• DocumentCode
    1839386
  • Title

    Detecting and resolving packet filter conflicts

  • Author

    Hari, Adiseshu ; Suri, Sean ; Parulkar, Guru

  • Author_Institution
    AT&T Bell Labs., Holmdel, NJ, USA
  • Volume
    3
  • fYear
    2000
  • fDate
    26-30 Mar 2000
  • Firstpage
    1203
  • Abstract
    Packet filters are rules for classifying packets based on their header fields. Packet classification is essential to routers supporting services such as quality of service (QoS), virtual private networks (VPNs), and firewalls. A filter conflict occurs when two or more filters overlap, creating an ambiguity in packet classification. Current techniques for resolving filter conflicts are based on prioritizing conflicting filters, and choosing the higher priority filter. We show that such ordering does not always work. Instead, we propose a new scheme for conflict resolution, which is based on the idea of adding resolve filters. Our main results are algorithms for detecting and resolving conflicts in a filter database. We have tried our algorithm on 3 existing firewall databases, and have found conflicts, which are potential security holes, in each of them.
  • Keywords
    Internet; database management systems; filtering theory; packet switching; telecommunication network routing; telecommunication security; Internet; QoS; VPN; conflict resolution; conflicting filters; filter database; firewall databases; firewalls; header fields; packet classification; packet filter conflicts; quality of service; resolve filters; routers; security holes; virtual private networks; Data security; Databases; Information filtering; Information filters; Matched filters; Protocols; Quality of service; TCPIP; Virtual private networks; Web and internet services;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    INFOCOM 2000. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE
  • Conference_Location
    Tel Aviv
  • ISSN
    0743-166X
  • Print_ISBN
    0-7803-5880-5
  • Type

    conf

  • DOI
    10.1109/INFCOM.2000.832496
  • Filename
    832496