Slide 1
A Difference Resolution Approach to Compressing Access Control Lists
James Daly, Alex Liu, Eric Torng
Michigan State University
INFOCOM 2013

Slide 2: Motivation
• Classifiers used for many applications
  • Packet Forwarding
  • Firewalls
  • Quality of Service
• Classifiers are growing
  • New threats
  • New services

Slide 3: Motivation
• Classifier compression is an important problem
  • Device-imposed rule limits
    • NetScreen-100 allows only 733 rules
  • Simplifies rule management
  • DIFANE [Yu et al., SIGCOMM 2010]

Slide 4: Background
Packet: [2, 4]
Two classifiers over fields F1 and F2:

F1   F2   Color          F1   F2   Color
1    3    White          2    3    Black
3    3    White          1-3  3    White
1-3  1    White          1-3  2-4  Black
1-3  5    White          1-3  1-5  White
1-3  1-5  Black

Slide 5: Classifier Definition
• Classifier: list of rules
  • Tuple of d intervals over finite, discrete fields
  • Decision (accept, deny, physical port number, etc.)
• Only the first matching rule applies
• Classifiers are equivalent if they give the same result for all inputs
(same two classifiers as on slide 4)

Slide 6: Problem Definition
• Problem
  • Input: classifier
  • Output: smallest equivalent classifier
• NP-hard
(same two classifiers as on slide 4)

Slide 7: Prior Work
• Redundancy Removal [e.g. Liu and Gouda, DBSec 2005]
• Iterated Strip Rule [Applegate et al., SODA 2007]
  • Only two dimensions
  • Approximation guarantee: O(min(n^(1/3), Opt^(1/2)))
• Firewall Compressor [Liu et al., INFOCOM 2008]
  • Optimal for the weighted 1-D case
  • Works on higher dimensions

Slide 8: Motivating Example (figure)

Slide 9: Dimension Reduction (figure)

Slide 10: FC: Fully Solve Each Row
X    Y    Color
2    2-3  Green
2    5-6  Red
2    4-8  White
2    1-9  Black
4    5    Red
4    6-7  Blue
4    3-8  White
4    1-9  Black
1-4  5-6  Red
1-4  3-8  White
1-4  1-9  Black

Slides 11-14: Diplomat: Identify and Resolve Differences
(the table is built up one rule at a time over slides 11-14)
X    Y    Color
2    2-3  Green
4    6-7  Blue
1-4  5-6  Red
1-4  3-8  White
1-4  1-9  Black

Slide 15: Higher Dimensions (figure)

Slide 16: Diplomat
• Three parts
  • Base solver for the last row
    • Firewall Compressor for the 1-D case
    • Diplomat otherwise
  • Resolver
    • Given two rows, identify and resolve differences
    • Merge the rows together into one
  • Scheduler
    • Find the best order to resolve rows

Slide 17: Different Resolvers
Two equivalent classifiers for a two-row example over F1 (1-2) and F2 (1-9), as recovered from the slide's interleaved tables:

F1   F2   Color          F1   F2   Color
1    1-5  White          1    1-5  White
2    5-9  White          1    6    Black
1-2  2    Black          1    8    Black
1-2  4    Black          1-2  2    Black
1-2  6    Black          1-2  4    Black
1-2  8    Black          1-2  1-9  White
1-2  1-9  White

Slide 18: Scheduling
• Multi-row resolver: greedy schedule
• Single-row resolver: dynamic programming schedule

Slide 19: Dynamic Schedule
4x4 table (rows and columns labelled 1-4):
     1  2  3  4
1    0  2  0  2
2    1  0  1  3
3    0  2  0  2
4    1  3  1  0
(Dynamic programming table with "Source Row", "Remaining Row", "Lower Bound" and "Upper Bound" entries: figure not recoverable)

Slide 20: Results
• Comparison of Firewall Compressor and Diplomat on 40 real-life classifiers
• Divided into sets based on size
• Diplomat requires 30% fewer rules on the largest sets

Mean Compression Ratio:
Set      Firewall Compressor   Diplomat
Small    67.4%                 67.2%
Medium   50.8%                 45.7%
Large    44.5%                 30.2%
All      56.1%                 50.6%

• 2-D bounds: O(min(n^(1/3), Opt^(1/2)))

Slide 21: Conclusion
• Diplomat offers significant improvements over Firewall Compressor because it focuses on the differences between rows
• Results are most pronounced on larger classifiers
• Can guarantee an approximation bound for 2-D classifiers

Slide 22: Questions?
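As an added example (not the authors' code), the first-match and equivalence semantics of the Classifier Definition slide together with a simple single-row difference resolver in the spirit of the Resolver part of the Diplomat slide. The rule-tuple layout, the domains and the two example rows are constructed here to match the Different Resolvers slide; the resolver is an illustrative assumption, not the paper's algorithm.

```python
from itertools import product

# A rule is (f1_lo, f1_hi, f2_lo, f2_hi, decision); the first matching rule wins.
# Domains constructed to match the deck's two-row example: F1 in {1, 2}, F2 in 1..9.
F1_DOMAIN = range(1, 3)
F2_DOMAIN = range(1, 10)

def classify(rules, f1, f2):
    """First-match semantics from the Classifier Definition slide."""
    for lo1, hi1, lo2, hi2, decision in rules:
        if lo1 <= f1 <= hi1 and lo2 <= f2 <= hi2:
            return decision
    raise ValueError(f"no rule matches ({f1}, {f2})")

def equivalent(a, b, f1_dom=F1_DOMAIN, f2_dom=F2_DOMAIN):
    """Brute-force equivalence check over a finite, discrete domain."""
    return all(classify(a, x, y) == classify(b, x, y)
               for x, y in product(f1_dom, f2_dom))

def resolve_two_rows(row_a, row_b, f1_a, f1_b, f2_dom=F2_DOMAIN):
    """Illustrative single-row resolver (assumption, not the paper's algorithm).
    row_a/row_b are 1-D rule lists (f2_lo, f2_hi, decision) for F1 == f1_a and
    F1 == f1_b. Each F2 value where the rows disagree is pinned by a rule for f1_a
    alone, widened while row_a keeps that decision; row_b's rules then serve both."""
    def eval1d(rules, y):
        return next(d for lo, hi, d in rules if lo <= y <= hi)
    overrides = []
    for y in f2_dom:
        if eval1d(row_a, y) == eval1d(row_b, y):
            continue
        if any(lo <= y <= hi for _, _, lo, hi, _ in overrides):
            continue  # difference already covered by an earlier override
        d = eval1d(row_a, y)
        lo = hi = y
        while lo - 1 in f2_dom and eval1d(row_a, lo - 1) == d:
            lo -= 1
        while hi + 1 in f2_dom and eval1d(row_a, hi + 1) == d:
            hi += 1
        overrides.append((f1_a, f1_a, lo, hi, d))
    shared = [(f1_a, f1_b, lo, hi, d) for lo, hi, d in row_b]
    return overrides + shared  # the two rows are now merged into one

def unresolved(row_a, row_b, f1_a, f1_b):
    """The same rows kept separate, as FC: Fully Solve Each Row leaves them."""
    return ([(f1_a, f1_a, lo, hi, d) for lo, hi, d in row_a]
            + [(f1_b, f1_b, lo, hi, d) for lo, hi, d in row_b])

# Constructed rows matching the Different Resolvers slide (F1 == 1 and F1 == 2).
ROW_F1_1 = [(1, 5, "White"), (6, 6, "Black"), (8, 8, "Black"), (1, 9, "White")]
ROW_F1_2 = [(2, 2, "Black"), (4, 4, "Black"), (1, 9, "White")]
```

On these rows `resolve_two_rows(ROW_F1_1, ROW_F1_2, 1, 2)` returns six rules, one fewer than the seven of the separately solved rows, and `equivalent` confirms the two classifiers agree on every packet.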