A Difference Resolution Approach to Compressing Access Control Lists
James Daly, Alex Liu, Eric Torng
Michigan State University
INFOCOM 2013
Motivation
• Classifiers used for many applications
  • Packet Forwarding
  • Firewalls
  • Quality of Service
• Classifiers are growing
  • New threats
  • New services
Motivation
• Classifier compression is an important problem
  • Device imposed rule limits
    • NetScreen-100 allows only 733 rules
  • Simplifies rule management
    • DIFANE [Yu et al. SIGCOMM 2010]
Background

F1    F2    Color
1     3     White
3     3     White
1-3   1     White
1-3   5     White
1-3   1-5   Black

F1    F2    Color
2     3     Black
1-3   3     White
1-3   2-4   Black
1-3   1-5   White

Packet: [2, 4]
Classifier Definition
• Classifier: list of rules
  • Tuple of d intervals over finite, discrete fields
  • Decision (accept, deny, physical port number, etc.)
• Only first matching rule applies
• Classifiers equivalent if they give the same result for all inputs
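The first-match and equivalence definitions above, applied to the two classifiers from the Background slide; this is an added example, not code from the original slides. It goes one step beyond the slide by adding a brute-force redundancy check; the function names are chosen here, and the field domains (F1 in 1..3, F2 in 1..5) are an assumption read off the catch-all rules.

```python
from itertools import product

# A rule is (intervals, decision); intervals holds one inclusive (lo, hi) per field.
# Both lists are transcribed from the two tables on the Background slide.
CLASSIFIER_A = [
    (((1, 1), (3, 3)), "White"),
    (((3, 3), (3, 3)), "White"),
    (((1, 3), (1, 1)), "White"),
    (((1, 3), (5, 5)), "White"),
    (((1, 3), (1, 5)), "Black"),
]
CLASSIFIER_B = [
    (((2, 2), (3, 3)), "Black"),
    (((1, 3), (3, 3)), "White"),
    (((1, 3), (2, 4)), "Black"),
    (((1, 3), (1, 5)), "White"),
]
# Assumption: field domains read off the catch-all rules (F1 in 1..3, F2 in 1..5).
DOMAIN = (range(1, 4), range(1, 6))


def classify(rules, packet):
    """Return the decision of the first rule whose intervals all contain the packet."""
    for intervals, decision in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(intervals, packet)):
            return decision
    return None  # no rule matched (cannot happen while a catch-all rule is present)


def equivalent(r1, r2, domain=DOMAIN):
    """Compare decisions on every packet; exhaustive, so only for small domains."""
    return all(classify(r1, p) == classify(r2, p) for p in product(*domain))


def remove_redundant(rules, domain=DOMAIN):
    """Delete each rule whose removal changes no decision (brute-force check)."""
    kept = list(rules)
    i = 0
    while i < len(kept):
        trial = kept[:i] + kept[i + 1:]
        if equivalent(trial, rules, domain):
            kept = trial  # rule i was redundant; re-test the rule now at index i
        else:
            i += 1
    return kept


if __name__ == "__main__":
    print(classify(CLASSIFIER_A, (2, 4)), equivalent(CLASSIFIER_A, CLASSIFIER_B))
```

Neither list contains a redundant rule, yet the second is one rule shorter, so the smaller classifier cannot be reached by deleting rules alone. The same exhaustive comparison is a simple pre-deployment check that a compressed ACL has not flipped any decision, as long as the field domains are small.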
Problem Definition
• Problem
  • Input: classifier
  • Output: smallest equivalent classifier
• NP-Hard
Prior Work
• Redundancy Removal [e.g. Liu and Gouda. DBSec 2005]
• Iterated Strip Rule [Applegate et al. SODA 2007]
  • Only two dimensions
  • Approximation guarantee: $O(\min(n^{1/3}, \mathrm{Opt}^{1/2}))$
• Firewall Compressor [Liu et al. INFOCOM 2008]
  • Optimal weighted 1-D case
  • Works on higher dimensions
Motivating Example
Dimension Reduction
FC: Fully Solve Each Row

X     Y     Color
2     2-3   Green
2     5-6   Red
2     4-8   White
2     1-9   Black
4     5     Red
4     6-7   Blue
4     3-8   White
4     1-9   Black
1-4   5-6   Red
1-4   3-8   White
1-4   1-9   Black

X     Y     Color
2     2-3   Green
2     5-6   Red
2     4-8   White
2     1-9   Black
4     5     Red
4     6-7   Blue
4     3-8   White
4     1-9   Black

X     Y     Color
2     2-3   Green
2     5-6   Red
2     4-8   White
2     1-9   Black
Diplomat: Identify and Resolve Differences
X Y Color
2-3 2 Green
Diplomat: Identify and Resolve Differences

X     Y     Color
2-3   2     Green

X     Y     Color
2-3   2     Green
6-7   4     Blue
Diplomat: Identify and Resolve Differences

X     Y     Color
2-3   2     Green
6-7   4     Blue

X     Y     Color
2-3   2     Green
6-7   4     Blue
5-6   1-4   Red
3-8   1-4   White
1-9   1-4   Black
Higher Dimensions
Diplomat
• Three parts
  • Base solver for the last row
    • Firewall Compressor for 1D case
    • Diplomat otherwise
  • Resolver
    • Given two rows identify and resolve differences
    • Merge rows together into one
  • Scheduler
    • Find best order to resolve rows
Different Resolvers

F1    F2    Color
1     1-5   White
2     5-9   White

F1    F2    Color
1-1   1-5   White
1     6     Black
1     8     Black

F1    F2    Color
1     1-5   White
2     5-9   White
1-2   2     Black
1-2   4     Black
1-2   6     Black
1-2   8     Black
1-2   1-9   White

F1    F2    Color
1     1-5   White
1     6     Black
1     8     Black
1-2   2     Black
1-2   4     Black
1-2   1-9   White
Scheduling
• Multi-row resolver: greedy schedule
• Single-row resolver: dynamic programming schedule
Dynamic Schedule

Axes: Remaining Row, Source Row

     1    2    3    4
1    0    2    0    2
2    1    0    1    3
3    0    2    0    2
4    1    3    1    0

Rows: Lower Bound; columns: Upper Bound

     1      2          3              4
1    1:0    1:1 2:2    1:1 2:4 3:1    1:2 2:3 3:2 4:3
2           2:0        2:2 3:1        2:3 3:2 4:3
3                      3:0            3:1 4:2
4                                     4:0
Results
• Comparison of Firewall Compressor and Diplomat on 40 real-life classifiers
• Divided into sets based on size
• Diplomat requires 30% fewer rules on largest sets
• 2-D bounds: $O(\min(n^{1/3}, \mathrm{Opt}^{1/2}))$

Mean Compression Ratio

Set       Firewall Compressor   Diplomat
Small     67.4%                 67.2%
Medium    50.8%                 45.7%
Large     44.5%                 30.2%
All       56.1%                 50.6%
Conclusion
• Diplomat offers significant improvements over Firewall Compressor because it focuses on the differences between rows
• Results are most pronounced on larger classifiers
• Can guarantee approximation bound for 2-D classifiers
Questions?