Minimizing Range Rules for Packet Filtering Using Double Mask Representation - Archive ouverte HAL
Preprints, Working Papers

Minimizing Range Rules for Packet Filtering Using Double Mask Representation


Abstract

Packet filtering is widely used in multiple networking appliances and applications, in particular to block malicious traffic (protecting network infrastructures through firewalls and intrusion detection systems) and, when deployed on routers, switches and load balancers, for packet classification. This mechanism relies on the packet's header fields to filter such traffic by using range rules over IP addresses or ports. However, the set of packet filters has to handle a growing number of connected nodes, many of which are compromised and used as sources of attacks. For instance, IP filter sets available in blacklists may reach several million entries and may require large memory space for their storage in filtering appliances. In this paper, we propose a new method based on a double mask IP prefix representation together with a linear transformation algorithm to build a minimized set of range rules. We define formally the double mask representation over range rules and we prove that the number of required masks for any range is at most 2w − 4, where w is the length of a field. This representation makes the network more secure, reliable and easy to maintain and configure. We show empirically that the proposed method achieves an average compression ratio of 11% on real-life blacklists and up to 74% on synthetic range rule sets. Finally, we add support for double masks to a real SDN network.
Main file: Double Mask General Version.pdf (1.34 MB)
Origin: Files produced by the author(s)

Dates and versions

hal-02102225 , version 1 (17-04-2019)
hal-02102225 , version 2 (23-04-2019)
hal-02102225 , version 3 (24-04-2019)
hal-02102225 , version 4 (24-04-2019)

Identifiers

  • HAL Id : hal-02102225 , version 4

Cite

Ahmad Abboud, Abdelkader Lahmadi, Michaël Rusinowitch, Miguel Couceiro, Adel Bouhoula, et al. Minimizing Range Rules for Packet Filtering Using Double Mask Representation. 2019. ⟨hal-02102225v4⟩