Packet Filter Management for Layer 4 Switching

Packet lters are rules for classifying packets based on their header elds. A lter speciies a pattern for each of the key header elds, and an action that is applied to the packet matching this lter. Packet classiication is essential to routers supporting services such as Quality of Service (QoS), Virtual Private Networks (VPNs), and rewalls. A lter connict occurs when two or more lters overlap, creating an ambiguity in packet classiication. Current techniques for resolving lter connicts are based on prioritizing connicting lters, and choosing the higher priority lter. We show that prioritizing does not always work. Instead, we propose a new scheme for connict resolution, which is based on the idea of adding resolve lters. Our main results are a geometric framework for studying lters, an algorithm for detecting connicts in a lter database, and an algorithm for resolving connicts. In the special case of 2-dimensional (Source-Destination) lters, we present a very fast algorithm that can be used both for lter connict detection as well as packet classiication, thereby eliminating any redundancy between the control path and the data path. A simple version of the algorithm running on a 200 MHz Pentium workstation takes a few microseconds to perform connict detection and classiication on a lter database of 40 thousand lters. We also show how a more eecient packet classiication scheme 11] ts into our framework, which can improve the detection time by another order of magnitude.