High-speed Firewall Rule Verification Technique Improves Throughput Performance for IP Version 6

Abstract

Throughput performance of firewalls depend on the execution speed to verify rules. Internet Protocol Version 6 (IPv6) and IPv4 ruleset memory requirements differ and affect rule access and execution time in a wide range of common firewalls. This paper contributes a high-speed firewall to execute rules for IPv6 with constant O(1) access time, and consumes optimal O(nbit) memory for 64-bit architectures, named FW6 firewall. Results are based on actual performance evaluations in conjunction with other high-speed firewalls (IPSets, IPack, and F3), such as processing time, memory consumption and throughput. Throughput measurements in IPv6 TCP/UDP packet trials (across ruleset and window sizes) show FW6 significantly outperforms IPSets. The trials have shown that FW6 improves throughput performance over IPSets by 0.24% (mean) and 0.21% (median) across all test variables. Nevertheless, the results suggest similarity and a minor performance increase by FW6 over IPSets. In addition, FW6 and IPSets throughputs are similar to IPack and F3 in IPv4 ruleset execution comparisons. As a result, FW6 can be used to replace previous high-speed firewalls.