Multi-Field Range Encoding for Packet Classification in TCAM

Transcription

1 Multi-Field Range Encoding for Packet Classification in TCAM Yeim-Kuan Chang, Chun-I Lee and Cheng-Chien Su Department of Computer Science and Information Engineering National Cheng Kung University Tainan, Taiwan R.O.C. {ykchang, p , Abstract Packet classification has wide applications such as unauthorized access prevention in firewalls and Quality of Service supported in Internet routers. The classifier containing all the pre-defined rules is processed by the router to find the best matching rule for each incoming packet and take appropriate actions. Although many software-based solutions had been proposed, high search speed required for Internet backbone routers is not easy to achieve. To accelerate the packet classification, the state-of-the-art ternary content-addressable memory (TCAM) is a promising solution. In this paper, we propose an efficient multi-field range encoding scheme to solve the problem of storing ranges in TCAM and to decrease TCAM usage. Existing range encoding schemes are usually single-field schemes that perform range encoding processes in the range fields independently. Our performance experiments on real-life classifiers show that the proposed multi-field range encoding scheme uses less TCAM memory than the existing single field schemes. Compared with existing notable single-field encoding schemes, the proposed scheme uses 12% ~ 33% of TCAM memory needed in DRIPE or SRGE and 56% ~ 86% of TCAM memory needed in PPC for the classifiers of up to 10k rules. Keywords-TCAM, Packet classification, multi-field range encoding I. INTRODUCTION In modern network architecture, routers are the most important components. A router is a device that interconnects two or more networks and interchanges packets between them. By inspecting the information in the packet header, routers can decide the target network and select the preferred path between any two networks for the packets. However, the rapid growth of Internet has caused increasing congestion and packet loss at intermediate routers in recent years. Internet service providers (ISPs) would like to provide the differentiated services. Therefore, some important new network services are developed for routers to provide different levels of services. To meet thee services requirements, routers need to implement a new function, called packet classification, to distinguish and classify the incoming packet into different classes of services. Packet classification is an enabling function in routers to supports many network applications, such as Quality of Service (QoS), security, monitoring, and network intrusion detection. To achieve the high performance, the speed of packet classification is often a bottleneck in routers. To perform the function of packet classification, routers need to recognize the information of the incoming packets. The incoming packets are specified by a classifier containing a set of rules that are used to check the header field values. Packet classification is the process of identifying the rules within a classifier that the incoming packet matches. Rules in the classifier consisted of five fields and an action value. The five fields are source IP address, destination IP address, source port, destination port, and the protocol number. Table I shows an example of a classifier. In order to decide the action taken for the incoming packet, the router needs to search the matching rule in the classifier. To resolve the problem of multiple matches, each rule is associated with a priority value and the router executes the action corresponding to the so called best matching rule with the highest priority. With the increasing network speed and size of classifiers, packet classification speed is becoming more and more important. In recent years, many software-based packet classification schemes are proposed [6][10][16][24], but they are not fast enough to reach the performance demanded by Internet backbone routers. To accelerate the search speed, special hardware support is a good approach. Ternary contentaddressable memory (TCAM) is often used to solve the packet classification problem because of its speed, simple design and management. When a search operation is undertaken in TCAM, parallel comparisons on all TCAM entries against the input data are processed and all matching entries can be output in one clock cycle. Another feature is that TCAM allows a third matching state of * or don t care. If a bit is set to *, it can be matched by 0 and 1. Although TCAM can compare all entries in one clock, it still has some primary disadvantages: (1) high hardware cost, (2) high power consumption, and (3) inefficiency in storing range data. Current industrial technology and circuit designs [22] have made great progress in reducing hardware cost and power consumption, and some schemes are proposed to minimize the required storage [18][21]. In order to store rules into TCAM, the issue of storing range data such as source and destination port fields must be solved. Any arbitrary range can be pre-processed to convert to one ore more ternary strings which contain don t care bits. This preprocessing procedure is called range encoding. To store rules into TCAM, the source and destination port fields should be encoded. Finally, the ternary strings obtained by encoding the range fields are

2 TABLE I. A 5-FIELD CLASSIFIER. Rule Source IP Destination IP Src. Port Dest. Port Prot. Action / /32 2:6 10:15 TCP Deny R / / : :32207 UDP Deny R / / :21 UDP Permit R / /0 * * * Permit concatenated with other three prefix fields before being put into TCAM. Because the length of ternary strings and the number of concatenations greatly affect the TCAM memory usage, how to design a memory-efficient encoding scheme is the main issue in this paper II. RELATED WORK The encoding scheme for packet classification can be categorized to two types, database-independent and databasedependent encoding schemes. For database-dependent encoding schemes, the codeword assignment of one range is not independent of other ranges. While performing search operations, the router needs to fetch the codeword corresponding to the range search key from memory first, and then uses the codeword to execute the matching operation in TCAM. On the contrary, database-independent encoding schemes do not need additional memory to store codewords, and each range can be encoded independently. Router is able to directly convert the search key to the needed codeword. The advantage of database-dependent encoding schemes is the efficiency of utilizing memory space. But, the drawback is that it hard to update when a rule is added or deleted because all codewords need to be re-calculated. Subsequently, we will briefly describe some famous database-independent and database-dependent encoding schemes. A. Database-independent Range Encoding In order to encode arbitrary range independently from other ranges, the direct range-to-prefix conversion [5] is the simplest scheme that uses multiple prefixes to represent a range. But, its worst case is 2W-2 prefixes for a range in W-bit address space. Rather than using binary Buddy code, Gray code is better for encoding by its properties. Two successive codewords in Gray code must be differed by one bit and thus, fewer ternary strings are needed for a range than Buddy code. Espresso-II [2] and Short Range Gray code Encoding (SRGE) [3] provide the efficient way to find the near minimum number of ternary strings for ranges. In [16], authors proposed another scheme, called Database Independent Range PreEncoding (DIRPE). By using specific format to represent a value, DIRPE can convert the range to fewer ternary strings directly. B. Database-dependent Range Encoding The Bitmap-intersection [15][17] is a straightforward database-dependent scheme in which each port range corresponds to a bit of a bitmap which is used to record the covering rules. But the disadvantage is the size of bitmap is dependent on the number of distinct ranges. To solve this problem, the elementary interval based encoding schemes are proposed. The elementary interval-based scheme using binary reflected Gray code (EIGC) [8] scheme assigns each elementary interval a codeword by the order in Gray code [11]. Each range can obtain ternary strings by combining the codewords of all covered elementary intervals. Another encoding scheme called Parallel Packet Classification (PPC) [20] groups all rules into several layers and each layer can be performed encoding scheme independently. Because too many layers will cause longer codeword, The scheme called Layered Interval Encoding [4], which proposed by Anat Bremler-Barr, provided methods to find the maximum independent rule set. There is another type of encoding scheme, called hybrid encoding scheme, such as DRES [9]. The main idea is that encode the rules which cause large rule expansion, so the encoding complexity can be decreased. In database-dependent encoding schemes, the codeword length in some single-field range encoding schemes depends on the number of distinct elementary intervals. As the size of classifier increases, the length of codeword may also increase because the classifier contains many distinct ranges. On the other hand, direct range-to-prefix expansion incurs the prefix explosion problem as follows. Each range field value of a rule may need more than one ternary string in one field. As a result, each rule may require more than one TCAM entries. Assume one range field value of a rule needs t i ternary strings in field i. Thus, the number of TCAM entries needed is Π t i and each of TCAM entries is the concatenated ternary strings from all fields. For example, suppose that the range field values of rule R in fields 1 and 2 are represented as { *00, 001 } and { 000, 0*1, 110 }, respectively. In order to represent the rule R in terms of ternary strings correctly, 2*3 = 6 TCAM entries are needed, which are *00 000, *00 0*1, *00 110, , 001 0*1, and , and the size of TCAM entries is 3+3 = 6 bits. III. PROPOSED SCHEME In this section, we proposed a multi-field range encoding algorithm. We process multiple fields simultaneously and assign suitable ternary strings for all original 2-D ranges. In most cases, the length of codewords in multi-field encoding scheme is shorter than that of single-field encoding scheme. For example, the length of a codeword in single-field bitmap intersection scheme is twice than the one when two fields are considered simultaneously. Besides, the expansion ratio of a classifier is an important factor to estimate the needed TCAM size. Large expansion ratio will cause higher TCAM entry usage and smaller expansion ratio may cause longer codewords. In order to decrease the TCAM memory usage, our proposed scheme solves this problem by using one TCAM entry for each rule and the length of the codeword can be limited. The two-field range that defined by rule is called original 2- D range in the paper. Before introducing the proposed encoding algorithms, the following definitions of region and elementary region are needed. The relationships of two original 2-D ranges must satisfy one of following three situations: 1) Disjoint: A and B are disjoint if and only if address intersection of A and B is empty, i.e., A B =. 2) Partially overlapped: A is partially overlapped with B if and only if A B φ or A or B.

3 Y 4 R 0 ER ER 0 1 Two field port number (src. port, dest. port) Y 3 r 0 r 1 Field 1 EI memory Y 2 Y 1 r 2 r ER 2 3 ER 3 r 4 r 5 r 6 Field 2 EI memory Obtain the located region Y 0 X 0 X 1 X 2 X 3 X 4 Figure 1: The 2-D original ranges, regions and elementary regions. Codeword Memory Get the codeword of located region 3) Enclosed: A encloses B if and only if A B = B. Definition 1 (region): A region is a rectangular area corresponding to a pair of 1-D elementary intervals, which is composed from the first and second range fields. Figure 1 shows a simple example. There are two overlapping original 2-D ranges, R 0 and. Five elementary intervals X 0 to X 4 in field X and five elementary intervals Y 0 to Y 4 in field Y are formed from these two rules. As a result, there are 5*5 = 25 rectangular regions each of which corresponds to a pair of two elementary intervals belonging to fields X and Y. For instance, region r 1 in Figure 1 is formed by elementary interval pair (X 2, Y 3 ). The original 2-D range R 0 contains four regions, r 0, r 1, r 2, and r 3, and the original 2-D range contains four regions, r 3, r 4, r 5, and r 6. Definition 2 (Elementary region): Let the set of k elementary regions constructed from an original 2-D range set R of 2-D W-bit rules be X = {ER i i = 1 to k}. Each elementary region ER i covers a subset of addresses in the 2D address space of (0 2 W 1, 0 2 W 1). X must satisfy the following: (1) All addresses in ER i are covered by the same subset of original 2-D ranges (called the range matching set of ER i, denoted by ER i.range), and (2) The range matching sets of two different elementary regions are not equivalent. Based on above definition, similar to elementary interval defined in [7], the regions belonging to the same elementary region match the same set of original 2-D ranges. The shape of an elementary region is not necessarily a rectangular and also does not necessarily cover a contiguous address space. Consider the same example in Figure 1. There are four elementary regions constructed from the original 2-D range R 0 and. Elementary region E covers regions r 0, r 1, and r 2, ER 2 covers region r 3, and ER 3 covers regions r 4, r 5, and r 6. ER 0 covers all the remaining regions. The searching operation must locate the elementary region corresponding to the header field values of the incoming packet and return the intermediate codeword of the located elementary region which is then used to search the ternary strings constructed from the proposed 2-D range encoding schemes. In a single-field encoding scheme, such as PPC, the intermediate codewords have to be assigned to all elementary intervals and also the ternary strings for all the original 1-D TCAM Priority Encoder Action Memory action Find the best matching rule Get the corresponding action Figure 2: architecture for multi-field packet classification. ranges have to be determined. For the same reason, in our proposed scheme, we need to assign the intermediate codewords to all elementary regions. For example, E in Figure 1 is assigned with codeword 01, and ER 2 is assigned with codeword 11, and ER 3 is assigned with codeword 10. By combining the codewords of elementary regions E and ER 2, R 0 can be expressed as a ternary string *1, Similarly, R 0 can be expressed as a ternary string 1*. In addition, the intermediate codeword 00 has to be assigned to the default elementary region. The relationships (disjoint, enclosing, or partially overlapped) among all original 2-D ranges in 2-D plane are complex for larger classifiers. The main issue is how to assign an appropriate codeword of length as short as possible to each elementary region such that each original 2-D range can be represented by only one ternary string. Consider the same example in Figure 1. Suppose E, ER 2, and ER 3 are assigned with 01, 10, and 11, respectively. can be represented by one ternary string 1* but two ternary strings 01 and 10 are needed for R 0. So inappropriate elementary region codeword assignment will fail to represent each original 2-D range as one ternary string, which is the primary objective of the proposed encoding algorithms. B. Hardware Architecture In single-field searching operation, the router needs two memory accesses to fetch the codewords of respective port fields. Then, the two found codewords are concatenated with the header values of other fields to be the searching key in TCAM. To perform the multi-field searching operation, the hardware architecture is similar to the single-field architecture. Figure 2 shows the searching architecture for multi-field packet

4 E R 2 ER 2 E ER 2 R 4 V VR 2 R 2 R 4 ER 4 ER 0 VR 3 ER 0 ER 4 R 3 R 3 (a) ER 3 ER 5 classification. When an incoming packet arrives, the router fetches port numbers of two port fields from packet header. By using those two port numbers, the router can find out two corresponding elementary intervals of IDs EI x and EI y. Then, IDs EI x and EI y are used as the key to search the codeword memory layout as the 2D array using the elementary interval IDs as the indices. Finally, from the codeword memory, the codeword of the corresponding region can be obtained. Based on this procedure, we need two memory accesses (can be run in parallel) to access the elementary interval ID arrays and one memory access to obtain the codeword from codeword memory. Compared to the single-field searching architecture, the multi-field searching architecture needs only one more memory access. Although the multi-field searching architecture needs additional one memory access, the total SRAM access time is quiet small. C. Layered Approach If the relationship of any two original 2-D ranges R i and R j is disjoint or enclosed, performing the codeword assignment can be simple as in the PPC [20]. We classify all original 2-D ranges into many groups, called layers in which the relationship between any two original 2-D ranges in the same layer must be disjoint or enclosed. We can perform the encoding procedure for each layer independently. Unlike PPC scheme, our proposed layered scheme can put the original 2-D ranges into the same layer even they are enclosed, in addition to being disjoint. R 5 ER 3 R 5 ER 5 R i Vset i E,ER 2,ER 3 ER 4,ER 5 R 2 ER 2,ER 4 R 3 ER 3 R 4 ER 4 R 5 ER 5 R i Vset i E, ER 2, ER 3 ER 4, ER 5, V, VR 2, VR 3 R 2 ER 2,ER 4 R 3 ER 3 R 4 ER 4 R 5 ER 5 (b) Figure 3: The original 2-D range set in one layer. (b) After adding virtual region for conforming constraint 1. Our goal is to assign a codeword to each elementary region, and each original 2-D range can be represented by only one ternary string. Some structures or constraints are needed to execute the codeword assignment. In this paper, we propose to use graph theory to find the correct and efficient codeword assignment. The proposed codeword assignment algorithm is based on hypercube. Hypercube is suitable for encoding because of its regularity and symmetry properties. An n- dimensional hypercube is also called an n-cube or Q n, which contains 2 n vertices, n2 n -1 edges, and the degree of each vertex is n. The most important property is that each node in an n- cube can be uniquely represented by an n-bit codeword in such a way that two vertices are adjacent if and only if their codeword differ in exactly one bit. If a graph is a subgraph of an n-cube, each vertex can fetch a codeword from the corresponding vertex in n-cube. We will try to convert all original 2-D ranges to a graph and find a mapping from a vertex in the n-cube to each elementary region. If it is successful, it means all elementary regions can be assigned with an n-bit codeword and ultimately each 2D range can be represented by only one ternary string that corresponding to a sub-cube. The vertices mapped to the elementary regions covered by a 2-D range R i forms a vertex set, called Vset i. The following constraint is the necessary condition to meet for all 2D ranges. Constraint 1: Vset i = 2 n and Vset i must form an n-cube. In constraint 1, because any sub-cubes in an n-cube can be represented as one ternary string, we restrict the number of vertices in each original 2-D range to be a power of 2. If the produced graph is a sub-graph of an n-cube, every elementary region can be assigned an appreciate codeword, and the ternary string of each original 2-D range can be obtained by combining all the codewords of the sub-cube. After converting all the original 2-D ranges to a graph, if we show that the converted graph is a sub-graph of an n-cube, we can easily carry out the process of codeword assignment. For the purpose of finding the correct result, complying with constraint 1 is necessary. If there is one or more original 2-D ranges not complying with constraint 1, it is impossible to find the correct result. Figure 3(a) shows an example and list the Vsets of all original 2-D ranges. It is obvious that the Vset 1 of does not comply with constraint 1 because contains 5 elementary regions. In order to resolve this problem, we make the number of elementary regions of a 2D rule a power of 2 by adding especial elementary regions, called virtual region to some elementary regions. Because virtual regions are fictitious, they will not be matched against input key. After adding virtual regions to some elementary regions, all original 2-D ranges can conform to constraint 1. Because we also need to assign a codeword to every virtual region, producing too many virtual regions will increase the complexity of finding the mapping of a graph onto a sub-cube. Thus, we have to limit the number of virtual regions added as much as possible. In order to find the minimum allocation of virtual regions, we should check all original 2-D ranges in a decreasing order of their Vset size. Assume there are two original 2-D range R A and R B in the same layer and the Vset size of R A is large than that of R B. We add

5 R: the original 2-D range set AdjMatrix: Record all edges for entire graph 01 function Encoding(R, AdjMatrix) 02 Ordered_list = sort R in decreasing order by their Vset sizes 03 while (Ordered_list is not empty) 04 R i = the first original 2-D range in Ordered_list 05 add virtual regions for R i 06 Map-To-Cube(R i, AdjMatrix) 07 remove the first original 2-D range from Ordered_list 08 end while 09 Assign-Codeword(AdjMatrix) 10 end function 11 function Map-To-Cube(R i, AdjMatrix) 12 d = log 2(# of elementary regions and virtual regions in R i) 13 Create a d-dimensional sub-cube Q sub 14 Obtain all sub-cubes which belong to R i from AdjMatrix 15 Find mappings for all sub-cubes and isolated vertices in Q sub. 16 Record all edges of Q sub in AdjMatrix 17 end function 18 function Assign-Codeword (AdjMatrix) 19 Create a d-dimensional Q, where d = log 2(# of elementary regions and virtual regions) 20 Obtain all sub-cubes from AdjMatrix 21 Find mappings for all sub-cubes and isolated vertices in Q. 22 Assign codewords to all elementary regions according to the corresponding vertices in Q 23 end function Figure 4: The pseudo code of layered encoding scheme. virtual regions to R B before R A because R A may enclose R B. Figure 3(b) shows the result. E is appended with three virtual regions V, VR 2, and VR 3. Another important problem is how to connect the correct edges between the vertices corresponding to all elementary regions. In constraint 1, the elementary regions belong to the same original 2-D range should form a sub-cube in an n-cube. So, the edge-connecting order is important. If the original 2-D range R A encloses R B, the edge- connecting procedure should process R B before R A. For example, in Figure 3(b), the edgeconnecting order should be in the order of R 4 R 2, R 3, or R 5. Because R 2, R 3, and R 5 are mutual disjoint, process those three original 2-D ranges in arbitrary order will not affect the final produced graph. Figure 4 shows the pseudo code of the proposed encoding algorithm. In line 2, in order to get the processing order, we record all original 2-D ranges in the decreasing order of their Vset sizes. In line 5-6, the original 2-D range R i must comply with constraint 1, so we add minimum number of virtual regions to R i so that the size of Vset i is a power of 2. Then, we use function Map-To-Cube for R i to map the vertices corresponding to all elementary regions and virtual regions of R i onto a sub-cube. To record entire graph, we use adjacent matrix AdjMatrix to track all created edges, and all edges cannot be modified after being created. Repeat line 3-8 until all original 2-D ranges are processed. In line 9, the function Assign-Codeword map the entire graph into an n-cube, and each elementary region can obtains a codeword from the corresponding vertex in n-cube. Because we classify all original 2-D ranges into several layers, each layer can perform VR 2 VR 3 ER 0 R 3 ER 3 ER 4 V ER 2 E ER 7 ER 6 ER 5 R 4 Figure 5: Append virtual regions to elementary regions. the encoding scheme independently, and every region can obtain a codeword by concatenating the codewords of all layers. In search operation, the router can fetch a codeword from the located region by the port number of two port fields, and find the best matching rule via TCAM. D. Optimized layered approach Layered approach guarantees to find an appropriate codeword for each elementary region and a ternary string for each 2D range. However, the drawback is that the number of produced layers may be large and thus longer codewords are obtained. In order to reduce the number of layers and also guarantee that all elementary regions can be assigned an appropriate codeword, an optimizing layered approach is developed to combine layers incrementally. In other words, the incremental layer combining procedure finds one range in one layer and tries to insert it into another layer. Partially overlapped ranges make it hard to find a mapping in a hypercube for the produced graph. To deal with the situation of partially overlapping, we need define one more constraint: Constraint 2: Assume V is a Vset intersection of k mutually partially overlapped original 2-D ranges. The size of V must be a power of 2 and V must form a sub-cube. The constraint 2 is based on one property of hypercube: the shared vertices of any number of sub-cubes in a hypercube must be also a sub-cube. Unlike constraint 1, we need to check if the number of shared elementary regions is also a power of 2. Similarly, to comply with the constraint 2, all the intersection of original 2-D ranges should be checked, and virtual regions may need to be added to some elementary regions. We use the range matching set size of each elementary region as the checking order. If the size of ER i.range is larger than ER j.range, the intersection of all original 2-D ranges in ER i.range should be checked first. For example, there are four original 2-D ranges in Figure 5. Because ER 4 and ER 6 have the largest range matching set whose sizes are three, we check whether the intersection of ER 4.range={, R 2, R 3 } and ER 6.range={, R 2, R 6 } need virtual regions or not. Then we check the intersection of ER 3.range, ER 5.range, and ER 7.range because their sizes are two. We find out that ER 7.range = {,R 2 } and Vset 1 Vset 2 ={ER 4, ER 6, ER 7 }. So we need append a virtual region V to ER 7 to satisfy constraint 2. Finally, we check E.range and ER 2.range and add two virtual regions to them, respectively. R 2 VR 4 VR 5 ER i ER i.range ER 0 φ E ER 2 R 2 ER 3, R 3 ER 4, R 2, R 3 ER 5 R 2, R 4 ER 6,R 2, R 4 ER 7,R 2

6 L : the layer set. L max : the layer which contains most original 2-D ranges. 01 function Layer-Optimized(L) 02 Layer_order_list = sort L in decreasing order by the size of layer 03 while (the # of layers in Layer_order_list > 1) 04 L max = the first layer in Layer_order_list 05 for all layer L i Layer_order_list and L i L max 06 for all R i L i 07 insert R i into L max 08 if Map-to-cube(L max) == false 09 remove R i from L max 10 else 11 remove R i from L i 12 end for 13 if L i is empty 14 remove L i from Layer_order_list 15 end for 16 remove L max from Layer_order_list 17 sort Layer_order_list in descending order by the layer sizes 18 end while 19 perform encoding procedure for each layer 20 end function 21 function Map-to-cube(L) 22 ER_order_list = sort all elementary regions in L 23 while ER_order_list NULL 24 ER = the first elementary region in ER_order_list 25 Vset = all elementary regions and virtual regions which has covered by ER.range 26 if Vset 2 n 27 add minimum number of virtual regions into ER 28 if Vset cannot map to a hypercube 29 return false 30 remove ER from ER_order_list 31 end while 32 return true 33 end function Figure 6: The pseudo code of optimized layerd encoding scheme. In order to reduce the number of layers, we choose an original 2-D range from one layer incrementally and insert into the largest layer which contains most number of original 2-D range. The main problem is how to find the mapping for the produced graph. Different from the layered approach, we can promise the produced graph is a sub graph of a hypercube. Assume the original 2-D range R is inserted into the largest layer and a graph G is generated. Because the problem of hypercube embedding is an NP-Complete problem [14][19], it is hard to guarantee the produced graph can mapped onto a hypercube. If we cannot find a mapping for G in limited amount of computation time or ensure G is not a sub-graph of a hypercube, we should remove R in the largest layer and choose next original 2-D range for insertion. Figure 6 shows the pseudo code of layer combination. In line 2, to decide the combining order, we sort all layers in descending order by the number of containing original 2-d ranges, and select the largest layer L max as the insertion target layer in line 4. In line 5-15, we select one original 2-D range and insert it into L max incrementally. In every insertion, we must to check whether the produced graph of L max can map onto a hypercube or not. In the mapping procedure Map-tocube, we check and add virtual regions for all elementary regions to satisfy with constraint 2, and check the graph is cubical or not by using divide-and-conquer approach. In the divide-and-conquer approach, we divide the produced graph into several sub-graphs and try to find an appropriate sub-cube for each sub-graph. If we cannot find a solution or confirm the produced graph is conflict with the properties of hypercube, we then give up inserting this original 2-D range to L max. In line 16-17, we remove L max from order list and resort all layers for selecting next insertion target layer. IV. EXPERIMENT RESULTS We compare the proposed scheme with existing algorithms in terms of TCAM entry size, TCAM size and SRAM size, and perform the experiments with classifiers of various sizes. ClassBench [25] is a well-known benchmark that provides classifiers similar to real classifiers used in the Internet routers and input traces corresponding to the classifiers. The three different type classifiers, access control lists (ACL), firewalls (FW), and IP chains (IPC) are generated by ClassBench and experimented in the simulation. Because the proposed schemes are designed for encoding original 2-D range, the source and destination port fields in classifiers are only used in this experiment. The rules in the classifiers are composed of five fields: {source IP address, destination IP address, source port, destination port, protocol}. In order to evaluate the performance of our proposed schemes for classifiers of different sizes, we use 12 synthetic classifiers which are fw1, acl1, and ipc1 with sizes 100, 1,000, 5,000, and 10,000. The evaluated schemes are direct range-to-prefix conversion (DC), the Short Range Gray code Encoding (SRGE) [3], the elementary interval-based scheme using natural binary code (EIDC), the elementary interval-based scheme using BRGC (EIGC) [8], the database independent range pre-encoding (DIRPE) [16], the bitmap-intersection scheme (Bitmap), PPC style-ii or III which performs the best (PPC) [20], and our proposed schemes layered approach (Layer) and Optimized layered approach (O-Layer). In DIRPE, the source port field uses strides 2, 2, 3, 3, 3, 3, and the destination port field uses strides 2, 2, 2, 2, 2, 3, 3, as suggested in [16]. Thus, TCAM entry widths of source and destination port fields are 34 and 29 bits, respectively. Table II shows the results for the synthetic classifier whose sizes are close to 10,000 rules. Because the source and destination port fields of some rules can be presented by prefix, we also show the performance of non-prefix rules only. In order to correctly show the encoding results of single-field encoding schemes with two fields, the entry size of single-field encoding schemes is obtained by concatenating the encoding results of the two fields. In acl1_10k classifier, since the range in source port is only wildcard, the needed TCAM entry size can be decreased in most of the schemes, such as DIRPE, PPC, EIGC, and Bitmap. The number of TCAM entries is sum of the required entries for all converted ranges, and the value of EF is the expansion ratio which calculated by (# of TCAM Entries) / (# of Rule). In some schemes such as direct range-to-prefix conversion and EIGC, the expansion ratio is larger than other schemes; it is because most rules require more than one ternary strings or

7 # of rules 9,311 (fw1_10k) 9,603 (acl1_10k) 9,037 (ipc1_10k) TABLE II. PERFORMANCE OF 10K CLASSIFIERS All Rules Non-prefix Rules scheme entry size # of TCAM entry size EF TCAM SRAM # of scheme # of EF TCAM SRAM src dest entry size (kb) size (KB) rules src dest TCAM entry size (kb) size (KB) DC , , DC , SRGE , , SRGE , EIDC , EIDC 5 6 8, EIGC , EIGC 5 6 8, DIRPE , DIRPE , (fw1_10k) Bitmap , Bitmap PPC 6 8 9, PPC Layer 13 9, Layer O-Layer 12 9, O-Layer DC , DC , SRGE , SRGE , EIDC , EIDC 1 6 1, EIGC , EIGC 1 6 1, ,061 DIRPE , DIRPE , (acl1_10k) Bitmap , , Bitmap , PPC , PPC , Layer 9 9, Layer 7 1, O-Layer 9 9, O-Layer 7 1, DC , DC , SRGE , SRGE , EIDC , , EIDC 3 3 1, EIGC , , EIGC 3 3 1, ,66 DIRPE , DIRPE , (ipc1_10k) Bitmap , Bitmap PPC , PPC Layer 14 9, Layer O-Layer 15 9, O-Layer prefixes after conversion. The TCAM size is calculated by (# of TCAM Entries * TCAM Entry size) / 1024, and the SRAM size in Kbyte of single-field range encoding scheme is calculated by (65536 * sum of entry sizes in source and destination port) / (8 1024). In our proposed schemes, we need to count the number of elementary interval in each field. Assume there are s elementary intervals in source port field and d elementary intervals in source port field. The SRAM size is calculated by (65536*( log 2 s + log 2 d ) + s * d * the size of TCAM entry) / (8 1024). It s obvious that direct range-to-prefix conversion has the worst performance because it requires the largest number of TCAM entries and the size of TCAM entry is 32 bits. PPC, DIRPE and our proposed schemes need the minimum number of TCAM entries because those schemes are databasedependent encoding schemes, which usually focus on decreasing expansion ration. Comparing the entry size with all schemes, the proposed schemes can use the minimum TCAM cost in all classifiers, and the SRAM usage are also better than single-field encoding schemes. To compare the results with small classifiers, Table III shows the performance with synthetic classifier whose sizes are close to 100 rules. The TCAM usages of our proposed schemes are still better than other schemes in small classifiers. Because the SRAM usage of our proposed schemes is dependent on the length of codeword and the number of elementary intervals in two fields, the SRAM usage in small classifier may be larger than single-field encoding schemes. In Figure 7, we show the TCAM requirements of different schemes with various classifiers. The optimized layered scheme is suitable for firewall classifier and layered scheme is suitable for access control lists and IP chains classifier. V. CONCLUSION In this paper, we described the problem of classifier storage in TCAM, and presented a new multi-field range encoding scheme. In order to decrease the TCAM memory usage, we need to determine the codewords for all elementary regions. Based on the properties of hypercubes, finding the codewords for each elementary region become a feasible process. On the other hand, our proposed scheme reduces the entry size and TCAM size. From the experimental results of real-life classifiers, we show that the proposed schemes can reduce the TCAM memory usage compared with other existing singlefield encoding schemes. Although additional SRAM to store codewords is needed, it is fewer than other single-field schemes because our proposed schemes can use shorter codeword length. Compared with existing single-field encoding schemes, our proposed scheme uses 12% ~ 33% of TCAM memory needed in DRIPE or SRGE and 56% ~ 86% of TCAM memory needed in PPC for the classifiers of up to 10k rules

8 # of rules 92 (fw1_100) 98 (acl1_100) 99 (ipc1_100) scheme All Rules entry size # of TCAM src dest entry TABLE III. PERFORMANCE OF 100 CLASSIFIERS EF TCAM size (kb) SRAM size (KB) # of rules scheme Non-prefix Rules entry size # of TCAM src dest entry EF TCAM size (kb) SRAM size (KB) DC DC SRGE SRGE EIDC EIDC EIGC EIGC DIRPE DIRPE (fw1_100) Bitmap Bitmap PPC PPC Layer Layer O-Layer O-Layer DC DC SRGE SRGE EIDC EIDC EIGC EIGC DIRPE DIRPE (acl1_100) Bitmap Bitmap PPC PPC Layer Layer O-Layer O-Layer DC DC SRGE SRGE EIDC EIDC EIGC EIGC DIRPE DIRPE (ipc1_100) Bitmap Bitmap PPC PPC Layer Layer O-Layer O-Layer REFERENCE [1] F. Afrati, C. Papadimitriou, and G. Papageorgiou. The complexity of cubical graphs. Inform. and Control,1985. [2] R. Brayton, G. Hachtel, C. McMullen, and A. Sangiovanni-Vincentelli, Logic Minimization Algorithms for VLSI Synthesis, Kluwer Academic Publishers, [3] A. Bremler-Barr and D. Hendler, Space-Efficient TCAM-based Classification Using Gray Coding, in Proc. IEEE INFOCOM, pp , [4] A. Bremler-Barr, D. Hayy, and D. Hendler, Layered Interval Codes for TCAM-based Classification, in Proc. IEEE INFOCOM, pp , [5] A. L. Buchsbaum, G. S. Fowler, B. Krishnamurthy, K.-P. Vo, and J. Wang, "Fast Prefix Matching of Bounded Strings", ACM Journal of Experimental Algorithmics, vol. 8, Jan [6] H. J. Chao, Next Generation Routers, in Proc. of the IEEE, vol. 90, Issue 9, pp , Sep [7] Y.-K. Chang and Y.-C. Lin, "Dynamic Segment Trees for Ranges and Prefixes," IEEE Trans. Computers, Vol. 56, Issue 6, pp , June [8] Y.-K. Chang and C.C. Su, "Efficient TCAM Encoding Schemes for Packet Classification using Gray Code," in Proc. IEEE Globecom 2007, pp , Nov [9] H. Che, Z. Wang, K. Zheng, and B. Liu, DRES: Dynamic Range Encoding Scheme for TCAM Coprocessors, IEEE Transactions on Computers, Vol. 57, Issue 7, pp , June [10] Q. Dong, S. Banerjee, J. Wang, D. Agrawal, A. Shukla, Packet Classifiers in Ternary CAMs Can Be Smaller, in Proc. ACM SIGMETRICS, pp , 2006,. [11] F. Gray, "Pulse Code Communication", U. S. Patent , March 17, [12] P. Gupta and N. McKeown, Algorithms for Packet Classification, IEEE Network, vol. 15, Issue 2, pp , [13] P. Gupta and N. McKeown, Packet Classification on Multiple Fields, in Proc. ACM SIGCOMM, pp , Aug [14] D. W. Krumme, K. N. Venkataraman, and G. Cybenko, "Hypercube embedding is NP-complete," in Proc. Hypercube Concurrent. Computers and Applications, pp , August [15] T. Lakshman and D. Stiliadis, High-Speed Policy-Based Packet Forwarding Using Efficient Multi-Dimensional Range Matching, in Proc. ACM SIGCOMM, pp , 1998 [16] K. Lakshminarayanan, S. Venkatachary, and A. Rangarajan, Algorithms for Advanced Packet Classification With Ternary CAMs, in Proc. ACM SIGCOMM, pp , [17] H. Liu, Efficient Mapping of Range Classifier into Ternary-CAM, in Proc. IEEE Symp. High Performance Interconnects, pp , [18] H. Liu, Routing Table Compaction in Ternary CAM, IEEE Micro, Vol. 22, Issue 1, pp , Jan-Feb [19] M. Livingston, Q.F. Stout, Embeddings in Hypercubes. Mathematical and Computational Modelling, vol. 11, pp , 1988 [20] J. Lunteren and T. Engbersen, "Fast and Scalable Packet Classification," IEEE Journal on Selected Areas in Communications, vol. 21, Issue 4, pp , May [21] C.R. Meiners, A.X. Liu, E. Torng, TCAM Razor: A Systematic Approach Towards Minimizing Packet Classifiers in TCAMs, in Proc. IEEE ICNP, pp , 2007.

9 TCAM size (kb) DC DIRPE EIGC PPC O-Layer SRGE EIDC Bitmap Layer TCAM size (kb) DC DIRPE EIGC PPC O-Layer SRGE EIDC Bitmap Layer fw1_100 acl1_100 ipc1_100 0 fw1_1k acl1_1k ipc1_1k TCAM size (kb) DC DIRPE EIGC PPC O-Layer SRGE EIDC Bitmap Layer TCAM size (kb) DC DIRPE EIGC PPC O-Layer SRGE EIDC Bitmap Layer fw1_5k acl1_5k ipc1_5k 0 fw1_10k acl1_10k ipc1_10k Figure 7: TCAM requirements for synthesized classifiers [22] N. Mohan, M. Sachdev, "Low Power Dual Matchline Ternary Content Addressable Memory," in Proc. IEEE ISCAS, pp , May 2004 [23] B. Schieber, D. Geist, and A. Zaks, Computing the Minimum DNF Representation of Boolean Functions Defined by Intervals, Discrete Applied Mathematics, vol. 149, no. 1-3, pp , [24] D. Taylor, Survey and taxonomy of packet classification techniques, ACM Computer Surveys, vol. 37, no. 3, pp , Sep [25] D. Taylor and J. Turner, ClassBench: A Packet Classification Benchmark, in Proc. IEEE INFOCOM, pp , [26] F. Yu and R. H. Katz, Efficient Multi-Match Packet Classification with TCAM, in Proc. IEEE Symp. High Performance Interconnects, pp.28-34, 2004.