Fast Packet Classification for Two-Dimensional Conflict-Free Filters

Routers can use packet classification to support advanced functions such as QoS routing, virtual private networks and access control. Unlike traditional routers, which forward packets based on destination address only, routers with packet classification capability can forward packets based on multiple header fields, such as source address, protocol type, or application port numbers. The destinationbased forwarding can be thought of as one-dimensional packet classification. While several efficient solutions are known for the onedimensional IP lookup problem, the multi-dimensional packet classification has proved to be far more difficult. While an time scheme is known for the IP lookup, Srinivisan et al. [1] show a lower bound of for dimensional filter lookup, where is the number of bits in a header field. In particular, this lower bound precludes the possibility of a binary search like scheme even for 2dimensional filters (say, IP source and destination pairs). In this paper, we examine this lower bound more closely, and discover that the lower bound depends crucially on conflicts in the filter database. We then show that for twodimensional conflict-free filters, a binary search scheme does work! Our lookup scheme requires hashes in the worst-case, and uses memory. Alternatively, our algorithm can be viewed as making calls to a prefix lookup scheme. It has been observed in practice that filter databases have very few conflicts, and these conflicts can be removed by adding additional filters (one per conflict). Thus, our scheme may also be quite practical. Our simulation and experimental results show that the proposed scheme also performs as good as or better than existing schemes. For example, on real firewall data-sets with over rules consisting of source and destination IP prefixes, our algorithm performs worst case hashes. For filter sets containing arbitrarily many filtering rules with IP prefixes, the worst case search time guaranteed is utmost hashes.