Slide 1: BCrouter @ K.U.Leuven
Slide 2: K.U.LEUVEN – ICTI Netwerken – BCrouter: Overview
- How did it start...
- Main features
  - Authentication
  - Quota & Bandwidth
    - Examples of user & IP limiting
  - Exceptions
    - Examples
  - Routing
- Implementation overview
- Performance in the real world
- Future plans
Slide 3: BCrouter: How did it start...
- K.U.Leuven Kotnet project
  - Connect K.U.Leuven and associated high school students/personnel to the campus network and the Internet from their homes
  - Possible user base: 70000 students, 10000 personnel
  - Enhance the possibility of study and research in an academic environment
  - Low entrance fee and costs
    - University owned infrastructure
    - Cooperation with 3 commercial ISPs
  - Used daily by >30000 different users
Slide 4: BCrouter: How did it start...
- Performance problems in 2003
  - Login/quota core system maxed out with Cisco 7500 routers
  - More flexibility needed for bandwidth & quota enforcement
  - Redesign from scratch
- Basic requirements
  - No anonymous access to the Internet → Network authentication
  - Each user is only allowed X Gigabytes/month of traffic → Network quota enforcement
  - Prevent a few users from consuming all bandwidth → Network bandwidth regulation
- Extra requirements
  - Only K.U.Leuven users can access the K.U.Leuven network → User group differentiation
Slide 5: BCrouter: Authentication
- All users must authenticate before using the network
  - Browsers are automatically redirected to the login webpage
  - Powerful exceptions possible, e.g. software update website, educational sites
- Clients need no extra software or configuration
  - HTTPS capable web browser
- Quarantine system (in development)
  - If a user is administratively blocked → Automatically restrict network access
Slide 6: BCrouter: Quota & Bandwidth
- Both user and IP based (at the same time)
- Real-time quota check
- Every user and IP can have its own individual settings
  - E.g. personal vs. lab PC, limited guest accounts...
- Throttle bandwidth if a user and/or IP generates too much traffic
  - A user and/or IP is never blocked from the network (real-time 'small band')
  - If a user and/or IP on 'small band' stops downloading for a few minutes, the user can immediately use a limited amount of traffic again at normal speed
- Powerful exceptions possible
Slide 7: BCrouter: Quota & Bandwidth
- 'Leaky Token Bucket' principle
  - Imagine a bucket of water, filled at the top and drained at the bottom...
  - Only packets containing a token can pass the router
[Diagram: POLICER with the labels MeanFillRate, TokenBucketMaxSize, CurrentRate (0…BurstRate), TokenBucketSize, TokenBucket, Tokens, Network packets]
Slide 8: BCrouter: Quota & Bandwidth
- Normal case: 1 token = 1 byte on the network
- Configurable options per bucket
  - TokenBucket maximum size: max. number of tokens the bucket can contain; equivalent to the 'quota' in bytes
  - Mean fill rate: number of tokens/sec entering the bucket (constant); equivalent to the 'refill speed' of the quota
  - Burst rate: max. tokens/sec that can be extracted from the bucket; equivalent to the 'maximum speed' in bytes
Slide 9: BCrouter: Quota & Bandwidth
- A 'simple' bucket has several major drawbacks
- BCrouter enhanced policing algorithm
  - Track individual flows
    - Prevent connection starvation by distributing individual bandwidth across individual flows
    - Take the average packet size of each flow into account: bulk traffic (e.g. downloads) is affected first; interactive traffic (e.g. ssh, irc, msn) is prioritized
  - Dynamic regulation of individual bandwidth based on specific criteria
    - E.g. prevent network saturation by automatically reducing the maximum individual bandwidth
    - Avoid retransmits by dynamically adjusting the TCP window size (in development)
  - Minimize overhead on the network due to policing
Slide 10: BCrouter: Quota & Bandwidth
- Conceptual packet flow (both user & IP)
  - Independent buckets for user and IP
  - Independent buckets for upload and download
[Diagram: a packet is classified as download or upload, then passes both the User POLICER (Up/Down buckets) and the IP POLICER (Up/Down buckets)]
Slide 11: BCrouter: User & IP limiting
- Example 1
  - Assign user: quota of 1 Gigabyte; refill the quota at a rate of 1 Gigabyte/month; maximum speed: unlimited
  - Assign IP: quota of 10 Mbytes; refill the quota at a rate of 5 Kilobytes/second; maximum speed: 20 Kilobytes/sec
  - Result: the user settings determine the maximum volume a user can download each month; the IP settings limit the 'real-time' bandwidth usage
Slide 12: BCrouter: User & IP limiting
- Example 2
  - Assign user: unlimited quota; maximum speed: 50 Kilobytes/second
  - Assign IP: quota of 10 Mbytes; refill the quota at a rate of 5 Kilobytes/second; maximum speed: 20 Kilobytes/sec
  - Result: if a user logs in multiple times, the sum of all logins cannot exceed the maximum user speed; the speed is divided across the hosts that are logged in
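The token bucket principle (slides 7 and 8), the user/IP packet flow (slide 10) and the two limiting examples (slides 11 and 12) as one added, runnable C model. This is not BCrouter's code (the kernel module itself is not on this page); it is a user-space simulation written for this edit. Assumptions: the 'burst rate' is enforced with a second, one-second-deep rate bucket next to the quota bucket; 'unlimited speed' is burst rate 0 and 'unlimited quota' is modelled as a huge bucket; the traffic is constructed (13 download packets of 1500 bytes per second per host); and hosts sharing one user bucket are served round-robin, which is a simplification of the per-flow distribution described on slide 9.

```c
#include <stdbool.h>
#include <stdio.h>

/* One 'leaky token bucket' as on the slides; 1 token = 1 byte on the network. */
typedef struct {
    double max_size;     /* TokenBucketMaxSize: the quota, in bytes */
    double fill_rate;    /* MeanFillRate: bytes added per second, constant */
    double burst_rate;   /* BurstRate: max bytes drained per second; 0.0 = unlimited */
    double tokens;       /* TokenBucketSize: bytes available right now */
    double rate_tokens;  /* assumption: a second, one-second-deep bucket that enforces burst_rate */
    double last;         /* time of the last refill, in seconds */
} bucket_t;

static void bucket_init(bucket_t *b, double max_size, double fill_rate, double burst_rate) {
    b->max_size = max_size; b->fill_rate = fill_rate; b->burst_rate = burst_rate;
    b->tokens = max_size;         /* a fresh user or IP starts with a full quota */
    b->rate_tokens = burst_rate;  /* one second of burst credit */
    b->last = 0.0;
}

/* 'Filled at the top': add fill_rate * elapsed tokens, never beyond the bucket size. */
static void bucket_refill(bucket_t *b, double now) {
    double dt = now > b->last ? now - b->last : 0.0;
    b->tokens += dt * b->fill_rate;
    if (b->tokens > b->max_size) b->tokens = b->max_size;
    if (b->burst_rate > 0.0) {
        b->rate_tokens += dt * b->burst_rate;
        if (b->rate_tokens > b->burst_rate) b->rate_tokens = b->burst_rate;
    }
    b->last = now;
}

/* May a packet of 'bytes' bytes pass now? Refills first, consumes nothing. */
static bool bucket_can(bucket_t *b, double bytes, double now) {
    bucket_refill(b, now);
    if (b->tokens < bytes) return false;                              /* quota used up: fill rate only */
    if (b->burst_rate > 0.0 && b->rate_tokens < bytes) return false;  /* above the maximum speed */
    return true;
}

/* 'Drained at the bottom': the packet takes its tokens with it onto the network. */
static void bucket_consume(bucket_t *b, double bytes) {
    b->tokens -= bytes;
    if (b->burst_rate > 0.0) b->rate_tokens -= bytes;
}

typedef enum { DIR_UP = 0, DIR_DOWN = 1 } dir_t;
typedef struct { bucket_t dir[2]; } policer_t;  /* independent upload and download buckets */
static void policer_init(policer_t *p, double quota, double fill_rate, double max_speed) {
    bucket_init(&p->dir[DIR_UP], quota, fill_rate, max_speed);
    bucket_init(&p->dir[DIR_DOWN], quota, fill_rate, max_speed);
}

/* Conceptual packet flow: a packet passes only if both the user's and the IP's bucket for that
   direction have tokens; the tokens are taken from both buckets or from neither. */
static bool policer_pass(policer_t *user, policer_t *ip, dir_t d, double bytes, double now) {
    bucket_t *ub = &user->dir[d], *ib = &ip->dir[d];
    if (!bucket_can(ub, bytes, now) || !bucket_can(ib, bytes, now)) return false;
    bucket_consume(ub, bytes);
    bucket_consume(ib, bytes);
    return true;
}

#define MB    (1000.0 * 1000.0)
#define GB    (1000.0 * MB)
#define MONTH (30.0 * 24.0 * 3600.0)
#define PKT   1500.0  /* constructed traffic: every download packet is 1500 bytes */

/* Example 1: one host offering 13 packets (19.5 KB) every second. Returns the bytes that
   passed during seconds [from, from + len). */
static double example1_passed(int from, int len) {
    policer_t user, ip;
    policer_init(&user, 1.0 * GB, 1.0 * GB / MONTH, 0.0);  /* 1 GB quota, 1 GB/month refill, unlimited speed */
    policer_init(&ip, 10.0 * MB, 5000.0, 20000.0);        /* 10 MB quota, 5 KB/s refill, 20 KB/s max speed */
    double passed = 0.0;
    for (int sec = 0; sec < from + len; sec++)
        for (int k = 0; k < 13; k++)
            if (policer_pass(&user, &ip, DIR_DOWN, PKT, (double)sec) && sec >= from) passed += PKT;
    return passed;
}

/* Example 2: the same user logged in on 'hosts' PCs (1..4), each offering 13 packets per second,
   served round-robin. Returns the bytes that pass in one steady-state second. */
static double example2_passed_per_second(int hosts) {
    policer_t user, ip[4];
    policer_init(&user, 1e18, 0.0, 50000.0);  /* assumption: 'unlimited quota' modelled as a huge bucket */
    for (int h = 0; h < hosts; h++) policer_init(&ip[h], 10.0 * MB, 5000.0, 20000.0);
    double passed = 0.0;
    for (int sec = 0; sec < 6; sec++)
        for (int k = 0; k < 13; k++)
            for (int h = 0; h < hosts; h++)
                if (policer_pass(&user, &ip[h], DIR_DOWN, PKT, (double)sec) && sec == 5) passed += PKT;
    return passed;
}

int main(void) {
    printf("example 1: %.0f bytes in seconds 0-99, %.0f bytes in seconds 800-899\n",
           example1_passed(0, 100), example1_passed(800, 100));
    return 0;
}
```

In example 1 the host first gets its full 20 KB/s, but the IP's 10 MB quota drains at 20 - 5 = 15 KB/s, so after roughly 11 minutes the host drops to the 5 KB/s refill rate ('small band') without ever being blocked; if it pauses for a few minutes the quota bucket refills and normal speed returns, exactly the behaviour slide 6 describes. In example 2 two hosts get their 20 KB/s each, but three hosts together are capped by the user's 50 KB/s bucket.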
Slide 13: BCrouter: Exceptions
- Exception flags
  - IP speed limit
  - User speed limit
  - IP accounting
  - User accounting
  - No login required
- Exceptions can be made for hosts or even entire networks (both local and/or Internet)
Slide 14: BCrouter: Exceptions
- Quota/bandwidth exception examples
  - Default: login required; accounting to both user and local IP; obey both user and local IP speed limits
  - Local host A does not have to log in to access the Internet, but still uses the IP quota and speed settings; e.g. embedded devices that can't log in and need network access
  - Traffic from Internet host B is always possible from any local host and is never accounted, but local host IP speed limits are obeyed; e.g. a website with security patches
- Any combination of exception flags is possible in either direction for any host/network
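The exception flags of slide 13 and the three cases on this slide as an added C example written for this edit; it is not BCrouter's own code. Assumed here: exceptions are stored per host or network with a prefix length and resolved by longest-prefix match on each side; the local and remote flags are OR'ed, so an exception on either side lifts the rule and applies in both directions; and the sample tables (local host A, a constructed lab network with one excluded host, Internet network B) use RFC 1918 / RFC 5737 addresses, not K.U.Leuven ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The five exception flags from the slides; a set bit switches that rule OFF for matching traffic. */
enum {
    EXC_IP_SPEED_LIMIT   = 1u << 0,  /* do not apply the local IP's maximum speed */
    EXC_USER_SPEED_LIMIT = 1u << 1,  /* do not apply the user's maximum speed */
    EXC_IP_ACCOUNTING    = 1u << 2,  /* do not count the bytes against the local IP quota */
    EXC_USER_ACCOUNTING  = 1u << 3,  /* do not count the bytes against the user quota */
    EXC_NO_LOGIN         = 1u << 4   /* traffic is allowed without authentication */
};

/* One exception entry: a host (/32) or an entire network (shorter prefix). */
typedef struct { uint32_t addr; unsigned prefix_len; uint32_t flags; } exception_t;

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define COUNT(t) (sizeof (t) / sizeof (t)[0])

/* Constructed sample tables (RFC 1918 / RFC 5737 ranges, not K.U.Leuven addresses). */
static const exception_t local_exceptions[] = {
    { IP(10, 0, 5, 20), 32, EXC_NO_LOGIN },  /* local host A: embedded device that cannot log in */
    { IP(10, 0, 9, 0),  24, EXC_NO_LOGIN },  /* a whole lab network gets the same treatment... */
    { IP(10, 0, 9, 1),  32, 0 },             /* ...except one host in it, which must log in */
};
static const exception_t remote_exceptions[] = {
    /* Internet network B (security patches): reachable without login, never accounted,
       only the local IP speed limit still applies */
    { IP(198, 51, 100, 0), 24, EXC_NO_LOGIN | EXC_IP_ACCOUNTING | EXC_USER_ACCOUNTING | EXC_USER_SPEED_LIMIT },
};

static uint32_t prefix_mask(unsigned len) {
    return len == 0 ? 0u : 0xFFFFFFFFu << (32 - len);
}

/* Longest-prefix match: the most specific matching entry decides; no match means no exception. */
static uint32_t lookup(const exception_t *table, size_t n, uint32_t addr) {
    int best = -1;
    uint32_t flags = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = prefix_mask(table[i].prefix_len);
        if ((addr & mask) == (table[i].addr & mask) && (int)table[i].prefix_len > best) {
            best = (int)table[i].prefix_len;
            flags = table[i].flags;
        }
    }
    return flags;
}

/* What the router has to do with traffic between one local and one remote address. */
typedef struct {
    bool login_required, ip_accounting, user_accounting, ip_speed_limit, user_speed_limit;
} policy_t;

/* Assumption: an exception on either side lifts the rule, so local and remote flags are OR'ed,
   and the same policy applies in both directions (upload and download). */
static policy_t decide(uint32_t local_addr, uint32_t remote_addr) {
    uint32_t f = lookup(local_exceptions, COUNT(local_exceptions), local_addr)
               | lookup(remote_exceptions, COUNT(remote_exceptions), remote_addr);
    policy_t p;
    p.login_required   = !(f & EXC_NO_LOGIN);
    p.ip_accounting    = !(f & EXC_IP_ACCOUNTING);
    p.user_accounting  = !(f & EXC_USER_ACCOUNTING);
    p.ip_speed_limit   = !(f & EXC_IP_SPEED_LIMIT);
    p.user_speed_limit = !(f & EXC_USER_SPEED_LIMIT);
    return p;
}

int main(void) {
    policy_t p = decide(IP(10, 0, 1, 1), IP(198, 51, 100, 7));  /* any local host -> patch site */
    printf("login required: %d, IP accounting: %d, user accounting: %d, IP speed limit: %d\n",
           p.login_required, p.ip_accounting, p.user_accounting, p.ip_speed_limit);
    return 0;
}
```

With these tables an unlisted local host talking to an unlisted Internet host gets the default policy (login, both accountings, both speed limits); host A and the lab network skip the login but keep their IP quota and speed; a host inside the lab network with its own /32 entry is pulled back to the default; and traffic to network B is unauthenticated and unaccounted while the local IP speed limit still holds. The /32-inside-a-/24 case is why the lookup is longest-prefix rather than first-match.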
Slide 15: BCrouter: Routing
- DHCP helper: allow forwarding of DHCP broadcasts to the DHCP server
- DHCP auto logout (in development): if no DHCP renew packets arrive within the DHCP renew interval, log the user out automatically → covers the case where a user forgets to log out
- User group based routing: different routing tables for each user group and user status, e.g. normal user, quarantined user, visitor...
Slide 16: BCrouter: Implementation
- BCrouter is a GNU/Linux software project
- Kernel-space
  - Netfilter framework module ipt_bcrouter
  - Iptables target BCROUTER
  - Requires a 2.6 kernel
  - All processing is done entirely in kernel-space: no need for slow kernel/user context switches
  - High performance kernel-space only network logging
- User-space
  - BCrouter daemon providing networked command access: get/set user/IP bucket configuration and status; login/logout; network configuration; user group configuration
  - DHCP-fwd for forwarding DHCP broadcasts
Slide 17: BCrouter: Performance
- In use for more than 2 years on Kotnet
  - >45099 users in the BCrouter database
  - >113420 IP addresses in the BCrouter database
  - >500 Mbits bandwidth peak (30 min average)
  - >140 network segments (140 VLANs)
- 1 active server (with hot standby)
  - Dual Xeon 3.2 GHz, 1 Gigabyte RAM, Debian Linux (2.6 kernel)
- Peak CPU load 45% CPU total: 85% Linux general routing code, 15% BCrouter code
- 430 Mbytes RAM in use for the entire system
Slide 18: BCrouter: Future
- Campus network-in-a-box: provide a modular open-source solution
  - BCrouter core element
  - Simple web based user frontend: user authentication; individual login and network usage statistics
  - Log processing backend: process and store all historical network/user info
  - Helpdesk & Management website: diagnose and troubleshoot network problems; adjust and configure network settings; present status
- Further development
  - BCrouter core element
  - Design a high performance log processing backend
Slide 19: BCrouter: Summary
- BCrouter provides: network authentication; user & IP quota enforcement; user & IP bandwidth management
- BCrouter is a GNU/Linux Netfilter kernel module
- BCrouter future: campus network-in-a-box
- More information: bcrouter@kuleuven.net