Title: Energy Efficient Multi-match Packet Classification with TCAM
1Energy Efficient Multi-match Packet
Classification with TCAM
- Fang Yu
- fyu_at_eecs.berkeley.edu
2Outline
- Introduction to multi-match classification
- Multi-match classification using TCAM
- May create many intersections
- Consume many TACM resources and high power
consumption - Filter set splitting algorithm to remove
intersections - Simulations results
- Conclusions and future work
3Packet Classification
- Single-Match Classification
- Assumption all the filters are associated with
priorities - Only the highest priority match matters
- E.g., longest prefix match
Packet header
Packet Payload
- Multi-Match Classification
- Report all matching results
- No priority among filters
- PNE (iBox) identify the all the relevant
functions - Intrusion Detection System identify all the
related rules - Need faster solutions because of the complex
follow-up processing
4Ternary-CAM (TCAM)
- Fully associative memory compare input string
with all the entries in parallel - If multiple matches, report the index of the
first match - Each cell takes one of three logic states
- 0, 1, and ?(dont care)
- Current TCAM technology
- Fast match time 4 ns
- Size 1-2MB priced at 200-300
cell
entry
width
5Ternary-CAM (TCAM)
- Fully associative memory compare input string
with all the entries in parallel - If multiple matches, report the index of the
first match - Each cell takes one of three logic states
- 0, 1, and ?(dont care)
- Current TCAM technology
- Fast match time 4 ns
- Size 1-2MB priced at 200-300
- Power consumption is high
6Report Multi-match Results
- Problem TCAM only reports the first matching
result - For example, two filters have intersection
relationship - Tcp SQL_SERVER 1433 EXTERNAL_NET any
- Tcp Any Any Any 139
- Tcp SQL_SERVER 1433 EXTERNAL_NET 139
- Return a bit-vector of matched results?
processing cost for the bit-vector can still be
O(N)
Intersection
7Report Multi-match Results (cont.)
- Solution add additional intersection filters
- Pros
- High speed
- Return the all the matching results within one
cycle - Deterministic lookup time
- Cons
- May require high storage and is not energy
efficient - Create 10N intersection filters for the Snort
rule set - May create O(NF) intersection filters in the
worst case - Not easily updatable
Goal decrease number of intersections
and easy for update
8Observation
Original
Two sets
FN
Matching FN
F1
Matching F1 and FN
Matching F1
N filters O(N2) intersection 1 TCAM lookup
N filters 1 intersection 2 TCAM lookups
- Split filters to two sets to reduce intersection
- Report the union of results from all sets
- No need to include the intersections of the
filters from different sets - Decrease the number of filters in TCAM, decrease
power consumption - Increase the number of TCAM access
9Problem Definition
- Given a set of filters F(F1,F2, ., FN)
- Filters create a set of intersections I(I1,I2,
., IM) - e.g., I1 intersection of (F1,, F5, F6)
- How to divide the filters into several sets
- Residual intersection set I intersections from
filters in the same set - N I lt TCAM size
- Number of sets (TCAM accesses) is minimum
- NP hard problem!
10Split filters into Two Sets
- Still an NP hard problem (known as maximum set
splitting or maximum hypergraph cut ) - Best known approximation algorithms
- Yield a performance ratio of 0.72 to the optimum
solution - Require quadratic programming ?slow when the
number of filters is large - Our algorithm based on Johnsons algorithm
- Remove at least half of the intersections
- O(NM) complexity, where N is the total number of
filters, and M is the total number of
intersections
11Maximum Satisfiability Problem
- Maximum Satisfiability Problem
- A set of literals F1, F1, F2, F2,.., FN, FN
- A set of clauses, each clause is a subset of
literals - E.g., C1F1 F5 F6
- Goal Find an assignment of F to satisfy maximum
number of clauses
12Johnsons Algorithm to Maximum Satisfiability
Problem
- Assign each clause a weight 2-c
- E.g., weight of C1F1, F5 F6 is 2-3
- Let Fi be any literal which hasnt been assigned
value yet - If the weight of all clauses contain Fi is higher
than the clauses contain Fi - Assign Fi a true value, remove all clauses
containing Fi - Multiply the weight of all the clauses containing
Fi by 2 - Otherwise
- Assign Fi a false value, remove all clauses
containing Fi - Multiply the weight of all the clauses containing
Fi by 2
13Johnsons Theory
- If all the clauses have at least k literals
- Johnsons algorithm can satisfy at least
- (2K-1)/ 2K percent of the total clauses
- e.g., k2, satisfy at least ¾ of the clauses
- It is proved that (2K-1)/ 2K is the best
approximable bound for kgt2
14Filter Split Algorithm
- For any intersection (e.g., I1 intersection of
F1,, F5, and F6), add two clauses - CF1, F5 F6 and CF1, F5 F6
- Total number of clauses is 2M
- Run Johnsons algorithm and assign each filter Fi
either a true (put in set one) or a false value
(put in set two)
15Filter Split Algorithm (cont.)
- According to Johnsons theory
- At least ¾ of the clauses are satisfied ?
2M3/41.5M - ?At least 0.5M of the intersections have both
clauses satisfied - Suppose for intersection of F1,, F5, and F6 ,
CF1,, F5, F6 and CF1,, F5, F6 both are
satisfied - At least one of F1,, F5, F6 is true and at
least one is false - F1,, F5, F6 are split into different sets, thus
this intersection doesnt need to be presented in
TCAM - ?At least 50 of the intersection is removed!
16Simulation Results
- SNORT intrusion detection rule set
Version Filter Set Size No split No split Split into 2 sets Split into 2 sets Split into 2 sets
Version Filter Set Size Unique Inter-sections TCAM Entries Remaining Inter-sections TCAM Entries Saving
2.0.0 240 3453 3,693 520 760 79.4
2.0.1 255 3754 4,009 556 811 79.7
2.1.0 257 3758 4,015 552 809 79.8
2.1.1 263 4067 4,330 596 859 80.1
17Split filters into Multiple Sets
18Conclusion
- We propose a filter split algorithm to decrease
the intersections - O(NM) complexity
- Guarantee to remove 50 of the intersections each
time the filter set splits - Save TCAM space
- Reduce power consumption
- Save 80 TCAM space and power consumption for
the snort rule sets - With the cost of one more TCAM access
19Ongoing Work
- Narrow down the search region (Region Split)
- E.g., tcp packet only needs to search tcp related
filters - Use SRAM accesses to narrow down the search
region
Region Splits Only Tree based algorithms Memory
access O(logN) Storage cost O(NF) Power
consumption min Update cost high
Filter Splits Only Accesses all filters in
TCAM Memory access of set Storage cost
O(N) Update cost low
Middle ground Hybrid SRAM and TCAM
approach Memory access several (e.g.,
lt5) Storage cost O(N) Power consumption
moderate Update cost moderate
Region Split (SRAM access)
Filter Split (TCAM accesses)