
BCrouter

BCrouter is a robust system developed by K.U.Leuven for network authentication, quota enforcement, bandwidth regulation, and routing. It provides secure and efficient access to the campus network and Internet. This overview highlights the main features and future plans of BCrouter.



Presentation Transcript


  1. BCrouter @ K.U.Leuven

  2. BCrouter: Overview • How did it start... • Main features • Authentication • Quota & Bandwidth • Examples of user & IP limiting • Exceptions • Examples • Routing • Implementation overview • Performance in real world • Future plans

  3. BCrouter: How did it start... • K.U.Leuven Kotnet project • Connect K.U.Leuven and associated high school students/personnel to the campus network and Internet from their homes • Possible user base: 70000 students, 10000 personnel • Enhance the possibility of study and research in an academic environment • Low entrance fee and costs • University-owned infrastructure • Cooperation with 3 commercial ISPs • Used daily by >30000 different users

  4. BCrouter: How did it start... • Performance problems in 2003 • Login/quota core system maxed out with Cisco 7500 routers • More flexibility needed for bandwidth & quota enforcement • Redesign from scratch • Basic requirements • No anonymous access to the Internet → Network authentication • Each user is only allowed X Gigabytes/month traffic → Network quota enforcement • Prevent a few users from consuming all bandwidth → Network bandwidth regulation • Extra requirements • Only K.U.Leuven users can access the K.U.Leuven network → User group differentiation

  5. BCrouter: Authentication • All users must authenticate before using the network • Browsers automatically redirected to login webpage • Powerful exceptions possible • E.g. software update website, educational sites • Clients need no extra software or configuration • HTTPS-capable web browser • Quarantine system (in development) • If user administratively blocked → automatically restrict network access

  6. BCrouter: Quota & Bandwidth • Both user and IP based (at the same time) • Real-time quota check • Every user and IP can have its own individual settings • E.g. personal vs. lab PC, limited guest accounts... • Throttle bandwidth if a user and/or IP generates too much traffic • A user and/or IP is never blocked from the network (real-time small band) • If a user and/or IP who is on 'small band' stops downloading for a few minutes, the user immediately can use a limited amount of traffic again at normal speed. • Powerful exceptions possible

  7. BCrouter: Quota & Bandwidth • ‘Leaky Token Bucket’ principle • Imagine a bucket of water, filled at the top and drained at the bottom… • Only packets containing a token can pass the router [Diagram: POLICER containing a TokenBucket; tokens enter at MeanFillRate, the bucket holds up to TokenBucketMaxSize (current fill: TokenBucketSize), and network packets leave at CurrentRate (0…BurstRate)]

  8. BCrouter: Quota & Bandwidth • Normal case: 1 token = 1 byte on the network • Configurable options per bucket • TokenBucket maximum size • Max. number of tokens the bucket can contain • Equivalent to ‘quota’ in bytes • Mean fill rate • Number of tokens/sec entering the bucket (=constant) • Equivalent to ‘refill speed’ of quota • Burst rate • Max. tokens/sec that can be extracted from the bucket • Equivalent to ‘maximum speed’ in bytes

  9. BCrouter: Quota & Bandwidth • A ‘simple’ bucket has several major drawbacks • BCrouter enhanced policing algorithm • Track individual flows • Prevent connection starvation by distributing the individual bandwidth across individual flows • Take the average packet size of each flow into account • Bulk traffic (e.g. downloads) is affected first • Prioritize interactive traffic (e.g. ssh, irc, msn) • Dynamic regulation of individual bandwidth based on specific criteria • E.g. prevent network saturation by automatically reducing the maximum individual bandwidth • Avoid retransmits by dynamically adjusting the TCP window size (in development) • Minimize overhead on the network due to policing
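Slide 9 lists what the enhanced policer does (track flows, no starvation, packet-size-aware priority) but not how. The following is an added example, not BCrouter's code and not taken from the presentation: it realises those three bullets as a weighted max-min allocation with a per-flow floor, where a flow's weight is the inverse of its average packet size, so small-packet interactive flows are filled first and bulk flows absorb the throttling. The flow IDs, packet samples, `min_share` floor and the 10 KB/s budget are constructed for the example.

```python
def observe(packets, interval=1.0):
    """Per-flow demand (bytes/s) and average packet size from (flow_id, bytes)
    samples captured over `interval` seconds. Flow tracking in BCrouter is done
    in the kernel; this is only the per-flow bookkeeping the allocator needs."""
    stats = {}
    for fid, size in packets:
        count, total = stats.get(fid, (0, 0))
        stats[fid] = (count + 1, total + size)
    return {fid: (total / interval, total / count) for fid, (count, total) in stats.items()}


def allocate(total_rate, flows, min_share=1000.0):
    """Split `total_rate` bytes/s of one user or IP across its active flows.

    flows: {flow_id: (demand_bytes_per_s, avg_packet_size)}
    1. every flow first gets min(demand, min_share) so no connection starves;
    2. the remainder is filled progressively (weighted max-min fairness) with
       weight 1/avg_packet_size: small-packet interactive flows are raised
       fastest, large-packet bulk flows are the first to be held back.
    Assumed policy for illustration, not BCrouter's published algorithm.
    """
    if not flows:
        return {}
    alloc = {f: min(demand, min_share) for f, (demand, _) in flows.items()}
    floor_total = sum(alloc.values())
    if floor_total >= total_rate:                   # not even the floors fit: scale them
        return {f: a * total_rate / floor_total for f, a in alloc.items()}
    remaining = total_rate - floor_total
    active = {f for f, (demand, _) in flows.items() if alloc[f] < demand}
    while remaining > 1e-9 and active:
        weight = {f: 1.0 / max(flows[f][1], 1.0) for f in active}
        total_weight = sum(weight.values())
        # raise all active flows together until the first one is satisfied
        # or the remaining budget runs out, whichever happens first
        step = min(min((flows[f][0] - alloc[f]) / weight[f] for f in active),
                   remaining / total_weight)
        for f in active:
            alloc[f] += step * weight[f]
        remaining -= step * total_weight
        active = {f for f in active if flows[f][0] - alloc[f] > 1e-9}
    return alloc


# Constructed one-second capture: an ssh session (100 x 80-byte packets, 8 KB/s)
# beside one bulk download (60 x 1500-byte packets, 90 KB/s).
SAMPLE = [("ssh", 80)] * 100 + [("download", 1500)] * 60


def demo(total_rate=10 * 1000):
    """Police the sample at a 10 KB/s budget: ssh keeps its full 8 KB/s, the
    download is squeezed to the remaining 2 KB/s (an equal split would give
    each 5 KB/s and make the ssh session lag)."""
    return allocate(total_rate, observe(SAMPLE))


if __name__ == "__main__":
    for flow, rate in sorted(demo().items()):
        print(f"{flow:10s} {rate:8.1f} B/s")
```

The floor keeps a flow that only needs a trickle alive even when a neighbour is saturating the budget; the `1/avg_packet_size` weighting is what makes "bulk traffic is affected first" fall out of the arithmetic rather than needing a protocol table.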

  10. BCrouter: Quota & Bandwidth • Conceptual packet flow (both user & IP) • Independent buckets for user and IP • Independent buckets for upload and download [Diagram: a packet is first classified as download or upload (“Down/Up load?”), then passes the User POLICER and the IP POLICER for that direction; four POLICER boxes in total: User Down, User Up, IP Down, IP Up]

  11. BCrouter: User & IP limiting • Example 1: • Assign user: • Quota of 1 Gigabyte • Refill the quota at a rate of 1 Gigabyte/month • Maximum speed: unlimited • Assign IP: • Quota of 10 Mbytes • Refill the quota at a rate of 5 Kilobytes/second • Maximum speed: 20 Kilobytes/sec • Result: • User settings determine the maximum volume a user can download each month • IP settings limit the ‘real-time’ bandwidth usage

  12. BCrouter: User & IP limiting • Example 2: • Assign user: • Unlimited quota • Maximum speed: 50 Kilobytes/second • Assign IP: • Quota of 10 Mbytes • Refill the quota at rate of 5 Kilobytes/second • Maximum speed: 20 Kilobytes/sec • Result: • If a user logs in multiple times, the sum of all logins cannot exceed the maximum user speed. The speed is divided across the hosts that are logged in.
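Slides 7 to 12 describe the token bucket (quota = bucket size, refill speed = mean fill rate, maximum speed = burst rate), the chaining of independent user and IP buckets per direction, and two settings examples. The block below is an added example that puts those pieces together; it is not BCrouter's kernel code (ipt_bcrouter is a Netfilter module in C) and not from the presentation. Assumptions: decimal units (1 KB = 1000 bytes), a 30-day month, the burst rate enforced as a per-second extraction window, tokens charged only when a packet passes at normal speed, and constructed user names and 10.0.0.0/8 addresses.

```python
import math

INF = math.inf                                  # "unlimited" quota or speed
KB, MB, GB = 1_000, 1_000_000, 1_000_000_000    # decimal units as read from the slides (assumption)
MONTH = 30 * 24 * 3600                          # "per month" taken as 30 days (assumption)


class TokenBucket:
    """Leaky token bucket with the three knobs from slide 8 (1 token = 1 byte).

    max_size   - bucket capacity, i.e. the quota in bytes (INF = unlimited)
    fill_rate  - tokens added per second, i.e. the refill speed of the quota
    burst_rate - max tokens extractable per second, i.e. the maximum speed
    The burst limit is modelled as a per-second extraction window; how BCrouter
    itself enforces that knob is not described on the slides (assumption).
    """

    def __init__(self, max_size, fill_rate, burst_rate, now=0.0):
        self.max_size, self.fill_rate, self.burst_rate = max_size, fill_rate, burst_rate
        self.tokens = max_size          # bucket starts full
        self.last = now
        self.window = math.floor(now)   # the one-second window being counted
        self.extracted = 0.0            # bytes taken out during that window

    def refill(self, now):
        """Add fill_rate tokens per elapsed second, never beyond max_size."""
        self.tokens = min(self.max_size, self.tokens + (now - self.last) * self.fill_rate)
        self.last = now
        if math.floor(now) != self.window:
            self.window, self.extracted = math.floor(now), 0.0

    def can_take(self, n, now):
        self.refill(now)
        return self.tokens >= n and self.extracted + n <= self.burst_rate

    def take(self, n):
        self.tokens -= n
        self.extracted += n


class Policer:
    """Slide 10's packet flow: a packet must pass a user bucket and an IP bucket,
    each side keeping independent download and upload buckets."""

    def __init__(self):
        self.users, self.ips, self.logins = {}, {}, {}

    def set_user(self, user, quota, fill_rate, max_speed, now=0.0):
        self.users[user] = {d: TokenBucket(quota, fill_rate, max_speed, now) for d in ("down", "up")}

    def set_ip(self, ip, quota, fill_rate, max_speed, now=0.0):
        self.ips[ip] = {d: TokenBucket(quota, fill_rate, max_speed, now) for d in ("down", "up")}

    def login(self, ip, user):
        self.logins[ip] = user

    def police(self, ip, direction, size, now):
        """Classify one packet of `size` bytes for `ip` going 'down' or 'up'.

        'login'     - no authenticated user on this IP (browser gets redirected)
        'normal'    - every bucket on the path could supply the tokens
        'smallband' - some bucket could not: throttled, never blocked
        Tokens are charged only when the packet passes at normal speed (assumption).
        """
        user = self.logins.get(ip)
        if user is None:
            return "login"
        path = (self.users[user][direction], self.ips[ip][direction])
        if all(b.can_take(size, now) for b in path):
            for b in path:
                b.take(size)
            return "normal"
        return "smallband"


def example_1(now=0.0):
    """Slide 11: user settings cap monthly volume, IP settings cap real-time speed."""
    p = Policer()
    p.set_user("alice", quota=1 * GB, fill_rate=1 * GB / MONTH, max_speed=INF, now=now)
    p.set_ip("10.0.0.5", quota=10 * MB, fill_rate=5 * KB, max_speed=20 * KB, now=now)
    p.login("10.0.0.5", "alice")
    return p


def example_2(hosts=("10.0.0.11", "10.0.0.12", "10.0.0.13"), now=0.0):
    """Slide 12: one user logged in on several hosts shares the user speed limit."""
    p = Policer()
    p.set_user("bob", quota=INF, fill_rate=0, max_speed=50 * KB, now=now)
    for ip in hosts:
        p.set_ip(ip, quota=10 * MB, fill_rate=5 * KB, max_speed=20 * KB, now=now)
        p.login(ip, "bob")
    return p


def normal_packets(policer, ip, size=1500, now=0.0, attempts=40):
    """How many `size`-byte downloads to `ip` pass at normal speed within one second."""
    return sum(policer.police(ip, "down", size, now) == "normal" for _ in range(attempts))


if __name__ == "__main__":
    print("example 1:", normal_packets(example_1(), "10.0.0.5"), "x 1500 B at normal speed in 1 s")
    p = example_2()
    print("example 2:", [normal_packets(p, ip) for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.13")])
```

With example 1 the IP bucket's 20 KB/s burst rate lets thirteen 1500-byte packets through in a second before the host drops to small band; with example 2 two hosts each use their 20 KB/s, and the third only gets the 10 KB/s left under the user's 50 KB/s ceiling, which is the "speed is divided across the hosts that are logged in" behaviour of slide 12. An IP that is not in the login table yields 'login', the point at which slide 5's redirect to the login page would happen.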

  13. BCrouter: Exceptions • Exception flags • IP speed limit • User speed limit • IP accounting • User accounting • No login required • Exceptions can be made for hosts or even entire networks (both local and/or internet)

  14. BCrouter: Exceptions • Quota/bandwidth exception examples: • Default: • Login required • Accounting to both user and local IP • Obey both user and local IP speed limits • Local host A does not have to log in to access the Internet, but still uses the IP quota and speed settings • E.g. embedded devices that can’t log in and need network access • Traffic from Internet host B is always possible from any local host and is never accounted, but local host IP speed limits are obeyed • E.g. website with security patches • Any combination of exception flags is possible in either direction for any host/network
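Slides 13 and 14 give the five exception flags and two worked cases but no decision procedure. The block below is an added example of how such a lookup can be evaluated per packet; it is not BCrouter's code and not from the presentation. Assumptions: the campus side is 10.0.0.0/8, the most specific matching prefix wins, flags from the local end and the remote end are combined (a check is skipped if either side disables it), and all hosts, the lab subnet and the 203.0.113.10 patch site are constructed.

```python
import ipaddress

# Assumed campus side of the router; anything outside it is "the Internet".
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")

# The five checks a packet goes through by default (slide 14); each exception
# flag from slide 13 switches exactly one of them off.
ALL_CHECKS = frozenset({"login", "user_accounting", "ip_accounting",
                        "user_speed", "ip_speed"})


class ExceptionTable:
    """Exception flags keyed by host or network, local or Internet.
    Most-specific prefix wins (assumption; the slides do not say how overlaps resolve)."""

    def __init__(self):
        self.entries = []      # [(network, frozenset of disabled checks)]

    def add(self, cidr, *disabled):
        unknown = set(disabled) - ALL_CHECKS
        if unknown:
            raise ValueError(f"unknown exception flag(s): {sorted(unknown)}")
        self.entries.append((ipaddress.ip_network(cidr), frozenset(disabled)))

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        match = max((e for e in self.entries if ip in e[0]),
                    key=lambda e: e[0].prefixlen, default=None)
        return match[1] if match else frozenset()


def policy_for(table, src, dst):
    """Direction, local/remote end and the checks that still apply to one packet.
    Flags on the local host and on the remote host are combined: a check is
    skipped if either side disables it (assumption about how 'either direction'
    composes)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in LOCAL_NET and dst_ip not in LOCAL_NET:
        direction, local, remote = "up", src, dst
    elif dst_ip in LOCAL_NET and src_ip not in LOCAL_NET:
        direction, local, remote = "down", dst, src
    else:
        raise ValueError("expected exactly one campus-side address")
    disabled = table.lookup(local) | table.lookup(remote)
    return {"direction": direction, "local": local, "remote": remote,
            "checks": ALL_CHECKS - disabled}


def example_table():
    """The two cases from slide 14 plus a lab subnet (all addresses constructed)."""
    t = ExceptionTable()
    # lab subnet: machines are limited per IP only, never per user (constructed case)
    t.add("10.1.0.0/16", "user_accounting", "user_speed")
    # local host A inside that subnet: an embedded device that cannot log in;
    # the /32 beats the /16, so IP quota and speed, and user checks, still apply
    t.add("10.1.2.3/32", "login")
    # Internet host B: the security-patch site, reachable without login and
    # never accounted; only the local host's IP speed limit is obeyed
    t.add("203.0.113.10/32", "login", "user_accounting", "ip_accounting", "user_speed")
    return t


if __name__ == "__main__":
    t = example_table()
    for src, dst in (("10.9.9.9", "198.51.100.7"), ("10.1.2.3", "198.51.100.7"),
                     ("203.0.113.10", "10.9.9.9"), ("10.1.7.7", "198.51.100.7")):
        p = policy_for(t, src, dst)
        print(f"{src:>14} -> {dst:<14} {p['direction']:4s} checks={sorted(p['checks'])}")
```

Longest-prefix precedence means a host entry replaces, rather than extends, the flags of the network it sits in; if a deployment wants host flags to add to network flags, the `lookup` would union every matching entry instead of taking the most specific one.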

  15. BCrouter: Routing • DHCP helper • Allows forwarding of DHCP broadcasts to the DHCP server • DHCP auto logout (in development) • If no DHCP renew packets arrive within the DHCP renew interval, log the user out automatically → covers a user who forgets to log out • User group based routing • Different routing tables for each user group and user status, e.g. normal user, quarantined user, visitor…

  16. BCrouter: Implementation • BCrouter is a GNU/Linux software project • Kernel-space • Netfilter framework module ipt_bcrouter • Iptables target BCROUTER • Requires 2.6 kernel • All processing is done entirely in kernel-space • No need for slow kernel/user context switches • High performance kernel-space only network logging • User-space • BCrouter daemon providing networked command access • Get/Set User/IP bucket configuration and status • Login/logout • Network configuration • User group configuration • DHCP-fwd for forwarding DHCP broadcasts

  17. BCrouter: Performance • In use for more than 2 years on Kotnet • >45099 users in BCrouter database • >113420 IP addresses in BCrouter database • >500 Mbit/s bandwidth peak (30 min average) • >140 network segments (140 VLANs) • 1 active server (with hot standby) • Dual Xeon 3.2 GHz • 1 Gigabyte RAM • Debian Linux (2.6 kernel) • Peak CPU load • 45% CPU total • 85% Linux general routing code • 15% BCrouter code • 430 Mbytes RAM in use for the entire system

  18. BCrouter: Future • Campus network-in-a-box • Provide modular open-source solution • BCrouter core element • Simple web based User frontend • User authentication • Individual login and network usage statistics • Log processing backend • Process and store all historical network/user info • Helpdesk & Management website • Diagnose and troubleshoot network problems • Adjust and configure network settings • Present status • Further development BCrouter core element • Design log processing high performance backend

  19. BCrouter: Summary • BCrouter provides • Network authentication • User & IP quota enforcement • User & IP bandwidth management • BCrouter is • GNU/Linux Netfilter kernel module • BCrouter future • Campus network-in-a-box • More information: bcrouter@kuleuven.net
