a difference resolution approach to compressing access...
TRANSCRIPT
-
1
A Difference Resolution Approach to
Compressing Access Control ListsJames Daly Alex X. Liu Eric Torng
Abstract—Access Control Lists (ACLs) are the core of manynetworking and security devices. As new threats and vulnerabil-ities emerge, ACLs on routers and firewalls are getting larger.Therefore, compressing ACLs is an important problem. In thispaper, we propose a new approach, called Diplomat, to ACLcompression. The key idea is to transform higher dimensionaltarget patterns into lower dimensional patterns by dividing theoriginal pattern into a series of hyperplanes and then resolvingdifferences between two adjacent hyperplanes by adding rulesthat specify the differences. This approach is fundamentallydifferent from prior ACL compression algorithms and is shown tobe very effective. We implemented Diplomat and conducted side-by-side comparison with the prior Firewall Compressor, TCAMRazor and ACL Compressor algorithms on real life classifiers.Our experimental results show that Diplomat outperforms all ofthem on most of our real-life classifiers, often by a considerablemargin, particularly as classifier size and complexity increases.In particular, on our largest ACLs, Diplomat has an averageimprovement ratio of 34.9% over Firewall Compressor on range-ACLs, of 14.1% over TCAM Razor on prefix-ACLs, and 8.9%over ACL Compressor on mixed-ACLs.
Index Terms—Hardware-based Packet Classification, TernaryContent Addressable Memory (TCAM), Range Encoding.
I. INTRODUCTION
A. Background and Motivation
Access Control Lists (ACLs) are the core of many net-
working and security devices, such as routers and firewalls,
which perform services such as packet filtering, virtual private
networks (VPNs), network address translation (NAT), qual-
ity of service (QoS), load balancing, traffic accounting and
monitoring, differentiated services (Diffserv), etc. A packet
can be viewed as a d-tuple over d fields with finite, discretedomains. For IP packets, d is typically 5 and the relevantfields are source IP address, destination IP address, source port
number, destination port number, and protocol type, where
the domains of these fields are [0, 232 − 1], [0, 232 − 1],[0, 216−1], [0, 216−1], and [0, 28−1], respectively. An ACL isspecified as a sequence (i.e., ordered list) of predefined rules.
Each rule is specified in the form 〈predicate〉 → 〈decision〉.The 〈predicate〉 over packet fields F1, F2, · · · , Fd is typicallyspecified as (F1 ∈ S1) ∧ (F2 ∈ S2) ∧ · · · ,∧(Fd ∈ Sd). Ifeach Si is specified as a range, we call the ACL a range-ACL. If each Si is specified as a prefix, we call the ACL a
James Daly, Alex X. Liu, and Eric Torng are with the Department ofComputer Science and Engineering, Michigan State University, East Lansing,MI, 48824. E-mail: {dalyjame, alexliu, torng}@cse.msu.edu.
Corresponding author: Alex X. LiuThe preliminary version of this paper titled “A Difference Resolution
Approach to Compressing Access Control Lists” was published in the pro-ceedings of the 32rd Annual IEEE International Conference on ComputerCommunications (INFOCOM), pages 2040-2048, Turin, Italy, April 2013.
prefix-ACL. If some Si are specified as prefixes and others asranges, then we call the ACL a mixed-ACL. The 〈decision〉of a rule can be accept, or discard, or a combination of these
decisions with other options such as a logging option. An ACL
is essentially a function from the space of legal packets to a
set of possible decisions. When a packet arrives at a router, the
router extracts the relevant field values to form a search key
and searches the ACL to find the first rule that the search key
matches. The decision of this rule determines the appropriate
action to take upon the packet. The rules in an ACL often
conflict, which means that a packet may match multiple rules
and these rules may have different decisions. The way that
ACLs resolve conflicts is to follow the first match principle:
for any packet, the decision for the packet is the decision of
the first packet that the packet matches.
In this paper, we focus on the ACL Compression Prob-
lem: given a range-ACL, prefix-ACL or mixed-ACL L, findan equivalent range-ACL, prefix-ACL or mixed-ACL L′ sothat the number of rules in L′, denoted |L′|, is as smallas possible. We consider three different variations of the
ACL Compression Problem because of varying application
constraints. For applications where all fields must be prefixes,
we use the prefix-ACL variant. For applications where all
fields can be ranges, we use the range-ACL variant which
allows for more compression. For applications where only
some fields are constrained to be prefixes, we use the mixed-
ACL variant.
This problem has many motivations. First, as new threats
and vulnerabilities emerge, ACLs on routers and firewalls are
getting larger. For example, because the ACLs used for Quality
of Services on routers are often automatically generated, they
tend to be huge. Second, in the Open Flow architecture, which
is gaining more popularity and real deployment, networking
devices typically need to handle a large number of ACL-
like rules; thus, compressing such ACL-like rules is very
helpful for managing and optimizing such devices. A number
of network system management work, such as Yu et al.’s
DIFANE work [19] and Sung et al.’s work [16], have used our
prior ACL compression tool called Firewall Compressor [11],
[12] to reduce system complexity. Third, some networking and
security devices have strict limits on the number of rules that
can be stored. For example, NetScreen-100 only allows ACLs
with 733 rules. Fourth, fewer ACL rules often leads to higher
system performance. As ACLs are used to examine every
incoming and outgoing packet, such performance is critical
for network throughput.
-
2
B. Summary and Limitations of Prior Art
Optimal polynomial time algorithms have been developed
for 1-dimensional range-ACL compression (Top Coder Chal-
lenge in 2003, [2], [11]) and prefix-ACL compression [4],
[17]. Applegate et al. proved that the 2-dimensional range-
ACL compression problem is NP-hard [2]. The complexity
of 2-dimensional prefix-ACL compression is still unknown,
but prefix-ACL compression with an arbitrary number of
dimensions is NP-hard [5]. The only approximation algo-
rithm with a non-trivial approximation bound is one given
by Applegate et al. which has an approximation ratio of
O(min(n1/3, OPT 1/2)) for 2-dimensional range-ACL com-pression and O(w2 min(n1/3, OPT 1/2)) for 2-dimensionalprefix-ACL compression, where n is the number of rules inthe input rule list, w is the word size in bits, and OPTis the number of rules in the optimal rule list [2]. Their
bounds are tight. Their method requires dividing the input
into several subproblems to deal with the special forbidden
rectangle pattern described in Section V. The number of
subproblems required may be O(Opt), each of which mayrequire O(Opt1/2) rules.
Very few prior algorithms work for more than two dimen-
sions. Liu et al.’s Firewall Compressor algorithm [11] handles
d-dimensional range-ACLs by converting the rule list into acanonical firewall decision diagram and applying an optimal
weighted algorithm to each of the one-dimensional patterns
formed between two layers of the diagram. In their algorithm,
the “decision” used is actually the rule list that is produced by
lower levels, which is replicated for each of the corresponding
rules in the higher dimension. However, Firewall Compressor
only considers whether or not the two lower rule lists are the
same. If two lists are very similar but not the same, both lists
are replicated in their entirety. Their later work, TCAM Razor,
works by the same principle but uses an optimal prefix-ACL
algorithm rather than a range-ACL algorithm [15]. Finally,
they combined both works into ACL Compressor, which can
use either prefix or range compressors on different fields [13].
C. Proposed Approach
We present a new approach, called Diplomat, to ACL
compression. The key idea is to transform higher dimensional
target patterns into lower dimensional patterns by dividing the
original pattern into a series of hyperplanes. It then selects two
adjacent planes and resolves their differences by adding rules
to specify where the two planes differ. After resolution, the
two planes are compatible and can be merged into a single
plane. For example, in Figure 2, a single white rule in the
middle row would allow it to be merged with the top row.
Diplomat repeats this process until all of the planes have been
merged together into a single plane. Diplomat then repeats the
process on the reduced pattern. After recursive applications,
the pattern is reduced to a 1-dimensional pattern for which
optimal algorithms already exist. In terms of construction,
the rules generated by each resolution step and the final
compression step are joined together into one rule list with
the rules from earlier steps appearing before the rules from
later steps. Thus, any section specified by an earlier resolution
cannot be undone by a later resolution. This is what allows
Diplomat to consider the result of each resolution to be one
homogeneous region. We illustrate this process for a two-
dimensional range-ACL in Figure 1. We call this algorithm
Diplomat because it compresses a rule list by repeatedly
“resolving differences” between adjacent planes.
Fig. 1. Overview of Diplomat in two dimensions
Figure 2 shows that for an example input ACL, Firewall
Compressor produces more rules than Diplomat.
Firewall Compressor Diplomat
0
1
2
0 1 2 3 4 5
x [1, 1] !y [4, 4] !"#$%&
x [1, 1] !"! [0, 5] !"#$%&
x [0, 2] !"! [1, 1] !"#$%&
x [0, 2] !"! [4, 4] !"#$%&
x [0, 2] !"! [0, 5] !"#$%&
x [1, 1] !"! [0, 3] !"#$%&
x [0, 2] !"! [1, 1] !"#$%&
x [0, 2] !"! [4, 4] !"#$%&
x [0, 2] !"! [0, 5] !"#$%&
Fig. 2. A two-dimensional pattern divided into three rowsNote that Diplomat is designed to be run offline so that
network managers do not need to interact with the compressed
ACL. Rather, the manager can interact with the rule list in
a comfortable and understandable form. This can then be
input into Diplomat, which will create the compressed rule
list actually used by the network device.
D. Key Contributions
The key contribution of this paper is our new ACL compres-
sion approach that is totally different from all prior ACL com-
pression algorithms. This novel approach is also very effective.
We implemented Diplomat and conducted side-by-side com-
parison with the prior Firewall Compressor, TCAM Razor and
ACL Compressor algorithms on real life classifiers. The exper-
imental results show that Diplomat outperforms Firewall Com-
pressor, TCAM Razor and ACL Compressor most of the time,
often by a considerable margin. In particular, on our largest
ACLs, Diplomat has an average improvement ratio of 34.9%
over Firewall Compressor on range-ACLs, of 14.1% over
Razor on prefix-ACLs, and 8.9% over ACL Compressor on
mixed-ACLs. Furthermore, on two-dimensional classifiers we
demonstrate approximation ratios of O(min(n1/3, OPT 1/2)for range-ACLs and (min(w4/3n1/3, w2OPT 1/2)) for prefix-ACLs, improving on the prior best result of [2]. We do note
that Diplomat achieves these performance gains at the cost of
additional running time compared to both Firewall Compressor
and TCAM Razor.
The rest of this paper is organized as follows. First, we
review related work in Section II. Second, we present key
definitions and some fundamental results in Section III. We
-
3
then describe how Diplomat is applied to range and prefix-
ACLs in Section IV. We cover the theoretical approximation
bounds in Section V and the practical experimental results in
Section VI. We conclude the paper by summarizing our results
and discussing some open problems in Section VII.
II. RELATED WORKThe 2-dimensional range-ACL compression problem was
proven to be NP-hard in [2]. This implies that mixed-ACL
compression with at least two range fields is also NP-Hard.
Whether the prefix-ACL problem with a fixed number of
dimensions is NP-hard is currently open. The 1-dimensional
case for both range and prefix-ACL compression is in P.
Applegate et al. [2] presented an algorithm for compressing
2-dimensional range-ACLs. For the special case of strip rules
where each rectangle spans the entire canvas in one of the two
dimensions and only 2 colors, their algorithm is optimal. They
then describe a way to divide the ACL into regions which can
each be solved with their strip rule solver. When applying their
solution to the general 2-dimensional range-ACL problem,
they gave a O(min(n1/3, OPT 1/2))-approximation algorithm.They also adapt their methods to prefix-ACL compression
which adds a factor of w2 to their approximation bounds wherew is the number of bits in the prefix word size. This is theonly approximation result we are aware of for either range
or prefix-ACL compression for 2 or more dimensions. We
adapt their methods in Section V to demonstrate that some
versions of Diplomat can achieve the same bounds. Finally,
they observe that the 1-dimensional range-ACL version was
given as StripePainter in the 2003 Google TopCoder challenge
and that a O(Kn3) running time can be achieved, where Kis the number of possible decisions [1].
For the 1-dimensional prefix-ACL compression problem,
Draves et al. gave an optimal algorithm based on tries [4],
and Suri et al. gave an optimal algorithm based on dynamic
programming [17]. Suri et al. also gave an optimal dynamic
programming solution for the special case where two prefix
rectangles in the ACL can intersect only if one is fully con-
tained within the other. In this paper, we use Suri’s algorithm
to optimally compress the 1-dimensional prefix-ACLs which
the prefix version of Diplomat generates as subproblems.
Liu et al. presented their own optimal 1-dimensional range-
ACL compression solution based on dynamic programming
methods with an improved running time of O(k2n) wheren is the number of rules and k is the maximum numberof rules with the same decision [11]. They then applied this
algorithm to each of the layers of a firewall decision diagram
[7] to create a solution for any number of dimensions. In their
later paper [10], they apply a similar idea using the optimal
1-dimensional prefix-ACL solver from [17] to expand their
solution to operate on prefix-ACLs. In [13], Liu et al. define
ACL Compressor which considers ACLs where some fields are
ranges and some fields are prefixes. ACL Compressor operates
on the same principles, using an optimal 1-dimensional range-
ACL solver on range fields and an optimal 1-dimensional
prefix-ACL solver on prefix fields. In this paper, we use
Firewall Compressor to optimally compress the 1-dimensional
range-ACLs which the range and mixed versions of Diplomat
generate as subproblems.
Finally, the Rectilinear Polygon Cover (RPC) Problem,
which has been well explored in prior work [3], [6], [14], can
be thought of as a special case of the range-ACL compression
problem where the color of the last rule must be white and the
color of all prior rules must be black. However, RPC is very
different than range-ACL because the ability to use rectangles
with different colors leads to much shorter rule lists. Thus,
we cannot leverage any existing RPC algorithms to help with
range-ACL compression.
III. DEFINITIONS AND NOTATIONS
Let K be the set of decisions. It can be any finite set, suchas {yes, no}, {accept, deny}, or {0, 1, 2, 3, 4}. The actualitems are irrelevant so long as they are distinct. A color c ∈ Kis any one of those decisions.
We define a canvas C as the Cartesian product of d finitediscrete dimensions, [0, n1 − 1] × · · · × [0, nd − 1]. For theprefix version, ni = 2
wi where wi is the number of bits used torepresent dimension i. A box B ⊆ C is any region representedby a Cartesian product of intervals. For prefix classifiers, the
intervals are represented by the prefix {0, 1}k{∗}wi−k forsome k with 0 ≤ k ≤ wi. A pattern or coloring is a functionP : C→ K relating points in C to colors in K. An incompletepattern is a pattern that does not define a color for some points
in the canvas. Given two incomplete patterns P1 and P2 thatdo not both assign colors to the same point in the canvas,
P1 ∪ P2 is the pattern formed by joining the two patterns P1and P2.
A rule r : B → K assigns exactly one color c ∈ K to eachpoint in box B. A rule list L = {r1, . . . , rn} is an orderedlist of rules and |L| = n is the number of rules in L. A rulelist L assigns colors to points as follows: for any point p ∈ C,L(p) is the value of ri(p) for the minimum i such that ri(p)is defined. A rule list is complete if L(p) is defined for allpoints p in the canvas and is incomplete otherwise. We use ℓto denote an incomplete rule list. We use the terms rule list
and classifier interchangeably to refer to both a rule list Land the pattern defined by L. For a complete rule list L, wecall the color of rn the background color of L, and we canassume without loss of generality that domain(rn) = C sincern applies to all of C not covered by prior rules. For tworule lists L1 and L2, L1 · L2 denotes the rule list formed byappending L2 to the end of L1. We will also write ℓ ·P whereP is a pattern; in this case, the pattern implied by incompleterule list ℓ overrides P for points where both are defined.
Two rule lists are equivalent, L1 ≡ L2, if L1(p) =L2(p) ∀p ∈ C. We denote the set of all rule lists equivalent toP as 〈P 〉. L is an optimal rule list for a pattern P if L ∈ 〈P 〉and |L| ≤ |L′| ∀L′ ∈ 〈P 〉. Our objective is to find an optimalrule list for an input pattern P . This was shown in [2] to beNP-hard for patterns of two or more dimensions in the range
case (and may be for the prefix case as well), so we try to
find one as close to optimal as possible.
Given a pattern P , box B is P -monochromatic if P (p1) =P (p2) ∀p1, p2 ∈ B. We can break C into monochromaticboxes using Applegate et al.’s effective grid concept. Quoting
[2], “For any rectilinear pattern P , call a horizontal or verticalline segment that separates and bounds two differently-colored
-
4
regions a boundary line. Extend each boundary line in both
directions so that it crosses the full canvas. We call the
resulting grid the “effective grid” for the pattern, and note
that all its grid cells will be monochromatic.” Without loss
of generality, we assume the input rule list L is convertedto the effective grid space, so C is the effective grid and ni(1 ≤ i ≤ d) is one more than the number of boundary planes indimension i. We also order the dimensions so n1 ≤ · · · ≤ nd.Applegate et al. also showed that ni ≤ 2n [2]. An exampleof an effective grid can be seen in Figure 3.
Fig. 3. An effective grid denoted by the dashed lines
IV. METHODOLOGY
We now formally describe the Diplomat classifier com-
pression algorithm. We first describe how we reduce our d-dimensional pattern into a collection of (d − 1)-dimensionalpatterns. Given a d-dimensional pattern P with a d-dimensional canvas C = [0, n1−1]×· · ·×[0, nd−1], define the(d−1)-dimensional canvas C′ = [0, n2−1]×· · ·× [0, nd−1].We divide C into n1 copies of canvas C
′ with C′i being the
(d−1)-dimensional plane with f1 = i for 0 ≤ i ≤ n1−1. Wethen create n1 patterns Pi for 0 ≤ i ≤ n1− 1 where Pi is theintersection of plane C′i with the original pattern P . We definepattern Pi on the (d − 1)-dimensional canvas C′ as follows:for any point p ∈ C′, Pi(p) = P (i × p). In Figure 4 (a), wesee a 3-dimensional pattern reduced into four 2-dimensional
patterns P0 through P3.
P3
P2
P1
d2
d3
d1
P0
(a) Before
P3
P[1,2]
d2
d3
d1
P0
(b) After
Fig. 4. Merging planes P1 and P2.
We create the resulting rule list L for C from our sequenceof n1 patterns Pi (0 ≤ i ≤ n1 − 1) by “merging” togetheradjacent patterns until we are left with a single pattern and then
recursively solving that single pattern. More formally, let P[i,j]denote some merging of patterns Pi to Pj inclusive. In Figure4 (b), we see P[1,2] representing the merger of patterns P1 andP2 from Figure 4 (a). For any point p ∈ C′, P[i,j](p) = Pk(p)for some i ≤ k ≤ j. For any p ∈ C′, we define pattern PC[i,j] onC by setting PC[i,j](k × p) = P[i,j](p) if i ≤ k ≤ j; otherwise,PC[i,j](k × p) is undefined.
Initially, P[i,i] = Pi ∀i ∈ [0, n1 − 1]. Initialize L to be theempty rule list. While we have at least two patterns remaining
Algorithm 1 Diplomat Solver
Require: Pattern PEnsure: Rule list L
1: L← ∅ ⊲ Final Result2: ~R← {Pi : Pi is the subpattern with P (f1) = i∀i ∈ [0, n1−1]}
⊲ Sub-planes
3: ~I ← {[i, i] : ∀i ∈ [0, n1 − 1]} ⊲ Intervals
4: while
∣
∣
∣
~R∣
∣
∣> 1 do
5: (t, b)← Schedule(~R)6: (ℓ, Rm)← Resolve(Rt, Rb, It, Ib)7: Replace Rt and Rb with Rm8: Replace It and Ib with Join(It, Ib)9: Append ℓ to L
10: end while11: Llower ← Solve(R)12: Append Llower to L13: return L
in our sequence of patterns, we select two adjacent patterns
P[i,j] and P[j+1,k] to be merged. We merge these two patternsinto a single pattern by providing extra information in a partial
rule list ℓ defined on C which is appended to L. Intuitively, ℓcolors points where P[i,j] and P[j+1,k] differ; this allows thetwo patterns to be merged. Let ℓq be the partial rule list usedin the qth merger of patterns where 1 ≤ q ≤ n1−1. When wehave a single pattern P[0,n1−1] remaining, the rule list L is theconcatenation of partial rule lists ℓq for 1 ≤ q ≤ n1 − 1. Wethen recursively solve the (d−1)-dimensional pattern P[0,n1−1]which is then appended to L for our final solution. If d = 2which means d−1 = 1, we have reached our base case and usethe optimal one-dimensional solvers in [11] or [17] to generate
a solution to P[0,n1−1].To merge two adjacent patterns P[i,j] and P[j+1,k] , we need
a resolver which we formally define as follows.
Definition 1. A resolver of P[i,j] and P[j+1,k] returns a partialrule list ℓ defined on C and pattern P[i,k] defined on C
′ subject
to the following constraints: ∀p ∈ C′, P[i,k](p) equals eitherP[i,j](p) or P[j+1,k](p) and ℓ · PC[i,k] ≡ PC[i,j] ∪ PC[j+1,k].
We observe that if P[i,j] ≡ P[j+1,k] then P[i,k] will matchboth lists and ℓ is the empty list. While a resolver is formallythe function that computes the partial rule list ℓ and the mergedpattern P[i,k], we also often refer to partial rule list ℓ as aresolver and say that ℓ resolves P[i,j] and P[j+1,k].
Next, we review the Firewall Compressor and Suri algo-
rithms which are used as sub-programs by our resolvers.
We then formally present several different resolvers to merge
adjacent patterns and schedulers to determine the merging
order for patterns.
A. Firewall Compressor
We review here the 1-dimensional version of Firewall Com-
pressor from [11]. Given some input classifier L, compute theeffective grid of L and label the cells from 0 to n−1. The firstkey insight is that the last rule rm covers the leftmost cell 0 insome optimal solution. Liu et al. use dynamic programming
to determine which other cells are also covered by rule rm. Ifno other cells are covered, then the optimal solution consists
of rule rm which only covers cell 0 plus an optimal solution
-
5
that covers region [1, n − 1]. Otherwise, let x be the nearestcell that is also covered by rm. The optimal solution is thenone that covers region [1, x − 1] and one that covers region[x, n− 1] where the last rule covers cell x (and cell 0).
B. Suri’s Prefix ACL Solver
We review the 1-dimensional version of the prefix ACL
solver from [17]. Their method works by dividing the range
into regions designated by prefixes. Each region has a desig-
nated background color. They then proceed to merge regions
together, sharing background colors between neighboring re-
gions at reduced cost when possible.
More formally, they begin by dividing P into the largestprefix segments that are monochromatic. For each prefix-color
pair, compute Cost(p, c), where c is the background colorapplied to the given prefix. For the base case of one of the
monochromatic prefixes, then Cost(p, c) = 0 if c is the color ofthe segment and 1 otherwise. For other prefixes, Cost(p, c) =minc0,c1(Cost(p0, c0) + Cost(p1, c1) + [c 6= c0] + [c 6= c1].The final cost, Cost(p) = minc Cost(p, c) + 1 (to fill in thebackground color). We utilize Suri’s algorithm for constructing
our prefix resolvers.
C. Resolvers
We first define two different types of resolvers that constrain
the type of scheduler Diplomat can use.
Definition 2. An in-plane resolver is a resolver where all of
the rules in ℓ correspond to one of the two patterns beingmerged. Stated another way, all the rules in ℓ come from thecanvas C′ corresponding to only one of the two patterns being
merged. A general resolver has no constraints placed upon the
rule source.
With an in-plane resolver, the resulting merged pattern will
be identical to the pattern that is not the source of the rules in
ℓ. With a general resolver, the merged pattern may be a newpattern that is different from either of the two input patterns.
The general resolver has the advantage that ℓ can be smallersince we have more flexibility in resolving differences between
the two patterns. The in-plane resolver has the advantage that
because the resulting pattern will be one of the input patterns,
the scheduler can use dynamic programming. We now describe
our efforts to develop fast and effective resolvers. We begin by
giving optimal general and in-plane resolvers for rows (one-
dimensional planes) and then give heuristic higher dimensional
resolvers.
1) Optimal one-dimensional resolvers: In this section, C′
is a row. We use Rt and Rb to correspond to the two patternsP[i,j] and P[j+1,k] that are being merged. We use Rt[i, j]and Rb[i, j] to refer to the sub-pattern in row Rt and Rb,respectively, between columns i and j. All the resolvers wepresent use the optimal one-dimensional versions of Firewall
Compressor (FC) in [11] or Suri’s algorithm in [17] as a
subroutine. Proofs of optimality for the resolvers can be found
in Section V.
a) Optimal General Range-Resolver: Here, we present
an optimal way to merge Rt and Rb between columns 0 andk. Let ℓk denote the partial rule list returned by this optimalsolution, let Ck = |ℓk|, and let Pk denote the resulting patternthat is returned. If Rt[k] = Rb[k], then ℓk = ℓk−1, Ck =Ck−1, and Pk = Pk−1 ∪ Rt[k] as there are no differences incolumn k. Otherwise, there is a difference between Rt andRb in position k. This means ℓk must include at least onerule that covers either Rt[k] or Rb[k]. We prove in SectionV-A that we can restrict our attention to resolvers that cover
only Rt or Rb from column k back to some column s where0 ≤ s ≤ k. This is then combined with an optimal solutionup to column s− 1. We consider all possible choices of thissplit point s in the following description and set C−1 = 0,ℓ−1 = ∅, and P−1 = ∅ for the case where s = 0. Then Ck =min0≤s≤k(Cs−1 +min(|FC(Rt[s, k])| , |FC(Rb[s, k])|)) andSk is the corresponding value of s. Now, using Sk, we buildthe solution ℓk, Pk. We add the rules from the appropriatesolution FC(Rt[Sk, k]) or FC(Rb[Sk, k]) to ℓSk−1 to formℓk, and we add the other pattern for columns Sk to k to PSk−1to form Pk.
b) Optimal In-Plane Range-Resolver: This version as-
sumes that all of the rules for ℓk have to come from Rt orRb. Without loss of generality, assume the rules come fromRt. Then Pk is defined by Rb. We use a dynamic programmingtechnique similar to the general resolver to create our rule list
ℓk. Since we know no rules for ℓk can come from Rb, we onlyneed to compute the partial solutions in Rt.
Algorithm 2 Optimal In-Row Range Resolver
Require: Rows Rt and Rb and interval ItEnsure: A rule list, ℓ marking how Rt is different from Rb.
1: ℓ = ∅2: cost(−1) = 03: for k = 0→ nd − 1 do4: if Rt(k) 6= Rb(k) then5: bestS ← ∅6: bestScore←∞7: for s = 0→ k do8: score← cost(s− 1) + FC(Rt([s, k]))9: if score < bestScore then
10: bestS ← s11: bestScore← score12: end if13: end for14: cost(k)← bestScore15: backtrace(k)← bestS16: else17: cost(k)← cost(k − 1)18: end if19: end for20: k ← nd − 121: while k ≥ 0 do22: if Rt(k) 6= Rb(k) then23: ℓ← It × FC(Rt([backtrace(k), k]))24: k ← backtrace(k)− 125: else26: k ← k − 127: end if28: end while29: return ℓ
-
6
c) Optimal General Prefix-Resolver: Here, we present
an optimal way to merge Rt and Rb over the range ofsome prefix pr using only prefix rules; the end result isresolver l(pr) and pattern P (pr). We begin by observing thatSuri(Rt) and Suri(Rb) are both resolvers. Let p denotethe smallest prefix (and thus specifies the largest number
of points) used in an optimal resolver. The restrictions
on prefix rules means that either p = pr, p ⊆ pr0, orp ⊆ pr1. If p = pr, then the optimal resolver is eitherSuri(Rt) or Suri(Rb). Otherwise, it is some combinationof the optimal resolvers for pr0 and pr1. That is, ℓ(pr) =OptResolve(Rt, Rb, pr) = min(OptResolve(Rt, Rb, pr0) ·OptResolve(Rt, Rb, pr1), Suri(Rt, pr), Suri(Rb, pr)) Ourbase case for this recurrence relation occurs when Rt[pr]or Rb[pr] is monochromatic meaning |OptResolve| isone. We create P (pr) in the same way as for the generalrange-resolver.
d) Optimal In-Plane Prefix-Resolver: This version as-
sumes that all of the rules in ℓ(pr) have to come from Rt orRb and that the ranges are restricted to being prefixes. Withoutloss of generality, assume that the rules come from Rt. ThenP (pr) is defined by Rb. The algorithm is otherwise identical tothe general prefix-resolver except that we cannot use Suri(Rb)as part of the solution.
Algorithm 3 Optimal In-Row Prefix Resolver
Require: Rows Rt and Rb of width 2w and interval It
Ensure: A rule list ℓ marking how Rt is different from Rb.C : p→ Z ⊲ Return values of all calls to PCost()C ← PCost(Rt, Rb, ∗
w)ℓ← PBuild(Rt, It, C, ∗
w)return ℓ
Algorithm 4 Prefix Resolve Cost
Require: Rows Rt and Rb and prefix pEnsure: Cost cp
if Rt[p] is monochromatic thenif Rt[p] = Rb[p] then
return 0else
return 1end if
elsecm ← PCost(Rt, Rb, p0) + PCost(Rt, Rb, p1)cs ← SuriCost(Rt, p)if cs ≤ cm then
return cselse
return cmend if
end if
2) Higher Order Resolvers: If d ≥ 3, we need to merge twopatterns P1 and P2 that are (d− 1)-dimensional hyperplanes.This is more complicated than merging two rows. In particular,
we have an optimal algorithm for compressing 1-dimensional
patterns, but compressing 2-dimensional patterns is NP-hard
as shown in [2]. This difference in complexity carries over to
merging patterns.
We propose two different in-plane methods for merging
(d−1)-dimensional hyperplanes when d ≥ 3. We use in-plane
Algorithm 5 Prefix Resolve Builder
Require: Row RtRequire: Interval ItRequire: Cost function C : p→ ZRequire: Prefix pEnsure: Rule list ℓ
if SuriCost(Rt, p) = C[p] thenreturn Suri(Rt, p)
else if C[p] > 0 thenreturn PBuild(Rt, It, C, p0) · PBuild(Rt, It, C, p1)
end if
methods so that we can use a dynamic programming scheduler.
We can easily extend both methods to general resolvers if
desired. Without loss of generality, we assume that we wish
to merge P1 and P2 leaving pattern P1. Thus, all rules in theresolver will be within P2.
The first method is to enumerate all the differences. That
is, we use the FDD comparison algorithm in [9] to find the
differences between the two patterns. We then define ℓdif bygenerating rules in P2 to cover all the places where P2 differsfrom P1. We may cover additional locations if this reducesthe total number of rules required to cover all the differences.
This resolver implicitly uses the correct type of rule (range,
prefix or mixed) given the characteristics of the fields.
In the second method, we find box, the minimum boundingbox surrounding all differences. If any of the fields are prefix
fields, we expand the bounding box in that dimension so
that the bounding box can be defined by prefixes. We then
solve P2(box) using the appropriate version of Diplomat(range, prefix or mixed) and call the resulting solution ℓmbb.Alternately, we can solve P2 and then clip the results againstthe bounding box, removing any rules that fall entirely outside
the box. This solution is faster because the subsolution can
be computed once and shared between merges; however, this
may produce less compression because we do not optimize
the compression for the bounding box. We use this variant for
our experimental results in Section VI
To achieve greater compression, we run both methods and
use the smaller of the two resolvers. That is, our final resolver
ℓ = min(ℓdif , ℓmbb).
D. Schedulers
To complete the Diplomat algorithm, we need a scheduler
to determine an order for merging patterns. We present two
such schedulers. The first uses a greedy scheme and works
with any resolver while the second uses dynamic programming
to get better overall results but requires in-plane resolvers.
We can prove theoretical bounds for the greedy scheduler, but
the dynamic programming scheduler outperforms the greedy
scheduler in our experiments.
1) Greedy Range Scheduler: For the greedy scheduler, we
compute the cost of the original n1− 1 possible merges, pickthe minimum cost merge, and repeat until only one pattern
remains. Note that after performing a given merge, we must
recompute the cost of the one or two merges that involve the
new merged pattern. Overall, we perform at most 2n1−2 callsto Resolve. For a d-dimensional classifier, we can consider
-
7
all possible permutations of the d fields when performing thegreedy scheduling.
Thinking more generally, there is no reason to perform
merges in only one dimension at a time. Instead, we can
greedily choose the best merge in any of the d dimensionsat any point in time. In particular, for d = 2, we find thecheapest pair of rows or columns to merge. In section V,
we show how to use this rotational greedy schedule to create
an O(min(n1/3, OPT 1/2))-approximation for 2-dimensionalpatterns.
2) Dynamic Programming Range Scheduler: We also
present a dynamic programming method that requires more
initial work and, as a result, outperforms the greedy sched-
uler in our experiments. Using an in-plane range resolver
such as the one in Section IV-C1b, let MergeCost[i, j] =|Resolve(Pi, Pj)| ∀i 6= j ∈ [0, n1 − 1] where the returnedpattern is Pi. This requires O(n
21) calls to Resolve. However,
because the merged pattern is always one of the original
patterns, we do not need to do any more merges.
We then define the following subproblem. Given interval
[l, u] for 0 ≤ l ≤ u ≤ n1 − 1, we find the minimumcost for merging patterns Pl, . . . Pu together while havingPr be the remaining pattern where l ≤ r ≤ u. We usestandard dynamic programming techniques to compute the
minimum cost solution to these O(n31) subproblems and thecorresponding optimal schedule of merges.
3) Greedy Prefix Scheduler: For a greedy prefix scheduler,
we take the greedy range scheduler described above and make
two changes to it. First, when considering the cost of rules in
P[i,j], the rules are weighted by the number of prefixes it takesto describe the range [i, j]. This acts as a conversion factorbetween the effective grid space and the prefix space. Second,
we use a weighted prefix resolver instead of a range resolver.
4) Dynamic Programming Prefix Scheduler: We also
present a dynamic programming method for scheduling that
works with prefixes. We begin by precomputing the merge
costs as for the range scheduler above. We then define the
recursive subproblem. Given a prefix p and row r ∈ p, wefind the minimum cost for merging the two halves, p0 and p1while having Pr be the remaining pattern. We use standarddynamic programming techniques to compute the minimum
cost solution to each of the O(w2n21) subproblems and thecorresponding schedule of merges.
5) Mixed Schedulers: We can generalize our greedy and
dynamic programming range and prefix schedulers into a
greedy and dynamic programming mixed scheduler as follows.
The key is the type of field f1. If f1 is a range field, then it actslike a range scheduler; if f1 is a prefix field, then it acts likea prefix scheduler. To merge the resulting hyperplanes defined
by the remaining fields, it calls an appropriate resolver. If all
of the remaining fields are range fields, then it calls a range
resolver. If all of them are prefix fields, then it calls a prefix
resolver. Otherwise, it calls a mixed resolver.
V. ALGORITHMIC ANALYSIS
We now prove some results about our algorithms. We first
prove that our one-dimensional resolvers are optimal. We then
prove some approximation results for some two-dimensional
Algorithm 6 Scheduler(l, u, r,MergeCost)
Require: Integers l, u, and r such that 0 ≤ l ≤ r ≤ u < n1Require: n1 × n1 matrix MergeCostEnsure: Stack of triples 〈Rt, Rb, I〉, ScheduleEnsure: The last row, Lr
1: if l = u then2: Cost[l, u, r]← 03: end if4: minCost←∞5: minS ← ∅6: minM ← ∅7: for all s ∈ [l, r] do8: for all m in[r + 1, u] do9: c← Cost[l, s, r]+Cost[s+1, u,m]+MergeCost[m,r]
10: if c < minCost then11: minCost← c12: minS ← s13: minM ← m14: end if15: end for16: end for17: for all s ∈ [r + 1, u] do18: for all m in[l, r] do19: c← Cost[l, s,m]+Cost[s+1, u, r]+MergeCost[m,r]20: if c < minCost then21: minCost← c22: minS ← s23: minM ← m24: end if25: end for26: end for27: Cost[l, u, r]← minCost28: Split[l, u, r]← minS29: Mate[l, u, r]← minM30: rmin = argr minCost[1, n1, r] + |FC(Lr)|.31: return Schedule(1, nd, r, Split,Mate), Lr
Algorithm 7 Schedule(l, u, r, Split,Mate)
Require: Integers l, u, and r such that 0 ≤ l ≤ r ≤ u < n1Require: n1 × n1 × n1 matrices Split and MateEnsure: a triple 〈Rt, Rb, I〉 is added to the stack Schedule.
1: s← Split[l, u, r]2: m←Mate[l, u, r]3: if l < r then4: if m ≤ s then5: push 〈m, s, [l, s]〉 onto Schedule6: else
7: push 〈m, s, [s+ 1, u]〉 onto Schedule8: end if
9: end if
Algorithm 8 Prefix-Scheduler
Require: n1 × n1 matrix MergeCostEnsure: Stack of triples 〈Rt, Rb, I〉, ScheduleEnsure: The last row, Lr
1: Costs, Mates2: for all p ∈ ∗w do3: PrefixScheduleCost(∗w , p)4: end for5: r ← argmin
r
Costs[∗w, r]
6: Schedule← PrefixSchedule(Mates, ∗w, r)7: Lr ← Rr
-
8
Algorithm 9 Prefix-Scheduler-Cost
Require: Prefixes p and r : r ⊆ sRequire: n1 × n1 matrix MergeCostEnsure: Costs[p, r], Mates[p, r]
1: if p = r then2: Costs[p, r] ← 03: Mates[p, r] ← ∅4: else if r ⊆ p0 then5: PrefixSceduleCost(p1, r)6: cbest ←∞7: mbest ← ∅8: for all m ∈ p1 do9: PrefixSceduleCost(p1, r)
10: end for11: m← argmin
m∈p1
MergeCost[r,m] +Costs[p1,m]
12: Costs[p, r] ← MergeCost[r,m] + Costs[p0, r] +Costs[p1,m]
13: Mates[p, r] ← m14: else15: Right side is analogous16: end if
Algorithm 10 Prefix-Schedule
Require: MatesRequire: Prefixes p and r : p ⊆ rEnsure: 〈Rt, Rb, p〉 is added to the stack Schedule.
1: if r ⊂ p then2: m←Mates[p, r]3: Schedule← 〈Rr, Rm, p〉4: if r ⊆ p0 then5: PrefixSchedule(Mates, p0, r)6: PrefixSchedule(Mates, p1,m)7: else8: PrefixSchedule(Mates, p1, r)9: PrefixSchedule(Mates, p0,m)
10: end if11: end if
implementations of Diplomat. Finally, we prove that Diplomat
with a dynamic programming scheduler should outperform the
current state of the art algorithms, Firewall Compressor for
range-ACLs and TCAM Razor for prefix-ACLs.
A. Optimal One-Dimensional Resolvers
In this section, we prove that our one-dimensional resolvers
are optimal.
We first prove that there are optimal one-dimensional re-
solvers in which no rule spans both rows.
Theorem 1. Let ℓ be a rule list that resolves Rt and Rb, Thenthere exists a rule list ℓ′ that also resolves Rt and Rb suchthat |ℓ′| ≤ |ℓ| and that no rule r ∈ ℓ′ spans both rows. Inparticular, there is an optimal resolver with this property.
Proof: We prove this result by contradiction. Let ℓ be anoptimal resolver with the minimum possible number of rules
k that span both rows. If k = 0 then ℓ = ℓ′ and we are done.Otherwise, let ri be the last rule in ℓ spanning both rows.
We first consider the case where there is no rule rj withj > i and ri ∩ rj 6= ∅. In this case, we create a new rule listℓ∗ from ℓ by replacing ri with rt = ri ∩Rt. Any point in Rtcovered by ri is also covered by ri ∩ Rt, so ℓ∗ still resolvesall of the columns. For any point p ∈ Rb, either some rule rk
with k < i defines p for both ℓ and ℓ∗ or no rule in ℓ∗ does.Thus, there can be no color clash and ℓ∗ is still a resolver.This means ℓ∗ is an optimal resolver with only k − 1 rulesthat span both rows contradicting the definition of ℓ. Thus,this case is not possible.
The case where all rj with ri ∩ rj 6= ∅ for j > i are in rowRt can be shown to be impossible using the same analysis. Thereverse case where are all intersections occur in row Rb canbe handled similarly; the only modification is that we replace
ri with ri ∩Rb to form ℓ∗.We now consider the last case where some later rules that
intersect ri are in row Rt and others are in row Rb. We handlethe range and prefix cases separately, starting with the range
case. We first trim all rules rj with j > i so that both its leftand right end points are not covered by any prior rules. Since
we merely removed the parts of rj covered by other rules, theresulting rule list ℓ∗ is equivalent to ℓ. This may reduce theproblem to one of the above cases in which case we are done.
If not, let S be the set of rules rj in ℓ∗ with j > i that intersect
ri and let St ⊂ S be the subset in row Rt and Sb ⊂ S bethe subset in row Rb. Assume without loss of generality thatr∗ ∈ St is the first rule in S to appear scanning from leftto right. Since r∗ intersects ri, its right end point must be tothe right of ri’s end point given the trimming operation weperformed earlier. We then apply a second trimming operation
and update ℓ∗ by replacing all rules rj ∈ Sb with the portion ofrj that is strictly to the right of ri. This classifier still resolvesRt and Rb since rt still covers any column that was formerlycovered by rb. We have thus reduced this case to the priorcase where all rules after ri that intersect ri are from one row,and the proof is complete for ranges.
For prefix rule lists, we observe that for any rj and j > i,either rj ⊂ ri (a contradiction since rj is totally obscured byri), or else ri ⊂ rj in the horizontal field. Let rt be the widestsuch rule from Rt and rb the same from Rb. Such rules mustalso be the last such rules since any narrower rules must lie
entirely within their ranges and thus be obscured. Likewise,
either rt ⊆ rb or rb ⊆ rt in this field. Assume without loss ofgenerality that rt ⊆ rb. If we remove rt, we find that rb stillresolves all of the columns within this range. Since rt musthave been the last rule in this range within Rt, there can beno other rule that is revealed by the removal of rt and thusno color clash. Thus ℓ − rt is still a resolver, a contradictionto ℓ being optimal. Thus the proof is complete for prefixes aswell.
We next prove that there are optimal one-dimensional re-
solvers in which no column is covered by rules in both rows.
Theorem 2. Let ℓ be a rule list that resolves Rt and Rb. Thenthere exists a rule list ℓ′ that resolves Rt and Rb such that|ℓ′| ≤ |ℓ| and that for any i ∈ [0, nd − 1], either ℓ′(t, i) orℓ′(b, i) is undefined.
Proof: First, by Theorem 1, we can assume that ℓ hasno rule that occupies both rows. Let ℓ be an optimal resolverwith the minimum number of rules k in one row that overlapsthe horizontal range of any rule in the other row. If k = 0,we are done. Otherwise, assume without loss of generality
-
9
that r∗ ∈ Rt is the first such rule when scanned left to right.We create a modified rule list ℓ∗ by trimming all rules in Rbthat overlap the horizontal range of r∗, removing any that areentirely contained within the range of r∗ (which cannot happenor else ℓ is not optimal). For prefix classifiers, any overlappingrule must by entirely within this range (and thus there cannot
be any overlapping rules). The rule list ℓ∗ still resolves Rt andRb since ℓ
∗ specifies values for all columns affected in row
Rt. However, because the modified rule r∗ does not overlap
any rules in Rb, ℓ∗ has a smaller k value contradicting the
definition of ℓ, and the result follows.We now prove the optimality of our general one-
dimensional resolver.
Theorem 3. The Optimal Range-Resolver algorithm described
in Section IV-C1a is an optimal one-dimensional range-
resolver.
Proof: We prove this by induction on k, the length ofthe rows. The base case k = 0 is trivial. Now assume thismethod produces an optimal resolver ℓj for 0 ≤ j ≤ k. Wenow consider k+1. We first observe that the optimal resolverfor k + 1 has no fewer rules than the optimal resolver for k.Next, if Rt[k] = Rb[k], then ℓk+1 = ℓk is clearly an optimalresolver as it resolves all differences between the two rows in
the first k + 1 columns. Thus, by our induction hypothesis,our one-dimensional resolver is an optimal one-dimensional
resolver for this case.
If Rt[k] 6= Rb[k], by Theorem 2 we restrict our attentionto optimal resolvers ℓk+1 in which no column is covered byrules in both rows. Column k must be covered by some rulesince Rt[k] 6= Rb[k]. This means column k will be coveredby a rule ri in only Rb or Rt. Without loss of generality, letus assume ri is only in Rt. By Theorem 2, it follows thatfor some 0 ≤ q ≤ k that ℓk+1 must color Rt[q, k] and ℓk+1does not color Rb[q, k]. Thus ℓ
∗ will be an optimal resolver
ℓq−1 combined with an optimal coloring of Rt[q, k]. By ourinduction hypothesis, the fact that Firewall Compressor will
compute an optimal coloring of Rt[q, k], and the fact we tryall possible values of q, our general resolver algorithm is anoptimal resolver that finds such a solution.
We also show that our one-dimensional in-plane resolver is
an optimal one-dimensional in-plane resolver.
Theorem 4. The Optimal In-Plane Range-Resolver algorithm
described in Section IV-C1b is an optimal one-dimensional
in-plane range-resolver.
Proof: We again induct on k, the length of the rows. Thebase case k = 0 is trivial. Now assume this method producesan optimal in-plane resolver ℓj for 0 ≤ j ≤ k. We nowconsider k+1. If Rt[k] = Rb[k], then ℓk+1 = ℓk is clearly anoptimal in-plane resolver as it resolves all differences between
the two rows in the first k + 1 columns, and |ℓk+1| ≤ |ℓk|.Thus, by our induction hypothesis, our in-plane resolver is an
optimal in-plane resolver for this case.
If Rt[k] 6= Rb[k], then ℓk+1 must color Rt[k]. It followsthat ℓk+1 must color Rt[q, k] for some 0 ≤ q ≤ k. Thusℓk+1 will be an optimal in-plane resolver ℓq−1 combined withan optimal coloring of Rt[q, k]. By our induction hypothesis,
the fact that Firewall Compressor will compute an optimal
coloring of Rt[q, k], and the fact we try all possible valuesof q, our in-plane resolver algorithm is an optimal in-planeresolver that finds such a solution.
Theorem 5. The Optimal General Prefix-Resolver algorithm
described in Section IV-C1c is an optimal one-dimensional
general prefix resolver.
Proof: We induct on w, the word size of the rows (2w isthe length of the row). The base case w = 0 is trivial. Nowassume that this method produces an optimal in-plane resolver
for all smaller word sizes. If ℓ(pr) = Suri(Rt) or ℓ(pr) =Suri(Rb) is an optimal in-plane resolver, then this methodfinds an optimal solution. Otherwise, the rule delimited by prcannot be included in the optimal resolver for pr. Because ofthe limitations on prefix rules, all pi are contained in either pr0or pr1. Thus, ℓopt = ℓ(pr0)·ℓ(pr1), which is the other solutionconsidered by our method. By the inductive hypothesis, both of
the subsolutions are optimal and thus so is the overall solution.
Theorem 6. The Optimal In-Plane Prefix-Resolver algorithm
described in Section IV-C1d is an optimal one-dimensional
in-plane prefix-resolver.
Proof: This proof is essentially the same as for Theorem
5.
B. Two-Dimensional Approximation Results
In [2], the authors present an iterated strip-rule algorithm
and prove that it is a O(min(n1/3, OPT 1/2))-approximationalgorithm on range-ACLs and a O(w2 min(n1/3, OPT 1/2))-approximation algorithm on prefix-ACLs, where n is thenumber of rules in the input list, w is the word size in bits,and OPT is the size of the optimal solution. We simplify theiralgorithm and generalize it to create a class of approximation
algorithms with the same approximation ratio. We then show
that some Diplomat variations belong to this class.
We first define strip rule patterns [2].
Definition 3. A strip-rule pattern is a two-dimensional pattern
which can be created by a rule list where each rule spans an
entire row or column.
Applegate et al. prove several properties about strip-rule
patterns, the most important of which is that any 2 × 2 or3× 3 sub-array must have a monochromatic row or column.Definition 4. A forbidden rectangle is a minimal subpattern
containing either a 2×2 or 3×3 subarray with no monochro-matic rows or columns.
Any pattern that includes a forbidden rectangle is not a
strip-rule pattern.
We now define the class of strip solver compression algo-
rithms.
Definition 5. A strip solver is a compressor that on an m×n strip-rule pattern always returns a rule list with at mostk(m+ n) rules for some constant k.
-
10
Fig. 5. A forbidden rectangle
On other m × n patterns, a strip solver may either returnsuch a rule list or it may fail. Any compressor that completes
on all values and satisfies the bounds on strip rule patterns can
be turned into a strip solver by checking to see if the limit was
met and failing if it does not.
Theorem 7. Range Diplomat with the rotational greedy sched-
uler is a strip solver compressor with k = 1.
Proof: Let P be an arbitrary strip-rule pattern. We provethis by induction on m+n, the sum of the number of rows andcolumns in P . If m+ n ≤ 1, then we have the empty patternwhich Diplomat solves optimally with 0 rules. If m+ n = 2,then we have a pattern with 1 row and 1 column which means
it is a single cell which Diplomat again solves optimally with
1 rule. If m + n = 3, then we have a pattern with either 1row and 2 columns or 2 rows and 1 column which Diplomat
solves optimally using 2 rules.
Now consider m + n ≥ 4 and assume the inductivehypothesis holds for all patterns where the sum of the rows
and columns is strictly smaller than m + n. Since P is astrip-rule pattern, there must exist a monochromatic row or
column in P . Without loss of generality, assume there exists amonochromatic row R∗. This row can be merged with eitherof its neighbors at cost 1 by coloring R∗ with a single rule.Thus, Diplomat with the rotational greedy scheduler must
incur a cost of exactly one when merging the first two rows
or columns. Without loss of generality, we assume Diplomat
merges rows Rt and Rb.We now argue that P ′, the resulting pattern of merging
Rt and Rb, is still a strip-rule pattern. Assume otherwisefor contradiction. This implies that the row created by the
merge is part of a forbidden rectangle. However, since only
a single rule is placed in one of the rows, the merged row
must be identical to the other row. This implies that the
forbidden rectangle already exists in the original pattern P ,a contradiction. Thus, P ′ is a strip rule pattern where the sumof the rows and columns is at most m + n − 1. Thus, bythe inductive hypothesis, Diplomat with the rotational greedy
scheduler solves P ′ with at most m+n− 1 rules. Combiningthis with the one rule used to merge Rt and Rb, we see thatDiplomat with the rotational greedy scheduler colors P withat most m+ n rules and the inductive case is complete.
We now define the class of iterated strip solver algorithms
using ideas from Applegate et al. Iterated strip solver al-
gorithms can be applied to arbitrary 2-dimensional patterns
P . The first step is to partition P as follows. Let P be a2h × 2w pattern for integers h and w and assume withoutloss of generality that w ≥ h; we pad P with empty rowsand columns as needed if they are not powers of 2. For each
integer q ∈ [1, w], do the following. Partition P into vertical
sections of width 2q . Partition each section into a sequence ofdisjoint blocks B1, B2, . . . , where each block Bi is a maximalheight subpattern using the full width of the section in which
the strip solver returns a value. Apply a strip solver to each
block. For each value of q, form a solution by taking theunion of solutions for each block defined by q. Because theblocks are disjoint, the solutions for each block are completely
independent. The final solution is the best of the w differentsolutions for each width 2q.
Applegate et al. prove the following result.
Lemma 1. Suppose there are r disjoint forbidden rectanglesin a 2-dimensional pattern P . Then OPT (P ) ≥ r/4.
Proof: Applegate et al. give a proof for this in [2].
The intuition is that the first rule to include any corner of
a forbidden rectangle must itself have a corner within that
forbidden rectangle.
We now prove an approximation bound for any iterated strip
solver algorithm.
Theorem 8. For any two-dimensional pattern P ,any iterated strip solver with constant k is aO(min(k2/3n1/3, kOPT 1/2))-approximation algorithm.
Proof: For a given value of q, there is a total of b+2w−q
blocks where b ≥ 0. The first 2w−q blocks must exist sinceeach vertical section has at least one block. Additional blocks
are added each time the strip solver cannot add another row in
the current section. For any pair of vertically adjacent blocks,
there must be at least one forbidden rectangle or else the two
blocks would together be a strip rule pattern. While some of
the forbidden rectangles may overlap, if two pairs are disjoint,
then their forbidden rectangles must also be disjoint. Thus,
there are at least b/2 disjoint forbidden rectangles. This leadsto three lower bounds on OPT: b/8, 2w and 2h.
For a given value of q, an upper bound on the cost of theiterated strip solver solution is given as follows:
TotalCost = k∑
Bi(Width(Bi) +Height(Bi))
= k∑
BiWidth(Bi) + k
∑Bi
Height(Bi)
= k(b+ 2w−q)2q + k(2w−q2h)= k(b2q + 2w + 2w−q+h)≤ k(8OPT 2q +OPT +OPT 2/2q)
We choose the value of q that minimizes the above ex-pression. If we choose q so that 2q =
√OPT we get
Cost ≤ k(OPT + 9OPT 3/2) = O(kOPT 3/2) leading toan O(k
√OPT )-approximation. While we cannot know q a
priori, by selecting multiple different q we can guarantee that2q−1 <
√OPT ≤ 2q for some q.
We can choose to use L if it is better than the classi-fier generated above. This means |L| ≤ kOPT 3/2 whichmeans OPT ≥ (|L|/k)2/3 = (n/k)2/3 which leads to|L|/OPT ≤ k2/3n1/3. Further, the two bounds are equal ifOPT = (n/k)2/3 and the result follows.
Corollary 1. For any two-dimensional pattern P , range-Diplomat with the rotational greedy scheduler is a
O(min(n1/3, OPT 1/2))-approximation algorithm.
-
11
Proof: The result follows immediately from Theorem 7
and Theorem 8.
For prefix-ACLs, we present these modifications to the
iterated strip solver algorithm. We divide the effective grid into
2w−q columns of width 2q as we did for the range version.We then divide these columns into vertical sections so that
each section can be represented by a prefix. We then apply
a prefix strip solver to each section. If the strip solver does
not return on a section, we divide it into blocks, each half the
height of the pattern and repeat until it returns on each block.
The solution is again the union of the result on each block.
Theorem 9. For any two-dimensional pattern P , any iteratedprefix strip solver is a O(min(k2/3w2/3n1/3, kw
√OPT ))-
approximation algorithm.
Proof: The 2w−q columns created by the initial parti-tioning may require O(w2w−q) prefix-columns to represent.We also assume that another b blocks are added becausesome blocks are not solvable by the strip-solver. This gives
O(w2w−q + b) blocks. As before, we note a relation betweenthe number of added blocks and the number of forbidden
rectangles. This time, a single forbidden rectangle can force
up to w additional blocks to be added. This is because wedivide the block in half and the forbidden rectangle can remain
entirely within one sub-block, but no block can be divided
more than w times. Thus, there are at least b/w forbiddenrectangles.
TotalCost = k∑
Bi(Width(Bi) +Height(Bi))
= k∑
BiWidth(Bi) + k
∑Bi
Height(Bi)= k(b+ w2q)m2q + kn(w2
q)= kmw + kmb2q + knw2
q
≤ kwOPT + 8kwOPT 22q + kwOPT 2q
Again, we let 2q =√OPT and we find that
Cost = O(kwOPT 3/2)). The result is a O(kw√OPT ))-
approximation. If OPT ≥ ( nkw )2/3 then we have n/OPT ≤k2/3w2/3n1/3. Again, these are equal in the event that OPT =( nkw )
2/3. This gives us the final approximation bounds of
O(min(k2/3w2/3n1/3, kwOPT 1/2)).We now place a bound on k for prefix Diplomat to get our
approximation bounds.
Theorem 10. Given a 2w × 2h strip rule pattern with aneffective grid of size m × n with 1 ≤ m ≤ 2w, 1 ≤ n ≤ 2hand w ≥ h, prefix Diplomat with a rotational greedy scheduleand optimal in-row resolver requires at most 2w(m+n) rules.
Proof: We prove this by induction on q = m + n. As abase case, if either m = 1 or n = 1, then the single row orcolumn can be filled with at most w rules per cell. This costseither wm or wn rules.
Now assume that this is true for all smaller q. Since P isa strip-rule pattern, there must exist a monochromatic row or
column in the effective grid. Assume for generality that it is a
row. Diplomat could use at most 2w− 2 rules to describe thisrow. If it chooses otherwise, it must pick another row which
costs less to remove. Since we are using an in-plane resolver,
the resulting pattern must only contain rows in the original
pattern. Thus the subgrids of P ′ are a subset of those in P . Assuch, there can be no forbidden rectangles and P ′ is also a striprule pattern. The total cost then is at most 2w(q−1)+2w−2 =2w(n+m)− 2 ≤ 2w(n+m).Corollary 2. Prefix-Diplomat with the rotational
greedy scheduler and optimal in-plane resolver is a
O(min(w4/3n1/3, w2OPT 1/2))-approximation algorithm.
Proof. This follows directly from Theorems 9 and 10.
This is a little smaller than the original bounds of
O(w2 min(n1/3, OPT 1/2)) presented in [2]. The same ap-proximation bounds can be achieved by using their maximal
pick-up sticks algorithm as the strip solver for our revised
iterated strip solver algorithm.
C. Comparison with Firewall Compressor, TCAM Razor and
ACL Compressor
We now show that on two-dimensional patterns, Diplomat
with a dynamic programming scheduler produces a smaller
rule list than Firewall Compressor, TCAM Razor and ACL
Compressor.
Theorem 11. Given some two-dimensional pattern P , let Dbe the rule list produced by range-Diplomat with a dynamic
programming scheduler and F be the rule list produced byFirewall Compressor. Then for all P , we have |D| ≤ |F |.
Proof: We prove this by induction on the number of rows
m in P . As a base case where m = 1, a 1 × n pattern takesthe same number of rules for both Diplomat and Firewall
Compressor as both use an optimal one-dimensional solver.
We now consider patterns P with m ≥ 2. Both Diplomat andFirewall Compressor eliminate one row from P to create anm − 1 row pattern. Let R∗ be the row removed by FirewallCompressor with cost k and P ′ be the resulting m − 1row pattern. The key observation is that Diplomat considers
removing all rows including R∗; more precisely, Diplomatconsiders merging R∗ with each of its neighboring rows usingrules that only color R∗. When Diplomat considers removingrow R∗, its cost c for doing so is at most k because one optionthat Diplomat considers is coloring all of R∗. Furthermore,because Diplomat uses an in-plane resolver, the resulting m−1row pattern is also P ′. By our inductive hypothesis, Diplomatwill color P ′ with smaller total cost than Firewall Compressorwill color P ′. Thus, one choice for Diplomat with dynamicprogramming has cost no more than Firewall Compressor’s
cost. Since Diplomat chooses the lowest cost solution, the
result follows.
Theorem 12. Given some two-dimensional pattern P , let Dbe the rule list produced by prefix-Diplomat with a dynamic
programming scheduler and R be the rule list produced byTCAM Razor. Then for all P , we have |D| ≤ |R|.
Proof: This proof uses the same basic ideas as the proof
of Theorem 11. Diplomat considers removing rows in the same
order that TCAM Razor does, and a merge never costs more
rules than solving a row. This places an upper bound on |D|to be |R| and the result follows.
-
12
Theorem 13. Given some two-dimensional pattern P , let Dbe the rule list produced by mixed-Diplomat with a dynamic
programming sheduler and A be the rule list produced by ACLCompressor. Then for all P , we have |D| ≤ |A|.
Proof: This proof is essentially the same as for Theorems
11 and 12. As before, Diplomat considers the same order
to remove rows as ACL Compressor does, and merging
rows never costs more than solving a row. Thus, this choice
for Diplomat is no worse than ACL Compressor and since
Diplomat takes the best possible option the result follows.
Theorems 11, 12, and 13 do not necessarily hold when we
include redundancy removal and other post-processing steps.
For example, while Theorem 11 guarantees that Diplomat
with a dynamic programming scheduler will produce a range-
ACL with no more rules than Firewall Compressor before
performing redundancy removal, no such guarantee can be
made after performing redundancy removal. In our experi-
ments, we observe that Firewall Compressor, TCAM Razor
and ACL Compressor rarely but occasionally do outperform
Diplomat with a dynamic programming scheduler due to this
phenomenon.
D. Runtime Efficiency
We compute the worst-case runtime of the Diplomat algo-
rithm with a dynamic programming scheduler and in-plane
resolvers given a d-dimensional classifier with d ≥ 2. Weassume each field has size n. We analyze the algorithm inthree steps: computing the child merges, finding an optimal
schedule, and solving the final plane.
There are O(n) possible planes. We compute a solution foreach plane as part of the merge process which only needs
to be done once per plane, not per merge. The total runtime
will then be at least O(n) times the runtime for a lower-dimensional solution. Range and prefix Diplomat will have
different solutions, covered later.
There are O(n2) pairs of planes to try merging together.When d = 2, the planes are rows and are a special casefor both range and prefix Diplomat. When d > 2, thisrequires clipping one of the sub-solutions against a bounding
box. Finding a minimum bounding box requires finding all
of the differences between two planes. This can be done
in O(nd−1) time [9]. Afterwards, it takes O(dn) time tocalculate the boundary and O(dn) time to clip the lowerdimensional solution against the box. Altogether, each merge
takes O(nd−1) time, so all merges take O(nd+1) time.The runtime of the scheduler is not dependent on the number
of dimensions. Thus, the total runtime is O(nd+1) plus O(n)times the runtime of a lower-dimensional solution.
1) Range Diplomat: We now find the merge cost for range
Diplomat when d = 2. For each row, we must make a callto Firewall Compressor, which takes O(n3) time (for O(n4)time total) [11]. This will be used as part of the computation
for each merge. Each merge requires determining which other
subsolution works best for each right end point. Since there
are O(n) choices, O(n) end points, and O(n2) merges, thetotal merge cost is O(n4).
We now derive the time required to compute the optimal
schedule. We have n3 subproblems of the form (i, j, k) where
we merge rows from i to j and k is the original row thatremains. There must have been a final merge that produced
(i, j, k). There are O(n) choices for the partition point thatdefines this last merge. One half will include row k. For theother half, we have O(n) choices for the original row thatremains. Thus, it takes O(n2) time to compute the optimalschedule for (i, j, k). Altogether, this leads to O(n5) time tocompute the optimal schedule for our original problem. This
sets the overall runtime to be O(n5) when d = 2.For range Diplomat, the total runtime when d = 2 is
O(n5) = O(nd+3). By induction, the runtime for rangeDiplomat with d ≥ 2 is O(nd+3). This is slightly worsethan Firewall Compressor which requires O(nd+2) time in theworst case.
2) Prefix Diplomat: For prefix Diplomat with d = 2,we make a single call to Suri’s algorithm for each row.
Each call takes O(kw2n) time (or O(kw2n2) total) where kis the number of colors [18]. Each merge contains O(wn)subproblems: for prefix p, is it better to use Suri’s partialsolution for p or to join the solutions for subproblems p0 andp1? Deciding each subproblem takes a constant amount oftime. Thus each merge takes O(wn) time or O(wn3) time tocompute the cost of all possible merges.
For the dynamic prefix scheduler, we have O(wn2) sub-problems of the form (p, k) where we merge prefixes p0 andp1 and row k remains. Unlike the range version, there is onlyone possible partition point. Again, one half will contain row
k. There are then O(n) options for the original row remainingin the other half. Altogether, this leads to O(wn3) time tocompute the optimal schedule.
For d = 2, the overall cost is O(kw2n2 + wn3) whichis approximately O(wn3) when k ≪ n. By induction, theruntime of prefix Diplomat with d ≥ 2 is O(wnd+1) in theworst case. This is slightly worse than TCAM Razor which
requires O(kw2nd) time in the worst case.
VI. EXPERIMENTAL RESULTS
In this section we evaluate the effectiveness of Diplomat on
real-life classifiers. Specifically, we assess how much Diplomat
improves over Firewall Compressor [11], TCAM Razor [15],
and ACL compressor [13], the current state of the art algo-
rithms for range-, prefix-, and mixed-ACL compression. For
Diplomat, we use the dynamic programming scheduler (using
the solve-then-clip variant) and in-plane resolver appropriate
to the problem. We label the different applications RDip for
range-ACL compression, PDip for prefix-ACL compression,
and MDip for mixed-ACL compression. We do not report
results using a greedy scheduler (or consequently the general
resolver) since this was determined experimentally to always
be worse than the dynamic programming scheduler.
A. Methodology
All Diplomat variants, Firewall Compressor (FC), Razor,
and ACL Compressor (AC) are sensitive to the ordering of the
five packet fields (source IP address, destination IP address,
source port, destination port, and protocol). We run these
algorithms using each of the 5! = 120 different permutationsacross all of the fields and use the best of the 120 results
-
13
for each classifier. We also use redundancy removal [8] as a
post-processing step.
We now define the metrics for measuring the effectiveness
of our Diplomat variants. Let f and g denote compressors andL denote a classifier. Let f(L) denote the resulting rule listobtained by applying compressor f to L, and |L| is the numberof rules in L. The compression ratio of f on L is |f(L)||L| , and
the improvement ratio of f over g on L is |g(L)|−|f(L)||g(L)| . Inour results, we focus on the mean compression ratio and mean
improvement ratio given a set of classifiers S. It is desirableto have a low compression ratio and a high improvement ratio.
We assess the performance of our algorithms using a set of
40 real-life classifiers which we first preprocess by removing
redundant rules. Most of them have five fields (source and
destination address, source and destination port, and protocol)
although some only use a subset of these. We divide this set
into three smaller sets based on the number of rules after
running redundancy removal. The small set contains the 17
smallest classifiers, the middle set contains the next 12 larger
classifiers, and the large set contains the 11 largest classifiers.
The classifiers in the large set all have at least 600 rules after
redundancy removal, with the largest having more than 7600
rules. For range and prefix tests, we treat all of the fields as
ranges or prefixes, respectfully. For mixed tests, we treat the
port fields as ranges and the other fields as prefixes.
In general, larger classifiers also have larger effective grids.
Not all of the fields strictly increase as the list size goes up.
In particular, the protocol field only uses a few distinct values
across all classifiers, usually 6 (TCP) and 17 (UDP). As such,
the smallest dimension size is at most 9 for all classifiers. The
range of the largest dimension size for each set can be seen
in Table I.
TABLE ISIZE OF LARGEST DIMENSION
Min Median Max
Small 5 14 37Medium 24 66 139
Large 55 506 1805
B. Compression Results
Our results show that (i) RDip, PDip, and MDip outperform
Firewall Compressor, Razor, and ACL Compressor, respec-
tively, and that (ii) the performance gap between Diplomat
and its competitors increases as the classifiers grow in size and
complexity. Diplomat’s superior performance manifests itself
in two ways. First, as classifiers grow in size and complexity
from small to medium to large, the percentage of classifiers
where Diplomat outperforms its competitors increases (Figure
9). For range classifiers it increases from 5.9% for the small
classifiers to 58.3% for the medium classifiers to 100% for
the large classifiers. Second, again as classifiers grow in size
and complexity, Diplomat’s average improvement ratio grows
(Figure 10). For range Diplomat, it increases from 0.6% for
the small classifiers to 14.4% for the medium classifiers to
34.9% for the large classifiers over Firewall Compressor.
It is especially encouraging that Diplomat performs best
on the large classifier set as the large classifiers are the ones
that most accurately represent the complex classifiers we are
likely to encounter in the future and which most need new
compression techniques. More specifically, we hypothesize
that for the small classifiers, there is relatively little room for
optimization and all the methods are finding optimal or near
optimal classifiers. However, as the classifiers increase in size
and complexity, Diplomat is able to find new compression
opportunities missed by the earlier methods. More detailed
compression ratio results for RDip, PDip and MDip are shown
in Figures 6, 7, and 8, respectively.
C. Efficiency
We implemented our algorithms using a combination of
C# and VB.Net. Tests were performed on a Xeon E5620
processor at 2.4 GHz running Red Hat Enterprise Linux 6.1
and Mono 2.10.8. We report the time for the best permutation
for each method.
Diplomat does require significantly more time to compress
a classifier than both Firewall Compressor and Razor as can be
seen in Figure 11. This is because Diplomat does explore more
possibilities when compressing classifiers. RDip is slower
than PDip because there are more possible cases to consider
when any range can be used as opposed to fixed prefixes. In
future work, we hope to find ways to maintain Diplomat’s
compression advantage while reducing its running time.
VII. CONCLUSIONS
In this paper, we presented Diplomat, an algorithm for
compressing ACLs. We first presented the general framework
and then presented concrete algorithms for implementing this
framework. In particular, we presented a greedy scheduler
that has guaranteed approximation bounds and a dynamic
programming scheduler that performs well in practice. We
implemented Diplomat and conducted side-by-side compar-
ison with the prior Firewall Compressor, Razor, and ACL
Compressor algorithms on real life classifiers. The experimen-
tal results show that Diplomat outperforms them most of the
time, often by a considerable margin. In particular, on our
largest ACLs, Diplomat has an average improvement ratio of
34.9% over Firewall Compressor on range-ACLs, 14.1% over
Razor on prefix-ACLs, and 8.9% over ACL Compressor on
mixed-ACLs. Furthermore, we generalized the Iterated Strip
Rule algorithm in [2] and used it to create a larger class of
algorithms that achieve the same approximation bounds. We
showed that Diplomat with a greedy scheduler is a member
of this class.
ACKNOWLEDGEMENTS
This work is supported by the National Science Foundation
under Grant Numbers CNS-0916044, CNS-1017588, CNS-
1017598, and CCF-1347953, and the National Natural Sci-
ence Foundation of China under Grant Numbers 61472184,
61321491, and 61272546. We thank the anonymous referees
for their constructive comments.
REFERENCES
[1] Topcoder statistics. http://community.topcoder.com/tc?module=Static&d1=match editorials&d2=srm150. Accessed 27/7/2012.
-
14
Small Medium
Large
All
Classifier Size
0
10
20
30
40
50
60
70
80
Compression Ratio (%)
FC
DDip
Fig. 6. Compression ratios on range classifiers
Small Medium
Large
All
Classifier Size
0
10
20
30
40
50
60
70
80
Compression Ratio(%)
Razor
PDip
Fig. 7. Compression ratios on prefix classifiers
Small Medium
Large
All
Classifier Size
0
10
20
30
40
50
60
70
80
Compression Ratio (%)
AC
MDip
Fig. 8. Compression ratios on mixed classifiers
Small Medium
Large
All
Classifier Size
0
20
40
60
80
100
Classifiers Improved (%)
GDip vs FC
DDip vs FC
PDip vs Razor
MDip vs AC
Fig. 9. Percentages of ACLs that Diplomat out-performs previous methods on
Small Medium
Large
All
Classifier Size
0
5
10
15
20
25
30
35
Improvement Ratio (%)
GDip vs FC
DDip vs FC
PDip vs Razor
MDip vs AC
Fig. 10. Mean improvement ratios
Classifier
10
0
10
1
10
2
10
3
10
4
10
5
Time (s)
FC
RDip
Razor
PDip
Fig. 11. Runtime of each algorithm on the 8 largestclassifiers
[2] David A. Applegate, Gruia Calinescu, David S. Johnson, HowardKarloff, Katrina Ligett, and Jia Wang. Compressing rectilinear picturesand minimizing access control lists. In Proceedings of the ACM-SIAMSymposium on Discrete Algorithms (SODA), January 2007.
[3] P. Berman and B. DasGupta. Complexities of efficient solutions ofrectilinear polygon cover problems. Algorithmica, 17:331–356, 1997.
[4] Richard Draves, Christopher King, Srinivasan Venkatachary, and BrianZill. Constructing optimal IP routing tables. In Proceedings of the IEEEINFOCOM, pages 88–97, 1999.
[5] Kirill Kogan, Sergey Nikolenko, William Culhane, Patrick Eugster, andEddie Ruan. Towards efficient implementation of packet classifiers insdn/openflow. In Proceedings of the Second ACM SIGCOMM Workshopon Hot Topics in Software Defined Networking, HotSDN ’13, pages 153–154, New York, NY, USA, 2013. ACM.
[6] V. S. Anil Kumar and H. Ramesh. Covering rectilinear polygons withaxis-parallel rectangles. In Proceedings of the ACM Symposium onTheory of Computing (STOC), pages 445–454, 1999.
[7] Alex X. Liu and Mohamed G. Gouda. Diverse firewall design. InProceedings of the International Conference on Dependable Systems
and Networks (DSN-04), pages 595–604, June 2004.
[8] Alex X. Liu and Mohamed G. Gouda. Complete redundancy detectionin firewalls. In Proceedings of the 19th Annual IFIP Conference onData and Applications Security, LNCS 3654, pages 196–209, August2005.
[9] Alex X. Liu and Mohamed G. Gouda. Diverse firewall design. IEEETransactions on Parallel and Distributed Systems, 19:1237–1251, 2008.
[10] Alex X. Liu, Chad R. Meiners, and Eric Torng. TCAM Razor: Asystematic approach towards minimizing packet classifiers in TCAMs.IEEE/ACM Transactions on Networking, 18(2):490–500, 2010.
[11] Alex X. Liu, Eric Torng, and Chad Meiners. Firewall compressor:An algorithm for minimizing firewall policies. In Proceedings of the27th Annual IEEE Conference on Computer Communications (Infocom),Phoenix, Arizona, April 2008.
[12] Alex X. Liu, Eric Torng, and Chad R. Meiners. Compressing networkaccess control lists. IEEE Transactions on Parallel and DistributedSystems, 22(12):1969 – 1977, December 2011.
[13] Alex X. Liu, Eric Torng, and Chad R. Meiners. Compressing networkaccess control lists. IEEE Transactions on Parallel and DistributedSystems, 22:1969–1977, 2011.
[14] W. J. Masek. Some NP-complete set covering problems. 1978.
[15] h̃ttp://razor.sourceforge.net/ Razor. Date of access: February 7, 2005.
[16] Yu-Wei Eric Sung, Xin Sun, Sanjay G. Rao, Geoffrey G. Xie, and
David A. Maltz. Towards systematic design of enterprise networks.IEEE/ACM Trans. Netw., 19(3):695–708, June 2011.
[17] Subhash Suri, Tuomas Sandholm, and Priyank Warkhede. Compressingtwo-dimensional routing tables. Algorithmica, 35:287–300, 2003.
[18] Subhash Suri, Tuomas Sandholm, and Priyank Ramesh Warkhede.Compressing two-dimensional routing tables. Algorithmica, 35(4):287–300, 2003.
[19] Minlan Yu, Jennifer Rexford, Michael J. Freedman, and Jia Wang.Scalable flow-based networking with difane. In Proceedings of theSIGCOMM, 2010.
James Daly received his B.S. degree in Engineer-ing and Computer Science from Hope College in2008. He is currently a Ph.D. candidate in computerscience at Michigan State University. His researchinterests are algorithms, networking, and security.
Alex X. Liu received his Ph.D. degree in computerscience from the University of Texas at Austin in2006. He received the IEEE & IFIP William C.Carter Award in 2004 and an NSF CAREER awardin 2009. He received the Withrow DistinguishedScholar Award in 2011 at Michigan State University.He is an Associate Editor of IEEE/ACM Transac-tions on Networking. He received Best Paper Awardsfrom ICNP-2012, SRDS-2012, and LISA-2010. Heis the TPC Co-Chair of ICNP 2014. His researchinterests focus on networking and security.
Eric Torng received his Ph.D. degree in computerscience from Stanford University in 1994. He is cur-rently an associate professor and graduate directorin the Department of Computer Science and Engi-neering at Michigan State University. He received anNSF CAREER award in 1997. His research interestsinclude algorithms, scheduling, and networking.