Packet Classifiers InPacket Classifiers InTernary CAMs Can Be SmallerTernary CAMs Can Be Smaller

Qunfeng Dong (University of Wisconsin-Madison)Qunfeng Dong (University of Wisconsin-Madison)

Suman Banerjee (University of Wisconsin-Madison)Suman Banerjee (University of Wisconsin-Madison)

Jia Wang (AT&T Laboratories – Research)Jia Wang (AT&T Laboratories – Research)

Dheeraj Agrawal (University of Wisconsin-Madison)Dheeraj Agrawal (University of Wisconsin-Madison)

Ashutosh Shukla (University of Wisconsin-Ashutosh Shukla (University of Wisconsin-

Madison)Madison)

SIGMETRICS 2006SIGMETRICS 2006

Introduction TCAM is the favoured solution for wire speed packet classification

in backbone routers. TCAM suffers size explosion on range specifications. Previous techniques require modification to packet processors.

Motivation Trimming rules Expanding rules Adding rules Merging rules

Design Evaluation Summary Future work

Outline

Packet classification [SVSW98,LS98] Use a set of rules for finer differentiation of packets based on

multiple packet header fields. Is the foundation of many Internet functions (e.g. security, QoS, VPN,

etc).

Each rule specifies a range clause on each relevant fielde.g. the source port must be in the range [5000, 65535]Prefix, single value and wildcard are all special ranges.

A rule matchesmatches a packet iff every range clause is satisfied. Objective:

For each incoming packet, find the first (i.e., highest priority) rule that matches the packet.

Introduction

TCAM is the favoured solution for packet classification. Pure software solutions are becoming increasingly difficult as the

gap between wire speeds and memory speeds keeps widening.

Unfortunately, TCAM suffers size explosion on range clauses and accounts for a significant portion of the cost of a router line card. Each range clause can take many TCAM entries. The total amount of TCAM entries needed is the product of the

number of TCAM entries needed to represent individual range clauses.

Introduction

Rule:

TCAM:

Field AField A DecisionDecision

[64, 127][64, 127] DenyDeny

Field AField A DecisionDecision

0101×××××××××××× 00

Rule:

TCAM:

Field AField A DecisionDecision

[80, 127][80, 127] DenyDeny

Field AField A DecisionDecision

010101××××01×××× 00

01011×××××1××××× 00

Fact:A range clause defined on a k-bitfield may take 2k-2 TCAM entries

to represent.

Rule:

TCAM:

Field AField A DecisionDecision

[80, 127][80, 127] DenyDeny

Field AField A DecisionDecision

010101××××01×××× 00

01011×××××1××××× 00

Rule:

TCAM:

Field AField A Field BField B DecisionDecision

[80, 127][80, 127] [80, 127][80, 127] DenyDeny

Field AField A Field BField B DecisionDecision

010101××××01×××× 010101××××01×××× 00

010101××××01×××× 01011×××××1××××× 00

01011×××××1××××× 010101××××01×××× 00

01011×××××1××××× 01011×××××1××××× 00

Fact:The total number of TCAM entries

needed to represent a rule is the product

of the number of TCAM entries needed

to represent its range clauses!

Fact:A rule that specifies range clauses on

the 16-bit source port and destination

port can take (2×16-2) × (2×16-2) =

900 TCAM entries to represent!

Our objective To be cost efficient, we want to reduce the amount of TCAM entries

needed to implement a given rule set.Without modifying its semantics!

Our approach is to transform the given rule set into a semantically equivalent rule set that requires less TCAM entries to represent. Previously proposed techniques:

Represent rules in a new format (e.g., [SIGCOMM’05]) Need to modify packet processor hardware to interpret the new format.

Our techniques do not change the format of rule sets and hence do not require any hardware modification

Trimming rulesExpanding rulesAdding rulesMerging rules

Our Objective & Approach

Rule: TCAM:

Rule: TCAM:

Trimming Rules

Field AField A DecisionDecision

[96, 127][96, 127] DenyDeny

[100, 255][100, 255] PermitPermit

Field AField A DecisionDecision

0011×××××11××××× 00

011001××011001×× 11

01101×××01101××× 11

0111××××0111×××× 11

1×××××××1××××××× 11

Field AField A DecisionDecision

[96, 127][96, 127] DenyDeny

[128, 255][128, 255] PermitPermit

Field AField A DecisionDecision

0011×××××11××××× 00

1×××××××1××××××× 11

Rule: TCAM:

Rule: TCAM:

Expanding Rules

Field AField A DecisionDecision

[32, 79][32, 79] DenyDeny

[72, 255][72, 255] PermitPermit

Field AField A DecisionDecision

0001×××××01××××× 00

010100××××00×××× 00

01001×××01001××× 11

0101××××0101×××× 11

011×××××011××××× 11

1×××××××1××××××× 11

Field AField A DecisionDecision

[32, 79][32, 79] DenyDeny

[64, 255][64, 255] PermitPermit

Field AField A DecisionDecision

0001×××××01××××× 00

010100××××00×××× 00

01××××××01×××××× 11

1×××××××1××××××× 11

Rule: TCAM:

Rule: TCAM:

Adding Rules

Field AField A DecisionDecision

[64, 119][64, 119] DenyDeny

[0, 255][0, 255] PermitPermit

Field AField A DecisionDecision

0010×××××10××××× 00

00110××××110×××× 00

001110×××1110××× 00

×××××××××××××××× 11

Field AField A DecisionDecision

[120, 127][120, 127] PermitPermit

[64, 127][64, 127] DenyDeny

[0, 255][0, 255] PermitPermit

Field AField A DecisionDecision

001111×××1111××× 11

001××××××1×××××× 00

1×××××××1××××××× 11

Rule: TCAM:

Rule: TCAM:

Merging Rules

Field AField A DecisionDecision

[96, 111][96, 111] PermitPermit

[64, 95][64, 95] DenyDeny

[100, 127][100, 127] DenyDeny

[0, 255][0, 255] PermitPermit

Field AField A DecisionDecision

00110××××110×××× 11

0010×××××10××××× 00

0011001××11001×× 00

001101×××1101××× 00

00111××××111×××× 00

×××××××××××××××× 11

Field AField A DecisionDecision

[96, 111][96, 111] PermitPermit

[64, 127][64, 127] DenyDeny

[0, 255][0, 255] PermitPermit

Field AField A DecisionDecision

00110××××110×××× 11

001××××××1×××××× 00

1×××××××1××××××× 11

Question:How to define a systematic solution?

Framework

Expandingwill help?

NO

YES

Last Rule?

YES

NO

Remove Redundancy

Trim Rule Set

Expand Rule

Adding a rulewill help?

NO

YESAdd A Rule

Merge with otherrules will help?

NO

YESMerge Rules

Get Next Rule

Last Rule?

YES

NO

Compute the coreregion of each rule

Trim the rule to be theminimum hypercube thatencloses its core region

If a range clause originallyspecifies a prefix, expand it

to be the minimum prefix

Trim Rule

To preserve the semantics of the rule set

To avoid unnecessary increase in the number of TCAM entries needed

Core region is the part of a rule’s definition region that is not covered by higher rules

or lower rules of the same color

Get Next Rule

Expansionallowed?

YES

NO

Perform a minimumexpansion of the chosen

range clause

Expand Rule

A minimum expansion of the chosen clause should lead to the largest decrease in the

number of TCAM entries neededPick a range clauseto expand

Any range clausecan be expand?

NO

YES

Expand with Adding Rules

Expand with Adding Rules

Expand with Adding Rules

Expansionallowed?

YES

NO

Perform a minimumexpansion of the chosen

range clause

Expand with Adding Rules

A minimum expansion of the chosen clause should lead to the largest decrease in the

number of TCAM entries neededPick a range clauseto expand

Any range clausecan be expand?

NO

YES

Add a rule before andexpand the current rule

Semantics of therule set preserved?

YES

NO

Roll backNumber of TCAM entriesof the rule reduced?

YES NO

Expand with Adding/Merging Rules

Expand with Adding/Merging Rules

Expansionallowed?

YES

NO

Perform a minimumexpansion of the chosen

range clause

A minimum expansion of the chosen clause should lead to the largest decrease in the

number of TCAM entries neededPick a range clauseto expand

Any range clausecan be expand?

NO

YES

Add a rule before andexpand the current rule

Semantics of the rule set preserved?

NO

NO

Roll backNumber of TCAM entriesof the rule set reduced?

YES NO

YES

Number of TCAM entriesof the rule reduced?

Remove redundancy

YES

Expand with Adding/Merging Rules

Real rule sets 1000+ real rule sets from the network of a tier-1 ISP Each rule specifies clauses on source IP, destination IP, source

port, destination port and protocol type. Action doesn’t matter here.

Evaluation

Evaluation: real rule sets

Evaluation: real rule sets

Ramdom rule sets 100 randomly generated rule sets IP addresses a random prefix Protocol type a random number Port range a random sub-range of [0, 65535] Action randomly selected from actions in real rule sets

Evaluation

Evaluation: random rule sets

Evaluation: random rule sets

Packet classification is the foundation of many Internet functions.

TCAM is the favoured solution for packet classification. Pure software solutions are becoming increasingly difficult as the

gap between wire speeds and memory speeds keeps widening.

TCAM suffers size explosion on range clauses. TCAM accounts for a significant portion of the cost of router line

cards.

We propose (a set of techniques) to define smaller but semantically equivalent rule sets. Do not require any hardware modification. Become even more effective with more range clauses!

Summary

We have tried to compress TCAM.

Question:Can we totally eliminate TCAM?

Future Work

Work in progress:Wire Speed Packet Classification Without TCAM:

One More Register (And A Bit of Logic) Is Enough

Poster @ ACM SIGCOMM 2006

Pisa, Italy

9.11 ~ 9.15

Future Work

More coming…Besides packet classification based on

the standard 5-tuple, deep packet

classification based on payload is another

important topic of interest.

Future Work

Thank you!Thank you!Qunfeng DongQunfeng Dong

University of Wisconsin - MadisonUniversity of Wisconsin - Madison

Email: qunfeng@cs.wisc.eduEmail: qunfeng@cs.wisc.edu

SIGMETRICS 2006SIGMETRICS 2006