naf conversion: an efficient solution for the range matching problem in packet filters

AUTHOR:NIZAR BEN NEJI, ADEL BOUHOULAPUBLISHER:IEEE INTERNATIONAL CONFERENCE ,2011PRESENTER:KAI-YANG LIUDATE:2011/08/31

1

NAF Conversion: An Efficient Solution for the Range Matching Problem in Packet Filters

Introduction2

The cause of the coexistence of range based and prefix based fields within the filtering rules.In this paper, we deal with prefix-based solutions.The available solutions usually require that the filtering rules must be written only in prefix format.Arbitrary ranges need to be usually converted into standard prefixes when dealing with prefix based solutions.

Direct Range to Prefix Conversion

3

Exmaple4

Direct Range to Prefix Conversion

In the worst case, the w-bit range [1, 2w−2] is split into 2w−2 prefixes.

For example, the 4-bit worst case range [1,14] requires 6 prefixes as follows:

5

Non-Adjacent Form6

Every integer n has a unique non-adjacent form (NAF). NAF is a signed binary representation

(SBR) of length k and of the form n = where the digits are in {−1, 0, 1} satisfying the property that ai×ai+1 = 0

Example: 47 is 101111 = 32+8+4+2+1 and the NAF form

is

Proposed Technique7

Notations and Terminology:1. w is the size of the packet header

field to be inspected.2. A w-bit range R = [l , u]satisfies 0 ≤ l

≤ 2w−1 (lower bound) and 0 ≤u ≤ 2w −1 (upper bound) where l ≤ u.

Proposed Technique8

3. Adjacent ranges: Two w-bit ranges [l1 , u1] and [l2 , u2] are adjacent if l2 = u1+1.

4. Consecutive elementary ranges: Two elementary ranges[l1 , u1] and [l2 , u2] are consecutive if they are adjacent and they have same widths or consecutive power of 2 widths.

=> |width1−width2| = min(width1 , width2)

Conversion Algorithm of a Single Range

9

Lower{ } is a list of Integers and it stores lower bounds of ranges,

Upper{ } is a list of Integers and it stores upper bounds of ranges,

Sign{ } is a binary list and it stores signs as 0s and 1s,the zero value means “ ＋” and one means “ －” .

Example10

Example

Case 1: difference equals to zero Ex: [4,7] ,[8,11]

[4,7] = 01** U1+1=L2 , L2=(1000)2

[8,11] = 10** max(width1,width2)=4

=> L2 mod (2.max(midth1,width2))=0 ∴ can’t be converted

11

Example

Case 2: difference equals to width1 Ex: [6,7] ,[8,11]

[6,7] = 011* U1+1=L2 , L2=(1000)2

[8,11] = 10** max(width1,width2)=4

=> L2 mod (2.max(midth1,width2))=0 ∴ can’t be converted

12

Matching Algorithm13

Two main phases:searching for the longest matching prefix and

then searching for the shortest prefix that doesn’t match.

Ex: A. 2 =

(0010)2 B. 4 =

(0100)2.

Performance Analysis14

Worst Expansion Case The worst expansion case for DRPC

algorithm gives for the w-bit range of the form [1, 2w−2] 2w-2 prefixes.

The proposed algorithm: 　→ Only 3 prefixes

The Worst Case for the NAF Conversion

15

The worst case expansion is only w prefixesExample:

General Case of the Worst Result16

Average Expansion Case17

Special Cases18

Converting multiple ranges:1. Two intersecting ranges [a , b] and [c , d]

and c≤b2.Two disjoint ranges such that b+1<cLeft and right extremal ranges: Left: [0, a ] with 0≤a≤2W-1 ； Worst:[0, 2W-2] Right: [b, 2W-1 ] with 0≤b≤2W-1 ； Worst:[1,

2W-1]

Special Cases19

Negation of an arbitrary range: The negation of the w-bit range [a, b] gives

two extremal w-bit ranges [0, a−1] and [b+1,

2w−1]. Worst case of DRPC : 2w-2 prefixes given by

the range of the formWorst case of NAF conversion : w prefixes

given by the negation of the range of the form: