How to implement complex policies on existing
network infrastructure
Pavel Chuprikov Kirill Kogan Sergey Nikolenko
Ajay Kharat (2019H1030011G)
BITS - Pilani
Motivation
• Networks have grown complex and require several features such as
VPN, firewall, intrusion detection, etc.
• A network-wide policy cannot be defined on a single switch (approximately
750 entries per table); it requires too much memory and
computation
• Need to split policy into several switches
Problem Statement
• To find scalable and manageable methods to support these
complexities without upgrading the capabilities of individual network
elements
• Splitting a policy over several switches while minimizing the individual flow-
table size in each switch is an intractable optimization problem
• Earlier proposed solutions suffer from three problems:
1. very high computation cost
2. the resulting number of table sizes can grow exponentially
3. dynamic header fields cannot be handled
Approach and Solution
• Model description:
1. Packet header H = (h1, h2, ..., hw), a sequence of bits 0 or 1
2. Classifier K = {R1, R2, ..., Rn}, a set of rules with a total
ordering (priority)
3. Rule Ri = (Fi, Ai), a filter Fi and a pointer to an action Ai
4. Filter F = (f1, f2, ..., fw), a sequence over 0, 1 and * (don’t care),
one symbol per header bit
Approach and Solution
• A classifier’s main purpose is to find the action corresponding to the
highest priority rule that matches a given header
• Two classifiers K1 and K2 are equivalent if they choose the same actions
for every possible incoming packet
• If the individual capacities of the switches add up to at least the total number of
rules in the classifier, then the solution works,
i.e. ∑ ci ≥ |K|
Approach and Solution
• We simply put the first c1 rules on the first switch, then the next c2 rules on
the next switch, and so on until all the rules in K are covered
• The approach uses a “matched” bit. This bit ensures that the header is
matched against the rules only once across all the switches
Algorithm followed
• Runs in linear time,
i.e. O(|K|)
Example
Original classifier K:

K     #1  #2  #3  #4   Action
R1    *   *   1   0    A1
R2    1   0   *   *    A2
R3    0   0   *   *    A3
R4    *   *   1   1    A4

K1 (first switch, capacity 3):

K1    #1  #2  #3  #4   Action
R1    *   *   1   0    A1, matched = 1
R2    1   0   *   *    A2, matched = 1
R3    0   0   *   *    A3, matched = 1

K2 (second switch, capacity 1; rules apply only if matched == 0):

K2    #1  #2  #3  #4   Action
R4    *   *   1   1    A4, matched = 1
Algorithm OneBit(K, <, c1, c2, …, cl)
1. Initialize K1, K2, …, Kl to empty classifiers
2. for i in 1, 2, …, l do
3.     Let R be the ci highest-priority rules of K
4.     for (F, A) ∈ sorted(R, <) do
5.         Append (F, [A, matched ← 1]) to Ki
6.     if i = 1 then
7.         Set the default action of Ki to matched ← 0
8.     else
9.         Make Ki conditioned on matched = 1
10.    Remove R from K
11. return K1, K2, …, Kl
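The following Python program is an added worked example (written for these notes, not code from the paper or the slides). It builds the four-rule classifier K from the example slide, splits it with the OneBit procedure above, and then exhaustively checks that forwarding every possible 4-bit header through the chain of switches yields the same action as the single big classifier. The "conditioned on matched" step is implemented, as the example slide shows for K2, by a top-priority pass-through entry that fires when matched == 1; that reading, and the naive_pipeline used as a contrast, are this example's own assumptions.

```python
from itertools import product

# Constructed input: the four-rule classifier from the slides (highest priority first).
# A filter is a string over {0, 1, *}; an action is just a label.
K = [("**10", "A1"), ("10**", "A2"), ("00**", "A3"), ("**11", "A4")]
W = 4  # header width in bits


def matches(flt, header):
    """Ternary match: every filter symbol is '*' or equals the header bit."""
    return all(f == "*" or f == h for f, h in zip(flt, header))


def classify(K, header):
    """Reference semantics: action of the highest-priority matching rule, None if none matches."""
    for flt, action in K:
        if matches(flt, header):
            return action
    return None


def one_bit(K, capacities):
    """OneBit split (this example's reading of the slide pseudocode, not the paper's code).
    Returns one table per switch. Each entry is
    ((header_filter, matched_filter), (action, set_matched)), ordered by priority;
    the last entry of every table is the default rule (matches everything)."""
    if sum(capacities) < len(K):
        raise ValueError("sum of capacities must be >= |K|")
    remaining = list(K)
    tables = []
    for i, c in enumerate(capacities):
        chunk, remaining = remaining[:c], remaining[c:]
        table = []
        if i > 0:
            # Later switches must not re-match a header an earlier switch already matched:
            # top-priority pass-through when matched == 1 (the slide's K2 applies only
            # "if matched == 0"). Assumed implementation of "conditioned on matched".
            table.append((("*" * W, "1"), (None, None)))
        for flt, action in chunk:
            # Every copied rule also sets matched <- 1.
            table.append(((flt, "*"), (action, 1)))
        # First switch's default action initialises matched <- 0; later switches just forward.
        table.append((("*" * W, "*"), (None, 0 if i == 0 else None)))
        tables.append(table)
    return tables


def run_pipeline(tables, header, matched="1"):
    """Forward a packet through the switches in order; the matched bit rides in the header.
    The initial matched value is arbitrary (it is a reused header bit), so both are tested."""
    action = None
    for table in tables:
        for (hf, mf), (act, set_m) in table:
            if matches(hf, header) and matches(mf, matched):
                if act is not None:
                    action = act
                if set_m is not None:
                    matched = str(set_m)
                break  # first (highest-priority) match in this switch wins
    return action


def naive_pipeline(tables, header):
    """Same split but ignoring the matched bit: each switch matches independently,
    so a later switch holding lower-priority rules can override an earlier match."""
    action = None
    for table in tables:
        for (hf, _), (act, _) in table:
            if act is not None and matches(hf, header):
                action = act
                break
    return action


def equivalent(K, capacities, use_matched_bit=True):
    """Exhaustively compare the split against K for every header and initial matched value."""
    tables = one_bit(K, capacities)
    for bits in product("01", repeat=W):
        header = "".join(bits)
        for m0 in "01":
            got = run_pipeline(tables, header, m0) if use_matched_bit else naive_pipeline(tables, header)
            if got != classify(K, header):
                return False
    return True


def first_counterexample(K, capacities):
    """First header on which the naive split (no matched bit) disagrees with K, or None."""
    tables = one_bit(K, capacities)
    for bits in product("01", repeat=W):
        header = "".join(bits)
        if naive_pipeline(tables, header) != classify(K, header):
            return header, naive_pipeline(tables, header), classify(K, header)
    return None


if __name__ == "__main__":
    print("OneBit split [3, 1] equivalent:", equivalent(K, [3, 1]))
    print("OneBit split [2, 1, 1] equivalent:", equivalent(K, [2, 1, 1]))
    print("naive split counterexample (header, naive, K):", first_counterexample(K, [3, 1]))
```

The exhaustive check is what "equivalent classifiers" on the earlier slide means in practice; for the naive split the counterexample header 0011 matches R3 on the first switch but is then overridden by R4 on the second, which is exactly the priority inversion the matched bit prevents.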
Evaluation of the solution
Related work
• Palette: Distributing tables in software-defined networks
• Expands each bit of the header one by one.
• Unable to cope with dynamic header changes.
• Optimizing the “one big switch” abstraction in software-defined
networks
• Uses the header-space and overlapping technique.
• Unable to cope with dynamic header changes.