Towards efficient security policy lookup on many-core network processing platforms

Xiang Wang; Yaxuan Qi; Kai Wang; Yibo Xue; Jun Li

doi:10.1109/CC.2015.7224697

Towards efficient security policy lookup on many-core network processing platforms

Xiang Wang^*
, Yaxuan Qi
, Kai Wang
, Yibo Xue
, Jun Li

^*Corresponding author for this work

Tsinghua University
Yunshan Networks Inc.

Research output: Contribution to journal › Review article › peer-review

2 Scopus citations

Abstract

Modern network security devices employ packet classification and pattern matching algorithms to inspect packets. Due to the complexity and heterogeneity of different search data structures, it is difficult for existing algorithms to leverage modern hardware platforms to achieve high performance. This paper presents a Structural Compression (SC) method that optimizes the data structures of both algorithms. It reviews both algorithms under the model of search space decomposition, and homogenizes their search data structures. This approach not only guarantees deterministic lookup speed but also optimizes the data structure for efficient implementation on many-core platforms. The performance evaluation reveals that the homogeneous data structure achieves 10Gbps line-rate 64byte packet classification throughput and multi-Gbps deep inspection speed.

Original language	English
Article number	7224697
Pages (from-to)	146-160
Number of pages	15
Journal	China Communications
Volume	12
Issue number	8
DOIs	https://doi.org/10.1109/CC.2015.7224697
State	Published - 1 Aug 2015
Externally published	Yes

Keywords

algorithms
data structures
packet classification
patternmatching

Access to Document

10.1109/CC.2015.7224697

Cite this

@article{1fb7b18003724e9f897ddf85a8cd601a,

title = "Towards efficient security policy lookup on many-core network processing platforms",

abstract = "Modern network security devices employ packet classification and pattern matching algorithms to inspect packets. Due to the complexity and heterogeneity of different search data structures, it is difficult for existing algorithms to leverage modern hardware platforms to achieve high performance. This paper presents a Structural Compression (SC) method that optimizes the data structures of both algorithms. It reviews both algorithms under the model of search space decomposition, and homogenizes their search data structures. This approach not only guarantees deterministic lookup speed but also optimizes the data structure for efficient implementation on many-core platforms. The performance evaluation reveals that the homogeneous data structure achieves 10Gbps line-rate 64byte packet classification throughput and multi-Gbps deep inspection speed.",

keywords = "algorithms, data structures, packet classification, patternmatching",

author = "Xiang Wang and Yaxuan Qi and Kai Wang and Yibo Xue and Jun Li",

note = "Publisher Copyright: {\textcopyright} 2013 IEEE.",

year = "2015",

month = aug,

day = "1",

doi = "10.1109/CC.2015.7224697",

language = "英语",

volume = "12",

pages = "146--160",

journal = "China Communications",

issn = "1673-5447",

publisher = "Editorial Board of Journal on Communications",

number = "8",

}

TY - JOUR

T1 - Towards efficient security policy lookup on many-core network processing platforms

AU - Wang, Xiang

AU - Qi, Yaxuan

AU - Wang, Kai

AU - Xue, Yibo

AU - Li, Jun

PY - 2015/8/1

Y1 - 2015/8/1

N2 - Modern network security devices employ packet classification and pattern matching algorithms to inspect packets. Due to the complexity and heterogeneity of different search data structures, it is difficult for existing algorithms to leverage modern hardware platforms to achieve high performance. This paper presents a Structural Compression (SC) method that optimizes the data structures of both algorithms. It reviews both algorithms under the model of search space decomposition, and homogenizes their search data structures. This approach not only guarantees deterministic lookup speed but also optimizes the data structure for efficient implementation on many-core platforms. The performance evaluation reveals that the homogeneous data structure achieves 10Gbps line-rate 64byte packet classification throughput and multi-Gbps deep inspection speed.

AB - Modern network security devices employ packet classification and pattern matching algorithms to inspect packets. Due to the complexity and heterogeneity of different search data structures, it is difficult for existing algorithms to leverage modern hardware platforms to achieve high performance. This paper presents a Structural Compression (SC) method that optimizes the data structures of both algorithms. It reviews both algorithms under the model of search space decomposition, and homogenizes their search data structures. This approach not only guarantees deterministic lookup speed but also optimizes the data structure for efficient implementation on many-core platforms. The performance evaluation reveals that the homogeneous data structure achieves 10Gbps line-rate 64byte packet classification throughput and multi-Gbps deep inspection speed.

KW - algorithms

KW - data structures

KW - packet classification

KW - patternmatching

UR - https://www.scopus.com/pages/publications/84941002223

U2 - 10.1109/CC.2015.7224697

DO - 10.1109/CC.2015.7224697

M3 - 文献综述

AN - SCOPUS:84941002223

SN - 1673-5447

VL - 12

SP - 146

EP - 160

JO - China Communications

JF - China Communications

IS - 8

M1 - 7224697

ER -

Towards efficient security policy lookup on many-core network processing platforms

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this