Publication


Featured research published by Sven Hager.


Local Computer Networks | 2014

MPFC: Massively Parallel Firewall Circuits

Sven Hager; Frank Winkler; Björn Scheuermann; Klaus Reinhardt

The process of matching the header fields of network packets against a set of rules is a performance critical task of firewalls. Software-based solutions have no chance to keep pace with the ever-growing data rates in high-speed networks. However, specialized filtering hardware is costly because complex logic is required in order to be able to apply arbitrary rulesets to a packet stream. By adapting the implemented logic to the specific firewall ruleset, FPGAs allow for much more specifically tailored and thus more efficient processing than ruleset-independent circuits in an ASIC. We present MPFC, a method to generate customized firewall circuits in the form of synthesizable VHDL code for FPGA configuration. The highly parallel MPFC circuits achieve a deterministic throughput of one packet per clock cycle, can be operated at high clock frequencies, and provide orders of magnitude shorter processing latencies than previous work in this direction.


Conference on Emerging Network Experiment and Technology | 2014

Trees in the List: Accelerating List-based Packet Classification Through Controlled Rule Set Expansion

Sven Hager; Stefan Selent; Björn Scheuermann

Network packet classification is performed by a wide variety of network devices, like routers or firewalls. Accordingly, researchers have put great efforts in the development of fast packet classification algorithms. However, despite the fact that such approaches have been around for over a decade, most classification systems used in practice still rely on the slow linear search approach. In this work, we propose a methodology that enables linear search-based systems with jump semantics to take advantage of the superior matching performance of decision tree algorithms, without the need to touch the underlying system implementation. By performing source-to-source transformations on packet classification rule sets, we encode decision trees inside of the modified rule sets in order to guide and tweak the originally linear matching process. We implement this in a proof-of-concept tool which transforms Linux iptables firewall rule sets. Our evaluation demonstrates that throughput performance boosts of one order of magnitude and more are possible - without changing the semantics of the rule set, and without any modifications to the matching engine.


Architectures for Networking and Communications Systems | 2016

HyPaFilter: A Versatile Hybrid FPGA Packet Filter

Andreas Fiessler; Sven Hager; Björn Scheuermann; Andrew W. Moore

With network traffic rates continuously growing, security systems like firewalls are facing increasing challenges to process incoming packets at line speed without sacrificing protection. Accordingly, specialized hardware firewalls are increasingly used in high-speed environments. Hardware solutions, though, are inherently limited in terms of the complexity of the policies they can implement, often forcing users to choose between throughput and comprehensive analysis. On the contrary, complex rules typically constitute only a small fraction of the rule set. This motivates the combination of massively parallel, yet complexity-limited specialized circuitry with a slower, but semantically powerful software firewall. The key challenge in such a design arises from the dependencies between classification rules due to their relative priorities within the rule set: complex rules requiring software-based processing may be interleaved at arbitrary positions between those where hardware processing is feasible. We therefore discuss approaches for partitioning and transforming rule sets for hybrid packet processing, and propose HyPaFilter, a hybrid classification system based on tailored circuitry on an FPGA as an accelerator for a Linux netfilter firewall. Our evaluation demonstrates 30-fold performance gains in comparison to software-only processing.


Reconfigurable Computing and FPGAs | 2015

Partial reconfiguration and specialized circuitry for flexible FPGA-based packet processing

Sven Hager; Daniel Bendyk; Björn Scheuermann

In order to process network packets at high rates, network functions like routing or firewalling require specialized hardware like TCAMs (Ternary Content Addressable Memories), ASICs (Application Specific Integrated Circuits), or GPUs (Graphics Processing Units). Such hardware must be fast enough to process packets at line rate, and furthermore, it must be programmable in order to update the packet processing policy (e.g., a forwarding table or firewall rule set). From a fundamental point of view, though, these goals are conflicting because a generic programmable circuit must provide sufficient resources to support a wide range of policies, which can lead to unused circuitry and low clock rates. In addition, it misses logic optimization opportunities with regard to the structure of the installed policy. In this work, we investigate the optimization potential of automatically generated network processing circuits that are tailor-made for a specific policy. Using the example of router forwarding information bases (FIBs), we demonstrate that circuits which are partially evaluated with respect to the implemented FIB need more than one order of magnitude less logic resources than an equivalent generic forwarding circuit. We combine this approach with the partial reconfiguration capability of FPGAs in order to obtain an efficient low-latency forwarding engine whose matching circuitry can be replaced on demand.


IEEE/ACM Transactions on Networking | 2017

HyPaFilter+: Enhanced Hybrid Packet Filtering Using Hardware Assisted Classification and Header Space Analysis

Andreas Fiessler; Claas Lorenz; Sven Hager; Björn Scheuermann; Andrew W. Moore

Firewalls, key components for secured network infrastructures, are faced with two different kinds of challenges: first, they must be fast enough to classify network packets at line speed, and second, their packet processing capabilities should be versatile in order to support complex filtering policies. Unfortunately, most existing classification systems do not qualify equally well for both requirements: systems built on special-purpose hardware are fast, but limited in their filtering functionality. In contrast, software filters provide powerful matching semantics, but struggle to meet line speed. This motivates the combination of parallel, yet complexity-limited specialized circuitry with a slower, but versatile software firewall. The key challenge in such a design arises from the dependencies between classification rules due to their relative priorities within the rule set: complex rules requiring software-based processing may be interleaved at arbitrary positions between those where hardware processing is feasible. Therefore, we discuss approaches for partitioning and transforming rule sets for hybrid packet processing. As a result, we propose HyPaFilter+, a hybrid classification system consisting of an FPGA-based hardware matcher and a Linux netfilter firewall, which provides a simple, yet effective hardware/software packet shunting algorithm. Our evaluation shows up to 30-fold throughput gains over software packet processing.


Architectures for Networking and Communications Systems | 2016

Minflate: Combining Rule Set Minimization with Jump-based Expansion for Fast Packet Classification

Sven Hager; Patrik John; Andreas Fiessler; Björn Scheuermann

Network packet classification is a key functionality for packet filters and firewalls, and its performance is crucial for such systems to maintain a high packet throughput under heavy load situations. However, many existing packet filters employ slow classification algorithms which cannot provide the required lookup performance due to slow rule set traversal. In this work, we address this problem by providing a novel rule set transformation strategy called Minflate which combines the advantages of existing orthogonal transformation schemes by first minimizing a source rule set and then encoding decision trees into the minimized rule set. Our results show that the Minflate-generated rule sets are both small and can in many cases be traversed faster than rule sets transformed by existing techniques in isolation.


Computer Networks | 2018

RuleBender: Tree-based Policy Transformations for Practical Packet Classification Systems

Sven Hager; Patrik John; Stefan Dietzel; Björn Scheuermann

Many existing packet filter implementations use rule set guided packet classification to discriminate incoming network traffic. However, these implementations often rely on slow linear search through the rule set, which diminishes the achievable throughput. Therefore, we propose RuleBender, a rule set transformation technique that encodes decision tree search structures into the transformed rule set, which in turn can be traversed significantly faster. To this end, RuleBender uses the widely supported jump action feature, which enables the redirection of the matching flow to another rule in the otherwise linearly traversed rule set. That way, incoming packets are directed to small sub-rule sets that can be searched quickly. In contrast to related work, RuleBender is not restricted to rules that exclusively define geometric matching criteria such as range or subnet tests, but instead inherently supports complex tasks such as payload inspection. RuleBender-generated rule sets can lead to throughput increases up to 13x when compared to the unmodified rule sets, and up to 4x when compared to related work.


High Performance Switching and Routing | 2017

Flexible line speed network packet classification using hybrid on-chip matching circuits

Andreas Fiessler; Sven Hager; Björn Scheuermann

Packet classification is a core feature needed in firewalls, SDN switches, and QoS routers. Current research to accelerate the classification with hardware employing Field-programmable Gate Arrays (FPGAs) created a variety of approaches, with significant differences in terms of hardware resource requirements, memory usage, configuration update time, and power dissipation. However, there is no optimal, universal method for classification at link rate, due to inherent conflicts between large generic circuits with high resource consumption, and optimized circuits with limited versatility. Thus, current implementations have different trade-offs in terms of memory usage, resource requirements, power consumption, and flexibility. As a new approach to tackle this challenge, we present a hybrid concept that combines a highly optimized configuration-specialized and thus energy- and resource-efficient classification circuit with a generic matching circuit whose configuration can be updated quickly. The combined circuit can thus support reasonably fast configuration updates, has a low power dissipation, and can process network packets at link rate.


Journal of Parallel and Distributed Computing | 2017

Matching circuits can be small: Partial evaluation and reconfiguration for FPGA-based packet processing

Sven Hager; Daniel Bendyk; Björn Scheuermann

Network functions like routing or firewalling require specialized hardware such as FPGAs to process packets at high rates. Such hardware must be fast enough to process packets at line rate, and it must be programmable to update the installed packet processing policy. However, these goals are conflicting because a generic programmable circuit must provide sufficient resources to support a wide range of policies, which can lead to unused circuitry and low clock rates. Also, it misses logic optimization opportunities with regard to the structure of the installed policy. In this work, we investigate the optimization potential of policy-specific generated network processing circuits. Using the example of router forwarding information bases (FIBs), we demonstrate that FIB-specialized circuits need significantly fewer logic resources than equivalent generic forwarding circuits. In combination with the partial reconfiguration capability of FPGAs, we obtain efficient low-latency forwarding engines whose matching circuitry can be replaced on demand.


Local Computer Networks | 2015

JitVector: Just-in-time code generation for network packet classification

Samuel Brack; Sven Hager; Björn Scheuermann

Network packet classification plays a pivotal role in packet-switched networks; it is at the heart of many functions including firewalling, QoS routing, and OpenFlow-based switching. However, packet classification is a hard problem, as packets must be classified within a short time frame. Existing classification techniques use sophisticated data structures which are traversed by generic search algorithms - that is, the algorithm is static, while the data structure reflects the configuration of the classifier. In this paper, we propose to break up the strict separation between data structure and algorithm by specializing the algorithm's implementation on the specific classification rules. We demonstrate the feasibility of our approach by introducing JitVector, which builds upon the well-known bit vector classification algorithm, but generates instance-specific machine code at runtime. In our evaluation, which also includes an integration into the OpenFlow Reference Switch, we show that JitVector achieves significant performance gains over an equivalent generic search scheme.

Collaboration


Sven Hager's collaborators.

Top Co-Authors (all at Humboldt University of Berlin):

Björn Scheuermann
Daniel Bendyk
Frank Winkler
Klaus Reinhardt
Patrik John
Samuel Brack
Stefan Selent
Wladislaw Gusew