Minimizing Rulesets for TCAM Implementation
Presenter: Praveen Yalagandula
In collaboration with Rick McGeer
HP Labs, Palo Alto, CA
Packet Classification
• A typical task in most network appliances
  • Firewalls, switches, routers, etc.
• Definition
  • Classify packets into different buckets
    • E.g., dst-port=80 (web traffic), ether-type=0x8906 (FCoE)
  • Apply different actions to packets in different buckets
    • E.g., Allow, Deny, Deny-with-log, High-priority-queue
• Used for
  • Access Control Lists
  • QoS enforcement
Ternary Content Addressable Memory
• ASIC to perform classification at line rate
• Matches a packet header in parallel against all entries
• Applies the first matching entry's action to the packet
[Figure: a TCAM table with columns Pattern and Action; X = don't care]
  Pattern          Action
  01011101110101   Deny
  10101010101XXX   Forward
  1010101XXXXXXX   Deny-log
  10101010101000   ……
  10101011111111   ……
  Packet header 10101010101111 matches both the Forward entry (10101010101XXX) and the Deny-log entry (1010101XXXXXXX); with the order shown, the first match wins and the packet is forwarded.
Problem: Large Rulesets & Range Rules
• TCAMs are expensive, space-hungry, and power-hungry
• Large rulesets & rules with ranges → need large TCAMs
  • Ranges are common
  • A single rule with ranges can use up multiple entries: each range field is expanded into prefixes (ternary entries), and the rule needs the product of the per-field prefix counts
  • E.g., a rule with 1 ≤ src-port ≤ 2^16 − 2 and 1 ≤ dst-port ≤ 2^16 − 2 needs 30 prefixes per field, i.e., 30 × 30 = 900 entries!!
• If all rules do not fit into the TCAM, then
  • Some packets need to be diverted to software → substantial reduction in throughput
• Switch vendors often receive customer requests for dealing with such rulesets
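To make the entry blow-up concrete, here is an added example (not code from the slides or the authors) that expands an integer range into the minimal set of prefixes a TCAM can store and multiplies the per-field counts for a multi-field rule. The field width (16 bits for ports) and the greedy aligned-block expansion are the standard prefix-expansion technique, not something specific to this work.

```python
"""Prefix expansion of range rules, as an added example (not from the slides).

A TCAM entry is a ternary string, so a port range has to be broken into the
fewest aligned power-of-two blocks (prefixes); a rule with several range
fields needs the product of the per-field prefix counts.
"""


def range_to_prefixes(lo: int, hi: int, width: int = 16) -> list:
    """Minimal prefix cover of the integer interval [lo, hi] on `width` bits.

    Greedy: from the current lower end take the largest block of size 2^k
    that is aligned to 2^k and still fits under hi; emit its top (width-k)
    bits followed by k don't-cares, then continue just after the block.
    Greedy is optimal because aligned blocks are nested or disjoint, never
    staggered, so a larger block never costs an extra prefix later.
    """
    assert 0 <= lo <= hi < (1 << width)
    prefixes = []
    while lo <= hi:
        k = 0
        while (k < width
               and lo & ((1 << (k + 1)) - 1) == 0       # aligned to 2^(k+1)
               and lo + (1 << (k + 1)) - 1 <= hi):      # block still inside [lo, hi]
            k += 1
        fixed = format(lo >> k, f"0{width - k}b") if width > k else ""
        prefixes.append(fixed + "X" * k)
        lo += 1 << k
    return prefixes


def rule_entry_count(ranges: list, width: int = 16) -> int:
    """TCAM entries needed by one rule whose fields are the given (lo, hi) ranges."""
    n = 1
    for lo, hi in ranges:
        n *= len(range_to_prefixes(lo, hi, width))
    return n


def matches(prefix: str, value: int) -> bool:
    """Ternary match of an integer against a prefix string of the same width."""
    bits = format(value, f"0{len(prefix)}b")
    return all(p == "X" or p == b for p, b in zip(prefix, bits))


if __name__ == "__main__":
    # The slide's example: both ports in 1..65534 -> 30 prefixes each, 900 entries.
    for p in range_to_prefixes(1, 65534):
        print(p)
    print("entries for the two-port rule:", rule_entry_count([(1, 65534), (1, 65534)]))
    # A "high ports" range (>= 1024) by contrast needs only six prefixes.
    print(range_to_prefixes(1024, 65535))
```

Ranges that start or end one off a power of two are the expensive ones: 1..65534 costs 30 prefixes per field, while 1024..65535 costs 6, which is why the slides single out range rules as the main consumer of TCAM space.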
Ruleset Minimization
• Given a ruleset, find a minimal set of TCAM entries that implement the ruleset
• Example (3-bit header)
  • Input ruleset: 0-6: Deny; *: Accept
  • Direct expansion into TCAM entries: 0XX: Deny; 10X: Deny; 110: Deny; XXX: Accept (4 entries)
  • Optimized TCAM entries: 111: Accept; XXX: Deny (2 entries)
• Example (3-bit header)
  • Input ruleset: 0: Deny; 2: Deny; *: Accept
  • Direct expansion into TCAM entries: 000: Deny; 010: Deny; XXX: Accept (3 entries)
  • Optimized TCAM entries: 0X0: Deny; XXX: Accept (2 entries)
Previous Research
• Mostly heuristics based on observed patterns
• Targeting rules with ranges
  • Expanding/Trimming ranges
    • [Dong et al. SIGMETRICS'06]
  • Range Encoding
    • [Liu et al. HotInterconnects'02]
    • [Lakshminarayanan et al. SIGCOMM'05]
• Decision trees on header fields
  • TCAM Razor [Meiners et al. ICNP'07]
Our Approach: Leverage Boolean Logic Minimization
• Logic Minimization (LM)
  • Given a set of Boolean cubes (n dimensions)
  • Find a minimal set of cubes that is equivalent to the input
• Logic Minimization has been studied extensively
  • A major research topic in the VLSI CAD field
  • Several heuristics and tools available
• However, straightforward LM misses TCAM's first-match feature
LM misses TCAM's First-Match Rule
[Figure: Karnaugh map over header bits w, x, y, z (rows yz, columns wx); cells marked A = Allow, D = Deny, --- = Don't Care]
• Minimizing the two functions separately (LM): 5 cubes
  • A = y'z' + wy' + x'y'
  • D = y + w'xz
• Using first match, the same classification needs only 3 TCAM entries:
  • 01X1 : Deny (w'xz)
  • XX0X : Allow (y')
  • XXXX : Deny (1)
• The Allow entry overlaps the Deny region w'xz, which is acceptable only because the Deny entry for w'xz comes first
Our Contributions
• Formulated the TCAM ruleset minimization problem in terms of LM
  • Minimal Sequential Cover problem
• Proposed an algorithm and proved its optimality
  • The algorithm is exponential in computational complexity
• Derived heuristics based on the optimal algorithm
• Analyzed several artificial and two real rulesets
  • Avg. reduction in artificial rulesets: 42%
  • Reduction in real rulesets: 72% and 49%
Steps
[Figure: Input ruleset → Step 1 → Individual target functions → Step 2 → Minimum sequential cover]
Converting input to target functions
• The ordering is significant in the input rulesets too
• Input ruleset: C1 : Accept; C2 : Deny
  • Function F1 associated with rule 1: C1
  • Function F2 associated with rule 2: C1'C2 (C2 minus what rule 1 already matched)
• Boolean functions
  • Wrong (ignores order): Accept = C1, Deny = C2
  • Right: Accept = C1, Deny = C1'C2

Converting input to target functions (contd.)
• The ordering is significant in the input rulesets too
• Input ruleset: C1 : Accept; C2 : Accept; C3 : Deny; C4 : Accept; C5 : Deny
• Functions for rules
  • F1 = C1
  • F2 = F1'C2
  • F3 = F1'F2'C3
  • F4 = F1'F2'F3'C4
  • F5 = F1'F2'F3'F4'C5
• Target functions
  • Accept = F1 + F2 + F4
  • Deny = F3 + F5
• Simplify using x + x'y = x + y and x + xy = x
  • Accept = C1 + C2 + C3'C4
  • Deny = C1'C2'C3 + C1'C2'C4'C5
Minimal Sequential Cover Problem
• Given: a set of target functions
• Sequential Cover: a sequence of <cube, target> tuples that implements the target functions in a TCAM
• Minimal Sequential Cover: a sequential cover of minimal length
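The following added example (not the authors' code) ties together the w, x, y, z first-match slide, the Step 1 conversion of an ordered ruleset into per-rule functions F_i and per-action target functions, and the sequential-cover definition. It models a TCAM as an ordered list of (cube, action) entries with first-match lookup, computes target functions as minterm sets by brute force (small headers only), and checks that the three-entry sequential cover from the slides implements exactly the functions A = y'z' + wy' + x'y' and D = y + w'xz that plain LM needs five cubes for. Header bits are taken as w, x, y, z in that order, so 01X1 is w'xz and XX0X is y'; the cubes for C1 and C2 in the ordering example are constructed here.

```python
"""First-match TCAM semantics vs. plain logic minimisation (added example).

Not the authors' code. A TCAM is an ordered list of (cube, action) entries;
the per-rule functions follow the slides, F_i = C_i AND NOT(F_1 OR ... OR F_{i-1}),
and a target function is the OR of the F_i that share an action.
"""
from itertools import product


def all_minterms(width):
    """Every `width`-bit header value as a bit string, e.g. '0101'."""
    return ["".join(m) for m in product("01", repeat=width)]


def matches(cube, bits):
    """Ternary match: each cube position is 'X' or equals the packet bit."""
    return all(c == "X" or c == b for c, b in zip(cube, bits))


def classify(tcam, bits, default=None):
    """First-match lookup: the action of the first entry whose cube matches."""
    for cube, action in tcam:
        if matches(cube, bits):
            return action
    return default


def rule_functions(ruleset, width):
    """Step 1: F_i is rule i's cube minus everything earlier rules already took."""
    taken, fs = set(), []
    for cube, action in ruleset:
        f_i = {m for m in all_minterms(width) if matches(cube, m)} - taken
        fs.append((f_i, action))
        taken |= f_i
    return fs


def target_functions(ruleset, width):
    """Per-action target function: OR (set union) of the F_i with that action."""
    targets = {}
    for f_i, action in rule_functions(ruleset, width):
        targets.setdefault(action, set()).update(f_i)
    return targets


def sop_minterms(cubes, width):
    """Minterms of a sum of products written as a list of cubes."""
    return {m for m in all_minterms(width) if any(matches(c, m) for c in cubes)}


def implements(tcam, targets, width):
    """True iff first-match lookup over `tcam` yields exactly the target functions,
    i.e. `tcam` is a sequential cover of `targets`."""
    got = target_functions(tcam, width)
    return all(got.get(a, set()) == f for a, f in targets.items()) and set(got) <= set(targets)


# The slides' w,x,y,z example. Separate two-level minimisation needs five cubes:
LM_ALLOW = ["XX00", "1X0X", "X00X"]      # A = y'z' + wy' + x'y'
LM_DENY = ["XX1X", "01X1"]               # D = y + w'xz
TARGETS = {"Allow": sop_minterms(LM_ALLOW, 4), "Deny": sop_minterms(LM_DENY, 4)}
# ... while a sequential cover exploiting first match needs three entries:
SEQ_COVER = [("01X1", "Deny"), ("XX0X", "Allow"), ("XXXX", "Deny")]
# The five LM cubes also work as TCAM entries (A and D are disjoint), but cost five.
LM_AS_TCAM = [(c, "Allow") for c in LM_ALLOW] + [(c, "Deny") for c in LM_DENY]

# The ordering example with constructed cubes: C1 = 0XX : Accept, C2 = X0X : Deny.
# Deny must be C1'C2 = {100, 101}, not C2 = {000, 001, 100, 101}.
ORDERED = [("0XX", "Accept"), ("X0X", "Deny")]

if __name__ == "__main__":
    print("3-entry cover implements targets:", implements(SEQ_COVER, TARGETS, 4))
    print("5-cube LM as TCAM implements targets:", implements(LM_AS_TCAM, TARGETS, 4))
    print("reversed cover implements targets:", implements(list(reversed(SEQ_COVER)), TARGETS, 4))
    for f_i, action in rule_functions(ORDERED, 3):
        print(action, sorted(f_i))
```

Reversing the three entries (XXXX: Deny first) denies everything, which is the whole point of the slide: the cubes of a sequential cover may overlap, so their order is part of the solution, and that is exactly what an order-blind minimiser cannot exploit.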
Exact Solution
• Recursive procedure over all prime implicants of all functions
• We prove this is optimal
• The above is exponential in complexity
Heuristics for PERMIT/DENY rulesets
• PERMIT/DENY rulesets
  • Only PERMIT rules, with an implicit DENY rule at the end
  • Common in the set of rulesets we have seen
• Heuristic 1:
  • Apply Logic Minimization (LM) only on the PERMIT cubes
• Heuristic 2:
  • Generate DENY cubes
  • For each DENY cube, run LM on the PERMIT cubes with that DENY cube as a don't-care
  • Pick the DENY cubes that reduce the PERMIT cubes
  • Return those DENY cubes followed by the reduced set of PERMIT cubes
• Heuristic 3:
  • Reduce the set of DENY cubes tried in Heuristic 2 through quantification
  • See paper for details
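An added example (not the authors' implementation) of Heuristics 1 and 2 on toy PERMIT/DENY rulesets, so the effect of treating a DENY cube as a don't-care is visible. Two things are assumptions of this example rather than statements from the slides: the candidate DENY cubes are taken to be the prime implicants of the DENY function, and the minimiser is a brute-force exact two-level minimiser over all ternary cubes (only practical for 3-4 bit headers) standing in for a real LM tool. The implicit DENY is treated as the TCAM miss action and not counted as an entry; Heuristic 3 is not shown. The inputs are constructed: the 3-bit permit-0..6 case mirrors the slides' 0-6 example with PERMIT/DENY roles, and the 4-bit case denies 01X1 and 100X.

```python
"""PERMIT/DENY Heuristics 1 and 2 on a toy TCAM (added illustration, not the
authors' code). Exact brute-force minimisation replaces a real LM tool.
"""
from itertools import combinations, product


def all_cubes(width):
    """Every ternary cube over `width` bits, e.g. '0X1'."""
    return ["".join(c) for c in product("01X", repeat=width)]


def all_minterms(width):
    return {"".join(m) for m in product("01", repeat=width)}


def matches(cube, bits):
    """Ternary containment: True if `bits` (a minterm or a cube) lies inside `cube`."""
    return all(c == "X" or c == b for c, b in zip(cube, bits))


def prime_implicants(on, off, width):
    """Maximal cubes that touch `on` and avoid `off`; other minterms are don't-cares."""
    cands = [c for c in all_cubes(width)
             if any(matches(c, m) for m in on) and not any(matches(c, m) for m in off)]
    return [c for c in cands if not any(o != c and matches(o, c) for o in cands)]


def minimize(on, off, width):
    """Fewest cubes covering all of `on` and none of `off` (exact, brute force).
    Prime implicants suffice: any cube in a cover can be widened to a prime."""
    primes = prime_implicants(on, off, width)
    for k in range(1, len(primes) + 1):
        for pick in combinations(primes, k):
            if all(any(matches(c, m) for c in pick) for m in on):
                return list(pick)
    return []


def heuristic1(permit, deny, width):
    """Heuristic 1: minimise the PERMIT cubes alone; DENY minterms are OFF."""
    return [(c, "Permit") for c in minimize(permit, deny, width)]


def heuristic2(permit, deny, width):
    """Heuristic 2: try each DENY cube as a don't-care for the PERMIT minimisation,
    keep the ones that shrink the PERMIT cover, emit them first (the PERMIT cubes
    may now overlap them, so they must come later), then the PERMIT cubes
    minimised with all kept DENY cubes as don't-cares.
    Assumption: candidate DENY cubes = prime implicants of the DENY function."""
    base = len(minimize(permit, deny, width))
    kept = []
    for d in prime_implicants(deny, permit, width):
        dc = {m for m in deny if matches(d, m)}
        if len(minimize(permit, deny - dc, width)) < base:
            kept.append(d)
    joint = {m for m in deny if any(matches(d, m) for d in kept)}
    permits = minimize(permit, deny - joint, width)
    return [(d, "Deny") for d in kept] + [(c, "Permit") for c in permits]


def classify(tcam, bits, default="Deny"):
    """First-match TCAM lookup; the implicit DENY is the miss action."""
    for cube, action in tcam:
        if matches(cube, bits):
            return action
    return default


def implements(tcam, permit, width):
    """True iff the entries permit exactly the `permit` minterms."""
    return all((classify(tcam, m) == "Permit") == (m in permit) for m in all_minterms(width))


# Constructed inputs (not from the slides' data sets).
PERMIT3 = {format(v, "03b") for v in range(7)}      # permit 0..6, deny 7
DENY3 = all_minterms(3) - PERMIT3
DENY4 = {"0101", "0111", "1000", "1001"}             # deny 01X1 and 100X
PERMIT4 = all_minterms(4) - DENY4

if __name__ == "__main__":
    for permit, deny, w in ((PERMIT3, DENY3, 3), (PERMIT4, DENY4, 4)):
        h1, h2 = heuristic1(permit, deny, w), heuristic2(permit, deny, w)
        print(f"{w}-bit: heuristic 1 -> {len(h1)} entries {h1}")
        print(f"{w}-bit: heuristic 2 -> {len(h2)} entries {h2}")
```

In the 3-bit case Heuristic 1 needs the three PERMIT cubes 0XX, X0X, XX0, while Heuristic 2 finds that 111 as a don't-care collapses them to XXX and returns 111: Deny, XXX: Permit, the mirror image of the slides' 0-6 example. The 4-bit case shows two DENY cubes being kept and the PERMIT set collapsing to a single entry; note that an explicit DENY cube placed after the PERMIT cube it is meant to carve out would be dead, which is why `implements` checks the final order.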
Results
• Synthetic rulesets
  • Generated using the ClassBench tool (from Washington University in St. Louis)
  • Avg reduction: 41.6%
• Two real firewall rulesets
  • HP Palo Alto firewall
  • Firewall ruleset from a customer of ProCurve
Further Steps
• Design a web service that provides our optimization as a service
  • Customers upload their rules
  • Our service computes a minimized ruleset
  • Customers apply the new ruleset in their network appliance
• Explore more heuristics for further reduction
• Deal with more than two actions
• Deal with incremental updates to rulesets