Abstract
Packet filters are rules for classifying packets based on their header fields. A filter conflict occurs when two or more filters overlap, creating an ambiguity in packet classification. There has been prior work on conflict detection for multi-dimensional classifiers, but its efficiency and scalability are poor. A new algorithm is proposed that uses a hashing-based PATRICIA trie. The new algorithm detects conflicts in classifiers quickly and scales well. Its technique for processing transport-level ports provides more security than existing algorithms.
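To make the notion of a filter conflict concrete, the following is an added example and not the paper's algorithm: a brute-force pairwise check over filters with source prefix, destination prefix and a transport-level port range. The `Filter` class, the rule set, the "different actions" criterion and the nested/crossing labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

@dataclass(frozen=True)
class Filter:
    name: str
    src: str        # source prefix in CIDR form
    dst: str        # destination prefix in CIDR form
    dport: tuple    # inclusive (low, high) destination port range
    action: str

def _fields(f):
    """Express every field as an inclusive integer interval."""
    s, d = ip_network(f.src), ip_network(f.dst)
    return [(int(s.network_address), int(s.broadcast_address)),
            (int(d.network_address), int(d.broadcast_address)),
            tuple(f.dport)]

def overlaps(a, b):
    """True if at least one packet header matches both filters."""
    return all(lo1 <= hi2 and lo2 <= hi1
               for (lo1, hi1), (lo2, hi2) in zip(_fields(a), _fields(b)))

def contains(a, b):
    """True if every packet matching b also matches a."""
    return all(lo1 <= lo2 and hi2 <= hi1
               for (lo1, hi1), (lo2, hi2) in zip(_fields(a), _fields(b)))

def find_conflicts(filters):
    """Return (name, name, kind) for overlapping filters with different actions."""
    found = []
    for a, b in combinations(filters, 2):
        if a.action == b.action or not overlaps(a, b):
            continue
        # "nested": one filter is a strict special case of the other.
        # "crossing": neither contains the other, so no ordering by
        # specificity decides which action applies to the shared packets.
        kind = "nested" if contains(a, b) or contains(b, a) else "crossing"
        found.append((a.name, b.name, kind))
    return found

# Constructed sample rule set (not taken from the paper).
RULES = [
    Filter("F1", "10.0.0.0/8", "192.168.1.0/24", (0, 65535), "deny"),
    Filter("F2", "10.1.0.0/16", "192.168.0.0/16", (80, 80), "allow"),
    Filter("F3", "10.1.2.0/24", "192.168.1.0/24", (1024, 65535), "allow"),
    Filter("F4", "172.16.0.0/12", "0.0.0.0/0", (22, 22), "allow"),
]

if __name__ == "__main__":
    for pair in find_conflicts(RULES):
        print(pair)
```

This check compares every pair of filters, so its cost grows quadratically with the size of the classifier, which is the scalability problem that trie-based approaches aim to avoid.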
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Li, X., Ji, Z., Hu, M. (2005). A Fast and Scalable Conflict Detection Algorithm for Packet Classifiers. In: Pan, Y., Chen, D., Guo, M., Cao, J., Dongarra, J. (eds) Parallel and Distributed Processing and Applications. ISPA 2005. Lecture Notes in Computer Science, vol 3758. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11576235_34
DOI: https://doi.org/10.1007/11576235_34
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29769-7
Online ISBN: 978-3-540-32100-2
eBook Packages: Computer Science (R0)