Routers can use packet classification to support advanced functions such as QoS routing, virtual private networks and access control. Unlike traditional routers, which forward packets based on the destination address only, routers with packet classification capability can forward packets based on multiple header fields, such as source address, protocol type, or application port numbers. Destination-based forwarding can be thought of as one-dimensional packet classification. While several efficient solutions are known for the one-dimensional IP lookup problem, multi-dimensional packet classification has proved to be far more difficult. While an O(log w) time scheme is known for IP lookup, Srinivasan et al. [V. Srinivasan, S. Suri, G. Varghese, Packet classification using tuple space search, in: Proceedings of SIGCOMM'99, 1999] show a lower bound of Ω(w^{k-1}) for k-dimensional filter lookup, where w is the number of bits in a header field. In particular, this lower bound precludes the possibility of a binary-search-like scheme even for two-dimensional filters (say, IP source and destination pairs). In this paper, we examine this lower bound more closely, and discover that it depends crucially on conflicts in the filter database. We then show that for two-dimensional conflict-free filters, a binary search scheme does work! Our lookup scheme requires O(log^2 w) hashes in the worst case, and uses O(n log^2 w) memory. Alternatively, our algorithm can be viewed as making O(log w) calls to a prefix lookup scheme. It has been observed in practice that filter databases have very few conflicts, and these conflicts can be removed by adding additional filters (one per conflict). Thus, our scheme may also be quite practical. Our simulation and experimental results show that the proposed scheme performs as well as or better than existing schemes.
For example, on real firewall data sets with over 200 rules consisting of source and destination IP prefixes, our algorithm performs at most 12 hashes in the worst case. For filter sets containing arbitrarily many filtering rules with IP prefixes, the guaranteed worst-case search time is at most 25 hashes.
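The abstract's precondition is a conflict-free two-dimensional filter database, and its remedy is one added filter per conflict. The following added example (written for this page, not code from the paper) makes that concrete for (source prefix, destination prefix) filters: it assumes the usual definition of a conflict, two overlapping filters where neither contains the other and whose intersection is not itself a filter, so that a packet in the intersection has no unique most-specific match; it resolves conflicts by inserting the pairwise intersections, and shows that lookups then return a single best match. The rule set is constructed.

```python
from ipaddress import ip_network, ip_address
# A two-dimensional filter is a (source prefix, destination prefix) pair; a
# packet matches it when src lies in the first prefix and dst in the second.

def contains(f, g):
    """True if filter f contains filter g (g at least as specific in both dimensions)."""
    return g[0].subnet_of(f[0]) and g[1].subnet_of(f[1])

def overlaps(f, g):
    """True if some packet matches both f and g (prefixes nested in each dimension)."""
    return all(a.subnet_of(b) or b.subnet_of(a) for a, b in zip(f, g))

def intersection(f, g):
    """Packets matching both f and g: the longer prefix in each dimension."""
    return tuple(max(a, b, key=lambda p: p.prefixlen) for a, b in zip(f, g))

def find_conflicts(filters):
    """Index pairs that overlap, neither containing the other, whose intersection
    is not itself a filter: a packet in that intersection has no unique best match."""
    present = set(filters)
    out = []
    for i, f in enumerate(filters):
        for j in range(i + 1, len(filters)):
            g = filters[j]
            if (overlaps(f, g) and not contains(f, g) and not contains(g, f)
                    and intersection(f, g) not in present):
                out.append((i, j))
    return out

def resolve_conflicts(filters):
    """Add one filter per conflict: the intersection of the conflicting pair."""
    extra = []
    for i, j in find_conflicts(filters):
        r = intersection(filters[i], filters[j])
        if r not in extra:
            extra.append(r)
    return filters + extra

def best_matches(filters, src, dst):
    """Most specific filters matching the packet; exactly one if conflict-free."""
    src, dst = ip_address(src), ip_address(dst)
    hits = [f for f in filters if src in f[0] and dst in f[1]]
    return [f for f in hits if not any(g != f and contains(f, g) for g in hits)]

# Constructed sample rule set (not from the paper): rules 0/1 and 1/2 conflict.
RULES = [
    (ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0")),
    (ip_network("0.0.0.0/0"), ip_network("192.168.1.0/24")),
    (ip_network("10.1.0.0/16"), ip_network("192.168.0.0/16")),
]
```

For two-dimensional prefix filters a single pass suffices, because the intersection of any overlapping group is already the intersection of the member with the longest source prefix and the member with the longest destination prefix, which the pass has added.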