Abstract
This paper explores the use of Interval Decision Diagrams (IDDs) as the central structure of a firewall packet filtering mechanism. This is done by first relating the packet filtering problem to predicate logic, then implementing a prototype which is used in an empirical evaluation. The main benefits of the IDD structure are that it provides access to boolean algebra over filters, efficient classification time, and potentially a compact representation. Results from the empirical evaluation shows that IDDs are scalable in terms of memory usage: a 50,000 rule filter requires only 3MB of memory, and efficient for packet classification: it is able to handle more rules than the schemes it was compared to without causing a degradation in performance.
| Original language | English |
|---|---|
| Journal | Telecommunications Systems |
| Volume | 27 |
| Issue number | 2-4 |
| Pages (from-to) | 297-319 |
| Number of pages | 22 |
| ISSN | 1018-4864 |
| Publication status | Published - 2004 |
Keywords
- Packet Classification, Firewall, Traffic Filtering, Decision Diagrams