-based matching scheme

0
1
BBT1 (binary branching tree)
0
0
0
0
1
0
BBT2
0
1
0
14
Two Stage PC Algorithm

• Structure model

Prefix-matching-tree (PMT)
TCP
UDP
TCP
Range-matching-tree (RMT)
UDP
15
Two Stage PC Algorithm

• Step 1 reorganize the rule table by grouping

5-dimentional rule table
Group (0,0)
Group (00,10)
Group (1,0)
16
Two Stage PC Algorithm

• Step 2 divide each group into subgroup
  according to protocol type

5-dimentional rule table
Group (0,0) (R1,R2,R3)T
Group (00,10) (R4,R6)U (R5,R6)T
Group (1,0) (R7,R8,R9)U
17
Two Stage PC Algorithm

• Step 3 construct the PMT with prefix-based
  fields create the pointers for TCP and UDP

00
10
01
2-bit branching tree
TCP
UDP
00
TCP
UDP
18
Two Stage PC Algorithm

• Step 4 define the elementary intervals with
  range-based fields

5-dimentional rule table
SP
2
3
4
5
DP
1
2
3
4
5
6
19
Two Stage PC Algorithm

• Step 5 construct the RMT according to the
  elementary internals prune the RMT

4-5,4-6
6
R7
R7
R7
2-3,1-3
4-5,1-3
2-3,4-6
4-5
R7
R7
R7,R8
2,1-2
3,3
2,3
3,1-2
R7,R8 R9
3
R7
R7

2
R7
R7
R7,R8
2,3
2,1
2,1
2,2
1
R7
R7
R7
3,3
2,2

2
3
4-5
R7,R8 R9
R7
R7
R7
R7
R7,R8
2-bit branching tree
20
Two Stage PC Algorithm

• Memory consumption

21
Two Stage PC Algorithm

• Average look-up time

22
Conclusion

• Novel prefix-based matching scheme, and
  two-stage packet classification
• Reduce memory consumption and efficient
  performance compared with H-trie
• Further works
• employment of multi-bit branching tree in PMT
  and RMT