A prefix-based approach for managing hybrid specifications in complex packet filteringAuthor: Nizar Ben Neji, Adel BouhoulaPublisher: Computer Networks 56 (2012)Presenter: Yu Hao, TzengDate: 2012/11/

1

Outline• Introdution• Proposed technique• Performance• Conclusion

2

Introduction• A packet filter must support rule sets involving any type of

condition.• Prefix-based packet filters have gained wide acceptance in the

research community for storing.• Range-based fields need to be converted into a set of standard

prefixes to guarantee the homogeneity.• Since multiple packet header fields can contain several range

specifications, a single rule may require multiple memory entries.

• The difficulty lies in the fact that multiple memory entries have to be allocated to represent a rule containing various range specifications. 3

Introduction (Cont.)• DRPC (direct range to prefix conversion) • Example :

4

Introduction (Cont.)• The NAF (Non-Adjacent Form) conversion method lets us

obtain a better conversion ratio than the previous proposed solutions.• Example :

5

Introduction (Cont.)

6

Introduction (Cont.)

7

Proposed technique• Notation and definitions• An elementary w-bit range can be written using a single w-bit

prefix.• Example : • 192.168.100.0 ~ 192.168.100.255 =>

• An extended w-bit range [L, U] of an arbitrary w-bit range [l, u] is the smallest elementary range containing the w-bit range [l, u].

• Two w-bit ranges and are adjacent ranges if .• Two elementary ranges and are consecutive if they are adjacent

and they have same widths or consecutive power of 2 widths.

8

Proposed technique (Cont.)• NAF conversion of

arbitrary range• Direct range-to-prefix

conversion (DRPC)• Indirect range to signed

prefixes (IRSP)• Lower{} is a list of

Integers • Upper{} is a list of

Integers • Sign{} is a binary list

9

Proposed technique (Cont.)• NAF conversion of arbitrary range• Example :

10

Proposed technique (Cont.)• NAF conversion of arbitrary range• Direct range to signed prefixes (DRSP)

• DRSP is better than the indirect conversion in terms of time since it lets us avoid the use of two conversion stages.

Arbitrary Range Signed PrefixesDRSP

11

Proposed technique (Cont.)• NAF conversion of arbitrary range• Direct range to signed prefixes (DRSP)

• isElementaryRange() is a boolean function that takes as entry an arbitrary w-bit range [l, u] and tells whether it can be represented using a single prefix or not.

• extendedRange() takes as entry an arbitrary range [l, u] and returns as a result the smallest elementary range covering it.

• addSignedPrefix() stores the resulting signed prefixes in the lists Lower{}, Upper{} and Sign{}.

12

Proposed technique (Cont.)• NAF conversion of arbitrary range• Algorithm

13

Proposed technique (Cont.)• Building the two-staged data structure

14

Proposed technique (Cont.)

15

Proposed technique (Cont.)• Building the two-staged data structure

16

Proposed technique (Cont.)• The matching process• Example :

17

Proposed technique (Cont.)• The matching process• Example :

18

Proposed technique (Cont.)• The matching process• searching for the longest matching prefix • searching for the shortest prefix that does not match.

• Example :

19

Performance

20

Performance (Cont.)

21

Performance (Cont.)

22

Conclusion• In this paper, the essential issues related to the resolution of the

range matching problem arising in the packet filtering process were thoroughly examined and efficiently solved using the new concept of signed prefixes.

23