A Difference Resolution Approach to Compressing Access Control Lists
James Daly, Alex Liu, Eric Torng
Michigan State University
INFOCOM 2013
Motivation
• Classifiers used for many applications
  • Packet Forwarding
  • Firewalls
  • Quality of Service
• Classifiers are growing
  • New threats
  • New services
Motivation
• Classifier compression is an important problem
• Device imposed rule limits
  • NetScreen-100 allows only 733 rules
• Simplifies rule management
  • DIFANE [Yu et al. SIGCOMM 2010]
Background
F1 F2 Color
1 3 White
3 3 White
1-3 1 White
1-3 5 White
1-3 1-5 Black
F1 F2 Color
2 3 Black
1-3 3 White
1-3 2-4 Black
1-3 1-5 White
Packet: [2, 4]
Classifier Definition
• Classifier: list of rules
  • Tuple of d intervals over finite, discrete fields
  • Decision (accept, deny, physical port number, etc.)
• Only first matching rule applies
• Classifiers equivalent if they give the same result for all inputs
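The first-match rule and the equivalence definition can be checked directly against the two Background tables. The following Python example is added here and is not code from the presentation; the field domains (F1 in 1..3, F2 in 1..5) are an assumption read off each table's catch-all rule, and `classify` and `first_difference` are hypothetical names.

```python
from itertools import product

# Rules are (F1 interval, F2 interval, decision); intervals are inclusive (lo, hi).
# Both lists are transcribed from the two Background tables on this page.
CLASSIFIER_A = [
    ((1, 1), (3, 3), "White"),
    ((3, 3), (3, 3), "White"),
    ((1, 3), (1, 1), "White"),
    ((1, 3), (5, 5), "White"),
    ((1, 3), (1, 5), "Black"),
]
CLASSIFIER_B = [
    ((2, 2), (3, 3), "Black"),
    ((1, 3), (3, 3), "White"),
    ((1, 3), (2, 4), "Black"),
    ((1, 3), (1, 5), "White"),
]
# Assumption: field domains are F1 in 1..3 and F2 in 1..5, read off the
# catch-all last rule of each table.
DOMAIN = [range(1, 4), range(1, 6)]


def classify(classifier, packet):
    """Return the decision of the first rule whose intervals all contain the packet."""
    for *intervals, decision in classifier:
        if all(lo <= v <= hi for (lo, hi), v in zip(intervals, packet)):
            return decision
    return None  # no rule matched: the rule list does not cover this packet


def first_difference(c1, c2, domain=DOMAIN):
    """Return a packet the two classifiers decide differently, or None if equivalent."""
    for packet in product(*domain):
        if classify(c1, packet) != classify(c2, packet):
            return packet
    return None


if __name__ == "__main__":
    # The slide's sample packet [2, 4] under both classifiers.
    print(classify(CLASSIFIER_A, (2, 4)), classify(CLASSIFIER_B, (2, 4)))
    # Exhaustive equivalence check over the assumed domain.
    print(first_difference(CLASSIFIER_A, CLASSIFIER_B))
    # Swapping the first two rules of B changes its semantics: order matters.
    swapped = [CLASSIFIER_B[1], CLASSIFIER_B[0]] + CLASSIFIER_B[2:]
    print(first_difference(CLASSIFIER_A, swapped))
```

Exhaustive enumeration is only practical for small domains like this one; it is used here to make the definition of equivalence concrete.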
Problem Definition
• Problem
  • Input: classifier
  • Output: smallest equivalent classifier
• NP-Hard
Prior Work
• Redundancy Removal [e.g. Liu and Gouda. DBSec 2005]
• Iterated Strip Rule [Applegate et al. SODA 2007]
  • Only two dimensions
  • Approximation guarantee: O(min(n^{1/3}, Opt^{1/2}))
• Firewall Compressor [Liu et al. INFOCOM 2008]
  • Optimal weighted 1-D case
  • Works on higher dimensions
Motivating Example
Dimension Reduction
FC: Fully Solve Each Row
X Y Color
2 2-3 Green
2 5-6 Red
2 4-8 White
2 1-9 Black
4 5 Red
4 6-7 Blue
4 3-8 White
4 1-9 Black
1-4 5-6 Red
1-4 3-8 White
1-4 1-9 Black
X Y Color
2 2-3 Green
2 5-6 Red
2 4-8 White
2 1-9 Black
4 5 Red
4 6-7 Blue
4 3-8 White
4 1-9 Black
X Y Color
2 2-3 Green
2 5-6 Red
2 4-8 White
2 1-9 Black
Diplomat: Identify and Resolve Differences
X Y Color
2-3 2 Green
X Y Color
2-3 2 Green
6-7 4 Blue
X Y Color
2-3 2 Green
6-7 4 Blue
5-6 1-4 Red
3-8 1-4 White
1-9 1-4 Black
Higher Dimensions
Diplomat
• Three parts
• Base solver for the last row
  • Firewall Compressor for 1D case
  • Diplomat otherwise
• Resolver
  • Given two rows identify and resolve differences
  • Merge rows together into one
• Scheduler
  • Find best order to resolve rows
F1 F2 Color
1 1-5 White
2 5-9 White
F1 F2 Color
1-1 1-5 White
1 6 Black
1 8 Black
Different Resolvers
F1 F2 Color
1 1-5 White
2 5-9 White
1-2 2 Black
1-2 4 Black
1-2 6 Black
1-2 8 Black
1-2 1-9 White
F1 F2 Color
1 1-5 White
1 6 Black
1 8 Black
1-2 2 Black
1-2 4 Black
1-2 1-9 White
Scheduling
• Multi-row resolver: greedy schedule
• Single-row resolver: dynamic programming schedule
Dynamic Schedule
Axes: Remaining Row, Source Row
    1  2  3  4
1   0  2  0  2
2   1  0  1  3
3   0  2  0  2
4   1  3  1  0

Axes: Upper Bound, Lower Bound
    1     2         3             4
1   1:0   1:1 2:2   1:1 2:4 3:1   1:2 2:3 3:2 4:3
2         2:0       2:2 3:1       2:3 3:2 4:3
3                   3:0           3:1 4:2
4                                 4:0
Results
• Comparison of Firewall Compressor and Diplomat on 40 real-life classifiers
  • Divided into sets based on size
• Diplomat requires 30% fewer rules on largest sets
• 2-D bounds: O(min(n^{1/3}, Opt^{1/2}))

Mean Compression Ratio
Set      Firewall Compressor   Diplomat
Small    67.4%                 67.2%
Medium   50.8%                 45.7%
Large    44.5%                 30.2%
All      56.1%                 50.6%
Conclusion
• Diplomat offers significant improvements over Firewall Compressor because it focuses on the differences between rows
• Results are most pronounced on larger classifiers
• Can guarantee approximation bound for 2-D classifiers
Questions?