访问控制列表的优化问题

访问控制列表(access control list,简称ACL)是解决和提高网络安全性的方法之一,但访问控制列表应用在网络设备的接口上将降低网络设备的性能.当ACL条目达到一定数量后,很难进行人工处理,根据一定算法进行ACL自动优化显得尤为重要.在深入研究ACL优化问题的基础上,考虑到一条语句与多条语句之间或多条语句与多条语句之间的交叉覆盖或包含关系,对ACL的全局优化问题进行了形式化描述,得出了3个有用的推论,并提出了一种ACL的近似优化算法.通过模拟实验表明,性能优于同类商业产品.该算法可以作为AC

Towards the Optimization of Access Control List

Access control list (ACL) is proposed to solve or improve the network security problem. It is widely deployed in network devices such as routers, switches and firewall appliances, to filter the packets. However, the performance of the network device will be degraded when access control lists are applied in data forwarding interfaces of the device. The optimization of the ACL can greatly improve the performance of the devices in packets forwarding. The paper studies the optimization problem of ACL, outlines the overlapping or containing relationships between single clause and multiple clauses or among multiple clauses, proposes a formula representation of the problem based on the studies, and draws three important conclusions. Based on these conclusions, an approximate optimization algorithm is designed and implemented. Simulation experiments show better performance than the similar commercial products, implying that the research not only provides theoretical references, but also has important practical application.