Rules in Play: On the Complexity of Routing Tables and Firewalls
Mohit Wadhwa, Ambar Pal, Ayush Shah, Paritosh Mittal, H.B. Acharya

TL;DR
This paper investigates the complexity of routing tables and firewalls, showing that the decision tree of a real policy is far smaller than the theoretical O((2n)^d) worst case because of the 'rules in play' bound and three practical factors (narrow fields, singletons, and all-matches), which keeps analysis and optimization tractable for real-world policies.
Contribution
It introduces the 'rules in play' concept to accurately bound decision tree size and demonstrates how to prune policies without altering their behavior.
Findings
Actual decision tree size is much smaller than theoretical worst-case.
Narrow fields, singletons, and all-matches simplify policy analysis.
Pruning policies to minimal rules without changing their meaning is achievable.
Abstract
A fundamental component of networking infrastructure is the policy, used in routing tables and firewalls. Accordingly, there has been extensive study of policies. However, the theory of such policies indicates that the size of the decision tree for a policy is very large (O((2n)^d), where the policy has n rules and examines d features of packets). If this were indeed the case, the existing algorithms to detect anomalies, conflicts, and redundancies would not be tractable for practical policies (say, n = 1000 and d = 10). In this paper, we clear up this apparent paradox. Using the concept of 'rules in play', we calculate the actual upper bound on the size of the decision tree, and demonstrate how three other factors - narrow fields, singletons, and all-matches - make the problem tractable in practice. We also show how this concept may be used to solve an open problem: pruning a policy to…
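The following is an added illustration (not code from the paper or its authors) of the idea the abstract describes: a first-match policy of n rules over d integer fields is compiled into a decision tree by cutting each field at rule boundaries, and at every node only the rules that can still match a packet (the rules "in play" on that path) contribute cuts. The constructed four-rule, two-field policy, the field domains, and the helper names are all assumptions made for this example; the paper's own construction and its exact bound are not reproduced on this page. The example also shows the pruning use case: a rule that is never the first match at any leaf can be dropped without changing the policy's behaviour, which is checked here by brute force over every packet in the (small) domain.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    """One policy rule: an inclusive integer range per field, plus an action."""
    ranges: tuple   # ((lo, hi), ...) one pair per field
    action: str


def worst_case_bound(n, d):
    """Textbook worst case: every rule contributes two cuts per field, (2n)^d leaves."""
    return (2 * n) ** d


def elementary_intervals(rules, field, lo, hi):
    """Split [lo, hi] at the range boundaries of the given rules on `field`.
    Because every boundary is a cut, each rule either fully covers an
    interval or is disjoint from it; no rule straddles an interval."""
    cuts = {lo, hi + 1}
    for r in rules:
        a, b = r.ranges[field]
        for c in (a, b + 1):
            if lo < c <= hi:
                cuts.add(c)
    pts = sorted(cuts)
    return [(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)]


def build_tree(rules, domains, field=0, in_play=None):
    """Build the decision tree field by field. `in_play` holds the rules that
    can still match a packet on the path to this node; only they cut the
    field here, so deeper nodes branch on fewer rules than n."""
    if in_play is None:
        in_play = list(rules)
    lo, hi = domains[field]
    children = []
    for a, b in elementary_intervals(in_play, field, lo, hi):
        nxt = [r for r in in_play
               if r.ranges[field][0] <= a and r.ranges[field][1] >= b]
        if field + 1 == len(domains):
            # Leaf: every rule in nxt matches the whole cell; first match wins.
            children.append(((a, b), nxt[0] if nxt else None))
        else:
            children.append(((a, b), build_tree(rules, domains, field + 1, nxt)))
    return children


def leaves(tree):
    out = []
    for _, sub in tree:
        if isinstance(sub, list):
            out.extend(leaves(sub))
        else:
            out.append(sub)
    return out


def count_leaves(tree):
    return len(leaves(tree))


def prune(rules, domains):
    """Keep only rules that are the first match at some leaf; order is preserved."""
    used = {r for r in leaves(build_tree(rules, domains)) if r is not None}
    return [r for r in rules if r in used]


def classify(rules, pkt):
    """Reference first-match semantics, used to check that pruning is behaviour-preserving."""
    for r in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(r.ranges, pkt)):
            return r.action
    return None


def all_packets(domains):
    return product(*(range(lo, hi + 1) for lo, hi in domains))


# Constructed policy (assumption): two 4-bit fields, e.g. src port and dst port.
DOMAINS = ((0, 15), (0, 15))
POLICY = [
    Rule(((0, 7), (0, 15)), "accept"),
    Rule(((4, 11), (0, 3)), "deny"),    # partly shadowed by rule 1
    Rule(((2, 5), (0, 15)), "deny"),    # fully shadowed by rule 1: never in use
    Rule(((0, 15), (0, 15)), "deny"),   # all-match default
]

if __name__ == "__main__":
    tree = build_tree(POLICY, DOMAINS)
    print("worst-case leaves:", worst_case_bound(len(POLICY), len(DOMAINS)))
    print("actual leaves:    ", count_leaves(tree))
    pruned = prune(POLICY, DOMAINS)
    print("rules after pruning:", len(pruned), "of", len(POLICY))
    same = all(classify(POLICY, p) == classify(pruned, p) for p in all_packets(DOMAINS))
    print("pruned policy equivalent on every packet:", same)
```

For this policy the (2n)^d bound is 64 leaves, but the tree built from rules in play has 9, and the fully shadowed third rule is removed while the remaining three rules classify every one of the 256 possible packets identically.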
Taxonomy
Topics: Network Packet Processing and Optimization · Network Security and Intrusion Detection · Algorithms and Data Compression
