BCrouter @ K.U.Leuven

BCrouter: Overview
How did it start...
Main features
Authentication
Quota & Bandwidth
• Examples of user & IP limiting
Exceptions
• Examples
Routing
Implementation overview
Performance in real world
Future plans
K.U.LEUVEN – ICTI Netwerken

BCrouter: How did it start...
K.U.Leuven Kotnet project
Connect K.U.Leuven and associated high school students/personnel to the campus network and Internet from their homes
• Possible user base: 70000 students, 10000 personnel
Enhance possibility of study and research in an academic environment
Low entrance fee and costs
• University owned infrastructure
• Cooperation with 3 commercial ISPs
Used daily by >30000 different users

BCrouter: How did it start...
Performance problems in 2003
Login/quota core system maxed out with Cisco 7500 routers
More flexibility needed for bandwidth & quota enforcement
Redesign from scratch
Basic requirements
• No anonymous access to the Internet → Network authentication
• Each user is only allowed X Gigabytes/month traffic → Network quota enforcement
• Prevent that a few users consume all bandwidth → Network bandwidth regulation
Extra requirements
• Only K.U.Leuven users can access the K.U.Leuven network → User group differentiation

BCrouter: Authentication
All users must authenticate before using the network
Browsers are automatically redirected to a login webpage
Powerful exceptions possible
• E.g. software update websites, educational sites
Clients need no extra software or configuration
HTTPS-capable web browser
Quarantine system (in development)
If a user is administratively blocked → automatically restrict network access

BCrouter: Quota & Bandwidth
Both user and IP based (at the same time)
Real-time quota check
Every user and IP can have its own individual settings
Throttle bandwidth if a user and/or IP generates too much traffic
E.g. personal vs. lab PC, limited guest accounts...
A user and/or IP is never blocked from the network (real-time 'small band')
If a user and/or IP who is on 'small band' stops downloading for a few minutes, the user can immediately use a limited amount of traffic again at normal speed.
Powerful exceptions possible

BCrouter: Quota & Bandwidth
'Leaky Token Bucket' principle
Imagine a bucket of water, filled at the top and drained at the bottom...
Only packets containing a token can pass the router
[Figure: token bucket diagram. Tokens enter at MeanFillRate; the TokenBucket holds TokenBucketSize tokens up to TokenBucketMaxSize; network packets leave through the POLICER at CurrentRate (0...BurstRate)]

BCrouter: Quota & Bandwidth
Normal case: 1 token = 1 byte on the network
Configurable options per bucket
TokenBucket maximum size
• Max. number of tokens the bucket can contain
• Equivalent to 'quota' in bytes
Mean fill rate
• Number of tokens/sec entering the bucket (= constant)
• Equivalent to 'refill speed' of quota
Burst rate
• Max. tokens/sec that can be extracted from the bucket
• Equivalent to 'maximum speed' in bytes

BCrouter: Quota & Bandwidth
'Simple' bucket has several major drawbacks
BCrouter enhanced policing algorithm
Track individual flows
• Prevent connection starvation by distributing individual bandwidth across individual flows
Take average packet size of each flow into account
• Bulk traffic (e.g. downloads) is affected first
• Prioritize interactive traffic (e.g. ssh, irc, msn)
Dynamic regulation of individual bandwidth based on specific criteria
• E.g. prevent network saturation by automatically reducing maximum individual bandwidth
Avoid retransmits by dynamically adjusting TCP Window Size (in development)
• Minimize overhead on the network due to policing

BCrouter: Quota & Bandwidth
Conceptual packet flow (both user & IP)
Independent buckets for user and IP
Independent buckets for upload and download
[Figure: packet flow diagram. Each packet is classified as download or upload and then passes the User POLICER and the IP POLICER for that direction (User Down, IP Down, User Up, IP Up)]

BCrouter: User & IP limiting
Example 1:
Assign user:
• Quota of 1 Gigabyte
• Refill the quota at a rate of 1 Gigabyte/month
• Maximum speed: unlimited
Assign IP:
• Quota of 10 Mbytes
• Refill the quota at a rate of 5 Kilobytes/second
• Maximum speed: 20 Kilobytes/sec
Result:
• User settings determine the maximum volume a user can download each month
• IP settings limit the 'real-time' bandwidth usage

BCrouter: User & IP limiting
Example 2:
Assign user:
• Unlimited quota
• Maximum speed: 50 Kilobytes/second
Assign IP:
• Quota of 10 Mbytes
• Refill the quota at a rate of 5 Kilobytes/second
• Maximum speed: 20 Kilobytes/sec
Result:
• If a user logs in multiple times, the sum of all logins cannot exceed the maximum user speed. The speed is divided across the hosts that are logged in.

BCrouter: Exceptions
Exception flags
• IP speed limit
• User speed limit
• IP accounting
• User accounting
• No login required
Exceptions can be made for hosts or even entire networks (both local and/or Internet)

BCrouter: Exceptions
Quota/bandwidth exception examples:
Default:
• Login required
• Accounting to both user and local IP
• Obey both user and local IP speed limits
Local host A does not have to login to access the Internet, but still uses IP quota and speed settings
• E.g. embedded devices that can't login and need network access
Traffic from Internet host B is always possible from any local host and is never accounted, but local host IP speed limits are obeyed
• E.g. website with security patches
Any combination of exception flags is possible in either direction for any host/network

BCrouter: Routing
DHCP helper
• Allow forwarding of DHCP broadcasts to the DHCP server
DHCP auto logout (in development)
• If no DHCP renew packets arrive within the DHCP renew interval, log the user out automatically → if a user forgets to logout
User group based routing
• Different routing tables for each user group and user status
• E.g. normal user, quarantined user, visitor...

BCrouter: Implementation
BCrouter is a GNU/Linux software project
Kernel-space
• Netfilter framework module ipt_bcrouter
• Iptables target BCROUTER
• Requires 2.6 kernel
• All processing is done entirely in kernel-space
• No need for slow kernel/user context switches
• High performance kernel-space only network logging
User-space
• BCrouter daemon providing networked command access
  • Get/Set User/IP bucket configuration and status
  • Login/logout
  • Network configuration
  • User group configuration
• DHCP-fwd for forwarding DHCP broadcasts

BCrouter: Performance
In use for more than 2 years on Kotnet
1 active server (with hot standby)
>45099 users in BCrouter database
>113420 IP addresses in BCrouter database
>500 Mbits bandwidth peak (30 min average)
>140 network segments (140 VLANs)
Dual Xeon 3.2 GHz, 1 Gigabyte RAM
Debian Linux (2.6 kernel)
Peak CPU load: 45% CPU total
• 85% Linux general routing code
• 15% BCrouter code
430 Mbytes RAM in use for the entire system

BCrouter: Future
Campus network-in-a-box
Provide modular open-source solution
• BCrouter core element
• Simple web based user frontend
  • User authentication
  • Individual login and network usage statistics
• Log processing backend
  • Process and store all historical network/user info
• Helpdesk & Management website
  • Diagnose and troubleshoot network problems
  • Adjust and configure network settings
Present status
• Further development of BCrouter core element
• Design log processing high performance backend

BCrouter: Summary
BCrouter provides:
• Network authentication
• User & IP quota enforcement
• User & IP bandwidth management
BCrouter is a GNU/Linux Netfilter kernel module
BCrouter future: Campus network-in-a-box
More information: [email protected]
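The leaky token bucket from the 'Quota & Bandwidth' slides and the combined user/IP policing of Example 1, as an added illustration in C; this is not the ipt_bcrouter code, and the whole-second accounting, the 1500-byte packet size and the 385 B/s approximation of 1 Gigabyte/month are assumptions made here:

```c
#include <stdbool.h>
#include <stdint.h>

/* One token bucket as on the slides: 1 token = 1 byte. Added illustration,
   not BCrouter's ipt_bcrouter kernel code. Time is in whole seconds (assumed). */
typedef struct {
    uint64_t max_size;   /* TokenBucketMaxSize: quota in bytes */
    uint64_t fill_rate;  /* MeanFillRate: bytes/sec added, constant */
    uint64_t burst_rate; /* max bytes/sec extracted (max speed); 0 = unlimited */
    uint64_t tokens;     /* TokenBucketSize: current fill */
    uint64_t last_ts;    /* second of the last refill */
    uint64_t sec_used;   /* bytes extracted during second last_ts */
} bucket_t;
static void bucket_refill(bucket_t *b, uint64_t now) {
    if (now <= b->last_ts) return;
    uint64_t add = (now - b->last_ts) * b->fill_rate;
    b->tokens = (b->tokens + add > b->max_size) ? b->max_size : b->tokens + add;
    b->last_ts = now;
    b->sec_used = 0; /* new one-second window for the burst-rate check */
}
/* Can `len` bytes be extracted now without exceeding max speed or quota? */
static bool bucket_has(const bucket_t *b, uint32_t len) {
    if (b->burst_rate && b->sec_used + len > b->burst_rate) return false;
    return b->tokens >= len; /* empty bucket: only MeanFillRate passes ("small band") */
}

/* User and IP buckets are policed together: a packet passes only if both
   have tokens, and tokens are then taken from both. */
static bool police(bucket_t *user, bucket_t *ip, uint64_t now, uint32_t len) {
    bucket_refill(user, now);
    bucket_refill(ip, now);
    if (!bucket_has(user, len) || !bucket_has(ip, len)) return false;
    user->tokens -= len; user->sec_used += len;
    ip->tokens -= len;   ip->sec_used += len;
    return true;
}

/* Slide "Example 1": user quota 1 GB, refilled at 1 GB/month (about 385 B/s),
   unlimited speed; IP quota 10 MB, refill 5 KB/s, max speed 20 KB/s. A host
   downloads continuously in 1500-byte packets (assumed). Returns the bytes
   that passed during the `window` seconds after `warm` seconds. */
static uint64_t example1_bytes(uint64_t warm, uint64_t window) {
    bucket_t user = { 1000000000ULL, 385, 0, 1000000000ULL, 0, 0 };
    bucket_t ip   = { 10000000ULL, 5000, 20000, 10000000ULL, 0, 0 };
    uint64_t passed = 0;
    for (uint64_t t = 0; t < warm + window; t++)
        for (int i = 0; i < 64; i++) /* 64 tries/sec is more than 20 KB/s */
            if (police(&user, &ip, t, 1500) && t >= warm) passed += 1500;
    return passed;
}
```

Once the IP quota of 10 Mbytes has drained, throughput falls from the 20 Kilobytes/sec maximum to the 5 Kilobytes/sec refill rate rather than to zero, which is the 'small band' behaviour the slides describe.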