Comparative evaluation of software implementations of layer-4 packet classification schemes

The availability of fast network processors and general purpose CPUs has made software implementation of per-packet processing in network elements an attractive option. Given this, a-priori knowledge of performance of software implementations of the well known Layer-4 packet classification will be very useful. We compare the performance of three state-of-the-art packet classification schemes namely, Grid-of-Tries (GOT), Packet Classification Algorithms using Recursive Space-decomposition (PACARS) , and Tuple-Space-Search (TSS), implemented in FreeBSD 3.3 UNIX kernel. We developed two new OS extensions, namely, the Virtual Filter Database (VFD) framework and the new routing socket API to implement these algorithms. We used real-life as well as synthetic rule databases to evaluate their performance. Our key conclusions are: (1) compression of trie data structure that is central to a lot of classification algorithms has limited benefits on general purpose CPUs; (2) static algorithms such as GOT that do not support dynamic updates support very fast search performance of the order of a few microseconds per search and may be adequate for static firewalls; and (3) with medium sized databases, PACARS and TSS schemes provide update times of the order of 100s of microseconds and search performance of the order of 10s of microseconds. These algorithms are adequate for dynamic firewalls, traffic directors, and network monitoring applications in enterprise networks.