IP Packing Technique for High-speed Firewall Rule Verification

A network bottleneck is often caused by firewalls installed between network gateways. As a result, the overall performance of networks is significantly dropped. The following solution to resolve such the problem can be achieved by increasing the speed of firewall rule verification. Nowadays, there is an open-source matching framework which is the fastest of rule verification, namely IPSets. It can verify a number of firewall rules against huge packets with O(1) worst case access time. However, IPSets still displays several drawbacks of usability such as rule management, subnet IP address, rule conflicts, and memory usage. This paper proposes a novel firewall structure that can resolve all drawbacks of IPSets, and obtains the optimal speed of firewall rule verification at O(1) of access time, called IPack. According to IPack implementation, the paper applies the sparse matrix to be data structures to maintain firewall rules, the Path Selection Diagram (PSD) to eliminate rule conflicts and IP packing technique to reduce the size of memory space. The experimental results show that IPSets drawbacks can be solved by IPack. Especially, the size of memory space is reduced from O(2(n)) to be O(n) with the same optimal access time and the speed of IPack is still equal to IPSets.