Jie Zheng, Placement and balancing of cooperative packet filters

Packet filtering is an important mechanism for protecting a network from malicious traffic and for providing differentiated service to high-priority traffic. As the number of attacks and the number of high-priority traffic flows grow, more and more filter rules are required. Unfortunately, the number of filter rules that a network interface can handle efficiently is limited, so a network interface with a large number of filter rules may suffer degraded performance.

We observe that a high-end router can perform packet filtering independently at both its ingress interfaces and its egress interfaces. When the filter processor on one interface is overloaded, the filter processors on other interfaces may sit idle, so the workload across interfaces can be highly unbalanced. We leverage this observation to improve packet filtering performance. We propose a cooperative filter solution that optimizes the placement of filter rules among the ingress and egress interfaces of a router. When the filter processor on one interface is overloaded, its filter rule set can be split and some rules migrated from that interface to other interfaces. The rule-set splitting algorithm must preserve the semantics of the original filter rule set: every packet must receive the same permit or deny decision after migration as before. Cooperative filters balance the workload of the filter processors on different interfaces, improve the utilization of filter processing resources, and increase the router's packet processing speed.
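The following is an added toy model of the idea described above; it is not the thesis's algorithm or code. It assumes a router with a single overloaded ingress filter ("wan-in") and idle egress filters, first-match rule lists, and a packet being dropped if any filter it traverses says deny. A rule is treated as migratable only when (a) its match set does not overlap any rule with the opposite action, so first-match ordering cannot change the outcome, and (b) every packet it matches leaves through exactly one egress interface, computed from the routing table. The rule names, prefixes and routing table are all constructed for the example, and a semantics check compares decisions before and after migration on constructed sample packets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Rule:
    rid: str
    src: IPv4Network
    dst: IPv4Network
    action: str  # "permit" or "deny"


def R(rid, src, dst, action):
    return Rule(rid, ip_network(src), ip_network(dst), action)


# Constructed routing table: destination prefix -> egress interface (longest prefix wins).
ROUTES = {ip_network(p): i for p, i in [
    ("10.1.0.0/16", "lan1"), ("10.2.0.0/16", "lan2"),
    ("10.2.7.0/24", "lan3"), ("0.0.0.0/0", "wan")]}
# One independent filter processor per interface direction.
PROCESSORS = ["wan-in"] + sorted({f"{i}-out" for i in ROUTES.values()})

# Constructed first-match rule set, initially all on the wan ingress filter.
RULES = [
    R("r1", "192.0.2.0/24", "10.1.0.0/16", "deny"),
    R("r2", "198.51.100.0/24", "10.2.0.0/16", "deny"),   # spans lan2 and lan3: not migratable
    R("r3", "203.0.113.5/32", "10.1.50.0/24", "permit"),  # host exception ahead of r4
    R("r4", "203.0.113.0/24", "10.1.50.0/24", "deny"),    # conflicts with r3: order matters
    R("r5", "0.0.0.0/0", "10.2.7.0/24", "deny"),
    R("r6", "0.0.0.0/0", "10.1.200.0/24", "deny"),
]


def lookup(dst):
    """Longest-prefix route lookup for a destination address."""
    return ROUTES[max((p for p in ROUTES if dst in p), key=lambda p: p.prefixlen)]


def egress_set(dst_net):
    """Every egress interface that some address in dst_net is routed to."""
    covering = max((p for p in ROUTES if p.supernet_of(dst_net)), key=lambda p: p.prefixlen)
    inside = {ROUTES[p] for p in ROUTES if p.subnet_of(dst_net) and p != dst_net}
    return inside | {ROUTES[covering]}


def conflicts(a, b):
    """Overlapping match sets with different actions: first-match order decides."""
    return a.action != b.action and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)


def decide(rules, src, dst):
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return "permit"  # implicit default


def forward(placement, src, dst):
    """Overall decision: deny if the ingress or the chosen egress filter denies."""
    src, dst = ip_address(src), ip_address(dst)
    path = ["wan-in", f"{lookup(dst)}-out"]
    return "deny" if any(decide(placement[p], src, dst) == "deny" for p in path) else "permit"


def original_placement(rules):
    placement = {p: [] for p in PROCESSORS}
    placement["wan-in"] = list(rules)
    return placement


def balance(rules, capacity):
    """Migrate safe rules off the overloaded ingress filter until it fits its capacity."""
    placement = original_placement(rules)
    for r in rules:
        if len(placement["wan-in"]) <= capacity:
            break
        if any(conflicts(r, q) for q in rules if q is not r):
            continue
        targets = egress_set(r.dst)
        if len(targets) != 1:
            continue
        proc = f"{targets.pop()}-out"
        if len(placement[proc]) >= capacity:
            continue
        placement["wan-in"].remove(r)
        placement[proc].append(r)  # original relative order is preserved
    return placement


def move(placement, rid, proc):
    """Unchecked migration of one rule, used to show what the safety checks prevent."""
    new = {p: [r for r in rs if r.rid != rid] for p, rs in placement.items()}
    new[proc].append(next(r for rs in placement.values() for r in rs if r.rid == rid))
    return new


def same_semantics(placement, packets):
    base = original_placement(RULES)
    return all(forward(base, s, d) == forward(placement, s, d) for s, d in packets)


def loads(placement):
    return {p: len(rs) for p, rs in placement.items()}


# Constructed sample packets (src, dst) exercising each rule and the default.
PACKETS = [("192.0.2.1", "10.1.1.1"), ("198.51.100.1", "10.2.7.1"), ("203.0.113.5", "10.1.50.9"),
           ("203.0.113.6", "10.1.50.9"), ("8.8.8.8", "10.2.7.1"), ("8.8.8.8", "10.2.1.1"),
           ("8.8.8.8", "10.1.200.1"), ("8.8.8.8", "1.1.1.1")]

if __name__ == "__main__":
    cooperative = balance(RULES, capacity=3)
    print({p: [r.rid for r in rs] for p, rs in cooperative.items()})
    print("semantics preserved:", same_semantics(cooperative, PACKETS))
    print("unchecked move of r4:", same_semantics(move(original_placement(RULES), "r4", "lan1-out"), PACKETS))
```

Running the block moves r1 and r6 to the lan1 egress filter and r5 to the lan3 egress filter, leaving r2 (whose destinations exit through two interfaces) and the r3/r4 pair (whose ordering is semantically significant) on the ingress filter. The unchecked move of r4 shows the failure mode: the host permitted by r3 at ingress is then denied at egress, which is exactly the class of error a correct splitting algorithm must rule out.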