Abstract
Nowadays, packet classification and filtering tasks play critical roles in almost any packet processing system design. In particular, packet classification engines are now required to be designed efficiently to keep up with high data rates in networking applications.
Most conventional packet classifiers find the highest priority filter that matches the packet. However, new networking applications such as Network Intrusion Detection Systems (NIDS) and load balancers require finding all (or the first few) matching results in packet classification.
A TCAM-based architecture optimized for multiple match search is presented in this work. We propose a renovated TCAM design that can find all or the first r matches in a packet filter set. This multi-match TCAM unit can find all r matching addresses in at most r clock cycles. We also introduce a novel partitioning scheme based on filters and their intersection properties. An efficient contention resolver unit is designed to enhance the performance of the search by choosing only one partition. Our partitioning approach finds all matches in exactly one conventional TCAM cycle, while reducing the power consumption by at least two orders of magnitude. A VLSI implementation of our classifier in 0.18 μm technology can achieve a speed that is 1-2 orders of magnitude higher than software-based approaches. The multi-match packet classifier circuitry has been implemented on an FPGA, and experimental results show that the system can achieve a wire speed of approximately three OC-192 without performance degradation. This system can significantly help many networking applications including packet classification, worm detection, packet-level accounting and transparent monitoring.
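To make the difference between highest-priority and multi-match search concrete, the following added example (a software model, not the paper's circuit or code) compares a key against a constructed 8-bit ternary filter set and reports the first r matching addresses, one per modeled cycle. The filter set and the function names are assumptions made for illustration.

```python
from typing import List, Optional, Tuple

# Constructed filter set: (name, value, care_mask). A mask bit of 0 means
# "don't care". The list index is the TCAM address; lower address = higher priority.
FILTERS = [
    ("f0", 0b10100000, 0b11110000),  # 1010xxxx
    ("f1", 0b10000000, 0b11000000),  # 10xxxxxx
    ("f2", 0b00001111, 0b00001111),  # xxxx1111
    ("f3", 0b00000000, 0b00000000),  # xxxxxxxx (matches everything)
]


def match_vector(key: int) -> int:
    """Model one TCAM search: bit i is set iff the entry at address i matches."""
    vec = 0
    for addr, (_name, value, mask) in enumerate(FILTERS):
        if (key & mask) == (value & mask):
            vec |= 1 << addr
    return vec


def first_match(key: int) -> Optional[int]:
    """Conventional classifier: only the highest-priority matching address."""
    vec = match_vector(key)
    if vec == 0:
        return None
    return (vec & -vec).bit_length() - 1  # index of the lowest set bit


def first_r_matches(key: int, r: int) -> Tuple[List[int], int]:
    """Multi-match search: report up to r matching addresses.

    Each loop iteration models one clock cycle: a priority encoder picks the
    lowest matching address, then that match line is cleared so the next
    cycle yields the next match. Returns (addresses, cycles_used).
    """
    vec = match_vector(key)
    addresses: List[int] = []
    while vec and len(addresses) < r:
        lowest = vec & -vec          # isolate the highest-priority match line
        addresses.append(lowest.bit_length() - 1)
        vec ^= lowest                # mask off the match already reported
    return addresses, len(addresses)


if __name__ == "__main__":
    key = 0b10101111                 # constructed key that hits every filter
    print("single match:", first_match(key))
    print("first 2 matches:", first_r_matches(key, 2))
    print("all matches:", first_r_matches(key, len(FILTERS)))
```

A NIDS-style consumer would use the full address list to evaluate every rule that applies to the packet, whereas the single-match result hides f1, f2 and f3 behind f0.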