An MTIDD Based Firewall

Telecommunication Systems

Abstract

This paper explores the use of Multi-Terminal Interval Decision Diagrams (MTIDDs) as the central structure of a firewall packet filtering mechanism. This is done by first relating the packet filtering problem to predicate logic, then implementing a prototype which is used in an empirical evaluation. The main benefits of the MTIDD structure are that it provides Boolean algebra over filters, efficient classification time, and a compact representation. Results from the empirical evaluation show that MTIDDs are scalable in terms of memory usage (a 50,000 rule filter requires only 3MB of memory) and efficient for packet classification: the prototype handles more rules than the schemes it was compared to without a degradation in performance.
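The three properties the abstract claims (a Boolean algebra over filters, classification cost bounded by the number of packet fields, and sharing of identical sub-diagrams) can be seen in a small interval decision diagram. The Python below is an added illustration, not the paper's prototype: it assumes a fixed field order, tuple-encoded nodes, first-match rule semantics and a constructed three-rule policy whose addresses and ports are made up.

```python
from bisect import bisect_right
from functools import reduce

FIELDS = ("proto", "src", "dst", "dport")   # variable order, assumed for this example
NOMATCH, ACCEPT, DROP = "nomatch", "accept", "drop"
_nodes = {}                                  # hash-consing table: equal subdiagrams are shared

def mk(var, bounds, children):
    """Reduced node (var, bounds, children): child i covers values in [bounds[i-1], bounds[i])."""
    b, c = [], [children[0]]
    for bound, child in zip(bounds, children[1:]):
        if child != c[-1]:                   # neighbouring intervals with equal subtrees merge
            b.append(bound)
            c.append(child)
    if len(c) == 1:                          # the result does not depend on this field at all
        return c[0]
    key = (var, tuple(b), tuple(c))
    return _nodes.setdefault(key, key)

def cofactor(d, var, value):                 # restrict d to field var == value; others pass through
    return d if isinstance(d, str) or d[0] != var else d[2][bisect_right(d[1], value)]
def apply(op, d1, d2):
    """Pointwise combination of two diagrams: the Boolean algebra over filters."""
    if isinstance(d1, str) and isinstance(d2, str):
        return op(d1, d2)
    var = min(n[0] for n in (d1, d2) if not isinstance(n, str))
    cuts = sorted({b for n in (d1, d2) if not isinstance(n, str) and n[0] == var for b in n[1]})
    reps = [-1] + cuts                       # one representative value per interval (fields are >= 0)
    return mk(var, cuts, [apply(op, cofactor(d1, var, r), cofactor(d2, var, r)) for r in reps])

def rule(action, **ranges):                  # inclusive (lo, hi) per field; omitted fields match any value
    d = action
    for var in reversed(range(len(FIELDS))):
        if FIELDS[var] in ranges:
            lo, hi = ranges[FIELDS[var]]
            d = mk(var, [lo, hi + 1], [NOMATCH, d, NOMATCH])
    return d

def policy(rules, default=DROP):             # first-match fold; unmatched packets get the default
    return reduce(lambda d, r: apply(lambda a, b: b if a == NOMATCH else a, d, r), rules + [default], NOMATCH)
def classify(d, packet):                     # visits at most one node per field, whatever the rule count
    while not isinstance(d, str):
        d = cofactor(d, d[0], packet[FIELDS[d[0]]])
    return d

# Constructed sample: TCP (6) from 10.0.0.0/24 (src 167772160..167772415) to 443 accepted, TCP to 22 dropped
R1 = rule(ACCEPT, proto=(6, 6), src=(167772160, 167772415), dport=(443, 443))
R2 = rule(DROP, proto=(6, 6), dport=(22, 22))
R3 = rule(ACCEPT, proto=(6, 6), src=(167772160, 167772200), dport=(443, 443))  # inside R1: shadowed
POLICY = policy([R1, R2, R3])
```

Because reduced diagrams under a fixed field order are canonical, comparing two policies with `==` answers questions such as whether a rule is shadowed or whether two rule orderings are equivalent.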



Cite this article

Christiansen, M., Fleury, E. An MTIDD Based Firewall. Telecommunication Systems 27, 297–319 (2004). https://doi.org/10.1023/B:TELS.0000041013.23205.0f
