Algorithms for Analysing Firewall and Router Access Lists

Network firewalls and routers use a rule database to decide which packets will be allowed from one network onto another. By filtering packets the firewalls and routers can improve security and performance. However, as the size of the rule list increases, it becomes difficult to maintain and validate the rules, and lookup latency may increase significantly. Ordered binary decision diagrams (BDDs) - a compact method of representing and manipulating boolean expressions - are a potential method of representing the rules. This paper presents a new algorithm for representing such lists as a BDD and then shows how the resulting boolean expression can be used to analyse rule sets.