SSA: A Power and Memory Efficient Scheme to Multi-Match

Packet Classification

Fang Yu1 T. V. Lakshman2 Martin Austin Motoyama1 Randy H. Katz1

1EECS Department, UC Berkeley , 2Bell Laboratories, Lucent Technologies

Single-Match Classification Assumption: all the filters are associated with priorities Only the highest priority match matters E.g., longest prefix match

Multi-Match Classification Report all matching results No priority among filters Applications:

Intrusion Detection Systems: identify all the related rules Accounting Applications: update multiple counters given one

packet

Multi-Match Packet Classification

Ternary-CAM (TCAM)

Fully associative memory compare input string with all the entries in parallel If multiple matches, report the index

of the first match Each cell takes one of three logic

states : ‘0’, ‘1’, and ‘?’(don’t care)

Current TCAM technology Fast match time: e.g., 4 ns Size: 9Mbits – 18Mbits priced at

$200-$300 Power consumption is high

Grow linearly to the number of entries searched in parallel

Scales with the frequency of TCAM accesses.

192.128.101.100

168.100.???.???

192.128.???.???

Match192.128.101.???

Input

TCAM

0

2

4

6

8

10

12

0 20,000 40,000 60,000Number of Entries Searched in Parallel

Po

we

r (i

n w

att

s)

250 Million Lookups Per Second207 Million Lookups Per Second165 Million Lookups Per Second125 Million Lookups Per Second

Previous Solutions: Geometric Intersection-based Solution [Hot Interconnects 04]

Add additional intersection filters Return the all the matching

results within one cycle

May require high storage and is not energy efficient

Create ~10N intersection filters for the Snort rule set

May create O(NF) intersection filters in the worst case

Not easily updatable

tcp $SQL_SERVER 1433$EXTERNAL_NET 139

tcp any any any 139

Match

tcp $SQL_SERVER 1433$EXTERNAL_NET any

Input

TCAMStores Rules

Filter 1

Filter 2

SRAM

Stores Match list(Index of rule)

tcp $SQL_SERVER 1433$EXTERNAL_NET 139

Filter 1&2

Previous Solution: MUD [ Sigcomm 05]

Encode the index of the entry and include the encoded value in each TCAM entry

Search the TCAM with initial MUD as all don’t cares After finding a matching result at index j, search again

discriminator field value ‘greater than j’

Require 1+d+(k-2)*(d-1) TCAM lookups to get k matching results

d is the logarithm of the number of entries in TCAM (d=log2N)

decreased to 1+d*(k-1)/r with DIRPE, where r (smaller than d)

All the entries in TCAMs are accessed each time high power consumption.

Filter 3Filter 2

Filter 1

Packet InfoInput

TCAM

00110010

0001

Discrim-inators

Our Goal: Find a memory and power efficient solution

Observation

Split filters to two sets to reduce intersection Perform separate TCAM accesses into different sets Report the union of results from all sets

N filters +O(N2) intersection1 TCAM lookup

N filters + 1 intersection2 TCAM lookups

Original Two sets

F1

FN

Matching F1 and FN

Matching F1

Matching FN

Analysis: Split Filters into K Sets

No need to include the intersections of the filters from different sets low memory requirement

Perform one TCAM lookups into each set Each filter is accessed only once Low power consumption Total number of lookups (K) is independent to the multi-

matching degree of the packet Deterministic lookup rate These lookups are can parallelized Update is local to one of the set

Split filters into Multiple Sets

Splitting filters into multiple sets is an NP hard problem

Splitting filters into two sets is still an NP hard problem (known as maximum set splitting or maximum hypergraph cut ) Best known approximation algorithms

Yield a performance ratio of 0.72 to the optimum solution Require quadratic programming slow when the number of filters

is large

We propose a set splitting algorithm (SSA) based on Johnson’s algorithm

Guarantee to remove at least 50% of the intersections O(NM) complexity, where N is the total number of filters, and M is

the total number of intersections

Simulation Results on Snort Rule Sets

0

1000

2000

3000

4000

5000

6000

7000

8000

2.0.0 2.0.1 2.1.0 2.1.1Snort version

Nu

mb

er

of

TC

AM

en

trie

s

ac

ce

ss

ed

pe

r p

ac

ke

t

MUD (HTTP Packets)MUD (Napster Packets)MUD (worst case)Geometric Intersection-based SSA-2SSA-4

Total number of extra intersections filters in TCAMs.

Version

GeometricIntersection-

based

SSA-2 SSA-4

ExtraIntersections

SavingExtra

IntersectionsSaving

2.0.0 3453 46 98.67% 1 99.97%

2.0.1 3754 47 98.75% 1 99.97%

2.1.0 3758 47 98.75% 0 100%

2.1.1 4067 55 98.65% 0 100%

Memory Consumption: Total number of TCAM entries

Version MUDGeometric

Intersection-basedSSA-2 SSA-

4

2.0.0 240 3693 286 241

2.0.1 255 4009 302 256

2.1.0 257 4015 304 257

2.1.1 263 4330 318 263

Version MUD

GeometricIntersection-

based

SSA-2 SSA-4

Avg Max Avg Max Avg Max

2.0.0 1 31.73 157 1.33 17 1.002 2

2.0.1 1 35.24 135 1.34 19 1 1

2.1.0 1 34.71 135 1.36 20 1.002 2

2.1.1 1 36.00 172 1.41 26 1.006 2

Update cost in terms of newly inserted filters. Power Consumption: TCAM entries accessed per packet.

Conclusion

SSA can solve multi-match classifying problem efficiently O(NM) complexity Guarantee to remove 50% of the intersections each

time the filter set splits Comparing to MUD

Use a similar amount of TCAM memory Yield a 75% to 95% reduction in power consumption

Comparing to the Geometric Intersection-based Solution Use 90% less TCAM memory and power Require one additional TCAM lookup per packet.