Efficient multi-match packet classification with TCAM

Proceedings. 12th Annual IEEE Symposium on High Performance Interconnects Pub Date : 2004-08-05 DOI:10.1109/CONECT.2004.1375197

Fang Yu, R. Katz

{"title":"Efficient multi-match packet classification with TCAM","authors":"Fang Yu, R. Katz","doi":"10.1109/CONECT.2004.1375197","DOIUrl":null,"url":null,"abstract":"Today's packet classification systems are designed to provide the highest priority matching result, e.g., the longest prefix match, even if a packet matches multiple classification rules. However, new network applications, such as intrusion detection systems, require information about all the matching results. We call this the multi-match classification problem. In several complex network applications, multi-match classification is immediately followed by other processing dependent on the classification results. Therefore, classification should be even faster than the line rate. Pure software solutions cannot be used due to their slow speeds. We present a solution based on ternary content addressable memory (TCAM), which produces multi-match classification results with only one TCAM lookup and one SRAM lookup per packet - about ten times fewer memory lookups than a pure software approach. In addition, we present a scheme to remove the negation format in rule sets, which can save up to 95% of TCAM space compared with the straight forward solution. We show that using our pre-processing scheme, header processing for the SNORT rule set can be done with one TCAM and one SRAM lookup using a 135 KB TCAM.","PeriodicalId":224195,"journal":{"name":"Proceedings. 12th Annual IEEE Symposium on High Performance Interconnects","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2004-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"69","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings. 12th Annual IEEE Symposium on High Performance Interconnects","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CONECT.2004.1375197","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 69

Abstract

Today's packet classification systems are designed to provide the highest priority matching result, e.g., the longest prefix match, even if a packet matches multiple classification rules. However, new network applications, such as intrusion detection systems, require information about all the matching results. We call this the multi-match classification problem. In several complex network applications, multi-match classification is immediately followed by other processing dependent on the classification results. Therefore, classification should be even faster than the line rate. Pure software solutions cannot be used due to their slow speeds. We present a solution based on ternary content addressable memory (TCAM), which produces multi-match classification results with only one TCAM lookup and one SRAM lookup per packet - about ten times fewer memory lookups than a pure software approach. In addition, we present a scheme to remove the negation format in rule sets, which can save up to 95% of TCAM space compared with the straight forward solution. We show that using our pre-processing scheme, header processing for the SNORT rule set can be done with one TCAM and one SRAM lookup using a 135 KB TCAM.

查看原文本刊更多论文

基于TCAM的高效多匹配分组分类

今天的包分类系统被设计为提供最高优先级的匹配结果，例如，最长的前缀匹配，即使一个包匹配多个分类规则。然而，新的网络应用，如入侵检测系统，需要所有匹配结果的信息。我们称之为多匹配分类问题。在一些复杂的网络应用中，多匹配分类之后紧接着是依赖于分类结果的其他处理。因此，分类速度应该比排线速度还要快。纯软件解决方案由于速度慢而不能使用。我们提出了一种基于三元内容可寻址存储器(TCAM)的解决方案，它产生多匹配分类结果，每个数据包只有一次TCAM查找和一次SRAM查找-大约比纯软件方法少十倍的内存查找。此外，我们还提出了一种去除规则集中否定格式的方案，与直接解决方案相比，该方案可节省高达95%的TCAM空间。我们展示了使用我们的预处理方案，SNORT规则集的标头处理可以通过一个TCAM和一个使用135 KB TCAM的SRAM查找来完成。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings. 12th Annual IEEE Symposium on High Performance Interconnects

自引率

0.00%

发文量