
2019 IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems

An Analysis Method for IPv6 Firewall Policy

Yi Yin, Guoqiang Zhang
School of Computer Science and Technology
Nanjing Normal University
Nanjing, China
yi837@hotmail.com, guoqiang@ict.ac.cn

Yuichiro Tateiwa, Yoshiaki Katayama, Naohisa Takahashi
Department of Computer Science and Engineering
Nagoya Institute of Technology
Nagoya, Japan
{tateiwa, katayama, naohisa}@nitech.ac.jp

Yun Wang
School of Computer Science and Engineering
Southeast University
Nanjing, China
101004974@seu.edu.cn

Chao Zhang
The 28th Research Institute of China Electronics Technology Group Corporation
Nanjing, China
13584017650@163.com

978-1-7281-2058-4/19/$31.00 ©2019 IEEE
DOI 10.1109/HPCC/SmartCity/DSS.2019.00241

Abstract—Firewalls play a vitally important role in network security. Packet filtering in a firewall either accepts or denies network packets based upon a set of pre-defined rules called the firewall policy. Management of a firewall policy is a tedious task and is always prone to error. There have been many analysis methods for anomaly detection in IPv4 firewall policies. However, because of the enormous address space, these methods either cannot be used to deal with IPv6 firewall policies directly, or have low effectiveness. In this work, we propose a formal method that can analyze the inclusion relations between every two IPv6 firewall rules and detect their anomalies. We have implemented a prototype system to verify our proposed method; experimental results show its effectiveness.

Keywords: IPv6, Firewall policy, SMT Solver

I. INTRODUCTION

Recently, many organizations have started using Internet Protocol version 6 (IPv6) [1], because they recognized the improvements and technical benefits of IPv6 that can meet current and future Internet demands. IPv6 is a new protocol that offers technical benefits not only in its larger addressing space but also in its security and configuration features.

As is well known, the firewall is the most widely used mechanism to guarantee network security, and rule matching is one of the most important firewall technologies. However, firewall rule management is a very significant task and it is prone to error. Wool shows that the “Firewall Complexity” is still positively correlated with the number of detected risk items [2]. Wool also inspected firewall policies collected from different organizations and indicated that all examined firewall policies have security flaws [3]. Security flaws often lead to anomalies, which are caused by conflicts between rules, that is, two or more rules match the same packet. To resolve this problem, E. Al-Shaer classified the anomalies in IPv4 firewall rules in detail [4]. They also reported a comprehensive and in-depth study of automated firewall policy analysis for designing, configuring and managing distributed firewalls [5]. Building on the research of E. Al-Shaer, many studies [6]-[9] on anomaly detection in firewall rules have been developed. Nevertheless, with the network migration from IPv4 to IPv6, those rule analysis methods based on IPv4 are not suitable for IPv6 or have low effectiveness. The main reason for this situation is that the range of IPv6 addresses is much bigger than the range of IPv4 addresses. There is also very little research about IPv6 firewall policy [10]-[11]. Among them, the distributed firewall policy detection tool ad6 [10] can be used to analyze the firewall policies of distributed IPv6 networks, but its anomalies were designed for a distributed environment. In this work, the classification of anomalies differs from that of ad6 and our goal also differs from that of ad6: we want to detect the anomalies between every two rules in an individual IPv6 firewall policy.

In this work, to implement the analysis of IPv6 firewall policy rapidly and effectively, we propose a solution that represents every two rules in an IPv6 firewall policy in a formal verification format, and then uses the SMT solver Z3 to verify their inclusion relations. Finally, according to the inclusion relations and the actions of the rules, we decide their anomalies. The major contributions of this paper are as follows:

• We represented the IPv6 firewall rules as logical formulas and used the SMT solver Z3 to verify their inclusion relations. There was no need to interpret the meanings of rules by means of additional complex analysis technology.
• We classified the kinds of anomalies and proposed the corresponding algorithm to detect them according to the inclusion relations between rules.
• We have developed a prototype system to verify our proposed method. The experimental results show the time consumption.

This paper is organized as follows. Section II introduces the basic concepts of firewall policy and SMT solver. Section III describes the inclusion relations of IPv6 firewall rules. Section IV presents our proposed anomaly detection method for IPv6 policy. Section V introduces our prototype system and the experiments. Section VI discusses the relevant works in similar areas. Finally, Section VII draws the conclusions and future works.

II. FIREWALL POLICY AND SMT SOLVER

The slow but steady migration from IPv4 to IPv6 is a challenge for a variety of organizations. The IPv4 firewall model has been used for more than a decade, and because of the enormous address space of IPv6, the new IPv6 model will require a lot of development and testing, so firewall models based on IPv4 will still be used for a period of time.

A. Structure of Firewall Policy

A firewall policy, FP, usually consists of an ordered set of n rules {f_1, f_2, ..., f_n}, where if the rule f_i is placed before the rule f_j in FP (i, j ∈ [1, n], and i < j), we say that f_i has the higher priority. Each rule f_i includes t predicates, p_1, p_2, ..., p_t, and an action, shown as follows:

f_i : p_i1, p_i2, ..., p_it, action_i,

where t is the number of key header fields used in packet filtering. The commonly used header fields are: protocol, source IP (SrcIP), destination IP (DesIP), source port (SrcPort) and destination port (DesPort). Each predicate p_ij (i ∈ [1, n], j ∈ [1, t]) in a rule is a matching condition for a packet header field. Because IPv6 firewall rules are private, it is difficult to obtain actual rule sets; therefore, in this work, we use rules generated by ClassBenchv6 [16] for the explanation of the proposed method and for the experiments. ClassBenchv6 is an open source tool that provides a reliable and flexible benchmark for future IPv6-based application device design. We modified the open source code and generated IPv6 rules in the format shown in Fig. 1. Each rule consists of a flow label (for example: @393978-516704), SrcIP/prefix, DesIP/prefix, SrcPort, DesPort, Protocol, and an action, respectively.

Figure 1. Example of three IPv6 rules

B. SMT Solver and Internal Form of Rules

The Satisfiability Modulo Theories (SMT) problem is a decision problem for logical first order formulas with respect to combinations of background theories such as arithmetic, bit vectors, arrays, and so on. An SMT solver is a tool for deciding the satisfiability of formulas in these theories. Z3 is a new SMT solver freely available from Microsoft Research [14]. In this paper, we call the Z3 solver procedurally by using its ANSI C API [15]. It is necessary to transform FP rules into logical formulas in order to use the Z3 solver.

Each predicate p_ij (i ∈ [1, n], j ∈ [1, t]) in a rule is a matching condition for a packet header field, and it commonly allows four kinds of matching: exact matching, prefix matching, range matching, and list matching. However, in this work, for simplicity, each predicate p_ij in a rule is represented as a uniform range value, [a_ij, b_ij]. Predicates in other forms can be easily converted into one or multiple rules with range values. A rule where all predicates are represented as integer range values is called an internal form rule. An internal form rule, f_i (i ∈ [1, n]), is represented as follows:

f_i : [a_i1, b_i1], [a_i2, b_i2], ..., [a_it, b_it], action_i.

The range values [a_ij, b_ij] (i ∈ [1, n], j ∈ [1, t]) represent the commonly used header fields: SrcIP, DesIP, SrcPort, DesPort, and protocol. Assume a packet P with header values (x_1, x_2, ..., x_t). If and only if (a_i1 ≤ x_1 ≤ b_i1) ∧ (a_i2 ≤ x_2 ≤ b_i2) ∧ ... ∧ (a_it ≤ x_t ≤ b_it), packet P matches f_i, and the action of rule f_i is performed on the packet P. For example, the first rule in Fig. 1 was transformed into the internal form rule shown in Fig. 2.

Figure 2. Example of an internal form rule

To verify the inclusion relations between every two rules by using the SMT solver Z3 and detect their anomalies, we represented the predicates of internal form rules as the logical formula shown in Fig. 3. The IPv6 address in an internal form rule is a very large integer; to analyze the IPv6 address, we split it into 8 small integers in the logical formula. The logical formula is the input of the SMT solver Z3.

Figure 3. Logical formula of the internal form rule shown in Fig. 2

III. INCLUSION RELATIONS OF IPV6 FIREWALL RULES

A. Inclusion Relations between Two Rules

When the number of key fields in a packet is n, the packet can be represented as a point in an n-dimensional space called the packet space. A rule f is represented as a subspace of the packet space called the rule space. It is denoted by the symbol P(f), which is the set of packets that match the rule f. We also define R(f_i, f_j) to represent the inclusion relation between the two rule spaces P(f_i) and P(f_j). According to set theory, the inclusion relation between the two sets P(f_i) and P(f_j), that is, R(f_i, f_j), can be classified into five kinds: Equal, Include, Inside, Disjoint and Overlap, shown in formula (1). To illustrate the inclusion relations of two rules, for simplicity, we suppose packets have two key fields, SrcIP and DesIP, and the two rules f_i and f_j consist only of the corresponding two predicates (SrcIP, DesIP). Fig. 4 shows an illustration of the five kinds of R(f_i, f_j) in the two-dimensional packet space.

(1)
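The internal form and the split into 8 integers described in Section II.B, as an added example (not the authors' prototype code, which calls Z3 through its C API). It assumes prefix predicates, for which the 128-bit range check is equivalent to eight per-group range checks; the helper names, the sample prefix and the SMT-LIB rendering are this example's own.

```python
import ipaddress

GROUPS = 8        # an IPv6 address is eight 16-bit groups
GROUP_BITS = 16


def prefix_to_range(prefix):
    """Internal form [a, b] of an IPv6 prefix predicate, as 128-bit integers."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def split_groups(value):
    """Split a 128-bit integer into eight 16-bit integers, most significant first."""
    return [(value >> (GROUP_BITS * (GROUPS - 1 - k))) & 0xFFFF
            for k in range(GROUPS)]


def group_bounds(prefix):
    """Per-group bounds (lo_k, hi_k) for a prefix predicate.

    A prefix range is aligned, so a <= x <= b holds exactly when every group
    x_k satisfies lo_k <= x_k <= hi_k. This is NOT true for an arbitrary
    range, which would need a lexicographic comparison over the groups.
    """
    a, b = prefix_to_range(prefix)
    return list(zip(split_groups(a), split_groups(b)))


def to_smtlib(name, bounds):
    """Render the per-group constraints as SMT-LIB 2 text (illustrative layout)."""
    lines = []
    for k, (lo, hi) in enumerate(bounds):
        lines.append(f"(declare-const {name}{k} Int)")
        lines.append(f"(assert (and (<= {lo} {name}{k}) (<= {name}{k} {hi})))")
    lines.append("(check-sat)")
    return "\n".join(lines)


def matches_groups(prefix, address):
    """Evaluate the eight per-group constraints for one concrete address."""
    x = split_groups(int(ipaddress.IPv6Address(address)))
    return all(lo <= xk <= hi for xk, (lo, hi) in zip(x, group_bounds(prefix)))


def matches_range(prefix, address):
    """Evaluate the single 128-bit range check a <= x <= b."""
    a, b = prefix_to_range(prefix)
    return a <= int(ipaddress.IPv6Address(address)) <= b


if __name__ == "__main__":
    # Constructed sample predicate from the documentation prefix 2001:db8::/32.
    sample = "2001:db8:ab00::/40"
    print(to_smtlib("src", group_bounds(sample)))
    for addr in ("2001:db8:ab12::1", "2001:db8:ac00::1"):
        print(addr, matches_groups(sample, addr), matches_range(sample, addr))
```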

B. Decision Method for Inclusion Relations of Rules

To decide the inclusion relation between two rules f_i and f_j, that is, R(f_i, f_j), we provide the decision algorithm shown in Fig. 5.

In line 4, we construct the logical formula S1 = P(f_i) ∧ P(f_j). The formula S1 checks whether the set of packets matching rule f_i intersects the set of packets matching f_j. If Z3's output for S1 is UNSATISFIABLE (UNSAT), the set of packets matching rule f_i has no intersection with the set of packets matching rule f_j. That is to say, R(f_i, f_j) is the Disjoint relation shown in formula (1).

If Z3's output for S1 is SATISFIABLE (SAT), R(f_i, f_j) cannot be the Disjoint relation, and a further decision is necessary. Therefore, we construct two more logical formulas, S2 = ¬P(f_i) ∧ P(f_j) and S3 = P(f_i) ∧ ¬P(f_j), shown in lines 9-10. The formula S2 checks whether the set of packets not matching rule f_i intersects the set of packets matching f_j. Similarly, the formula S3 checks whether the set of packets matching rule f_i intersects the set of packets not matching f_j. Then we use the SMT solver Z3 to verify them.

If Z3's output for S2 is UNSAT, the set of packets not matching rule f_i has no intersection with the set of packets matching rule f_j. That is to say, the relation P(f_i) ⊇ P(f_j) is satisfied, and R(f_i, f_j) can be decided as the Include relation shown in formula (1). Similarly, if Z3's output for S3 is UNSAT, the relation P(f_i) ⊆ P(f_j) is satisfied, and R(f_i, f_j) can be decided as the Inside relation. If S2 and S3 are both UNSAT, according to the following formula (2), the relation P(f_i) = P(f_j) is satisfied, and R(f_i, f_j) can be decided as the Equal relation. In summary, the kind of R(f_i, f_j) can be decided from Z3's outputs for the three logical formulas S1 to S3.

P(f_i) = P(f_j) if and only if P(f_i) ⊇ P(f_j) and P(f_i) ⊆ P(f_j)    (2)

Figure 4. Illustration of inclusion relations between two rules

Figure 5. Inclusion relation decision algorithm of two rules

IV. ANOMALIES DETECTION METHOD

A. Anomalies Classification of IPv6 Firewall Rules

Our anomaly classification was inspired by the works [4]-[5] and is also based on our previous works [18]-[19]. We classify the anomalies between every two rules as errors and warnings. An error occurs when the higher priority rule matches all the packets that match the lower priority rule, which causes the lower priority rule never to be executed. A warning occurs when the higher priority rule matches part of the packets that match the lower priority rule, which results in the lower priority rule only sometimes being executed. Given a pair of IPv6 rules (f_i, f_j) where f_i precedes f_j in execution, we classify errors and warnings into the following four kinds.

(1) Shadowing error: A shadowing error occurs when the lower priority rule f_j is never executed because the previous rule f_i matches all the packets that match the rule f_j. For example, the two rules shown in Fig. 6 differ in the prefix of DesIP; the second rule will never be executed because the first rule matches all the packets that match the second rule. In this case, the second rule is shadowed by the first rule, and it is never executed.

(2) Redundancy error: This error occurs when the lower priority rule f_j is never executed because the previous rule f_i prevents it from execution. A redundant rule unnecessarily increases the size of the rule set. Even if the redundant rules are removed, it will not cause any change. For example, if the actions of the two rules shown in Fig. 6 are the same, the second rule is redundant to the first rule.

(3) Generalization warning: This warning occurs when the lower priority rule f_j is executed only when the packets do not match the previous rule f_i. For example, the two rules shown in Fig. 7 exhibit a generalization warning.

(4) Correlation warning: In this case, the lower priority rule f_j is only executed when a certain range of the packets arrive. For example, the two rules shown in Fig. 8 exhibit a correlation warning, where their DesPort values overlap for certain ranges.

Figure 6. Shadowing error example

Figure 7. Generalization warning example

Figure 8. Correlation warning example

B. Algorithms of Anomalies Detection Method

We provide the anomaly detection algorithm for two IPv6 firewall rules in Fig. 9. A shadowing error occurs when the following condition is true, which is shown in line 6 of Fig. 9.

R(f_i, f_j) = Equal or Include, and f_i.action ≠ f_j.action

A redundancy error occurs when the following condition is true, which is shown in line 8 of Fig. 9.

R(f_i, f_j) = Equal or Include, and f_i.action = f_j.action

A generalization warning occurs when the following condition is true, which is shown in line 10 of Fig. 9.

R(f_i, f_j) = Inside, and f_i.action ≠ f_j.action

A correlation warning occurs when the following condition is true, which is shown in line 12 of Fig. 9.

R(f_i, f_j) = Overlap, and f_i.action ≠ f_j.action

Figure 9. Anomalies detection algorithm

V. IMPLEMENTATION AND EXPERIMENTS

Traditional rules usually identify and classify packets based on 5-tuples, that is, the source IP address, destination IP address, protocol, source port and destination port of the transport layer. Nevertheless, the author of classbenchv6 mentioned that some new fields appear in IPv6 that are not in IPv4, such as flow labels [21]. The flow label is defined as a 20-bit random number in RFC3697, which also specifies that a single data flow can be identified by the flow label in conjunction with the source address and destination address [22]. Therefore, flow labels may provide a new opportunity for the next generation of Internet stream identifiers. In fact, the flow label can be viewed as the sequence number that identifies each IPv6 firewall rule.

A. Prototype System

We implemented a prototype system to verify our proposed method. The prototype system was implemented in the C language. The experiments were performed on a computer equipped with an Intel Core i7-7700 CPU running at 3.6GHz and 8GB of RAM. We use classbenchv6 [20] to generate the IPv6 firewall policy used as the input of our prototype system.

In addition, we designed a visual interface for our prototype system using the Qt framework. Fig. 10 shows the architecture and the main functions of the prototype system. The dashed-line rectangle in Fig. 10 loops over every two rules until the whole IPv6 firewall policy has been checked. Fig. 11 shows the visual interface during execution of the prototype system. The scale in the anomaly detection results represents the number of rules. We use the flow label to identify each rule.

Figure 10. Architecture of the prototype system

Figure 11. Anomalies detection results of the prototype system
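The per-pair loop the prototype performs, written out as an added example (not the authors' C code): R(f_i, f_j) is decided from the satisfiability of S1, S2 and S3 as in Section III.B, then mapped to an anomaly with the conditions of Section IV.B. Satisfiability is decided here by direct range comparison instead of Z3, which is valid because every predicate is a non-empty range; the policy, flow labels and function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def rng(prefix):
    """Range [a, b] of an IPv6 prefix as 128-bit integers (internal form)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return (int(net.network_address), int(net.broadcast_address))


def relation(fi, fj):
    """Decide R(fi, fj) from the satisfiability of S1, S2 and S3."""
    pairs = list(zip(fi, fj))
    # S1 = P(fi) AND P(fj): SAT iff the ranges intersect in every field.
    s1 = all(max(a, c) <= min(b, d) for (a, b), (c, d) in pairs)
    if not s1:
        return "Disjoint"
    # S2 = NOT P(fi) AND P(fj): SAT iff some field of fj reaches outside fi.
    s2 = any(c < a or d > b for (a, b), (c, d) in pairs)
    # S3 = P(fi) AND NOT P(fj): SAT iff some field of fi reaches outside fj.
    s3 = any(a < c or b > d for (a, b), (c, d) in pairs)
    if not s2 and not s3:
        return "Equal"
    if not s2:
        return "Include"   # P(fi) is a superset of P(fj)
    if not s3:
        return "Inside"    # P(fi) is a subset of P(fj)
    return "Overlap"


def anomaly(rel, action_i, action_j):
    """Map an inclusion relation and two actions to one of the four anomalies."""
    same = action_i == action_j
    if rel in ("Equal", "Include"):
        return "redundancy error" if same else "shadowing error"
    if rel == "Inside" and not same:
        return "generalization warning"
    if rel == "Overlap" and not same:
        return "correlation warning"
    return None


def detect(policy):
    """Check every pair (fi, fj) with fi placed before fj in the policy."""
    findings = []
    for (li, fi, ai), (lj, fj, aj) in combinations(policy, 2):
        kind = anomaly(relation(fi, fj), ai, aj)
        if kind:
            findings.append((li, lj, kind))
    return findings


# Constructed policy: (flow label, [SrcIP, DesIP, SrcPort, DesPort, protocol], action)
ANY_PORT, TCP = (0, 65535), (6, 6)
POLICY = [
    ("@1001", [rng("2001:db8:1::/48"), rng("2001:db8:2::/48"), ANY_PORT, ANY_PORT, TCP], "deny"),
    ("@1002", [rng("2001:db8:1::/48"), rng("2001:db8:2:5::/64"), ANY_PORT, (80, 80), TCP], "accept"),
    ("@1003", [rng("2001:db8:3::/64"), rng("2001:db8:4::/48"), ANY_PORT, (1000, 2000), TCP], "accept"),
    ("@1004", [rng("2001:db8:3::/48"), rng("2001:db8:4::/48"), ANY_PORT, ANY_PORT, TCP], "deny"),
    ("@1005", [rng("2001:db8:3::/48"), rng("2001:db8:4::/48"), ANY_PORT, (1500, 3000), TCP], "deny"),
]

if __name__ == "__main__":
    for label_i, label_j, kind in detect(POLICY):
        print(f"{label_i} -> {label_j}: {kind}")
```

Because all pairs are compared, the loop is quadratic in the number of rules, which is the growth visible in the timing results of Section V.B.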

B. Experiment and Consideration

In this work, we performed the following two groups of experiments.

Group one: Each rule consists only of a flow label, two predicates (source IP address, destination IP address) and an action. We measured the time the prototype system took to detect all the anomalies between every two rules.

• Experiment 1: The number of rules ranged from 50 to 500, which is suitable for a medium sized firewall.
• Experiment 2: The number of rules ranged from 200 to 2000, which is suitable for a large sized firewall.

Group two: Each rule consists of a flow label, five predicates (source IP address, destination IP address, source port, destination port, protocol) and an action. We measured the time the prototype system took to detect all the anomalies between every two rules.

• Experiment 1: The number of rules ranged from 100 to 500, which is suitable for a medium sized firewall.
• Experiment 2: The number of rules ranged from 200 to 2000, which is suitable for a large sized firewall.

The experimental results are shown in Fig. 12 and Fig. 13. The time consumption includes the time for reading and combining every two rules, building SMT formulas, using Z3 to solve the logical formulas and deciding all the anomalies. The results in Fig. 12 show that when the number of rules ranged from 50 to 500, it took about 1 second to 120 seconds to detect and report all the anomalies. The results in Fig. 13 show that when the number of rules ranged from 200 to 2000, it took about 19 seconds to 1800 seconds to detect and report all the anomalies. Although the overall time consumption for anomaly detection increases with the number of rules, we have preliminarily implemented the analysis of IPv6 firewall policy and anomaly detection.

Figure 12. Time consumption for anomalies detection of medium scale rules

Figure 13. Time consumption for anomalies detection of large scale rules

VI. RELATED WORK

A. IPv4 Firewall Rules Anomalies Detection Works

Wool [3] recently inspected firewall policies collected from different organizations and indicated that all examined firewall policies have security flaws. Therefore, anomaly classification and discovery in IPv4 firewall rules have gained a lot of attention, and many related methods were proposed [4]-[10]. Al-Shaer and Hamed [4]-[5] classified the kinds of anomalies in detail and provided anomaly detection methods. Work [6] reported a comprehensive and in-depth study of automated firewall policy analysis for designing, configuring and managing distributed firewalls. It also provided methodologies, techniques, tools and case studies. Work [7] proposed a novel anomaly management framework that facilitates systematic detection and resolution of firewall policy anomalies. Work [8] designed an open source conflict resolution framework (a C application and a Linux firewall kernel module on top of Netfilter) that can be used as a constant independent system auditor, automatically detecting and resolving conflicts in firewall rules. Research [9] presented a series of algorithms and defined new data structures to process range fields with their boundary addresses. The algorithm based on new bit vectors can detect partial overlaps between multidimensional filters with arbitrary ranges. There is also some research on the comparison between global security policy and firewall policy [10]-[13]. The existing research on anomaly detection in IPv4 firewall rules is difficult to extend to IPv6 firewall rules, or has low effectiveness.

B. Anomalies Detection of IPv6 firewall rules

The research most similar to our work is the network anomaly detection tool ad6 [14], which can be used to analyze IPv6 networks with an emphasis on firewalls. The detected invariants include unreachable or shadowed rules, cycles, and cross path anomalies. The tool models firewalls and networks as a boolean satisfiability problem and uses a SAT solver for verification. In this work, we classify the anomalies differently from ad6, and our goal also differs from that of ad6. Their anomalies were designed for a distributed environment, but we want to detect the anomalies between every two rules in an individual IPv6 firewall policy.

C. Other Researches about IPv6 firewall rules

FaVe [15], a verification system for IPv6 enabled networks, proposes a solution for the integration of IPv6 firewalls into a formal verification framework based on the fast NetPlumber [16] engine. The modeling of the Linux ip6tables/netfilter firewall with dynamic support for extension header chains, as well as the modeling of a proxy based application layer gateway, deliver the elements necessary for a comprehensive verification of complex IPv6 networks. There is some research about rule matching algorithms in the IPv6 environment [17]-[18]. Work [17] combined the real number coding differential evolution algorithm with the traditional packet matching algorithm, and developed a new algorithm. When the algorithm is applied to an IPv6 network, packets can be forwarded at linear speed. Work [18] proposed a high performance rule matching algorithm suitable for IPv6, named HiPRM (High Performance Rule Matching). The above mentioned studies were not used for anomaly detection in IPv6 firewall rules.

VII. CONCLUSION AND FUTURE WORKS

In this paper, we have proposed a method that can analyze the huge IPv6 address space and detect the anomalies between every two rules in an individual IPv6 firewall policy. We first transform each rule into an internal form rule, and then construct logical formulas between every two rules. Finally, we use the SMT solver Z3 to verify them and then decide the anomalies. We also implemented a prototype system and did some experiments to show the time consumption of our proposed method.

Our future work includes optimization of our proposed method and visualization of the results. We also want to extend our method to detect the anomalies between an abstract security policy and actual IPv6 firewall rules, and to extend our method to other rule-based systems.

ACKNOWLEDGMENT

This research was supported by CERNET Innovation Project (No. NGII20170402), and also partially supported by National Natural Science Foundation of China (No. 61772279). This work was also partially supported by National Key Research Plan (Grant No. 2017YFC0840202) and Collaborative Innovation Center of Novel Software Technology and Industrialization, and also partially supported by National Project Grant (No. 315055101).

REFERENCES

[1] S. Deering and R. Hinden, “Internet Protocol Version 6 (IPv6) Specification”, RFC 2460, December 1998.
[2] A. Wool, “Firewall Configuration Errors Revisited”, IEEE Internet Computing, Vol. 14, No. 4, pp. 58-65, 2009.
[3] A. Wool, “Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese”, IEEE Internet Computing, Vol. 14, No. 4, pp. 58-65, 2010.
[4] E. Al-Shaer, H. Hamed, R. Boutaba, and M. Hasan, “Conflict classification and analysis of distributed firewall policies”, IEEE Journal on Selected Areas in Communication, Vol. 23, No. 10, pp. 2069-2084, 2005.
[5] H. Hamed, E. Al-Shaer, “Taxonomy of Conflicts in Network Security Policies”, IEEE Communications Magazine, Vol. 44, No. 3, pp. 134-141, 2006.
[6] E. Al-Shaer, “Automated Firewall Analytics Design, Configuration and Optimization”, Springer International Publishing, 2014.
[7] H. Hu, G.-J. Ahn, K. Kulkarni, “Detecting and resolving firewall policy anomalies”, IEEE Transactions on Dependable and Secure Computing, Vol. 9, No. 3, pp. 318–331, May 2012.
[8] A. Papagrigoriou, P. Petrakis, M. D. Grammatikakis, “A firewall module resolving rules consistency”, 13th Workshop on Intelligent Solutions in Embedded Systems, WISES 2017, pp. 47-50, June 12-13, 2017.
[9] C.Y. Lai, P.C. Wang, “Fast and complete conflict detection for packet classifiers”, IEEE Systems Journal, Vol. 11, No. 2, pp. 1137-1148, Dec. 2014.
[10] A. Saâdaoui, N.B.Y.B. Souayeh and A. Bouhoula, “Formal approach for managing firewall misconfigurations”, International Conference on Research Challenges in Information Science, 2014.
[11] A. Saâdaoui, S. Ben, N.B.Y.B. Souayeh, A. Bouhoula, “A new FDD-based method for distributed firewall misconfigurations resolution”, 14th European, Mediterranean, and Middle Eastern Conference, EMCIS, v 299, pp. 369-383, 2017.
[12] Y. Yin, X. Xu, N. Takahashi, “Verifying Consistency between Security Policy and Firewall Policy by Using a Constraint Satisfaction Problem Server”, 2011 International Conference on Future Wireless Networks and Information Systems, LNCS, vol. 144, pp. 135–145, Springer, Heidelberg, 2012.
[13] Yi Yin, Yuichiro Tateiwa, Yun Wang, Yoshiaki Katayama and Naohisa Takahashi, “An Inconsistency Detection Method for Security Policy and Firewall Policy Based on CSP Solver”, Proc. of ICCCS2017, Part II, LNCS 10603, pp. 147–161, Jun. 2017.
[14] C. Lorenz and B. Schnor, “Policy Anomaly Detection for Distributed IPv6 Firewalls”, in International Conference on Security and Cryptography (SECRYPT 2015), Colmar, France, 2015.
[15] C. Lorenz, S. Kiekheben, B. Schnor, “FaVe: Modeling IPv6 Firewalls for Fast Formal Verification”, International Conference on Networked Systems, NetSys 2017, April 18, Germany.
[16] P. Kazemian, M. Chan, H. Zeng, G. Varghese, N. McKeown, and S. Whyte, “Real Time Network Policy Checking Using Header Space Analysis”, in Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation, Lombard, IL, USA, April 2-5, 2013. USENIX Association, 2013, pp. 99–111.
[17] W.Z. Lin, Z.J. Wu, L. Yi, “High-Dimension Large-Scale Packet Matching Algorithm in IPv6”, Acta Electronica Sinica, Vol. 41, No. 11, Nov. 2013, pp. 2181-2186. (In Chinese)
[18] L.H. Pang, F. Jiang, “Research on High Performance Rule Matching Algorithm in IPv6 Networks”, Computer Science, Vol. 44, No. 3, Mar. 2017, pp. 158-162. (In Chinese)
[19] L. D. Moura, N. Bjorner, “Z3: An Efficient SMT Solver”, Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems, 2008, pp. 337-340.
[20] Q. Sun, X. Huang, W. Yang, X. Zhou, Y. Ma, and C. Wang, “ClassBenchv6: An IPv6 Packet Classification Benchmark”, GLOBECOM, page 1-6. IEEE, 2009.
[21] Q. Sun, “Research on the Packet Labeling and Lookup Technology in the Next Generation Internet”, doctoral thesis, School of Computer Science and Technology, Beijing University Of Posts and Telecommunications, May, 2010.
[22] J. Rajahalme, A. Conta, B. Carpenter and S. Deering, “IPv6 Flow Label Specification”, RFC3697, Mar. 2004.
