Parallel Processing of Packets with a PRAM

The operation of policy tables, for access control (firewalls) and for routing (flow tables), is a major component in networks. For example, one of the most important bottlenecks in the Internet is the time taken by backbone routers to resolve packets. In practice, such routers use special hardware such as Ternary Content-Addressable Memory. How well do standard architectures for parallel computing work to speed up such operations? At first glance, it appears that first-match policies such as firewalls might force a serial approach, where the only mechanism for speeding up packet processing is to handle different packets on different cores. However, we show in this paper that the operation of packet-processing policies for each individual packet can in fact be sped up with a PRAM parallel computer. We go on to demonstrate how to build a policy engine for XMT (Explicit Multi Threading), a practical near-PRAM architecture and instruction set, and present some performance results.
