DocumentCode :
1923674
Title :
Binary-tree-based high speed packet classification system on FPGA
Author :
Jingjiao Li ; Yong Chen ; Cholman Ho ; Zhenlin Lu
Author_Institution :
Coll. of Inf. Sci. & Eng., Northeastern Univ., Shenyang, China
fYear :
2013
fDate :
28-30 Jan. 2013
Firstpage :
517
Lastpage :
522
Abstract :
In network intrusion detection systems (NIDS), the speed of software-based packet classification is limited by processor performance, serial program execution and so on. It has become a great challenge to develop scalable solutions for next-generation packet classification that support higher throughput, larger rule sets and more packet header fields. For low-cost, high-performance embedded networking applications, the best solution could be to perform packet classification in specially designed hardware, which can effectively relieve the burden on the system CPU. In order to improve the speed of packet classification, exhibit good memory performance and support quick rule updates, a high-speed packet classification system based on FPGA is proposed in this paper. By taking advantage of parallel processing, pipelining and hardware circuits, the throughput is greatly improved; by restricting the tree nodes to a binary tree, memory usage can be made more efficient. The binary tree structure is generated through pre-processing on a computer, which does not influence the search speed of the FPGA. During packet header division, the division field is dynamic and is selected according to the rules. The experimental results show that the pre-processing time for 50000 rules is shorter than 0.051 s and that the average speed of rule-header classification for Snort IDS is higher than 10 Gbps.
Keywords :
IP networks; computer network security; parallel processing; pattern classification; pipeline processing; telecommunication network routing; tree data structures; CPU; FPGA; IP packet; NIDS; Snort IDS; binary tree structure; binary-tree-based high speed packet classification system; hardware circuit; high performance embedded networking application; network intrusion detection system; next-generation packet classification; packet header division; parallel processing; pipeline processing; processor performance; router; rule-header classification; serial program execution; software-based packet classification; tree node; Binary trees; Clocks; Decision trees; Field programmable gate arrays; Hardware; IP networks; Binary tree; FPGA; NIDS; Packet classification;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Networking (ICOIN), 2013 International Conference on
Conference_Location :
Bangkok
ISSN :
1976-7684
Print_ISBN :
978-1-4673-5740-1
Electronic_ISBN :
1976-7684
Type :
conf
DOI :
10.1109/ICOIN.2013.6496433
Filename :
6496433
Link To Document :