A Difference Resolution Approach to Compressing Access Control Lists
James Daly, Alex Liu, Eric Torng. Michigan State University. INFOCOM 2013.
![Page 1: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/1.jpg)
A Difference Resolution Approach to Compressing Access Control Lists
James Daly, Alex Liu, Eric Torng
Michigan State University
INFOCOM 2013
![Page 2: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/2.jpg)
Motivation
• Classifiers used for many applications
  • Packet Forwarding
  • Firewalls
  • Quality of Service
• Classifiers are growing
  • New threats
  • New services
![Page 3: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/3.jpg)
Motivation
• Classifier compression is an important problem
  • Device imposed rule limits
    • NetScreen-100 allows only 733 rules
  • Simplifies rule management
    • DIFANE [Yu et al. SIGCOMM 2010]
![Page 4: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/4.jpg)
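Background

| F1 | F2 | Color |
|---|---|---|
| 1 | 3 | White |
| 3 | 3 | White |
| 1-3 | 1 | White |
| 1-3 | 5 | White |
| 1-3 | 1-5 | Black |

| F1 | F2 | Color |
|---|---|---|
| 2 | 3 | Black |
| 1-3 | 3 | White |
| 1-3 | 2-4 | Black |
| 1-3 | 1-5 | White |

Packet: [2, 4]
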
![Page 5: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/5.jpg)
Classifier Definition
• Classifier: list of rules
  • Tuple of d intervals over finite, discrete fields
  • Decision (accept, deny, physical port number, etc.)
• Only first matching rule applies
• Classifiers equivalent if they give the same result for all inputs

| F1 | F2 | Color |
|---|---|---|
| 1 | 3 | White |
| 3 | 3 | White |
| 1-3 | 1 | White |
| 1-3 | 5 | White |
| 1-3 | 1-5 | Black |

| F1 | F2 | Color |
|---|---|---|
| 2 | 3 | Black |
| 1-3 | 3 | White |
| 1-3 | 2-4 | Black |
| 1-3 | 1-5 | White |

![Page 6: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/6.jpg)
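Problem Definition
• Problem
  • Input: classifier
  • Output: smallest equivalent classifier
• NP-Hard

| F1 | F2 | Color |
|---|---|---|
| 1 | 3 | White |
| 3 | 3 | White |
| 1-3 | 1 | White |
| 1-3 | 5 | White |
| 1-3 | 1-5 | Black |

| F1 | F2 | Color |
|---|---|---|
| 2 | 3 | Black |
| 1-3 | 3 | White |
| 1-3 | 2-4 | Black |
| 1-3 | 1-5 | White |
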
![Page 7: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/7.jpg)
Prior Work
• Redundancy Removal [e.g. Liu and Gouda. DBSec 2005]
• Iterated Strip Rule [Applegate et al. SODA 2007]
  • Only two dimensions
  • Approximation guarantee: $O(\min(n^{1/3}, \mathrm{Opt}^{1/2}))$
• Firewall Compressor [Liu et al. INFOCOM 2008]
  • Optimal weighted 1-D case
  • Works on higher dimensions
![Page 8: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/8.jpg)
Motivating Example
![Page 9: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/9.jpg)
Dimension Reduction
![Page 10: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/10.jpg)
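FC: Fully Solve Each Row

| X | Y | Color |
|---|---|---|
| 2 | 2-3 | Green |
| 2 | 5-6 | Red |
| 2 | 4-8 | White |
| 2 | 1-9 | Black |
| 4 | 5 | Red |
| 4 | 6-7 | Blue |
| 4 | 3-8 | White |
| 4 | 1-9 | Black |
| 1-4 | 5-6 | Red |
| 1-4 | 3-8 | White |
| 1-4 | 1-9 | Black |

| X | Y | Color |
|---|---|---|
| 2 | 2-3 | Green |
| 2 | 5-6 | Red |
| 2 | 4-8 | White |
| 2 | 1-9 | Black |
| 4 | 5 | Red |
| 4 | 6-7 | Blue |
| 4 | 3-8 | White |
| 4 | 1-9 | Black |

| X | Y | Color |
|---|---|---|
| 2 | 2-3 | Green |
| 2 | 5-6 | Red |
| 2 | 4-8 | White |
| 2 | 1-9 | Black |
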
![Page 11: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/11.jpg)
Diplomat: Identify and Resolve Differences

| X | Y | Color |
|---|---|---|
| 2-3 | 2 | Green |

![Page 12: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/12.jpg)
Diplomat: Identify and Resolve Differences

| X | Y | Color |
|---|---|---|
| 2-3 | 2 | Green |

![Page 13: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/13.jpg)
Diplomat: Identify and Resolve Differences

| X | Y | Color |
|---|---|---|
| 2-3 | 2 | Green |

| X | Y | Color |
|---|---|---|
| 2-3 | 2 | Green |
| 6-7 | 4 | Blue |

![Page 14: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/14.jpg)
Diplomat: Identify and Resolve Differences

| X | Y | Color |
|---|---|---|
| 2-3 | 2 | Green |
| 6-7 | 4 | Blue |

| X | Y | Color |
|---|---|---|
| 2-3 | 2 | Green |
| 6-7 | 4 | Blue |
| 5-6 | 1-4 | Red |
| 3-8 | 1-4 | White |
| 1-9 | 1-4 | Black |

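
The first-match semantics and equivalence test from the Classifier Definition slide, applied to the rule tables on the Background, FC and Diplomat slides (an added example, not code from the presentation; it goes beyond the slides by returning a counterexample packet when two classifiers differ). Assumptions: the names `parse`, `classify` and `first_difference` are illustrative, each field domain is taken from the table's catch-all rule, and the Diplomat table is read with the Y interval in its first column.

```python
from itertools import product

def parse(text):
    """Parse ';'-separated rows 'field ... decision'; a field is 'n' or 'lo-hi'."""
    rules = []
    for row in text.split(";"):
        *fields, decision = row.split()
        ivs = []
        for f in fields:
            lo, _, hi = f.partition("-")
            ivs.append((int(lo), int(hi or lo)))
        rules.append((tuple(ivs), decision))
    return rules

def classify(rules, packet):
    """First-match semantics: only the first rule that matches applies."""
    for ivs, decision in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ivs, packet)):
            return decision
    return None  # no rule matched

def first_difference(a, b, domain):
    """Return a packet on which a and b disagree, or None if they are equivalent."""
    for packet in product(*(range(lo, hi + 1) for lo, hi in domain)):
        if classify(a, packet) != classify(b, packet):
            return packet
    return None

# Background slide tables; domain assumed from the catch-all rule "1-3 1-5".
BG_DOMAIN = [(1, 3), (1, 5)]
BG_A = parse("1 3 White; 3 3 White; 1-3 1 White; 1-3 5 White; 1-3 1-5 Black")
BG_B = parse("2 3 Black; 1-3 3 White; 1-3 2-4 Black; 1-3 1-5 White")

# Firewall Compressor output (11 rules); domain assumed from "1-4 1-9".
XY_DOMAIN = [(1, 4), (1, 9)]
FC = parse("2 2-3 Green; 2 5-6 Red; 2 4-8 White; 2 1-9 Black; "
           "4 5 Red; 4 6-7 Blue; 4 3-8 White; 4 1-9 Black; "
           "1-4 5-6 Red; 1-4 3-8 White; 1-4 1-9 Black")
# Diplomat output (5 rules). Assumption: its first column holds the Y interval,
# so the two fields are swapped to line up with the FC table's (X, Y) order.
DIPLOMAT = [(ivs[::-1], d) for ivs, d in parse(
    "2-3 2 Green; 6-7 4 Blue; 5-6 1-4 Red; 3-8 1-4 White; 1-9 1-4 Black")]

if __name__ == "__main__":
    print(classify(BG_A, (2, 4)), classify(BG_B, (2, 4)))  # the slide's packet
    print(first_difference(BG_A, BG_B, BG_DOMAIN))
    print(first_difference(BG_A, BG_B[1:], BG_DOMAIN))     # drop "2 3 Black"
    print(len(FC), len(DIPLOMAT), first_difference(FC, DIPLOMAT, XY_DOMAIN))
```

Exhaustive enumeration is only practical for small field domains like these; it serves here as a regression check that a compressed rule list changes no decision.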
![Page 15: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/15.jpg)
Higher Dimensions
![Page 16: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/16.jpg)
Diplomat
• Three parts
  • Base solver for the last row
    • Firewall Compressor for 1D case
    • Diplomat otherwise
  • Resolver
    • Given two rows identify and resolve differences
    • Merge rows together into one
  • Scheduler
    • Find best order to resolve rows
![Page 17: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/17.jpg)
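Different Resolvers

| F1 | F2 | Color |
|---|---|---|
| 1 | 1-5 | White |
| 2 | 5-9 | White |

| F1 | F2 | Color |
|---|---|---|
| 1-1 | 1-5 | White |
| 1 | 6 | Black |
| 1 | 8 | Black |

| F1 | F2 | Color |
|---|---|---|
| 1 | 1-5 | White |
| 2 | 5-9 | White |
| 1-2 | 2 | Black |
| 1-2 | 4 | Black |
| 1-2 | 6 | Black |
| 1-2 | 8 | Black |
| 1-2 | 1-9 | White |

| F1 | F2 | Color |
|---|---|---|
| 1 | 1-5 | White |
| 1 | 6 | Black |
| 1 | 8 | Black |
| 1-2 | 2 | Black |
| 1-2 | 4 | Black |
| 1-2 | 1-9 | White |
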
![Page 18: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/18.jpg)
Scheduling
• Multi-row resolver: greedy schedule
• Single-row resolver: dynamic programming schedule
![Page 19: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/19.jpg)
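Dynamic Schedule

Rows: Source Row. Columns: Remaining Row.

| | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| 1 | 0 | 2 | 0 | 2 |
| 2 | 1 | 0 | 1 | 3 |
| 3 | 0 | 2 | 0 | 2 |
| 4 | 1 | 3 | 1 | 0 |

Rows: Lower Bound. Columns: Upper Bound.

| | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| 1 | 1:0 | 1:1 2:2 | 1:1 2:4 3:1 | 1:2 2:3 3:2 4:3 |
| 2 | | 2:0 | 2:2 3:1 | 2:3 3:2 4:3 |
| 3 | | | 3:0 | 3:1 4:2 |
| 4 | | | | 4:0 |
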
![Page 20: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/20.jpg)
Results
• Comparison of Firewall Compressor and Diplomat on 40 real-life classifiers
  • Divided into sets based on size
• Diplomat requires 30% fewer rules on largest sets
• 2-D bounds: $O(\min(n^{1/3}, \mathrm{Opt}^{1/2}))$

Mean Compression Ratio

| Set | Firewall Compressor | Diplomat |
|---|---|---|
| Small | 67.4% | 67.2% |
| Medium | 50.8% | 45.7% |
| Large | 44.5% | 30.2% |
| All | 56.1% | 50.6% |

![Page 21: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/21.jpg)
Conclusion
• Diplomat offers significant improvements over Firewall Compressor because it focuses on the differences between rows
• Results are most pronounced on larger classifiers
• Can guarantee approximation bound for 2-D classifiers
![Page 22: A Difference Resolution Approach to Compressing Access Control Lists](https://reader036.vdocuments.site/reader036/viewer/2022062323/56816047550346895dcf6ca5/html5/thumbnails/22.jpg)
Questions?