A Difference Resolution Approach to Compressing Access Control Lists James Daly, Alex Liu, Eric Torng Michigan State University INFOCOM 2013.

Post on 19-Jan-2016


Motivation
• Classifiers used for many applications
  • Packet Forwarding
  • Firewalls
  • Quality of Service
• Classifiers are growing
  • New threats
  • New services

Motivation
• Classifier compression is an important problem
  • Device imposed rule limits
    • NetScreen-100 allows only 733 rules
  • Simplifies rule management
    • DIFANE [Yu et al. SIGCOMM 2010]

Background

F1    F2    Color
1     3     White
3     3     White
1-3   1     White
1-3   5     White
1-3   1-5   Black

F1    F2    Color
2     3     Black
1-3   3     White
1-3   2-4   Black
1-3   1-5   White

Packet: [2, 4]

Classifier Definition
• Classifier: list of rules
  • Tuple of d intervals over finite, discrete fields
  • Decision (accept, deny, physical port number, etc.)
• Only first matching rule applies
• Classifiers equivalent if they give the same result for all inputs


Problem Definition
• Problem
  • Input: classifier
  • Output: smallest equivalent classifier
  • NP-Hard


Prior Work
• Redundancy Removal [e.g. Liu and Gouda. DBSec 2005]
• Iterated Strip Rule [Applegate et al. SODA 2007]
  • Only two dimensions
  • Approximation guarantee: O(min(n^(1/3), Opt^(1/2)))
• Firewall Compressor [Liu et al. INFOCOM 2008]
  • Optimal weighted 1-D case
  • Works on higher dimensions

Motivating Example

Dimension Reduction

FC: Fully Solve Each Row

X     Y     Color
2     2-3   Green
2     5-6   Red
2     4-8   White
2     1-9   Black
4     5     Red
4     6-7   Blue
4     3-8   White
4     1-9   Black
1-4   5-6   Red
1-4   3-8   White
1-4   1-9   Black

X     Y     Color
2     2-3   Green
2     5-6   Red
2     4-8   White
2     1-9   Black
4     5     Red
4     6-7   Blue
4     3-8   White
4     1-9   Black

X     Y     Color
2     2-3   Green
2     5-6   Red
2     4-8   White
2     1-9   Black

Diplomat: Identify and Resolve Differences

X     Y     Color
2-3   2     Green

X     Y     Color
2-3   2     Green
6-7   4     Blue

X     Y     Color
2-3   2     Green
6-7   4     Blue
5-6   1-4   Red
3-8   1-4   White
1-9   1-4   Black

Higher Dimensions


Diplomat
• Three parts
  • Base solver for the last row
    • Firewall Compressor for 1D case
    • Diplomat otherwise
  • Resolver
    • Given two rows identify and resolve differences
    • Merge rows together into one
  • Scheduler
    • Find best order to resolve rows

F1    F2    Color
1     1-5   White
2     5-9   White

F1    F2    Color
1-1   1-5   White
1     6     Black
1     8     Black

Different Resolvers

F1    F2    Color
1     1-5   White
2     5-9   White
1-2   2     Black
1-2   4     Black
1-2   6     Black
1-2   8     Black
1-2   1-9   White

F1    F2    Color
1     1-5   White
1     6     Black
1     8     Black
1-2   2     Black
1-2   4     Black
1-2   1-9   White

Scheduling
• Multi-row resolver: greedy schedule
• Single-row resolver: dynamic programming schedule

Dynamic Schedule

     1    2    3    4
1    0    2    0    2
2    1    0    1    3
3    0    2    0    2
4    1    3    1    0

     1      2          3              4
1    1:0    1:1 2:2    1:1 2:4 3:1    1:2 2:3 3:2 4:3
2           2:0        2:2 3:1        2:3 3:2 4:3
3                      3:0            3:1 4:2
4                                     4:0

Axis labels: Remaining Row, Source Row, Upper Bound, Lower Bound

Results
• Comparison of Firewall Compressor and Diplomat on 40 real-life classifiers
  • Divided into sets based on size
• Diplomat requires 30% fewer rules on largest sets
• 2-D bounds: O(min(n^(1/3), Opt^(1/2)))

Mean Compression Ratio

Set      Firewall Compressor   Diplomat
Small    67.4%                 67.2%
Medium   50.8%                 45.7%
Large    44.5%                 30.2%
All      56.1%                 50.6%

Conclusion
• Diplomat offers significant improvements over Firewall Compressor because it focuses on the differences between rows
  • Results are most pronounced on larger classifiers
• Can guarantee approximation bound for 2-D classifiers

Questions?
