Fast Conflict Detection for Two-Dimensional Packet Filters

Advanced network services such as firewall, differentiated services, and virtual private networks require network devices to perform packet classification. According to pre-defined rules (or filters), network devices classify incoming packets into different flows and execute the operation specified by the matching filter. However, two filters may overlap and leads to a conflict if the actions specified in the filters conflict. Filter conflicts may cause security breaches or quality-of-service failures. In this paper, we propose an algorithm that can efficiently detect and resolve filter conflicts. By analyzing the conditions that two conflicting filters must hold, our proposed algorithm can detect conflicts without complicated data structures. The time complexity of our proposed algorithm is O(n), and the space complexity is O(n), where n is the number of filters. Experimental results show that our proposed algorithm can reduce the average detection time per filter by 30% to 56% compared to the scalable bit vector (SBV) algorithm. Moreover, the memory required by our proposed algorithm is much smaller than that by the SBV algorithm.


Introduction
Today's Internet offers not only best-effort services, but also advanced network services such as differentiated services, firewalls, virtual private networks, and policy-based routing.All these advanced services require routers to perform packet classification-that is, classifying incoming packets into different flows based on one or more fields in the packet header and a set of rules (or filters).A filter F = (f [1], f [2], …, f [k]) is called k-dimensional if the filter consists of k fields, where each field can be a variable length prefix, a range, an exact value or wildcard.Possible fields in a filter include network source address, network destination address, source port, destination port, and protocol type.A packet P is said to match a filter if every field in the packet header satisfies the field defined in the filter.Each filter has an associated action that specifies how to treat packets matching this filter.
It is possible that a packet matches more than one filter.In this case, ambiguity may arise if the actions of matching filters conflict.Depending on the implemented services, filter conflicts may cause different problems such as security breach, violation of service level agreement, and routing problem.For example, Table 1 gives a two-dimensional filter database with 4 filters.Suppose that the maximum length of each field is 4 bits.A packet 1 = (1000 b , 0000 b ) matches filter D, and will be denied to pass through if this device is a firewall.However, another packet 2 = (0000 b , 1010 b ) matches both filters B and C. The conflicting actions of filters B and C cause a security problem if packets that should be blocked are allowed to pass through.
One approach to resolve conflicts is to select the first matching filter (1) .Through reordering the filters, the expected matching filter can be moved before other matching filters.However, filter reordering cannot fully solve the problem caused by filter conflicts.Hari et al. (2) used resolve filters to solve this problem.A resolve filter is a filter that matches the packets in the overlap region of two Table 1.An example filter database.conflicting filters.However, it has been shown that finding the minimum number of resolve filters in a filter database is an NP-hard problem (2) .Therefore, it is a challenging task to design an algorithm that can efficiently detect and resolve filter conflicts.In this paper, we propose an efficient conflict detection algorithm for two-dimensional packet filters.By analyzing the conditions that two conflicting filters must hold, our proposed algorithm can quickly detect all conflicts in a filter database without generating complicated data structures.Therefore, the memory required by our algorithm is much smaller than other algorithms.The rest of this paper is organized as follows.Section 2 reviews existing conflict detection algorithms.Section 3 describes our proposed algorithm.Section 4 presents the experimental setup and results.Finally, Section 5 concludes the paper.

Related Work
Hari et al. (2) proposed the use of two grid-of-tries (GoT) (3) to detect all conflicts in two-dimensional (2-D) prefix filters.The time complexity of their algorithm is O(nW+s), where n is the number of filters, W is the length of the longest prefix and s is the number of pairs of conflicting filters.Based on the bit vector scheme and the aggregated bit vector scheme (4) , Baboescu and Varghese (5) proposed a conflict detection algorithm called the scalable bit vector (SBV) algorithm.The time complexity of the SBV algorithm is O(n 2 ), and the space complexity is also O(n 2 ).Lu and Sahni (6) proposed a plane-sweep algorithm that improves the performance of both time and space.The key idea behind the plane-sweep algorithm is to treat each filter as a rectangle with four line segments in the space, and then find all overlap regions (i.e., conflicts) by finding orthogonal line segment intersections.The plane-sweep algorithm runs in O(nlogn+s) time and requires O(n) space.Lai and Wang (7) pointed out that the SBV algorithm cannot support filters with arbitrary ranges, and proposed several new algorithms based on the SBV algorithm.To achieve fast detection speed, their algorithm required nodes in a trie to store extra bit vectors called boundary bit vectors (BBV).The major drawback of these algorithms based on bit vectors is that a large amount of memory is required to store bit vectors.Lee et al. (8) proposed a tuple-based conflict detection algorithm (TCDA).By exploiting the relationship between the tuple space and filter conflicts, TCDA is not only faster than other compared algorithms, but also requires less memory space.

Proposed Conflict Detection Algorithm
Before we describe our proposed algorithm, we first define the possible relationships between two fields and two filters.
Definition 1: Given two fields f and g, if  ∩  = ∅, f and g are disjoint.Otherwise, f and g are overlapping, and the possible relationships between f and g include: (a) If  ⊃ , the relationship between f and g is an enclosure.
(b) If  ⊂  , the relationship between f and g is a containment.
(c) If  = , the relationship between f and g is an equality.
(d) If  ∩  ≠  and  ∩  ≠  , the relationship between f and g is a cross-intersection.
Definition 2: Given two filters F and G, if there exists a field i, such that F[i] and G[i] are disjoint, F and G are disjoint.Otherwise, F and G are overlapping, and the possible relationships between F and G include: (a) For every field i, the relationship between F[i] and G[i] is an equality or an enclosure.In addition, there exists a field j, such that the relationship between F[j] and G[j] is an enclosure.Then, the relationship between F and G is an enclosure.
(b) For every field i, the relationship between F[i] and G[i] is an equality or a containment.In addition, there exists a field j, such that the relationship between F[j] and G[j] is a containment.Then, the relationship between F and G is a containment.
(c) For every field i, the relationship between F[i] and G[i] is an equality.Then, the relationship between F and G is an equality.
(d) If F and G are not disjoint, and the relationship between them is not an enclosure, a containment, or an equality, then the relationship between F and G is a cross-intersection.
As mentioned before, the value of a field in a filter can be a prefix, a range of values, or an exact.Since a prefix can be represented as a range of values, we can treat each field as a range of values.Let f be a field.We use f min and f max to denote the smallest value and the largest value of f, respectively.
Theorem 1: Two fields f and g are overlapping if and only if   ≤   and   ≤   .
Theorem 2: If two fields f and g can be represented in prefix format, the relationship between f and g cannot be a cross-intersection.
Proof: If f and g are disjoint, we have proved this theorem.Otherwise, f and g are overlapping.Since f and g can be represented in prefix format, either f is a prefix of g, or g is a prefix of f.Otherwise, f and g are disjoint.Therefore, the relationship of f and g must be one of Definition (a)-(c).
We now describe our proposed conflict detection algorithm.Given a 2-D filter F = (f [1], f [2]), where both fields are represented in prefix format.The range of values represented by a prefix can be calculated as shown in lines 1-2 in Fig. 2. For example, if the maximum length of a prefix is 4 bits.Given a prefix P = 11 b , P min is P<<2, which is 1100 b .P max is 1100 b +2 4-2 -1, which is 1111 b .Given two prefixes P and Q, we can determine if P and Q are overlapping by first converting each of them to a range of values.Then, we can use Theorem 1 to determine if they are overlapping.Fig. 2 shows the detailed algorithm.
Once two prefixes can be determined if they are overlapping, we can determine the relationship between two filters.Fig. 3 shows the detailed algorithm.First, according to Definition 2, if either the first fields (i.e., source IP address) or the second fields (destination IP address) in two filters are not overlapping, two filters are disjoint (lines 1-3).Then, the relationship of the source IP address field between two filters can be determined by the prefix lengths (lines 4-10), and so as the destination IP address field.Finally, the relationship between two filters can be determined by the relationships between two fields using Definition 2 (lines 18-26).
For example, the relationship between B and C in Table 1 can be determined as follows.Recall that the maximum length of each field is 4 bits.B [1] min is 0 << (4-1) = 0, and B [1] max is 0+2 4-1 -1 = 7.Similarly, we can obtain C [1] min = 0 and C [1] max =15.Since  [1]  ≤  [1]  and  [1]  ≤  [1]  , the first fields in B and C are overlapping.Similarly, we can find that the second fields in B and C are also overlapping.Since the length of B [1] (i.e., 1) is larger than the length of C [1] (i.e., 0), the relationship between the first fields of B and C is an enclosure.Similarly, the relationship between the second fields of B and C is a containment.Finally, we can determine that the relationship between B and C is a cross-intersection.
Using the algorithm shown in Fig. 3, all conflicts in a filter database can be detected by checking the relationship between every pair of filters in the filter database.

Experimental Results
This section compares our proposed algorithm with the SBV algorithm.All algorithms were implemented in C++,   and benchmarked on a 2.1 GHz Intel Xeon PC.The tested filter databases were synthesized by ClassBench (9) .This tool includes 12 seed files derived from real filter sets to reflect the characteristics of filters of different applications, including three categories: the access control list (ACL), firewall (FW), and IP chain (IPC).For each seed file, we generate filter sets with 16K and 32K filters.Since the filters generated by ClassBench are 5-D, the number of filters for each file generated is slightly less than the specified number after removing duplicate filters by only considering source and destination address fields.Filter database statistics, including the number of filters and the number of conflicts, are shown in Table 2. Figs. 4 and 5 show the average detection time for 16K and 32K filter databases, respectively.Compared with the SBV algorithm, our proposed algorithm can reduce the detection time by 30% to 40% for 16K-filter databases, and 37% to 56% for 32K-filter databases.One thing worth noting is that the parameter files exerts little impact on the detection time for our proposed algorithm.This is because our proposed algorithm detects conflicts based on whether two fields are overlapping using value comparison.On the contrary, the SBV algorithm has to traverse two tries and perform bitwise operations for bit vectors.Since the number of traversed nodes depends on the length of the prefix being processed, the detection time of the SBV is sensitive to the characteristics of parameter files.
As for the required storage, our proposed algorithm does not need to generate extra data structures for accelerating the conflict detection process.For each field, our algorithm only needs two 32-bit integers to store the minimum and the maximum values of the range represented by a prefix.In addition, one extra byte is needed to store the length of the prefix.Therefore, our algorithm needs 18 bytes to store a filter.As for the SBV algorithm, one trie is required for each field.In addition, every node in a trie has to store one or two bit vectors.The length of a bit vector is the number of filters.As a result, the average storage size required by a filter for a 16K-filter database in the SBV algorithm varies between several KBs to tens KBs.Table 3 summarizes the average storage size required by a filter for the SBV algorithm and our proposed algorithm.As the number of filters increases, the SBV algorithm requires more memory space to store a filter, while our proposed algorithm does not.

Conclusions
Conflict detection is important for the correctness of packet classification.In this paper, we described our proposal for a conflict detection algorithm to resolve conflicts in two-dimensional packet filters.By analyzing the rules to determine the relationship between two prefixes and the relationship between two filters, our proposed algorithm does not need to generate extra data structures for accelerating the conflict detection process.Compared with the SBV algorithm, our algorihtm can reduce the detection time by 30% to 56% for 16K-filter and 32K-filter databases.The space complexity of our algorihtm is O(n) and that of the SBV algorihtm is O(n 2 ), where n is the number of filters.

Fig. 3 .
Fig. 3. Pseudo code to determine the relationship between two filters.

Table 2 .
Statistics of filter databases.

Table 3 .
Required storage size (in bytes).