Stochastic Pre-classification for SDN Data Plane Matching

McHale, Luke; Case, Jasson; Gratz, Paul V.; Sprintson, Alex

doi:10.1109/icnp.2014.95

Cited by 12 publications

(9 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The rules are 64-bits integers generated from the IPv4 source and destination addresses, nonetheless, our solution can also be extended to support IPv6 after proper adjustment 10 . First, we employ a heuristic rule generation method [22] to synthesize the PCAP rulesets, where 11,000 rules are generated based on the CAIDA PCAP data [7]. We choose ive various set samples with diferent sizes (924, 2742, 3892, 5136, 7062) and extract a unique set of 1,044,618 keys from the traces to show the scalable performance.…”

Section: Methodsmentioning

confidence: 99%

SIMD-Matcher: A SIMD-based Arbitrary Matching Framework

Wang

Wen

Gratz

et al. 2022

ACM Trans. Archit. Code Optim.

Self Cite

View full text Add to dashboard Cite

Packet classification methods rely upon matching packet content/header against pre-defined rules, which are generated by network applications and their configurations. With the rapid development of network technology and the fast-growing network applications, users seek more enhanced, secure, and diverse network services. Hence it becomes critical to improve the performance of arbitrary matching operations. This paper presents SIMD-Matcher, an efficient Single Instruction Multiple Data (SIMD) and cache-friendly arbitrary matching framework. To further improve the arbitrary matching performance, SIMD-Matcher adopts a trie node with a fixed high-fanout, and a varying span for each node depending on the data distribution. The trie node layout leverage cache and modern processor features such as SIMD instructions. To support arbitrary matching, we first interpret arbitrary rules into three fields: value, mask, and priority. Second, to support insertion of randomly positioned wildcards to arbitrary rules, we propose the SIMD-Matcher extraction algorithm to process the wildcard bits. Third, we add an array of wildcard entries to the leaf entries, which stores the wildcard rules and guarantees the correctness of matching result. Experiments show that SIMD-Matcher outperforms GenMatcher under large scale of rule set and key set, in terms of search time, insert time, and memory cost. Specifically with 5M rules, our method achieves a 2.7X speedup on search time, and the insertion time takes~ ∼ 7.3 seconds, gaining a 1.38X speedup; meanwhile the memory cost reduction is up to 6.17X.

show abstract

Section: Methodsmentioning

confidence: 99%

SIMD-Matcher: A SIMD-based Arbitrary Matching Framework

Wang

Wen

Gratz

et al. 2022

ACM Trans. Archit. Code Optim.

Self Cite

View full text Add to dashboard Cite

show abstract

“…We program GenMatcher framework in C++, leveraging our in-house developed binary trie data structure and the linear vector data structure in C++ standard library (STL). A rule generation heuristic developed by McHale et al [31] was used to synthesize a set of rules relevant to a given PCAP trace. Rules used in this project consisted of IPv4 source and destination addresses, resulting in a key width of 64-bits.…”

Section: Methodsmentioning

confidence: 99%

GenMatcher

Wang

McHale

Gratz

et al. 2018

ACM Trans. Archit. Code Optim.

Self Cite

View full text Add to dashboard Cite

Packet classification methods rely upon packet content/header matching against rules. Thus, throughput of matching operations is critical in many networking applications. Further, with the advent of Software Defined Networking (SDN), efficient implementation of software approaches to matching are critical for the overall system performance. This article presents 1 GenMatcher, a generic, software-only, arbitrary matching framework for fast, efficient searches. The key idea of our approach is to represent arbitrary rules with efficient prefix-based tries. To support arbitrary wildcards, we rearrange bits within the rules such that wildcards accumulate to one side of the bitstring. Since many non-contiguous wildcards often remain, we use multiple prefix-based tries. The main challenge in this context is to generate efficient trie groupings and expansions to support all arbitrary rules. Finding an optimal mix of grouping and expansion is an NP-complete problem. Our contribution includes a novel, clustering-based grouping algorithm to group rules based upon their bit-level similarities. Our algorithm generates near-optimal trie groupings with low configuration times and provides significantly higher match throughput compared to prior techniques. Experiments with synthetic traffic show that our method can achieve a 58.9X speedup compared to the baseline on a single core processor under a given memory constraint.

show abstract

“…focus on spoofing attacks in general and propose the use of switch rules to match legitimate traffic and filter out potentially malicious flows. McHale et al 59 . use bloom filters and flow locality analysis to propose a more general solution to separate legitimate traffic from malicious.…”

Section: Solutions Focused On the Data Planementioning

confidence: 99%

A systematic review on distributed denial of service attack defense mechanisms in programmable networks

Dalmazo¹,

Marques

Costa

et al. 2021

Int J Network Mgmt

View full text Add to dashboard Cite

Summary Design flaws and vulnerabilities inherent to network protocols, devices, and services make Distributed Denial of Service (DDoS) a persisting threat in the cyberspace, despite decades of research efforts in the area. The historical vertical integration of traditional IP networks limited the solution space, forcing researchers to tweak network protocols while maintaining global compatibility and proper service to legitimate flows. The advent of Software‐Defined Networking (SDN) and advances in Programmable Data Planes (PDP) changed the state of affairs and brought novel possibilities to deal with such attacks. In summary, the ability of bringing together network intelligence to a control plane, and offloading flow processing tasks to the forwarding plane, opened up interesting opportunities for network security researchers unlike ever. In this article, we dive into recent research that relies on SDN and PDP to detect, mitigate, and prevent DDoS attacks. Our literature review takes into account the SDN layered view as defined in RFC7426 and focuses on the data, control, and application planes. We follow a systematic methodology to capture related articles and organize them into a taxonomy of DDoS defense mechanisms focusing on three facets: activity level, deployment location, and cooperation degree. From the analysis of existing work, we also highlight key research gaps that may foster future research in the field.

show abstract

Stochastic Pre-classification for SDN Data Plane Matching

Cited by 12 publications

References 26 publications

SIMD-Matcher: A SIMD-based Arbitrary Matching Framework

SIMD-Matcher: A SIMD-based Arbitrary Matching Framework

GenMatcher

A systematic review on distributed denial of service attack defense mechanisms in programmable networks

Contact Info

Product

Resources

About