Parallel tree search: An algorithmic approach for multi-field packet classification

Abstract

To support advanced functions such as quality of service provisioning, firewall, and virtual private networks, today’s IP routers need to classify incoming packets into flows. The classification problem becomes extremely difficult when the system needs to process millions of packets per second, matching them against a filter database with tens of thousands of rules. Dynamic updates to the filter database and scalability to IPv6 with 128-bit addresses pose great challenges to the classification methods. We adopt the two-stage classification approach of Baboescu et al. [F. Baboescu, S. Singh, G. Varghese, Packet classification for core routers: is there an alternative to CAMs?, IEEE INFOCOM 2003.] The first stage determines the best matching source and destination prefix pair, and the second stage determines the highest priority matching filter by comparing the remaining fields against a short list of candidate rules in parallel. The first stage 2-D search problem is reduced to a pseudo 1-D problem by a process called filter decomposition. The decomposed filters are organized as a height-balanced search tree. The search operation is speeded up by parallel processing techniques to achieve a throughput of one packet per memory cycle. Our method is scalable to large filter databases and IPv6. It also allows incremental updates to the data structures.