[nsp] Cost metric for ACL entries in TCAM

Florian Weimer Weimer at CERT.Uni-Stuttgart.DE
Sat Dec 14 18:58:15 EST 2002


Hi,

this probably isn't a real NSP topic (not yet, anyway), but here we
go.

We configure the packet filters at the border of our network according
to the needs of our local system administrators.  This means that they
can subscribe to a set of services, and we will activate the suitable
filtering rules for them.  (The underlying concept, "block almost
everything and open almost anything on request", works surprisingly
well to keep out most of the vandals and is now accepted by the admins
as well.)

The primary filter is implemented on a 7609 with TCAM support (via
PFC2 and MSFC2, or what's it called).  Here's the actual problem:

There is no obvious mapping between the order-dependent access lists we
feed to the router and the TCAM table that is generated by it.  As a
result, it is hard to come up with a cost metric.  (The cost metric is
necessary to encourage admins to unsubscribe services which are no
longer needed.) This is probably not a TCAM-specific problem, but TCAM
is deterministic, only the table generation is a mystery, so there is
some hope.

I could perform some experiments with a spare 650x/760x next year and
empirically determine a cost metric.  But this is a tedious task, and
I'd have to rerun the tests for each new IOS release we install -- and
it's rather unusual that a complete spare router is available for such
tests. ;-)

So I'm interested in a concrete description of the ODM table merging
algorithm, or a way of generating the table externally and loading it
directly into the router.  In both cases, I should be able to count
the actual table entries (and use them as some kind of currency).

Otherwise, I'll have to settle for counting ACL entries, which is
quite misleading in some cases...

Thanks,
-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
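The closing point, that counting ACL entries is a misleading cost metric, can be illustrated with a small model. This is an added example, not code from the original post and not Cisco's ODM algorithm: it assumes every port range in an ACE is expanded into aligned power-of-two ternary (value/mask) blocks and that source and destination expansions cross-multiply, and it ignores range registers and merging that real hardware may do. The access list in it is constructed.

```python
# Added example: simplified model of how ACL entries (ACEs) expand into
# ternary (value/mask) TCAM entries.  Assumptions: each port range becomes
# aligned power-of-two blocks, and source/destination expansions
# cross-multiply.  Real hardware may merge entries or use range registers,
# so the result is an estimate, not the router's actual table size.
from typing import Dict, List, Tuple

PORT_BITS = 16
PORT_MASK = (1 << PORT_BITS) - 1


def range_to_ternary(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Cover [lo, hi] with the fewest aligned (value, mask) blocks."""
    entries = []
    cur = lo
    while cur <= hi:
        size = 1
        # grow the block while it stays aligned and inside the range
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= hi:
            size *= 2
        entries.append((cur, PORT_MASK & ~(size - 1)))
        cur += size
    return entries


def ace_tcam_entries(ace: Dict) -> int:
    """TCAM entries for one ACE: product of its port-range expansions."""
    count = 1
    for key in ("sport", "dport"):
        lo, hi = ace.get(key, (0, PORT_MASK))  # missing key means any port
        count *= len(range_to_ternary(lo, hi))
    return count


def acl_cost(acl: List[Dict]) -> Tuple[int, int]:
    """Return (ACE count, estimated TCAM entries) for an access list."""
    return len(acl), sum(ace_tcam_entries(a) for a in acl)


# Constructed access list for the demonstration, not a real configuration.
SAMPLE_ACL = [
    {"name": "permit tcp any host www eq 80", "dport": (80, 80)},
    {"name": "permit udp any host dns eq 53", "dport": (53, 53)},
    {"name": "permit tcp any any gt 1023", "dport": (1024, 65535)},
    {"name": "permit udp any gt 1023 any gt 1023",
     "sport": (1024, 65535), "dport": (1024, 65535)},
    {"name": "deny ip any any"},
]

if __name__ == "__main__":
    aces, tcam = acl_cost(SAMPLE_ACL)
    print(f"{aces} ACEs expand to about {tcam} TCAM entries")  # 5 -> 45
```

Two ACEs with "gt 1023" on both ports account for most of the estimated table, which is exactly the kind of case where a per-ACE charge under-bills a subscriber.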