Routers in today's networks perform many demanding tasks, of which the actual routing is only one. Especially in high-speed networks, IPv6 routing and traffic classification remain major problems. This project aims at improving the performance of various router functions under the harsh conditions of high-speed and backbone networks. It has been conducted in cooperation with, and partially funded by, Huawei Technologies Co., Ltd.
IP Lookup
IPv6 packet forwarding is still a major bottleneck. Especially in the Internet core we face very large routing tables with millions of entries and a large number of high-speed links. We survey and evaluate data structures for their applicability to IPv6 routing and explore ways to exploit the harsh conditions of the Internet core to design a data structure specialized for IPv6 lookup applications, which we call Efficient Hash Table.
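The lookup structure this paragraph alludes to, as an added illustration written for this page and not the project's Efficient Hash Table: one hash table per prefix length, each fronted by a Bloom-filter summary, so that a lookup probes only the lengths whose summary cannot rule the prefix out. The class names, the filter parameters, the sample routing table and the next-hop labels are assumptions constructed for this example.

```python
import hashlib
import ipaddress


class BloomFilter:
    """Bit-array summary placed in front of a hash table: a negative answer is
    exact, a positive answer may be a false positive (then the table is probed)."""

    def __init__(self, bits=4096, hashes=3):
        self.bits = bits
        self.hashes = hashes
        self.array = bytearray(bits // 8)

    def _positions(self, key):
        # k positions, each derived from a differently prefixed hash of the key.
        for i in range(self.hashes):
            digest = hashlib.sha256(bytes([i]) + key).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits

    def add(self, key):
        for p in self._positions(key):
            self.array[p >> 3] |= 1 << (p & 7)

    def might_contain(self, key):
        return all(self.array[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


class HashLpmTable:
    """IPv6 longest-prefix match from one hash table per prefix length, each
    guarded by a Bloom filter (assumed layout for this example, not the EHT)."""

    def __init__(self):
        self.tables = {}      # prefix length -> {prefix as int: next hop}
        self.summaries = {}   # prefix length -> BloomFilter over that table's keys
        self.probes = 0       # hash-table probes actually performed

    @staticmethod
    def _key(length, prefix_int):
        return bytes([length]) + prefix_int.to_bytes(16, "big")

    def insert(self, cidr, next_hop):
        net = ipaddress.IPv6Network(cidr, strict=False)
        length, prefix_int = net.prefixlen, int(net.network_address)
        self.tables.setdefault(length, {})[prefix_int] = next_hop
        self.summaries.setdefault(length, BloomFilter()).add(self._key(length, prefix_int))

    def lookup(self, addr):
        a = int(ipaddress.IPv6Address(addr))
        # Try lengths from longest to shortest; the first table hit is the LPM.
        for length in sorted(self.tables, reverse=True):
            prefix_int = a & (((1 << length) - 1) << (128 - length))
            key = self._key(length, prefix_int)
            if not self.summaries[length].might_contain(key):
                continue          # definitely absent: no table memory access needed
            self.probes += 1
            hop = self.tables[length].get(prefix_int)
            if hop is not None:
                return hop
        return None


# Constructed sample routing table; next hops are arbitrary labels.
SAMPLE_ROUTES = [
    ("::/0", "default"),
    ("2001:db8::/32", "hop-a"),
    ("2001:db8:1::/48", "hop-b"),
    ("2001:db8:1:2::/64", "hop-c"),
]


def demo():
    table = HashLpmTable()
    for cidr, hop in SAMPLE_ROUTES:
        table.insert(cidr, hop)
    queries = ["2001:db8:1:2::5", "2001:db8:1:3::1", "2001:db8:9::1", "2607:f8b0::1"]
    results = {q: table.lookup(q) for q in queries}
    # Without the summaries these four lookups would cost 1 + 2 + 3 + 4 = 10 probes.
    return results, table.probes


if __name__ == "__main__":
    print(demo())
```

The `probes` counter is the quantity the summaries buy: each query costs one table probe plus whatever false positives the filters produce, instead of one probe per prefix length present in the table. In a real backbone table the number of distinct IPv6 prefix lengths, not the number of routes, sets the worst case per lookup, which is why the filter sizing matters more than it does here.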
Deep Packet Inspection (DPI)
DPI examines the packet content and matches it against known signatures to perform protocol identification. Although the actual matching is simple, parsing and evaluating the packet content at line speed is not. We designed a DPI compiler that generates NFA and DFA matching engines optimized to run on dedicated FPGAs at very high speeds.
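An added example of what such a compiler does at its core, written for this page and not the project's DPI compiler: a small signature grammar is turned into an NFA, the NFA into a DFA by subset construction over the 256-byte alphabet, and the resulting table is stepped once per payload byte, which is the form a hardware engine can execute at line speed. The grammar (literals, `.` for any byte, a trailing `*`, backslash escapes), the signatures and the payloads are constructed for this example.

```python
ALL_BYTES = frozenset(range(256))


def parse_signature(sig):
    """Split a signature into (byte set, starred) atoms under the assumed grammar."""
    atoms, i = [], 0
    while i < len(sig):
        c = sig[i]
        if c == "\\":
            i += 1
            symbols = frozenset([ord(sig[i])])
        elif c == ".":
            symbols = ALL_BYTES
        else:
            symbols = frozenset([ord(c)])
        i += 1
        starred = i < len(sig) and sig[i] == "*"
        if starred:
            i += 1
        atoms.append((symbols, starred))
    return atoms


class NFA:
    """One chain of states per signature, all hanging off state 0."""

    def __init__(self):
        # State 0 loops on every byte so a signature may start anywhere in the payload.
        self.trans = {0: [(ALL_BYTES, 0)]}   # state -> [(byte set or None, target)]
        self.accept = {}                     # state -> protocol name

    def new_state(self):
        self.trans[len(self.trans)] = []
        return len(self.trans) - 1

    def add_signature(self, name, sig):
        cur = self.new_state()
        self.trans[0].append((None, cur))            # epsilon edge from the root
        for symbols, starred in parse_signature(sig):
            if starred:
                self.trans[cur].append((symbols, cur))   # self loop: zero or more
            else:
                nxt = self.new_state()
                self.trans[cur].append((symbols, nxt))
                cur = nxt
        self.accept[cur] = name


def compile_dfa(nfa):
    """Subset construction: returns a table of 256-entry rows and, per DFA
    state, the sorted protocol names it accepts."""
    def closure(states):
        stack, seen = list(states), set(states)
        while stack:
            for symbols, t in nfa.trans[stack.pop()]:
                if symbols is None and t not in seen:
                    seen.add(t)
                    stack.append(t)
        return frozenset(seen)

    start = closure({0})
    ids, rows, work = {start: 0}, {}, [start]
    while work:
        S = work.pop()
        row = [0] * 256
        for b in range(256):
            moved = {t for s in S for symbols, t in nfa.trans[s]
                     if symbols is not None and b in symbols}
            T = closure(moved)
            if T not in ids:
                ids[T] = len(ids)
                work.append(T)
            row[b] = ids[T]
        rows[ids[S]] = row
    accept = [None] * len(ids)
    for S, i in ids.items():
        accept[i] = sorted(nfa.accept[s] for s in S if s in nfa.accept)
    return [rows[i] for i in range(len(ids))], accept


def identify(dfa, payload):
    """One table lookup per byte; report the first signature that completes."""
    table, accept = dfa
    state = 0
    for b in payload:
        state = table[state][b]
        if accept[state]:
            return accept[state][0]
    return None


# Constructed signatures and payloads, not the project's rule set.
SIGNATURES = {"http": "GET .* HTTP/1\\.", "ssh": "SSH-2\\.0-", "smtp": "220 .*SMTP"}
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
    b"SSH-2.0-OpenSSH_9.6\r\n",
    b"220 mail.example.test ESMTP ready\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
]


def demo():
    nfa = NFA()
    for name, sig in SIGNATURES.items():
        nfa.add_signature(name, sig)
    dfa = compile_dfa(nfa)
    return [identify(dfa, p) for p in SAMPLE_PAYLOADS], len(dfa[0])
```

The state count `demo()` returns is the figure that decides whether the automaton fits the FPGA: the DFA needs no per-byte set manipulation, which is what makes it fast in hardware, but its table grows with the number and shape of the signatures, while the NFA stays compact and pays in parallelism instead. Watching that number as signatures are added is the quickest way to see why the compiler offers both engine types.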
Deep Flow Inspection (DFI)
While DPI looks at packet contents, DFI examines network flow properties and uses heuristics and statistical fingerprints to learn about the application's behavior. We propose an algorithm and a hardware implementation suitable for very limited environments such as Physical Interface Cards (PICs) that uses a simple heuristic to distinguish between P2P and non-P2P flows.
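The kind of flow-key heuristic this paragraph refers to, as an added example and not the picDFI algorithm itself: it needs only the five-tuple of each flow, no payload, which is what makes it feasible on a PIC. The two rules it applies (an IP pair using both TCP and UDP on non-service ports, and a host with several peers on unprivileged ports at both ends) and the flow records are assumptions constructed for this example.

```python
from collections import defaultdict, namedtuple

# One flow record as a PIC-level collector might export it; the field set and
# all values below are constructed for this example.
Flow = namedtuple("Flow", "src dst proto sport dport")

# Services that legitimately fan out to many peers or run over both TCP and
# UDP (assumed list); flows touching them never count as P2P evidence.
SERVICE_PORTS = {22, 25, 53, 80, 123, 443}
MIN_PEERS = 3    # distinct peers on unprivileged ports before a host counts as P2P


def is_service_flow(flow):
    return flow.sport in SERVICE_PORTS or flow.dport in SERVICE_PORTS


def find_p2p_hosts(flows):
    """Assumed heuristics over flow keys only (no payload):
    1. an IP pair that talks over both TCP and UDP on non-service ports, and
    2. a host with at least MIN_PEERS distinct peers on flows where both ports
       are unprivileged (> 1023), the signature of a peer swarm."""
    pair_protos = defaultdict(set)
    peers = defaultdict(set)
    for f in flows:
        if is_service_flow(f):
            continue
        pair_protos[frozenset((f.src, f.dst))].add(f.proto)
        if f.sport > 1023 and f.dport > 1023:
            peers[f.src].add(f.dst)
            peers[f.dst].add(f.src)
    hosts = set()
    for pair, protos in pair_protos.items():
        if {"tcp", "udp"} <= protos:
            hosts |= pair
    hosts |= {h for h, p in peers.items() if len(p) >= MIN_PEERS}
    return hosts


def classify_flows(flows):
    """Label each flow 'p2p' or 'non-p2p': a flow inherits the label of its
    endpoints, and service flows are always 'non-p2p'."""
    hosts = find_p2p_hosts(flows)
    return ["p2p" if not is_service_flow(f) and (f.src in hosts or f.dst in hosts)
            else "non-p2p" for f in flows]


SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 51234, 6881),
    Flow("10.0.0.5", "203.0.113.10", "udp", 51234, 6881),
    Flow("10.0.0.5", "198.51.100.20", "tcp", 51235, 28133),
    Flow("10.0.0.5", "198.51.100.21", "udp", 51236, 41000),
    Flow("10.0.0.5", "192.0.2.30", "tcp", 51237, 16500),
    Flow("10.0.0.7", "93.184.216.34", "tcp", 40001, 443),
    Flow("10.0.0.7", "93.184.216.35", "tcp", 40002, 80),
    Flow("10.0.0.7", "10.0.0.1", "udp", 40003, 53),
    Flow("10.0.0.7", "10.0.0.1", "tcp", 40004, 53),
]

if __name__ == "__main__":
    for flow, label in zip(SAMPLE_FLOWS, classify_flows(SAMPLE_FLOWS)):
        print(label, flow)
```

The cost of keeping the heuristic this cheap is visible in the sample: a P2P client that tunnels over port 443 or keeps a single peer falls through to `non-p2p`, and a game or VoIP host with many UDP peers on high ports would be flagged. Only per-host sets of peers and per-pair sets of protocols need to be kept, which is the state budget a PIC can afford.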
FPGA Accelerated Traffic Identification
Identification algorithms perform well in software but are usually hard to implement in hardware when performance is critical. Practical traffic identification is expensive in both space and time and usually requires multiple identification engines running in parallel. We propose a toolchain that allows high-speed traffic classification on FPGAs. Starting with rule preprocessing to reduce the search space, we design a classification system consisting of multiple parallel engines dedicated to specific tasks such as fixed-string, variable-string and regular-expression matching. We design a generic PBV matching element that can be reprogrammed to match different rules.
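An added example of the preprocessing-plus-parallel-engines idea, written for this page and not taken from the project's toolchain: each regular-expression rule is preprocessed into the longest literal it must contain, all literals (fixed-string rules included) go into one Aho-Corasick fixed-string engine, and the regular-expression engine (Python's `re` here, standing in for a hardware engine) is consulted only for rules whose literal actually occurred in the payload. The rule format, the rules, the payloads and the `required_literal` extractor are assumptions; the PBV element is not modelled.

```python
import re
from collections import deque

# Constructed rule set in a Snort-like shape (assumed): (name, kind, pattern);
# "fixed" rules are exact byte strings, "regex" rules are Python regexes.
RULES = [
    ("http-get", "fixed", b"GET "),
    ("http-ua-curl", "regex", rb"User-Agent: curl/\d+\.\d+"),
    ("ssh-banner", "regex", rb"^SSH-2\.0-\S+"),
    ("smtp-ehlo", "regex", rb"EHLO [a-z0-9.-]+"),
]
META = set(b".^$*+?()[]{}|")


def required_literal(pattern):
    """Longest literal run every match of the regex must contain (the search-
    space reduction step). Escapes and metacharacters end a run, a quantifier
    makes the byte before it optional, top-level alternation yields nothing."""
    if b"|" in pattern:
        return b""
    runs, run, i = [], bytearray(), 0
    while i < len(pattern):
        c = pattern[i]
        if c == ord("\\"):                  # escape sequence: unknown byte
            runs.append(bytes(run))
            run, i = bytearray(), i + 2
            continue
        if c in b"[{":                      # skip a class or counted repeat
            i = pattern.index(b"]" if c == ord("[") else b"}", i)
        if c in b"*+?{" and run:
            run.pop()
        if c in META:
            runs.append(bytes(run))
            run = bytearray()
        else:
            run.append(c)
        i += 1
    runs.append(bytes(run))
    return max(runs, key=len)


class AhoCorasick:
    """Multi-pattern fixed-string engine: one pass finds every needle."""

    def __init__(self, needles):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for idx, needle in enumerate(needles):
            s = 0
            for b in needle:
                if b not in self.goto[s]:
                    self.goto[s][b] = len(self.goto)
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                s = self.goto[s][b]
            self.out[s].add(idx)
        queue = deque(self.goto[0].values())
        while queue:                        # breadth-first failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]
                queue.append(s)

    def search(self, data):
        s, hits = 0, set()
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]
        return hits


class RuleEngine:
    def __init__(self, rules):
        self.rules, self.regex, self.always = rules, {}, []
        needles, self.needle_rule = [], []
        for i, (_, kind, pat) in enumerate(rules):
            if kind == "regex":
                self.regex[i] = re.compile(pat)
            lit = required_literal(pat) if kind == "regex" else pat
            if lit:
                needles.append(lit)
                self.needle_rule.append(i)
            else:
                self.always.append(i)       # no prefilter possible: always evaluate
        self.prefilter = AhoCorasick(needles)
        self.regex_evals = 0                # how often the slow engine really ran

    def classify(self, payload):
        candidates = set(self.always)
        for n in self.prefilter.search(payload):
            candidates.add(self.needle_rule[n])
        matched = []
        for i in sorted(candidates):
            if i not in self.regex:
                matched.append(self.rules[i][0])   # fixed rule: the hit is the match
            else:
                self.regex_evals += 1
                if self.regex[i].search(payload):
                    matched.append(self.rules[i][0])
        return matched


SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.5\r\n\r\n",
    b"SSH-2.0-OpenSSH_9.6\r\n",
    b"EHLO mail.example.test\r\n",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
]


def demo():
    engine = RuleEngine(RULES)
    return [engine.classify(p) for p in SAMPLE_PAYLOADS], engine.regex_evals
```

The `regex_evals` counter is what the preprocessing is meant to shrink: on the four constructed payloads the regular-expression engine runs three times instead of twelve, and the fixed-string engine answers the rest on its own. `required_literal` is deliberately conservative: a rule with no required literal is evaluated on every packet rather than silently skipped, since a prefilter that can miss is worse than none.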
Software
Some of the software is available as open source under various licenses (GPL, LGPL and MIT).
- Pcap2Bytes, a preprocessor that reads pcap files, extracts the packet content and writes it to binary files.
- picDFI, a software simulator of the DFI classification engine.
- iplookup, software for the IP lookup part of the project.
Publications
- A Survey of Hash Tables with Summaries for IP Lookup Applications.
- Packet Forwarding using Efficient Hash Tables.
- Large-scale Network Monitoring for Visual Analysis of Attacks. Visualization for Computer Security: 5th International Workshop.
- Bloom Filters: One Size Fits All? LCN '07.