On Dynamic Optimization of Packet Matching in High-Speed Firewalls

Packet matching plays a critical role in the performance of many network devices and a tremendous amount of research has already been invested to come up with better optimized packet filters. However, most of the related works use deterministic techniques and do not exploit the traffic characteristics in their optimization schemes. In addition, most packet classifiers give no specific consideration for optimizing packet rejection, which is important for many filtering devices like firewalls. Our contribution in this paper is twofold. First, we present a novel algorithm for maximizing early rejection of unwanted flows with minimal impact on other flows. Second, we present a new packet filtering dynamic optimization technique that uses statistical search trees to utilize traffic characteristics and minimize the average packet matching time. The proposed techniques timely adapt to changes in the traffic conditions by performing simple calculations for optimizing the search data structure. Our techniques are practically attractive because they exhibit simple-to-implement and easy-to-deploy algorithms. Our extensive evaluation study using Internet traces shows that the proposed techniques can significantly minimize the packet filtering time with reasonable memory space requirements