Improving the Performance of IP Filtering using a Hybrid Approach to ACLs

With the use of policy based security being implemented in Access Control Lists (ACLs) at the distribution layer and the increased speed of interfaces the delays introduced into networks by routers are becoming significant. This paper investigates the size of the problem that is encountered in a typical network installation. Additionally since specialized hardware is not always available a hybrid approach to optimizing the order of rules in an ACL is put forward. This approach is based on the off-line pre-processing of lists to enable them to be reordered dynamically based on the type of traffic being processed by the router

Optimization of delays experienced by packets due to ACLs within a domain

The infrastructure of large networks is broken down into areas that have a common security policy called a domain. Security within a domain is commonly implemented at all nodes however this has a negative effect on performance since it introduces a delay associated with packet filtering. Recommended techniques for network design imply that every packet should be checked at the first possible ingress points of the network. When access control lists (ACL's) are used within a router for this purpose then there can be a significant overhead associated with this process. The purpose of this paper is to consider the effect of delays when using router operating systems offering different levels of functionality. It considers factors which contribute to the delay particularly due to ACL. Using theoretical principles modified by practical calculation a model is created for packet delay for all nodes across a given path in a domain

Improving the Performance of IP Filtering using a Hybrid Approach to ACLs

Abstract With the use of policy based security being implemented in Access Control Lists (ACLs) at the distribution layer and the increased speed of interfaces the delays introduced into networks by routers are becoming significant. This paper investigates the size of the problem that is encountered in a typical network installation. Additionally since specialized hardware is not always available a hybrid approach to optimizing the order of rules in an ACL is put forward. This approach is based on the off-line pre-processing of lists to enable them to be reordered dynamically based on the type of traffic being processed by the router. Abstract: With the use of policy based security being implemented in Access Control Lists (ACLs) at the distribution layer and the increased speed of interfaces the delays introduced into networks by routers are becoming significant. This paper investigates the size of the problem that is encountered in a typical network installation. Additionally since specialized hardware is not always available a hybrid approach to optimizing the order of rules in an ACL is put forward. This approach is based on the off-line pre-processing of lists to enable them to be reordered dynamically based on the type of traffic being processed by the router