| A. Hari, S. Suri, and G. Parulkar. Detecting and resolving packet filter conflicts. In Proceedings of IEEE Infocom, volume 3, pages 1203--1212, Tel Aviv, Israel, Mar. 2000. |
....conflict with any of the other rules in the database. Fig. 1. A simple example with 6 rules on two fields. A seminal paper [3] introduced these two types of conflicts and showed that subset conflicts can be avoided by positioning but overlapping conflicts cannot, in general, be avoided by repositioning. Instead, [3] suggests introducing a new rule for each area that is shared by multiple overlapping rules, for example in ....
....Fig. 1. A simple example with 6 rules on two fields. A seminal paper [3] introduced these two types of conflicts and showed that subset conflicts can be avoided by positioning but overlapping conflicts cannot, in general, be avoided by repositioning. Instead, [3] suggests introducing a new rule for each area that is shared by multiple overlapping rules, for example in the case of ## and ### , the new rule ####### ##### ### . In our paper, we will not distinguish between these two types of conflicts but describe an algorithm to identify either all the ....
A. Hari, S. Suri, and G. Parulkar, "Detecting and resolving packet filter conflicts," in Proceedings of Infocom, March 2000.
....a header (1110; 1111) will only be assigned 10 Mbps according to R2. The last two rules R4 and R5 do not have any conflict with any of the other rules in the database. Rule Field 1 Field 2 Action R5 01 10Mbps Fig. 1. A simple example with 6 rules on two fields. A seminal paper [3] introduced these two types of conflicts and showed that subset conflicts can be avoided by positioning but overlapping conflicts cannot, in general, be avoided by repositioning. Instead, [3] suggests introducing a new rule for each area that is shared by multiple overlapping rules, for example in ....
....ield 2 Action R5 01 10Mbps Fig. 1. A simple example with 6 rules on two fields. A seminal paper [3] introduced these two types of conflicts and showed that subset conflicts can be avoided by positioning but overlapping conflicts cannot, in general, be avoided by repositioning. Instead, [3] suggests introducing a new rule for each area that is shared by multiple overlapping rules, for example in the case of R0 and R1, the new rule (00; 11). In our paper, we will not distinguish between these two types of conflicts but describe an algorithm to identify either all the conflicting ....
A. Hari, S. Suri, and G. Parulkar, "Detecting and resolving packet filter conflicts," in Proceedings of Infocom, March 2000.
....) What we do for intersection calculation is to do string matching to find out those filters with common prefix in all fields. Performance can be greatly improved by using a trie based algorithm. The detail description of a trie based algorithm to calculate filter intersection can be found in [20]. It appears to be not too difficult to separate traffic flows into bundles and find requirement list for each bundle. However, there is performance concern as follows. To group traffic flows into bundles, we need a lot of filter difference calculation. The difference calculation could be very ....
A. Hari, S. Suri, G. Parulkar, "Detecting and Resolving Packet Filter Conflicts", Infocom 2000, Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies, Proceedings, IEEE, pp. 1203-1212, Vol.3.
....the work has focused on performance issues and hardware implementations; Feldman and Muthukrishnan [10] give a recent summary and a good bibliography of the topic. Although performance issues are not directly related to security, the problem of detecting conflicts in packet filters is. Hari et al. [12] have applied these techniques to analyzing access lists from a security viewpoint, and Eppstein et al. [9] present a fast algorithm for detecting conflicts. 6 Evaluation and future work The main benefits of our system are the use of logic programming and a generic inference engine. Logic ....
Adiseshu Hari, Subhash Suri, and Guru Parulkar. Detecting and resolving packet filter conflicts. In Proceedings of IEEE INFOCOM 2000, pages 1203--1212, Tel Aviv, Israel, March 2000.
....is the same. Therefore, it is impossible to find a natural ordering between the two; the ambiguity cannot be resolved. If it is known in advance that only few entries will contain ambiguities, it may be possible to split the entry into several sub entries to resolve ambiguities, as described in [1]. To resolve ambiguity, several solutions have been proposed: Unspecified There is no simple way to know in advance which of the matching entries will be returned. This is the simplest solution, but seldom satisfactory, unless ambiguities can be prevented to appear in the database in the first ....
....resolve ambiguity, several solutions have been proposed: Unspecified There is no simple way to know in advance which of the matching entries will be returned. This is the simplest solution, but seldom satisfactory, unless ambiguities can be prevented to appear in the database in the first place ([1]) Unfortunately, a general solution requires # memory, with the number of filters and the number of dimensions. Priorities of Dimensions The dimensions are prioritized against each other. Without loss of generality, it can be assumed that the dimensions are sorted in order of ....
H. Adiseshu, S. Suri, and G. Parulkar. Detecting and resolving packet filter conflicts. In Proceedings of IEEE Infocom 2000, March 2000.
....with an earlier filter. If there are no conflicts, then we let the new filter be added. If it does conflict with an existing filter, we use priorities among the programs to decide if the new filter should be added or not. A filter conflict detection algorithm based on tries was presented in [23] which works for 2 dimensional filters and takes ### # # # # # time, where # # is the length of field #. For multi dimensional filters, however, we do a linear scan of the database to find conflicts. While this will take linear time, notice that this is done on the router management processor and ....
Hari Adiseshu, Guru Parulkar, and Subash Suri, "Detecting and Resolving Packet Filter Conflicts," Proceedings of IEEE Infocom 2000, vol. (March), 2000.
....let n denote the number of filters in F. The value of n varies depending on where filtering is done: backbone routers may have hundreds of thousands of filters, firewalls may only have a few hundreds, etc. All numbers are integers in the range $[0, U-1]$; for IP addresses, this is currently $[0, 2^{32}-1]$, but may go up to $2^{64}$ or higher in IPv6. 1.2 Our Results Our main results are as follows. Packet Classification Problem. We present an algorithm for this problem with different tradeoffs for data structure space vs filtering time. In particular, we obtain very fast classification times ....
....upon the #(n 1 # ) space needed by [7, 8] which is the previously best known result. Furthermore, our result is easily implementable; hence, it additionally holds promise as a practical packet classification solution. The filter conflict detection problem has received attention only recently [1]. That work was primarily motivated by detecting security holes in firewalls. Filter databases in firewalls get modified by systems administrators manually or automatically (for example, when a host from inside a firewall requests a TCP connection with a host outside, a filter may be added to the ....
H. Adiseshu, S. Suri, and G. Parulkar. Detecting and resolving packet filter conflicts. In Proc. INFOCOM, volume 3, pages 1203--1212. IEEE, March 2000.
....[4] report that filter databases of sizes up to #### had only #### conflicts, whereas the worst case bound would have been # ## . When a filter database does have conflicts, there is an elegant way to remove them by inserting additional filters covering the region of overlap. See Hari et al. [5]. Thus, from a practical standpoint, we can assume that real databases are conflict free. Our main contribution in this paper is to show that binary search can be used for packet classification in 2D filters if the filters are conflict free. Thus we are able to identify and solve an important ....
....##### is matched by both # # and # # . Filter # # is more specific in the destination field whereas filter # # is more specific in source field. In case of filter conflict, there is ambiguity regarding action corresponding to which filter should be taken for the packet. As proposed by Hari et al. [5], a general way to resolve conflicts is to introduce conflict resolution filters. As shown in Figure 1, introduction of a new filter # # # ####### ###### allows determination of a unique best matching filter for any possible source, destination values. The 2 field conflict free packet ....
A. Hari, S. Suri, and G. Parulkar, "Detecting and resolving packet filter conflicts," in Proceedings of IEEE INFOCOMM'2000.
....address is between 8 and 32 bits long. In IP version 6, the hosts will be assigned 128 bit long addresses. For the sake of generality, we assume that each host address is w bits long. Taking a geometric view, a network address prefix corresponds to a contiguous interval of the discrete line [0, 2 1]. The routers in the current Internet route packets based only on the destination address of the packet. Thus, each router maintains a routing table, containing a set of network address prefixes; associated with each prefix is a next hop label, which is the router to which the packet is ....
....to provide a high bandwidth connection between two different sites of a company. Such refined forwarding is part of the next generation Internet design, and falls within the broader scope of layer four packet classification, where packets are routed using arbitrary fields of the packet header [1], [9], [10], [12], [15], [16], [17]. Routers capable of packet classification can implement many advanced services, such as firewall access control, Virtual Private Networks, and quality of service routing. In this paper we focus on a particular problem that arises in the context of using ....
H. Adiseshu, S. Suri, and G. Parulkar. Detecting and Resolving Packet Filter Conflicts. Proc. of IEEE INFOCOM 2000.
....[4] report that filter databases of sizes up to 1734 had only 2581 conflicts, whereas the worst case bound would have been 10 13 . When a filter database does have conflicts, there is an elegant way to remove them by inserting additional filters covering the region of overlap. See Hari et al. [5]. Thus, from a practical standpoint, we can assume that real databases are conflict free. Our main contribution in this paper is to show that binary search can be used for packet classification in 2D filters if the filters are conflict free. Thus we are able to identify and solve an important ....
....01010 is matched by both F1 and F2. Filter F1 is more specific in the destination field whereas filter F2 is more specific in source field. In case of filter conflict, there is ambiguity regarding action corresponding to which filter should be taken for the packet. As proposed by Hari et al. [5], a general way to resolve conflicts is to introduce conflict resolution filters. As shown in Figure 1, introduction of a new filter F3 = (1011; 0101) allows determination of a unique best matching filter for any possible source, destination values. The 2 field conflict free packet ....
A. Hari, S. Suri, and G. Parulkar, "Detecting and resolving packet filter conflicts," in Proceedings of IEEE INFOCOMM'2000, 2000.
....filter databases of sizes up to 8 5 had only AB8 conflicts, whereas the worst case bound would have been CD8FE 3HG . When a filter database does have conflicts, there is an elegant way to remove them by inserting additional filters covering the region of overlap. See Hari et al. [5]. Thus, from a practical standpoint, we can assume that real databases are conflict free. Our main contribution in this paper is to show that binary search can be used for packet classification in 2D filters if the filters are conflict free. Thus we are able to identify and solve an important ....
....matched by both h 3 and h N . Filter h 3 is more specific in the destination field whereas filter h is more specific in source field. In case of filter conflict, there is ambiguity regarding action corresponding to which filter should be taken for the packet. As proposed by Hari et al. [5], a general way to resolve conflicts is to introduce conflict resolution filters. As shown in Figure 1, introduction of a new filter h G # n8FE 8 85qsawE 8FE 85q5 allows determination of a unique best matching filter for any possible source, destination values. The 2 field conflict free ....
A. Hari, S. Suri, and G. Parulkar, "Detecting and resolving packet filter conflicts," in Proceedings of IEEE INFOCOMM'2000, 2000.
No context found.
A. Hari, S. Suri, and G. Parulkar. Detecting and resolving packet filter conflicts. In Proceedings of IEEE Infocom, volume 3, pages 1203--1212, Tel Aviv, Israel, Mar. 2000.
No context found.
A. Hari, S. Suri, and G. Parulkar, "Detecting and Resolving Packet Filter Conflicts," in Proceedings of IEEE Infocom, 2000.