Fast Packet Classification for Two-Dimensional Conflict-Free Filters

Priyank Warkhede, Subhash Suri, George Varghese
Cisco Systems
Computer Science, UC Santa Barbara, CA 93106
Computer Science and Engineering, UC San Diego, CA 92040

Abstract—Routers can use packet classification to support advanced functions such as QoS routing, virtual private networks and access control. Unlike traditional routers, which forward packets based on destination address only, routers with packet classification capability can forward packets based on multiple header fields, such as source address, protocol type, or application port numbers. Destination-based forwarding can be thought of as one-dimensional packet classification. While several efficient solutions are known for the one-dimensional IP lookup problem, multi-dimensional packet classification has proved to be far more difficult. While an time scheme is known for the IP lookup, Srinivasan et al. [1] show a lower bound of for -dimensional filter lookup, where is the number of bits in a header field. In particular, this lower bound precludes the possibility of a binary-search-like scheme even for 2-dimensional filters (say, IP source and destination pairs). In this paper, we examine this lower bound more closely, and discover that the lower bound depends crucially on conflicts in the filter database. We then show that for two-dimensional conflict-free filters, a binary search scheme does work! Our lookup scheme requires hashes in the worst case, and uses memory. Alternatively, our algorithm can be viewed as making calls to a prefix lookup scheme. It has been observed in practice that filter databases have very few conflicts, and these conflicts can be removed by adding additional filters (one per conflict). Thus, our scheme may also be quite practical. Our simulation and experimental results show that the proposed scheme also performs as well as or better than existing schemes. For example, on real firewall data sets with over rules consisting of source and destination IP prefixes, our algorithm performs worst-case hashes. For filter sets containing arbitrarily many filtering rules with IP prefixes, the guaranteed worst-case search time is at most hashes.

I. INTRODUCTION

Traditional routing of packets involves determining the outgoing link based on the destination address and then transferring packet data to the appropriate link interface using a switching fabric. Destination-based packet forwarding treats all packets going to the same destination address identically. However, important emerging applications, such as Virtual Private Networks (VPN), demand better service differentiation. Packet classification based on selected fields from packet headers provides a general mechanism to achieve this goal. Packet classification involves selecting header fields from packets, such as source and destination addresses, source and destination port numbers, protocol or even parts of a URL, and then finding the best packet classification rule (also called filtering rule or filter) to determine the action to be taken on the packet. Since it is possible to peek at header fields corresponding to Layer 4 or above in the OSI architecture, and perform a classification lookup that uses a combination of these fields, this is commonly referred to as L4+ switching. Each packet classification rule consists of a prefix (or range of values) for each possible header field, which matches a subset of packets. As an example, consider an ISP that wants to support bandwidth guarantees for VPNs. Packet classification rules for this application can be of the type (source network prefix, destination network prefix, guaranteed bandwidth). The most specific rule for a packet determines the VPN that the packet belongs to and the associated bandwidth guarantee. This framework can be used in various settings. Some prominent applications include: packet filtering in firewalls, flow aggregation for MPLS tunneling, QoS routing, and flow-preserving load-balanced switching.

Packet classification using ad hoc mechanisms like linear search through all filtering rules is too slow in practice and a significant source of bottleneck. Hence the problem has received some attention in the last years. In particular, the tuple space framework proposed by Srinivasan et al. [1] and the associated simulation results suggest a significant reduction in search space, while keeping the memory requirement almost linear. The tuple space is formed by the distinct combinations of prefix lengths ( ) in the filter set. For filters containing IP prefixes, the maximum prefix length for fields is . The number of distinct prefix length combinations is hence significantly smaller than the total number of filters. However, as the number of fields on which lookups are performed increases, the size of the tuple space can grow up to . Moreover, Srinivasan et al. [1] show that hashes per lookup might be
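The following is an added Python illustration of two ideas from the text, the tuple space of prefix-length combinations and the removal of conflicts by adding one filter per conflict; it is not code from the paper or its authors, and it does not implement the paper's binary search scheme. The three-rule filter set is constructed for the example; filters are (source prefix, destination prefix) pairs, a conflict is resolved by inserting the intersection of the two conflicting filters, and a lookup probes one hash table per (source length, destination length) tuple, so the hash count equals the number of tuples.

```python
import ipaddress

def mask(length):  # bit mask selecting the top `length` bits of a 32-bit address
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF

def prefix(text):  # '10.1.0.0/16' -> (0x0A010000, 16): (network value, prefix length)
    net = ipaddress.ip_network(text, strict=False)
    return (int(net.network_address), net.prefixlen)

def covers(p, q):  # True when prefix p contains prefix q
    return q[1] >= p[1] and (q[0] & mask(p[1])) == p[0]

def conflicts(f, g):
    """Some packet matches both 2-D filters, yet neither filter contains the other."""
    overlap = all(covers(a, b) or covers(b, a) for a, b in zip(f, g))
    f_in_g = all(covers(b, a) for a, b in zip(f, g))
    g_in_f = all(covers(a, b) for a, b in zip(f, g))
    return overlap and not (f_in_g or g_in_f)

def resolve_conflicts(filters):
    """Add one filter per conflict: the intersection (longer prefix in each field)."""
    out = list(filters)
    for i, f in enumerate(filters):
        for g in filters[i + 1:]:
            if conflicts(f, g):
                inter = tuple(a if a[1] >= b[1] else b for a, b in zip(f, g))
                if inter not in out: out.append(inter)
    return out

def build_tuple_space(filters):
    """One hash table per distinct (src length, dst length) tuple, keyed by masked values."""
    space = {}
    for (sb, sl), (db, dl) in filters:
        space.setdefault((sl, dl), {})[(sb, db)] = ((sb, sl), (db, dl))
    return space

def lookup(space, src, dst):
    """Probe every tuple once (one hash each); return (most specific match, hashes used)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    best, hashes = None, 0
    for (sl, dl), table in space.items():
        hashes += 1
        hit = table.get((s & mask(sl), d & mask(dl)))
        if hit and (best is None or sl + dl > best[0][1] + best[1][1]):
            best = hit  # in a conflict-free set the most specific match is unique
    return best, hashes

# Constructed sample set: the first two rules conflict on 10.x -> 192.168.x packets.
FILTERS = [(prefix("10.0.0.0/8"), prefix("0.0.0.0/0")),
           (prefix("0.0.0.0/0"), prefix("192.168.0.0/16")),
           (prefix("10.1.0.0/16"), prefix("192.168.1.0/24"))]
SPACE = build_tuple_space(resolve_conflicts(FILTERS))
```

Resolving the single conflict adds the filter (10.0.0.0/8, 192.168.0.0/16), so the tuple space has four tuples and every lookup costs four hashes.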