Conference: 2011 IEEE Students' Technology Symposium

Design and implementation of packet filter firewall using Binary Decision Diagram


Abstract

Packet filtering is one of the major contemporary firewall design techniques. An important design goal is to arrive at the decision at the packet only. Implementing such a packet filter using a Binary Decision Diagram (BDD) offers advantages in terms of memory usage and lookup time. In a list-based packet filter firewall, where rules are checked one by one for each incoming packet, the time taken to decide on a packet is proportional to the number of rules. Performance improves with rule promotion, but that is itself a slow procedure. In this work we present a BDD-based approach which gives much better results in terms of the number of comparisons or accesses made to the rule list. Results on 1 million packets show that for most-accept packets, on average, a 75% reduction in such comparisons occurs when the BDD-based approach is used instead of the list-based approach with promotion. For most-reject packets this reduction is nearly 34%.
