Strategies for Mitigating TCAM Space Bottlenecks

Kirill Kogan, Purdue University, Email: kirill.kogan@gmail.com
Sergey Nikolenko, Steklov Institute of Mathematics / National Research University Higher School of Economics, Email: sergey@logic.pdmi.ras.ru
Patrick Eugster, Purdue University, Email: p@cs.purdue.edu
Eddie Ruan, Cisco Systems, Email: eruan@cisco.com

Abstract—Transport networks satisfy requests to forward data in a given topology. At the level of a network element, forwarding decisions are defined by flows. To implement desired data properties during forwarding, a network operator imposes economic models by applying policies to flows. In real applications, the number of different policies is much smaller than the number of flows. In this work, we draw on our experience in classifier design for commercial systems and demonstrate how to share classifiers that represent policies between flows while still implementing per-flow, per-policy state. The resulting space saving is several orders of magnitude greater than that of any state-of-the-art method that reduces the space of a single classifier representation.

I. BACKGROUND AND MOTIVATION

Packet classification is a core functionality for many commodity services, including quality-of-service (QoS) and access control lists (ACLs). It has recently become an even more prominent problem with the adoption of OpenFlow [24], which expresses features through hierarchical tuple matching with set actions. Multi-field classification has become very common.

Ternary Content-Addressable Memory (TCAM) is a de facto standard for the representation of packet classifiers [22]. TCAM is a fast class of memory for matching packet headers against a set of entries represented as tuples of value and mask words; the latter serve to mask out "don't care" bits. TCAMs can efficiently represent multi-field prefix-based classification and have a guaranteed worst-case lookup time.
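The value/mask matching semantics described above can be illustrated in software; the sketch below is a minimal software model of a TCAM lookup, with illustrative 8-bit entries that are our own assumptions (real TCAMs compare all entries in parallel in hardware and return the highest-priority hit).

```python
# Software sketch of TCAM matching semantics. A mask bit of 0 marks a
# "don't care" position; an entry matches when all unmasked bits agree.

def tcam_match(header: int, entries):
    """Return the action of the first (highest-priority) matching entry."""
    for value, mask, action in entries:
        if (header & mask) == (value & mask):
            return action
    return "default"

# Two illustrative 8-bit entries: prefix 0001**** and the exact value 0x2A.
entries = [
    (0b00010000, 0b11110000, "permit"),
    (0x2A,       0xFF,       "deny"),
]

print(tcam_match(0b00011010, entries))  # -> "permit" (matches 0001****)
print(tcam_match(0x2A, entries))        # -> "deny"   (exact match)
print(tcam_match(0xFF, entries))        # -> "default" (no entry matches)
```

Entry order encodes priority here, mirroring the first-match convention of TCAM-based classifiers.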
Every classifier field that is represented as a range introduces an additional multiplicative factor in TCAM memory size. Unfortunately, TCAM memory is limited in size, so the majority of prior studies optimize the required space and mostly deal with the optimization of a single classifier instance (see Section II). In this work, we go in a different direction and present several simple yet effective methods that jointly optimize multiple classifiers.

To further simplify the network management abstraction, we explicitly separate "flows" from "policies" applied to them. A network forwards packets between certain points; a forwarding request is defined by its source, destination (possibly together with a predefined path through the network topology), and traffic aggregation level (i.e., the subset of packets identified for transmission); such a forwarding request is called a flow. A policy is a service-level agreement (SLA) applied to a flow. When a policy P is applied to a flow S, it may have a separate state for this flow (e.g., if P contains rate limiters, these rate limiters should be applied only to the traffic from S, not from other flows); that is, a single policy attached to two different flows does not share its state between these flows. Both abstractions (policy and flow) can be represented as a hierarchical tuple match with set actions, but they have distinct behavior and may require different invariants, so we separate them at the model level. Separating flows from policies promotes better reuse of the underlying infrastructure. Typically there are only a few different policies (e.g., "gold", "silver", "bronze") and many flows; according to Cisco specifications, IOS supports at most 256 different QoS policies per box but up to 64000 flows [3]. In real-life scenarios, the "gold", "silver", and "bronze" policies can be applied to tens of thousands of flows.
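A back-of-envelope calculation shows the scale of the potential savings when policy classifiers are shared rather than duplicated per flow. The flow and policy counts below come from the Cisco figures cited above; the classifier size per policy is an illustrative assumption, not a measurement from this work.

```python
# Illustrative TCAM entry counts for per-flow vs. shared policy classifiers.
flows = 64000          # flows supported per box (Cisco IOS figure cited above)
policies = 3           # e.g., "gold", "silver", "bronze"
rules_per_policy = 100 # hypothetical classifier size per policy (assumption)

# Current practice: one classifier instance configured per flow.
per_flow_entries = flows * rules_per_policy

# Sharing: one classifier per policy, plus one flow-identifying entry per flow.
shared_entries = policies * rules_per_policy + flows

print(per_flow_entries, shared_entries)  # 6400000 vs. 64300
print(per_flow_entries / shared_entries) # roughly a two-orders-of-magnitude gap
```

Under these assumptions the shared layout needs about 100 times fewer TCAM entries, which is the kind of gap the sharing methods in this paper target; the exact mechanism for implementing per-flow state alongside shared classifiers is the subject of Sections IV and V.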
Thus, classifier optimization has two conflicting goals: on the one hand, sharing a classifier or its parts among all flows with the same policy can reduce TCAM space requirements in a network element proportionally to the number of flows with the same applied policy; on the other hand, one still has to implement per-policy, per-flow state. Currently, one classifier instance per flow is usually configured. In this work, we propose methods that can be orders of magnitude more efficient in terms of TCAM space than existing solutions based on a single classifier instance. Furthermore, the proposed methods can be applied transparently to already optimized representations of a single classifier instance. Various application-specific integrated circuits (ASICs) conceived for packet processing and network processors have different constraints in their implementations of packet classification. In this paper we cover representative cases, and our solutions do not require any further changes to existing packet processing engines. The proposed methods, implemented on real systems, demonstrate that TCAM is no longer a bottleneck for representing policies. In addition, we share design patterns from our extensive experience with efficient implementations of packet classifiers on commercial systems that, beyond significant TCAM space savings, also reduce memory requirements in managing controllers and bandwidth requirements on the control plane.

The paper is organized as follows. Section II contains a survey of previous work, while Section III introduces the basic model. In Sections IV and V, we consider two very efficient schemes for classifier sharing. Section VI discusses how to reduce TCAM space by partitioning a classifier for two serial lookups. Section VII deals with a model with two parallel lookups and discusses how to use algorithms intended to reduce TCAM space as a "black box" to construct efficient