R2-D2: Filter Rule set Decomposition and Distribution in Software Defined Networks

Academic year: 2021


HAL Id: hal-03036292

https://hal.inria.fr/hal-03036292

Submitted on 2 Dec 2020

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.



Ahmad Abboud, Rémi Garcia, Abdelkader Lahmadi, Michaël Rusinowitch, Adel Bouhoula

To cite this version:

Ahmad Abboud, Rémi Garcia, Abdelkader Lahmadi, Michaël Rusinowitch, Adel Bouhoula. R2-D2: Filter Rule set Decomposition and Distribution in Software Defined Networks. CNSM 2020 - 16th International Conference on Network and Service Management, Nov 2020, Izmir/Virtual, Turkey. ⟨hal-03036292⟩


R2-D2: Filter Rule set Decomposition and Distribution in Software Defined Networks

Ahmad Abboud (1,2), Rémi Garcia (3,1), Abdelkader Lahmadi (2), Michaël Rusinowitch, Adel Bouhoula (4)

(1) Université de Lorraine, CNRS, Inria, Loria, F-54000 Nancy, France
(2) NUMERYX TECHNOLOGIES, France
(3) IPB Enseirb-Matmeca, France
(4) College of Graduate Studies, Arabian Gulf University, Kingdom of Bahrain

Background and Motivation

Context

- Large number of filtering rules due to the increasing number of hosts and applications.

- Increase in the number of attacks that affect entries in access-control lists (ACL).

- Expensive and power-hungry ternary content-addressable memory (TCAM).

Research question

How to decompose and distribute filtering rules on a set of limited-size switch tables?

Overview of Longest prefix matching (LPM) representation

Rule   Address field   Action
1      00**            A1
2      000*            A2

Table: Example of a rule set in a switch table.

If a switch receives a packet with 0001 as address:

Prioritized list strategy: Rule 1 is first, A1 is applied.

LPM strategy: Rule 2 is most specific, A2 is applied.

Rule Representation

- Single field filtering.

- Sufficient for blacklists.

- Rules represented in a binary tree.

- One rule at most on each tree node.

Figure: Compact representation of rule prefixes (00*,01*,0*,1*,0*) in a binary tree (nodes: root *, children 0* and 1*, and 00* and 01* below 0*).

Decomposition Algorithm

- Input a set of rules and switches.

- Search the binary tree in order to find the best candidates.

- All rules present in the chosen node and in all nodes below it are added to the switch.

- Minimize the number of generated rules by merging old forward rules with the ones from the best candidates.

- No rule duplication.

Figure (flowchart): choose candidates; generate forward rules; add the chosen candidates and forward rules to switch i; remove the chosen rules from the binary tree; start over with the new binary tree and switch i+1.

Forward Rule Generation

- Forward rules avoid processing packets filtered by previous switches multiple times.

- Rules with a deny action do not require a forward rule to be generated.

Rule set:

IP     Action
000*   A1
0***   A2
00**   A3
****   A4

Switch 1:

IP     Action
000*   A1
00**   A3
****   Forward

Switch 2:

IP     Action
00**   Forward
0***   A2
****   A4

Figure: Illustration of forward rule generation with a rule set and two successive switches.
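As an added worked example (my own code, not the poster's or the authors'), the two matching strategies from the LPM table above and the forward-rule split from the figure: `split`, `pipeline` and the deny shortcut are hypothetical names, and the 4-bit rule sets are constructed from the poster's tables.

```python
# Added example, not from the poster: longest-prefix matching and the
# forward-rule split of a single-field rule set across two successive
# switches, using the 4-bit rule sets from the poster's tables.
# A prefix is '0'/'1' bits followed by '*' wildcards, e.g. "00**".

def matches(prefix, addr):
    """True if every non-wildcard bit of prefix equals the bit of addr."""
    return all(p == "*" or p == a for p, a in zip(prefix, addr))

def specificity(prefix):
    return sum(1 for c in prefix if c != "*")

def first_match(rules, addr):
    """Prioritized-list strategy: the first matching rule wins."""
    return next((a for p, a in rules if matches(p, addr)), None)

def lpm(rules, addr):
    """LPM strategy: the most specific matching rule wins."""
    hits = [(specificity(p), a) for p, a in rules if matches(p, addr)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def split(rules, subtree, deny="deny"):
    """Give the rules under prefix `subtree` to switch i, the rest to switch
    i+1. Switch i forwards everything else; switch i+1 gets a forward rule
    for the subtree unless every rule in it denies (dropped packets never
    arrive, which is the poster's deny-action remark)."""
    mine = [(p, a) for p, a in rules if matches(subtree, p)]
    rest = [(p, a) for p, a in rules if not matches(subtree, p)]
    first = mine + [("*" * len(subtree), "forward")]
    second = rest if all(a == deny for _, a in mine) else [(subtree, "forward")] + rest
    return first, second

def pipeline(switches, addr):
    """Run a packet through successive switches; 'forward' hands it on."""
    for table in switches:
        action = lpm(table, addr)
        if action != "forward":
            return action
    return "forward"

def equivalent(rules, switches, width=4):
    """Every address must get the same action from the split pipeline as
    from LPM over the original rule set."""
    addrs = [f"{i:0{width}b}" for i in range(2 ** width)]
    return all(pipeline(switches, a) == lpm(rules, a) for a in addrs)

# Constructed inputs copied from the poster's tables.
TABLE = [("00**", "A1"), ("000*", "A2")]    # "0001": first_match -> A1, lpm -> A2
RULE_SET = [("000*", "A1"), ("0***", "A2"), ("00**", "A3"), ("****", "A4")]
SWITCH1, SWITCH2 = split(RULE_SET, "00**")  # node 00* chosen for switch 1
```

`equivalent(RULE_SET, [SWITCH1, SWITCH2])` returns True, confirming that the two-switch path with forward rules reproduces the original LPM decisions for all 16 addresses.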

Decomposition over a graph

- Series-parallel graphs.

- Build the binary tree from a parallel and series composition.

- Simplify the binary tree using S-components.

- Packets with different sources will be processed by the same rule table of an intersection switch.

Figure: S-component.

Figure: Tree representation of a series-parallel graph (binary tree of series (S) and parallel (P) compositions representing graph G; graph G; binary tree using S-components).

Evaluation

- 12 sets of data generated using ClassBench.

- Percentage of rules with a forward action varied between 0% and 100%.

- Rules with the same action type have zero overhead.

- Around 15% overhead for a path length of 8 switches.

Figure (a): Effect of the action field on overhead OH and Cmin using the acl1 rule set (x-axis: percentage of "forward" action; y-axes: overhead and Cmin).

Figure (b): Rule space overhead while distributing a rule set with 50% of rules having Forward actions (x-axis: path length from 1 to 8; y-axis: overhead).

Acknowledgement

This work is supported by a CIFRE convention between the ANRT (National Association of Research and Technology) and the company NUMERYX Technologies.
