Abstract
Packet classification—the matching of packet headers against a predefined rule set—is a crucial functionality of firewalls, intrusion detection systems, and SDN switches. Most existing classification algorithms trade setup time for classification speed—that is, the packet classification is fast, but the transformation of rules set into the corresponding search data structure takes a considerable amount of time. This preprocessing time, however, poses a significant challenge for systems where rule sets can often change. Hence, these systems often use slow classification algorithms that support frequent rule set updates, which drastically limits their achievable throughput. In this work, we present a novel algorithmic technique which is able to upgrade an arbitrary existing classification algorithm to support fast updates, while still providing high lookup performance. Our evaluation demonstrates that our proposed technique exceeds the matching performance of existing dynamically updatable algorithms by an order of magnitude while providing the same level of update responsiveness.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
