Title: Fast and Scalable Layer 4 Switching
1. Fast and Scalable Layer 4 Switching
- V. Srinivasan
- Advisor: Dr. George Varghese
- Washington University in St Louis
2. Packet forwarding
Internet today: destination-based forwarding
Tomorrow: forwarding based on other fields too.
Even today: firewalls
Protocol, Dest Addr, Src Addr, Dest Port, Src Port
Types: full match or wildcard, prefix, range
3. Prefix matching: 1-D Trie
[Figure: 1-D trie; labels in the diagram: 0, 1, 00, 10]
Legend (Brown, Red): nodes have an associated prefix; nodes don't have any associated prefix.
Search for 100 returns 10
Search for 110 returns
4. Overview
- Problem definition: Layer 4 filter lookup
- 2-D Lookups (Dest, Src)
- Previous: Linear, Backtracking, Set Pruning
- New: Grid-of-tries (870 nsec, linear memory)
- Multi-dimension
- 4-plane Grid-of-tries (Ports: full spec or wildcard)
- Crossproducting (Port ranges) (500 nsec)
5. Layer 4 Switching
- Forwarding based on 5-tuple Layer 4
- Firewall filters
- QoS Routing (web traffic different route)
- Flow Switching
- Virtual Private Networks
- Multicast
- Some other fields if the need arises
6. An Example
< TCP , 0 , 00 , 12-34 , 32-36 >
< , 00 , 0 , , >
Search: TCP , 0011 , 0000 , 30 , 34
Matches both filters; choose the one with lower cost.
7. 2-dimensional prefix matching
- VPN, Multicast: <Dest, Src> prefix pairs
- N prefix pairs, max prefix length W
- Find the least cost matching pair
- Previous Schemes
- Linear Search: O(N)
- Backtracking search: Search O(W^2)
- Set Pruning Tries (DAG): Memory O(N^2)
8. Linear Search
F1: 0, 10; F2: 0, 01; F3: 0, 1; F4: 00, 1; F5: 00, 11; F6: 10, 1; F7: , 00
Cost of F(J): J
Earliest matching filter.
O(N) Search
Search 01,10 matches F1 and F3. Search 00,11 matches F3, F4 and F5.
9. Backtracking Search
F1: 0, 10; F2: 0, 01; F3: 0, 1; F4: 00, 1; F5: 00, 11; F6: 10, 1; F7: , 00
[Figure: backtracking search trie; Green: 0, Blue: 1; filter labels in the diagram: F4, F3, F6, F5, F2, F1, F7]
O(W^2) search
Search 01,10; Search 00,11
O(N) memory
10. Set Pruning Tries
F1: 0, 10; F2: 0, 01; F3: 0, 1; F4: 00, 1; F5: 00, 11; F6: 10, 1; F7: , 00
[Figure: set pruning tries; filter labels in the diagram: F4, F3, F3, F6, F5, F7, F2, F1, F7, F2, F1, F7, F7]
Search 01,10; Search 00,11
Worst case memory O(N^2)
Search O(W)
11. Avoid backtracking: Precompute
- With each null pointer in the source trie, precompute a switch pointer
- Switch pointer points to a position in a higher source trie, which would be reached by following the same source prefix
- Also, precompute best filter from this and all higher source tries.
12. Grid of Tries
F1: 0, 10; F2: 0, 01; F3: 0, 1; F4: 00, 1; F5: 00, 11; F6: 10, 1; F7: , 00
[Figure: grid of tries; Green: 0, Blue: 1; filter labels in the diagram: F3, F6, F4, F3, F5, F1, F2, F7]
Search O(W), Memory O(NW)
Search 00,10: bestmatch F3
13. Multi-dimensional filters
- Arbitrary filters, including ranges: (log N)^(k-1) or W^(k-1)
- Ports either fully specified or wildcarded
- 4-plane Grid-of-tries
- (,) (Dst Port,) (,Src Port) (Dst Port, Src Port)
- Port ranges: Crossproducting
- Concatenate results from each field lookup to make a crossproduct C
- Theorem: Best matching filter of P is the best matching filter of C
14. Crossproduct Cache
F1: 001, 0, 0-1024; F2: 0, 011, 0-1024; F3: 001, 0, > 1024
[Figure: per-field lookup tables assigning index numbers to the values 001, 0, 011, 0-1024 and 1025-65535]
C 1.2.1: F1; C 1.2.2: F3
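The crossproduct lookup of slides 13 and 14, as an added Python example that is not part of the original slides: each field is looked up on its own, the results are concatenated into a crossproduct C, and the best filter for C is computed on demand and cached. It assumes prefix fields are bit strings, filters are listed in cost order, and port ranges never partially overlap; the class and function names are hypothetical.

```python
# Added example, not from the slides. Assumptions: prefix fields are bit strings,
# list order is cost order, port ranges are nested or disjoint (no partial overlap).
FILTERS = [  # (name, dest prefix, src prefix, (port low, port high)), slide 14
    ("F1", "001", "0", (0, 1024)),
    ("F2", "0", "011", (0, 1024)),
    ("F3", "001", "0", (1025, 65535)),
]

def longest_prefix(prefixes, bits):
    """Per-field lookup: longest stored prefix of `bits`, or None."""
    hits = [p for p in prefixes if bits.startswith(p)]
    return max(hits, key=len) if hits else None

def narrowest_range(ranges, port):
    """Per-field lookup for ports: narrowest stored range containing `port`."""
    hits = [r for r in ranges if r[0] <= port <= r[1]]
    return min(hits, key=lambda r: r[1] - r[0]) if hits else None

def linear_search(filters, dest, src, port):
    """Reference classifier: first (least-cost) filter matching the packet."""
    return next((n for n, fd, fs, (lo, hi) in filters
                 if dest.startswith(fd) and src.startswith(fs) and lo <= port <= hi), None)

class CrossproductClassifier:
    def __init__(self, filters):
        self.filters = filters
        self.dests = {f[1] for f in filters}
        self.srcs = {f[2] for f in filters}
        self.ports = {f[3] for f in filters}
        self.cache = {}  # crossproduct -> best filter, filled on demand

    def crossproduct(self, dest, src, port):
        return (longest_prefix(self.dests, dest),
                longest_prefix(self.srcs, src),
                narrowest_range(self.ports, port))

    def classify(self, dest, src, port):
        c = self.crossproduct(dest, src, port)
        if c not in self.cache:  # compute once, reuse for every packet mapping to c
            self.cache[c] = self._best_filter(c)
        return self.cache[c]

    def _best_filter(self, c):
        if None in c:  # some field matched nothing, so no filter can match
            return None
        d, s, (lo, hi) = c
        # A filter matches c when each of its fields covers c's field.
        return next((n for n, fd, fs, (flo, fhi) in self.filters if d.startswith(fd)
                     and s.startswith(fs) and flo <= lo and hi <= fhi), None)
```

The cache never holds more entries than there are distinct crossproducts, so its size is bounded by the product of the per-field table sizes rather than by the number of packets seen.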
15. Speed: memory accesses
- Reduce memory accesses: multibit tries
- 300 MHz Pentium II running Windows NT
- Destination prefix: 3-4 accesses
- D-S filter: 6-8 accesses
- fully specified: 7-9 accesses
- crossproduct: 10-12 accesses
16. 4-plane Grid-of-tries
Planes correspond to (,), (P1,), (,P2), (P1,P2)
17. Crossproduct measurements
18. Summary
- Grid-of-tries: linear storage, fast for 2-D filters
- 870 nsec (2 IP lookup times) for 2-D filters
- Ports fully-specified or wildcarded with Dest-Src prefixes: 3.6 usec
- Crossproducting: 500 nsec for small databases
- On-demand for larger databases
- Hardware parallelization
19. Conclusion
Faster Firewalls Today
Flexible and Fast Layer 4 Routing Tomorrow
Thank You