StrideBV: Single chip 400G+ packet classification

Hardware firewalls act as the first line of defense in protecting networks against attacks. Packets are organized into flows based on a set of packet header fields and a predefined rule is applied on the packets in each flow to filter malicious network traffic. This is realized using packet classification, which is implemented in secure networking environments where mere best-effort delivery of packets is not adequate. Existing packet classification solutions are highly dependent on the properties (or features) of the ruleset. We present a bit vector based lookup scheme and a parallel hardware architecture that does not rely on ruleset features. A detailed performance analysis of the proposed scheme is given under different configurations. Post place-and-route results of our parallel pipelined architecture on a state-of-the-art Field Programmable Gate Array (FPGA) device shows that for real-life firewall rulesets, the proposed solution achieves 400G+ throughput. To the best of our knowledge, this is the first packet classification engine that achieves 400G+ rate on a single FPGA. Further, on the average we achieve 2.5× power efficiency compared with the state-of-the-art solutions.

[1]  Viktor K. Prasanna,et al.  Field-split parallel architecture for high performance multi-match packet classification using FPGAs , 2009, SPAA '09.

[2]  Nick McKeown,et al.  Packet classification on multiple fields , 1999, SIGCOMM '99.

[3]  Karen A. Scarfone,et al.  Guide to Intrusion Detection and Prevention Systems (IDPS) , 2007 .

[4]  Gordon J. Brebner,et al.  400 Gb/s Programmable Packet Parsing on a Single FPGA , 2011, 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems.

[5]  George Varghese,et al.  Packet classification using multidimensional cutting , 2003, SIGCOMM '03.

[6]  Zheng Yan-shu Efficient Packet Classification for Network Intrusion Detection using FPGA , 2005 .

[7]  Miad Faezipour,et al.  Wire-Speed TCAM-Based Architectures for Multimatch Packet Classification , 2009, IEEE Transactions on Computers.

[8]  T. V. Lakshman,et al.  SSA: a power and memory efficient scheme to multi-match packet classification , 2005, ANCS '05.

[9]  Kuruvilla Varghese,et al.  A Scalable High Throughput Firewall in FPGA , 2008, 2008 16th International Symposium on Field-Programmable Custom Computing Machines.

[10]  Tsutomu Sasao On the Complexity of Classification Functions , 2008, 38th International Symposium on Multiple Valued Logic (ismvl 2008).

[11]  Nick McKeown,et al.  Classifying Packets with Hierarchical Intelligent Cuttings , 2000, IEEE Micro.

[12]  Diego Perino,et al.  A reality check for content centric networking , 2011, ICN '11.