Title :
Detecting and resolving packet filter conflicts
Author :
Hari, Adiseshu ; Suri, Sean ; Parulkar, Guru
Author_Institution :
AT&T Bell Labs., Holmdel, NJ, USA
Abstract :
Packet filters are rules for classifying packets based on their header fields. Packet classification is essential to routers supporting services such as quality of service (QoS), virtual private networks (VPNs), and firewalls. A filter conflict occurs when two or more filters overlap, creating an ambiguity in packet classification. Current techniques for resolving filter conflicts are based on prioritizing conflicting filters and choosing the higher-priority filter. We show that such ordering does not always work. Instead, we propose a new scheme for conflict resolution, which is based on the idea of adding resolve filters. Our main results are algorithms for detecting and resolving conflicts in a filter database. We have tried our algorithm on 3 existing firewall databases, and have found conflicts, which are potential security holes, in each of them.
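To make the abstract's notions concrete, the following is an added example, not the paper's own algorithm or code. It assumes a simplified two-field filter (source prefix, destination prefix) and a constructed three-filter database: two filters conflict when they overlap but neither contains the other, so no most-specific-match rule settles the overlap; a resolve filter is a new filter covering exactly that overlap with an explicitly chosen action. The filter names, addresses and actions are constructed for illustration.

```python
"""Added example (not the paper's code): detect packet-filter conflicts and
resolve them by adding 'resolve filters'. Filters are modelled with two
prefix fields (source, destination); all sample data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Filter:
    name: str
    src: Net
    dst: Net
    action: str  # constructed values: "permit" or "deny"


def mk(name: str, src: str, dst: str, action: str) -> Filter:
    return Filter(name, Net(src), Net(dst), action)


def field_intersection(a: Net, b: Net) -> Optional[Net]:
    # Two prefixes either nest or are disjoint, so their intersection is the
    # longer prefix when one contains the other, and empty otherwise.
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def intersection(f: Filter, g: Filter) -> Optional[Tuple[Net, Net]]:
    src = field_intersection(f.src, g.src)
    dst = field_intersection(f.dst, g.dst)
    if src is None or dst is None:
        return None
    return src, dst


def covers(f: Filter, g: Filter) -> bool:
    """True when every packet matched by g is also matched by f."""
    return g.src.subnet_of(f.src) and g.dst.subnet_of(f.dst)


def conflicts(f: Filter, g: Filter) -> bool:
    """The filters overlap, but neither contains the other: the overlap region
    is matched by both and no containment order picks a winner."""
    return intersection(f, g) is not None and not covers(f, g) and not covers(g, f)


def detect_conflicts(db: List[Filter]) -> List[Tuple[str, str]]:
    """Every conflicting pair in the database (pairwise check, O(n^2))."""
    return [(f.name, g.name) for i, f in enumerate(db) for g in db[i + 1:] if conflicts(f, g)]


def unresolved_conflicts(db: List[Filter]) -> List[Tuple[str, str]]:
    """Conflicting pairs whose overlap region is not yet carried by a filter of
    its own; a resolve filter supplies exactly that region."""
    regions = {(f.src, f.dst) for f in db}
    return [(f.name, g.name) for i, f in enumerate(db) for g in db[i + 1:]
            if conflicts(f, g) and intersection(f, g) not in regions]


def resolve_filter(f: Filter, g: Filter, action: str) -> Filter:
    """Build the resolve filter for the overlap of f and g with an explicitly
    chosen action. It is contained in both, so it wins in the overlap."""
    region = intersection(f, g)
    if region is None:
        raise ValueError("filters do not overlap; nothing to resolve")
    return Filter(f"resolve({f.name},{g.name})", region[0], region[1], action)


def classify(db: List[Filter], src: str, dst: str) -> Optional[str]:
    """Most-specific-match classification. Returns the winning action, None if
    nothing matches, or 'AMBIGUOUS' when no matching filter is contained in
    all the other matching filters (the situation a conflict creates)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hits = [f for f in db if s in f.src and d in f.dst]
    if not hits:
        return None
    for w in hits:
        if all(covers(h, w) for h in hits):
            return w.action
    return "AMBIGUOUS"


# Constructed database: F1 and F2 conflict (partial overlap); F3 sits inside F1.
DEMO_DB = [
    mk("F1", "10.0.0.0/8", "0.0.0.0/0", "deny"),
    mk("F2", "0.0.0.0/0", "192.168.0.0/16", "permit"),
    mk("F3", "10.0.0.0/8", "10.0.0.0/8", "deny"),
]

if __name__ == "__main__":
    print("conflicts:", detect_conflicts(DEMO_DB))
    print("before:", classify(DEMO_DB, "10.1.2.3", "192.168.5.5"))
    resolved = DEMO_DB + [resolve_filter(DEMO_DB[0], DEMO_DB[1], "permit")]
    print("after:", classify(resolved, "10.1.2.3", "192.168.5.5"))
    print("unresolved:", unresolved_conflicts(resolved))
```

Running the demo shows the packet (10.1.2.3 to 192.168.5.5) classified as ambiguous under the original database, since F1 says deny and F2 says permit and neither contains the other; after the resolve filter is added for the (10.0.0.0/8, 192.168.0.0/16) region, the same packet gets the action chosen for it, and the database reports no unresolved conflicts. The action given to a resolve filter is a policy decision: this is the point where an administrator states what the overlap should do, instead of letting rule order decide it implicitly.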
Keywords :
Internet; database management systems; filtering theory; packet switching; telecommunication network routing; telecommunication security; Internet; QoS; VPN; conflict resolution; conflicting filters; filter database; firewall databases; firewalls; header fields; packet classification; packet filter conflicts; quality of service; resolve filters; routers; security holes; virtual private networks; Data security; Databases; Information filtering; Information filters; Matched filters; Protocols; Quality of service; TCPIP; Virtual private networks; Web and internet services;
Conference_Titel :
INFOCOM 2000. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE
Conference_Location :
Tel Aviv
Print_ISBN :
0-7803-5880-5
DOI :
10.1109/INFCOM.2000.832496