Worst-Case TCAM Rule Expansion
Ori Rottenstreich (Technion, Israel)
Joint work with Isaac Keslassy (Technion, Israel)
Packet Classification
[Figure: the HEADER of an incoming packet enters the Forwarding Engine, which performs packet classification against the Policy Database (classifier), a list of Rule / Action entries.]
Power Consumption in a Router
Sources: R.S. Tucker, based on Cisco CRS-1, 2009; D. Hay
[Figure: chart of router power consumption, with a brace labelled "Packet Classification".]
Ternary Content-Addressable Memory (TCAM)
[Figure: TCAM array. The packet header (search key) is presented to entries 0 to 9, each with an accept or deny action; the match lines feed an encoder, and the encoder output shown is 2.]
Each entry is a word in {0,1,*}^W
Example
[Figure: TCAM lookup example. Entries 0 to 9 carry actions such as deny, log, accept and limit; the match lines read 0 0 0 1 0 1 0 1 0 1 and the encoder outputs 3.]
Range Rules
Rule    Source address   Source port  Dest-address     Dest-port  Protocol  Action
Rule 1  123.25.0.0/16    80           255.2.3.4/32     80         TCP       Accept
Rule 2  13.24.35.0/24    >1023        255.2.127.4/31   5556       TCP       Deny
Rule 3  16.32.223.14     20-50        255.2.3.4/31     50-70      UDP       Accept
Rule 4  22.2.3.4         1-6          255.2.3.0/21     20-22      TCP       Limit
Rule 5  255.2.3.4        12-809       255.2.3.4        17-190     ICMP      Log
Range rule = rule that contains a range field
Usually source-port or dest-port
Range Rule Representation in TCAM
Assume we want to represent a range in a single field of W bits
Our objective: minimize the number of TCAM entries needed to encode the range
More TCAM entries represent more power consumption
Some ranges are easy to represent
Example: W=3: [4, 7] = {100,101,110,111} = 1**
But what about [1,6]?
Range [1,6] in tree of all elements with W=3 bits:
(Internal) Encoding of [1,6]
[Figure: binary tree over the elements 000 to 111; the range [1,6] is covered by the prefixes 001, 01*, 10* and 110.]
Known result: expansion in 2W-2 TCAM entries
Here: 2W-2=4 TCAM entries
External Encoding
[Figure: the same tree over the elements 000 to 111, encoded with the entries 111, 000 and ***.]
Here: W=3 TCAM entries (instead of 4)
Idea to reduce the number of TCAM entries: exploit the TCAM entry order by encoding the range's complement as well
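The two encodings of [1,6] above, checked by exhaustive first-match lookup. This is an added example, not code from the slides; the function names are assumptions, and external_extremal covers only the range [1, 2^W - 2] shown here, not the general W-entry construction of Theorem 1, which the slides do not spell out.

```python
# Added example, not from the slides. Ternary entries are strings over 0, 1, *.

def range_to_prefixes(lo, hi, w):
    """Internal encoding: minimal list of prefixes covering [lo, hi] in w bits."""
    out = []
    while lo <= hi:
        # Largest aligned power-of-two block that starts at lo ...
        size = lo & -lo if lo else 1 << w
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        stars = size.bit_length() - 1
        out.append(format(lo, f"0{w}b")[: w - stars] + "*" * stars)
        lo += size
    return out

def lookup(tcam, key, w, default="out"):
    """First-match lookup: the earliest matching entry in the list wins."""
    bits = format(key, f"0{w}b")
    for entry, action in tcam:
        if all(e in ("*", b) for e, b in zip(entry, bits)):
            return action
    return default

def accepted(tcam, w):
    """All w-bit keys the ordered entry list classifies as inside the range."""
    return [k for k in range(1 << w) if lookup(tcam, k, w) == "in"]

def internal(lo, hi, w):
    return [(p, "in") for p in range_to_prefixes(lo, hi, w)]

def external_extremal(w):
    """Order-dependent encoding of [1, 2^w - 2] (assumed helper name):
    the two excluded end points come first, then a catch-all entry."""
    return [("0" * w, "out"), ("1" * w, "out"), ("*" * w, "in")]

if __name__ == "__main__":
    W = 3
    for name, tcam in (("internal", internal(1, 6, W)),
                       ("external", external_extremal(W))):
        print(name, len(tcam), "entries:", tcam, "->", accepted(tcam, W))
    # The W=4 product example from the slides: 6*5 + 3*1 = 33 entries.
    n = lambda lo, hi: len(range_to_prefixes(lo, hi, 4))
    print(n(1, 14) * n(5, 14) + n(7, 10) * n(2, 3))
```

Swapping the catch-all entry to the front of the external list makes every key match it first, which is why this encoding depends on entry order while the prefix list does not.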
New upper bounds on the worst-case rule expansion
Theorem 1: Expansion of W-bit range in at most W TCAM entries
Note: W instead of 2W-2
Note: also in next talk
Theorem 2: W TCAM entries is optimal among prefix codes (not shown in this paper)
Theorem 3: Expansion of k W-bit ranges in k·W TCAM entries
Union of k ranges in kW
Example: R1=[1,5], R2=[7,7]
R = R1 ∪ R2 can be encoded using k·W = 2·3 = 6 TCAM entries
[Figure: tree of all elements 000 to 111 with the two ranges marked.]
Multi-field Ranges
Known result: range expansion in d W-bit fields in (2W-2)^d TCAM entries
Theorem 4: Expansion in O(d·W) TCAM entries (i.e. linear in d) without any additional logic
New TCAM architectures
Using additional logic to reduce expansion
Example for W=4
R1 = [1,14] × [5,14], R2 = [7,10] × [2,3]
(a) Known Architecture: Internal – Product
[Figure: the rectangles R1 and R2; the two fields of R1 are labelled 6 and 5, the two fields of R2 are labelled 3 and 1.]
Expansion of 6·5 + 3·1 = 33
(a) Internal - Product
TCAM entries shown:
0001 - 0101
0001 - 011*
0001 - 10**
10** - 01**
1110 - 10**
1110 - 110*
1110 - 1110
0111 - 001*
100* - 001*
1010 - 001*
Header 1000.0111 -> PE -> (range 1)
Worst-case expansion of k·(2W-2)^d
(b) Combined - Product
TCAM entries shown:
0111 - 001*
100* - 001*
1010 - 001*
0000 - 0101
0000 - 011*
0000 - 1111
0000 - 1***
1111 - 0101
1111 - 011*
1111 - 1111
1111 - 1***
**** - 0101
**** - 011*
**** - 1111
**** - 1***
Header 1000.0111 -> PE -> (range 1)
Worst-case expansion of k·W^d
(c) Combined – Sum
TCAM entries shown:
0000 - ****
1111 - ****
**** - ****
0111 - ****
100* - ****
1010 - ****
**** - 0101
**** - 011*
**** - 1111
**** - 1***
**** - 001*
Header 1000.0111 -> PE -> (range 1)
Worst-case expansion of k·d·W
Experimental Results
On real-life rule set
120 separate rule files from various applications
• Firewalls, ACL-routers, Intrusion Prevention systems
215K rules
280 unique ranges
Used as a common benchmark in literature
Summary
Expansion of W-bit range in at most W TCAM entries (instead of 2W-2)
Optimal (among prefix codes)
Linear expansion for multi-field ranges
New TCAM architectures
Up to 39% fewer TCAM entries