Jedhe, Gajanan S and Ramamoorthy, Arun and Varghese, Kuruvilla (2008) A Scalable High Throughput Firewall in FPGA. In: 16th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, APR 14-15, 2008, Stanford, CA.
High-end network security applications demand high-speed operation and large rule-set support. Packet classification is the core functionality that demands high throughput in such applications. This paper proposes a packet classification architecture to meet such high throughput. We have implemented a Firewall with this architecture in reconfigurable hardware. We propose an extension to the Distributed Crossproducting of Field Labels (DCFL) technique to achieve a scalable and high-performance architecture. The implemented Firewall takes advantage of the inherent structure and redundancy of the rule set by using our DCFL Extended (DCFLE) algorithm. The use of the DCFLE algorithm results in both speed and area improvement when it is implemented in hardware. Although we restrict ourselves to standard 5-tuple matching, the architecture supports additional fields. High-throughput classification invariably uses Ternary Content Addressable Memory (TCAM) for prefix matching, though TCAM fares poorly in terms of area and power efficiency. Use of TCAM for port range matching is expensive, as the range-to-prefix conversion results in a large number of prefixes, leading to storage inefficiency. Extended TCAM (ETCAM) is fast and the most storage-efficient solution for range matching. We present for the first time a reconfigurable hardware implementation of ETCAM. We have implemented our Firewall as an embedded system on a Virtex-II Pro FPGA based platform, running Linux, with the packet classification in hardware. The Firewall was tested in real time with a 1 Gbps Ethernet link and 128 sample rules. The packet classification hardware uses a quarter of the logic resources and slightly over one third of the memory resources of the XC2VP30 FPGA. It achieves a maximum classification throughput of 50 million packets/s, corresponding to a 16 Gbps link rate for the worst-case packet size. A Firewall rule update involves only memory re-initialization in software, without any hardware change.
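The storage inefficiency the abstract attributes to range-to-prefix conversion can be seen directly by expanding a port range into the ternary prefixes a conventional TCAM would need. The following is an added illustration, not code from the paper; it assumes 16-bit port fields and the standard minimal aligned-block expansion, and shows how a two-sided range such as 1..65534 costs 30 entries per field, multiplying out across source and destination ports.

```python
def range_to_prefixes(lo: int, hi: int, width: int = 16):
    """Split the inclusive range [lo, hi] into the minimal set of aligned
    power-of-two blocks; each block is one ternary prefix (value, prefix_len)."""
    assert 0 <= lo <= hi < (1 << width), "range must fit the field width"
    prefixes = []
    while lo <= hi:
        # Grow the block while `lo` stays aligned to it and it still fits in the range.
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        # A block of 2^k values fixes the top (width - k) bits.
        prefix_len = width - (size.bit_length() - 1)
        prefixes.append((lo, prefix_len))
        lo += size
    return prefixes


def to_ternary(value: int, prefix_len: int, width: int = 16) -> str:
    """Render a prefix as a TCAM pattern, '*' marking don't-care bits."""
    bits = format(value, f"0{width}b")
    return bits[:prefix_len] + "*" * (width - prefix_len)


def tcam_entries_for_rule(src_ports, dst_ports) -> int:
    """A 5-tuple rule with range-valued source and destination ports expands to
    the cross product of the two prefix sets when stored in a plain TCAM."""
    return len(range_to_prefixes(*src_ports)) * len(range_to_prefixes(*dst_ports))


if __name__ == "__main__":
    # Constructed sample ranges: "ephemeral" (1024..65535) and "not 0, not 65535".
    for lo, hi in [(1024, 65535), (1, 65534), (80, 80)]:
        ps = range_to_prefixes(lo, hi)
        print(f"[{lo}, {hi}] -> {len(ps)} prefixes")
        for value, plen in ps[:3]:
            print("   ", to_ternary(value, plen))
    # One rule with two worst-case port ranges balloons to 30 * 30 entries.
    print("entries for src 1..65534, dst 1..65534:",
          tcam_entries_for_rule((1, 65534), (1, 65534)))
```

Running the block prints the expansion of each sample range and the 900-entry cost of a single rule with two worst-case ranges, which is the blow-up that ETCAM's native range matching avoids.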
Item Type: Conference Paper
Additional Information: Copyright of this article belongs to IEEE.
Department/Centre: Division of Electrical Sciences > Electronic Systems Engineering (formerly CEDT, Centre for Electronic Design & Technology)
Date Deposited: 08 Feb 2010 04:57
Last Modified: 19 Sep 2010 05:31