BCrouter @ K.U.Leuven
K.U.LEUVEN – ICTI Netwerken
BCrouter: Overview
• How did it start...
• Main features
  • Authentication
  • Quota & Bandwidth
    • Examples of user & IP limiting
  • Exceptions
    • Examples
  • Routing
• Implementation overview
• Performance in real world
• Future plans
BCrouter: How did it start...
K.U.Leuven Kotnet project
• Connect K.U.Leuven and associated high school students/personnel to the campus network and Internet from their homes
• Possible user base: 70000 students, 10000 personnel
• Enhance possibility of study and research in an academic environment
• Low entrance fee and costs
  • University owned infrastructure
  • Cooperation with 3 commercial ISPs
• Used daily by >30000 different users
BCrouter: How did it start...
Performance problems in 2003
• Login/quota core system maxed out with Cisco 7500 routers
• More flexibility needed for bandwidth & quota enforcement
Redesign from scratch
Basic requirements
• No anonymous access to the Internet → Network authentication
• Each user is only allowed X Gigabytes/month of traffic → Network quota enforcement
• Prevent a few users from consuming all bandwidth → Network bandwidth regulation
Extra requirements
• Only K.U.Leuven users can access the K.U.Leuven network → User group differentiation
BCrouter: Authentication
All users must authenticate before using the network
• Browsers are automatically redirected to the login webpage
• Powerful exceptions possible
  • E.g. software update website, educational sites
Clients need no extra software or configuration
• HTTPS capable web browser
Quarantine system (in development)
• If a user is administratively blocked → Automatically restrict network access
BCrouter: Quota & Bandwidth
Both user and IP based (at the same time)
Real-time quota check
Every user and IP can have its own individual settings
• E.g. personal vs. lab PC, limited guest accounts...
Throttle bandwidth if a user and/or IP generates too much traffic
• A user and/or IP is never blocked from the network (real-time ‘small band’)
• If a user and/or IP on ‘small band’ stops downloading for a few minutes, the user can immediately use a limited amount of traffic again at normal speed
Powerful exceptions possible
BCrouter: Quota & Bandwidth
‘Leaky Token Bucket’ principle
• Imagine a bucket of water, filled at the top and drained at the bottom…
• Only packets containing a token can pass the router
[Diagram: POLICER token bucket. Tokens enter at MeanFillRate; the bucket holds at most TokenBucketMaxSize tokens (current level: TokenBucketSize); network packets leave at CurrentRate (0…BurstRate), each carrying a token.]
BCrouter: Quota & Bandwidth
Normal case: 1 token = 1 byte on the network
Configurable options per bucket
• TokenBucket maximum size
  • Max. number of tokens the bucket can contain
  • Equivalent to ‘quota’ in bytes
• Mean fill rate
  • Number of tokens/sec entering the bucket (= constant)
  • Equivalent to ‘refill speed’ of quota
• Burst rate
  • Max. tokens/sec that can be extracted from the bucket
  • Equivalent to ‘maximum speed’ in bytes/sec
BCrouter: Quota & Bandwidth
‘Simple’ bucket has several major drawbacks
BCrouter enhanced policing algorithm
• Track individual flows
  • Prevent connection starvation by distributing individual bandwidth across individual flows
• Take average packet size of each flow into account
  • Bulk traffic (e.g. downloads) is affected first
  • Prioritize interactive traffic (e.g. ssh, irc, msn)
• Dynamic regulation of individual bandwidth based on specific criteria
  • E.g. prevent network saturation by automatically reducing maximum individual bandwidth
• Avoid retransmits by dynamically adjusting TCP window size (in development)
  • Minimize overhead on the network due to policing
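The slide above only names the ingredients of the enhanced policer (track flows, look at average packet size, hit bulk first, starve nobody). The following is an added example written for this page, not BCrouter's kernel code: one way to split a user's per-tick byte budget across tracked flows so that small-packet interactive flows are served first and large-packet bulk flows absorb the shortfall, while every flow is still guaranteed an equal share of the budget. The EWMA for the average packet size, the per-tick budget model, the `Flow`/`allocate` names and the constructed traffic in `demo()` are all assumptions.

```python
"""Added example: flow-aware division of one user's bandwidth (not BCrouter code).

Assumptions: the policer hands the scheduler a byte budget per tick (e.g. the
user's token allowance for that second), each flow's average packet size is an
EWMA, and flows are served in ascending average packet size.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    """A tracked flow; only the state the scheduler needs is kept."""
    name: str
    avg_pkt: float = 0.0   # running average packet size in bytes
    queued: int = 0        # bytes waiting to be forwarded this tick
    seen: int = 0          # packets observed so far

    def observe(self, pkt_len: int) -> None:
        """Account one queued packet and update the EWMA of its size (weight 1/8)."""
        self.seen += 1
        if self.seen == 1:
            self.avg_pkt = float(pkt_len)
        else:
            self.avg_pkt = 0.875 * self.avg_pkt + 0.125 * pkt_len
        self.queued += pkt_len


def allocate(budget: float, flows: list) -> dict:
    """Split this tick's byte budget across flows; returns {flow name: bytes granted}.

    Flows are visited in ascending average packet size, so interactive traffic
    (ssh, irc, msn: small packets) is satisfied first and bulk transfers take the
    cut. Each flow may use at most an equal share of what is still unallocated,
    so every flow is guaranteed min(demand, budget / len(flows)) bytes: no
    connection starves, however greedy the downloads are.
    """
    grants = {}
    remaining = float(budget)
    order = sorted(flows, key=lambda f: f.avg_pkt)
    for i, f in enumerate(order):
        share = remaining / (len(order) - i)   # equal share of what is left
        grant = min(f.queued, share)
        grants[f.name] = grant
        remaining -= grant
    return grants


def demo() -> dict:
    """Constructed traffic: two interactive flows and two downloads share 10 KB."""
    ssh, irc, dl1, dl2 = Flow("ssh"), Flow("irc"), Flow("dl1"), Flow("dl2")
    for _ in range(10):
        ssh.observe(80)      # 800 B queued, avg 80 B
    for _ in range(5):
        irc.observe(100)     # 500 B queued, avg 100 B
    for _ in range(20):
        dl1.observe(1500)    # 30 000 B queued, avg 1500 B
    for _ in range(25):
        dl2.observe(1400)    # 35 000 B queued, avg 1400 B
    return allocate(10_000, [dl1, ssh, dl2, irc])


if __name__ == "__main__":
    print(demo())
```

With the constructed input, ssh and irc get their full 800 and 500 bytes and the two downloads share the remaining 8700 bytes equally; had the interactive flows been absent, each download would simply have received 5000.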
BCrouter: Quota & Bandwidth
Conceptual packet flow (both user & IP)
• Independent buckets for user and IP
• Independent buckets for upload and download
[Diagram: a packet is first classified as download or upload (“Down/Up load?”), then passes the User POLICER for that direction (Up or Down bucket) and the IP POLICER for that direction (Up or Down bucket).]
BCrouter: User & IP limiting
Example 1
Assign user:
• Quota of 1 Gigabyte
• Refill the quota at a rate of 1 Gigabyte/month
• Maximum speed: unlimited
Assign IP:
• Quota of 10 Mbytes
• Refill the quota at a rate of 5 Kilobytes/second
• Maximum speed: 20 Kilobytes/second
Result:
• User settings determine the maximum volume a user can download each month
• IP settings limit the ‘real-time’ bandwidth usage
BCrouter: User & IP limiting
Example 2
Assign user:
• Unlimited quota
• Maximum speed: 50 Kilobytes/second
Assign IP:
• Quota of 10 Mbytes
• Refill the quota at a rate of 5 Kilobytes/second
• Maximum speed: 20 Kilobytes/second
Result:
• If a user logs in multiple times, the sum of all logins cannot exceed the maximum user speed. The speed is divided across the hosts that are logged in.
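The token bucket slides (maximum size, mean fill rate, burst rate) and the two limiting examples above describe one mechanism, so a single added example serves both. It is a simulation written for this page, not BCrouter's kernel code: a `TokenBucket` with the three slide parameters, a `Policer` that charges every packet to both the user's and the IP's bucket (one such policer per direction), and `example1()`/`example2()` replaying the two slides. Assumptions: 1-second ticks, 1500-byte packets, a 30-day month for the 1 GB/month refill, and hosts that send flat out in round-robin order.

```python
"""Added example (not BCrouter code): leaky token bucket policing of user and IP.

Assumptions: 1 token = 1 byte, time advances in 1-second ticks, every packet is
PKT bytes, a month is 30 days, and hosts send as fast as the policer allows.
"""
import math
from dataclasses import dataclass, field

INF = math.inf
MONTH = 30 * 24 * 3600   # seconds (assumed)
PKT = 1500               # bytes per packet (assumed)


@dataclass
class TokenBucket:
    """The three per-bucket options from the slides."""
    max_size: float     # TokenBucketMaxSize: quota in bytes
    fill_rate: float    # MeanFillRate: bytes added per second, constant
    burst_rate: float   # BurstRate: max bytes extractable per second
    tokens: float = field(init=False, default=0.0)
    allowance: float = field(init=False, default=0.0)  # bytes still allowed this second

    def __post_init__(self):
        self.tokens = self.max_size   # bucket starts full

    def tick(self):
        """One second passes: refill (never above max_size), then cap this second's draw."""
        self.tokens = min(self.max_size, self.tokens + self.fill_rate)
        self.allowance = min(self.tokens, self.burst_rate)

    def can(self, nbytes):
        return nbytes <= self.allowance

    def take(self, nbytes):
        self.tokens -= nbytes
        self.allowance -= nbytes


class Policer:
    """One direction (say download). Upload is a second, independent Policer
    with its own buckets, as on the 'conceptual packet flow' slide."""

    def __init__(self):
        self.users, self.ips = {}, {}

    def tick(self):
        for b in (*self.users.values(), *self.ips.values()):
            b.tick()

    def forward(self, user, ip, nbytes):
        """Pass only if BOTH buckets can pay, then charge both. A refused packet is
        not a block: the host is on 'small band' until tokens accumulate again."""
        ub, ib = self.users[user], self.ips[ip]
        if ub.can(nbytes) and ib.can(nbytes):
            ub.take(nbytes)
            ib.take(nbytes)
            return True
        return False


def simulate(policer, user, hosts, phases):
    """phases: [(seconds, sending)]. While sending, hosts take turns sending one
    packet each until refused. Returns bytes forwarded per host per second.
    Terminates because every IP bucket here has a finite burst rate."""
    out = {h: [] for h in hosts}
    for seconds, sending in phases:
        for _ in range(seconds):
            policer.tick()
            sent = dict.fromkeys(hosts, 0)
            active = list(hosts) if sending else []
            while active:
                for h in list(active):
                    if policer.forward(user, h, PKT):
                        sent[h] += PKT
                    else:
                        active.remove(h)
            for h in hosts:
                out[h].append(sent[h])
    return out


def example1():
    """Example 1: user 1 GB quota refilled at 1 GB/month, unlimited speed;
    IP 10 MB quota, 5 KB/s refill, 20 KB/s max. One host downloads for 700 s,
    idles 120 s, then downloads 10 s more. Returns bytes per second."""
    p = Policer()
    p.users["alice"] = TokenBucket(1e9, 1e9 / MONTH, INF)
    p.ips["10.0.0.1"] = TokenBucket(10e6, 5000, 20000)
    return simulate(p, "alice", ["10.0.0.1"],
                    [(700, True), (120, False), (10, True)])["10.0.0.1"]


def example2():
    """Example 2: user unlimited quota, 50 KB/s max; three hosts logged in as that
    user, each with the Example 1 IP settings, all sending in the same second."""
    p = Policer()
    p.users["bob"] = TokenBucket(INF, INF, 50000)
    hosts = ["10.0.0.2", "10.0.0.3", "10.0.0.4"]
    for h in hosts:
        p.ips[h] = TokenBucket(10e6, 5000, 20000)
    return {h: v[0] for h, v in simulate(p, "bob", hosts, [(1, True)]).items()}


if __name__ == "__main__":
    r = example1()
    print("ex1 first second:", r[0], "small band avg:", sum(r[690:700]) / 10,
          "after idle:", r[820])
    print("ex2 per host:", example2())
```

In Example 1 the host runs at the IP's 20 KB/s burst rate (13 full packets, 19500 B/s) until the 10 MB IP bucket is empty after roughly 690 s, then drops to the 5 KB/s refill rate: that is 'small band', not a block. Two idle minutes refill 600 KB, which is enough to download at full speed again for a while. In Example 2 each of the three hosts could take 19.5 KB/s from its own IP bucket, but the shared 50 KB/s user bucket only covers 33 packets, so they end up with 16.5 KB/s each.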
BCrouter: Exceptions
Exception flags
• IP speed limit
• User speed limit
• IP accounting
• User accounting
• No login required
Exceptions can be made for hosts or even entire networks (both local and/or Internet)
BCrouter: Exceptions
Quota/bandwidth exception examples
Default:
• Login required
• Accounting to both user and local IP
• Obey both user and local IP speed limits
Local host A does not have to log in to access the Internet, but still uses IP quota and speed settings
• E.g. embedded devices that can’t log in and need network access
Traffic from Internet host B is always possible from any local host and is never accounted, but local host IP speed limits are obeyed
• E.g. website with security patches
Any combination of exception flags is possible in either direction for any host/network
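The two exception examples above (host A, host B) and the default policy can be expressed as a small flag evaluation. The following is an added example written for this page, not BCrouter code: an exception table keyed on the local or the Internet side of a packet, longest-prefix matching of hosts and networks, and a decision that also covers the login redirect from the Authentication slide. The flag names, the table layout, the "exempt from" reading of each flag, the longest-prefix rule, the 198.51.100.0/24 entry and the rule that only plain HTTP (port 80) is redirected to the login page are assumptions.

```python
"""Added example (not BCrouter code): per-host/per-network exception flags.

Assumptions: each flag exempts matching traffic from one default control, the
most specific prefix on each side wins, and the flags of the local-side match
and the Internet-side match are combined.
"""
import ipaddress
from dataclasses import dataclass
from enum import Flag


class Ex(Flag):
    NONE = 0
    IP_SPEED = 1      # do not apply the local IP's speed limit
    USER_SPEED = 2    # do not apply the user's speed limit
    IP_ACCT = 4       # do not account traffic to the local IP's quota
    USER_ACCT = 8     # do not account traffic to the user's quota
    NO_LOGIN = 16     # no login required


# Constructed table: (side the prefix is matched against, prefix, flags).
# "local" matches the campus-side address, "remote" the Internet-side one.
EXCEPTIONS = [
    ("local", "10.1.2.3/32", Ex.NO_LOGIN),                                  # host A: embedded device
    ("remote", "203.0.113.10/32", Ex.NO_LOGIN | Ex.IP_ACCT | Ex.USER_ACCT),  # host B: patch website
    ("remote", "198.51.100.0/24", Ex.USER_ACCT),                            # assumed: educational network
]
_TABLE = [(side, ipaddress.ip_network(p), fl) for side, p, fl in EXCEPTIONS]


def flags_for(side, addr):
    """Flags of the most specific (longest prefix) entry for this side; Ex.NONE if none."""
    ip = ipaddress.ip_address(addr)
    best = None
    for s, net, fl in _TABLE:
        if s == side and ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, fl)
    return best[1] if best else Ex.NONE


@dataclass
class Decision:
    action: str            # "forward", "redirect_login" or "drop"
    login_required: bool
    account_ip: bool
    account_user: bool     # only meaningful when a user is logged in
    limit_ip_speed: bool
    limit_user_speed: bool


def decide(local_ip, remote_ip, logged_in, dst_port=None):
    """Apply the defaults (login, account to both, obey both speed limits) to
    whatever the combined flags do not exempt. The same entries govern upload
    and download, so no direction argument is needed."""
    fl = flags_for("local", local_ip) | flags_for("remote", remote_ip)
    login_required = Ex.NO_LOGIN not in fl
    if login_required and not logged_in:
        # Browsers are sent to the login page; other traffic is dropped
        # (assumption: only plain HTTP on port 80 is redirected).
        action = "redirect_login" if dst_port == 80 else "drop"
    else:
        action = "forward"
    return Decision(action, login_required,
                    account_ip=Ex.IP_ACCT not in fl,
                    account_user=Ex.USER_ACCT not in fl,
                    limit_ip_speed=Ex.IP_SPEED not in fl,
                    limit_user_speed=Ex.USER_SPEED not in fl)


if __name__ == "__main__":
    print(decide("10.1.2.3", "192.0.2.7", logged_in=False, dst_port=443))   # host A
    print(decide("10.1.9.9", "203.0.113.10", logged_in=False, dst_port=80)) # host B
    print(decide("10.1.9.9", "192.0.2.7", logged_in=False, dst_port=80))    # default
```

Host A (local 10.1.2.3) is forwarded without login but still accounted to its IP and speed-limited; any local host reaching host B (203.0.113.10) is forwarded without login or accounting while both speed limits stay in force; a host with no matching entry that has not logged in is redirected (HTTP) or dropped (everything else).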
BCrouter: Routing
DHCP helper
• Allow forwarding of DHCP broadcasts to the DHCP server
DHCP auto logout (in development)
• If no DHCP renew packets arrive within the DHCP renew interval, log the user out automatically → covers users who forget to log out
User group based routing
• Different routing tables for each user group and user status
• E.g. normal user, quarantined user, visitor…
BCrouter: Implementation
BCrouter is a GNU/Linux software project
Kernel-space
• Netfilter framework module ipt_bcrouter
• Iptables target BCROUTER
• Requires a 2.6 kernel
• All processing is done entirely in kernel-space
  • No need for slow kernel/user context switches
  • High performance kernel-space only network logging
User-space
• BCrouter daemon providing networked command access
  • Get/Set User/IP bucket configuration and status
  • Login/logout
  • Network configuration
  • User group configuration
• DHCP-fwd for forwarding DHCP broadcasts
BCrouter: Performance
In use for more than 2 years on Kotnet
• >45099 users in BCrouter database
• >113420 IP addresses in BCrouter database
• >500 Mbit/s bandwidth peak (30 min average)
• >140 network segments (140 VLANs)
1 active server (with hot standby)
• Dual Xeon 3.2 GHz, 1 Gigabyte RAM
• Debian Linux (2.6 kernel)
Peak CPU load: 45% CPU total
• 85% Linux general routing code
• 15% BCrouter code
430 Mbytes RAM in use for the entire system
BCrouter: Future
Campus network-in-a-box
• Provide modular open-source solution
  • BCrouter core element
  • Simple web based user frontend
    • User authentication
    • Individual login and network usage statistics
  • Log processing backend
    • Process and store all historical network/user info
  • Helpdesk & Management website
    • Diagnose and troubleshoot network problems
    • Adjust and configure network settings
Present status
• Further development of the BCrouter core element
• Design of a high performance log processing backend
BCrouter: Summary
BCrouter provides
• Network authentication
• User & IP quota enforcement
• User & IP bandwidth management
BCrouter is a GNU/Linux Netfilter kernel module
BCrouter future: Campus network-in-a-box
More information: [email protected]