Packet Classification Through Regular Expression Matching on NetFPGA
ANTICHI, GIANNI;GIORDANO, STEFANO;PROCISSI, GREGORIO;VITUCCI, FABIO
2010-01-01
Abstract
The process of classifying packets according to a set of general rules is crucial to many network functions, from QoS enforcement and network monitoring to security and firewalls. Although classification is a well studied subject, most of the literature is concerned with matching prefix based rules over the canonical 5-tuple of packet meta-data. However, we believe that future applications (e.g. layer 7 monitoring) would benefit from an increased flexibility in the definition of classification rules. Indeed, the main contribution of this paper is a novel classification method that applies pattern matching techniques (which are already widely used in the field of deep packet inspection due to their high expressiveness), to traffic classification, by specifying a rule as a pattern over a stream composed by the packet meta-data. We implemented a high performance prototype of our scheme designed for NetFPGA boards. As these devices provide a limited amount of memory, we take advantage of a very compressed version of Deterministic Finite Automata (DFA), that combines excellent compression and high speed.