A network element can support access control lists (ACLs) in order to block undesirable network traffic. An ACL is an ordered series of rules, where each rule has a match criterion and an action. An ACL is applied to a piece of data by evaluating the data against these rules in order and taking the action of the first rule that matches. For example, the match criterion for each rule may be a pair (V, M), where V is a numeric value up to N bits long and M is a mask of N bits, each 0 or 1. A value X matches the rule if (X & M) == (V & M), where “&” is the bitwise logical AND operator; the 1 bits of M select which bits of X must equal the corresponding bits of V, and the 0 bits of M are “don't care” bits.
From time to time, the network element operator may change the specification of what traffic should be blocked or allowed by updating or replacing the rules of the ACL. To effect this change, the network element software loads the new ACL into the network element hardware, typically in the form of ternary content-addressable memory (TCAM) entries within a switch application-specific integrated circuit (ASIC).
The challenge is that loading an ACL can take tens or even hundreds of milliseconds, during which a large amount of traffic arrives at the switch. For example, for a large network element with 36 ports of 100 Gigabits per second (Gbps) each running at full speed, even tens of milliseconds represent gigabytes of data being processed by the network element (36 × 100 Gbps is 3.6 Tbps, or about 450 GB per second, so 10 ms of traffic is roughly 4.5 GB). How can the network element forward this amount of traffic correctly while the ACL is in the middle of being loaded? If the network element retains a complete copy of both the old and the new ACL, the TCAM usage exceeds capacity in many applications. The other choices are to drop all traffic during the update, or to accept all traffic during the update.
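The following Python model is an added illustration, not code from the original specification. It implements the (V, M) first-match semantics described above over a fixed-size TCAM and then simulates the load window: the old ACL is overwritten by the new one entry at a time, and a probe packet is evaluated after each write. The matched field being an IPv4 source address, the permit default when no rule matches, the in-place one-entry-at-a-time load model, the TCAM capacity, and the sample ACLs are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

N_BITS = 32  # width of the matched field; an IPv4 address is assumed for the example


@dataclass(frozen=True)
class Rule:
    value: int   # V: the value to compare against
    mask: int    # M: 1 bits are compared, 0 bits are "don't care"
    action: str  # "permit" or "deny"

    def matches(self, x: int) -> bool:
        # The match test from the text: (X & M) == (V & M)
        return (x & self.mask) == (self.value & self.mask)


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_rule(cidr: str, action: str) -> Rule:
    """Build a (V, M) rule from a CIDR prefix: the mask has 1s for the prefix bits."""
    ip, plen_str = cidr.split("/")
    plen = int(plen_str)
    mask = ((1 << plen) - 1) << (N_BITS - plen) if plen else 0
    return Rule(ip_to_int(ip), mask, action)


def evaluate(acl: List[Optional[Rule]], x: int, default: str = "permit") -> str:
    """First-match semantics: the action of the first matching rule wins.
    Empty TCAM slots are None and are skipped. The action taken when no rule
    matches is not specified in the text; a permit default is assumed here."""
    for rule in acl:
        if rule is not None and rule.matches(x):
            return rule.action
    return default


def transient_actions(old_acl: List[Rule], new_acl: List[Rule],
                      capacity: int, probe: int) -> List[str]:
    """Assumed load model: the TCAM holds `capacity` entries, the old ACL is
    resident, and the new ACL is written over it one entry at a time in rule
    order, with leftover old entries cleared last. Returns the action the probe
    value receives after each write, i.e. what the switch would do to a packet
    with that value if it arrived at that instant."""
    if len(old_acl) > capacity or len(new_acl) > capacity:
        raise ValueError("ACL does not fit in TCAM")
    tcam: List[Optional[Rule]] = list(old_acl) + [None] * (capacity - len(old_acl))
    observed = []
    for i in range(max(len(old_acl), len(new_acl))):
        tcam[i] = new_acl[i] if i < len(new_acl) else None
        observed.append(evaluate(tcam, probe))
    return observed


# Constructed sample ACLs for a transit-peer port (not real deployment data).
OLD_ACL = [
    prefix_rule("10.0.0.0/8", "deny"),      # spoofed internal source address
    prefix_rule("0.0.0.0/0", "permit"),     # everything else
]
NEW_ACL = [
    prefix_rule("203.0.113.0/24", "deny"),  # newly added DDoS source
    prefix_rule("10.0.0.0/8", "deny"),
    prefix_rule("0.0.0.0/0", "permit"),
]
SPOOFED_INTERNAL = ip_to_int("10.1.2.3")
DDOS_SOURCE = ip_to_int("203.0.113.7")


def fits_both(capacity: int = 4) -> bool:
    """Keeping both ACLs resident needs len(old) + len(new) TCAM entries."""
    return len(OLD_ACL) + len(NEW_ACL) <= capacity


if __name__ == "__main__":
    print("old ACL, spoofed internal:", evaluate(OLD_ACL, SPOOFED_INTERNAL))
    print("new ACL, DDoS source:     ", evaluate(NEW_ACL, DDOS_SOURCE))
    print("both ACLs fit in 4 entries:", fits_both(4))
    print("spoofed internal during reload:",
          transient_actions(OLD_ACL, NEW_ACL, 4, SPOOFED_INTERNAL))
```

Under this load model the spoofed internal address is permitted after the first write, because the new DDoS entry displaces the old anti-spoofing entry before the anti-spoofing entry is rewritten one slot down. That intermediate state matches neither the old nor the new ACL, which is exactly why neither "keep both" (it does not fit) nor "write in place" (it opens a window) is satisfactory.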
Consider a use case where a web service provider connects to transit peers. Transit peer ports have ACLs that provide two functions: (1) blocking extremely harmful traffic, e.g. one transit peer spoofing another transit peer's routing session, or spoofing internal IP addresses; and (2) distributed denial of service (DDoS) mitigation filters that reduce the severity of in-progress DDoS attacks. Now suppose the web service provider wishes to update the DDoS list. The DDoS list can be very long, so the old and new ACLs cannot both fit in the TCAM. There are two bad choices. In deny-all mode, the service provider would drop tens or hundreds of milliseconds of customer traffic while making the change. In permit-all mode, the provider would be exposed to very harmful attacks for that interval.