Scalable Packet Classification for IPv6 by Using Limited TCAMs

Chia-Tai Chan (1), Pi-Chung Wang (1), Shuo-Cheng Hu (2), Chung-Liang Lee (1), and Rong-Chang Chen (3)

(1) Telecommunication Laboratories, Chunghwa Telecom Co., Ltd., 7F, No. 9 Lane 74 Hsin-Yi Rd. Sec. 4, Taipei, Taiwan 106, R.O.C. {ctchan,abu,chlilee}@cht.com.tw
(2) Department of Info. Management, Ming-Hsin University of Science and Technology, 1 Hsin-Hsing Rd. Hsin-Fong, Hsinchu, Taiwan 304, R.O.C. schu@mis.must.edu.tw
(3) Department of Logistics Engineering and Management, National Taichung Institute of Technology, No. 129, Sec. 3, Sanmin Rd., Taichung, Taiwan 404, R.O.C. rcchens@ntit.edu.tw

Abstract. It has been demonstrated that performing packet classification on a potentially large number of filters on key header fields is difficult and has poor worst-case performance. To achieve fast packet classification, hardware support is unavoidable. Ternary content-addressable memory (TCAM) has been widely used to perform fast packet classification because it solves the problem in O(1) time regardless of the number of entries, the mask continuity and the mask lengths. Compared to software-based solutions, the TCAM offers sustained throughput and a simple system architecture. It is attractive for packet classification, especially for the ultimate IPv6-based networks. However, it also comes with several shortcomings, such as the limited number of entries, high cost and power consumption. Accordingly, we propose an efficient algorithm to reduce the required TCAM by encoding the address portion of the searchable entries. The new scheme could encrypt the 128-bit prefixes of the real-world IPv6 routing tables into 11 bits and still keeps the property of CIDR.

1 Introduction

The major obstacle for high-speed routers is the relatively slow Internet lookup, including routing lookup and packet classification.
For an incoming packet, a router must perform a routing lookup to forward the packet toward its destination based on the information gathered by the routing protocols. In next generation networks, new services such as firewall processing, RSVP-style resource reservation policies, QoS routing, and normal unicast and multicast forwarding require more discriminating forwarding, called packet classification. It allows service differentiation because the router can distinguish traffic based on source/destination address, TCP/UDP port numbers, and protocol flags. Consequently, each packet is distinguished according to the policies (or filters). The forwarding database of a router consists of a potentially large number of policies. Each policy has a given cost. The header of an incoming packet might match multiple policies. The policy with the least cost is used to forward the packet.

Performing packet classification on a potentially large number of policies on key header fields is difficult and has poor worst-case performance. Unlike a routing prefix, a policy can have a non-contiguous mask, and a policy is much longer than a routing prefix. The routing lookup problem is just a special case of packet classification. As a result, the search for the least cost policy (LCP) may be time consuming for a backbone router with a large number of table entries. The exponential growth in the number of Internet hosts has further stressed the routing system. It is difficult for the packet-forwarding rate to keep up with the increased traffic demand.

1.1 Problem Statement

Essentially, packet classification is a problem of multi-dimensional range matching. To describe the problem formally, we have to define the classifier and the policy. A classifier maintains a set of policies to divide an incoming packet stream into multiple classes. A policy F = (f[1], f[2], ..., f[k]) is called k-dimensional if the policy consists of k fields, where each f[i] is either a variable-length prefix bit string, a range or an explicit value of the packet header. A policy can be any combination of fields of the packet header; the most common fields are the IP source address, the IP destination address, the protocol type, the port numbers of the source/destination applications and the protocol flags. A packet P is said to match a particular policy F if, for all i, the i-th field of the header satisfies f[i]. Each policy has an associated action.
For example, the policy F = (140.113.,,UDP,1090, ) specifies a rule for flows that are addressed to the subnet 140.113 and use Progressive Networks Audio (PNA), and the action of the rule may assign the packets belonging to these flows a higher queueing priority. Besides the action, the policy is usually given a cost value to define its priority in the database. The action of the least-cost matched policy is used to process the arriving packets, thus the packet classification problem is a least-cost problem.

1.2 Existing Approaches

Recently, several packet classification algorithms have been proposed in the literature [2-6]. They can be categorized into the following classes: linear search/caching, hardware-based, grid of tries/cross-product, recursive-flow classification, and hash-based solutions. In the following, we briefly describe the main properties of these algorithms. Assume that N is the number of policies, D is the number of classified fields and W is the length of the IP address.

Linear Search/Caching: The simplest approach for packet classification is to perform a linear search through all the policies. The space and time complexity is O(N). Caching is a technique often employed at either the hardware or the software level to improve the performance of linear search. However, the performance of caching depends critically on having a large number of packets in each flow. Also, if the number of simultaneous flows becomes larger than the cache size, the performance degrades severely.

Bit-Parallelism: Another scheme, which relies on a very wide memory bus, is presented by Lakshman et al. [5]. The algorithm reads Nk bits from memory, corresponding to the BMPs in each field, and takes their intersection to find the set of matching policies. The memory requirement for this scheme is O(N^2). This scheme relies on heavy parallelism and requires significant hardware cost, not to mention that the flexibility and scalability of hardware solutions are very limited.

Grid of Tries/Cross-product: Specifically for the case of 2-field policies, Srinivasan et al. [2] presented a trie-based algorithm. This algorithm has a memory requirement of O(NW) and requires 2W - 1 memory accesses per policy lookup. Also presented in [2] is a general mechanism called cross-product, which involves performing the BMP lookups on individual fields and using a pre-computed table to combine the results of the individual prefix lookups. However, this scheme suffers from an O(N^k) memory blowup for k-field policies, including k = 2 field policies.

Recursive-flow Classification: Gupta et al. presented an algorithm which can be considered a generalization of cross-product [3]. After the BMP lookup has been performed, the recursive flow classification algorithm performs the cross-product in a hierarchical manner. Thus k BMP lookups and k - 1 additional memory accesses are required per policy lookup. It is expected to provide a significant improvement on average, but it requires O(N^k) memory in the worst case. Also, for the case of 2-field policies, this scheme is identical to cross-producting and hence has a memory requirement of O(N^2).
Hash-based Solution: The basic idea is motivated by the observation that while policy databases contain many different prefixes or ranges, the number of distinct prefix lengths tends to be small [1]. For instance, backbone routers have about 60K destination address prefixes, but there are only 32 distinct prefix lengths. Thus all the prefixes can be divided into 32 groups, one for each length (W). Since all prefixes in a group have the same length, the prefix bit string can be used as a hash key. That leads to a simple IP lookup scheme, which requires O(W) hash lookups, independent of the number of prefixes. The algorithm of Waldvogel [1] performs a binary search over the W length groups and achieves O(log W) worst-case time complexity. The tuple space idea generalizes the aforementioned approach to multi-dimensional policies [4]. A tuple is a set of policies with specific prefix lengths, and the resulting set of tuples is called the tuple space. Since each tuple has a specific bit-length for each field, these fields can be concatenated in order to create a hash key, which is used to perform the tuple lookup. Thus, the matched policy can be found by probing each tuple in turn and keeping track of the least cost policy. As an example, the two-dimensional policies F = (10, 110) and G = (11, 001) both belong to the tuple T[2,3]. When searching T[2,3], a hash key is constructed by concatenating 2 bits of the source field with 3 bits of the destination field. Since the number of tuples is generally much smaller than the number of policies, even a linear search of the tuple space results in a significant improvement over a linear search of the policies.

Ternary CAM: Ternary content-addressable memory (TCAM) is one popular hardware device for performing fast packet classification. Compared to software-based solutions, the TCAM offers sustained throughput and a simple system architecture, which makes it attractive. However, it also comes with several shortcomings, such as the limited size, power consumption and high cost. For example, a 9 Mbits TCAM chip (US $200, 40 mm x 40 mm) running at 100 MHz dissipates about 8.5W. In comparison, a 9 Mbits SRAM (US $20, 14 mm x 22 mm) running at 250 MHz dissipates only 0.75W. Specifically, the policy length could be as long as 296 bits with IPv6. A state-of-the-art 9-Mbit TCAM could support 16K such entries. In next generation networks, the TCAM will suffer from a limited number of entries.

Table 1. Complexity comparisons.

Schemes                  Speed           Storage           Scalability
Linear Search            O(N)            O(NW)             -
Bit Parallelism [5]      O(DW + N/B)     O(DN^2)           -
Grid of Tries [2]        O(W^(D-1))      O(NDW^2)
Cross-producting [2]     O(DW)           O(N^D)            -
RFC [3]                  O(D)            O(N^D)            -
Tuple Space Search [4]   O(N)            O(NW)
Ternary CAM              O(1)            O(NW)             -
Proposed scheme          O(1)            O(N(logw + β))

N: the number of prefixes, W: the maximum prefix length, D: the number of dimensions, B: the memory bus width, β: the number of levels.

In this article, we propose an efficient algorithm to reduce the required TCAM by encoding the address portion of the searchable entries. The new scheme could reduce the length of TCAM entries from W to (log N + β) and still keeps the property of CIDR, where N is the number of the policies, β is the maximum number of levels and W is the length of the IP address. In our experiments, it could encrypt the 128-bit prefixes of the real-world IPv6 routing tables into 11 bits.
The rest of the paper is organized as follows. Section 2 presents the proposed algorithm. The experiment results are presented in Section 3. Finally, a summary is given in Section 4.

2 TCAM Entry Encryption Algorithm

In the proposed system architecture, packet classification can inherit the search result from the routing lookup. This motivates us to encode the routing prefix as a much shorter one by replacing the original source/destination addresses in the original policy with the generated keys, so that the required TCAM is also reduced. To achieve this, we first have to understand the nature of IP routing prefixes. The adoption of classless inter-domain routing (CIDR) [10] allows the network administrator to specify a smaller network within an existing network. For example, an ISP network is specified by the prefix 206.95. whose next hop is A. There might exist an enterprise network, which is specified by the prefix 206.95.130. and whose next hop is B. The encoding scheme must be able to reflect the hierarchical nature of the routing prefixes. Namely, the generated key for the prefix 206.95. must be a shorter prefix of that for the prefix 206.95.130..

Basic Scheme. To encode the address portion of the searchable entries, a straightforward scheme is to divide the prefixes into several sub-prefixes according to the length of their shorter prefixes, as shown in Figure 1. The prefix P4 (010000) has two shorter prefixes: P1 (0) and P3 (0100). Thus it is divided into three sub-prefixes 0, 100 and 00, which are inserted into the bit-stream groups Level I, Level II and Level III, respectively. Clearly, the same sub-prefix may be derived from different prefixes; for instance, the Level II bit-stream 01 of prefix P13 is identical to that of P2. In each group, duplicate bit-streams must be eliminated and each bit-stream is assigned a unique ID. By concatenating the relevant IDs, the encrypted key for each prefix can be generated. In this example, there are three different bit-streams in Level I, five in Level II and four in Level III. Thus at most 7 (= 2 + 3 + 2) bits are required to represent the original prefixes.

Prefixes: P1 0, P2 001, P3 0100, P4 010000, P5 01010, P6 101, P7 1010, P8 1011, P9 1011000, P10 1011001, P11 10111, P12 11, P13 1101, P14 111

Level I bit-stream -> ID:   0 -> 00, 101 -> 01, 11 -> 10
Level II bit-stream -> ID:  01 -> 000, 100 -> 001, 1010 -> 010, 0 -> 011, 1 -> 100
Level III bit-stream -> ID: 00 -> 00, 000 -> 01, 001 -> 10, 1 -> 11

[Figure: binary tree representation of P1 to P14, marking the prefixes with a "Level I" bit-stream, with "Level I" and "Level II" bit-streams, and with "Level I" to "Level III" bit-streams.]

Fig. 1. Encoding the bit-streams according to what they attach to.

Exclusive Scheme. Though the basic scheme is simple, the number of encrypted bit-streams may be over-estimated. The encoding results are inefficient because the scheme does not consider the relations between prefixes. For example, the bit-streams 100 and 1010 (i.e., corresponding to P3 and P5 respectively) in Level II only concatenate to 0 (i.e., P1). Thus we only have to count the number of bit-streams attached to a specific shorter bit-stream. In our example, there are three bit-streams connected to 0 (P1) and two each to 101 (P6) and 11 (P12). Therefore, the number of bits for Level II could be reduced to two and the total length is reduced to six. In Figure 2, we list the ID for each bit-stream. The dotted line is used to separate the bit-streams based on their attached bit-streams.

Level I bit-stream -> ID:   0 -> 00, 101 -> 01, 11 -> 10
Level II bit-stream -> ID:  attached to 0 (P1): 01 -> 00, 100 -> 01, 1010 -> 10 | attached to 101 (P6): 0 -> 00, 1 -> 01 | attached to 11 (P12): 01 -> 00, 1 -> 01
Level III bit-stream -> ID: attached to P3: 00 -> 00 | attached to P8: 000 -> 00, 001 -> 01, 1 -> 10

[Figure: binary tree representation of P1 to P14.]

Fig. 2. Encoding the bit-streams according to what they attach to.

Adaptive Scheme. The exclusive scheme can be further improved with a more ingenious encoding of the bit-streams. According to the successive bit-stream length, the scheme can adjust the length of the encoded ID dynamically, as shown in Figure 3. It encodes the bit-streams in a bottom-up manner and uses Huffman Encoding to reduce the maximum length of the concatenated IDs. Thus the bit-streams in Level III are encoded first. The minimum required length for each Level III bit-stream is recorded in its preceding prefix. The Level II bit-streams are sorted according to the length of their successive bit-streams. Then the longest one, for example the Level II bit-stream 1 corresponding to P8, is assigned the shortest ID 0. Another Level II bit-stream 0 attached to P6 is thus assigned the ID 01. The ID for each bit-stream is listed in the left part of Figure 3.
In Table 2, we show the encrypted prefixes for the different schemes. With the basic scheme, the maximum required length is 7. It can be improved to 6 and 4 by adopting the exclusive and adaptive schemes respectively. Generally speaking, the number of bits required by the adaptive scheme is quite close to the optimal value (log2 N). Consequently, we use the prefixes of the real-world routing tables to demonstrate the performance of the proposed scheme.

Level I bit-stream -> ID:   0 -> 10, 101 -> 0, 11 -> 11
Level II bit-stream -> ID:  attached to 0 (P1): 01 -> 10, 100 -> 0, 1010 -> 11 | attached to 101 (P6): 0 -> 10, 1 -> 0 | attached to 11 (P12): 01 -> 0, 1 -> 1
Level III bit-stream -> ID: attached to P3: 00 -> 0 | attached to P8: 000 -> 00, 001 -> 01, 1 -> 10

[Figure: binary tree representation of P1 to P14, annotated with the minimum required length for the attached bit-streams.]

Fig. 3. Encoding bit-streams according to the length of their successive bit-streams.

Table 2. The encrypted prefixes for different schemes.

Prefix   Basic     Exclusive   Adaptive
P1       00        00          10
P2       00000     0000        1010
P3       0001      0001        100
P4       0000100   000100      1000
P5       00010     0010        1011
P6       01        01          0
P7       01011     0100        010
P8       01100     0101        10
P9       0101      010100      0000
P10      0110      010101      0001
P11      0111      010110      0010
P12      10        10          11
P13      10000     1000        110
P14      10100     1001        111

Usage. In each classifier, the referred routing prefixes are extracted from the policies. Then we construct the prefix tree and execute the encoding algorithm to encrypt the prefixes. These results are attached to the routing prefixes as a part of the lookup results. For those prefixes which are not referred to in the policies, the encrypted results of their referred sub-prefixes are recorded. Also, the address portion of each policy is replaced by the encoded prefixes and inserted into the TCAM. The routing lookup for each incoming packet decides the next hop and also the encoded prefixes. Since the routing lookup is only performed for the destination address, an extra lookup for the source address is required. Consequently, the addresses in the packet header are replaced by the encoded prefixes and forwarded to the classifier. Then the classifier performs packet classification to derive the service priority.
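The Basic and Exclusive schemes and the Usage step described above, worked through on the 14 prefixes of Figure 1. This is an added example, not the authors' code. It assumes IDs are numbered in order of first appearance, which reproduces the IDs of Figures 1 and 2; the function names and the sample destination address are constructed for illustration.

```python
# Prefixes P1..P14 of Figure 1, in the paper's order.
PREFIXES = ["0", "001", "0100", "010000", "01010", "101", "1010", "1011",
            "1011000", "1011001", "10111", "11", "1101", "111"]


def split_levels(prefixes):
    """Map each prefix to (parent, level): parent is the longest shorter
    prefix present in the table ("" for Level I prefixes)."""
    table = set(prefixes)
    info = {}
    for p in sorted(prefixes, key=len):          # parents before children
        parent = next((p[:n] for n in range(len(p) - 1, 0, -1)
                       if p[:n] in table), "")
        level = info[parent][1] + 1 if parent else 1
        info[p] = (parent, level)
    return info


def id_width(count):
    """Bits needed to number `count` distinct bit-streams (at least one)."""
    return max(1, (count - 1).bit_length())


def encode(prefixes, exclusive):
    """Return {prefix: encoded key}.

    Basic scheme (exclusive=False): bit-streams are deduplicated per level.
    Exclusive scheme (exclusive=True): they are numbered separately under
    each parent, so a level only needs bits for its largest sibling group.
    """
    info = split_levels(prefixes)
    groups = {}                                  # level -> scope -> bit-streams
    for p in prefixes:
        parent, level = info[p]
        scope = parent if exclusive else ""
        seen = groups.setdefault(level, {}).setdefault(scope, [])
        sub = p[len(parent):]                    # the sub-prefix (bit-stream)
        if sub not in seen:
            seen.append(sub)
    width = {lvl: id_width(max(len(s) for s in scopes.values()))
             for lvl, scopes in groups.items()}
    keys = {}
    for p in sorted(prefixes, key=len):
        parent, level = info[p]
        scope = parent if exclusive else ""
        ident = groups[level][scope].index(p[len(parent):])
        keys[p] = keys.get(parent, "") + format(ident, "0%db" % width[level])
    return keys


def keeps_hierarchy(keys):
    """CIDR property: key(a) is a prefix of key(b) exactly when a covers b."""
    return all(b.startswith(a) == keys[b].startswith(keys[a])
               for a in keys for b in keys if a != b)


def route_lookup(address_bits, keys):
    """Longest-prefix match on the original table; returns the encoded key
    the routing lookup hands to the classifier ("" if nothing matches)."""
    best = max((p for p in keys if address_bits.startswith(p)),
               key=len, default="")
    return keys.get(best, "")


def tcam_match(entry_key, packet_key):
    """Ternary match of a policy entry (encoded prefix, then don't-cares).
    Assumption: keys are compared as variable-length bit strings; how a
    fixed-width TCAM pads shorter packet keys is not specified on the page."""
    return packet_key.startswith(entry_key)


if __name__ == "__main__":
    basic, excl = encode(PREFIXES, False), encode(PREFIXES, True)
    for i, p in enumerate(PREFIXES, 1):
        print("P%-3d %-8s basic=%-8s exclusive=%s" % (i, p, basic[p], excl[p]))
    print("max length:", max(map(len, basic.values())),
          max(map(len, excl.values())))
```
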

3 Performance Evaluation

Through experiments, we demonstrate that the proposed scheme requires far fewer TCAM bits. Currently, the IPv6 routing tables, which are downloaded from 6bone, consist of only a few hundred prefixes. To further assess the scalability of the proposed scheme, we also use the real data available from the IPMA [8] and NLANR [9] projects for comparison; these data provide a daily snapshot of the routing tables used by some major Network Access Points (NAPs). We illustrate the maximum length of the encoded prefixes for different routing tables and different schemes.

Figure 5 shows the encoding results for different routing tables. For the IPv4 routing tables, the basic scheme and the exclusive scheme might produce encoded prefixes longer than the original prefixes (32 bits). This is because these schemes concatenate the maximum number of bits for each level to generate the encrypted prefixes. In contrast, the adaptive scheme can pair the longest ID with the shortest ID to reduce the total length. In the experimental results, the adaptive scheme could encrypt the 32-bit prefix to a 22-bit one, which shows a bit-reduction of 70%. Moreover, the proposed scheme has achieved near optimal encoding as compared with the value log2(number of prefixes). The difference between the two values is incurred by the round-off error in each level. For example, in the routing table of NLANR, there are 102,271 prefixes and 6 levels. The maximum length for the NLANR table is 22 bits, which is nearly equal to log2(102,271) + 6 = 22.6.

[Figure: maximum length of the encoded prefix versus number of prefixes, for the Basic Scheme, Exclusive Scheme, Adaptive Scheme and LOG(number of prefixes).]

Fig. 4. The maximum length of encoded prefixes for different IPv4 routing tables.

For the IPv6 routing tables, the adaptive scheme still outperforms the other schemes, as shown in Figure 5.
But with fewer prefixes, the number of levels is reduced as well. Thus even the simplest scheme could achieve fairly good results. As the number of prefixes increases, the effect of the adaptive scheme emerges. In the results, the adaptive scheme could encrypt the 128-bit prefix to an 11-bit one, which shows a bit-reduction of 9%.

[Figure: maximum length of the encoded prefix versus number of prefixes, for the Basic Scheme, Exclusive Scheme, Adaptive Scheme and LOG(number of prefixes).]

Fig. 5. The maximum length of encoded prefixes for different IPv6 routing tables.

According to the experiments, we believe that the number of required bits stays bounded as the prefix length and prefix count increase. If the routing table contains 1M entries and 12 levels, it would require about 32 bits for encryption, not to mention that route aggregation in IPv6 will largely reduce the number of levels.

4 Conclusions

This study investigates the major issues in TCAM-based router design, including its price, power and size. To make use of the TCAM in IPv6-based packet classification, we propose an efficient approach to utilize the limited bits of the TCAM. The scheme is motivated by the necessity of a routing lookup for each packet. By encoding the prefixes into much shorter ones, the required bits for a TCAM entry could be significantly reduced. The basic idea is to divide the prefixes according to the length of their shorter prefixes and allocate enough bits for each level. It could be further improved by adopting the concept of exclusion to eliminate the combinations in each level. Accordingly, we address how to join a long ID with a short one by using Huffman Encoding. The length of the generated prefix is dramatically reduced. In the worst case, a typical IPv4 routing prefix needs 22 bits and an IPv6 routing prefix needs 11 bits. The resulting prefix length is nearly equal to O(log2 N + β), where N is the number of prefixes and β is the maximum number of levels. We also demonstrate this in our experiments. With the route aggregation in IPv6, the value of β tends to be small. Also, only the referred routing prefixes have to be encoded. Thus the required length for an IPv6 prefix is likely less than 32 bits, which saves more than 75% storage.

References

1. M. Waldvogel, G. Varghese, J. Turner, and B. Plattner, Scalable High Speed IP Routing Lookups, in Proc. ACM SIGCOMM 97, pages 25-36, Cannes, France, Sept. 1997.
2. V. Srinivasan, G. Varghese and S. Suri, Packet Classification using Tuple Space Search, in ACM SIGCOMM, September 1999, pp. 135-146.
3. Pankaj Gupta and Nick McKeown, Packet Classification on Multiple Fields, in ACM SIGCOMM, September 1999, pp. 147-160.
4. V. Srinivasan, G. Varghese, S. Suri and M. Waldvogel, Fast Scalable Level Four Switching, in ACM SIGCOMM, September 1998, pp. 191-202.
5. T.V. Lakshman and D. Stiliadis, High Speed Policy-based Packet Forwarding Using Efficient Multi-dimensional Range Matching, in ACM SIGCOMM, September 1998, pp. 203-214.
6. Anja Feldmann and S. Muthukrishnan, Tradeoffs for Packet Classification, in IEEE INFOCOM, March 2000, pp. 1193-1202.
7. D. Shah and P. Gupta, Fast updating Algorithms for TCAMs, IEEE Micro Mag., 21(1):36-47, Jan.-Feb. 2001.
8. Merit Networks, Inc. Internet Performance Measurement and Analysis (IPMA) Statistics and Daily Reports. See http://www.merit.edu/ipma/routing table/.
9. NLANR Project. See http://moat.nlanr.net/.
10. Y. Rekhter, T. Li, An Architecture for IP Address Allocation with CIDR. RFC 1518, Sept. 1993.