Minimizing Range Rules for Packet Filtering Using Double Mask Representation

Ahmad Abboud 1, 2 Abdelkader Lahmadi 2 Michaël Rusinowitch 3 Miguel Couceiro 4 Adel Bouhoula 5 Saif El Hakk Awainia 6 Mondher Ayadi 6 
2 RESIST - Resilience and Elasticity for Security and ScalabiliTy of dynamic networked systems
Inria Nancy - Grand Est, LORIA - NSS - Department of Networks, Systems and Services
3 PESTO - Proof techniques for security protocols
Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods
4 ORPAILLEUR - Knowledge representation, reasonning
Inria Nancy - Grand Est, LORIA - NLPKD - Department of Natural Language Processing & Knowledge Discovery
Abstract: Packet filtering is widely used in networking appliances and applications, in particular to block malicious traffic (protecting network infrastructures through firewalls and intrusion detection systems) and, on routers, switches and load balancers, for packet classification. The mechanism relies on the packet's header fields and filters traffic using range rules over IP addresses or ports. However, the set of packet filters has to handle a growing number of connected nodes, many of which are compromised and used as sources of attacks. For instance, IP filter sets available in blacklists may reach several million entries and may require large memory space for their storage in filtering appliances. In this paper, we propose a new method based on a double mask IP prefix representation, together with a linear-time transformation algorithm, to build a minimized set of range rules. We formally define the double mask representation over range rules and prove that the number of masks required for any range is at most 2w − 4, where w is the length of the field. This representation makes the network more secure, reliable and easier to maintain and configure. We show empirically that the proposed method achieves an average compression ratio of 11% on real-life blacklists and up to 74% on synthetic range rule sets. Finally, we add support for double masks to a real SDN network.
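As an added illustration (not code from the paper or its authors), the Python below contrasts the classic expansion of an address range into aligned prefixes, which is known to need up to 2w − 2 prefixes in the worst case, with a double-mask encoding of the same range, which the abstract bounds by 2w − 4. The include/exclude semantics of a double mask, the rule tuple layout `(include_addr, include_len, exclude_addr, exclude_len)` and the 8-bit sample range [1, 254] are assumptions made here for illustration, not the paper's own definitions.

```python
# Added illustration, not code from the paper. Semantics ASSUMED here:
# a double mask (ia, il, ea, el) matches a w-bit value x iff x lies in the
# prefix ia/il and does not lie in the prefix ea/el. This may differ from
# the paper's exact definition; it is used only to show the size contrast.


def in_prefix(x, addr, length, w):
    """True if the w-bit value x falls inside the aligned prefix addr/length."""
    if length == 0:
        return True
    shift = w - length
    return (x >> shift) == (addr >> shift)


def range_to_prefixes(lo, hi, w):
    """Minimal list of aligned prefixes (addr, length) covering [lo, hi].

    Classic baseline used by ACLs and TCAMs: at each step emit the largest
    aligned block starting at lo that still fits in the range. A range can
    need up to 2w - 2 prefixes (one per bit on each side of the split point).
    """
    out = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside [lo, hi]
        while (lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi
               and size * 2 <= (1 << w)):
            size *= 2
        out.append((lo, w - (size.bit_length() - 1)))
        lo += size
    return out


def double_mask_match(x, rule, w):
    """Assumed double-mask semantics: in the include prefix, not in the exclude one."""
    ia, il, ea, el = rule
    return in_prefix(x, ia, il, w) and not in_prefix(x, ea, el, w)


def prefix_members(prefixes, w):
    """Set of all w-bit values matched by a prefix list (brute force, small w)."""
    return {x for x in range(1 << w) for (a, l) in prefixes if in_prefix(x, a, l, w)}


def double_mask_members(rules, w):
    """Set of all w-bit values matched by a double-mask rule list (brute force)."""
    return {x for x in range(1 << w) for r in rules if double_mask_match(x, r, w)}


def compare(lo, hi, w, rules):
    """Return (prefix_count, double_mask_count, equivalent) for a range and a
    hand-built double-mask rule set claimed to encode exactly that range."""
    prefixes = range_to_prefixes(lo, hi, w)
    exact = set(range(lo, hi + 1))
    same = prefix_members(prefixes, w) == exact and double_mask_members(rules, w) == exact
    return len(prefixes), len(rules), same


# Constructed 8-bit example: [1, 254] is the full space minus its two extremes,
# the worst case for prefix expansion (2w - 2 = 14 prefixes).
W = 8
RULES_1_254 = [
    (0x00, 1, 0x00, 8),   # 0/1   (0..127)   minus 0/8   -> 1..127
    (0x80, 1, 0xFF, 8),   # 128/1 (128..255) minus 255/8 -> 128..254
]

if __name__ == "__main__":
    print(range_to_prefixes(1, 254, W))
    print(compare(1, 254, W, RULES_1_254))  # (14, 2, True)
```

The brute-force membership sets are the check a practitioner wants before trusting a compressed rule set: both encodings are verified against the exact integer range, so a double-mask rule that accidentally widened or narrowed the filter would be caught rather than silently deployed.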
Document type: Preprints, Working Papers, ...

Cited literature: 31 references
Contributor: Ahmad Abboud
Submitted on : Wednesday, April 24, 2019 - 11:20:14 AM
Last modification on : Friday, August 5, 2022 - 3:50:25 AM


Double Mask General Version.pd...
Files produced by the author(s)


  • HAL Id : hal-02102225, version 4


Ahmad Abboud, Abdelkader Lahmadi, Michaël Rusinowitch, Miguel Couceiro, Adel Bouhoula, et al.. Minimizing Range Rules for Packet Filtering Using Double Mask Representation. {date}. ⟨hal-02102225v4⟩


