Journal: International Journal of Computer Science & Technology
Print ISSN: 2229-4333
Electronic ISSN: 0976-8491
Year: 2012
Volume: 3
Issue: 2
Pages: 673-678
Language: English
Publisher: Ayushmaan Technologies
Abstract: We have seen that the GEM algorithm is an efficient and practical algorithm for firewall packet matching. We implemented it successfully in the Linux kernel, and tested its packet-matching speeds on live traffic with realistic large releases. GEM’s matching speed is far better than the naive linear search, and it is able to increase the throughput of iptables by an order of magnitude. On rule-bases generated according to realistic statistics, GEM’s space complexity is well within the capabilities of modern hardware. Thus we believe that GEM may be a good candidate for use in firewall matching engines. We note that there are other algorithms that may well be candidates for software implementation in the kernel. We believe it should be quite interesting to implement all of these algorithms and to test them on equal footing, using the same hardware, rule-bases, and traffic load. Furthermore, it would be interesting to do this comparison with real rule-bases, in addition to synthetic Perimeter-model rules. We leave such a “bake-off” for future work. As for GEM itself, we would like to explore the algorithm’s behavior when using more than 4 fields, e.g., matching on the TCP flags, meta data, interfaces, etc. The main questions are: How best to encode the non-range fields? Will the space complexity still stay close to linear? What will be the best order of fields to achieve the best space complexity? Another direction to pursue is how GEM would perform with IPv6, in which IP addresses have 128 bits.