Efficient multi-match packet classification with TCAM

Today's packet classification systems are designed to provide the highest priority matching result, e.g., the longest prefix match, even if a packet matches multiple classification rules. However, new network applications, such as intrusion detection systems, require information about all the matching results. We call this the multi-match classification problem. In several complex network applications, multi-match classification is immediately followed by other processing dependent on the classification results. Therefore, classification should be even faster than the line rate. Pure software solutions cannot be used due to their slow speeds. We present a solution based on ternary content addressable memory (TCAM), which produces multi-match classification results with only one TCAM lookup and one SRAM lookup per packet, about ten times fewer memory lookups than a pure software approach. In addition, we present a scheme to remove the negation format in rule sets, which can save up to 95% of TCAM space compared with the straightforward solution. We show that using our pre-processing scheme, header processing for the SNORT rule set can be done with one TCAM and one SRAM lookup using a 135 KB TCAM.
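As an added illustration (not code from the paper), the sketch below shows one way a first-match TCAM can report every matching rule with one TCAM lookup and one SRAM read: store the intersections of overlapping rules as extra entries, place more specific entries first, and keep each entry's full match list in SRAM. The intersection construction, the 4-bit rule set and all function names are assumptions of this example; the abstract does not spell out the paper's encoding.

```python
from itertools import combinations

# Constructed 4-bit rule set; '*' is a TCAM "don't care" bit.
RULES = {"R1": "1***", "R2": "*0**", "R3": "10*1", "R4": "**1*"}

def intersect(a, b):
    """Intersection of two ternary patterns, or None if they are disjoint."""
    out = []
    for x, y in zip(a, b):
        if x == "*":
            out.append(y)
        elif y == "*" or x == y:
            out.append(x)
        else:
            return None
    return "".join(out)

def covers(outer, inner):
    """True if everything matching `inner` (pattern or key) matches `outer`."""
    return all(o == "*" or o == i for o, i in zip(outer, inner))

def build_tables(rules):
    """Return (tcam, sram): ordered ternary entries and per-entry match lists."""
    pats = set(rules.values())
    while True:  # close the pattern set under intersection
        new = {intersect(a, b) for a, b in combinations(pats, 2)} - {None} - pats
        if not new:
            break
        pats |= new
    # A strict subset always has fewer '*' bits, so this puts it first.
    tcam = sorted(pats, key=lambda p: (p.count("*"), p))
    sram = [sorted(n for n, r in rules.items() if covers(r, p)) for p in tcam]
    return tcam, sram

def lookup(tcam, sram, key):
    """One first-match TCAM search (modelled as a scan), then one SRAM read."""
    for index, pat in enumerate(tcam):
        if covers(pat, key):
            return sram[index]
    return []

def brute_force(rules, key):
    """Reference answer: test the key against every rule individually."""
    return sorted(n for n, r in rules.items() if covers(r, key))

if __name__ == "__main__":
    tcam, sram = build_tables(RULES)
    for key in ("1011", "1010", "0010", "0100"):
        print(key, lookup(tcam, sram, key), brute_force(RULES, key))
```

For these four constructed rules the closure needs nine TCAM entries, which is the space cost of answering with a single lookup.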
