Minimizing Rulesets for TCAM Implementation - PowerPoint PPT Presentation

Slides: 19
Provided by: krieger

1
Minimizing Rulesets for TCAM Implementation
  • Presenter Praveen Yalagandula
  • In collaboration with Rick McGeer
  • HP Labs, Palo Alto, CA

2
Packet Classification
  • A typical task in most network appliances
  • Firewalls, switches, routers, etc.
  • Definition
  • Classify packets into different buckets
  • E.g., dstport=80 (web-traffic), ether-type=0x8906
    (FCoE)
  • Apply different actions to packets in different
    buffers
  • E.g., Allow, Deny, Deny-with-log,
    High-priority-queue
  • Used for
  • Access Control Lists
  • QoS enforcement

3
Ternary Content Addressable Memory
  • ASIC to perform classification at line rates
  • Matches a packet header in parallel against all
    entries
  • Applies first matching entry's action to the
    packet

Pattern          Action
01011101110101   Deny
10101010101XXX   Forward
1010101XXXXXXX   Deny-log
(X = Don't care)
Packet header: 10101010101111, 10101010101000, 10101011111111

4
Problem: Large Rulesets + Range Rules
  • TCAMs are expensive, space-hungry, and
    power-hungry
  • Large rulesets + rules with ranges → Need large
    TCAMs
  • Ranges are common
  • A single rule with ranges can use up multiple
    entries
  • E.g., rule 1 < src-port, dst-port < 2^16 - 1 needs
    900 entries!!
  • If all rules do not fit into TCAM, then
  • Some packets need to be diverted to software
  • → substantial reduction in
    throughput
  • Switch vendors often receive several customer
    requests for dealing with such rulesets
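
Why one range rule consumes so many entries, as an added example (not code from the presentation): each range is split into aligned prefix blocks, and a rule with several range fields needs the cross-product. The function names are made up here, and the port range is taken as the inclusive interval 1..2^16-2, an assumed reading of the slide's bounds that gives 30 prefixes per field.

```python
from math import prod

def range_to_prefixes(lo, hi, width):
    """Cover the inclusive range [lo, hi] with the fewest prefix patterns."""
    patterns = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo ...
        size = (lo & -lo) if lo else (1 << width)
        # ... and does not run past hi.
        while size > hi - lo + 1:
            size >>= 1
        free = size.bit_length() - 1               # trailing don't-care bits
        fixed = format(lo >> free, "b").zfill(width - free) if free < width else ""
        patterns.append(fixed + "X" * free)
        lo += size
    return patterns

def entries_for_rule(field_ranges, width):
    """TCAM entries for one rule: cross-product of each field's prefixes."""
    return prod(len(range_to_prefixes(lo, hi, width)) for lo, hi in field_ranges)

PORT_RANGE = (1, 2**16 - 2)   # assumed inclusive reading of the slide's bounds

if __name__ == "__main__":
    print(range_to_prefixes(0, 6, 3))                       # 3-bit range 0-6
    print(len(range_to_prefixes(*PORT_RANGE, 16)))          # one 16-bit port field
    print(entries_for_rule([PORT_RANGE, PORT_RANGE], 16))   # src-port x dst-port
```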

5
Ruleset Minimization
  • Given a ruleset, find a minimal set of TCAM
    entries that implement the ruleset

Input Ruleset        Direct Expansion into TCAM entries          Optimized TCAM Entries
0 Deny               000 Deny                                    0X0 Deny
2 Deny               010 Deny                                    XXX Accept
Accept               XXX Accept

0-6 Deny             0XX Deny                                    111 Accept
Accept               10X Deny                                    XXX Deny
                     110 Deny
                     XXX Accept

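
A check worth running before a minimized ruleset replaces the original on a device, as an added example (not from the presentation): a first-match TCAM model plus an exhaustive equivalence test, applied to the 3-bit tables on this slide and to the lookup table on slide 3. Function and constant names are illustrative.

```python
from itertools import product

def matches(pattern, header):
    """True if every non-X bit of the ternary pattern equals the header bit."""
    return all(p in ("X", h) for p, h in zip(pattern, header))

def lookup(entries, header):
    """Action of the first matching entry (TCAM priority order), else None."""
    for pattern, action in entries:
        if matches(pattern, header):
            return action
    return None

def first_difference(a, b, width):
    """Compare two entry lists on every header; return one they disagree on."""
    for bits in product("01", repeat=width):
        header = "".join(bits)
        if lookup(a, header) != lookup(b, header):
            return header
    return None

# Entry lists copied from slide 5.
DIRECT_1 = [("000", "Deny"), ("010", "Deny"), ("XXX", "Accept")]
OPT_1 = [("0X0", "Deny"), ("XXX", "Accept")]
DIRECT_2 = [("0XX", "Deny"), ("10X", "Deny"), ("110", "Deny"), ("XXX", "Accept")]
OPT_2 = [("111", "Accept"), ("XXX", "Deny")]
# Entry list copied from slide 3.
SLIDE_3 = [("01011101110101", "Deny"), ("10101010101XXX", "Forward"),
           ("1010101XXXXXXX", "Deny-log")]

if __name__ == "__main__":
    print(first_difference(DIRECT_1, OPT_1, 3))        # None: same behaviour
    print(first_difference(DIRECT_2, OPT_2, 3))        # None: same behaviour
    print(first_difference(DIRECT_2, OPT_2[::-1], 3))  # entry order matters
    for header in ("10101010101111", "10101010101000", "10101011111111"):
        print(header, lookup(SLIDE_3, header))
```

Enumerating every header only works for toy widths; real header fields need a symbolic equivalence check (for example BDD- or SAT-based).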
6
Previous Research
  • Mostly heuristics based on observed patterns
  • Targeting rules with ranges
  • Expanding/Trimming ranges
  • Dong et al., SIGMETRICS'06
  • Range Encoding
  • Liu et al., HotInterconnects'02
  • Lakshminarayanan et al., SIGCOMM'05
  • Decision trees on header fields
  • TCAM Razor, Meiners et al., ICNP'07

7
Our Approach: Leverage Boolean Logic Minimization
  • Logic Minimization (LM)
  • Given a set of Boolean cubes (n-dimensions)
  • Find a minimal set of cubes that are equivalent
    to the input
  • Logic Minimization has been studied extensively
  • A major research topic in VLSI CAD field
  • Several heuristics and tools available
  • However, straightforward LM misses TCAM's
    first-match feature

8
LM misses TCAM's First-Match Rule
[Figure: Karnaugh map over wx and yz. A = Allow, D = Deny, --- = Don't Care]
LM (5 cubes): A yz wy xy D y wxz
TCAM (3 entries):
  01X1 Deny (wxz)
  XX0X Allow (y)
  XXXX Deny (1)

9
Our Contributions
  • Formulated TCAM ruleset minimization problem in
    terms of LM
  • Minimal Sequential Cover problem
  • Proposed an algorithm and proved its optimality
  • Algorithm is exponential in computational
    complexity
  • Derived heuristics based on the optimal algorithm
  • Analyzed several artificial and two real rulesets
  • Avg. reduction in artificial rulesets: 42%
  • Reduction in real rulesets: 72% and 49%

10
Steps
Input ruleset → (Step 1) → Individual Target Functions → (Step 2) → Minimum Sequential Cover

11
Converting input to target functions
  • The ordering is significant in the input rulesets
    too

Input Ruleset: C1 Accept; C2 Deny
Boolean Functions: Accept = C1; Deny = ¬C1·C2
[Figure labels: "Accept C1 Deny C2"; "Function F1 associated with rule 1" (C1); "Function F2 associated with rule 2" (C2)]

12
Converting input to target functions (contd.)
  • The ordering is significant in the input rulesets
    too

Input Ruleset: C1 Accept; C2 Accept; C3 Deny; C4 Accept; C5 Deny
Functions for rules:
  F1 = C1
  F2 = ¬F1·C2
  F3 = ¬F1·¬F2·C3
  F4 = ¬F1·¬F2·¬F3·C4
  F5 = ¬F1·¬F2·¬F3·¬F4·C5
Target functions:
  Accept = F1 + F2 + F4
  Deny = F3 + F5
Simplify using x + ¬x·y = x + y and x + x·y = x:
  Accept = C1 + C2 + ¬C3·C4
  Deny = ¬C1·¬C2·C3 + ¬C1·¬C2·¬C4·C5

13
Minimal Sequential Cover Problem
  • Given a set of target functions
  • Sequential Cover
  • a sequence of <cube, target> tuples that
    implement the target functions in TCAM
  • Minimal Sequential Cover
  • a minimal length sequential cover

14
Exact Solution
  • Recursive procedure over all prime implicants for
    all functions
  • We prove this is optimal
  • Above is exponential in complexity
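
The Minimal Sequential Cover problem on a toy scale, as an added example: a naive exhaustive search over ordered (cube, action) lists for a two-action ruleset. This is not the recursive prime-implicant procedure the slides refer to; names are illustrative, and the search is only practical for a few header bits, which is the exponential cost the slide mentions.

```python
from itertools import product

def cube_mask(cube):
    """Bitmask with bit h set for every header value h the ternary cube matches."""
    width, mask = len(cube), 0
    for h in range(1 << width):
        bits = format(h, "b").zfill(width)
        if all(c in ("X", b) for c, b in zip(cube, bits)):
            mask |= 1 << h
    return mask

def implements(seq, accept_set, universe):
    """True if the first-match list accepts exactly accept_set and decides every header."""
    remaining, accepted = universe, 0
    for mask, action in seq:
        if action == "Accept":
            accepted |= mask & remaining     # only headers not matched earlier
        remaining &= ~mask
    return remaining == 0 and accepted == accept_set

def minimal_sequential_cover(accept_headers, width, max_len=3):
    """Shortest ordered list of (cube, action) entries for an Accept/Deny split."""
    universe = (1 << (1 << width)) - 1
    accept_set = sum(1 << h for h in set(accept_headers))
    cubes = ["".join(c) for c in product("01X", repeat=width)]
    entries = [(cube_mask(c), a, c) for c in cubes for a in ("Accept", "Deny")]
    for length in range(1, max_len + 1):     # shortest lists are tried first
        for combo in product(entries, repeat=length):
            if implements([(m, a) for m, a, _ in combo], accept_set, universe):
                return [(c, a) for _, a, c in combo]
    return None

if __name__ == "__main__":
    # "0-6 Deny, otherwise Accept" on 3 bits: only header 7 is accepted.
    print(minimal_sequential_cover({7}, 3))
    # "0 Deny, 2 Deny, otherwise Accept" on 3 bits.
    print(minimal_sequential_cover({1, 3, 4, 5, 6, 7}, 3))
```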

15
Heuristics for PERMIT/DENY rulesets
  • PERMIT/DENY rulesets
  • Only PERMIT rules with an implicit DENY rule at
    the end
  • Common in the set of rulesets we have seen
  • Heuristic 1
  • Apply Logic Minimization (LM) only on PERMIT
    cubes
  • Heuristic 2
  • Generate DENY Cubes
  • For each DENY cube, run LM on PERMIT cubes with
    that deny cube as a don't-care
  • Pick DENY cubes that reduce PERMIT cubes
  • Return those DENY cubes followed by the reduced
    set of PERMIT cubes
  • Heuristic 3
  • Reduce the set of DENY cubes tried in Heuristic 2
    through quantification
  • See paper for details

16
Results
  • Synthetic rulesets
  • Generated using ClassBench tool (from WU,
    St. Louis)
  • Two real firewall rulesets
  • HP Palo Alto firewall
  • Firewall ruleset from a customer of ProCurve

Avg Reduction: 41.6%
17
Further Steps
  • Design a web service to provide our optimization
    as a service
  • Customers upload their rules
  • Our service computes a minimized ruleset
  • Customers apply the new ruleset in their network
    appliance
  • Explore more heuristics for further reduction
  • Deal with more than two actions
  • Deal with incremental updates to rulesets

18
  • Q & A