Wire-Speed TCAM-Based Architectures for Multimatch Packet Classification

Author

Faezipour, Miad ; Nourani, Mehrdad

Author_Institution

Univ. of Texas at Dallas, Richardson, TX

Volume

58

Issue

1

fYear

2009

Firstpage

5

Lastpage

17

Abstract

Most conventional packet classifiers find only the highest priority filter that matches the arriving packet. However, new networking applications such as network intrusion detection systems and load balancers require all (or the first few) matching packets during classification. In this paper, two TCAM-based architectures for multi-match search are introduced. The first one is a renovated TCAM design that can find all or the first r matches in a packet filter set. The second architecture is a novel partitioning scheme based on filter intersection properties allowing us to use off-the-shelf TCAMs for multi-match packet classification. Our classifier engine finds all matches in exactly one conventional TCAM cycle while reducing the power consumption by at least two orders of magnitude, which is far better than the existing hardware based designs.

Keywords

computer networks; content-addressable storage; resource allocation; security of data; classifier engine; filter intersection property; load balancers; matching packets; multimatch packet classification; multimatch search; network intrusion detection systems; off-the-shelf TCAM; packet filter set; power consumption; wire-speed TCAM-based architectures; Associative memory; Databases; Energy consumption; Engines; Indexes; Intrusion detection; Matched filters; Multidimensional systems; Payloads; Protocols; Classifier design and evaluation; Network monitoring; Network-level security and protection; System architectures; integration and modeling;

fLanguage

English

Journal_Title

Computers, IEEE Transactions on

Publisher

ieee

ISSN

0018-9340

Type

jour

DOI

10.1109/TC.2008.159

Filename

4609379