Lecture 7 - Packet - Classification - 1

Packet
Classification
2/119
Outline
Introduction to Packet Classification
Example Network and Services
Packet Classification Algorithms
Proposed Schemes
Conclusion
3/119

Traditional routers
Do not provide service differentiation because they treat
all traffic going to the same Internet destination address
identically
Routers with packet classification capabilities
Distinguish traffic based on destination, source, and
application type
Such classification allows various forms of service:
Blocking traffic sent by insecure sites (firewalls)
Preferential treatment for premium traffic (resource

reservation)
Routing based on traffic type and source (QoS
routing)
4/119
What is Packet Classification?
Informally
Identifies the flow a packet belongs to,
based on one or more fields in the packet
header
The ability to match each packet
against a database of rules
The process of categorizing packets into
flows in an Internet router
5/119
What is Packet Classification?

Formally
Suppose there are K header fields in each
packet that are relevant to filtering. Then,
each filter F[i] is either a variable length prefix
bit string or a range. A filter database consists
of N filters F1, F2, , FN. Each filter F is an
array of K distinct fields, where F[i] is a
specification on the i-th field. We say that a
packet P matches filter F if for all packet fields
i, P[i] matches F[i]. The packet classification
problem is to find the lowest cost filter
matching a given packet P.
6/119
Packet Header
Some of the header fields be used for classifying the packet.

Although not shown, higher-layer (application level) headers
may also used.
7/119
Example Classifier
8/119
Performance Metrics
Search speed
Storage requirement
Scalability in classifier size
Scalability in the number of header
fields
Update time
Flexibility in specification
9/119
Outline
Proposed Schemes
Conclusion
10/119
Example Network
E1
Router
Y
ISP1
ISP2 X
Z
NAP
ISP3 E2
Example network of an ISP(ISP1) connected to two

enterprise networks(E1 and E2) and to two other ISP
networks(ISP2, ISP3) across a network access point (NAP)
11/119
Packet Filtering Service

E1
Router
Y
ISP1
ISP2 X
Z
NAP
ISP3 E2
Packet Filtering Deny all traffic from ISP3(on the interface X) destined to E2
12/119
Policy Routing Service

E1
Router
Y
ISP1 ATM
ISP2 X
Z
NAP
ISP3 E2
Send all voice-over-IP traffic from E1 (on the interface Y) and

Policy Routing
destined to E2 Via a separate ATM network
13/119
Accounting Service
E1
Router
Y
Accounting
Database
ISP1
ISP2 X
Z
NAP
ISP3 E2
Accounting Treat all video traffic from E1 (on the interface Y) as highest
& Billing priority and perform accounting for the traffic sent this way
14/119
Traffic Rate Limiting Service

E1
Router
Y
ISP1
ISP2 X
Z
NAP
ISP3 E2
Traffic Ensure that ISP2 dost not inject more than 10Mbps email traffic
Rate Limiting and 50Mbps of total traffic on interface X
15/119
Traffic Shaping Service

E1
Router
Y
ISP1
ISP2 X
Z
NAP
ISP3 E2
Traffic Ensure that no more than 50Mbps of web traffic is injected into
Shaping ISP2 on interface X
16/119
Outline
Proposed Schemes
Conclusion
17/119
Linear Search
Organizing the rules of a classifier as an
array or a linked list in order of decreasing
priorities
The rules are examined one by one until a
match is found
The search time : O(N)
The storage complexity : O(N)
-> Infeasible for a large classifier
18/119
Hierarchical Trie
D-dimensional hierarchical trie is constructed by building 1-b

trie (S) on each field (dimension) recursively
A 1-b trie, named F1-trie, is constructed on all prefixes in
the F1 field of C
In each node of the F1-trie denoting a valid prefix P, there is
a pointer, named next-field pointer, pointing to an F2-tries
containing prefixes in the F2 fields of all rules whose first
field is exactly P
After obtaining such a set of F2-tries, another set of F3-tries
could be constructed from the nodes of F2-tries in the same
manner
This process is repeated until the set of Fd-tries is
constructed
19/119
Hierarchical Trie
Next-field pointer
backtracking
(001, 110)
All matches must be found to ensure that the highest

priority one is returned
20/119
Hierarchical Trie
The storage complexity : O(NdW)
assume that the maximum prefix length of
each field is W
The search time : O(Wd)
due to backtracking
The update time : O(d2W)
since each field of the updated rule is stored in
exactly one location at maximum depth O(dW)
21/119
Set-Pruning Trie
Modified version of the hierarchical trie
Each trie node (with a valid prefix)
duplicates all rules in the rule sets of its
ancestors into its own rule set and then
constructs the next dimension trie based
on the new rule set
Improvement of the query speed at the
cost of increased storage complexity
22/119
Set-Pruning Trie
Next-field pointer
(001, 110)
Copy the rules

Backtracking is avoided during the query process in a set-
pruning trie
23/119
Set-Pruning Trie
The storage complexity : O(NddW)
sincea rule may need to be duplicated
up to Nd times
The search time : O(dW)
searchprocess consists of d consecutive
longest prefix matching on each
dimension of the set-pruning trie
The update time : O(N2)
24/119
Grid of Tries
Use pre-computation and switching
pointers to reduce storage complexity
compared with set-pruning trie
The F1-trie node merges the F2-tries of its
ancestors into its own F2-trie
Grid-of-tries structure are constructed by
adding switching pointers to the F2-tries of the
hierarchical trie with comparison to that of the
set-pruning trie
25/119
Grid of Tries
Next-field pointer
(001, 110)
Switching pointers
Instead of node duplication, switching pointers are used

26/119
Grid of Tries
The storage complexity : O(NdW)
as in the hierarchical trie
The search time : O(dW)
as in the set-pruning trie
The Grid-of-tries structure performs well
on both search time and storage
complexity, but incremental updates are
complex since several pointers may point
to a single node
27/119
Cross-Producting
Suitable for an arbitrary number of
fields and type of field specification
Performing d range lookup operation
on each field and composing these
results to index a pre-computed
table that returns the highest priority
rule matched
28/119
Cross-Producting
Dst Src DPort SPort Protocol Dst Src Dst Src
Protocol
Prefix Prefix Port Port
M * 25 * M S 25 123 UDP
*
M * 53 * T1 T0 53 * TCP-ACK
UDP
M S 53 * Net Net 23 *
*
M * 23 * * * 123
*
T1 T0 123 123 *
UDP
* Net * *
TCP-ACK
Net * * *
*
* * * *
Matching
Num Cross Product
Filter
1 M, S, 25, 123, UDP F1
2 M, S, 25, 123, TCP-ACK F1
3 M, S, 25, 123, default F1
4 M, S, 25, default, UDP F1
5 M, S, 25, default, TCP-ACK F1

479 default, default, default, default, TCP-ACK F8
480 default, default, default, default, default F8
29/119
Cross-Productiong
The storage complexity : O(Nd)
A memory explosion problem
The search time : O(d*tRL)
tRL is
the time complexity of finding a range in
one dimension
Incremental updates require
reconstruction of the cross-product table,
so it cannot support dynamic classifiers
well
30/119
2-D Classification Scheme

Prefix
Specification
Arbitrary Range
Specification
A one dimension, say F1, is restricted to having

prefix specifications
The second dimension, F2, is allowed to have
arbitrary range specification
31/119

a9 P (0110, 0101)
a15
a12
a2
a8
e2 0 1
a14 e6
a7 0 1
e4
a1 1
e1 a6 a11 e5
P
a5
e3
a13 a0, a1, a2 a13, a14, a15
a0 a4 a10, a11, a12
a10 a3, a4, a5, a6, a7, a8, a9

a3
BMF : e1 -> e3 -> e5

0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
32/119

The query complexity : O(W*logN)
A range lookup needs to be performed (O(logN) in time)
at every trie node in the path from the root to a null
node in the F1 trie
This can be improved to (W+logN) using a technique
called fractional cascading borrowed from computational
geometry
The storage complexity : O(WN)
Each filter is stored only once in the data structure
However, the use of fractional cascading renders the
data structure static
33/119
AQT
(Area-Based Quadtree)
0* 1*
Geometric interpretation :
00* 01* 10* 11*
Space Decomposition
0011 100* 1101 If W is maximum prefix
length, a prefix filter can
00* R1
be view as a rectangle in
R3
0*
the 2W*2W search space
01*
R2
A filter F=(S*, D*), where
10*
S is a i bit prefix and D is
1*
R4
a j bit prefix, can be
11* represented by a 2W-i*2W-j
rectangle
Ex) The filter R2=(100*, *)
24 represents a rectangle of
R1=(0011, 00*) size 21*24 in the search
R2=(100*, *) space of size 24*24
R3=(1101, 0*)
R4=(0*, 101*)
34/119
AQT
NW NE
SW SE
A basic quadree is a 4-way branching tree that represents a

recursive binary decomposition of space where in at each level
we divide a square subspace into four equal size squares the
north-east (NE), north-west (NW), south-east (SE), and
south-west (SW) quadrants
The regions are split until there is a constant amount of
information to be stored in them
35/119
AQT
S
D
A A A
2k F1 F1 F1 F2
2k
Region A=2k*2k Region A=2k*2k Region A=2k*2k

Filter F=(Si, Dj), Filter F=(Si, Dj), Filter F1=(Si, Dj), And i>k, j<k
And i>k, j=k And i=k, j>k Filter F2=(Si, Dj), And i<k, j>k
Crossing Filter Set (CFS)

The set of all filters that cross a given region A
36/119
AQT
The component filters can
be projected along X and Y
axis, and since, the filters
are specified using
prefixes, these projections
are also prefixes
R5
The problem of filter match
R6
to problem of finding the
best matching prefix (BMP)
R1 R2 R3 R4 along X and Y axis and
selecting the one
corresponding to the high
CFS set C(v)=CX(v)+CY(v) priority (lowest cost) filter
CX(v) = {R1, R2, R3, R4}
CY(v) = {R5, R6}
37/119
AQT
Area-Based Quad Tree (AQT)
NW NE R1, R2, R3, R4, R10
2 (SE)
0 (NW)
2 (SW)
R9
R13
R8 R6, R5
30 33 3
R13
R9
R10 0 3
3 R7
R6 R11
R8
R12
R5 0
3
R7
R1 R2 R3 R4 R11 R12
SW SE
38/119
AQT
For N two-dimensional filters specified
using prefixes of up to W bits in length,
The Space Complexity : O(N)
Eachrule is only stored once at a certain node
where the rule crossed the 2-D space
The Search Time : O(W)
The Update Time : O(*N1/ )
: tunable integer parameter
39/119
RFC
(Recursive Flow Classification)
Structure of the Classifiers
A rule can be represented with a range of values in each
dimension
The number of regions created by n-rules in F dimension
can be as much as O(nF)
The more regions the classifier contains, the more
storage is required, and the longer it takes to classify a
packet
In real classifier, the number overlapping regions are

smaller than the worst case
The number of overlaps to be relatively small in each of
the classifiers
40/119
RFC
Classifying a packet
involves mapping the S-bit
packet header to a T-bit
action identifier, where
T=logN, T<<S
The main idea of RFC is to
perform the same mapping
but over several stages
(phase)
The mapping is performed
recursively; at each stage,
the algorithm performs a
reduction, mapping one set
of values to a smaller set
41/119
RFC
In the first phase, fields of
the packet header are split
into multiple chunks that
are used index multiple
Chunk No.
memories in parallel
0
In subsequent phases,
1
combining the results of
2 the lookups from earlier
3 phases
4
The algorithm requires the
5
contents of each table be
6
pre-computed
7
42/119
RFC
0
Phase=3 1
2
Tree_A Two parameters for tuning
the performance of RFC
Chunk # ClassID
3
4
5
0
Tree_B
The number of phases, P
1
Chunk # 2 ClassID
3 Given a value of P, the
4
5 reduction tree used
Phase 1 Phase 2Phase 3Phase 4
0
Combine those chunks
Phase=4 1
2
Tree_A
together which have the
Chunk #
3 ClassID most correlation
4
5 Combine as many chunks as
0
Tree_B
we can without causing
1
Chunk # 2 ClassID
unreasonable memory
3
4
consumption
5
43/119
RFC
Adjacency Groups (adjGrp)
For smaller memory usage,
reduce the number of chunk
equivalence classes which the
size of the RFC tables depends
on
If two rules are adjacent, they

are merged to form a new rule T
Condition to grouping
Two rules have same action
All but the ith field have the
exact same specification in the
two rules
All rules appearing in between
two rules in the classifier have
either the same action or are
disjoint
- + denotes a logical OR
- All rules shown are assumed to have the same action
44/119
* Assume that all addresses of machines within the

companys network start with the CIDR prefix Net.
45/119
RFC
46/119
RFC
47/119
Cross Product Table

48/119
RFC
(Recursive
Flow
Classification)
49/119
RFC
50/119
RFC
Evaluation
Pros
Suitable for multiple fields
Works for non-contiguous masks
Reasonable memory requirements for real-life
classifiers
Fast lookup rate
Cons
Large preprocessing time
Memory requirements for large classifiers
51/119
HiCuts
(Hierarchical Intelligent Cuttings)
Partitions the multi-dimensional search
space guided by heuristics
The HiCuts algorithm builds a decision tree
data structure by preprocessing the
classifier
The decision tree is traversed to find leaf
node, which stores a small number of
rules
Linear search among the rules of the leaf
node
52/119
HiCuts
Definitions
B(v) : a k-tuple of ranges or intervals
([l1:r1], [l2:r2], , [lk:rk])
C(v) : The cut defined by d and np(C)
d : dimension
np(C) : the number of times that box B(v) is cut into
equal-sized intervals in dimension d ([ld:rd])
R(u) : CollidingRuleSet of u
If u is a child of v, every rule in R(v) that spans, cuts,
or is contained in B(u) is a number of R(u)
53/119
HiCuts
Preprocessing by heuristic
pink a np(C) : the number of interval cuts to make
The trade-off between the depth of the tree (related to
query time) and storage requirement
pink a d : dimension to cut along at each internal node
Minimize maximum number of rules of child nodes
Maximize the entropy of the distribution
Minimize storage requirement
Cut the dimension that has the largest number of distinct
components of rules in that dimension
Maximize the reuse of child nodes
Eliminate redundancies on the tree
54/119
HiCuts
Parameter
binth
The threshold of number of rules stored in
the leaf nodes
spfac
spmf(N) : Pre-determined space measure
function
spmf(N)=spfac*N
55/119
HiCuts
Example
128
64 128 192
56/119
HiCuts
Example
( B(v), d, np(c) )
128
64 128 192
57/119
HiCuts
58/119
HiCuts
Performance
Two dimension Higher dimension
Classifier with 20000 Classifier containing
rules between 100 and 1733
binth : 4 binth : 8 / spfac : 4
Storage requirement : Storage requirement :
1.3MB about 1MB
Depth of tree : Depth of tree :
Worst=4 / Average=2.3 Worst=12 / Average=8
Memory Access : Memory Access :
Worst=8 Worst=20
59/119
Tuple Space Search

Decomposes a classification query into
several exact queries in hash tables
Motivated by the observation that while
classifiers contain many different prefixes, the
number of distinct prefix lengths tends to be
small -> the number of distinct combinations
of prefix lengths is also small
Linearly search each hash table and return
the best matching rule after all tables are
searched
60/119
Tuple Space Search
With K-dimensional filters, a tuple T is vector of K lengths

A filter F belongs or maps to tuples T if the ith field of F is
specified to exactly T[i] bits
Linearly probe all the tuples in the tuple set using hashing on
each tuple
61/119
Tuple Space Search

Tuple Search using a
Balance Heuristic
A probe into a tuple Tj can
be used to eliminate a
subset of the tuple space
Reduce search space! via pre-computation
Ti=[l1, l2, , lk], Tj=[h1, h2,
, hk], if hili for all i=1, 2,
, k, and TjTi :
TjShort(Ti)
Ti=[l1, l2, , lk], Tj=[h1, h2,
, hk], if hili for all i=1, 2,
, k, and TjTi :
TjLong(Ti)
A tuple Tj, where TjTi,
that is neither in Short(Ti)
nor in Long(Ti) : TjIC(Ti)
62/119
Tuple Space Search

Rectangle Search An
Optimal Algorithm for
2-D Filters
Marker
A filter F that belongs in
tuple [i, j] leaves a
marker in tuples [i, j-1],
[i, j-2], , [i, 1]
Pre-computation
A filter (or marker) in
tuple [i, j] pre-computes
the least cost filter
matching it from the
tuples [i-1, j], [i-2, j], ,
[1, j]
63/119
Tuple Space Search

Query time complexity : O(M)
M is the number of tuples in the tuple space
Improve query speed using tuple pruning scheme
Rectangle Search : 2W-1 with W*W tuple space
The storage complexity
Each rule is stored in exactly one hash table
Incremental updates are supported
Require just one hash memory access to the hash table
associated with the tuple of the modified rule
The use of hashing makes the time complexity of
queries and updates nondeterministic
64/119
EGT
(Extended Grid-of-Trie)
Assume a rule may have at most two
fields
If two rules(src.dst. pair) are match for a
packet, most specific rule is picked
Replacement of the backtracking with
switch pointers
Any failure point in source trie, search
jump to next possible second trie
65/119
EGT
Src.- Dst. IP matching characteristic
99.9% of Src.-Dst. crossproducts match rules
5 or less.
Even in worst case, no Src.-Dst. crossproduct
match more than 20 rules
Several rules share same Src.- Dst. Prefix pair
The large number of matches with only the
Src. or Dst. fields because of wildcard in each
field
66/119
EGT
Reduce linear
searching to all rules
corresponding to src-
dst prefix pairs that
match given packet
header.
Two advantages
Each rule is only
represented once
without replication
Port range stay as
ranges in individual
lists
67/119
EGT
Example
Rule Field1 Field2 Field3 Field4 Field5 Action
F0 000* 111* 10 * UDP Act0
Field1 Field2 Rules
F1 000* 111* 01 10 UDP Act0
000* 111* F0, F1
F2 000* 10* * 10 TCP Act1
000* 10* F2, F3 , F4
F3 000* 10* * 01 TCP Act2
0* 111* F5, F6
F4 000* 10* 10 11 TCP Act1
0* 1* F7
F5 0* 111* 10 01 UDP Act0
* 01* F8
F6 0* 111* 10 10 UDP Act0
* 0* F9
F7 0* 1* * * TCP Act2
* * F10, F11
F8 * 01* * * TCP Act2
F9 * 0* * 01 UDP Act0
F10 * * * * UDP Act3
F112 * * * * TCP Act4

68/119
EGT
Extended Grid-of-tries
Field1 Field2 Rules

000* 111* F0, F1
000* 10* F2, F3 , F4

In order to avoid
0* 111* F5, F6 backtracking, each
0* 1* F7 failure point in second
* 01* F8 trie has jump pointer
* 0* F9
* * F10, F11
0
0 Field 1
0
Jump Pointer
F7 0 F10, F11
1 1
1
0 1 1 Field 2
1 F9
1 F8
F2, F3, F4
F0, F1 F5 , F6
69/119
EGT
Extended Grid-of-tries
Field1 Field2 Rules

F 0, F 1
with Path Compression
000* 111*
000* 10* F2, F3 , F4
0* 111* F 5, F 6
Reducing the time of
0* 1* F7
the trie traversal by
applying path
* 01* F8
compression to the tries
* 0* F9
* * F10, F11
0 Field 1
00
Jump Pointer
F7 0 F10, F11
1 1
1
0 11 11 Field 2
F9
F8
F2, F3, F4 F0, F1 F5, F6
compressed path
70/119
EGT
Evaluation
Provides a reasonably fast algorithm with
minimal storage requirements that can fit into
on-chip SRAM
The memory space occupied by EGT-PC scales
linearly in number of rules
Has the advantage of being more predictable,
of not having any patent restrictions, and
potentially allowing simple further
improvements using compressed multibit tries
71/119
Bitmap Intersection
A natural decomposition of a k-
dimensional query in a k-dimensional
orthogonal rectangular range is to
decompose it into a set of 1-dimensional
queries on 1-dimensional intervals
The set of rules S that match a packet is
the intersection of d sets Si, where Si is
the set of rules that match the packet in
the ith dimension alone
72/119
Bitmap Intersection
P(p1, p2)
Given a packet P(p1, p2), two

range lookups are performed
in each interval set and two
intervals, Xi, and Yj, which
contain p1, and p2, are
determined
The resulting bitmap,
obtained by the intersection
of the bitmaps of Xi and Yj,
shows all matching rules for P
If the rules are ordered in
decreasing order of priority,
the first 1 in the bitmap
denotes the highest priority
1111 rule
AND
1101
Highest Priority 1101

Rule
73/119
Bitmap Intersection
First
0 0 0 1
Bit Map
1 1 1 1
2 0 0 0 Uses incremental reads to
3 1 0 0 reduce the space
4
5
1
1
1
1
1
1
requirements
6 0 0 1
The second bit map can be
7 1 1 1 reconstructed from the
first by just storing, in
place of the second bit
Second map, a pointer of size logn
Bit Map The bit position of which is indicates the
0 0 the bits which are
1 1 different between
position of the bits which
2 0 two first bit maps are different between two
3 1
first bit maps
4 1
5 1
O(n2)->O(n*logn)
6 0 0
7 1 3 6
74/119
Bitmap Intersection
Storage Complexity : O(dN2)
Query time complexity : O(dtRL+dN/W)
Time complexity can be reduced by a factor of by
looking up each dimension independently in parallel
Incremental updates are not well-supported
The scheme works well for a small number of
rules in multiple dimensions, but suffers from a
quadratic increase in storage and linear increase
in classification time with the size of the classifier
75/119
Ternary CAMs
TCAMs have been widely used in IP route lookup
for longest prefix matching
Prefix specification for packet classification, the
TCAM stores rules in decreasing order of priorities
Each entry of the TCAM stores a rule by
concatenating the prefixes of all fields
Todays TCAM products, 100 million queries per
second can be achieved
Each chip can accommodate 128k entries of 72b
wide or 64k entries of 144b wide
76/119
Ternary CAMs
77/119
Ternary CAMs
Unsuitable for large classifiers
Can not support range match operation
When the range specification is used for the
field, range splitting must be performed to
convert the ranges into the prefix formats
Costly
Less dense than SRAM
Dissipates more power than SRAM
Scalability issue toward IPv6
Not be embedded into IC
78/119
Outline
Proposed Schemes
Conclusion
79/119
Proposed Schemes
Parallel multiple hashing (HPSR
2005)
DPT (ISOCC 2005)
2-D BPT (HPSR 2005)
Priority-Based Quad-Tree (submitted
to ToN)
80/119
Parallel Multiple Hashing

Parallel Search
Each prefix tables according to semi-tuple space
Parallel search on all tables concurrently
Multiple Hashing
On each hash tables
With multiple hashing, collisions can be reduced
Semi-Tuple Space
The tuple spaces are divided using source prefix and
destination prefix
Find best matching rule
81/119

Example Classifier
Destination IP Source IP Protocol Dst.Port Src.Port
Rule Action
address address Type Number Number
R1 44.150.0.0/16 152.163.0.0/16 TCP 21 21 A1
R2 44.150.3.0/24 152.163.160.0/19 TCP * * A2
R3 152.163.0.0/16 68.163.160.0/22 * 23 23 A3
1024 1024
R4 203.255.176.0/24 176.136.0.0/16 UDP A4
~65535 ~65535
R5 197.12.76.0/24 203.255.161.0/23 TCP 21 21 A5
R6 203.0.0.0/8 36.0.0.0/8 * * * A6
1024 1024
R7 44.150.3.15/32 152.163.80.11/32 UDP A7
~65535 ~65535
Default * * * * * *
82/119

83/119

Classifier DB1 DB2 DB3 DB4
Num. of Rules 2250 2375 2783 4710 Characteristics of
Src. Pfx.
(0, 8~31)
Max
.
53 62 256 2329 Real Classifier
Total Avg
.
9 4 30 3 Prefix grouping
26 tuples
Dst. Pfx. Max
171 179 235 2396 shows the much
(0, 8~31) .
Total Avg better performance
12 6 39 3
26 tuples .
than the single field
Max
Src. Dst.
Total
.
11 20 21 30
cases even though
676 tuples
Avg
.
2 2 4 2 it has less number
Src. Dst. Max
11 37 173 48
of tuples
Grouping .
Total Avg
2 2 6 3
25 tuples .
84/119

Tuples
(Src. Prefix Length _ Dst. Prefix Length)
Grouping
Both Dst. Prefix
Tuples are defined using
Prefix only prefix grouping, in
wildcard which prefixes are
grouped into length 0,
0_0 0_8 0_16 0_24 0_32
8, 16, 24, 32
8_0 8_8 8_16 8_24 8_32
Both of the source and
destination prefixes are
16_0 16_8 16_16 16_24 16_32
considered in
comprising a tuple
24_0 24_8 24_16 24_24 24_32
25 tuples are generated
Some tuples share CRC
32_0 32_8 32_16 32_24 32_32 hash functions
according to its prefix
length
Src. Prefix
Src. Prefix &
only Dst. Prefix
85/119

Categorizing Rules
For each (Src. Prefix length, Dst. Prefix length)
Destination Source
Rule Protocol Dst. Port Src. Port
IP address IP address
8_8
R6 203.0.0.0/8 36.0.0.0/8 * * *
16_16
R1 44.150.0.0/16 152.163.0.0/16 TCP 21 21
R3 152.163.0.0/16 68.163.160.0/22 * 23 23
24_16
R2 44.150.3.0/24 152.163.160.0/19 TCP * *
R4 203.255.176.0/24 176.136.0.0/16 UDP 1024~65535 1024~65535
R5 197.12.76.0/24 203.255.161.0/23 TCP 21 21
32_32
R7 44.150.3.15/32 152.163.80.11/32 UDP 1024~65535 1024~65535
86/119

Extract Hash Indices
Ex) Hash Keys for 8_8, 8_16, 8_24, 8_32
Source Prefix Src[31:24] 8b0 8b0 8b0
XOR
Destination Prefix Dst[31:24] Dst[23:16] Dst[15:8] Dst[7:0]
Src[31:24]
Hash Key XOR Dst[23:16] Dst[15:8] Dst[7:0]
Dst[31:24]
Hash Key for tuple 8_8

87/119

Build Rule Dst. Dst. Src. Src.
Prot.
Dst. Dst. Src. Src.Linked List
Num.PrefixPfx Len.PrefixPfx Len. SPortEPortSPortEPort Addr.
For Each tuples 2 - 0 160 3 TCP * * * * Null
Rule Table
Dst. Prefix Src. Prefix
Protocol Dst. Port Src. Port Addr.
TCP * * 44.150.3 152.163 4

R2
Left Table Right Table
Dst. Prefix Src. Prefix
44.150.3.0/24152.163.160.0/19 Tuple 0_8
Rule Table
.. ..
. .
Tuple 24_16
Hash Key Hash
Function
.. ..
. .
24 bits of Src. Prefix
^ Tuple 32_32
16 bits of Dst.
prefix
88/119

Table Structure (1)
89/119

Table Structure (2)
90/119

Search Procedure
Step1: search in the main table
Extract hashing indices
Using hashing index, find matching entries from main
tables concurrently
Get rule table addresses from the matching entries
Step2: search in the rule table
Using the rule table address of step1, perform linear
search
Among the matching rules, the highest priority rule is
selected
91/119

Search Hash Tables Search Procedure
Left Table Right Table Rule Table
Tuple 0_8
Hash Key
Hash .. .. P
Function . . R
I
Tuple16_16 O
R
I Highest
T Priority
Y Rule
Tuple 24_32
Hash E
Hash Key Function N
C
O
D
E
Tuple 32_32
R
Hash
Hash Key Function
92/119

Simulation Results
Num. Max. Avg. Memory

Rules Size Overflow
of Rules Num. Num.
(bytes)
DB1 2250 11 9 104k 0
DB2 2375 38 4 117k 0
DB3 2783 43 9 78k 0
DB4 4710 49 30 183k 3

93/119
DPT
Yazdanis Definition
Comparison
For A=1001 and B=1100 , B>A
For A=1001 and B=110000 , B>A
For A=1001 and B=100110 , B>A
For A=1001 and B=100100 , A>B
Match
For A=1001 and B=100100, A and B are matched
Enclosure
For A=1001 and B=100100, A is an enclosure of B
Disjoint
For A=1001 and B=111, A and B are disjoint
94/119
DPT
Packet matches small number of
distinct source-destination prefix
pairs regardless of database size
Efficient two dimensional search
scheme for source-destination prefix
pairs
Classifierare filtered
Linear search can be applied to the
matched rules for the comparison of
remaining fields
95/119
DPT
Proposed
Architecture
Main memory : Store DPT

Rule memory : Store remaining fields of classifier
96/119
DPT
Prefix
Pair
Fixed length source prefix concatenated with destination prefix

Same characteristics as prefix
97/119
DPT
Rule Set
Source Dest.
Dest. Protocol
Src. Prefix Port Port
Prefix type
umber umber
1 101011* 0110* * >1024 >1024
2 11* 01* TCP 80 80

3 11* 01* UDP 80 80
4 10101* 00* TCP 88 88
5 01010101 * UDP >1024 *
6 10101* 00* TCP 80 80
7 01010101* 10* TCP 21 21
8 01110110* 1110* * 80 80
98/119
DPT
Source-Destination Prefix
Pairs
R1 = 100110*
R2 = 1101*
R3 = 1101*
R4 = 1000*
R5 = 01*
R6 = 1000*
R7 = 0110*
R8 = 011110*
99/119
DPT
Binary Trie Using Sample Prefix
Pairs
R5
R7 R2, R3
R4, R6
R8 R1
100/119
DPT
Prefix Expansion
R5
R5
R7,R5 R4 , R6 R2, R3
R5
R8,R5 R5 R1
101/119
DPT
Disjoint-Prefix Binary
Trie
102/119
DPT
Disjoint Prefix Tree
Every node in DPT is disjoint, DPT is a balanced

tree which does not have empty nodes
103/119
DPT
<01010101, 10101010, UDP, 15536, 2037>
0110101010
104/119
DPT
Memory
Access
No. of
Rule Avg. Max. Min.
Rules
DB-00 2250 13.7 21 6
DB-01 2375 30.4 52 10
DB-02 2783 15.2 34 10
DB-03 4710 39.8 44 13

105/119
DPT
Memory Size
DB-00 DB-01 DB-02 DB-03
Group 0
(Source 0bit) 0.9 2.1 1.8 70.2
Group 1
(Source 8bit) 0 1.4 0.4 0
Group 2
(Source 16bit) 2.2 9.8 2.5 0.8
Group 3
(Source 24bit) 0.02 36.1 52.7 27.1
Group 4
(Source 32bit) 52.0 20.3 46.4 28.5
Total 55.1 69.7 103.8 126.6
106/119
2-D BPT
Binary Prefix Tree (BPT)
Possible to compare two prefixes in different lengths
Include no empty internal nodes
Perform binary search for IP address lookup
Two dimensional BPT (2-D BPT)
Extend the concept of one-dimensional binary prefix
tree into two-dimension
Construct 2-D BPT using codeword generated from the
prefix pair which is consisted of source prefix and
destination prefix
Two step search procedure
107/119
2-D BPT
Example Rule Set
Src. Port Dst. Port

Rule Src. Prefix Dst. Prefix Protocol
Number Number
R1 10111* * 23 23 TCP
R2 1001* 101* 80 80 TCP
R3 * 10* >1024 >1024 UDP
R4 10* 11* * * *
R5 01* 0011* 80 * TCP
R6 100* 1011011* 21 21 TCP
R7 1001* 0111* <1023 * *
R8 101110* 1001* 4767 * UDP
R9 10* 1011* * * UDP
R10 100100* 1010011* * 21 *
R11 * 0011* * * *
108/119
2-D BPT
Codeword Generation
Codewords are generated from the (source,
destination) prefix pair
By taking one bit from each prefix from the
most significant bit, prefix pair (0, 0), (0, 1),
(1, 0) and (1, 1) are codeword digit 0, 1, 2 and
3
The codeword length is equal to shorter prefix
length
If there is a wildcard in either field, the
remaining field is used as codeword
109/119
2-D BPT
Codeword Generation
Src.Prefix 0 0 1 1 Rule Src. Prefix Dst. Prefix Codeword

Dst.Prefix 0 1 0 1 R1 10111* * 10111
Codeword 0 1 2 3 R2 1001* 101* 301
R3 * 10* 10
R4 10* 11* 31
Example R5 01* 0011* 02
R6 100* 1011011* 301
Src. Prefix 1001
R7 1001* 0111* 2113
Dst. Prefix 101 R8 101110* 1001* 3023
R9 10* 1011* 30
R10 100100* 1010011* 301201
R11 * 0011* 0011
Codeword 301
110/119
2-D BPT
2-D BPT Construction
The generated codewords construct a codeword tree
which is a 2-D BPT
Rules with the source prefix wildcard construct a
destination BPT, and rules with the destination prefix
wildcard construct a source BPT
BPT Construction Procedure
Codewords are sorted by the enclosure relationship
The disjoint codewords and the first level enclosure
codewords construct a balanced tree
Enclosed codewords construct a balanced sub-tree, and so
on
Repeat the same steps for 2-B BPT, Src. BPT and Dst. BPT
111/119
2-D BPT
BPT Construction 1 Src. BPT
2-D BPT
10111
Codeword
02 301201 10111
02 301
2113
2113 3023
30
30
301
31 Dst. BPT
3023
301201
0011
31
10
02
10111
2113
10 30 301 301201 0011
0011 31 3023 10
112/119
2-D BPT
BPT Construction 2
Src. BPT
2-D BPT
10111
2113
{R7} {R1}
02 30
{R9}
{R5}
31 Dst. BPT
{R4}
301 0011
{R2, R6}
3023 {R11}
10
{R8} {R3}
301201
{R10}
113/119
2-D BPT
Table Structure
Address Table
The address table has
index pointers going to
the 2-D BPT, Src. BPT
and Dst. BPT, and the
number of table entries
belonged to each tree
BPTs Table
The BPT table has
codeword and a
pointer indication the
location of rules in rule
table and the
information for sub-
trees
114/119
2-D BPT
Rule Table
The rule table has the
number of entries equal
to the number of rules
in classifier
The rule table include
remaining fields
The rules with the same
codeword are linked
together using a linked-
list pointer
CFS flag indicates which
prefix stored
Stack pointer indicates
the location of the
closest enclosure of the
rule
115/119
2-D BPT
Search Procedure
The locations and numbers of entries of 2-D
BPT, Src. BPT and Dst. BPT are obtained from
the address table
Binary searches are sequentially performed on
the 2-D BPT, Src. BPT and Dst. BPT until we
have the longest matched codeword
(all possible matching -> longest matching)
The final step is the linear search in rule table
for the rules with the same codeword as the
selected codeword
116/119
2-D BPT
2-D BPT Search
2-D BPT
Example
2113
(1011100/1001010/4767/6776/UDP)
1011100 R9
3023210 02 30
1001010
Best Matching 31
Rule
301
Src. BPT Dst. BPT
0011 3023
10111
301201 R8
R1 10
R3
117/119
2-D BPT
Example Address Table
(10010011/10100110/80/80/TCP) 2-D BPT
No. of
Src. BPT
No. of
Dst. BPT
No. of
Wildcard
Root Root Root Linked
Entries Entries Entries
10010011 Addr. Addr. Addr. Addr.
30120132
0 4 7 1 8 2 -
10100110
BPTs Table Rule Table

Src. Dst. Linked
Code Rule Sub No. of Rule CFS Prefix Pro Stack
Code Prefix Port Port -list
word Table -tree Sub-tree Num. Flag Length -tocol Pointer
word Num. Num. Pointer
Length Addr. Addr. Entries
02 2 4 - - 1 0 * 0 23 23 TCP - -
2113 4 6 - - 2 2 1001* 4 80 80 TCP 5 8
30 2 8 4 2 3 0 * 0 >1024 >1024 UDP - -
31 2 3 - - 4 0 * 0 * * * - -
301 3 1 6 1 5 1 0011* 4 80 * TCP - -
3023 4 7 - - 6 1 1011011* 7 21 21 TCP - 8
301201 6 9 - - 7 0 * 0 <1023 * * - -
10111 5 0 - - 8 2 101110* 6 4767 * UDP - 8
10 2 3 - - 9 1 1011* 4 * * UDP - -
0011 4 11 - - 10 1 1010011* 7 * 21 * - 1
11 1 * 0 * * * - -
118/119
2-D BPT
Simulation Results
Rule DB1 DB2 DB3
Number of Rules 2250 2375 4710
Address Table Search 1 1 1
Max. 25 37 35
BPT Table
Min. 8 9 7
Search
Avg. 18 23 23
Max. 16 45 31
Rule Table
Min. 1 1 1
Search
Avg. 10 18 29
Total Max. 39 77 67
Search Min. 13 16 18
Time Avg. 29 42 53
Required Memory Size 56k 60k 141k
119/119
Outline
Proposed Schemes
Conclusion
120/119
Comparison and Analysis

Software implementation has flexibility in
choosing data structures and operation
procedures to compromise storage
efficiency and query time
Hardware implementations, such as RFC,
bitmap insertion, and TCAM, have high
throughput but less flexibility to adapt to
the changes of classifiers, either in the
size or field specification
121/119
Conclusion
Compared with the 1-D IP route lookup,
packet classification is a much more
difficult and challenging task
Packet classification at high speeds
remains challenging, especially for very
large classifiers (e.g., several millions of
entries for micro-flow recognition) and
multiple fields
122/119
Public Database
David E. Taylor and Jonathan S. Turner,
ClassBench: A Packet Classification
Benchmark, in IEEE Infocom 2005
Abilene NetFlow Nightly Report,
http://www.itec.oar.net/abilene netflow/,
2002
S. Singh and F. Baboescu, Packet
Classification Repository,
http://ial.ucsd.edu/classification

Lecture 7 - Packet - Classification - 1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lecture 7 - Packet - Classification - 1

Uploaded by

Copyright:

Available Formats

Packet

Introduction to Packet Classification

Preferential treatment for premium traffic (resource

What is Packet Classification?

What is Packet Classification?

Some of the header fields be used for classifying the packet.

Example network of an ISP(ISP1) connected to two

Packet Filtering Service

Policy Routing Service

Send all voice-over-IP traffic from E1 (on the interface Y) and

Traffic Rate Limiting Service

Traffic Shaping Service

D-dimensional hierarchical trie is constructed by building 1-b

All matches must be found to ensure that the highest

Copy the rules

Instead of node duplication, switching pointers are used

2-D Classification Scheme

A one dimension, say F1, is restricted to having

2-D Classification Scheme

a0 a4 a10, a11, a12

a10 a3, a4, a5, a6, a7, a8, a9

BMF : e1 -> e3 -> e5

2-D Classification Scheme

A basic quadree is a 4-way branching tree that represents a

Region A=2k*2k Region A=2k*2k Region A=2k*2k

Crossing Filter Set (CFS)

NW NE R1, R2, R3, R4, R10

In real classifier, the number overlapping regions are

If two rules are adjacent, they

* Assume that all addresses of machines within the

Cross Product Table

Tuple Space Search

Tuple Space Search

With K-dimensional filters, a tuple T is vector of K lengths

Tuple Space Search

Tuple Space Search

Tuple Space Search

F10 * * * * UDP Act3

F112 * * * * TCP Act4

000* 10* F2, F3 , F4

000* 10* F2, F3 , F4

Given a packet P(p1, p2), two

Highest Priority 1101

Parallel Multiple Hashing

Parallel Multiple Hashing

R1 44.150.0.0/16 152.163.0.0/16 TCP 21 21 A1

R2 44.150.3.0/24 152.163.160.0/19 TCP * * A2

R5 197.12.76.0/24 203.255.161.0/23 TCP 21 21 A5

Parallel Multiple Hashing

Parallel Multiple Hashing

Parallel Multiple Hashing

Parallel Multiple Hashing

R4 203.255.176.0/24 176.136.0.0/16 UDP 1024~65535 1024~65535

R5 197.12.76.0/24 203.255.161.0/23 TCP 21 21

Parallel Multiple Hashing

Source Prefix Src[31:24] 8b0 8b0 8b0

Destination Prefix Dst[31:24] Dst[23:16] Dst[15:8] Dst[7:0]

Hash Key for tuple 8_8

Parallel Multiple Hashing

TCP * * 44.150.3 152.163 4

Parallel Multiple Hashing

Parallel Multiple Hashing

Parallel Multiple Hashing

Region A=2k2k Region A=2k2k Region A=2k*2k