3004 IEICE TRANS. COMMUN., VOL.E93–B, NO.11 NOVEMBER 2010

PAPER

A New TCAM Architecture for Managing ACL in Routers

Haesung HWANG†a), Student Member, Shingo ATA††, Member, Koji YAMAMOTO†††, Nonmember, Kazunari INOUE†††, Member, and Masayuki MURATA†, Fellow

SUMMARY Ternary Content Addressable Memory (TCAM) is a special type of memory used in routers to achieve high-speed packet forwarding and classification. Packet forwarding is done by referring to the rules written in the routing table, whereas packet classification is performed by referring to the rules in the Access Control List (ACL). TCAM uses more transistors than Random Access Memory (RAM), resulting in high power consumption and high production cost. Therefore, it is necessary to reduce the entries written in the TCAM to reduce the transistor count. In this paper, we propose a new TCAM architecture by using Range Matching Devices (RMD) integrated within the TCAM's control logic with an optimized prefix expansion algorithm. The proposed method reduces the number of entries required to express ACL rules, especially when specifying port ranges. With less than 10 RMDs, the total number of lines required to write port ranges in the TCAM can be reduced to approximately 50%.

key words: Access Control List (ACL), hardware cost, IP router, prefix expansion, Ternary Content Addressable Memory (TCAM)

Manuscript received November 26, 2009.
Manuscript revised June 3, 2010.
† The authors are with the Graduate School of Information Science and Technology, Osaka University, Suita-shi, 565-0871 Japan.
†† The author is with the Department of Information and Communication Engineering, Osaka City University, Osaka-shi, 558-8585 Japan.
††† The authors are with the Renesas Electronics Corporation, Itami-shi, 664-0005 Japan.
a) E-mail: h-hwang@ist.osaka-u.ac.jp
DOI: 10.1587/transcom.E93.B.3004

1. Introduction

The need for high-speed Internet communication has prompted many researchers to design fast network architectures. One of the crucial components in any architecture is the router. Routers are network devices used for forwarding and classifying packets and usually consist of a specialized operating system and memory. More specifically, when a router forwards the packets, it uses forwarding tables to associate destination networks with output ports. Upon every packet arrival, the table is searched for the appropriate entry specifying which port and the IP address the packet should be forwarded to. In the case of access control, the Access Control List (ACL) is searched to determine whether the packet should be permitted or denied, causing the packets to be forwarded to the destination or to be dropped.

According to [1], the rules in an ACL of a typical enterprise network gateway consist of approximately 5,000 entries, a number that is also expected to increase due to greater awareness of network security. Access control policy is becoming more restrictive and shifting from "reject unnecessary traffic" to "transmit only the minimal amount of legitimate traffic", leading to a tendency toward more rules defining which specific packets are legitimate rather than just denying a group of packets. Therefore, in both cases, it is necessary to search for a certain object that quickly matches the given criteria from an enormous candidate set.

These ACLs are written in high-end routers in a type of memory called Content Addressable Memory (CAM). Unlike Random Access Memory (RAM), which uses a memory address as a search key and returns the content of the memory as the result, CAM is a device that searches using the content of the memory and returns the address where the supplied data was found. There are two kinds of CAM. Binary CAM (BCAM) only returns an entry that exactly matches the input data as it uses 0s and 1s, whereas Ternary CAM (TCAM) can also perform partial matches of the entries because it can consist of 0, 1 or *. The "*" represents a "don't care" bit in each memory cell. A basic description of TCAM functionality can be found in [2]–[7]. Storage of the IP addresses of ACLs uses this don't care bit to represent a network level address.

Table 1 shows an example of an ACL. ACL entries typically consist of five fields: source and destination IP addresses, source and destination port numbers, and protocol type. Packets are classified according to the corresponding rule and a necessary action (permit/deny) is performed only when all fields are matched. For example, in Table 1, access-list 101 permits the TCP packets with source IP address 10.1.1.2 and with destination address 172.16.1.1 that equals telnet.

One of the other main advantages of the TCAM besides its search speed is its ability to express ranges. A typical type of data in the form of a range is the port number field of an ACL, which is used in the form of a range to allow/deny various applications requiring several port numbers as a set, as in video plus audio chat. In BCAM, it is impossible to represent the range without writing every corresponding number within the range in the memory. For example, when writing the range 1024-65535 in a BCAM entry, the simplest form is to write every single number to exactly match the entire entry. However, it is obvious that 64,512 entries are required to write a single range, which ends up consuming a huge number of entries in BCAM. We refer to this method as Full Expansion in this paper.

Since full expansion is not a practical method, in most cases the range has to be divided into several subranges to

Copyright © 2010 The Institute of Electronics, Information and Communication Engineers
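The contrast above between Full Expansion (one BCAM entry per port) and splitting a range into subranges that a ternary entry can cover is easy to see in software. The following is an added example, not code from the paper: it models one TCAM line as a string of 0/1/* symbols, expands a port range into aligned power-of-two blocks (ordinary prefix expansion, not the paper's RMD scheme), and checks the expansion against every port. The function and constant names are my own.

```python
"""Prefix expansion of a port range into ternary (0/1/*) TCAM entries,
with a software model of the ternary match (added example, not from the paper)."""

PORT_BITS = 16  # a port number is a 16-bit field


def range_to_prefixes(lo: int, hi: int, bits: int = PORT_BITS) -> list[str]:
    """Split [lo, hi] into aligned power-of-two blocks; each block becomes one
    ternary string whose low-order symbols are '*' (the don't-care bits)."""
    if not 0 <= lo <= hi < (1 << bits):
        raise ValueError("range must lie within the field width")
    entries = []
    while lo <= hi:
        # grow the block while it stays aligned at lo and inside [lo, hi]
        size = 1
        while (lo & (2 * size - 1)) == 0 and lo + 2 * size - 1 <= hi \
                and 2 * size <= (1 << bits):
            size *= 2
        wild = size.bit_length() - 1  # number of trailing '*' symbols
        fixed = bits - wild           # number of fixed high-order bits
        prefix = format(lo >> wild, f"0{fixed}b") if fixed else ""
        entries.append(prefix + "*" * wild)
        lo += size
    return entries


def ternary_match(entry: str, value: int, bits: int = PORT_BITS) -> bool:
    """One TCAM line: every symbol is either '*' or equal to the key bit."""
    key = format(value, f"0{bits}b")
    return all(e == "*" or e == k for e, k in zip(entry, key))


def matches_range(entries: list[str], value: int) -> bool:
    """Parallel lookup over all lines: hit if any line matches the key."""
    return any(ternary_match(e, value) for e in entries)


def full_expansion_count(lo: int, hi: int) -> int:
    """Entries a BCAM needs when every port in the range is written out."""
    return hi - lo + 1


if __name__ == "__main__":
    lo, hi = 1024, 65535  # the range discussed in the text
    entries = range_to_prefixes(lo, hi)
    print(f"full expansion: {full_expansion_count(lo, hi)} entries")
    print(f"prefix expansion: {len(entries)} entries -> {entries}")
    # every port inside the range hits, every port below it misses
    assert all(matches_range(entries, p) for p in range(lo, hi + 1))
    assert not any(matches_range(entries, p) for p in range(lo))
```

For 1024-65535 the six prefixes are 000001**********, 00001***********, 0001************, 001*************, 01**************, and 1***************, against 64,512 lines under Full Expansion; a range such as 1-65535 is the worst case for this method and needs 16 entries.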