Author: Davies J.N., Comerford P., Grout V., Rvachova N., Korkh O.
Abstract:
An Access Control List (ACL) is an ordered list of rules which specify the action to take for any packet which is tested and matched against it. The list is arranged in order of decreasing priority; therefore, if a match is made on a particular rule, the packet is either permitted or denied and no further rules are evaluated. When configuring firewall rules it is possible to specify varying levels of granularity when examining the fields of a packet header. The most basic form of checking is on the source Layer 3 address. However, there are more complex forms of the rule which enable further fields to be checked. This paper investigates the effect on the performance of a router when using these complex rules. In particular, it concentrates on the checking of the port number field in TCP/UDP. A specialized simulator was built to help understand the process undertaken by the router. The results of the investigations are presented, together with a recommendation on how to improve performance in certain areas.
Keywords: IP packet filtering, ACL complexity, Network Performance, Delay through Routers, Access Control List, ACL optimization, ACL Simulator, Firewalls.
Is a component part of the document:
Document topics
UDC // Routers