
The Complex Packet Classification Problem

There exist situations where geometric checks alone are not expressive enough to model certain kinds of more complex filtering behaviour. An example of such a situation can be seen in rules $R_1$ and $R_2$ in Table 2.1: here, the intention is to prevent arbitrary TCP packets with source port 80 from entering the 54.17.102.0/24 subnet. Instead, the classification engine requires that a corresponding connection state entry has been created previously by an outgoing packet that matched rule $R_1$. Such a connection entry typically stores at least a timestamp of the last seen packet in this connection as well as the four-tuple of source and destination addresses/ports. That way, incoming packets only match rule $R_2$ if the connection has not expired and if they have been explicitly requested previously. Other examples of complex matching requirements are string matching within a packet's payload or load balancing on the basis of packet counters or random numbers.

Here, for a classification system running on an underlying machine configured with a rule set $\mathcal{R}$, we denote the set of all possible classification-relevant states stored on the machine by $\Sigma$. Examples of classification-relevant states are connection tables, packet counters, the state of a random number generator, and generally any further information that is utilized in the classification process for a given packet using the rule set $\mathcal{R}$. In order to also model complex checks for a rule $R_i$, we define $R_i$'s complex check $c_i$ as

$$c_i : P_{MTU} \times \Sigma \times \mathbb{B} \to \mathbb{B} \times \Sigma \qquad (2.26)$$

with

$$c_i\left(p, \sigma^{i-1}_p, \gamma_{R_i}(h_p)\right) := (\beta, \sigma^i_p) \qquad (2.27)$$

and

$p \in P_{MTU}$: the current packet

$\sigma^{i-1}_p \in \Sigma$: the classification-relevant state before the execution of $c_i$

$\gamma_{R_i}(h_p) \in \mathbb{B}$: the geometric match result of $R_i$ for $p$

$\beta \in \mathbb{B}$: the match result of the complex check $c_i$

$\sigma^i_p \in \Sigma$: the classification-relevant state after the execution of $c_i$

(2.28)

In contrast to geometric checks, $c_i$ may use not only a packet $p$'s header values, but also $p$'s payload $m_p$, the relevant state information $\sigma^{i-1}_p$, and the match result of $R_i$'s geometric checks $\gamma_{R_i}(h_p) \in \mathbb{B}$ to reach a match result. Also, a complex check may change the classification-relevant state of the classification system. We define $\sigma^{i-1}_p \in \Sigma$ as the classification-relevant state that is accessible to the classification system immediately before executing the complex check $c_i$ of rule $R_i$ on the packet $p$. Furthermore, we refer to $\sigma^i_p \in \Sigma$ as the classification-relevant state immediately after the execution of $c_i$. Analogously to geometric checks, we say that a complex check $c_i$ matches a packet $p$ iff $\beta = \mathit{true}$ with

$$c_i\left(p, \sigma^{i-1}_p, \gamma_{R_i}(h_p)\right) = (\beta, \sigma^i_p). \qquad (2.29)$$

Note that $\sigma^{i-1}_p$ does not necessarily have to differ from $\sigma^i_p$.

We now define two subclasses of complex checks that are required in the remainder of this thesis, namely stateless complex checks and match-based complex checks. A complex check $c_i$ is referred to as a stateless complex check if $c_i$ never alters the classification-relevant state. Also, we say that a complex check $c_i$ is match-based if it may only change the classification-relevant state if (1) all geometric checks evaluate to true, and (2) the complex check itself matches the regarded packet, i.e.,

$$\sigma^{i-1}_p \neq \sigma^i_p \Rightarrow \gamma_{R_i}(h_p) \wedge \beta. \qquad (2.30)$$

Examples of complex tests that can be implemented with match-based complex checks are string searches in packet payloads or connection tracking. In contrast, a complex check that uses a random number generator to match randomly is not match-based, because the generator's state changes also in the no-match case.

For a rule $R_i$ that does not specify a complex check, we model the complex check $c_i$ as the function $c^d_i$ with

$$c^d_i : P_{MTU} \times \Sigma \times \mathbb{B} \to \mathbb{B} \times \Sigma \qquad (2.31)$$

and

$$c^d_i\left(p, \sigma, \gamma_{R_i}(h_p)\right) := (\mathit{true}, \sigma) \quad \forall\, (p, \sigma, \gamma_{R_i}(h_p)) \in P_{MTU} \times \Sigma \times \mathbb{B}, \qquad (2.32)$$

which never changes the classification-relevant state and always returns the complex match decision true.

We refer to a rule $R$ with

$$R = (g_1, \ldots, g_d, c^d, a) \qquad (2.33)$$

as a geometric rule, for which we also use the shorthand notation

$$R = (g_1, \ldots, g_d, a). \qquad (2.34)$$

Otherwise, $R$ is referred to as a complex rule. Likewise, we call a rule set $\mathcal{R}$ a geometric rule set if every rule in $\mathcal{R}$ is a geometric rule, i.e., iff

$$\forall i \in \{1, \ldots, n\} : c_i = c^d_i. \qquad (2.35)$$

Otherwise, we call $\mathcal{R}$ a complex rule set.

Finally, a rule $R_i$'s complex match function $\kappa_{R_i}$ is defined as

$$\kappa_{R_i} : P_{MTU} \times \Sigma \to \mathbb{B} \qquad (2.36)$$

with

$$\kappa_{R_i}\left(p, \sigma^{i-1}_p\right) := \gamma_{R_i}(h_p) \wedge \beta \qquad (2.37)$$

and

$$(\beta, \sigma^i_p) = c_i\left(p, \sigma^{i-1}_p, \gamma_{R_i}(h_p)\right). \qquad (2.38)$$

In essence, a rule $R$'s complex match function determines whether an incoming packet matches $R$ with respect to $R$'s geometric checks as well as $R$'s complex check.

With a proper definition of complex checks, we are now able to extend the GPCP to the Complex Packet Classification Problem (CPCP), as defined in Problem 2.2. The major differences between these problems are the matching semantics and the handling of classification-relevant states. In contrast to the GPCP, the CPCP includes the execution of complex checks as well as non-terminal actions, which may both lead to potential state changes. Note that the CPCP allows multiple matching rules, as long as only the last matching rule defines a terminal action.

COMPLEX PACKET CLASSIFICATION PROBLEM

Given:

· Rule set $\mathcal{R} = \langle R_1, \ldots, R_n \rangle$

· Packet $p \in P_{MTU}$

· Action set $A = A_{term} \cup A_{nonterm}$

· No-match symbol $\epsilon$

· Initial classification-relevant state $\sigma^0_p$

Searched: The tuple (verdict $v_p \in A \cup \{\epsilon\}$, new state $\sigma^*_p$) with

$$v_p := \begin{cases} a_{i^*}, & \text{if } \exists\, i^* \in \{1, \ldots, n\} : \kappa_{R_{i^*}}\left(p, \sigma^{i^*-1}_p\right) \wedge a_{i^*} \in A_{term} \wedge \left(\nexists\, i \in \{1, \ldots, i^*-1\} : \kappa_{R_i}\left(p, \sigma^{i-1}_p\right) \text{ with } a_i \in A_{term}\right) \\ \epsilon, & \text{otherwise} \end{cases}$$

and

$$\sigma^*_p := \begin{cases} \sigma^{i^*}_p, & \text{if } v_p \neq \epsilon \\ \sigma^n_p, & \text{otherwise} \end{cases}$$

Problem 2.2: The Complex Packet Classification Problem.

Analogously to the function $f_{GPCP}$, we define the function

$$f_{CPCP} : S_{MTU} \times P_{MTU} \times \Sigma \to (A \cup \{\epsilon\}) \times \Sigma \qquad (2.39)$$

with

$$f_{CPCP}(\mathcal{R}, p, \sigma^0_p) := (v_p, \sigma^*_p) \qquad (2.40)$$

to implement the semantics of Problem 2.2.

It is important to distinguish between the CPCP and the GPCP because not every classification algorithm suited for the GPCP is also able to solve the CPCP. The same holds for rule set transformation approaches: in Part II we will present a novel rule set optimization technique that, in contrast to related work, is able to optimize not only geometric rule sets, but also complex rule sets when match-based complex checks are used. In order to ease notation in the remainder of this work, we define the rule set decision function $f_\mathcal{R}$ as

$$f_\mathcal{R}(p, \sigma^0_p) := \begin{cases} f_{GPCP}(\mathcal{R}, p), & \text{if } \mathcal{R} \text{ is a geometric rule set} \\ v_p \text{ with } (v_p, \sigma^*_p) = f_{CPCP}(\mathcal{R}, p, \sigma^0_p), & \text{if } \mathcal{R} \text{ is a complex rule set.} \end{cases} \qquad (2.41)$$

Also, we will abbreviate $f_\mathcal{R}(p, \sigma)$ to $f_\mathcal{R}(p)$ whenever $\sigma = \sigma^0_p$, thereby treating $\sigma^0_p$ as a default parameter for $\sigma$.
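The following Python model is an added example, not code from the thesis. It implements the complex-check signature of (2.26)/(2.27), a test of the match-based criterion (2.30) on sample inputs, and the decision function $f_{CPCP}$ of Problem 2.2/(2.40) together with the verdict-only wrapper $f_\mathcal{R}$ of (2.41). The `Packet` and `State` layouts, the concrete checks (connection tracking as a match-based check, a stateless lookup, a random coin that is not match-based) and the four-rule set that mirrors the $R_1$/$R_2$ intent are assumptions made here; Table 2.1 itself is not reproduced.

```python
"""Model of complex checks c_i and of the CPCP decision function f_CPCP.
Added example, not the thesis's code: State layout, checks and rule set are assumptions."""
import random
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable

TCP = 6
EPSILON = None                          # the no-match symbol epsilon
A_TERM = {"accept", "drop"}             # A_term
A_NONTERM = {"count"}                   # A_nonterm (state-changing, classification continues)


@dataclass(frozen=True)
class Packet:                           # p in P_MTU: header h_p plus payload m_p
    src: str
    dst: str
    sport: int
    dport: int
    proto: int = TCP
    payload: bytes = b""


@dataclass
class State:                            # sigma in Sigma: classification-relevant state
    conntrack: set = field(default_factory=set)    # reply flows (src, sport, dst, dport) opened so far
    counter: int = 0                               # a packet counter
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def snapshot(self):
        # Comparable view of sigma, used to detect sigma^{i-1} != sigma^i (eq. 2.30).
        return (frozenset(self.conntrack), self.counter, self.rng.getstate())


# --- complex checks c_i(p, sigma, gamma) -> (beta, sigma') ---------------------------
def c_default(p, sigma, gamma):
    """c^d: always matches, never touches the state (eq. 2.32)."""
    return True, sigma


def c_track_outgoing(p, sigma, gamma):
    """Match-based: records the reply direction only when gamma and beta both hold."""
    if not gamma:
        return False, sigma
    sigma.conntrack.add((p.dst, p.dport, p.src, p.sport))
    return True, sigma


def c_require_connection(p, sigma, gamma):
    """Stateless: matches only if an earlier outgoing packet opened this flow."""
    return (gamma and (p.src, p.sport, p.dst, p.dport) in sigma.conntrack), sigma


def c_random_half(p, sigma, gamma):
    """Not match-based: the generator state advances even in the no-match case."""
    coin = sigma.rng.random() < 0.5
    return (gamma and coin), sigma


def is_match_based(check, samples):
    """Check eq. 2.30 on (packet, state, gamma) samples: a state change needs gamma and beta."""
    for p, sigma, gamma in samples:
        before = sigma.snapshot()
        beta, sigma = check(p, sigma, gamma)
        if sigma.snapshot() != before and not (gamma and beta):
            return False
    return True


# --- geometric checks g_j as header predicates, rules and f_CPCP ---------------------
def in_net(field_name, cidr):
    net = ip_network(cidr)
    return lambda p: ip_address(getattr(p, field_name)) in net


def in_range(field_name, lo, hi):
    return lambda p: lo <= getattr(p, field_name) <= hi


@dataclass
class Rule:                             # R_i = (g_1, ..., g_d, c_i, a_i)
    geo: tuple
    action: str
    check: Callable = c_default         # geometric rule when left at c_default


def gamma_of(rule, p):
    """gamma_R(h_p): conjunction of the rule's geometric checks."""
    return all(g(p) for g in rule.geo)


def f_cpcp(rules, p, sigma):
    """f_CPCP(R, p, sigma^0_p) -> (v_p, sigma^*_p): first terminal match decides."""
    for rule in rules:
        gamma = gamma_of(rule, p)
        beta, sigma = rule.check(p, sigma, gamma)
        if gamma and beta:                          # kappa_{R_i}(p, sigma^{i-1}_p)
            if rule.action in A_TERM:
                return rule.action, sigma
            if rule.action == "count":              # non-terminal action changes sigma
                sigma.counter += 1
    return EPSILON, sigma


def f_r(rules, p, sigma=None):
    """f_R: verdict only; sigma defaults to a fresh sigma^0_p."""
    return f_cpcp(rules, p, State() if sigma is None else sigma)[0]


# Constructed rule set: outgoing web traffic from 54.17.102.0/24 opens a flow (R1),
# replies from port 80 are admitted only for opened flows (R2), everything else is dropped.
RULES = [
    Rule(geo=(in_range("proto", TCP, TCP),), action="count"),
    Rule(geo=(in_net("src", "54.17.102.0/24"), in_range("dport", 80, 80)),
         action="accept", check=c_track_outgoing),
    Rule(geo=(in_net("dst", "54.17.102.0/24"), in_range("sport", 80, 80)),
         action="accept", check=c_require_connection),
    Rule(geo=(), action="drop"),
]


def demo():
    sigma = State()
    inbound = Packet("203.0.113.9", "54.17.102.5", 80, 4000)    # constructed sample packets
    outbound = Packet("54.17.102.5", "203.0.113.9", 4000, 80)
    v1, sigma = f_cpcp(RULES, inbound, sigma)                    # unsolicited reply: drop
    v2, sigma = f_cpcp(RULES, outbound, sigma)                   # opens the flow: accept
    v3, sigma = f_cpcp(RULES, inbound, sigma)                    # now a requested reply: accept
    return v1, v2, v3, sigma.counter


if __name__ == "__main__":
    print(demo())
```

Threading `sigma` through every rule is what distinguishes this from a GPCP evaluator: the counting rule and the tracking check both change the state even when a later rule supplies the verdict, and `is_match_based` makes the difference between `c_track_outgoing` and `c_random_half` observable on concrete inputs.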