The present invention relates to IP classification in routers.
The present invention relates to a method for compiling command based router classifiers to an equivalent flat structure that is suitable for storing in Ternary CAM (Content Addressable Memory) for fast look-up.
Internet Protocol (IP) classification is performed in routers. This is the process of classifying IP packets into categories that require special treatment. A subset of IP classification is IP filtering. IP filtering is a security feature that restricts IP traffic by permitting or denying packets by applying certain rules. This way, users can be restricted to specific domains or applications on the Internet. To perform classification, IP headers of packets that reach a router need to be compared to patterns stored in a table, generating an output that classifies the packet. Usually, this table is stored in memory and matching is done in software.
The functionality of filtering and classifying packets treated here is called Multi-field (MF) classification, since it acts on several independent fields in the packet headers, and is used both for Differentiated Services (DiffServ) policy enforcement and security (firewall) filtering.
The IP header fields on which packets can be classified by the filters are:
The command based router classifiers is structured in a tree-like hierarchy with a policy map consisting of class maps, access control lists and filters with their match outcomes, actions and match patterns.
Said structures are built in a hierarchy of the components Filters, ACLs (access control lists, or just access lists), CMAPs (class maps) and PMAPs (policy maps). These components will now be described one by one in more detail with reference to
Filter—this component cannot be specified alone, but only as part of an including ACL. Each filter consists of a match field and a result. The match field is a bit-pattern, wherein “don't care” is allowed, to test for match against defined header fields of packets to be classified. The result is an indication of whether or not a packet matching the match field is considered to belong to the ACL as a whole. Conventionally the result is called either “permit”, meaning “belongs to ACL”, or “deny”, meaning “does not belong to ACL”. (These conventional terms come from the original restricted use of ACLs, which was only to determine access through a firewall.) For the extended use of ACLs employed now, it is suggested using “+” and “−” instead of permit and deny.
ACL—Access Control List, or just access list, is an ordered list of Filters to be tried for match against packets to be classified, starting at the head of the list, and progressing through until some filter matches, or until the end of the list is reached. If the end of the list is reached without any filter matching, it is deemed that the packet does not match the ACL, which could be considered as an implicit filter at the tail of the ACL having bits “don't care” in the match field and “deny” as the result. Each ACL is defined by a management operation and is given a name to use as reference. Filters can be added and removed from existing ACLs. Note that the order of the filters in an ACL is significant, so the position, priority, of added filters can be specified. ACLs can be used in two ways: as a member of a CMAP (see below) or tied directly to an interface as a firewall filter.
CMAP—Class Map is a set (order not significant) of specified (by name, e.g. reference number) ACLs and match operator, also denoted match mode, which is either match-any or match-all. A packet being classified is considered to belong to a class defined by a CMAP either if it matches any of the ACLs in a CMAP having the match-any attribute or, if, and only if, it matches all the ACLs in a CMAP having the match-all attribute. CMAPs are defined by management operations and given a reference name. Existing CMAPs can also be modified. The only use of a CMAP is by membership in a PMAP.
PMAP—Policy Map is an ordered set of CMAPs to which each CMAP is associated with an action. A PMAP can be tied to an interface, and then all packets passing the interface will be tested against the PMAP, starting with the first CMAP and continuing until the packet is found to belong to a CMAP or until all CMAPs have been exhausted. When the packet is found to belong to a CMAP, the associated action is performed. The possible actions are:
The default action is FORWARD.
Note: When a packet matches a filter having result permit, thus causing the packet to belong to the class defined by a CMAP including this ACL, and in which the CMAP is included in a PMAP with action DROP. The packet is thus dropped due to matching a filter with permit.
Each interface can be tied to at most one PMAP and one firewall ACL (otherwise would not make sense). Inbound and outbound interfaces are treated separately.
Since ACLs are referred to by name, the same ACL can be used in several roles (as member of multiple CMAPs and/or as firewall ACL for various interfaces). Likewise, the same CMAP can be used in multiple PMAPs, and the same PMAP can be tied to various interfaces.
If an interface is tied both to a firewall ACL and to a PMAP, the firewall ACL (ACLFW) is traversed first, and only if a packet is permitted for access is it tested against the PMAP. Interfaces which is not connected to a firewall ACL are implicitly permitted for access.
Due to increasing performance requirements and larger and wider search sets, software-based search algorithms become too slow and alternative implementations need to be considered. One such alternative is to use a Content Addressable Memory (CAM).
A Content Addressable Memory, CAM, is a memory device that has become increasingly valuable during the recent years in some applications. A CAM can perform fast storing and search operations. The CAM provides a performance advantage over memory search algorithms such as binary and tree based searches or look-aside tag buffers by comparing the desired information against the entire list of pre-stored data simultaneously often resulting in an order-of-magnitude reduction of search time. Once information is stored in a CAM location, it is found by comparing every bit in the CAM with the bits of the data in a search expression. If there is a match for every bit in a location with every corresponding bit in the search expression, an output is obtained from the CAM, which is an association value or address pointing to associated information. The associated information may be stored in a conventional memory device such as a RAM. Depending on the application, the RAM can contain information or instructions or operations or the like to be displayed or performed when there is a match between the search expression and the information stored in the CAM. Thus, with a CAM, the data is supplied and the address is obtained.
Because the CAM doesn't need address lines to find data, the depth of a memory system using CAMs can be extended as far as desired, but the width is limited by the size of the chip. For example, a chip can be 64 to 128 bits wide, but 32768 entries deep. It is fairly easy to extend the depth of the CAM, because the addressing is all self-contained.
Some CAMs are so called ternary CAMs in which the stored data can contain bit values of 0, 1 or X, where X is interpreted as “don't care”, i.e. the value matches both 0 and 1.
The function and advantages of the CAM memory makes it very suitable for applications and operations such as LANs, data base management, file storage management, look-up to pattern recognition, and the like, and is particularly suited to performing search operations. To classify a packet, the look-up performance will depend on the search algorithm, and the look-up time is not deterministic using software solutions. Hardware accelerated solutions, such as Ternary Content Addressable Memory (TCAM), will increase the search performance by orders-of-magnitude as the look-up in TCAM entries can be performed with a single operation, typically at one clock cycle. In recent years, TCAMs are becoming faster, bigger and cheaper, and they provide an excellent solution for doing very fast look-ups with deterministic look-up time.
A method in which CAMs of less width are used to store “expressions” in CAMs and to match expressions with the contents of CAMs, where the width of the expressions is larger than the width of the CAMs used, is earlier known from the international patent application WO 02/082458.
From the U.S. Pat. No. 6,484,170 techniques for generating searchable data entries in a CAM, such as binary or ternary CAMs, are earlier known. In said document, a method of classifying data networking packets and a packet classifier based on subfields of a packet header are also described.
Packet classification by using TCAMs is earlier known and treated in a document “Efficient Mapping of Range Classifier into Ternary-CAM” by Huan Liu, published on the internet by Department of Electrical Engineering, Stanford University, CA 94305.
In practice, complications arise because the desired classification rules to be enforced on the traffic flow, as defined by a network manager, consist of a tree-like structure in which it is required to look for more than one possible match against each packet in the flow. Such a structure is straightforward and easy to follow manually, or by a procedural program, but not by a linear CAM array which terminates search at the first matching entry. However, CAMs, such as TCAMs, can only store flat structures and a tree-like hierarchy cannot be stored in it directly. To get a table of CAM entries to provide a behaviour corresponding to that of the tree-like structure, the filter rules must be “flattened” to a linear array, taking advantage of the CAM's ternary capability (“don't care” match at required bit positions). The implementation of the “flattening” of the filter tree is called the “Filter Compiler”. Therefore, an algorithm is needed for compiling the command based router classifiers with a tree-like hierarchy to an equivalent flat CAM friendly structure.
One of the objects with the present invention is to provide an algorithm for compiling the command based router classifiers with a tree-like hierarchy to an equivalent flat CAM friendly structure.
Therefore, the present invention solves the problem to compile command based policy rules to a format, such as a flat filter list structure, adapted for storage in a Ternary Content Addressable Memory (TCAM), by a method that involves steps of finding all the possible search paths in the tree structure and steps of only adding the valid search paths according to defined criteria to the flat filter list.
The present invention is defined according to the independent claim 1. Different embodiments of the invention is defined by the independent claims 2-9.
A computer program product according to the invention is defined according to the independent claim 10.
An advantage with the present invention is that it provides a computerized method to compile the command based router classifiers with a tree-like hierarchy to an equivalent flat CAM friendly structure. This will save a lot of time and money as the work to transform filter rules from tree-structure to flat structure does not have to be performed manually. This is especially interesting when converting old filter rule systems to TCAM solutions.
The present invention will now be described in more detail with reference to following drawings:
The functionality of filtering and classifying packets treated here is called Multi-field (MF) classification, since it acts on several independent fields in the packet headers, and is used both for Differentiated Services (DiffServ) policy enforcement and security (firewall) filtering.
The use of TCAM memory for classification is straight-forward. Each entry in the TCAM consists of a vector of three-valued bits corresponding to certain fields in the header of an IP packet, therefore the name “ternary CAM” can be used. The value of each three-valued bit position can be 0, 1, or x, where x means “don't care”. A search in the CAM is performed by the hardware HW against a packet by applying the header fields of the packet (a vector of only 0's and 1's) to the CAM's internal logic. The CAM then, using fast parallel logic, finds the first “matching” entry (priority arbitration) and outputs its address (reference number 2 in the figure). This address is then used to access a normal associated SRAM memory, from which a pre-stored output is fetched “Next Hop 3”, which affects the further handling of the packet.
The combination of the match pattern in the CAM and the output value in the associated SRAM address is referred to as a “CAM entry”.
Thus setting up filtering and classification in the hardware consists of inserting into certain CAM positions a pattern which will match a sought-after packet, and writing the corresponding output-SRAM position an instruction to the HW guiding treatment of the packet. To achieve “wire speed” processing of IP packets arriving on high-speed links. The actual treatment of individual IP packets is therefore performed in hardware. Software is used to configure and control the hardware so that it can do its job efficiently, and correctly according to the intentions of the network manager, which through e.g. a command line interface to a router can apply various filtering and packet-treatment policies.
The present invention is a method for transforming tree-like organized classifiers to “flat filter” structure. The invention is implemented in computer software programming for computers and data processing. The different steps of the invention is possible to code into computer software instructions in different computer program languages and coding. As mathematical theory often is very useful for describing methods and for guiding computer software programming, the invented method will be described hereafter by using the theory of sets.
First some basic terms has to be defined in accordance to the theory of sets.
Notice that a sequence differs from a set in that the order of the element in a sequence is of importance (and duplicated elements are not redundant), while in a set,
the order is of no importance, and duplicated elements are redundant and thus can be removed.
A sequence with n elements is also called an n-tuple. A 2-tuple is also called an ordered pair, S=(s1, s2).
Operations such as union and intersection can be applied to two sequences, X1 and Y2, with the same size, n elements:
where the operation fF1,i∩fF2,i(iε{0, 1, . . . n}) is defined in Table 1.
If there exists at least one i(iε{0, 1, . . . , n}), fF1,i∩fF2,i=Ø, then F1∩F2=FØ.
The classifiers will now be described in terms of the mathematical theory.
A classifier can be represented by a Policy Map (PMAP), and the building blocks in a PMAP hierarchy at different levels are:
An ACL is a sequence of ordered pairs (F, X), where F is a filter and X is the corresponding matching outcome, Xε{permit, deny}. We use the symbols X+ for permit and X− for deny.
A packet matches an ACL if there exists at least one Fi(iε{0, 1, . . . , n}) in the ACL, P∩Fi≠FØ, The matching outcome is the one for the matching filter with lowest index, i.e. for all Fj where j<i, P∩Fj=FØ, the match outcome will be Xi.
An ACL always ends with an implicit, if not already existing, universal filter (F*) with a default match outcome (usually is the deny match outcome, X−), so a packet always matches this one with the outcome (X−) if no other matches encountered prior to this.
A Class List (CL) is a sequence of ACLS,
And a CMAP is an ordered pair of Class List and a corresponding match operator (Y):
where the match operator Yε{match all, match any}. We use the symbols Yall for match all operator and Yany for match any operator.
For match all operation, a packet matches a Class Map with X+ (permit) if there exists at least one filter, which is the first matching filter in the ACL, with the match outcome X+ (permit) in each of the ACLs of the Class List. In other words, the packet must match all ACLs in the CL of the CMAP with the match outcome X+ (permit). If in any ACL, the first matching filter has an outcome X− (deny), the match has an outcome X− (deny) for the CMAP.
For match any operation, a packet matches a CMAP with X+ (permit) if and only if it matches at least one filter, which is the first matching filter encountered, with the match outcome X+ (permit) from at least one ACL in the CL of the CMAP. In other words, the packet can match any of ACLs in the CL of the CMAP with the match outcome X+ (permit). If in any ACL, the first matching filter has outcome is X− (deny), the match has an outcome X− (deny) for the CMAP.
Notice that the order of ACLs in a CL is of no importance. So a CMAP can then be rewritten as:
If there exists only one ACL in the CL of a CMAP, the match all and match any are equivalent.
Note: In the presentation of the invention, it has been chosen that for match all operation or match any operation, a packet matches a Class Map with X+ (permit). However, the invented algorithm is not limited to packet matches a Class Map with X+ (permit), deny is applicable in some applications.
A policy map (PMAP) is a sequence of pairs (CMAP, Z) where Z is the action to be taken for the packet if it matches the CMAP with permit. The actions are typically Forward, Drop, Remark DSCP Field in the IP Header and so on.
A packet matches a PMAP if and only if it first matches a CMAPi, with the outcome X+ (permit) and the corresponding action Zi will be performed for the packet. If a packet does not match any of the CMAPs or all the CMAPs match with outcome X− (deny), a default action ZDef is performed for the packet. So a PMAP is implicitly equivalent to:
The universal CMAP, CMAP*, contains only one ACL, the universal ACL*, together with a universal match operator, Y*:
In general, a PMAP can be expressed by:
where the last element is the implicit universal CMAP with default action, (CMAP*, ZDef).
As the classifiers have been defined in accordance to the theory of sets, the invented algorithm for transforming tree-like organized classifiers to flat filter structure, a kind of list structure, will now be present with reference to
One important mathematical operation used hereafter is the intersection between two sets, i.e. the intersections between two filters. The filter intersection has been earlier defined as the intersection between two filters:
where fF1,i∩fF2,i is defined in Table 1.
The first section, sub-algorithm A or section A, of the present invention is the transformation of a CMAP into flat filter structure, hereafter denoted as F_CMAP.
A Class Map (CMAP) is defined as:
When a packet matches a CMAP, the result is a match outcome Xε{permit, deny}. So there exists an equivalent ordered sequence of (Fi, Xi) which defines the exact same classification rules as in the CMAP.
The last element in the ordered sequence is (F*, X−). As in all the ACLs the last element is implicitly (F*, X−).
It can be seen that the resulting flat CMAP, F_CMAP, has the same structure as in an ACL. To transform a CMAP to an F_CMAP, two neighboring ACLs in the CL of the CMAP can be joined into one equivalent ACL, and eventually all the ACLs will be transformed into a single equivalent ACL as the CL.
Two ACLs are as follows:
To emphasize the implicit terminating element (F*, X−) in every ACL, we rewrite the ACLs:
We rewrite ACL1 and ACL2 in a more general form:
where the last element in both ACLs is the implicit, if not otherwise already existing, universal filter with match outcome deny.
The algorithm for transforming them into a single one is as follows:
As for any F(Fi≠FØ), F∩F2,*=F, so the last element in the F_CMAP is always (F*, X−).
The joined ACL, ACL1+2, is:
ACL1+2 can be joined with next ACL in the CL, ACL3. Therefore:
By repeating these steps, all the ACLs in the CL of the CMAP can be joined in to a single one.
where the last element is the implicit universal deny filter, (F*, X−).
The next section, section B or sub-algorithm B, of the invented method is to transform a PMAP into a flat filter structure, i.e. F_PMAP.
A Policy Map (PMAP) is defined as:
where the last element is the implicit terminating universal CMAP* with the default action ZDef.
As a CMAP can be represented by an equivalent F_CMAP,
where the last element is the universal deny filter, (F*, X−), we can rewrite the PMAP after converting ACLs in all CMAPs into F_CMAPs as:
The flat PMAP structure can be defined as
where the last element is the universal default filter, (F*, ZDef).
To transform a PMAP into F_PMAP format, first all the CMAPs are transformed into F_CMAPS. Then join two neighboring F_CMAPs in the PMAP and transform into the flat structure as defined by the F_PMAP, and continue this until the last F_CMAP in the PMAP is transformed.
Two F_CMAPs are as follows:
To join two neighboring elements in a PMAP,
the following steps are used:
Join two neighboring F_PMAPs, starting with the first F_PMAP as one of the F_PMAPs in the first iteration and thereafter using the combined iterated F_PMAP in the following iterations, into a single F_PMAP in accordance to the following steps:
In this case the implicit universal default filter, (F*, ZDef), terminating both F_PMAPs, is included.
The last element in the F_PMAP is (F1,*, ZDef) as all F_CMAPs end with the element (F*, X−).
We can express the combined F_PMAP with:
The combined two neighboring CMAPs can be expressed as:
By repeating steps B2 and B3 until the last CMAP is compiled, we get a flat PMAP as:
where the last one is the implicit universal default CMAP, (CMAP*, ZDef).
The above presented method is a first embodiment of the invention. A second embodiment of the invention is used when compiling a combination of a firewall ACL and a PMAP to flat filter structure.
A firewall ACL is defined as:
We have an existing PMAP:
Firewall rules are usually used prior to the PMAP, so the combined firewall ACL with a PMAP can be represented by:
The CMAPFW is equivalent to the original firewall ACL and ZFW is the defined action when a packet matches a filter rule in the ACL, such as “Drop”. The default action can be “Forward” when firewall ACL is used alone, and “Continue” when the packet needs to be filtered/classified further.
The algorithm for compiling a firewall ACL to an equivalent (CMAPFW, ZFW) is as follows:
The inverting operator, ˜, is defined for the match outcome as follows:
So the inverted firewall ACL can be rewritten as:
where the last one is the universal permit filter, (F*, X+).
It can be compiled to a flat PMAP, F_PMAP+FW, using the described algorithm according to section B of the invented compiling algorithm.
where the last element is the universal default filter, (F*, ZDef).
The flat filter structure for a PMAP can be defined as:
F_PMAP=((F1, Z1), (F2, Z2), . . . , (FN, ZN), (F*, ZDef))
Following rules to optimize the entries:
Optimization rule A: An element in an F_PMAP, (Fi, Zi), is redundant if FiFj where iε{1, 2, . . . , N) and j<i
where FiFj is true if and only if Fi∩Fj=Fi using the rules defined in Table. 1.
A more general rule is:
Optimization rule B: An element in an F_PMAP, (Fi, Zi), is redundant if Fi(F1∪F2∪ . . . ∪Fi−1) where iε{2, . . . , N)
Notice that optimization rules A and B apply to an ACL as well.
The methods presented here is general and can be applied to a single ACL, CMAP, PMAP or a combination of all these.
So far, the action Zi associated with match of a CMAPi, in a Policy Map (PMAP)
has been a single action (e.g. Forward, Drop, Remark DSCP field). The filter rule look-up is finished as soon as a match is found in a CMAP, and the corresponding action will be taken.
However, there are occasions when it is suitable to process a packet in several steps, e.g. multiple actions being taken for one packet along the processing pipeline. One simple example is the combined firewall ACL and Policy Map, where in the firewall ACL, the action to be taken is Continue to PMAP if it is a match with permit and the action is Drop if there is a match with deny.
In a Policy Map, the first action may involve a control flag such as Z1=Remark DSCP field and continue to the next CMAP. The second action Z2 can be defined as Set MPLS tag and Transmit. If a packet matches both CMAP1 and CMAP2, two actions will be taken, first the DSCP field in the packet is remarked, then based on the new DSCP value, the packet is tagged with an MPLS value and transmitted. Hence, the static rule now becomes a dynamic one, as the packet header has been changed due to the first action taken. Two approaches can be used to solve the problem:
As the packet header is changed, it is not possible to use the same header information for doing a look-up of filter rules. Thus it is necessary to do multiple searches with separate CMAPs and the corresponding action is taken after each search using the most recent updated header information.
2) Single Compilation and Search Method
If the header information is changed in the packet due to a match in the first CMAP, it is possible to replace the filters in CMAP2 with the relevant filters in CMAP1. Take the example mentioned above, there are two filters, F1,1 and F1,2 in CMAP1 that will cause the remarking in DSCP field in the packet to a certain DSCP value, which is defined in a filter F2,1 in CMAP2. Thus it is possible to replace F2,1 with F1,1 and F1,2 in CMAP2 in compiling to a single flat PMAP. It is easily understood that this can easily cause TCAM entry blow-ups and the algorithm is getting more complicated.
The multiple compilation and search method described in 1) will cause suffering in speed, as the search time is proportional to the number of multiple searches, compared to the single search method described in 2). However, the single search method can easily cause blow-ups in number of entries. Thus there is a trade-off between speed and storage when comparing method 1) with 2). Generally, method 2) is more complicated to implement using a TCAM and can easily cause blow-up of entries.
The present invention also relates to a computer program product comprising a computer readable memory storage and stored computer readable software code involving program instructions capable of controlling a central processing unit of a computer or a microprocessor. The computer readable memory storage comprises stored computer readable software code involving program instructions that, when read by and/or stored in said computer or microprocessor, are capable of controlling said computer or microprocessor to perform any of the steps according to any of the claims 1-9.
Any computer readable memory storage of any kind that is available for sale on the market is possible to use for storing the computer readable software code comprising the invented algorithm.
The present invention is not limited to the above-described preferred embodiments. Various alternatives, modifications and equivalents may be used. Therefore, the above embodiments should not be taken as limiting the scope of the invention, which is defined by the appending claims.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/SE2005/002071 | 12/30/2005 | WO | 00 | 9/16/2008 |