The geometric efficient matching algorithm for firewalls

Firewall packet matching can be viewed as a point location problem: each packet is a point with 5 fields (dimensions), and it must be checked against the firewall rule-base to find the first rule that matches it. We consider a packet matching algorithm, which we call the geometric efficient matching (GEM) algorithm. GEM has logarithmic matching time, easily beating the linear time required by the naive algorithm that scans the rules one by one. However, the algorithm's theoretical worst-case space complexity is O(n^4) for a rule-base with n rules. Based on statistics from real firewall rule-bases, we created a model that generates random, but non-uniform, rule-bases, and we evaluated GEM via extensive simulation using this rule-base generator. Subsequently, we integrated GEM into the code of the Linux "iptables" open-source firewall. Our GEM-iptables implementation supports a throughput at least 5-10 times higher than that of the unoptimized iptables, and it was able to match over 30,000 packets per second even with 10,000 rules.
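The following is an added illustration of the point-location view described above; it is example code written for this page, not the GEM paper's code or the GEM-iptables implementation. It assumes a simplified rule-base with 4 integer fields (protocol, source address, destination address, destination port; the paper's fifth field, source port, is omitted, and addresses are small integers rather than 32-bit words) and iptables-style first-match semantics, where the lowest-numbered matching rule wins. Each field's rule ranges are projected onto that axis, the axis is cut into elementary intervals that every rule either fully covers or misses, and each interval recurses into the next field over the rules that cover it; a lookup is then one binary search per field. The `node_count` function makes the space cost visible: even 5 constructed rules expand to dozens of nodes, which is the practical face of the O(n^4) worst case. The rule-base and packets are constructed for this example.

```python
"""GEM-style geometric packet matching next to the naive first-match scan.

Added example, not code from the GEM paper or from iptables. Field values
are small integers; real firewalls use 32-bit addresses and 16-bit ports,
but the interval decomposition is the same.
"""
from bisect import bisect_right
import random

# A rule is a tuple of inclusive (lo, hi) ranges, one per field, in the
# order (protocol, source address, destination address, destination port).
# Rule order matters: the lowest-index matching rule wins (first match).
ANY = (0, 255)
TCP, UDP = (6, 6), (17, 17)

# Constructed rule-base: a few accepts, then a default deny-all (rule 4).
RULES = [
    (TCP, (10, 19), ANY, (80, 80)),        # 0: lan  -> any:80/tcp
    (TCP, (10, 19), ANY, (443, 443)),      # 1: lan  -> any:443/tcp
    (UDP, ANY, (53, 53), (53, 53)),        # 2: any  -> resolver:53/udp
    (TCP, ANY, (20, 29), (22, 22)),        # 3: any  -> servers:22/tcp
    ((0, 255), ANY, ANY, (0, 65535)),      # 4: default deny
]

# Constructed packets (protocol, src, dst, dport).
PACKETS = [(6, 15, 200, 80), (6, 15, 25, 443), (17, 100, 53, 53),
           (6, 100, 25, 22), (6, 15, 25, 22), (17, 15, 53, 80), (1, 1, 1, 1)]


def linear_match(rules, packet):
    """Naive O(n) scan: index of the first rule whose every range covers the packet."""
    for idx, rule in enumerate(rules):
        if all(lo <= v <= hi for (lo, hi), v in zip(rule, packet)):
            return idx
    return None


def build_gem(rules):
    """Build the geometric search structure for a rule-base (list of rules)."""
    if not rules:
        return ([], [])
    return _build(list(enumerate(rules)), 0)


def _build(cands, field):
    # cands: non-empty list of (index, rule) still alive on this search path.
    if field == len(cands[0][1]):
        # Leaf: every candidate covers this cell, so first-match semantics
        # picks the lowest rule index.
        return min(idx for idx, _ in cands)
    # Project the candidates' ranges for this field onto the axis. Cutting the
    # axis at every lo and hi+1 yields elementary intervals that each candidate
    # either fully covers or misses entirely.
    bounds = sorted({b for _, r in cands for b in (r[field][0], r[field][1] + 1)})
    starts, cells = [], []
    for lo, nxt in zip(bounds, bounds[1:]):
        hi = nxt - 1
        covering = [(i, r) for i, r in cands if r[field][0] <= lo and hi <= r[field][1]]
        if covering:                          # intervals no rule covers are dropped
            starts.append(lo)
            cells.append((hi, _build(covering, field + 1)))
    return (starts, cells)


def gem_match(node, packet, field=0):
    """Locate the packet with one binary search per field: O(d log n) time."""
    if isinstance(node, int):
        return node
    starts, cells = node
    i = bisect_right(starts, packet[field]) - 1
    if i < 0:
        return None
    hi, child = cells[i]
    if packet[field] > hi:
        return None                           # fell into an uncovered gap
    return gem_match(child, packet, field + 1)


def node_count(node):
    """Number of nodes in the structure; this is what grows toward O(n^4)."""
    if isinstance(node, int):
        return 1
    return 1 + sum(node_count(child) for _, child in node[1])


def demo():
    """Map each constructed packet to (GEM result, linear-scan result)."""
    tree = build_gem(RULES)
    return {pkt: (gem_match(tree, pkt), linear_match(RULES, pkt)) for pkt in PACKETS}


def cross_check(n_rules=40, n_packets=500, seed=1):
    """Random non-uniform rule-bases (mostly narrow ranges, some wide):
    GEM must agree with the linear scan on every packet."""
    rng = random.Random(seed)

    def rng_range(width):
        lo = rng.randrange(width)
        hi = min(width - 1, lo + rng.choice((0, 0, 0, 3, 15, width)))
        return (lo, hi)

    rules = [(rng.choice((TCP, UDP, (0, 255))), rng_range(256), rng_range(256), rng_range(1024))
             for _ in range(n_rules)]
    rules.append(((0, 255), ANY, ANY, (0, 1023)))   # default rule: every packet matches
    tree = build_gem(rules)
    for _ in range(n_packets):
        pkt = (rng.choice((6, 17, 1)), rng.randrange(256), rng.randrange(256), rng.randrange(1024))
        if gem_match(tree, pkt) != linear_match(rules, pkt):
            return False
    return True


if __name__ == "__main__":
    for pkt, (g, l) in demo().items():
        print(pkt, "GEM ->", g, "linear ->", l)
    print("nodes for", len(RULES), "rules:", node_count(build_gem(RULES)))
    print("random cross-check agrees:", cross_check())
```

The last field's cells hold a single rule index, so a lookup never touches the rule list itself; that is where the logarithmic matching time comes from. The price is paid at build time: every wide rule (a `ANY` range) is copied into every elementary interval it covers on that axis, and the copies multiply across fields, which is why a practitioner deploying such a structure has to bound rule-base size or watch memory, not just matching latency.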
