Abstract—this document gives a general idea of Access Control Lists, how are they implemented, a brief and short history of them, a treatment of the main issues that they present and some studies realized in order to perform them.

1. 1
Abstract—this document gives a general idea of Access Control
Lists, how are they implemented, a brief and short history of
them, a treatment of the main issues that they present and some
studies realized in order to perform them.
I. INTRODUCTION
CESS CONTROL LISTS, known as ACLs, present a problem
according with the optimization when is necessary to
reorder the rules in them to optimize and reduce their
processing latency.
The problem, Sequencing to Minimize Expected Latency
(SMEL) is to find a way to reorder rules obeying the
dependency constraints reducing the expected latency.
This problem is actually important in very large companies,
like Telefonica España S.A, Yahoo, ONO, T-Online and many
others. It is why companies as Cisco, Nokia and many others
work deeply to solve it.
II. WHAT IS AN ACL?
A. Definition
In a network, routers are the ones which have the
responsibility of doing an appropriate delivery of packets from
source to destination using protocols and applying policies.
They will send each packet to the correspondent device at each
hop in the network, considering a set of rules that it may
match.
An ACL is a number of rules that will be processed in order,
which will implement a determined objective or a group of
them. They can be used to pass or block packets, or as filters
for more sophisticated policies like network addresses
translation (NAT), queuing, traffic shaping, tunneling (VPN),
logging or encryption. A packet will be matched against many
ACLs on its complete journey. Because of this, ACLs can add
significantly packet latency within the network.
B. History
The history of the ACL design is very short, and actually,
till the year 2004 there are not good and optimized techniques
in this subject. The first attempt at optimization is from Cisco
(2002) but they did not take in consideration some important
aspects like dependencies. The first real treatment of the
problem was given by Al-Shaer and Hamed (2004) with a
complete model of it. Then, with the introduction of Turbo
Access List (Cisco, 2004), it is introduced the concept of an
ACL manager and they get a more efficient method of
searching of ACLs, but also different rules latencies are still
not considered.
III. TREATING THE PROBLEM
A. Optimizing an ACL
The way of how the matching of packets against an ACL
can be optimized depends of some aspects like, how the ACLs
are implemented – where they are stored and where the
optimization takes place – where the ACLs are implemented –
hardware, software or a combination of them – and how the
ACLs are searched – linearly, in parallel, using trees/tries or
using cache.
In an ACL, the rules have to be reordered to minimize or
reduce processing time, but the existing relationships or
dependencies between them do not allow an arbitrary
reordering.
B. The goals of the ACL Optimization
The main goals of the ACL Optimization are the ones that
are explained next.
- To find the expected rule as soon as possible in order to
minimize the expected latency.
- To minimize the number of rules in the ACL, removing
the ones that covered, merging the rules’ address ranges
that are maskable, merging the possible rules of port
ranges that are covered, removing redundant rules of
port ranges and removing the duplicated ones.
- To place the most frequently rules ahead of the less
frequently ones in order to minimize or reduce the
processing time, taking in consideration dependencies
between them.
Table 1: Removing covered rules in an ACL1
Table 2: Merging the rules’ address ports that are
covered1
1
Cisco, “Optimizing ACLs”.
ACL Optimization
María – Almudena García – Fraile Fraile, Student of the orth East Wales Institute, EWI
A

2. 2
Table 3: Merging the rules’ address ranges that are
maskable2
Table 4: Removing redundant rules2
Table 5: Removing covered rules2
C. Hardware Implementations
Using Ternary Content Addressable Memory (known as
TCAMs). A TCAM takes a rule and output the lowest indexed
rule that matches the packet.
A TCAM is a hardware version of an associative array that
emulates trees, hashing or pipelining. Actually it is only viable
for top-end routers.
Fig. 1: Example of the schema of a TCAM3
2
Cisco, “Optimising ACLs”
3
Banit Agrawal and Timothy Sherwood, “Ternary CAM (TCAM) and
Delay Modelling”
Fig. 2: Example of a TCAM in an ACL4
D. Software Implementations
All of them have advantages and disadvantages, but
generally, the ones that are faster to search are the ones that
are harder to maintain.
They are:
- Binary trees.
- Tries: they are an improvement over the Binary Trees.
- Reordering linear list.
Fig. 3: Example of Tries4
IV. EXACT ALGORITHMS
ACLs vary considerably in size, from ten to hundred rules in
a typical filter, and tens of thousand in large enterprises. It is
the cause of considering exact approaches in order to minimize
rule order.
A. Exhaustive Search
It is the simplest algorithm, but the least efficient. This
method orders, by iteration or recursion, the rules in turn,
testing for validity against the dependencies between them and
reordering the solution that minimizes the expected latency.
The time complexity for this process is O(n!) and the space
complexity is O(n). This method minimizes space complexity
and it can be interesting in environments with limited capacity,
but its time complexity is unacceptable.
4
Vic Grout and Stuart Cunningham, “Optimising Internet Access Control
Lists”

3. 3
B. Dynamic Programming
This method was given by Held and Karp (1962) and then
adapted. It is more efficient that the last one.
Its time complexity is O(2n
), the space complexity is O(2n
)
and it can be adapted for Sequencing to Minimize Expected
Latency (SMEL).
The time complexity and the space complexity are
exponential, and having an exponential space complexity will
be a problem in restricted environments,
This method can be a good option for smaller lists.
C. Linear Programming
This method is well established, and is adapted for
Sequencing to Minimize Expected Latency (SMEL) providing
faster solutions.
The implementation of this method is unrealistic, being only
appropriate for small number of tests since each new instance
has to be programmed into the system before solving.
D. Branch and Bound
It is the most efficient known solution to large problems
developed in relation with Linear Programming methods.
It is adequate for very large problems, so, it is only useful
for a few comparisons.
V. APPROXIMATION AND HEURISTICS
Heuristics are necessary for implementation in real-time in
operational network.
ACLs vary considerably in size, so it is actually important
reducing packet latency. It is the cause that any attempt to
optimize packet processing is really valuable.
Some recent methods that optimize it, based in genetic
behaviors, show some improvements, but are really very
complex to implement in software or in hardware.
But there are some simple heuristic solutions which extend
well to SMEL.
A. K-OPT
It is the simplest and easiest algorithm for local searches.
This method starts from an initial ACL and rules are swapped
(k=2) or permuted (k>2) in a search to find superior solutions.
The 2-OPT algorithm works by applying sequence of 2-
swaps to the current list, and implementing the best while an
improvement exists. Its space complexity is O(n) and it time
complexity is p*O(n), where p is the number of passes through
the indefinite loop.
The 3-OPT algorithm has space complexity of O(n) and
time complexity of p*O(n3
).
The nature of these algorithms aids easy implementation in
software or hardware solutions.
Fig. 4: SMEL 2-OPT5
Fig. 5: SMEL 3-OPT5
B. Lin and Kernighan
This method approach to local search optimization and it is
a variant of the K-OPT.
Its essential objective is to extend the scope and resolution
of a fixed search, and this algorithm usually generates better
results.
The most used version of this algorithm for SMEL is
(2,3)LK-OPT. Its space complexity is O(n), but its time
5
Vic Grout, John McGinn and John Davies, “Real-time optimisation of
access control lists for efficient Internet packet filtering”

4. 4
complexity is not predictable.
Fig. 6: SMEL L-K OPT6
C. Constrained Sort
This algorithm is a restricted version of 2-OPT that only
swaps adjacent rules. Each rule is compared with the one
following to see if interchanging them the expected latency of
the ACL improves.
This method is quicker than 2-OPT but is more inherently
greedy and less precise.
Fig. 7: SMEL C-SORT6
VI. SOME INVESTIGATIONS
According to some investigations realized by Vic Grout,
John McGinn and John Davies (2006), here is a good
comparison between the bellow methods in order to find the
best way to have the better method to optimize ACLs.
They did some simulations in two ways. Firstly, some tests
with a number of moderate rules (n<100) comparing the 2-
OPT and LK-OPT processes. Secondly, some tests with a
large number of rules (500≤n≤10000) comparing 2-OPT and
C-SORT.
With the investigations that they have realised we can see
that LK-OPT gives better results that 2-OPT but a greater
expense in terms of rum-time7
. 2-OPT gives greater solutions
for ACLs with 10 to 100 rules.
The 2-OPT heuristic will not be appropriate for large ACLs
and C-SORT will perform well in this case.
6
Vic Grout, John McGinn and John Davies, “Real-time optimisation of
access control lists for efficient Internet packet filtering”
7
Real-time optimization of access control lists for efficient Internet packet
filtering, by Vic Grout, John McGinn and John Davies (2006), published
online by Springer Science+Business Media, LLC 2007.
VII. ANALYSIS
Here it is discussed the practical implementation of the
techniques exposed above according to the following
algorithms, Exhaustive Search, Dynamic Programming,
Linear Programming, Branch and Bound, K-OPT, LK-OPT
and C-SORT.
The first ones, Exhaustive Search, Linear Programming and
Branch and Bound will be rejected because of their
complexities.
Dynamic Programming will be viable for extremely small
ACLs, 2-OPT are viable for larger ones, and only C-SORT is
viable in the very large ones.
A. Measuring hit-rates and timing
There is not a specific method to calculate hit-rates, because
traffic characteristics change over time and some times it is
oscillatory. That is, the hit-rate of a rule being considered for
promotion up the list will not be swapped too far, causing
constant re-swapping.
A frequent re-optimization of the ACL is not practical,
being a better solution to re-optimize after a fixed period.
It is important to take in consideration that rules used to
filter some traffic may be at the top of the list, and all the other
rules in the ACL will be dependent of them.
VIII. CONCLUSIONS
Nowadays, there is a real problem with the ACL
Optimization. Packets that are delivery from source to
destination increments their latency from every ACL in which
they have to be matched, so it is actually important to have an
optimized ACL and good methods to reorder them and to find
the rule that matches it as soon as possible reducing the
expected latency.
There are some very fast hardware implementations to solve
the problem, but they are very complex and expensive and
they are only implemented in routers destined to very large
companies.
It is the reason of why software implementations may be the
solution. It is known that only in the smallest ACLs will have
exact approximations. But, the adapted 2-OPT algorithm is a
good solution for medium ACLs and the C-SORT algorithm
for the larger ones.
REFERENCES
[1] Cisco, “Access Control Lists: Overview and Guidelines”.
http://www.cisco.com/en/US/docs/ios/11_3/security/configuration/guide
/scacls.html
[2] Vic Grout and John McGinn, “Optimisation of Policy – Based Internet
Routing Using Access Control Lists”.
[3] Cisco, “Optimizing ACLs”.
http://www.cisco.com/en/US/products/sw/cscowork/ps402/products_use
r_guide_chapter09186a008008123d.html
[4] I-Lung Kao and R. Chow, “An Extended Capability Architecture To
Enforce Dynamic Control Policies”.
http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/pro
ceedings/&toc=comp/proceedings/acsac/1996/7606/00/7606toc.xml&D
OI=10.1109/CSAC.1996.569688

5. 5
[5] Vic Grout, John McGinn and John Davies, “Real-time optimization of
access control lists for efficient packet filtering”.
http://www.springerlink.com/content/r0mw0x4200264558/
[6] Cisco, “Turbo Access Control Lists”.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120n
ewft/120limit/120s/120s6/turboacl.pdf
[7] Ramaswamy, Lukas Kencl and Gianluca Iannaccone, “Approximate
Fingerprinting to Accelerate Pattern Matching”.
http://delivery.acm.org/10.1145/1180000/1177120/p301-
ramaswamy.pdf?key1=1177120&key2=9071638021&coll=GUIDE&dl
=GUIDE&CFID=23891779&CFTOKEN=16101266
[8] Cisco, “User Guide for ACL Manager 1.5”
http://www.cisco.com/en/US/products/sw/cscowork/ps402/products_use
r_guide_book09186a008017add4.html
[9] H3C Technologies Co., “ACL Introduction”
http://www.h3c.com/portal/Products___Solutions/Technology/Security_
and_VPN/ACL/200701/195606_57_0.htm
[10] Banit Agrawal and Timothy Sherwood, “Ternary CAM (TCAM) and
Delay Modelling”
http://www.cs.ucsb.edu/~arch/memmodel/
[11] Vic Grout, John Davies and John McGinn, “An argument for simple
embedded ACL optimisation”
http://www.newi.ac.uk/groutv/Papers/ACLArg.pdf
[12] Nigel Houlden, Vic Grout, John McGinn and John Davies, “Extended
End-to-End Cost Metrics for Improved Dynamic Route Calculation”