1926
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 17, NO. 6, DECEMBER 2009
Scalable Packet Classification Through Rulebase Partitioning Using the Maximum Entropy Hashing Lynn Choi, Member, IEEE, Hyogon Kim, Sunil Kim, and Moon Hae Kim, Member, IEEE
Abstract—In this paper, we introduce a new packet classification algorithm, which can substantially improve the performance of a classifier. The algorithm is built on the observation that a given packet matches only a few rules even in large classifiers, which suggests that most of rules are independent in any given rulebase. The algorithm hierarchically partitions the rulebase into smaller independent subrulebases based on hashing. By using the same hash key used in the partitioning a classifier only needs to look up the relevant subrulebase to which an incoming packet belongs. For an optimal partitioning of rulebases, we apply the notion of maximum entropy to the hash key selection. We performed the detailed simulations of our proposed algorithm on synthetic rulebases of size 1 K to 500 K entries using real-life packet traces. The results show that the algorithm can significantly outperform existing classifiers by reducing the size of a rulebase by more than four orders of magnitude with just two-levels of partitioning. Both the time complexity and the space complexity of the algorithm exhibit linearity in terms of the size of a rulebase. This suggests that the algorithm can be a good scalable solution for medium to large rulebases. Index Terms—Computer networks, firewalls, network performance, packet classification.
I. INTRODUCTION ACKET classification is one of the most fundamental building blocks in many networking functions such as Diff-Serv traffic conditioning, firewall, virtual private network (VPN), traffic accounting and billing, load-balancing, and policy-based routing. These functions need to track flows, i.e., equivalence classes of packets, and give the same treatment to the packets in a flow. A rulebase stores classification rules, which define the flows and their corresponding treatments. Since a flow is defined by the header values of a packet, a classifier’s duty is to examine the packet header and identify the corresponding flow. Internet traffic is not only growing, but also diversifying both in applications and in protocols. New applications and protocols such as Internet telephony, security protocols, and peer-to-peer
P
Manuscript received November 03, 2004; revised July 17, 2006; May 03, 2007; August 18, 2008; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor M. Buddhikot. First published September 15, 2009; current version published December 16, 2009. This work was supported by the Korea Science and Engineering Foundation (KOSEF) Grant funded by the Korea Government (MOST) (R01-2007-000-20958-0). L. Choi is with the Department of Electronics and Computer Engineering, Korea University, Seoul 136-701, Korea (e-mail:
[email protected]). H. Kim is with the Department of Computer and Communication Engineering, Korea University, Seoul 136-701, Korea (e-mail:
[email protected]). S. Kim is with the Department of Computer Engineering, Hongik University, Seoul 121-791, Korea (e-mail:
[email protected]). M. H. Kim is with the Department of Computer Science and Engineering, KonKuk University, Seoul 143-701, Korea (e-mail:
[email protected]). Digital Object Identifier 10.1109/TNET.2009.2018618
applications are being rapidly deployed in addition to the traditional Internet applications such as Web, ftp, and email. As a result, the rulebase size is rapidly increasing. In a recent study [9], Woo argues that a rulebase with over a million entries is possible in future packet classification applications. From the classifier’s viewpoint, this implies that for each packet the classifier must be able to find the matching rule with the highest priority among all the rules in the rulebase at the wire speed. There has been a renewal of interest in the scalability issue in terms of the size of a rulebase. Most of existing works, however, mainly focus on relatively small classifiers, e.g., with less than 20 K rules [12]. To address this issue, we propose a new scalable packet classification algorithm that can scale well up to this size. The motivation of our algorithm is based on the observation that a given packet matches only a few rules even in large classifiers [1], [18]. This strongly suggests that most of rules in any given rulebase are independent. We can partition the rulebase into many smaller independent subrulebases. As long as the matching subrulebase can be identified quickly, the performance of the rulebase lookup can be substantially improved since the lookup needs to be performed only in the final subrulebase. This is achieved by hierarchically decomposing the original rulebase into many smaller independent subrulebases based on the rules’ definitions. Fig. 1 shows the distribution of rules in a hypothetical rulebase in 2-D classification space. For example, you can view the two fields, Field1 and Field2, in Fig. 1(a) as source and destination IP address fields. As shown in the figure, rules may not be evenly distributed in the classification space. But by carefully partitioning the original rulebase into many smaller equally sized subrulebases, we can quickly identify the matching subrulebase for an incoming packet during the classification phase. The algorithm is carried out in two phases: preprocessing and classification. First, during the preprocessing phase we hierarchically partition the original rulebase into many smaller independent subrulebases by hashing on the selected bit fields from the classification space. The degree of the partitioning depends on the density of a subrulebase in the classification space. The denser the subrulebase is in the classification space, the more partitioning is needed. This hierarchical partitioning continues until all the subrulebases are small enough. Then, during the classification phase, a classifier inspects each incoming packet using the same hash key used in the preprocessing and identifies the subrulebase relevant to the packet. This is shown in Fig. 2. The search to find a matching rule is performed only in the final subrulebase where any existing lookup algorithm such as RFC [1] can be employed.
1063-6692/$26.00 © 2009 IEEE Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
CHOI et al.: SCALABLE PACKET CLASSIFICATION THROUGH RULEBASE PARTITIONING
1927
introduces several hash key selection algorithms including the notion of maximum entropy and discusses the variations of the proposed algorithm to handle rule definitions with range and prefix mask descriptions. Section III describes our experimentation methodology and discusses various simulation results. Section IV briefly reviews existing classification algorithms, and Section V concludes the paper. II. PROPOSED CLASSIFICATION PROCESS Fig. 1. (a) Rulebase distribution in 2-D classification space and (b) rulebase partitioning. Each rectangle in (a) corresponds to a subrulebase, which is a leaf node in the tree shown in (b).
Fig. 2. The overall algorithm is carried out in two phases: preprocessing phase and classification phase.
For an optimal partitioning of rulebases, we apply the notion of entropy, which guides us to choose the bits that most evenly divide the given rulebase. When the hash keys are selected to maximize the entropy, a rulebase is partitioned evenly into subrulebases under the smallest variance. As a result, we can achieve the smallest depth in the partitioning tree, which directly translates to the smallest number of hash table lookups required for each packet classification. If the depth is small and each final subrulebase is small enough, we can achieve a low per-packet classification delay. To evaluate the performance of our classification algorithm, we have applied our algorithm to real-life packet traces under synthetic rulebases of size 1 K to 500 K rules. The results show that the algorithm can reduce the size of the original rulebase by several orders of magnitude with only two-levels of partitioning, which requires only a couple of memory lookups during the classification phase. For example, a rulebase with 100 K rules can be reduced to a subrulebase with only 7.6 rules on average and 258 rules in the maximum. In view of the memory accesses, our algorithm requires 2 or 3 times less number of memory lookups compared to the best classification algorithm known so far. Furthermore, the algorithm exhibits scalability in both its memory requirement and the classification performance as we increase the size of a rulebase beyond the size where previous schemes could not scale. This paper is organized as follows. Section II defines the packet classification problem and presents the overall algorithm of our packet classification process. The section also
A. Problem Definition We can define the packet classification problem as follows. , a set of rules, a Given a rulebase, packet classifier needs to identify the rule that an incoming packet matches by looking up one or more fields of the packet header. Each rule is specified by the range of values in one or more fields of a packet header. Specifically, in -dimensional is defined over fields. packet classification, each rule Formally, is defined by a tuple where is called is the associated action of rule a classification space and . The classification space is defined by the crossproduct, where is a range of rule must take. A rule matches of values the field if for where is a packet a singleton. Multiple rules can match a packet. Therefore, a classifier must identify the highest priority rule among all the matching rules. Assuming that the rulebase is presorted in decreasing order of priority, the classifier needs to identify the first matching rule. On a match, the classifier must take action associated with the rule . The specific action depends on the classification application. Common examples of the action may include “accept” and “reject.” This packet classification function can also be defined as a , mapping function from a packet to a rule where is the ordered set of the header fields of a given packet used in the classification and is the matching rule number with the highest priority. Intuitively, this requires the classifier to lookup the header fields of an incoming packet and to compare them against the rules in the rulebase one by one in order of decreasing priority. When , i.e., the number of rules, is large or the arrival rate of incoming packets is high, it is a time-consuming serial process, which will limit the speed of the classifier. Thus, when is large or is high, we need a different classifier. The essence of the problem is to find a fast yet scalable classification function both in time and in space. B. Overview of the Proposed Classification Process Our classification algorithm is based on the conjecture that, in a rulebase, only a few rules have the possibility of matching a given packet. An example of a typical firewall rulebase [16] is shown in Table I where inner network serves several appli, cation services such as HTTP, telnet, and FTP. Rules represent grant of these connection requests whereas and protects inner network against spoofing attacks. is the default deny rule for all other communications. The protocol field in Table I suggests that a packet using UDP protocol can
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
1928
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 17, NO. 6, DECEMBER 2009
TABLE I RULEBASE EXAMPLE OF A FIREWALL
y Inner side: Protected local network by the firewall. z Outer side: Network separated from inner side network by the firewall.
be matched only to or . Thus, , and do not need to be matched against a UDP packet. The algorithm consists of two phases: preprocessing phase and classification phase. The idea is to use the divide-and-conquer approach. First, during the preprocessing phase we divide the original rulebase into many smaller independent subrulebases based on the values of classification fields where each rule is defined. Then, during the classification phase a classifier looks up the same header fields of an incoming packet and identifies the subrulebase where the relevant rules are stored. Thus, when of the size of the subrulebase over the size the ratio is small, then we can overcome the of the original rulebase scalability issue by a single memory lookup to the hash table, which is constructed during the preprocessing phase. If a subrulebase is still large, then the subrulebase can be partitioned repeatedly during the preprocessing phase until the final subrulebase is small enough. Below, we discuss how we can guarantee the independence between subrulebases. According to [12], a rule overlaps with a rule if , where denotes an empty set. Intuitively, two rules overlap if there is a packet that can match both rules. Since subrulebases differ at least in those bit fields that are selected as the hash key, a packet cannot match both subrulebases at the same time. Thus, it is sufficient to look up only the relevant subrulebase after inspecting a packet on the same bit fields. 1) Preprocessing Phase—Rulebase Partitioning and Hash Table Construction: In the preprocessing phase, we partition the original rulebase into many independent subrulebases. For example, the rules governing HTTP, FTP, and SMTP traffic can be partitioned into separate independent subrulebases. Then, during the classification phase a classifier can determine the relevant subrulebase by looking up the protocol field of an incoming packet, since a matching rule can be found only from the subrulebase with the same protocol. We can choose any of the bits in the classification fields as a hash key. If we select 8 bits, then we create a hash table with entries, each of which points to a subrulebase. Two rules may overlap if they map to the same subrulebase whereas
rules mapped to different subrulebases would never overlap. This implies that they are independent. Subrulebases larger than a threshold value, such as 16 rules per subrulebase, can be repartitioned with another hash key, which must be different from the first hash key. This recursive partitioning continues until all the subrulebases are small enough. However, our experimentation results show that two levels of partitioning are enough for a rulebase smaller than 500 K rules. Both the space and time complexity of our classification algorithm depend on the number of nodes and the depth of the partitioning hierarchy. To reduce the number of partitioning we need to partition a rulebase into subrulebases as evenly as possible so that the number of empty subrulebases is minimized and the number of rules in subrulebases must follow uniform distribution. This partitioning efficiency depends on the hash key selection algorithm, which we will discuss in detail in Section II-C. 2) Classification Phase: After we partition a rulebase and construct hash tables during the preprocessing stage, a classifier can narrow down the rulebase lookup by mapping an incoming packet into the corresponding subrulebase where the packet can be applied. The classifier looks up the hash table by using the hash key extracted from the packet header. Let us consider the rulebase example shown in Table II. Assume that rules R0 to R3 are listed in decreasing order of priority. If a packet does not match all four rules, it matches the default deny rule, which has the lowest priority. We assume 5-D packet classification, which uses 104-bit fields from protocol (8 bits), source port (16 bits), destination port (16 bits), source IP address (32 bits), and destination IP address (32 bits) fields from the packet header. In Table II(a), we show the eight most significant bits (MSBs) of a classification space, which may represent any header field such as the protocol field. We partition the rulebase in Table I to 256 subrulebases by using the 8 MSBs in Table II(a) and create the hash table as shown in Table II(b). Rules in one subrulebase do not overlap with rules in other subrulebases. When a packet arrives at a classifier, the classifier extracts the 8 MSBs from the packet header and uses it as an index to the hash table. The hash key used in the packet classification is the same key used to partition the rulebase. After hashing, if the hash table entry
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
CHOI et al.: SCALABLE PACKET CLASSIFICATION THROUGH RULEBASE PARTITIONING
1929
TABLE II RULEBASE EXAMPLE AND ITS HASH TABLES: (a) RULEBASE, (b) HASH TABLE USING 8 MSBS AS A HASH KEY, AND (c) HASH TABLE USING b b AS A HASH KEY. * DENOTES DON’T CARE BIT
is not empty, then the classification can be performed within the subrulebase in the entry. Otherwise, the default rule is the matching rule. C. Rulebase Partitioning and Hash Key Selection Algorithms 1) The First Level Partitioning: For the first-level partitioning, we only consider the protocol and port numbers as a hash key since these fields can naturally classify rules based on the Internet services governed by the rules. For example, HTTP service corresponds to protocol 6 and server port 80. The classification space at this level consists of 40 bits concatenated with protocol (8), source (16), and destination port (16) numbers. To limit the size of the hash table, we select a subset from the classification space as our first-level hash key. In our implementation, we use a 17-bit hash key, which suggests a hash table with 128 K entries. There is a tradeoff between the depth of the partitioning hierarchy and the size of the hash key. Assuming each entry contains either a 32-bit address or NULL-pointer, the size of the table is 512 kB. For the 17-bit hash key, we first select 6 bits from the protocol field using the entropy-maximizing key selection algorithm, which will be discussed in detail later on this section. Since only two protocols, TCP and UDP, need to specify port numbers in addition to the protocol field, we select up to 11 additional bits from the port numbers for these protocols. Since a port number is bi-directional, i.e., either source or destination, we use a single bit to denote the direction. Then, we select additional 10 LSBs or 6 MSBs from the port field by using the precision directed grouping, which is described in Section II-D. Typically, a server port (dense area) designates a specific port number between 0 and 1023 whereas a client port (sparse area) uses a random port numbered from 1024 to 65535. Thus, lower 10 bits are used for a server port whereas upper 6 bits are used for a client port. Then, a hash key is concatenated from [protocol field], [direction bit] and [10 LSBs 6 MSBs in one of the port field]. Since a server port has a higher partitioning efficiency than a client port, we use the server port regardless of direction if a rule specifies a server port either in a source or in a destination port. If a rule specifies client ports in both source
and destination ports, we use the 6 MSBs and spread the rules in both source and destination hash tables. This rule spreading issue is discussed in detail in Section II-D. 2) The Second Level Partitioning: The second level partitioning only applies to subrulebases larger than the threshold after the first level partitioning. Since the second-level hash key must be disjoint from the first-level hash key, we only consider source and destination IP addresses. To limit the size of the hash table, we only select a subset of the 64-bit fields as a second-level hash key. In our implementation, we use a 16-bit hash key. We propose the following four different hash key selection algorithms. 1. MSB pattern (represented as MSB): With this criterion, a 16-bit hash key is made by concatenating 8 MSBs from source and destination IP address fields. The idea is that most of prefix mask selects the first few significant bits from an IP address field. This simple key selection algorithm is used as a basis to compare the performance of others. The time complexity of this key selection algorithm , which is independent of the number of rules in a is rulebase. 2. Exponential growing pattern (Exp): With this criterion, a 12-bit hash key can be made by selecting the bit position corresponding to the exponential function of 2, namely from both source and destination IP addresses. The idea is that the lower the position of a bit in an IP address field, the more likely to be masked out. We add to create a 16-bit hash key. The time extra two bits complexity of this key selection algorithm is also . 3. Mask distribution pattern (Mask)): The basic idea of this heuristic method is that don’t care bits in a classification space do not provide any information. Each bit in the classification space has the amount of information in inverse proportion to the number of don’t care bits in the bit position of rule definitions. The procedure of finding this key is as follows. For each bit position we sum the number of non-don’t care bits in all the rule definitions in a rulebase, and accumulate them from the MSB to the LSB. For a -bit hash key, we select a bit if the accumulated value of the bit position is the multiple of the total accumulated
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
1930
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 17, NO. 6, DECEMBER 2009
value divided by . The time complexity of this key selecassuming that the total number of tion algorithm is rules in a rulebase is . In our experimentation, is 16. 4. Entropy-maximizing pattern (Ent): To find a good hash key we use the notion of entropy, which is used in information theory [11]. A good hash key must evenly distribute rules in a hash table so that both the number of null entries and the differences in the population of each subrulebase must be minimized. As widely known, the entropy is maximized when all the entries have the same probability of occurrence. We can find a good hash key through the calculation of entropy. Using the notion of entropy, a of length can be expressed recursively by hash key , where is the concatenation operator and q is the bit selected from the classification space that produces the maximum entropy. The algorithm starts by calculating the entropy for the hash key of length 1 and determines the bit position that produces the maximum entropy value. Then, the algorithm repeats this process for the hash key of length 2 and continues until the length of the hash key reaches or the entropy does not increase further. Based on this algorithm, we create a 16-bit hash key by selecting an 8-bit hash key from each IP address field. The , time complexity this algorithm is where is the length of classification space, is the length of a hash key, and the n is the total number of rules in a rulebase. Since s and w are relatively small constants, this . The speed time complexity can also be viewed as of the key selection is quite fast and was not an issue in our experimentation. Note that the key selection does not affect the classification time since the key selection is performed during the rulebase partitioning phase rather than the classification phase. The detailed discussion of the entropy-maximizing key selection algorithm can be found in [17]. D. Adaptation of the Algorithm for Prefix Mask and Range Specification So far our discussion implicitly assumed an exact value matching for packet classification. However, a rule definition often includes field descriptions with prefix mask or range specification. In this section, we will discuss how our proposed algorithm can handle these different field specifications. 1) Prefix Mask Field: This is commonly used to specify the range of an IP address field. Table III(a) shows a rulebase example with prefix masks. Don’t care bits are denoted by *. The issue here is that we may need to duplicate a rule into multiple entries in a hash table if the rule contains a field specification with masks. Table III(b) shows two different hash tables that can be constructed for the rulebase in Table III(a). as a hash key, needs to be spread over two enWith is don’t care term in R3. tries indexed by 10 and 11 since We call this issue rule spreading, which may increase the size of the result hash table by duplicating rules. However, by seas a hash key, the rule spreading can be avoided as lecting shown in Table III(b). To avoid this rule spreading as much as possible, we need to modify the entropy-maximizing key selection algorithm such that when calculating the entropy of a bit,
TABLE III (a) RULEBASE WITH MASKED FIELD DESCRIPTION AND (b) ITS HASH TABLES WITH TWO DIFFERENT HASH KEYS OF LENGTH 2
the algorithm must ignore a rule whose definition specifies don’t care condition for the selected bit. This is simply because don’t care bits do not add any information to the system in terms of entropy. 2) Range Field: This is commonly used to specify a TCP or a UDP port description. As described in Section II-C, typically a server port designates a specific port number between 0 and 1023 whereas a client port uses a random port number between 1024 and 65535. The basic idea here is to transform the range specification to exact or prefix mask specification. We can use range to prefix conversion proposed by Srinivasan [5], which splits a given arbitrary range to a group of prefix masks. For excan be split to six prefix ample, a 16-bit range masks such as 000001*, 00001*, 0001*, 001*, 01*, 1*. However, this method results in extensive rule spreading in our algorithm, which is not desirable. Instead, we propose precision-directed grouping in this paper. It is straightforward to split a rule with a range specification into multiple rules with exact values [24], [25]. For example, a can be split into four rules with rule with a range exact values from 71 to 74. However, a rule with a wide range can create a huge number of rules such as (16 384). Fortunately, a TCP/UDP port description with a range is usually biased. For example, 80% of port numbers used in most rules are under 3 999 although the total number of ports [13]. The idea is that we reserved is much higher can group a different number of rules depending on the density of the range. For the 16-bit port range specification, we use the , creating 10 LSBs as a hash key for a dense area a single entry for each port under 1024, whereas we use the , creating 6 MSBs as a hash key for a sparse area 63 entries, i.e., 1024 ports per entry. This process is called precision-directed grouping, which can effectively alleviate the rule spreading issue in practice by transforming a wide range specification into many smaller subrange or singleton specifications. III. EXPERIMENTATION AND RESULTS In this section, we demonstrate the performance of the proposed algorithms for 5-D classification, which uses the five IP and TCP header fields, namely protocol, source port, destination port, source IP, destination IP , for classification. Since it is practically impossible to obtain large real-life classification rulebases, we synthesized large rulebases from real-life packet traces. The packet traces were collected from PUBNET for five to eight hours during three days, 7/24/01, 12/14/01, and 12/17/01, respectively, [14]. One-hour trace is nearly 70 million
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
CHOI et al.: SCALABLE PACKET CLASSIFICATION THROUGH RULEBASE PARTITIONING
1931
packets. The first trace is used to synthesize the rulebase and others are used as data for packet classification. All of our experimentation was performed on 1.7–GHz Pentium IV system with 512 MB of memory running Linux. A. Rulebase Synthesis To create a synthetic rulebase that resembles real-life rulebases, we carefully synthesized a rulebase by following the rulebase characteristics observed from real-life firewall applications [1], [2]. The detailed guidelines are the following: • All the rules in a rulebase must match at least one packet in the test packet trace during classification. • For the prefix mask of an IP address field, we need to determine the distribution of the prefix length. It is reported that in industrial firewalls most prefixes have either a length of 0 (probability of occurrence is 50%) or 32 (20%) [2]. Roughly 50% of rules are wild carded. In addition, 10.2% of rules contain noncontiguous masks [1]. We use these statistics to determine the prefix length. • We synthesize IP addresses from the trace by using two approaches. One is the random selection from the trace, which we call random rulebase. The other is fractional rulebase, which reflects the IP address distribution in the trace. Since the results do not show much difference depending on the synthesis approaches, we report only the results of random rulebase in this paper. • The protocol field is in general restricted to a small set of values: TCP, UDP, ICMP, IGMP, (E)IGRP, GRE, IPINIP, and wildcard [1]. In our synthesis the protocol number is randomly selected from these values with a probability associated with each. The ratio we used is approximately , where other protocols such as OSPF (89), PIM(103), IPv6(41), GRE (47), IGMP(2) are almost negligible [3]. • The port number description for a given rule can be arbitrary. Gupta [1] reports that roughly 10% of rules ” have range specifications, and in particular “ occurs in 9% of the rules. For simplicity, we assume that well-known port numbers are used as a singleton whereas range specifications are generated for ephemeral ports with 10% probability. • There is one all-wildcard rule that matches all packets, which is located at the bottom of the rulebase. (In firewalls, for instance, this is the default “all-deny” rule). Since rules are generated synthetically, there are some redundant rules. However, real-life rulebases do have some redundant rules (8%) because of network manager’s mistakes [1], but we decide to remove these rules in our experimentation. In this manner, we create 9 rulebases with sizes ranging from 1 K to 500 K rules. B. Rulebase Partitioning 1) First Level Partitioning: Fig. 3 shows the results of the first level partitioning by displaying the average and maximum size of a subrulebase after the partitioning. By the partitioning we can reduce the average size of a rulebase substantially. For rulebases with 10 K, 100 K, and 500 K rules, the reduction ratios are 0.0029, 0.0014, and 0.0014, respectively. This is very
Fig. 3. The result of the first level partitioning.
significant since we can reduce the size of a rulebase by more than two orders of magnitude by a single memory lookup to the corresponding hash table. However, as you can see from the maximum size of a rulebase in the figure, rules are not evenly distributed in the partitioned rulebases. The largest subrulebase contains about 24% of rules of the original rulebase in all the rulebases tested. As we can predict, these rules are related to HTTP service, which corresponds to protocol 6 and port 80. The numbers of subrulebases over the threshold (16 rules per subrulebase) are 141, 192, and 1114 for 10 K, 100 K, and 500 K cases. For these subrulebases we perform the second-level partitioning. All of the first level partitioning is completed in less than one second in our experimentation platform. As a side effect of the first level partitioning, we observe that the partitioning more than doubles the total number of rules due to rule spreading caused by inexact range specification. The actual inflation ratio is 2.42. 2) Second Level Partitioning: Figs. 4 and 5 show the results of the second level partitioning with various hash key selection algorithms. Fig. 4 shows the average number of rules per subrulebase whereas Fig. 5 shows the size of the largest rulebase. Assuming the entropy-maximizing key selection, the secondlevel partitioning further reduces the subrulebase by reduction ratios of 0.054, 0.054, and 0.052 compared to the first-level partitioning for 10 K, 100 K, and 500 K rulebases. When the first-level and the second-level partitioning are combined, 10 K, 100 K, and 500 K rulebases are reduced to 1.6, 7.6, and 36.6 rules per subrulebase on average, which corresponds to reduction ratios of 0.00016, 0.000076, and 0.000073. This is very significant since we can reduce the size of a rulebase by more than four orders of magnitude by just two memory lookups to the hash tables. The second level partitioning is also very effective in reducing the largest subrulebase, which contains 24% of the original rulebase after the first level partitioning. Assuming the entropymaximizing key selection, with the second level partitioning we can reduce the size of the largest rulebase to contain 31, 258, and 1281 rules in 10 K, 100 K, and 500 K rulebases respectively, which correspond to 0.31, 0.26, and 0.26% of the original rulebase. This suggests that for a 100 K rulebase we only need to compare a packet to those 258 rules in the worst case
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
1932
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 17, NO. 6, DECEMBER 2009
Fig. 4. The average size of a subrulebase after the second-level partitioning with different key selection algorithms.
Fig. 5. The maximum size of a subrulebase after the second-level partitioning with different key selection algorithms.
during the classification phase. Note that the second-level partitioning is more effective in reducing the largest rulebase compared to the first-level partitioning. This is expected since the first-level partitioning partitions the original rulebase according to the Internet services governed by the rules. Therefore, the largest subrulebase governing the HTTP service is grouped into a single subrulebase. Yet, the second-level partitioning can further reduce this largest subrulebase substantially by considering the distribution of IP addresses in the classification space with the entropy-maximizing key selection algorithm. 3) Comparison of Different Hash Key Selection Algorithms: Figs. 4 and 5 also compares the effectiveness of different key selection algorithms in the second level partitioning. As expected, the entropy-maximizing key selection gives the best partitioning result. In particular, it can reduce the size of the largest subrulebase substantially compared to other key selection heuristics. For 10 K, 100 K, and 500 K rulebases, the entropy-maximizing key selection is more effective compared to MSB pattern key selection by factors of 2.38, 3.42, and 3.49. All the key selection algorithms show comparable results on the average size of a subrulebase. However, the entropy-maximizing key selection is the most effective in all the cases, especially for rulebases larger than 100 K rules. 4) Scalability: It is hard to judge the scalability of our rulebase partitioning from Figs. 4 and 5 since the size of a rulebase does not increase linearly in the horizontal axis. But, we
carefully scrutinized the numbers and could verify that both the maximum and the average size of a subrulebase grow linearly as we increase the size of rulebase. Note that these results assumed only two-levels of partitioning. If necessary, more levels of partitioning can be employed to significantly reduce the size of subrulebases with only modest amount of memory space increase. 5) Memory Requirement: The memory space required by our algorithm is determined by the size of the hash table and the total number of rules in the final subrulebases. The space comwhere is the size of plexity of the hash table is the hash key at level and the is the size of a pointer. For the two-level partitioning used in our evaluation, this would lead to , and . However, the ac32 GB since tual size of the hash table is only 279 MB since the second-level hash table is needed only for those subrulebases whose sizes are larger than the threshold. We also studied the inflation ratio of the total number of rules in the final subrulebases compared to the original rulebase. This is caused by the rule spreading due to prefix mask and range specification. The inflation ratio remains constant around 400 as we increase the size of a rulebase [17]. Thus, for 500 K rules, the total number of rules generated by our algorithm would be about 200 M. Although this number seems relatively large, we could complete all of our experimentation in our PC platform. Compared to some of the existing proposals such as RFC [1] or ABV [2], the space requirement of the pro-
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
CHOI et al.: SCALABLE PACKET CLASSIFICATION THROUGH RULEBASE PARTITIONING
1933
Fig. 6. The packet classification results.
posed algorithm is substantially smaller. The space complexity of the existing schemes is also discussed in Section IV.
in each subrulebase. These algorithms outperform the linear search and work fine for subrulebases whose size range from a few dozen to a few thousand.
C. Classification Performance
IV. RELATED WORK In this section, we briefly review some of the prior works on packet classification. Although there is a large array of works on packet classification—grid-of-tries [5], cross-producting [5], hierarchical model [19], FIS tree [8], bit-parallelism [4], RFC [1], HiCuts [10], AQT [7], tuple space search [6], hash trie-tree [15], ABV [2], G-filter [20], and statistical search trees [21] among others—we describe only those works that are closely related with ours. A comparative analysis of previous works can be found in [22]. Grid-of-tries is well fit to 2-D classification using prefix , matching. Search cost is 2 and space complexity is where is the maximum number of bits specified in the destination or source fields and is the number of rules. Thus, this algorithm provides a good solution to a small 2-D rulebase. Cross-producting becomes supplement to grid-of-tries but suffers from memory space explosion. It uses 1.5 MB for 50 rules and if either the size of a rulebase is increased or the dependences among the rules are significant, then the memory requirement grows exponentially. Probably the best-known algorithm is Recursive Flow Classification (RFC) by Gupta and McKeown [1]. Given the number of bits extracted from the packet header and the number of bits required to identify the first matching rule, the classification operation of mapping to is performed recursively in multiple steps, in order to reduce the space requirement for the mapping table and the rule equivalence table. Although the theoretical space and time complexity in its table pre-computation is exponential, RFC does not suffer from the problem in almost all real-life rulebases that were scrutinized [1]. This is because the rulebases that generate near worst-case bounds should exhibit heavy rule intersections, but rule intersection turns out to be very rare in real-life classifiers. The number of memory accesses per classification with RFC is limited to a small fixed number, e.g., 13. Due to this property, RFC easily lends itself to pipelined hardware implementation, capable of doing up to
To demonstrate the classification performance of our algorithm, we use real-life packet traces collected during December 14 and 17, 2001, from PUBNET. The amount of packet trace used in classification is 202 million packets, which is large enough to obtain the confidence of our experiment. Rulebases are synthesized with 40 million packets and the largest has 500 K rules. After the first and second-level partitioning, we use the worst-case search algorithm, i.e., a simple linear search, to find the matching rule in the final subrulebase so that we can show the pure effectiveness of the proposed partitioning algorithm. Fig. 6 shows the classification performance in terms of the average number of rules accessed to find a matching rule. Fig. 6 reveals that our classification procedure using the entropy-maximizing hash key accesses 5.6, 42.64, and 207.02 rules for 10 K, 100 K, and 500 K rulebases, respectively. This is very promising since the best-known packet classification algorithm [1] requires at least 13 memory accesses for 5 K rules. On the other hand, our partitioning algorithm needs to access only 4.2 rules in addition to 2 memory accesses required for hash table lookups although the worst-case linear search is used in the final subrulebase. Although they are not shown explicitly in Fig. 6, the worst-case performance data can be easily drawn from Fig. 5 since the worst case is equal to the maximum size of a subrulebase after the second-level partitioning. Acceleration of subrulebase lookup: We can further improve the classification performance of our algorithm by employing a more efficient algorithm rather than the worst-case linear search. We recommend existing efficient classification algorithms, such as grid-of-tries [5], ABV scheme [2], and dynamic rulebase reconfiguration [12]. Grid-of-tries and ABV can be easily employed by excluding the bits used by the hashing. Dynamic rulebase reconfiguration can easily accelerate the linear search since the algorithm only changes the position of rules while keeping the inter-rule dependences
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
1934
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 17, NO. 6, DECEMBER 2009
OC-192. It is considered that the pre-computable rulebase size is bounded by about 15 K even after optimization [1]. Hierarchical model [19] is one of the earlier works that addresses the scalability issue of a large rulebase. Although the work introduces the idea of constructing the hierarchy of filter database, it is hard to judge the effectiveness of the proposal since no experimental data have been presented. A work by Woo [9] recursively partitions a rulebase into groups of “similar” rules. Unfortunately, it is not immediately clear from the paper how many memory accesses are required for each classification operation. In addition, although this scheme attempts to shorten the tree search path for frequently referenced rules using Huffman-coding like idea, it lacks a quantitative description of how the optimization of the search tree affects the performance. ABV [2] preprocesses the rulebase and constructs a trie for each field. Each node of a trie may or may not have a bit vector (BV) of size , and one or more aggregated bit vectors (ABVs) summarizing the BV. ABV is capable of completing searches on 5-field 20 K-rulebase in about 140 memory accesses. Arguably, this may not be practical for gigabit or faster devices, even with fast memories. The space requirement grows linearly with the size of a rulebase. In the worst case, the space complexity of the where is the number of dimensions, algorithm is is the number of rules and is the width of the largest prefix (e.g., 32 for IP address). For instance, for a 5-field rulebase with 100 K rules, we observe that with ABV it is easy to exceed over a gigabyte in terms of memory requirement. G-filter [20] maps the classification problem into a geometric point location problem in a multidimensional hypercube. G-filter recursively partitions the classification space into a number of possibly overlapping regions until only a single rule can be applied. Experimental results show that G-filter can outperform FIS tree [8] by a factor of 2 for large rulebases with reasonable amount of memory although it is less competitive in comparison to RFC for small rulebases. Recently, another study [23] introduced V-Cuts and H-Cuts which also rely on the rulebase pre-partitioning to speed up the classification as in our earlier works [17], [18]. However, it does not discuss key selection algorithms and the optimal partitioning issue, which is discussed in detail in this paper. V. CONCLUSION The growth of Internet in applications and protocols makes the size of a rulebase rapidly increasing. From the classifier’s viewpoint, this implies that for each incoming packet the classifier must be able to find the matching rule with the highest priority among all the rules in the rulebase at the wire speed. However, most of existing works mainly focus on relatively small classifiers, e.g., with less than 20 K rules. Beyond this size, most of existing schemes may not work either due to the memory explosion or due to the slowdown of classification. To address this issue, we propose a new scalable packet classification algorithm that achieves the scalability by hierarchically partitioning a rulebase into many smaller independent subrulebases. By using the same hash key used in the partitioning a classifier can inspect an incoming packet and find its relevant subrulebase with a few memory lookups to the hash tables. Thus,
the classification performance mainly depends on how much the final subrulebase can be reduced compared to the original rulebase. To make the reduction effective, we use the notion of entropy that finds a good hash key considering the distribution of rules in the classification space. With synthesized rulebases of sizes ranging from 1 K to 500 K rules, we evaluate the effectiveness of the proposed algorithm in both partitioning and classification. The experimental results show that two-levels of partitioning can substantially reduce the size of a rulebase. For example, a rulebase with 100 K rules can be reduced to 7.6 rules on average and 258 rules in the worst case. This suggests that for a 100 K rulebase a classifier only needs to compare an incoming packet to those 258 rules in the worst case. The simulation data with real-life packet traces show that a classifier needs to access only 4.2, 5.6, 8.4, 20.4, 42.6, 83.2, and 207 rules on average for rulebases with 5 K, 10 K, 20 K, 50 K, 100 K, 200 K, and 500 K rules. This is quite surprising. Although the worst-case linear search is used in a subrulebase, the proposed scheme outperforms RFC, one of the best algorithms for a relatively small rulebase, which requires 13 memory references for a 5-K rulebase. Furthermore, we show that the proposed algorithm has the unique scalability both in space and in time as we increase the size of a rulebase. ACKNOWLEDGMENT The authors would like to thank J. Heo for his contribution to the earlier work of this paper. L. Choi also thanks M. Choi for carefully proofreading this paper. REFERENCES [1] P. Gupta and N. McKeown, “Packet classification on multiple fields,” in Proc. ACM SIGCOMM, Aug. 1999, vol. 29, no. 4, pp. 149–160. [2] F. Baboescu and G. Varghese, “Scalable packet classification,” in Proc. ACM SIGCOMM, Aug. 2001, vol. 31, no. 4, pp. 199–210. [3] “Flow Analysis of Passive Measurement Data,” [Online]. Available: http://pma.nlanr.net/PMA/Datacube.html [4] T. V. Lakshman and D. Stiladis, “High-speed policy-based packet forwarding using efficient multi-dimensional range matching,” in Proc. ACM SIGCOMM, Oct. 1998, vol. 28, no. 4, pp. 203–214. [5] V. Srinivasan, S. Suri, G. Varghese, and M. Valdvogel, “Fast and scalable layer four switching,” in Proc. ACM SIGCOMM, Oct. 1998, vol. 28, no. 4, pp. 191–202. [6] V. Srinivasan, G. Varghese, and S. Suri, “Packet classification using tuple space search,” in Proc. ACM SIGCOMM, Aug. 1999, vol. 29, no. 4, pp. 135–146. [7] M. M. Buddhikot, S. Suri, and M. Waldvogel, “Space decomposition techniques for fast layer-4 switching,” in Proc. IFIP 6th Int. Workshop on Protocols for High Speed Netw., Aug. 1999, vol. 66, no. 6, pp. 277–283. [8] A. Feldmann and S. Muthukrishnan, “Tradeoffs for packet classification,” in Proc. GBN and IEEE INFOCOM, Mar. 2000, pp. 1193–1202. [9] T. Woo, “A modular approach to packet classification: Algorithms and results,” in Proc. IEEE INFOCOM, Mar. 2000, pp. 1213–1222. [10] P. Gupta and N. McKeown, “Packet classification using hierarchical intelligent cuttings,” in Proc. Hot Interconn. VII, 1999, pp. 3–6. [11] R. B. Ash, Information Theory, 1st ed. New York: Dover, Nov. 1990. [12] H. Kim, J. Heo, L. Choi, and S. Kim, “Taming large classifiers with rule reference locality,” in Proc. ICOIN, Feb. 2003, vol. 1, pp. 35–50. [13] IANA Port Number Assignment, Nov. 06, 2002 [Online]. Available: http://www.iana.org/assignments/port-numbers [14] Korea Network Information Center, [Online]. Available: http://www. nic.or.kr [15] Z. Yu, J. Wu, K. Xu, and M. Xu, “A fast IP classification algorithm applying to multiple fields,” in Proc. IEEE Int. Conf. Commun., Jun. 2001, pp. 2058–2062. [16] E. D. Zwicky, S. Cooper, and D. B. Chapman, Building Internet Firewall, 2nd ed. New York: O’Reilly, 2000.
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
CHOI et al.: SCALABLE PACKET CLASSIFICATION THROUGH RULEBASE PARTITIONING
[17] L. Choi, “Packet classification method through hierarchical rulebase partitioning,” U.S. Patent Appl. No. 20050254502, May 2, 2005. [18] L. Choi, J. Heo, H. Kim, J. Joung, and S. Kim, “Scalable packet classification through maximum entropy hashing,” in Proc. 3rd IFIP-TC6 Netw. 2004 Conf., May 2004, pp. 297–302. [19] C. Macián and P. Domschitz, “Advanced IP classification techniques for a hybrid routing node in a DWDM metropolitan network,” in Proc. Eur. Conf. Netw. Opt. Commun., 1999, pp. 5–8. [20] F. Geraci, M. Pellegrini, and P. Pisati, “Packet classification via improved space decomposition techniques,” in Proc. IEEE INFOCOM, Mar. 2005, vol. 1, pp. 304–312. [21] H. Hamed, A. El-Atawy, and E. Al-Shaer, “Adaptive statistical optimization techniques for firewall packet filtering,” in Proc. IEEE INFOCOM, Apr. 2006, vol. 1, pp. 1–12. [22] C. Macian and R. Finthammer, “An evaluation of the key design criteria to achieve high update rates in packet classifiers,” IEEE Netw., vol. 15, no. 6, pp. 24–29, Nov./Dec. 2001. [23] K. Zheng, Z. Liang, and Y. Ge, “Gear up the classifier: Scalable packet classification optimization framework via rule set pre-processing,” in Proc. 11th IEEE ISCC, Jun. 2006, pp. 814–819. [24] J. van Lunteren and A. P. J. Engbersen, “Fast and scalable pacekt classification,” IEEE J. Sel. Areas Commun., vol. 21, no. 4, pp. 560–571, May 2003. [25] H. Liu, “Efficient mapping of range classifier into ternary CAM,” in Proc. 10th Symp. Hot Interconn., 2002, pp. 2–4. Lynn Choi (M’96) received the B.S. and M.S. degrees in computer engineering from Seoul National University, Seoul, Korea, in 1986 and 1988, respectively, and the Ph.D. degree in computer science from the University of Illinois at Urbana-Champaign in 1996. From March 1988 to July 1990, he was with Korea Telecom Research Center as a Member of Technical Staff. After he received the Ph.D. degree, he joined Intel Corporation as a Senior Design Engineer, participating on the Itanium Processor Design Team, where he worked on the microarchitecture design and validation of the Itanium processor. From September 1998 to August 2000, he was with the Department of Electrical and Computer Engineering, University of California, Irvine, as a tenure track faculty member. Since September 2000, he has been with the Department of Electronics and Computer Engineering, where he is currently a Professor. He has published more than 30 international conference papers and journals in the areas of computer architecture, compilers, internet security, and computer networks. His current research interests include algorithm and architecture issues in application-specific processors, sensor networks and applications, and processor architectures for secure computing. Prof. Choi has served on several program committees and editorial boards. He is a Member of the Association for Computing Machinery.
1935
Hyogon Kim received the Ph.D. degree in computer and information science from the University of Pennsylvania, Philadelphia, in 1995. From 1996 to 1999, he was a Research Scientist with Bell Communications Research, where he worked on various Internet-related issues such as Internet QoS, IP over WDM, and mobile multicast protocols. He is currently an Associate Professor at Korea University, Seoul. His research interests include next generation Internet applications and 4G technologies.
Sunil Kim received the B.S. and M.S. degrees in computer engineering from Seoul National University, Seoul, Korea, and received the Ph.D. degree in computer science from the University of Illinois at Urbana-Champaign in 1995. He joined IBM, Austin, TX, and worked on the high-end PowerPC processor development from June 1995 to March 1999. Currently, he is an Associate Professor with the Department of Computer Engineering, Hongik University, Seoul. His current research interests include embedded system design, computer security, and application-specific processor architectures.
Moon Hae Kim (M’89) received the B.S. and M.S. degrees in electrical engineering from Seoul National University, Seoul, Korea, in 1979 and 1981, respectively, and the Ph.D. degree in computer science from the University of California at Berkeley in 1991. He is a Professor with the Department of Computer Science and Engineering, Konkuk University, Seoul, Korea, and Director of the university’s Software Research Center, which is one of the Information Technology Research Centers (ITRCs) supported by the Korea Ministry of Information and Communication. He is also a project leader in the development of Linux-based object-oriented distributed real-time embedded operating platform. Dr. Kim has served on numerous program committees and editorial boards, including IEEE ISORC, IEEE WORDS, Korea Information Science Society (KISS), and Korea Information Processing Society. He is a Member of the Association for Computing Machinery, KISS, and KIPS.
Authorized licensed use limited to: Korea University. Downloaded on February 11, 2010 at 06:52 from IEEE Xplore. Restrictions apply.
