Minimizing Range Rules for Packet Filtering Using Double Mask Representation

Abstract: Packet filtering is widely used in many networking appliances and applications, in particular to block malicious traffic (protecting network infrastructures through firewalls and intrusion detection systems) and, on routers, switches and load balancers, for packet classification. The mechanism relies on the packet's header fields and filters traffic using range rules over IP addresses or ports. However, the set of packet filters has to handle a growing number of connected nodes, many of which are compromised and used as sources of attacks. For instance, IP filter sets available in blacklists may reach several million entries and may require a large memory footprint in filtering appliances. In this paper, we propose a new method based on a double mask IP prefix representation together with a linear transformation algorithm to build a minimized set of range rules. We define the double mask representation over range rules formally and prove that the number of masks required for any range is at most 2w − 4, where w is the length of a field. This representation makes the network more secure, reliable and easier to maintain and configure. We show empirically that the proposed method achieves an average compression ratio of 11% on real-life blacklists and up to 74% on synthetic range rule sets. Finally, we add support for double masks to a real SDN network.
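The abstract's starting point is that a single range rule has to be expanded into many prefix (value/mask) rules before a classical matching engine can use it. The following Python, added here as an illustration and not code from the paper or its authors, implements the standard single-mask decomposition of a range into CIDR prefixes and shows why this blows up to 2w − 2 entries in the worst case; the double mask construction the paper defines is not reproduced here, since the page does not give its definition. Function names and the sample ranges are the example's own.

```python
import ipaddress

def range_to_prefixes(lo: int, hi: int, w: int) -> list[tuple[int, int]]:
    """Decompose the inclusive integer range [lo, hi] over a w-bit field
    into the minimal list of aligned prefixes (value, prefix_length).

    Greedy: at each step take the largest power-of-two block that starts
    at lo (so lo is aligned to it) and still fits inside [lo, hi].
    """
    if not (0 <= lo <= hi < (1 << w)):
        raise ValueError("range must satisfy 0 <= lo <= hi < 2**w")
    prefixes = []
    while lo <= hi:
        k = 0  # block size will be 2**k
        while (k < w
               and lo & ((1 << (k + 1)) - 1) == 0        # lo aligned to 2**(k+1)
               and lo + (1 << (k + 1)) - 1 <= hi):        # block still inside range
            k += 1
        prefixes.append((lo, w - k))
        lo += 1 << k
    return prefixes

def prefix_bounds(value: int, plen: int, w: int) -> tuple[int, int]:
    """Return the inclusive [start, end] interval covered by value/plen."""
    size = 1 << (w - plen)
    return value, value + size - 1

def covered_size(prefixes: list[tuple[int, int]], w: int) -> int:
    """Total number of field values covered (prefixes are disjoint by construction)."""
    return sum(hi - lo + 1 for lo, hi in (prefix_bounds(v, p, w) for v, p in prefixes))

def ip_range_to_cidrs(first: str, last: str) -> list[str]:
    """Convenience wrapper for IPv4 (w = 32): dotted addresses in, CIDR strings out."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [f"{ipaddress.IPv4Address(v)}/{p}" for v, p in range_to_prefixes(lo, hi, 32)]

def worst_case_count(w: int) -> int:
    """Number of prefixes needed for the range [1, 2**w - 2], the classic
    worst case; it equals 2w - 2 (constructed check, not a proof)."""
    return len(range_to_prefixes(1, (1 << w) - 2, w))

if __name__ == "__main__":
    # Constructed examples: a port range and a small IPv4 range.
    ports = range_to_prefixes(1024, 65535, 16)
    print("1024-65535 ->", len(ports), "prefixes:", ports)
    print("10.0.0.5-10.0.0.9 ->", ip_range_to_cidrs("10.0.0.5", "10.0.0.9"))
    print("worst case for 16-bit port field:", worst_case_count(16), "prefixes")
```

Running it shows the effect the paper targets: the single port range 1024–65535 becomes 6 rules, while a range that merely excludes the two extreme values of a 16-bit field needs 30 rules (2w − 2). The bound of 2w − 4 double masks quoted in the abstract is what improves on this worst case.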
Document type: Preprints, Working Papers, ...

Cited literature: 11 references

https://hal.inria.fr/hal-02102225
Contributor: Ahmad Abboud
Submitted on: Wednesday, April 24, 2019 - 11:20:14 AM
Last modification on: Friday, May 3, 2019 - 1:18:50 AM

File

Double Mask General Version.pd...
Files produced by the author(s)

Identifiers

  • HAL Id: hal-02102225, version 4

Citation

Ahmad Abboud, Abdelkader Lahmadi, Michaël Rusinowitch, Miguel Couceiro, Adel Bouhoula, et al.. Minimizing Range Rules for Packet Filtering Using Double Mask Representation. 2019. ⟨hal-02102225v4⟩

Metrics

Record views: 54
Files downloads: 361