Title :
Range Matching without TCAM Entries Expansion for Packet Classification
Author :
Li, Yang ; Wan, Chengwei ; Fan, Xiumei
Author_Institution :
Sch. of Comput. Sci. & Technol., Beijing Inst. of Technol., Beijing, China
Abstract :
Packet classification has been widely used in network security protection. A number of the major techniques for network security protection, such as virtual private networks (VPN), firewalls, and network intrusion detection systems (NIDS), are all dependent on the speed and ability of packet classification. The complexity of multi-dimensional packet classification will result in large scale rule-sets, which makes it prohibitive for software implementation. Algorithms based on ternary content addressable memory (TCAM) can solve this problem but cause entries expansion during the range matching. Our paper introduces a new region encoding mechanism of range mapping which can eliminate the expansion. By adding a new regional code, which is used to encode the ranges spanning two regions or more, the improved mechanism is able to express all the ranges by only one entry. Simulation and characteristics analysis of real rule-sets verify this encoding mechanism's feasibility and efficiency in actual applications.
Keywords :
computer network security; content-addressable storage; encoding; pattern matching; TCAM; encoding mechanism; entries expansion; network security protection; packet classification; range matching; ternary content addressable memory; Computer science; Encoding; Intrusion detection; Multidimensional systems; National security; Protection; Quality of service; Routing; Virtual private networks; Wide area networks; TCAM; entry expansion; packet classification; range matching;
Conference_Title :
Frontier of Computer Science and Technology, 2009. FCST '09. Fourth International Conference on
Conference_Location :
Shanghai
Print_ISBN :
978-0-7695-3932-4
Electronic_ISBN :
978-1-4244-5467-9
DOI :
10.1109/FCST.2009.25