Double Mask: An efficient rule encoding for Software Defined Networking - Inria - Institut national de recherche en sciences et technologies du numérique
Conference paper, year: 2020

Double Mask: An efficient rule encoding for Software Defined Networking

Abstract

Packet filtering is widely used in many networking appliances and applications, in particular to block malicious traffic (protecting network infrastructures through firewalls and intrusion detection systems) and, when deployed on routers, switches and load balancers, for packet classification. The mechanism relies on the packet's header fields to filter traffic using range rules over IP addresses or ports. However, the set of packet filters has to handle a growing number of connected nodes, many of which are compromised and used as sources of attacks. For instance, IP filter sets available in blacklists may reach several million entries and may require a large memory space for their storage in filtering appliances. In this paper, we propose a new method based on a double mask IP prefix representation, together with a linear transformation algorithm, to build a minimized set of range rules. This representation makes the network more secure, reliable and easier to maintain and configure. We formally define the double mask representation over range rules. We show empirically that the proposed method achieves an average compression ratio of 11% on real-life blacklists and up to 74% on synthetic range rule sets. Finally, we evaluate the performance of our double mask representation through an OpenFlow-based implementation on an SDN testbed using real hardware. Our results show that our technique significantly reduces the matching time in the controller when compression ratios are higher than 15%, leading to a faster response time, and that it achieves a good balance between matching time and memory space in the switch.
Main file
1570605208.pdf (391.62 KB) Download the file
Origin: Files produced by the author(s)

Dates and versions

hal-02547097, version 1 (19-04-2020)

Identifiers

  • HAL Id: hal-02547097, version 1

Cite

Ahmad Abboud, Abdelkader Lahmadi, Michael Rusinowitch, Miguel Couceiro, Adel Bouhoula, et al. Double Mask: An efficient rule encoding for Software Defined Networking. ICIN 2020 - 23rd Conference on Innovation in Clouds, Internet and Networks and Workshops, Feb 2020, Paris, France. pp. 186-193. ⟨hal-02547097⟩