BWCTL (Bandwidth Test Control)

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

OWAMP March 10 th 2011, OSG All Hands Meeting, Network Performance Jason Zurawski – Internet2.
System Security Scanning and Discovery Chapter 14.
Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.
1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Installing Samba Vicki Insixiengmay Jonathan Krieger.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
2007/01/031 Bandwidth Test Controller Speaker : Po-Chou Chen Cheng-Lin Tsai Advisor : Quincy Wu Date : 2008/01/03.
BWCTL March 10 th 2011, OSG All Hands Meeting, Network Performance Jason Zurawski – Internet2.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
BWCTL August 9 th 2011, OSG Site Admin Workshop Jason Zurawski – Internet2 Research Liaison.
Chapter 6-2 the TCP/IP Layers. The four layers of the TCP/IP model are listed in Table 6-2. The layers are The four layers of the TCP/IP model are listed.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
OWAMP August 10 th 2010, OSG Site Admin Workshop - Network Performance Jason Zurawski, Internet2.
05-Apr-2006 OWAMP and BWCTL: Installation and Configuration Jeff Boote Network Performance Workshop.
10-Jun-2005 OWAMP and BWCTL: Installation and Configuration Jeff Boote Network Performance Workshop.
22-Sept-2005 Google Summer of Code Projects: Lightweight Precision Timestamps Jeff Boote.
10-Jun-2005 OWAMP (One-Way Active Measurement Protocol) Jeff Boote Network Performance Workshop.
FTP File Transfer Protocol Graeme Strachan. Agenda  An Overview  A Demonstration  An Activity.
ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.
Role Of Network IDS in Network Perimeter Defense.
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
Netprog: Client/Server Issues1 Issues in Client/Server Programming Refs: Chapter 27.
© 2002, Cisco Systems, Inc. All rights reserved..
14-Nov-07 OWAMP (One-Way Latencies) BWCTL (Bandwidth Test Control) Jeff Boote Network Performance Tools BOF-SC07.
10-Jun-05 BWCTL (Bandwidth Test Control) Jeff Boote Network Performance Workshop.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Connect communicate collaborate Performance Metrics & Basic Tools Robert Stoy, DFN EGI TF, Madrid September 2013.
BWCTL August 10 th 2010, OSG Site Admin Workshop - Network Performance Jason Zurawski, Internet2.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
1 Issues in Client/Server Refs: Chapter 27 Case Studies RFCs.
Chapter 19: Network Management
Chapter 9: Transport Layer
Instructor Materials Chapter 9: Transport Layer
Working at a Small-to-Medium Business or ISP – Chapter 8
Maintaining Windows Server 2008 File Services
BWCTL (Bandwidth Test Control)
Instructor Materials Chapter 9: Testing and Troubleshooting
Securing the Network Perimeter with ISA 2004
Outline Basics of network security Definitions Sample attacks
Module 4 Remote Login.
Chapter 2: System Structures
Radius, LDAP, Radius used in Authenticating Users
OWAMP (One-Way Active Measurement Protocol)
PPP – Point to Point Protocol
Introduction to SQL Server 2000 Security
Introduction to Operating System (OS)
Understand Networking Services
Introduction to Networking
Client-Server Interaction
Chapter 4: Access Control Lists (ACLs)
Packet Sniffing.
(bandwidth control) Jeff Boote Internet2
Nessus Vulnerability Scanning
CCNA 2 v3.1 Module 10 Intermediate TCP/IP
* Essential Network Security Book Slides.
OWAMP One-Way Active Measurement Protocol (Sample Implementation)
A Distributed DoS in Action
– Chapter 3 – Device Security (B)
Issues in Client/Server Programming
SSH – the practical solution
Introduction to Network Security
Chapter 2: Operating-System Structures
APACHE WEB SERVER.
Preventing Privilege Escalation
Outline Basics of network security Definitions Sample attacks
Presentation transcript:

BWCTL (Bandwidth Test Control) Jeff Boote (boote@internet2.edu) Network Performance Workshop Controls throughput or “bandwidth” tests. 10-Jun-05

What is it? A resource allocation and scheduling daemon for arbitration of iperf tests Bwctl controls the throughput tests by adding resource allocation and scheduling policy controls. 2005-Mar-22

Problem Statement Users want to verify available bandwidth from their site to another. Methodology Verify available bandwidth from each endpoint to points in the middle to determine problem area. This is arguably one of the best ways to determine if an application will work because it is doing the throughput test end-2-end exactly like the application would be doing it. 2005-Mar-22

Typical Solution Run “iperf” or similar tool on two endpoints and hosts on intermediate paths If NOC operators had a quarter for every time someone asked them to start an iperf server somewhere… 2005-Mar-22

Typical road blocks Need software on all test systems Need permissions on all systems involved (usually full shell accounts*) Need to coordinate testing with others * Need to run software on both sides with specified test parameters * (* BWCTL was designed to help with these) Basically, lots of administration. And the worst part is that there is no consistent policy taken for the amount of resources different users are allowed to use. BWCTL allows you to think about what policy you want and gives you a way to codify and enforce it uniformly. 2005-Mar-22

Implementation Applications Built upon protocol abstraction library bwctld daemon bwctl client Built upon protocol abstraction library Supports one-off applications Allows authentication/policy hooks to be incorporated The policy implementation is compile-time pluggable. 2005-Mar-22

Functionality (bwctl) bwctl client application makes requests to both endpoints of a test Communication can be “open”, “authenticated”, or “encrypted” (encrypted reserved for future use) Requests include a request for a time slot as well as a full parameterization of the test Third party requests If no server is available on the localhost, client handles test endpoint *Mostly* the same command line options as iperf (some options limited or not implemented.) The command like options are as similar to iperf as possible. Probably too much so. ;) 2005-Mar-22

Functionality (bwctld) bwctld on each test host Accepts requests for “iperf” tests including time slot and parameters for test Responds with a tentative reservation or a denied message Reservations by a client must be confirmed with a “start session” message Resource “Broker” Runs tests Both “sides” of test get results This is where the policy is implemented. Bwctld is a traditional accept/fork style daemon with the parent process also listening for resource requests from child processes. 2005-Mar-22

Scheduling A time slot is simply a time-dependant resource that needs to be allocated just like any other resource. It therefore follows the resource allocation model. bwctl scheduling currently only allows a single test to happen at a time. 2005-Mar-22

Resource Allocation (bwctld) Each connection is “classified” (authentication) Each classification is hierarchical and has an associated set of hierarchical limits: Connection policy (allow_open_mode) Bandwidth (allow_tcp,allow_udp,bandwidth) Scheduling (duration,event_horizon,pending) The parent bwctld keeps track of current resource utilization needed to implement policy. 2005-Mar-22

BWCTL: 3-party Interaction The master daemon on each server maintains the full schedule for that host. A request broker is forked off for each new client request. The peer agent is responsible for verifying the time offset between the servers, it is used as a protection against DoS attacks, and is also used to share the results of each test with the test peer. The client makes a request for an iperf test indicating the amount of time (duration) it wants, the earliest start time, and the latest time it is willing to accept. It makes this request to each server in sequence. Each server allocates the earliest time slot it is willing to give. The client then updates the request before asking for a matching timeslot from the other server. Either a matching timeslot will be open, or the scheduling algorithm will reach beyond the latest time the client or one of the servers is willing to schedule and the request will be denied. 2005-Mar-22

BWCTL: No Local Server This is essentially identical to the previous slide except the client implements the functionality of one of the servers. 2005-Mar-22

Iperf is the “tester” Well known – widely used Problems of integration Iperf server initialization (port number allocation) Iperf error conditions End of session No indication of partial progress (How full was the send buffer when the session was killed?) These problems will likely show up in your test results just as they do when you normally run iperf. The difference is that when you run iperf by hand and give up - typing cntrl-C you are not surprised when you don’t have results from the test. Specific difficulties for scheduling (UDP) Iperf doesn’t always send at requested rate Iperf sender hangs intermittently End of session is difficult to detect, which is problematic for a “scheduled” timeslot Iperf sometimes takes large amounts of time to finish Specific difficulties for scheduling (TCP) Large pipe to small pipe Launch a large window Test waits until completion Terminate test to remain within schedule No data to represent real problem Full mesh presents difficulties for window size selection (and other path specific characteristics) bwctl uses the peer to peer server connection to deduce a “reasonable” window If possible, path specific parameters should be dynamically configured 2005-Mar-22

General Requirements Iperf version 2.0 and 2.0.2 NTP (ntpd) synchronized clock on the local system Used for scheduling More important that errors are accurate than the clock itself Firewalls: Lots of ports for communication and testing End hosts must be tuned! http://www.psc.edu/networking/perf_tune.html http://www-didc.lbl.gov/TCP-tuning/buffers.html NTP may be a surprising requirement - but to schedule the tests without wasting too much time between tests requires a reasonable estimate for the accuracy of the local clock. 2005-Mar-22

Supported Systems FreeBSD 4.x, 5.x Linux 2.4, 2.6 (Most recent versions of UNIX should work) SunOS is likely in the future. 2005-Mar-22

Recommended Hardware Highly dependent upon the network tests Any system that can support an iperf test of a given intensity will be able to handle the additional burden of BWCTL To support 990 Mbps TCP flows on Abilene we use: Intel SCB2 motherboard 2 x 1.266 GHz PIII, 512 KB L2 cache, 133 MHz FSB 2 x 512 MB ECC registered RAM (one/slot to enable interleaving) 2 x Seagate 18 GB SCSI (ST318406LC) SysConnect Gigabit Ethernet SK-9843 SX See http://abilene.ucaid.edu/observatory/ for more information on the systems we use on Abilene. 2005-Mar-22

Policy/Security Considerations DoS source Imagine a large number of compromised BWCTLD servers being used to direct traffic DoS target Someone might attempt to affect statstics web pages to see how much impact they can have Resource consumption Time slots Network bandwidth DoS source: A compromised bwctld server could be used to send packets toward others. The implementation ensures that sessions can not be directed to random hosts in unauthenticated mode. (Only toward the BWCTL-control client.) DoS target: Packets directed toward an bwctld server can/will affect the results of the valid test traffic. Resource Consumption: bwctld has policy controls to allocate resources to appropriate users. 2005-Mar-22

Policy Recommendations Restrictive for UDP More liberal for TCP tests More liberal still for “peers” Protect AES keys! On Abilene we attempt to be as open as we can, until we can’t anymore. 2005-Mar-22

Availability http://e2epi.internet2.edu/bwctl/ Currently available Mail lists: bwctl-users@internet2.edu bwctl-announce@internet2.edu https://mail.internet2.edu/wws/lists/engineering http://e2epi.internet2.edu/bwctl/ 2005-Mar-22

The End. www.internet2.edu