Learn about packet classification in Internet routers, enabling services like firewalls, resource reservation, and QoS routing. Explore the tradeoffs, algorithms, and characteristics involved in the classification process.
Packet Classification
CSE 581 Internet Technology, Winter 2002
Jeffrey Chilberto
Papers
• Tradeoffs for Packet Classification. Anja Feldmann and S. Muthukrishnan, AT&T Labs-Research, March 2000
• Packet Classification using Tuple Space Search. Srinivasan, Suri and Varghese, Washington University, September 1999
• Algorithms for Packet Classification. Pankaj Gupta and Nick McKeown, Stanford University, March 2001
Content
• Introduction to Packet Classification
• What is Packet Classification?
• Example Network and Services
• Characteristics of Packet Classification
• Categories of Packet Classification
• Software Schemes
• Geometry-based Schemes
• Heuristic Schemes
• Hardware Based Schemes
Introduction to Packet Classification
Traditional routers do not provide service differentiation because they treat all traffic going to the same Internet destination address identically. Routers with packet classification capabilities can distinguish traffic based on destination, source, and application type. Such classification allows various forms of service:
• Blocking traffic sent by insecure sites (firewalls)
• Preferential treatment for premium traffic (resource reservation)
• Routing based on traffic type and source (QoS routing)
What is Packet Classification?
Informally:
• Identifies the flow a packet belongs to, based on one or more fields in the packet header. (Tradeoffs)
• The ability to match each packet against a database of rules. (Tuple Space)
• The process of categorizing packets into “flows” in an Internet router. (Algorithms)
What is Packet Classification?
Formally (from Algorithms for Packet Classification):
“Each rule of a classifier has d components. R[i] is the ith component of rule R, and is a regular expression on the ith field of the packet header. A packet P is said to match rule R, if for all i, the ith field of the header of P satisfies the regular expression R[i].”
In most cases we are concerned not just with a match, but with the matching rule of lowest cost.
What is Packet Classification?
Formally (from Packet Classification using Tuple Space Search):
“Suppose there are K header fields in each packet that are relevant to filtering. Then, each filter F[i] is either a variable length prefix bit string or a range. A filter database consists of N filters F1, F2, …, FN. Each filter F is an array of K distinct fields, where F[I] is a specification on the I-th field. We say that a packet P matches filter F if for all packet fields I, P[I] matches F[I]. The packet classification problem is to find the lowest cost filter matching a given packet P.”
What about considerations of time of day or packet size?
What is Packet Classification?
Formally (from Tradeoffs for Packet Classification):
“…given a set R = {r1,…rn} of rules over d fields (dimensions). Each rule consists of a set of ranges ri=[Fi(1),…Fi(d)], where Fi(j) is a range (interval) of values the field j may take; each rule also has a cost. The set of rules may be preprocessed. Queries are presented on line. Each query is a packet p=[f1,…,fd], where each fi is a singleton value. A rule ri applies to a packet p if for all dimensions k, the field fk of packet p lies in the range Fi(k). The problem is to determine the least cost rule that applies to the packet.”
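The three definitions above describe the same problem: normalise every rule field to an interval, test whether each packet field (a single value) lies inside it, and return the applicable rule of lowest cost. The following Python is an added worked example, not code from the slides or from any of the three papers: it implements that definition as a brute-force O(N·d) search, treating a prefix as the interval of addresses it covers and "lowest cost" as a firewall-style priority. The rule names, addresses (RFC 5737 documentation ranges) and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Range = Tuple[int, int]          # closed interval [lo, hi] on one header field


@dataclass
class Rule:
    name: str
    fields: Tuple[Range, ...]    # d ranges, one per dimension (src, dst, proto, dport here)
    cost: int                    # the lowest cost among all applicable rules wins
    action: str


ANY_PROTO: Range = (0, 255)
ANY_PORT: Range = (0, 65535)


def prefix_to_range(cidr: str) -> Range:
    """A prefix such as 198.51.100.0/24 is just the interval of addresses it covers."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def make_rule(name, src, dst, proto, dport, cost, action) -> Rule:
    return Rule(name, (prefix_to_range(src), prefix_to_range(dst), proto, dport), cost, action)


def make_packet(src: str, dst: str, proto: int, dport: int) -> Tuple[int, ...]:
    """A packet is a point p = [f1, ..., fd]: one singleton value per dimension."""
    return int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)), proto, dport


def matches(rule: Rule, packet: Tuple[int, ...]) -> bool:
    # Rule r_i applies to p iff for every dimension k, f_k lies in the range F_i(k).
    return all(lo <= f <= hi for f, (lo, hi) in zip(packet, rule.fields))


def classify(rules, packet) -> Optional[Rule]:
    """Brute-force search for the least-cost applicable rule (None if nothing applies)."""
    best = None
    for rule in rules:
        if matches(rule, packet) and (best is None or rule.cost < best.cost):
            best = rule
    return best


# Constructed firewall-style classifier (hypothetical rule names and addresses).
RULES = [
    make_rule("block-badnet", "198.51.100.0/24", "0.0.0.0/0", ANY_PROTO, ANY_PORT, 1, "deny"),
    make_rule("allow-web", "0.0.0.0/0", "203.0.113.10/32", (6, 6), (80, 80), 10, "permit"),
    make_rule("allow-web-tls", "0.0.0.0/0", "203.0.113.10/32", (6, 6), (443, 443), 10, "permit"),
    make_rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", ANY_PROTO, ANY_PORT, 100, "deny"),
]


def decide(src: str, dst: str, proto: int, dport: int) -> Tuple[str, str]:
    """Name and action of the rule that governs this packet under RULES."""
    rule = classify(RULES, make_packet(src, dst, proto, dport))
    return rule.name, rule.action


if __name__ == "__main__":
    # A web request from the blocked network matches both block-badnet (cost 1) and
    # allow-web (cost 10); the lower cost wins, so the packet is denied.
    print(decide("198.51.100.7", "203.0.113.10", 6, 80))
    print(decide("192.0.2.5", "203.0.113.10", 6, 80))
    print(decide("192.0.2.5", "203.0.113.10", 17, 53))
```

The point of the example is the tie-breaking rule: several rules usually apply to one packet (here a deny and a permit), and the classifier's result is only well defined because every rule carries a cost. Every scheme in the rest of the slides is an attempt to find that least-cost rule faster than this linear scan.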
Example Network (figure not reproduced in this extraction)
Packet Filtering Service (figure not reproduced in this extraction)
Policy Routing Service (figure not reproduced in this extraction)
Accounting Service (figure not reproduced in this extraction)
Traffic Rate Limiting Service (figure not reproduced in this extraction)
Traffic Shaping Service (figure not reproduced in this extraction)
Packet Header (figure not reproduced in this extraction)
Example Classifier (figure not reproduced in this extraction)
Characteristics of Packet Classification
Search Speed
• Faster links require faster classification (e.g., links running at 10 Gbps can carry 31.25 million packets per second)
Storage
• Small storage enables the use of fast memory technologies (e.g., SRAM for on-chip cache by a software algorithm and/or hardware algorithm)
Characteristics of Packet Classification
Number of Rules to be Supported
• Range from hundreds to hundreds of thousands
Number of fields to be used
• Fields (dimensions) of IP header
Characteristics of Packet Classification
Nature of Rules
• Prefix mask on destination IP address
• General masks (e.g., arbitrary ranges)
Updates to the set of rules
• Packet classification must adapt gracefully and swiftly to updates without sacrificing the access performance (e.g., UDP control)
Characteristics of Packet Classification
Worst case vs Average Case
• Typically the focus is on the worst case rather than the average case.
Wide range of solutions depending on requirements
• Desirable to have a suite of solutions with a range of tradeoffs that can be tuned to particular applications.
• Often filter schemes with fast lookup time do not scale to large filter databases.
• Other more scalable schemes work for 2-dimensional classifiers, but performance quickly degrades with each additional dimension.
Categories of Classification Algorithms (figure not reproduced in this extraction)
Example Set of Rules (figure not reproduced in this extraction)
Summary of Software Schemes (comparison table not reproduced in this extraction)
N – Number of Rules, W – Width of dimension, d – Number of dimensions
• Trie schemes provide a good worst case query time at the expense of storage
• Set-pruning tries reduce query time by replicating rules to eliminate recursive traversals
Hierarchical Trie (figure not reproduced in this extraction)
Set-pruning Trie (figure not reproduced in this extraction)
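To make the "recursive traversals" that set-pruning tries eliminate concrete, here is an added Python example of a plain hierarchical trie; it is not code from the slides or from the Gupta and McKeown paper. A d-dimensional hierarchical trie is a binary trie on the first field whose nodes, wherever a first-field prefix ends, point to a binary trie on the second field, and so on; rules live at the nodes where the last field's prefix ends. A query walks the first trie along the packet's bits and, at every prefix node it passes (including the root, which is the length-0 wildcard), must also descend into that node's sub-trie, which is what gives the O(W^d) query time and the O(N·d·W) storage. The dimension order (destination, then source), the rule names and the addresses are this example's own constructed choices.

```python
import ipaddress
from typing import List, Optional, Tuple

WIDTH = 32   # bits per dimension (IPv4 address fields)


class Node:
    __slots__ = ("child", "next_trie", "rules")

    def __init__(self):
        self.child = [None, None]   # 0-branch and 1-branch
        self.next_trie = None       # root of the next dimension's trie, set where a prefix ends
        self.rules = []             # (cost, name) entries, only in the last dimension


def parse_prefix(cidr: str) -> Tuple[int, int]:
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), net.prefixlen


def prefix_bits(value: int, length: int) -> List[int]:
    """Most-significant `length` bits of a WIDTH-bit value, as a list of 0/1."""
    return [(value >> (WIDTH - 1 - i)) & 1 for i in range(length)]


class HierarchicalTrie:
    def __init__(self, dimensions: int):
        self.d = dimensions
        self.root = Node()

    def insert(self, prefixes: List[str], cost: int, name: str) -> None:
        """Insert a rule given as one CIDR prefix per dimension; storage O(N*d*W)."""
        node = self.root
        for k, cidr in enumerate(prefixes):
            value, length = parse_prefix(cidr)
            for b in prefix_bits(value, length):
                if node.child[b] is None:
                    node.child[b] = Node()
                node = node.child[b]
            if k == self.d - 1:
                node.rules.append((cost, name))
            else:
                if node.next_trie is None:
                    node.next_trie = Node()
                node = node.next_trie

    def lookup(self, fields: List[str]) -> Optional[Tuple[int, str]]:
        """Least-cost matching rule, or None. Every prefix node on the path in each
        dimension may hold a match, so each one's sub-trie is searched: O(W^d)."""
        values = [int(ipaddress.ip_address(f)) for f in fields]
        best: List[Optional[Tuple[int, str]]] = [None]

        def consider(node: Node, k: int) -> None:
            if k == self.d - 1:
                for entry in node.rules:          # (cost, name) tuples compare by cost first
                    if best[0] is None or entry < best[0]:
                        best[0] = entry
            elif node.next_trie is not None:
                walk(node.next_trie, k + 1)       # the recursive traversal

        def walk(node: Node, k: int) -> None:
            consider(node, k)                     # root = length-0 (wildcard) prefix
            for b in prefix_bits(values[k], WIDTH):
                node = node.child[b]
                if node is None:
                    return
                consider(node, k)

        walk(self.root, 0)
        return best[0]


def build_demo() -> HierarchicalTrie:
    """Constructed 2-D classifier over (destination prefix, source prefix)."""
    t = HierarchicalTrie(2)
    t.insert(["10.0.0.0/8", "0.0.0.0/0"], 30, "to-corp-any")
    t.insert(["10.1.0.0/16", "192.0.2.0/24"], 10, "to-finance-from-branch")
    t.insert(["10.1.0.0/16", "0.0.0.0/0"], 50, "to-finance-any")
    t.insert(["0.0.0.0/0", "0.0.0.0/0"], 100, "default")
    return t


def classify(dst: str, src: str) -> str:
    """Name of the least-cost rule that applies to a (destination, source) packet."""
    return build_demo().lookup([dst, src])[1]


if __name__ == "__main__":
    # Three destination prefixes (/0, /8, /16) lie on the path for 10.1.5.5, so three
    # source tries are searched; the /16 one holds the cost-10 winner.
    print(classify("10.1.5.5", "192.0.2.9"))
```

A set-pruning trie removes the repeated descents by copying every rule of an ancestor's sub-trie into each descendant's sub-trie at build time, so a query follows a single path; the price is the rule replication the slide mentions.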
Summary of Geometry-based Schemes (comparison table not reproduced in this extraction)
N – Number of Rules, W – Width of dimension, d – Number of dimensions, l – levels of tree
• Several standard geometry problems such as ray shooting, point location, and rectangle enclosure resemble packet classification.
• Mostly used for 2-dimensional classifiers
• Multi-dimensional classifiers may require heuristics
Geometric Representation
Most geometry-based solutions do not match on arbitrary ranges as well as they match on prefixes. One solution is to convert every range into a set of matching prefixes (thus increasing storage complexity).
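The conversion just mentioned is mechanical, and the storage cost it incurs is easy to underestimate, so here is an added Python example (my own code, not from the slides or the papers) of the standard range-to-prefix split: a closed interval on a W-bit field is cut into the fewest aligned power-of-two blocks, each of which is one prefix (a ternary string with trailing don't-care bits). The helper names and the sample port ranges are constructed for illustration; the "more than 1023" port range is the classic worst-ish case.

```python
from typing import List, Tuple


def range_to_prefixes(lo: int, hi: int, width: int) -> List[Tuple[int, int]]:
    """Split the closed interval [lo, hi] of a width-bit field into the minimal set of
    aligned power-of-two blocks, each returned as (value, prefix_length)."""
    assert 0 <= lo <= hi < (1 << width)
    prefixes = []
    while lo <= hi:
        length = width
        # Grow the block that starts at lo while it stays aligned to its own size
        # and does not overshoot hi; each successful step shortens the prefix by one bit.
        while length > 0:
            size = 1 << (width - length + 1)
            if lo % size != 0 or lo + size - 1 > hi:
                break
            length -= 1
        prefixes.append((lo, length))
        lo += 1 << (width - length)
    return prefixes


def as_ternary(value: int, length: int, width: int) -> str:
    """Bit-string form with '*' for don't-care bits, e.g. '000001**********'."""
    bits = format(value, f"0{width}b")
    return bits[:length] + "*" * (width - length)


def expanded_rule_count(ranges: List[Tuple[int, int, int]]) -> int:
    """A rule whose d fields are ranges becomes one prefix rule per combination,
    i.e. the product of the per-field prefix counts (the storage blow-up)."""
    count = 1
    for lo, hi, width in ranges:
        count *= len(range_to_prefixes(lo, hi, width))
    return count


if __name__ == "__main__":
    # Constructed example: the 16-bit port range 1024-65535 needs six prefixes.
    for value, length in range_to_prefixes(1024, 65535, 16):
        print(as_ternary(value, length, 16))
    # A rule on "any source port > 1023 and any destination port > 1023" becomes 36 rules.
    print(expanded_rule_count([(1024, 65535, 16), (1024, 65535, 16)]))
```

In the worst case a single W-bit range needs 2(W-1) prefixes, and a rule with two such fields multiplies them, so a modest classifier of range-based rules can grow by an order of magnitude after conversion; that is the storage increase the slide refers to.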
Summary of Heuristic Schemes (comparison table not reproduced in this extraction)
N – Number of Rules, W – Width of dimension, d – Number of dimensions, M – Number of Tuples
• Based on the assumption that classifiers in real networks have considerable structure and redundancy that might be exploited by a heuristic.
Tuple Space Search
• Based on the observation that while filter databases contain many different prefixes or ranges, the number of distinct prefix lengths tends to be small.
• Pruned Tuple Space is a modified approach where longest prefix matching is performed first and then only tuples compatible with the matches are searched. This approach requires maintaining a tuple list for each entry (e.g., < 6 for the Mae-East prefix database).
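Both bullets are easier to see in code, so here is an added Python example of basic and pruned tuple space search; it is my own illustration, not code from the slides or from the Srinivasan, Suri and Varghese paper. Each rule is keyed by its tuple of prefix lengths, one exact-match hash table is kept per tuple, and a basic search probes every tuple once. For the pruned variant the per-prefix tuple list is computed on the fly (every prefix length under which the field value is present contributes the tuples that contain such a prefix) rather than stored in a longest-prefix-match trie as the paper does; the candidate set is the intersection across fields. The rule names and addresses are constructed, and the probe counts are returned so the pruning effect can be measured.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

WIDTH = 32
Entry = Tuple[int, str]          # (cost, rule name)
TupleKey = Tuple[int, int]       # (source prefix length, destination prefix length)


def parse_prefix(cidr: str) -> Tuple[int, int]:
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), net.prefixlen


def top_bits(value: int, length: int) -> int:
    """The `length` most significant bits of a WIDTH-bit value (0 when length is 0)."""
    return value >> (WIDTH - length)


class TupleSpace:
    def __init__(self):
        # One exact-match hash table per tuple, keyed by the masked field values.
        self.tables: Dict[TupleKey, Dict[Tuple[int, int], Entry]] = {}
        # Per field: (masked prefix value, length) -> tuples containing a filter with that prefix.
        self.prefix_tuples = [defaultdict(set), defaultdict(set)]

    def add(self, src: str, dst: str, cost: int, name: str) -> None:
        (s, ls), (d, ld) = parse_prefix(src), parse_prefix(dst)
        t: TupleKey = (ls, ld)
        key = (top_bits(s, ls), top_bits(d, ld))
        table = self.tables.setdefault(t, {})
        if key not in table or cost < table[key][0]:   # keep the cheaper of identical filters
            table[key] = (cost, name)
        self.prefix_tuples[0][(key[0], ls)].add(t)
        self.prefix_tuples[1][(key[1], ld)].add(t)

    def _probe(self, s: int, d: int, tuples) -> Tuple[Optional[Entry], int]:
        """One hash lookup per tuple; returns (least-cost hit or None, number of probes)."""
        best, probes = None, 0
        for ls, ld in tuples:
            probes += 1
            hit = self.tables[(ls, ld)].get((top_bits(s, ls), top_bits(d, ld)))
            if hit is not None and (best is None or hit < best):
                best = hit
        return best, probes

    def search(self, src: str, dst: str) -> Tuple[Optional[Entry], int]:
        """Basic tuple space search: every tuple is probed."""
        s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
        return self._probe(s, d, list(self.tables))

    def pruned_search(self, src: str, dst: str) -> Tuple[Optional[Entry], int]:
        """Pruned tuple space search: a per-field prefix pass first, then only the
        tuples compatible with the prefixes matched in every field are probed."""
        s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
        candidates: Optional[Set[TupleKey]] = None
        for field, value in ((0, s), (1, d)):
            compatible: Set[TupleKey] = set()
            for length in range(WIDTH + 1):
                compatible |= self.prefix_tuples[field].get((top_bits(value, length), length), set())
            candidates = compatible if candidates is None else candidates & compatible
        return self._probe(s, d, sorted(candidates))


def build_demo() -> TupleSpace:
    """Constructed 2-field filter database; five rules, five distinct tuples."""
    ts = TupleSpace()
    ts.add("10.0.0.0/8", "0.0.0.0/0", 20, "corp-out")
    ts.add("10.1.0.0/16", "203.0.113.0/24", 10, "branch-to-dmz")
    ts.add("192.0.2.0/24", "203.0.113.0/24", 15, "partner-to-dmz")
    ts.add("0.0.0.0/0", "203.0.113.10/32", 30, "any-to-web")
    ts.add("0.0.0.0/0", "0.0.0.0/0", 100, "default")
    return ts


if __name__ == "__main__":
    ts = build_demo()
    print(ts.search("10.1.2.3", "203.0.113.10"))          # 5 probes
    print(ts.pruned_search("10.1.2.3", "203.0.113.10"))   # 4 probes, same answer
    print(ts.pruned_search("172.16.0.1", "198.51.100.1")) # 1 probe: only the (0, 0) tuple fits
```

The basic search cost is the number of tuples, not the number of rules, which is why the scheme pays off when thousands of filters share a handful of prefix-length combinations; pruning helps most for packets whose fields match few prefixes, as the last call shows.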
Tuple Results (results table not reproduced in this extraction)
Tests performed on 4 industrial firewall databases, plus a randomly generated filter database with prefixes randomly chosen from the Mae-East database.
* Both Destination and Source Address Pruned
Summary of Hardware Schemes (comparison table not reproduced in this extraction)
N – Number of Rules, W – Width of dimension, d – Number of dimensions
Ternary CAM
• TCAM memory is used as a gate to determine classification
• Unsuitable for large classifiers
• Costly
• Less dense than SRAM
• Dissipates more power than SRAM
Ternary CAM (figure not reproduced in this extraction)
Summary
• Current routers must perform more services at faster speeds.
• More sophisticated techniques need to be developed and/or implemented to meet the growing size of classifiers.
• Because of the diversity of requirements, the best approaches combine multiple classification schemes with the ability to flexibly specify classifiers.