Title: Managing hybrid packet filter's specifications

Authors: Nizar Ben Neji; Adel Bouhoula

Addresses: Higher School of Communications of Tunis (Sup'Com), University of Carthage, City of Communications Technologies, 2083, Ariana, Tunisia; Higher School of Communications of Tunis (Sup'Com), University of Carthage, City of Communications Technologies, 2083, Ariana, Tunisia

Abstract: The coexistence of range-based and prefix-based fields within the filtering policy is one of the most important causes that make the packet filtering problem difficult to solve and the proposed hybrid solutions hard to implement. Packet filters must support rule sets involving any type of condition and must scale with the number of rules, the number of fields, and the field sizes in order to avoid being outdated by future internet developments. Since the prefix-based solutions are the most efficient, we try to efficiently incorporate ranges in such data structures using the new concept of signed prefixes, which helps to guarantee homogeneity when matching on multiple packet header fields of distinct types. The proposed two-staged prefix-based model is able to achieve good performance in a practical environment, and it scales well as the filtering list size increases and contains a large variety of range specifications.

Keywords: packet filtering; prefix-based models; range matching; NAF conversion; signed prefixes; packet filters.

DOI: 10.1504/IJSN.2012.050024

International Journal of Security and Networks, 2012 Vol.7 No.2, pp.73 - 82

Published online: 24 Oct 2012