Packet Classification on Multiple Fields Pankaj Gupta and Nick McKeown Stanford University {pankaj,...

Post on 20-Dec-2015


Packet Classification on Multiple Fields

Pankaj Gupta and Nick McKeown

Stanford University

{pankaj, nickm}@stanford.edu

September 2, 1999

Multi-field Packet Classification

Given a classifier with N rules, find the action associated with the highest priority rule matching an incoming packet.

| Rule | Field 1 | Field 2 | … | Field k | Action |
|---|---|---|---|---|---|
| Rule 1 | 152.163.190.69/21 | 152.163.80.11/32 | … | UDP | A1 |
| Rule 2 | 152.168.3.0/24 | 152.163.0.0/16 | … | TCP | A2 |
| … | … | … | … | … | … |
| Rule N | 152.168.0.0/16 | 152.0.0.0/8 | … | ANY | An |

Example: A packet (152.168.3.32, 152.163.171.71, …, TCP) would have action A2 applied to it.

Performance Metrics of a Classification Algorithm

Data structure storage requirements

Packet classification time

Preprocessing time

Incremental update time

Background

| Scheme | Pros | Cons |
|---|---|---|
| Linear Search | Good storage and update time characteristics | Excessive classification time |
| Crossproducting (V. Srinivasan et al [Sigcomm 98]) | Fast classification for multiple dimensions | Large memory requirements. Suitable for small classifiers up to 50 rules without the use of caching. |

Grid of Tries (V. Srinivasan et al [Sigcomm 98])

Bit-level Parallelism (D. Stiliadis et al [Sigcomm 98])

Hierarchical Cuttings (P. Gupta et al [Hot Interconnects 99])

Space-time tradeoff

Point Location among N non-overlapping regions in k dimensions:

either

O(log N) time with O(N^k) space, or

O(log^{k-1} N) time with O(N) space

Need help: exploit structure in real-life classifiers.

Our Dataset

793 classifiers from 101 ISP and enterprise networks with a total of 41505 rules.

40 classifiers: more than 100 rules. Biggest classifier had 1733 rules.

Maximum of 4 fields per rule: source IP address, destination IP address, protocol and destination port number.

Structure of the Classifiers

[Figure: rules R1, R2 and R3 forming 4 regions]

Structure of the Classifiers

[Figure: overlapping rules R1, R2 and R3 forming 7 regions: R1, R2, R3, {R1, R2}, {R2, R3}, {R1, R2, R3}]

Our dataset: 1733 rule classifier = 4316 distinct regions (worst case is 10^13!)

One-Step Classification

[Figure labels: 2^S = 2^128; 2^T = 2^14]

Recursive Flow Classification (RFC)

[Figure labels: 2^S = 2^128; 2^64; 2^32; 2^T = 2^14]

Chunking of a packet

[Figure: Packet Header fields (Source L3 Address, Destination L3 Address, L4 protocol and flags, Source L4 port, Destination L4 port, Type of Service) split into chunks, Chunk #0 … Chunk #7]

Packet Flow

[Figure: Header → Phase 0 → Phase 1 → Phase 2 → Phase 3 → action. Labels: index, Reduction, Combination. Bit widths shown: 128, 64, 32, 16, 14; per-chunk labels 16 and 8.]

Example Classifier

| Rule | Destination L3 | Source L3 | Destination L4 | Protocol |
|---|---|---|---|---|
| R1 | 152.163.190.69/0.0.0.0 | 152.163.80.1/0.0.0.0 | * | * |
| R2 | 152.168.3.0/0.0.0.255 | 152.163.200.157/0.0.0.0 | HTTP | UDP |
| R3 | 152.168.3.0/0.0.0.255 | 152.163.200.157/0.0.0.0 | 20-21 | UDP |
| R4 | 152.168.3.0/0.0.0.255 | 152.163.200.157/0.0.0.0 | HTTP | TCP |
| R5 | 152.163.198.4/0.0.0.0 | 152.163.160.0/0.0.3.255 | >1023 | TCP |
| R6 | 152.163.198.4/0.0.0.0 | 152.163.36.0/0.0.0.255 | >1023 | TCP |

Formation of regions

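[Figure: destination L4 port number line with marks at 0, 20, 21, 80, 1024 and 65535, projecting the rule values {20-21, HTTP, >1023, *}]

| EqID | Region / Equivalence class | Overlapping Rule Set |
|---|---|---|
| E0 (00) | {20, 21} | {R1, R3} |
| E1 (01) | {80} | {R1, R2, R4} |
| E2 (10) | {1024-65535} | {R1, R5, R6} |
| E3 (11) | {0-19, 22-79, 81-1023} | {R1} |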

Reduction

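[Figure: reduction table for the destination L4 port chunk, indexed by port value (0 to 65535, with marks at 20, 21, 80, 1023 and 1024) and returning an eqID (00, 01, 10 or 11); a 16-bit index yields a 2-bit eqID. Remaining figure labels: Protocol, L4 port, 4, 3.]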

Combination

Regions/Equivalence Classes

| Rule | Destination L4 | Protocol |
|---|---|---|
| R1 | * | * |
| R2 | HTTP | UDP |
| R3 | 20-21 | UDP |
| R4 | HTTP | TCP |
| R5 | >1023 | TCP |
| R6 | >1023 | TCP |

| EqID | Region / Equivalence Set | Overlapping Rule Set |
|---|---|---|
| E0 | {(HTTP, UDP)} | {R1, R2} |
| E1 | {(20-21, UDP)} | {R1, R3} |
| E2 | {(HTTP, TCP)} | {R1, R4} |
| E3 | {(>1023, TCP)} | {R1, R5, R6} |
| E4 | {all other crossproducts} | {R1} |

Successive reduction + combination: final action
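
Added example (not part of the original slides): the reduction and combination steps above, run in Python over the Destination L4 and Protocol columns of the example classifier. It assumes HTTP means port 80, an 8-bit protocol chunk, and TCP = 6 / UDP = 17; eqIDs are numbered in first-seen order, so the numbers differ from the slides' E0-E4 labels while the classes themselves are the same.

```python
# Added example (not from the slides): RFC phase-0 reduction and a
# combination step over the destination-L4-port and protocol fields of the
# slides' six-rule example classifier.
TCP, UDP = 6, 17            # IANA protocol numbers; HTTP is taken as port 80
# rule -> ((port_lo, port_hi), protocol); None is the '*' wildcard
RULES = {
    "R1": ((0, 65535), None),
    "R2": ((80, 80), UDP),
    "R3": ((20, 21), UDP),
    "R4": ((80, 80), TCP),
    "R5": ((1024, 65535), TCP),
    "R6": ((1024, 65535), TCP),
}

def reduce_chunk(width_bits, matches):
    """Reduction: build a 2^width table mapping each chunk value to an eqID.
    Values matched by the same set of rules share one eqID."""
    table, classes = [], []          # classes[eqid] = frozenset of rule names
    for value in range(1 << width_bits):
        rule_set = frozenset(r for r in RULES if matches(RULES[r], value))
        if rule_set not in classes:
            classes.append(rule_set)
        table.append(classes.index(rule_set))
    return table, classes

def combine(classes_a, classes_b):
    """Combination: index by a pair of eqIDs; the rules matching the pair
    are the intersection of the two classes' rule sets."""
    table, classes = {}, []
    for a, set_a in enumerate(classes_a):
        for b, set_b in enumerate(classes_b):
            rule_set = set_a & set_b
            if rule_set not in classes:
                classes.append(rule_set)
            table[(a, b)] = classes.index(rule_set)
    return table, classes

PORT_TBL, PORT_CLS = reduce_chunk(16, lambda r, v: r[0][0] <= v <= r[0][1])
PROTO_TBL, PROTO_CLS = reduce_chunk(8, lambda r, v: r[1] in (None, v))
COMB_TBL, COMB_CLS = combine(PORT_CLS, PROTO_CLS)

def classify(port, proto):
    """Table lookups only; no per-rule comparison at classification time."""
    return COMB_CLS[COMB_TBL[(PORT_TBL[port], PROTO_TBL[proto])]]

if __name__ == "__main__":
    for eq_id, rule_set in enumerate(COMB_CLS):
        print(f"E{eq_id}: {sorted(rule_set)}")
```

The port table has 65536 entries but only four distinct eqIDs, and the combination table has 4 x 3 = 12 entries instead of one per (port, protocol) pair.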

Packet Flow

[Figure: Header → Phase 0 → Phase 1 → Phase 2 → Phase 3 → action. Labels: index, Reduction; per-chunk labels 16 and 8.]

Choice of Reduction Tree

[Figure: reduction tree over chunks 0 to 5] Number of phases = P = 3; 10 memory accesses

[Figure: reduction tree over chunks 0 to 5] Number of phases = P = 4; 11 memory accesses

Storage Requirements

[Plot: Memory in Mbytes vs. Number of Rules]

Preprocessing Time

[Plot: Time in seconds vs. Number of Rules]

333MHz Pentium-II with 96MB RAM running Linux.

Classification Time

Pipelined hardware: 30 Mpps (worst case OC192) using two 4Mb SRAMs and two 64Mb SDRAMs at 125MHz.

Software: (3 phases) 1 Mpps in the worst case and 1.4-1.7 Mpps in the average case (average case OC48). [Performance measured using Intel VTune simulator on a Windows NT platform.]

Larger classifiers

[Plot: Memory in Kbytes vs. Number of Rules]

Conclusions

Difficult to achieve both high classification rate and reasonable storage in the worst case.

Real classifiers exhibit structure and redundancy.

The proposed classification scheme, RFC, seems to be of practical use where classifiers do not change very frequently.