
Real-time optimisation of access control lists for efficient Internet packet filtering

Published in: Journal of Heuristics

Abstract

This paper considers an optimisation problem encountered in the implementation of traffic policies on network routers, namely the ordering of rules in an access control list to minimise or reduce processing time and hence packet latency. The problem is formulated as an objective function with constraints and shown to be NP-complete by translation to a known problem. Exact and heuristic solution methods are introduced, discussed and compared, and computational results are given. The emphasis throughout is on practical implementation of the optimisation process, that is, within the tight constraints of a production network router seeking to reduce latency, on-line, in real-time but without the overhead of significant extra computation.
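The abstract describes the problem in general terms; the following added example (not code from the paper or its authors) makes the formulation concrete under two assumptions: the cost of an ordering is each rule's observed hit count weighted by its position (rules are tested top-down until the first match), and two rules are order-dependent only if a packet can match both and they disagree on the action. The five-rule ACL is constructed for illustration; the script compares the original order, an adjacent-swap heuristic that can only make semantics-preserving moves, and a brute-force exact search.

```python
import itertools
from ipaddress import ip_network

# Constructed example ACL (not from the paper): (name, action, src, dst, observed hits)
ACL = [
    ("r0", "deny",   "10.0.0.0/24",    "0.0.0.0/0",      10),
    ("r1", "permit", "10.0.0.0/16",    "0.0.0.0/0",     300),
    ("r2", "permit", "192.168.1.0/24", "172.16.0.0/12", 500),
    ("r3", "permit", "172.16.5.0/24",  "10.1.0.0/16",   200),
    ("r4", "deny",   "0.0.0.0/0",      "0.0.0.0/0",      50),
]

def dependent(a, b):
    """Rules may not be reordered if some packet matches both and the actions differ."""
    overlap = (ip_network(a[2]).overlaps(ip_network(b[2]))
               and ip_network(a[3]).overlaps(ip_network(b[3])))
    return overlap and a[1] != b[1]

def cost(order, acl=ACL):
    """Expected comparisons per packet: hits weighted by 1-based position in the list."""
    return sum(acl[r][4] * (pos + 1) for pos, r in enumerate(order))

def feasible(order, acl=ACL):
    """Every dependent pair keeps the relative order it had in the original list."""
    pos = {r: p for p, r in enumerate(order)}
    n = len(acl)
    return all(pos[i] < pos[j] for i in range(n) for j in range(i + 1, n)
               if dependent(acl[i], acl[j]))

def exact(acl=ACL):
    """Brute force over feasible permutations; only practical for small lists (n! growth)."""
    return min((o for o in itertools.permutations(range(len(acl))) if feasible(o, acl)),
               key=lambda o: cost(o, acl))

def heuristic(acl=ACL):
    """Adjacent-swap local search: bubble a higher-hit rule above an independent neighbour.
    Swapping only independent adjacent pairs never changes the relative order of any
    dependent pair, so the result is always a feasible (policy-preserving) ordering."""
    order, improved = list(range(len(acl))), True
    while improved:
        improved = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if acl[b][4] > acl[a][4] and not dependent(acl[a], acl[b]):
                order[i], order[i + 1], improved = b, a, True
    return order

if __name__ == "__main__":
    for label, o in (("original", list(range(len(ACL)))), ("heuristic", heuristic()),
                     ("exact", list(exact()))):
        print(f"{label:9s} {[ACL[r][0] for r in o]} cost={cost(o)}")
```

On this input the heuristic stops at a local optimum because the low-hit rule r0 must stay ahead of the high-hit rule r1, whereas the exact search moves r3 above that pair; the gap between the two is the kind of trade-off between solution quality and on-router computation the paper studies.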




Correspondence to Vic Grout.


Cite this article

Grout, V., McGinn, J. & Davies, J. Real-time optimisation of access control lists for efficient Internet packet filtering. J Heuristics 13, 435–454 (2007). https://doi.org/10.1007/s10732-007-9019-1
