Abstract

Packet classification is used in network firewalls to identify and filter threats or unauthorized network access at the application level. This is realized by comparing incoming packet headers against a predefined rule set. Many solutions to packet classification are available, but most of them exploit some features of the rule set in order to minimize the memory footprint of rule set storage. When the expected rule set features are not present, however, feature-reliant solutions may yield poor memory efficiency. In this paper, we focus on two rule-set-independent packet classification schemes: Ternary Content Addressable Memory (TCAM), a brute-force search method, and StrideBV, a bit-vector-based algorithmic solution. Our aim is to determine which solution is better suited for high-performance packet classification. Using rule set sizes ranging from 32 to 2048 (targeted for firewall rule sets), we implement both schemes on a Field-Programmable Gate Array (FPGA) to evaluate their performance. We measure the performance of both solutions using memory efficiency, resource consumption, throughput and power efficiency metrics. The post place-and-route results on a state-of-the-art FPGA reveal that StrideBV has 4.5× and 3.5× higher power efficiency in comparison with TCAM, along with 6× and 4× higher throughput, when using distributed RAM and block RAM as memory respectively. TCAM has better memory efficiency, though its improvement over StrideBV varies.
