K.U.LEUVEN – ICTI Netwerken – BCrouter: presentation transcript
K.U.Leuven

K.U.LEUVEN – ICTI Netwerken BCrouter: Overview
- How did it start...
- Main features
  - Authentication
  - Quota & Bandwidth
  - Examples of user & IP limiting
  - Exceptions
  - Examples
  - Routing
- Implementation overview
- Performance in the real world
- Future plans

K.U.LEUVEN – ICTI Netwerken BCrouter: How did it start...
- K.U.Leuven Kotnet project
  - Connect K.U.Leuven and associated high school students/personnel to the campus network and the Internet from their homes
  - Possible user base: students, personnel
  - Enhance the possibility of study and research in an academic environment
  - Low entrance fee and costs
  - University-owned infrastructure
  - Cooperation with 3 commercial ISPs
  - Used daily by >30000 different users

K.U.LEUVEN – ICTI Netwerken BCrouter: How did it start...
- Performance problems in 2003
  - Login/quota core system maxed out with Cisco 7500 routers
  - More flexibility needed for bandwidth & quota enforcement
  - Redesign from scratch
- Basic requirements
  - No anonymous access to the Internet → Network authentication
  - Each user is only allowed X Gigabytes/month of traffic → Network quota enforcement
  - Prevent a few users from consuming all the bandwidth → Network bandwidth regulation
- Extra requirements
  - Only K.U.Leuven users can access the K.U.Leuven network → User group differentiation

K.U.LEUVEN – ICTI Netwerken BCrouter: Authentication
- All users must authenticate before using the network
  - Browsers are automatically redirected to the login webpage
  - Powerful exceptions possible, e.g. software update websites, educational sites
- Clients need no extra software or configuration
  - Only an HTTPS-capable web browser
- Quarantine system (in development)
  - If a user is administratively blocked → automatically restrict network access

K.U.LEUVEN – ICTI Netwerken BCrouter: Quota & Bandwidth
- Both user and IP based (at the same time)
- Real-time quota check
- Every user and IP can have its own individual settings
  - E.g. personal vs. lab PC, limited guest accounts...
- Throttle bandwidth if a user and/or IP generates too much traffic
  - A user and/or IP is never blocked from the network (real-time 'small band')
  - If a user and/or IP on 'small band' stops downloading for a few minutes, the user can immediately use a limited amount of traffic again at normal speed
- Powerful exceptions possible

K.U.LEUVEN – ICTI Netwerken BCrouter: Quota & Bandwidth
- 'Leaky Token Bucket' principle
  - Imagine a bucket of water, filled at the top and drained at the bottom…
  - Only packets containing a token can pass the router
- [Diagram: POLICER with a TokenBucket labelled MeanFillRate, TokenBucketMaxSize, TokenBucketSize and Tokens; CurrentRate (0…BurstRate); network packets]

K.U.LEUVEN – ICTI Netwerken BCrouter: Quota & Bandwidth
- Normal case: 1 token = 1 byte on the network
- Configurable options per bucket
  - TokenBucket maximum size: max. number of tokens the bucket can contain; equivalent to the 'quota' in bytes
  - Mean fill rate: number of tokens/sec entering the bucket (constant); equivalent to the 'refill speed' of the quota
  - Burst rate: max. tokens/sec that can be extracted from the bucket; equivalent to the 'maximum speed' in bytes/sec

K.U.LEUVEN – ICTI Netwerken BCrouter: Quota & Bandwidth
- A 'simple' bucket has several major drawbacks
- BCrouter enhanced policing algorithm
  - Track individual flows
    - Prevent connection starvation by distributing the individual bandwidth across individual flows
    - Take the average packet size of each flow into account
      - Bulk traffic (e.g. downloads) is affected first
      - Prioritize interactive traffic (e.g. ssh, irc, msn)
  - Dynamic regulation of individual bandwidth based on specific criteria
    - E.g. prevent network saturation by automatically reducing the maximum individual bandwidth
  - Avoid retransmits by dynamically adjusting the TCP window size (in development)
  - Minimize overhead on the network due to policing

K.U.LEUVEN – ICTI Netwerken BCrouter: Quota & Bandwidth
- Conceptual packet flow (both user & IP)
  - Independent buckets for user and IP
  - Independent buckets for upload and download
- [Diagram: each packet is classified as download or upload, then passes the User POLICER (Up/Down buckets) and the IP POLICER (Up/Down buckets)]

K.U.LEUVEN – ICTI Netwerken BCrouter: User & IP limiting
- Example 1:
  - Assign user:
    - Quota of 1 Gigabyte
    - Refill the quota at a rate of 1 Gigabyte/month
    - Maximum speed: unlimited
  - Assign IP:
    - Quota of 10 Mbytes
    - Refill the quota at a rate of 5 Kilobytes/second
    - Maximum speed: 20 Kilobytes/sec
  - Result:
    - The user settings determine the maximum volume a user can download each month
    - The IP settings limit the 'real-time' bandwidth usage

K.U.LEUVEN – ICTI Netwerken BCrouter: User & IP limiting
- Example 2:
  - Assign user:
    - Unlimited quota
    - Maximum speed: 50 Kilobytes/second
  - Assign IP:
    - Quota of 10 Mbytes
    - Refill the quota at a rate of 5 Kilobytes/second
    - Maximum speed: 20 Kilobytes/sec
  - Result:
    - If a user logs in multiple times, the sum of all logins cannot exceed the maximum user speed
    - The speed is divided across the hosts that are logged in
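Added example, not code from the slides or from the BCrouter project: a small Python model of the per-user and per-IP token buckets described on the Quota & Bandwidth slides (max size, mean fill rate, burst rate; independent buckets per user, per IP and per direction), run with the parameter sets of Example 1 and Example 2 above. The speed limit is modelled as a second, one-second allowance refilled at the burst rate; the user/host names, IP addresses, 30-day month and round-robin packet scheduling are assumptions made for the simulation.

```python
MONTH = 30 * 86400  # assumed month length in seconds, for "refill 1 GB/month"
class TokenBucket:
    """Leaky token bucket with 1 token = 1 byte; None for max_size or burst_rate means unlimited."""
    def __init__(self, max_size, fill_rate, burst_rate, now):
        self.max_size, self.fill_rate, self.burst_rate, self.last = max_size, fill_rate, burst_rate, now
        self.tokens = max_size or 0.0          # quota bucket starts full
        self.burst_tokens = burst_rate or 0.0  # one second's worth of "maximum speed"
    def can_take(self, n, now):
        dt, self.last = max(0.0, now - self.last), now
        if self.max_size is not None:    # quota refills at the constant mean fill rate, capped at max size
            self.tokens = min(self.max_size, self.tokens + self.fill_rate * dt)
        if self.burst_rate is not None:  # speed allowance refills at the burst rate, capped at 1 s worth
            self.burst_tokens = min(self.burst_rate, self.burst_tokens + self.burst_rate * dt)
        return (self.max_size is None or self.tokens >= n) and (self.burst_rate is None or self.burst_tokens >= n)
    def take(self, n):
        if self.max_size is not None: self.tokens -= n
        if self.burst_rate is not None: self.burst_tokens -= n

class Policer:
    """cfg maps (kind, key) -> (max_size, fill_rate, burst_rate); buckets are per user, per IP and per direction."""
    def __init__(self, cfg):
        self.cfg, self.buckets = cfg, {}
    def admit(self, user, ip, direction, nbytes, now):
        """Pass only if both the user's and the IP's bucket have tokens; check all before draining any."""
        buckets = [self.buckets.setdefault((k, key, direction), TokenBucket(*self.cfg[(k, key)], now))
                   for k, key in (("user", user), ("ip", ip))]
        if not all(b.can_take(nbytes, now) for b in buckets):
            return False
        for b in buckets:
            b.take(nbytes)
        return True

def run_example(user_cfg, ip_cfg, hosts, seconds, offered_pps=100, pkt=1000):
    """All hosts are logged in as one user; each offers offered_pps downloads/s, served round-robin.
    Returns, per second, the bytes that passed per host (assumed scheduling, not BCrouter's)."""
    p = Policer({("user", "u"): user_cfg, **{("ip", h): ip_cfg for h in hosts}})
    result = []
    for t in range(1, seconds + 1):
        passed = dict.fromkeys(hosts, 0)
        for _ in range(offered_pps):
            for h in hosts:
                if p.admit("u", h, "down", pkt, float(t)):
                    passed[h] += pkt
        result.append(passed)
    return result

# Slide Example 1: user 1 GB quota refilled at 1 GB/month, no user speed limit; IP 10 MB, 5 KB/s refill, 20 KB/s max
EXAMPLE1 = ((1_000_000_000, 1_000_000_000 / MONTH, None), (10_000_000, 5_000, 20_000))
# Slide Example 2: unlimited user quota with a 50 KB/s user speed limit; same IP settings, logged in from 3 hosts
EXAMPLE2 = ((None, 0.0, 50_000), (10_000_000, 5_000, 20_000))
```

With Example 1 the host runs at the 20 KB/s IP speed limit until the 10 MB IP quota is drained (net drain 15 KB/s, so after about 11 minutes) and then drops to the 5 KB/s refill rate, the 'small band' of the earlier slide; with Example 2 three hosts together never exceed the 50 KB/s user limit while each stays under its own 20 KB/s.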

K.U.LEUVEN – ICTI Netwerken BCrouter: Exceptions
- Exception flags
  - IP speed limit
  - User speed limit
  - IP accounting
  - User accounting
  - No login required
- Exceptions can be made for hosts or even entire networks (both local and/or Internet)

K.U.LEUVEN – ICTI Netwerken BCrouter: Exceptions
- Quota/bandwidth exception examples:
  - Default: login required; accounting to both user and local IP; obey both user and local IP speed limits
  - Local host A does not have to log in to access the Internet, but still uses the IP quota and speed settings
    - E.g. embedded devices that can't log in and need network access
  - Traffic from Internet host B is always possible from any local host and is never accounted, but local host IP speed limits are obeyed
    - E.g. a website with security patches
- Any combination of exception flags is possible in either direction for any host/network

K.U.LEUVEN – ICTI Netwerken BCrouter: Routing
- DHCP helper
  - Allow forwarding of DHCP broadcasts to the DHCP server
- DHCP auto logout (in development)
  - If no DHCP renew packets arrive within the DHCP renew interval, log the user out automatically → covers the case where a user forgets to log out
- User group based routing
  - Different routing tables for each user group and user status
  - E.g. normal user, quarantined user, visitor…

K.U.LEUVEN – ICTI Netwerken BCrouter: Implementation
- BCrouter is a GNU/Linux software project
- Kernel-space
  - Netfilter framework module ipt_bcrouter
  - Iptables target BCROUTER
  - Requires a 2.6 kernel
  - All processing is done entirely in kernel-space
    - No need for slow kernel/user context switches
  - High performance kernel-space only network logging
- User-space
  - BCrouter daemon providing networked command access
    - Get/Set User/IP bucket configuration and status
    - Login/logout
    - Network configuration
    - User group configuration
  - DHCP-fwd for forwarding DHCP broadcasts

K.U.LEUVEN – ICTI Netwerken BCrouter: Performance
- In use for more than 2 years on Kotnet
  - >45099 users in the BCrouter database
  - > IP addresses in the BCrouter database
  - >500 Mbit/s bandwidth peak (30 min average)
  - >140 network segments (140 VLANs)
- 1 active server (with hot standby)
  - Dual Xeon 3.2 GHz, 1 Gigabyte RAM
  - Debian Linux (2.6 kernel)
- Peak CPU load: 45% CPU total
  - 85% Linux general routing code
  - 15% BCrouter code
- 430 Mbytes RAM in use for the entire system

K.U.LEUVEN – ICTI Netwerken BCrouter: Future
- Campus network-in-a-box
  - Provide a modular open-source solution
    - BCrouter core element
    - Simple web based user frontend: user authentication; individual login and network usage statistics
    - Log processing backend: process and store all historical network/user info
    - Helpdesk & management website: diagnose and troubleshoot network problems; adjust and configure network settings
- Present status
  - Further development of the BCrouter core element
  - Design of a high performance log processing backend

K.U.LEUVEN – ICTI Netwerken BCrouter: Summary
- BCrouter provides
  - Network authentication
  - User & IP quota enforcement
  - User & IP bandwidth management
- BCrouter is a GNU/Linux Netfilter kernel module
- BCrouter future: Campus network-in-a-box
- More information: