Hardware architecture for packet classification with prefix coloring

Packet classification is a widely used operation in network security devices. As network speeds are increasing, the demand for hardware acceleration of packet classification in FPGAs or ASICs is growing. Nowadays algorithms implemented in hardware can achieve multigigabit speeds, but suffer with great memory overhead. We propose a new algorithm and hardware architecture which reduces memory requirements of decomposition based methods for packet classification. The algorithm uses prefix coloring to reduce large amount of Cartesian product rules at the cost of an additional pipelined processing and a few bits added into results of the longest prefix match operation. The proposed hardware architecture is designed as a processing pipeline with the throughput of 266 million packets per second using commodity FPGA and one external memory. The greatest strength of the algorithm is the constant time complexity of the search operation, which makes the solution resistant to various classes of network security attacks.

[1]  Haoyu Song,et al.  Fast packet classification using bloom filters , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[2]  Nick McKeown,et al.  Packet classification on multiple fields , 1999, SIGCOMM '99.

[3]  George Varghese,et al.  Tree bitmap: hardware/software IP lookups with incremental updates , 2004, CCRV.

[4]  George Havas,et al.  An Optimal Algorithm for Generating Minimal Perfect Hash Functions , 1992, Inf. Process. Lett..

[5]  Jan Korenek,et al.  Fast and scalable packet classification using perfect hash functions , 2009, FPGA '09.

[6]  Jonathan S. Turner,et al.  Scalable packet classification using distributed crossproducing of field labels , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[7]  Viktor K. Prasanna,et al.  Scalable high-throughput SRAM-based architecture for IP-lookup using FPGA , 2008, 2008 International Conference on Field Programmable Logic and Applications.

[8]  Jonathan S. Turner,et al.  ClassBench: A Packet Classification Benchmark , 2005, IEEE/ACM Transactions on Networking.

[9]  Haoyu Song,et al.  Shape shifting tries for faster IP route lookup , 2005, 13TH IEEE International Conference on Network Protocols (ICNP'05).