Hardware architecture for packet classification with prefix coloring

Packet classification is a widely used operation in network security devices. As network speeds are increasing, the demand for hardware acceleration of packet classification in FPGAs or ASICs is growing. Nowadays algorithms implemented in hardware can achieve multigigabit speeds, but suffer with great memory overhead. We propose a new algorithm and hardware architecture which reduces memory requirements of decomposition based methods for packet classification. The algorithm uses prefix coloring to reduce large amount of Cartesian product rules at the cost of an additional pipelined processing and a few bits added into results of the longest prefix match operation. The proposed hardware architecture is designed as a processing pipeline with the throughput of 266 million packets per second using commodity FPGA and one external memory. The greatest strength of the algorithm is the constant time complexity of the search operation, which makes the solution resistant to various classes of network security attacks.