BCrouter
@ K.U.Leuven
BCrouter: Overview
How did it start...
Main features
Authentication
Quota & Bandwidth
• Examples of user & IP limiting
Exceptions
• Examples
Routing
Implementation overview
Performance in real world
Future plans
K.U.LEUVEN – ICTI Netwerken
BCrouter: How did it start...
K.U.Leuven Kotnet project
Connect K.U.Leuven and associated high school
students/personnel to the campus network and
Internet from their homes
• Possible user base 70000 students, 10000 personnel
Enhance possibility of study and research in an
academic environment
Low entrance fee and costs
• University owned infrastructure
• Cooperation with 3 commercial ISPs
Used daily by >30000 different users
BCrouter: How did it start...
Performance problems in 2003
Login/quota core system maxed out with Cisco 7500 routers
More flexibility needed for bandwidth & quota enforcement
Redesign from scratch
Basic requirements
• No anonymous access to the Internet
→ Network authentication
• Each user is only allowed X Gigabytes/month traffic
→ Network quota enforcement
• Prevent that a few users consume all bandwidth
→ Network bandwidth regulation
Extra requirements
• Only K.U.Leuven users can access K.U.Leuven network
→ User group differentiation
BCrouter: Authentication
All users must authenticate before using the
network
Browsers automatically redirected to login webpage
Powerful exceptions possible
• E.g. software update website, educational sites
Clients need no extra software or configuration
HTTPS-capable web browser
Quarantine system (in development)
If user administratively blocked
→ Automatically restrict network access
BCrouter: Quota & Bandwidth
Both user- and IP-based (simultaneously)
Real-time quota check
Every user and IP can have its own individual settings
Throttle bandwidth if a user and/or IP generates too much traffic
• E.g. personal vs. lab PC, limited guest accounts...
A user and/or IP is never blocked from the network: once the quota is spent, traffic continues in real time at a reduced rate ('small band')
If a user and/or IP on 'small band' stops downloading for a few minutes, a limited amount of traffic is immediately available again at normal speed
Powerful exceptions possible
BCrouter: Quota & Bandwidth
‘Leaky Token Bucket’ principle
Imagine a bucket of water, filled at the top and drained at the bottom…
Only packets containing a token can pass the router
[Diagram: Tokens enter the TokenBucket at MeanFillRate; the TokenBucketSize is capped at TokenBucketMaxSize; network packets leave through the POLICER at CurrentRate (0…BurstRate)]
BCrouter: Quota & Bandwidth
Normal case: 1 token = 1 byte on the network
Configurable options per bucket
TokenBucket maximum size
• Max. number of tokens the bucket can contain
• Equivalent to ‘quota’ in bytes
Mean fill rate
• Number of tokens/sec entering the bucket (constant)
• Equivalent to ‘refill speed’ of the quota
Burst rate
• Max. tokens/sec that can be extracted from the bucket
• Equivalent to ‘maximum speed’ in bytes/sec
BCrouter: Quota & Bandwidth
‘Simple’ bucket has several major drawbacks
BCrouter enhanced policing algorithm
Track individual flows
• Prevent connection starvation by distributing individual
bandwidth across individual flows
Take the average packet size of each flow into account
• Bulk traffic (e.g. downloads) is affected first
• Prioritize interactive traffic (e.g. ssh, irc, msn)
Dynamic regulation of individual bandwidth based on specific
criteria
• E.g. Prevent network saturation by automatically reducing
maximum individual bandwidth
Avoid retransmits by dynamically adjusting TCP Window Size (in
development)
• Minimize overhead on the network due to policing
BCrouter: Quota & Bandwidth
Conceptual packet flow (both user & IP)
Independent buckets for user and IP
Independent buckets for upload and download
[Diagram: each packet is first classified as download or upload, then passes the User POLICER and the IP POLICER of that direction: User Down → IP Down, or User Up → IP Up]
BCrouter: User & IP limiting
Example 1:
Assign user:
• Quota of 1 Gigabyte
• Refill the quota at a rate of 1 Gigabyte/month
• Maximum speed: unlimited
Assign IP:
• Quota of 10 Mbytes
• Refill the quota at a rate of 5 Kilobytes/second
• Maximum speed: 20 Kilobytes/second
Result:
• User settings to determine the maximum volume a user can
download each month
• IP settings to limit the ‘real-time’ bandwidth usage
BCrouter: User & IP limiting
Example 2:
Assign user:
• Unlimited quota
• Maximum speed: 50 Kilobytes/second
Assign IP:
• Quota of 10 Mbytes
• Refill the quota at a rate of 5 Kilobytes/second
• Maximum speed: 20 Kilobytes/second
Result:
• If a user logs in multiple times, the sum of all logins
cannot exceed the maximum user speed. The speed is
divided across the hosts that are logged in.
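The token bucket of the ‘Leaky Token Bucket’ slides and the combined user/IP policing of Examples 1 and 2, worked through in code. This is an added illustration in user-space C, not BCrouter's kernel module or any code from the project; the bucket layout, the one-second tick model, the "starts full" initial state, the use of INFINITY for "unlimited", and the even split of a user's allowance across its logged-in hosts are all assumptions. The load (one PC pulling 100 KB/s; three PCs logged in as one user) is constructed.

```c
#include <math.h>   /* INFINITY marks an unlimited quota or speed */
#include <stdio.h>

/* One token bucket, 1 token = 1 byte, with the three per-bucket options of the slides. */
typedef struct {
    double max_size;   /* TokenBucketMaxSize: quota in bytes */
    double fill_rate;  /* MeanFillRate: bytes/s added at a constant rate */
    double burst_rate; /* BurstRate: max bytes/s extracted (maximum speed) */
    double tokens;     /* current level */
    double avail;      /* bytes still extractable in the current tick */
} bucket_t;

static bucket_t bucket_new(double max_size, double fill_rate, double burst_rate)
{
    bucket_t b = { max_size, fill_rate, burst_rate, max_size, 0 }; /* starts full (assumption) */
    return b;
}

/* Advance one tick of dt seconds: refill at the mean rate, cap at the quota, then compute what
 * this tick may extract. An empty bucket still yields fill_rate*dt: "small band", never blocked. */
static void bucket_tick(bucket_t *b, double dt)
{
    b->tokens += b->fill_rate * dt;
    if (b->tokens > b->max_size)
        b->tokens = b->max_size;
    b->avail = b->burst_rate * dt;
    if (b->tokens < b->avail)
        b->avail = b->tokens;
}

static void bucket_take(bucket_t *b, double n) { b->tokens -= n; b->avail -= n; }

/* One host in one direction (download or upload): its own IP bucket and the
 * load it offers. The user bucket is shared by every host of that user. */
typedef struct {
    bucket_t ip;
    double demand;  /* bytes/s the host tries to move */
    double passed;  /* bytes passed in the last tick */
} host_t;

/* One policing tick for all hosts of one user in one direction. A byte passes only if both
 * the user bucket and the host's IP bucket have a token for it. The user's allowance is split
 * evenly over the hosts still waiting, leftover rolling on (assumed policy; slides say "divided"). */
static double police_tick(bucket_t *user, host_t *hosts, int nhosts, double dt)
{
    double total = 0;
    bucket_tick(user, dt);
    for (int i = 0; i < nhosts; i++)
        bucket_tick(&hosts[i].ip, dt);
    for (int i = 0; i < nhosts; i++) {
        double pass = hosts[i].demand * dt;
        double share = user->avail / (nhosts - i);
        if (pass > share) pass = share;
        if (pass > hosts[i].ip.avail) pass = hosts[i].ip.avail;
        bucket_take(user, pass);
        bucket_take(&hosts[i].ip, pass);
        hosts[i].passed = pass;
        total += pass;
    }
    return total;
}

/* Example 1 of the slides: user quota 1 GB refilled at 1 GB/month, speed unlimited; IP quota
 * 10 MB refilled at 5 KB/s, max 20 KB/s (1 K = 1000). Constructed load: one PC downloading at
 * 100 KB/s for `busy` seconds, idle for `idle` seconds, then one more busy second. Returns the
 * bytes passed in that final second; *total (if non-NULL) receives the bytes passed overall. */
static double example1(int busy, int idle, double *total)
{
    bucket_t user = bucket_new(1e9, 1e9 / (30.0 * 86400.0), INFINITY);
    host_t pc = { bucket_new(10e6, 5000, 20000), 100000, 0 };
    double t = 0;
    for (int s = 0; s < busy; s++)
        t += police_tick(&user, &pc, 1, 1.0);
    pc.demand = 0;
    for (int s = 0; s < idle; s++)
        police_tick(&user, &pc, 1, 1.0);
    pc.demand = 100000;
    t += police_tick(&user, &pc, 1, 1.0);
    if (total) *total = t;
    return pc.passed;
}

/* Example 2 of the slides: unlimited user quota, user speed 50 KB/s, and `n` (at most 8) hosts
 * logged in as that user with the IP settings above, all wanting 100 KB/s. Returns one second's total. */
static double example2(int n)
{
    bucket_t user = bucket_new(INFINITY, 0, 50000);
    host_t hosts[8];
    if (n > 8) n = 8;
    for (int i = 0; i < n; i++) { host_t h = { bucket_new(10e6, 5000, 20000), 100000, 0 }; hosts[i] = h; }
    return police_tick(&user, hosts, n, 1.0);
}

int main(void)
{
    printf("second 666: %.0f B/s (IP quota almost spent)\n", example1(665, 0, NULL));
    printf("second 767: %.0f B/s (small band = refill rate)\n", example1(766, 0, NULL));
    printf("after 2 min idle: %.0f B/s at normal speed again\n", example1(766, 120, NULL));
    printf("3 logins on one user: %.0f B/s in total, not 3 x 20000\n", example2(3));
    return 0;
}
```

With these numbers the IP bucket delivers the full 20 KB/s for 666 seconds, drops to the 5 KB/s refill rate once the 10 MB quota is spent (the host keeps flowing, just slowly), and after two idle minutes has 600 KB back, enough for 20 KB/s again for roughly 40 seconds. In the Example 2 run each of the three IPs alone would be allowed 20 KB/s, but the shared user bucket caps their sum at 50 KB/s.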
BCrouter: Exceptions
Exception flags
IP speed limit
User speed limit
IP accounting
User accounting
No login required
Exceptions can be made for hosts or even
entire networks (both local and/or internet)
BCrouter: Exceptions
Quota/bandwidth exceptions examples:
Default:
• Login required
• Accounting to both user and local IP
• Obey both user and local IP speed limits
Local host A does not have to login to access the Internet, but
still uses IP quota and speed settings
• E.g. Embedded devices that can’t login and need network
access
Traffic from Internet host B is always possible from any local
host and is never accounted, but local host IP speed limits are
obeyed
• E.g. Website with security patches
Any combination of exception flags is possible in either
direction for any host/network
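The exception flags above as a policy lookup, written here as an added C example (not BCrouter's own code, which keeps this in its Netfilter module). Each table entry names the checks it waives for a local or an internet prefix; a packet starts with all five checks, the most specific matching entry on each side is applied, and the result is the same in either direction. The table itself, the RFC 5737 documentation addresses in it, and the reading that Internet host B keeps only the local IP speed limit are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* The five exception flags of the slides, expressed as the checks a packet is
 * subject to. The default is all five; an exception entry WAIVES some of them. */
enum {
    LOGIN_REQUIRED  = 1 << 0,
    USER_ACCOUNTING = 1 << 1,
    IP_ACCOUNTING   = 1 << 2,
    USER_SPEED      = 1 << 3,
    IP_SPEED        = 1 << 4,
    ALL_CHECKS      = 0x1f
};

enum side { LOCAL, REMOTE };  /* which end of the packet the prefix describes */

typedef struct {
    enum side side;
    uint32_t  net;     /* IPv4 network address, host byte order */
    int       prefix;  /* prefix length 0..32; 32 = single host */
    unsigned  waive;   /* checks this entry switches off */
} exception_t;

/* Dotted-quad IPv4 to host byte order; 0 on malformed input (assumed convention). */
static uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || (a | b | c | d) > 255)
        return 0;
    return (uint32_t)a << 24 | b << 16 | c << 8 | d;
}

static int in_prefix(uint32_t addr, uint32_t net, int prefix)
{
    uint32_t mask = prefix <= 0 ? 0 : 0xffffffffu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* Longest-prefix match on one side of the table: the waived checks of the most
 * specific matching entry, or 0 (nothing waived) when no entry matches. */
static unsigned waived_for(const exception_t *tab, int n, enum side side, uint32_t addr)
{
    int best = -1;
    unsigned w = 0;
    for (int i = 0; i < n; i++) {
        if (tab[i].side != side || !in_prefix(addr, tab[i].net, tab[i].prefix))
            continue;
        if (tab[i].prefix > best) {
            best = tab[i].prefix;
            w = tab[i].waive;
        }
    }
    return w;
}

/* Effective checks for a packet between a local and a remote host, in either
 * direction: the default minus what the local match and the remote match waive. */
static unsigned policy_for(const exception_t *tab, int n, uint32_t local, uint32_t remote)
{
    return ALL_CHECKS & ~waived_for(tab, n, LOCAL, local)
                      & ~waived_for(tab, n, REMOTE, remote);
}

/* Must this packet be answered with the login redirect instead of forwarded? */
static int needs_login(unsigned checks, int user_logged_in)
{
    return (checks & LOGIN_REQUIRED) && !user_logged_in;
}

/* Constructed table mirroring the slide examples (RFC 5737 documentation
 * addresses, not real K.U.Leuven or vendor addresses):
 *  - local host A, an embedded device, may skip the login and nothing else;
 *  - internet network B, a security-patch site, needs no login and is never
 *    accounted; only the local IP speed limit still applies (assumed reading);
 *  - one host inside B is carved back out to the default, so the /32 wins over the /24. */
static const exception_t TABLE[] = {
    { LOCAL,  0xC000020Au, 32, LOGIN_REQUIRED },                                  /* 192.0.2.10/32   */
    { REMOTE, 0xCB007100u, 24, LOGIN_REQUIRED | USER_ACCOUNTING | IP_ACCOUNTING | USER_SPEED }, /* 203.0.113.0/24 */
    { REMOTE, 0xCB0071C8u, 32, 0 },                                               /* 203.0.113.200/32 */
};
#define NTABLE ((int)(sizeof TABLE / sizeof TABLE[0]))

/* Lookup against the constructed table by dotted-quad strings. */
static unsigned checks(const char *local, const char *remote)
{
    return policy_for(TABLE, NTABLE, ip4(local), ip4(remote));
}

int main(void)
{
    printf("default           : 0x%02x\n", checks("192.0.2.50", "198.51.100.1"));  /* 0x1f */
    printf("host A, no login  : 0x%02x\n", checks("192.0.2.10", "198.51.100.1"));  /* 0x1e */
    printf("patch site B      : 0x%02x\n", checks("192.0.2.50", "203.0.113.7"));   /* 0x10 */
    printf("carved-out B host : 0x%02x\n", checks("192.0.2.50", "203.0.113.200")); /* 0x1f */
    printf("A needs login? %d\n", needs_login(checks("192.0.2.10", "198.51.100.1"), 0));
    return 0;
}
```

Because the two sides are matched independently and combined with AND-NOT, a packet from host A to site B ends up with only the IP speed check, exactly the "any combination ... in either direction" the slides describe; a real deployment would key the table by user group as well, which this example leaves out.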
BCrouter: Routing
DHCP helper
• Allow forwarding of DHCP broadcasts to the DHCP server
DHCP auto logout (in development)
• If no DHCP renew packets arrive within the DHCP renew interval, log the user out automatically
→ Covers users who forget to log out
User group based routing
• Different routing tables for each user group and user status
• E.g. normal user, quarantined user, visitor…
BCrouter: Implementation
BCrouter is a GNU/Linux software project
Kernel-space
• Netfilter framework module ipt_bcrouter
• Iptables target BCROUTER
• Requires 2.6 kernel
• All processing is done entirely in kernel-space
• No need for slow kernel/user context switches
• High performance kernel-space only network logging
User-space
• BCrouter daemon providing networked command access
• Get/Set User/IP bucket configuration and status
• Login/logout
• Network configuration
• User group configuration
• DHCP-fwd for forwarding DHCP broadcasts
BCrouter: Performance
In use for more than 2 years on Kotnet
1 active server (with hot standby)
>45099 users in BCrouter database
>113420 IP addresses in BCrouter database
>500 Mbit/s bandwidth peak (30 min average)
>140 network segments (140 VLANs)
Dual Xeon 3.2 GHz
1 Gigabyte RAM
Debian Linux (2.6 kernel)
Peak CPU load
45% CPU total
• 85% of that in Linux general routing code
• 15% of that in BCrouter code
430 Mbytes RAM in use for the entire system
BCrouter: Future
Campus network-in-a-box
Provide modular open-source solution
• BCrouter core element
• Simple web based User frontend
• User authentication
• Individual login and network usage statistics
• Log processing backend
• Process and store all historical network/user info
• Helpdesk & Management website
• Diagnose and troubleshoot network problems
• Adjust and configure network settings
Present status
Further development of the BCrouter core element
Design of a high-performance log processing backend
BCrouter: Summary
BCrouter provides
• Network authentication
• User & IP quota enforcement
• User & IP bandwidth management
BCrouter is
• GNU/Linux Netfilter kernel module
BCrouter future
• Campus network-in-a-box
More information: [email protected]