High-Performance and Range-Supported Packet Classification Algorithm for Network Security Systems in SDN

Packet classification is a key function in network security systems in SDN, which detect potential threats by matching the packet header bits against a given rule set. It needs to support multi-dimensional fields, large rule sets, and high throughput. Bit Vector-based packet classification methods can support multi-field matching and achieve very high throughput; however, range matching is still challenging. To address this issue, this paper proposes a Range Supported Bit Vector (RSBV) algorithm for processing the range fields. RSBV uses specially designed codes to store the pre-computed results in memory, and the result of range matching is derived through pipelined Boolean operations. Through a two-dimensional modular architecture, the RSBV can operate at a high clock frequency and line-rate processing can be guaranteed. Experimental results show that for a 1K and 512-bit OpenFlow rule set, the RSBV can sustain a throughput of 520 Million Packets Per Second.
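The abstract's general idea (per-rule results pre-computed in memory, range match derived by Boolean operations stage by stage) can be modelled in software as follows. This is an added example, not the paper's code: it uses a generic stride-based comparison rather than RSBV's code format, which the abstract does not specify, and the field width, stride size and sample port ranges are assumptions.

```python
# Added illustration: stride-based bit-vector range matching (a generic
# scheme, NOT the paper's RSBV code format, which the abstract does not give).
W, K = 16, 4                      # field width and stride size in bits (assumed)
STAGES = W // K

def strides(x):
    """Split a W-bit value into K-bit strides, most significant first."""
    return [(x >> (W - K * (s + 1))) & ((1 << K) - 1) for s in range(STAGES)]

def build_tables(rules):
    """Pre-compute, per stage and stride value, one bit per rule.

    rules: list of (lo, hi) inclusive ranges; bit i of each vector is rule i.
    Returns tables[s][v] = [gt_lo, eq_lo, lt_hi, eq_hi] as Python ints.
    """
    tables = [[[0, 0, 0, 0] for _ in range(1 << K)] for _ in range(STAGES)]
    for i, (lo, hi) in enumerate(rules):
        for s, (l, h) in enumerate(zip(strides(lo), strides(hi))):
            for v in range(1 << K):
                row = tables[s][v]
                row[0] |= (v > l) << i
                row[1] |= (v == l) << i
                row[2] |= (v < h) << i
                row[3] |= (v == h) << i
    return tables

def classify(tables, n_rules, value):
    """One table read plus a few AND/OR operations per pipeline stage."""
    ones = (1 << n_rules) - 1
    gt, eq_lo, lt, eq_hi = 0, ones, 0, ones
    for s, v in enumerate(strides(value)):
        g, e_lo, l, e_hi = tables[s][v]
        gt |= eq_lo & g           # first differing stride decides value > lo
        lt |= eq_hi & l           # likewise for value < hi
        eq_lo &= e_lo
        eq_hi &= e_hi
    return (gt | eq_lo) & (lt | eq_hi)   # lo <= value <= hi, one bit per rule

def matching_rules(bv):
    """Decode a result bit vector into the list of matching rule indices."""
    return [i for i in range(bv.bit_length()) if bv >> i & 1]

# Constructed sample rule set: destination-port ranges.
RULES = [(0, 1023), (80, 80), (1024, 65535), (8000, 8080)]
TABLES = build_tables(RULES)
```

Each loop iteration in `classify` corresponds to one pipeline stage; in this model the per-stage memory holds 2^K entries of four bits per rule, so the stride size trades memory against pipeline depth.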
