Title: Firewall Decision Diagrams for Better Packet Classifiers
Department of Computer Science and Engineering, College of Engineering
Introduction

Packet classification, which is widely used on the Internet, is the core mechanism that enables routers to perform many networking services such as firewall packet filtering and access control lists. As more services are deployed on the Internet, packet classification grows in demand and importance. Our work focuses on finding semantically equivalent classifiers that use fewer resources.
Equivalent Classifier Transformation

Range Transformation: Rule predicates are a single range. This transformation is used for software classifiers.

Prefix Transformation: Rule predicates are a single prefix range, since ranges are represented by ternary bit strings in the hardware.

Solution: We formulate optimal dynamic programs for the single-dimensional version of each problem and use an FDD to create a greedy solution for multiple dimensions.
Redundancy Removal

A rule is redundant if and only if removing it from a classifier does not change the classifier's semantics. We use a specialized All-match FDD to detect redundant rules: each terminal node lists, in order, the rules that match the packets reaching it. Rule r_i is redundant iff there is no terminal node whose first value is i that is not followed by a j such that r_j has the same decision as r_i.
The function of a packet classification system is to map each packet to a decision (i.e. action) according to a sequence (i.e. ordered list) of rules, which is called a packet classifier. Each rule in a packet classifier has a predicate over some packet header fields and a decision to be performed upon the packets that match the predicate. To resolve possible conflicts among rules in a classifier, the decision for each packet is the decision of the first (i.e. highest priority) rule that the packet matches.
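The first-match semantics just defined and the All-match FDD redundancy criterion from the Redundancy Removal section, as an added worked example (not code from the poster or its authors): it assumes a two-field classifier over a small constructed 16x16 (src, dst) domain, rules written as one (lo, hi) range per field plus a decision, and it builds the all-match terminal nodes from elementary intervals, then removes redundant rules one at a time.

```python
from itertools import product

# Constructed 2-field classifier over a 16x16 (src, dst) domain; last rule is the catch-all default.
RULES = [
    (((0, 3), (0, 15)), "accept"),    # r0: downward redundant (r1 always follows with "accept")
    (((0, 7), (0, 15)), "accept"),    # r1
    (((0, 15), (0, 7)), "accept"),    # r2
    (((4, 7), (4, 7)), "discard"),    # r3: upward redundant (never the first match; r1 covers it)
    (((0, 15), (0, 15)), "discard"),  # r4: default
]

def first_match(rules, packet):
    """Classifier semantics: decision of the first rule whose predicate matches the packet."""
    for pred, decision in rules:
        if all(lo <= v <= hi for v, (lo, hi) in zip(packet, pred)):
            return decision
    return None

def elementary_intervals(ranges):
    """Split one field into maximal intervals that no rule boundary cuts through."""
    points = sorted({p for lo, hi in ranges for p in (lo, hi + 1)})
    return [(points[k], points[k + 1] - 1) for k in range(len(points) - 1)]

def all_match_terminals(rules):
    """All-match FDD terminal nodes: per elementary region, the ordered indices of all covering rules."""
    per_field = [elementary_intervals([r[0][d] for r in rules]) for d in range(len(rules[0][0]))]
    terminals = []
    for region in product(*per_field):
        terminals.append([i for i, (pred, _) in enumerate(rules)
                          if all(plo <= lo and hi <= phi for (lo, hi), (plo, phi) in zip(region, pred))])
    return terminals

def redundant_rules(rules):
    """Indices i with no terminal node whose first value is i that is not followed by a j with r_j's decision == r_i's."""
    terminals = all_match_terminals(rules)
    redundant = set()
    for i, (_, decision) in enumerate(rules):
        firsts = [t for t in terminals if t and t[0] == i]  # nodes where r_i is the first match
        if all(len(t) > 1 and rules[t[1]][1] == decision for t in firsts):  # vacuously true if never first
            redundant.add(i)
    return redundant

def remove_redundant(rules):
    """Remove one rule at a time and recompute: two rules redundant only because of each other must not both go."""
    rules = list(rules)
    while True:
        redundant = redundant_rules(rules)
        if not redundant:
            return rules
        del rules[min(redundant)]
```

Exhaustively comparing first_match over the whole 16x16 domain before and after removal is the ground-truth check that the reduced classifier is semantically equivalent.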
[Figure: example classifiers with Range Rules and Prefix Rules]
Our work uses firewall decision diagrams (FDDs) to reduce the size of packet classifiers for both software-based and hardware-based packet classifiers. We accomplish this reduction via two techniques: Redundant Rule Removal and Equivalent Classifier Transformation.
References

Alex X. Liu, Chad R. Meiners, and Yun Zhou. All-Match Based Complete Redundancy Removal for Packet Classifiers in TCAMs. Proceedings of the 27th Annual IEEE Conference on Computer Communications (Infocom), Phoenix, Arizona, April 2008.

Alex X. Liu, Eric Torng, and Chad Meiners. Firewall Compressor: An Algorithm for Minimizing Firewall Policies. Proceedings of the 27th Annual IEEE Conference on Computer Communications (Infocom), Phoenix, Arizona, April 2008.

Chad R. Meiners, Alex X. Liu, and Eric Torng. TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs. Proceedings of the 15th IEEE International Conference on Network Protocols (ICNP), pages 226-275, Beijing, China, October 2007.

April 11, 2008