A Comparison of Ruleset Feature Independent Packet Classification Engines on FPGA

Packet classification is used in network firewalls to identify and filter threats or unauthorized network access at the application level. It is realized by comparing incoming packet headers against a predefined rule set. Many solutions to packet classification are available, but most of them exploit some features of the rule set in order to minimize the memory footprint of rule set storage. When the expected rule set features are not present, such feature-reliant solutions may yield poor memory efficiency. In this paper, we focus on two rule-set-independent packet classification schemes: Ternary Content Addressable Memory (TCAM), a brute-force search method, and StrideBV, a bit-vector-based algorithmic solution. Our aim is to determine which of the two is better suited for high-performance packet classification. Using rule set sizes ranging from 32 to 2048 (targeted at firewall rule sets), we implement both schemes on a Field-Programmable Gate Array (FPGA) and evaluate them using memory efficiency, resource consumption, throughput and power efficiency metrics. The post place-and-route results on a state-of-the-art FPGA reveal that StrideBV has 4.5× and 3.5× higher power efficiency than TCAM, along with 6× and 4× higher throughput, when using distributed RAM and block RAM as memory, respectively. TCAM has better memory efficiency, though its improvement over StrideBV varies.
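The two schemes named in the abstract can be modeled in software; the following is an added example, not code from the paper. The rule strings, the 8-bit header width and the stride size `K = 4` are constructed for illustration, and `memory_bits` is a simple bit-count model (value plus mask per TCAM entry, one N-bit vector per stride value for StrideBV), not the paper's measurements.

```python
# Constructed sample rule set: ternary strings over '0', '1', '*'.
# Index 0 is the highest priority. Real 5-tuple headers are far wider than 8 bits.
RULES = ["1010****", "10******", "00001111", "********"]
W, K = 8, 4  # header width and stride size in bits (assumed; W must be a multiple of K)

def ternary_eq(pattern, bits):
    """True if every pattern position is '*' or equals the header bit."""
    return all(p in ("*", b) for p, b in zip(pattern, bits))

def tcam_match(header, rules=RULES):
    """TCAM model: compare the header against every entry, return the first hit."""
    for i, rule in enumerate(rules):
        if ternary_eq(rule, header):
            return i
    return None

def build_stridebv(rules=RULES, w=W, k=K):
    """One table per k-bit stride; entry v is a bit vector with bit i set
    when rule i accepts stride value v at that position."""
    tables = []
    for s in range(0, w, k):
        table = []
        for v in range(2 ** k):
            bits = format(v, f"0{k}b")
            bv = 0
            for i, rule in enumerate(rules):
                if ternary_eq(rule[s:s + k], bits):
                    bv |= 1 << i
            table.append(bv)
        tables.append(table)
    return tables

def stridebv_match(header, tables, n=len(RULES), k=K):
    """Look up one vector per stride, AND them, then priority-encode."""
    bv = (1 << n) - 1
    for stage, table in enumerate(tables):
        bv &= table[int(header[stage * k:(stage + 1) * k], 2)]
    if bv == 0:
        return None
    return (bv & -bv).bit_length() - 1  # lowest set bit = highest-priority rule

def memory_bits(n, w=W, k=K):
    """Storage under the bit-count model: (TCAM, StrideBV)."""
    return 2 * w * n, (w // k) * (2 ** k) * n
```

Neither lookup depends on prefix structure, field overlap or any other property of the rules, which is what rule-set independence means here; the cost is that StrideBV storage grows with `2**K` per stride.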
