22-sutherland.ppt
1. Open Source Routing, Firewalls and Traffic Shaping
   Russell Sutherland
   Computing and Networking Services, University of Toronto
2. Reference URLs for Tree Huggers
  - This presentation
      - http://madhaus.cns.utoronto.ca/~russ/canheit2004/
  - Routing
      - http://www.quagga.net/
      - http://www.xorp.net/
      - http://latrc.org/
  - Traffic Shaping
      - Linux: http://tcng.sourceforge.net/
      - FreeBSD: http://info.iet.unipi.it/~luigi/ip_dummynet/
  - Packet Filtering
      - Linux (iptables): http://www.netfilter.org/
      - FreeBSD (ipfw): http://www.freebsd.org/
      - OpenBSD (pf): http://www.benzedrine.cx/pf.html
3. Routing Chronology
  - 1984 BSD 4.2 ships with routed (RIPv1)
  - 1986 Fuzzball PDP-11 NSFNet routers
  - 1988 Age of dedicated routing machines
      - Cisco, Proteon, Wellfleet, ACC
  - 1992 Gated Consortium formed
  - 1996 GNU Zebra
  - 2002 Quagga, XORP
4. Quagga Routing Architecture
  - Modular design
  - One process per protocol
      - bgpd, ospfd, ripd
  - One main controlling process
      - zebra
  - Extensible
5. Quagga Architecture Diagram (figure: bgpd, ospfd, ripd -> zebra -> Unix kernel routing table)
6. Quagga Routing Protocols
  - RIPv1, RIPv2, RIPng
  - OSPFv2, OSPFv3
  - BGP-4, BGP+
  - BGP route server and reflector
  - IPv6
  - Supported RFCs
      - 1058 RIPv1, 2453 RIPv2, 2080 RIPng
      - 2328 OSPFv2, 2740 OSPF for IPv6
      - 1771 BGPv4, 1965, 1997, 2545 BGPv6, 2796 BGP Route Reflection, 2858 Multiprotocol Extensions, 2842 Capabilities Advertisement
7. Quagga Supported Platforms
  - GNU/Linux
      - Debian, RedHat, SuSE, Slackware
      - Kernels 2.2.x - 2.4.x
  - FreeBSD
      - versions 4.x and 5.x
  - OpenBSD
      - version 3.x
  - NetBSD
      - version 1.4
  - Solaris
      - 2.6 and version 7
8. Hardware Requirements
  - CPU: Intel 2.0 - 3.0 GHz
  - Memory: 512MB
  - Disks: 18GB
      - RAID-1 (optional)
      - SCSI or IDE
  - Ethernet interfaces
      - 2 x 10/100 Intel, 2 x 10/100/100 Broadcom
  - Redundancy
      - hot spare serves as backup to N production units
9. Scottish Economics
  - Router prices
      - Cisco mid-size
          - 7204VxR, Catalyst 3550
          - $15k - $32k
      - Extreme
          - Alpine 3800
          - $31k - $38k
      - Foundry
          - BigIron 4000
          - $16k
      - Intel 2.x GHz server
          - Dell 2650, IBM x335
          - $2.5k - $3.5k
10. Network Topology (figure: internal side with the networks 1. UofT A, 2. UofT B, 3. ResNet and the Touchdown Network at 1000 Mbps; routers Skye, Mull, Jura, Bute and McL; a Traffic Shaper on the ResNet path; external links Cogent A [100Mbps], Cogent B [100Mbps] and C4 [1000Mbps])
11. Network Routing Policy
  - Three classes of traffic (based on src IP)
      - ResNet
      - UofT A
      - UofT B
  - ResNet
      - to Skye (via the Traffic Shaper), then to Cogent A
      - No C4 transit !!!
  - UofT A
      - to C4 if dst IP is a C4 address, otherwise via Skye to Cogent A
  - UofT B
      - to C4 if dst IP is a C4 address, otherwise via Mull to Cogent B
12. Network Packet Filtering Policies
  - Drop all packets with
      - spoofed (non-UofT) source IP addresses
      - non-routable destination addresses
          - 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8
          - 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16
          - etc.
      - nasty tcp/udp M$ worm ports (Blaster, Welchia, etc.)
          - 67, 68, 69, 135, 137, 139
          - 161, 162
          - 445, 593, 707, 1433, 1434, 3127, 4444
      - non-assigned UofT subnets
  - Allow everything else
13. Network Traffic Shaping Policies
  - All traffic from a local RedHat ftp site to the outside world gets a 50 kbps pipe
  - Peer-to-peer traffic to and from UofT A&B gets a 256 kbps full duplex pipe
      - KaZaa 1214
      - eDonkey 4661, 4662
      - BitTorrent 6881-6889
  - ResNet traffic gets conditioned by a dedicated Traffic Shaper (Packeteer)
  - Everything else flows freely
14. Routing Protocols and Configuration
  - Jura
      - runs OSPF on the internal interface with the other UofT routers
      - runs BGP on the external interface with the C4 peer
      - contains all UofT and C4 specific routes
  - Mull
      - runs OSPF on the internal interface with the other UofT routers
      - runs BGP on the external interface with the Cogent B peer
      - advertises UofT B routes
      - default points to Cogent B
  - Skye
      - same setup as Mull but with Cogent A
      - advertises UofT A and ResNet routes
15. Quagga Routing Configuration
  - Command line interface similar to Cisco IOS
      C4# conf t
      C4(config)# interface eth2
      C4(config-if)# description dummy interface
      C4(config-if)# ip address 10.1.2.3/24
      C4(config-if)# exit
      C4(config)# exit
      C4#
      C4# conf t
      C4(config)# router bgp 328
      C4(config-router)# bgp router-id 10.1.1.10
      C4(config-router)# network 10.1.1.0/24
      C4(config-router)# redistribute static
      C4(config-router)# neighbor 10.1.1.1 remote-as 999
      C4(config-router)# exit
      C4(config)# exit
      C4#
16. Quagga Operation
      # show ip route
      Codes: K - kernel route, C - connected, S - static, O - OSPF,
             B - BGP, > - selected route, * - FIB route
      S>* 0.0.0.0/0 [10/0] via 128.100.96.194, disc0
      B>* 6.1.0.0/16 [20/0] via 205.211.94.97, yk0, 01w4d03h
      B>* 6.2.0.0/22 [20/0] via 205.211.94.97, yk0, 01w4d03h
      B>* 6.3.0.0/18 [20/0] via 205.211.94.97, yk0, 01w4d03h

      # show bgp neighbors
      BGP neighbor is 205.211.94.97, remote AS 549, local AS 239, external link
        BGP version 4, remote router ID 205.211.94.253
        BGP state = Established, up for 01w4d22h
17. FreeBSD ipfw Packet Filtering
  - Native packet filtering interface
  - Implemented as a multifunction user command
  - The packet passed to the firewall is compared against each of the rules in the firewall ruleset.
  - When a match is found, the action corresponding to the matching rule is performed and the search terminates.
  - General syntax
      - ipfw [rule number] action [log] body
18. ipfw examples
  - Drop all www traffic from a network
      - ipfw add deny tcp from 12.12.12.0/24 to www.ubc.ca 80
  - Drop all telnet traffic from a bad host
      - ipfw add deny tcp from bad.host.com to my.host.com 23
  - Throw away RFC 1918 networks
      - ipfw add deny all from 10.0.0.0/8 to any in via fxp0
      - ipfw add deny all from 172.16.0.0/12 to any in via fxp0
      - ipfw add deny all from 192.168.0.0/16 to any in via fxp0
  - Allow ssh
      - ipfw add allow tcp from any to any 22 in via fxp0 setup keep-state
19. ipfw actions
  - allow | accept | pass | permit
      - Allow packets that match the rule. The search ends.
  - deny | drop
      - Discard packets that match the rule. The search ends.
  - fwd | forward ipaddr[,port]
      - Change the next hop of matching packets to ipaddr
  - pipe N
      - Pass the packet to a dummynet(4) pipe for bandwidth limitation [conditionally end or continue]
  - count
      - Update counters for all packets that match the rule. The search continues with the next rule
20. Traffic Control Concepts I
  - Set of mechanisms to condition network traffic
  - Examples
      - raise the priority of some kinds of traffic
      - limit the rate at which traffic is sent
      - block undesirable traffic (same as packet filtering)
  - TC is done at the network interface
      - ingress (traffic entering an interface)
          - limited set of functions (classifying, dropping)
      - egress (traffic leaving an interface)
          - full range of functions available
          - queueing
21. Traffic Control Concepts II (figure: the three stages, Classification, Queueing and Scheduling)
22. Traffic Control Concepts III
  - Classification
      - looks at packet content and assigns each packet to one or more classes
  - Queueing
      - stuffs incoming packets into storage silos based on class
  - Scheduling
      - transmits packets from the queues based on priority
  - Queueing and scheduling are often combined into queueing disciplines
23. Traffic Control Concepts IV
  - Common queueing disciplines
      - Simple drop tail (FIFO)
          - stores and emits packets in the order in which they arrive
      - Random Early Detection (RED)
          - starts dropping packets before the maximum queue size is reached
      - Token Bucket Filter (TBF)
          - a shaper that emits packets at a fixed rate
      - Priority Scheduler (PQ)
          - emits packets in higher priority classes before packets in lower priority classes
      - Weighted Fair Queueing (WFQ)
          - assigns an independent queue to each flow
          - a weight can be defined for each queue
24. FreeBSD Dummynet Features
  - Integrated with ipfw to classify packets
  - Can be used equally well on egress/ingress
  - Abstractions/features
      - pipes
          - fixed bandwidth channels
          - variable queue size, delays, random packet loss
      - queues
          - queues of packets
          - weighted
          - share the bandwidth of the pipe they are associated with, proportionally to their weight
  - WF2Q+ used as the queueing discipline
25. Dummynet Examples
  - Limit WWW traffic to 100Mbps
      - ipfw pipe 1 config bw 100Mbit/s
      - ipfw add pipe 1 ip from any to any dst-port 80
  - Prefer ssh to telnet traffic
      - ipfw pipe 2 config bw 256kbit/s
      - ipfw queue 1 config pipe 2 weight 7
      - ipfw queue 2 config pipe 2 weight 3
      - ipfw add queue 1 ip from any to any dst-port 22
      - ipfw add queue 2 ip from any to any dst-port 23
  - Rate limit each network host's upload rate
      - ipfw pipe 3 config mask src-ip 0x000000ff bw 16kbit/s queue 8Kbytes
      - ipfw add pipe 3 ip from 12.18.123.0/24 to any out via xl0
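The per-host upload limit above is the least obvious of the three examples: the mask does not narrow which packets match, it decides how many pipes there are. To make that concrete, here is a small discrete-event model of a dummynet pipe, added as an example and not code from the presentation or from FreeBSD. A pipe is a link of fixed bandwidth with a finite byte queue; a masked pipe keeps one such link per distinct value of (src_ip & mask), so with mask 0x000000ff every host in the /24 gets its own 16 kbit/s and its own 8 KB queue, while mask 0 would make them all share one. The trace (eight 1500-byte packets from one host and one from its neighbour, all at t=0) is constructed; the addresses sit in the slide's 12.18.123.0/24.

```python
import ipaddress
from collections import deque


class Pipe:
    """Model of a dummynet pipe: a link of fixed bandwidth with a finite byte queue."""

    def __init__(self, bw_bits_per_s, queue_bytes):
        self.bw = bw_bits_per_s
        self.queue_bytes = queue_bytes
        self.backlog = deque()     # (departure_time, size) of packets not yet fully sent
        self.next_free = 0.0       # time at which the link finishes its last accepted packet

    def offer(self, t, size):
        """Departure time of a `size`-byte packet arriving at time `t`, or None
        when the queue is full and the packet is tail-dropped."""
        while self.backlog and self.backlog[0][0] <= t:
            self.backlog.popleft()                   # already transmitted by time t
        if sum(s for _, s in self.backlog) + size > self.queue_bytes:
            return None
        depart = max(t, self.next_free) + size * 8 / self.bw   # serialisation delay
        self.next_free = depart
        self.backlog.append((depart, size))
        return depart


class MaskedPipe:
    """`ipfw pipe N config mask src-ip MASK bw B queue Q`: every distinct value of
    (src_ip & MASK) gets its own dynamic Pipe with the full bandwidth and queue."""

    def __init__(self, src_mask, bw_bits_per_s, queue_bytes):
        self.src_mask = src_mask
        self.bw = bw_bits_per_s
        self.queue_bytes = queue_bytes
        self.flows = {}            # masked source address -> Pipe

    def offer(self, t, src_ip, size):
        key = int(ipaddress.ip_address(src_ip)) & self.src_mask
        if key not in self.flows:
            self.flows[key] = Pipe(self.bw, self.queue_bytes)
        return self.flows[key].offer(t, size)


def run_trace(trace, src_mask=0x000000FF, bw_bits_per_s=16_000, queue_bytes=8 * 1024):
    """Push (time, src_ip, size) events through a shaper configured like the
    slide's pipe 3 (16 kbit/s, 8 Kbytes queue, one pipe per low address byte).
    Returns {src_ip: [departure time or None, one entry per packet]}."""
    shaper = MaskedPipe(src_mask, bw_bits_per_s, queue_bytes)
    out = {}
    for t, src, size in trace:
        out.setdefault(src, []).append(shaper.offer(t, src, size))
    return out


def sample_trace():
    """Constructed burst: host .10 sends eight 1500-byte packets at t=0 and
    host .11 sends one; both are in the slide's 12.18.123.0/24."""
    return [(0.0, "12.18.123.10", 1500)] * 8 + [(0.0, "12.18.123.11", 1500)]


if __name__ == "__main__":
    for src, departures in run_trace(sample_trace()).items():
        print(src, departures)
    print("shared pipe (mask 0):", run_trace(sample_trace(), src_mask=0)["12.18.123.11"])
```

At 16 kbit/s a 1500-byte packet occupies the link for 0.75 s, so host .10's burst drains at 0.75, 1.5, 2.25, 3.0 and 3.75 s and the sixth packet onwards is dropped because 8 Kbytes of queue hold only five of them; host .11's single packet still leaves at 0.75 s because it has a pipe of its own. With mask 0 the two hosts share one pipe and host .11's packet is the one that gets dropped.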
26. Routing Policy Using ipfw
  - All ResNet traffic forwarded directly to Skye
      - ipfw add fwd $skye all from $resnet to any in recv $uoft_if
  - Block spoofed packets
      - ipfw add allow all from $uoftnet to any in recv $uoft_if
      - ipfw add deny all from any to any in recv $uoft_if
  - Block bad packets (M$ worms etc.)
      for i in 67-69 135-139 161 162 445 593 707 4444
      do
          ipfw add deny udp from any to any $i
          ipfw add deny tcp from any to any $i
      done
  - C4 traffic follows specific routes from BGP
27. Routing Policy Using ipfw Cont.
  - Block all traffic to non-defined UofT addresses
      - ipfw add deny all from any to $uoftnet out xmit $def_if
  - Partition UofT A/B traffic to Skye/Mull
      - ipfw add fwd $skye all from $uoftA to any out xmit $def_if
      - ipfw add fwd $mull all from $uoftB to any out xmit $def_if
  - Traffic shaping
      - limit the RH ftp server
          - ipfw pipe 1 config bw 50Kbit/s
          - ipfw add pipe 1 ip from $rhftp to any in recv $uoft_if
      - limit peer-to-peer
          - ipfw pipe 2 config bw 256Kbit/s
          - ipfw add pipe 2 ip from $uoftA to any dst-port 1214,4661,4662
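The two policy slides above lean on the first-match semantics from the ipfw actions slide, and the order of the rules is where mistakes hide. The following is a worked model, added as an example and not code from the presentation or from FreeBSD: a minimal first-match evaluator (allow, deny and fwd end the search, count only bumps a counter and lets it continue, no match falls through to a deny like ipfw's default rule) with the anti-spoof, worm-port, undefined-address, partition and shaping-free parts of the policy written against it. The deck's shell variables ($uoftnet, $resnet, $uoftA, $uoftB, $skye, $mull, $uoft_if, $def_if) are replaced by constructed RFC 5737 addresses and made-up interface names, and the test packets are constructed too. One thing the model makes visible: a UofT source talking to a worm port is let through on the inbound pass by the anti-spoof allow and is only stopped when the packet is evaluated again on the way out, so the worm rules do their work on the xmit pass.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    direction: str = "in"    # "in" = received on iface (recv), "out" = sent on iface (xmit)
    iface: str = ""


@dataclass
class Rule:
    action: str              # allow | deny | fwd | count
    proto: str = "all"       # "all" matches every protocol, as in ipfw
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = ()       # empty = any destination port
    direction: str = ""      # "" = matches both directions
    iface: str = ""          # "" = any interface
    nexthop: str = ""        # only meaningful for fwd
    hits: int = 0            # per-rule packet counter

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "all" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or p.dport in self.dports)
                and (not self.direction or self.direction == p.direction)
                and (not self.iface or self.iface == p.iface))


def evaluate(ruleset, p):
    """First match wins: return (action, nexthop) of the rule that ends the
    search.  count updates its counter and continues.  No match at all is a
    deny, like ipfw's built-in rule 65535 (assumption: default-to-deny kernel)."""
    for r in ruleset:
        if not r.matches(p):
            continue
        r.hits += 1
        if r.action == "count":
            continue
        return (r.action, r.nexthop)
    return ("deny", "")


def ports(*specs):
    """Expand ipfw-style port specs ("67-69", 445) into a tuple of ints."""
    out = []
    for s in specs:
        lo, _, hi = str(s).partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return tuple(out)


# Constructed stand-ins for the deck's shell variables (RFC 5737 test ranges).
UOFT_NET, UOFT_A, UOFT_B, RESNET = "192.0.2.0/24", "192.0.2.0/26", "192.0.2.64/26", "192.0.2.128/25"
SKYE, MULL = "198.51.100.1", "198.51.100.2"   # next hops of the two edge routers
UOFT_IF, DEF_IF = "em0", "em1"                # internal interface, default (upstream) interface
WORM_PORTS = ports("67-69", "135-139", 161, 162, 445, 593, 707, 4444)


def build_policy():
    """The slides' rules in slide order; a fresh list each call so counters start at zero."""
    return [
        Rule("count"),                                                 # accounting only; search continues
        Rule("fwd", src=RESNET, direction="in", iface=UOFT_IF, nexthop=SKYE),
        Rule("allow", src=UOFT_NET, direction="in", iface=UOFT_IF),    # legitimate local sources ...
        Rule("deny", direction="in", iface=UOFT_IF),                   # ... anything else inbound is spoofed
        Rule("deny", proto="udp", dports=WORM_PORTS),
        Rule("deny", proto="tcp", dports=WORM_PORTS),
        # Only UofT addresses without a more specific route reach the default interface,
        # so this catches the "non-defined" subnets (routing itself is not modelled here).
        Rule("deny", dst=UOFT_NET, direction="out", iface=DEF_IF),
        Rule("fwd", src=UOFT_A, direction="out", iface=DEF_IF, nexthop=SKYE),
        Rule("fwd", src=UOFT_B, direction="out", iface=DEF_IF, nexthop=MULL),
        Rule("allow"),                                                 # "allow everything else"
    ]


if __name__ == "__main__":
    rs = build_policy()
    worm = Packet("tcp", "192.0.2.10", "203.0.113.5", 445)
    print("inbound pass :", evaluate(rs, Packet(worm.proto, worm.src, worm.dst, worm.dport, "in", UOFT_IF)))
    print("outbound pass:", evaluate(rs, Packet(worm.proto, worm.src, worm.dst, worm.dport, "out", DEF_IF)))
    print("spoofed      :", evaluate(rs, Packet("tcp", "10.1.1.1", "203.0.113.5", 80, "in", UOFT_IF)))
    print("count hits   :", rs[0].hits)
```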
28. Linux Packet Filtering: iptables
  - Similar to ipfw in functionality and use
  - User-level command line interface
  - Syntax
      - iptables rule-action table name conditions action
  - Very rich set of conditions and actions
  - Extensible, modular actions
  - More complicated in concept than ipfw or pf
  - Hierarchy: tables -> chains -> rules
  - Three default tables with default policies
      - filter, nat, mangle
29. Linux iptables Anatomy: Ingress (figure: a packet from a remote IP address enters the network interface, passes conntrack, the PREROUTING hook (mangle, nat) and ingress QoS/IMQ; the routing decision and RPDB then send it either to INPUT (mangle, filter) and local processes or to FORWARD (mangle, filter))
30. Linux iptables Anatomy: Egress (figure: packets from local processes pass the output routing decision and the OUTPUT hook (conntrack, mangle, nat, filter); together with forwarded packets they then pass POSTROUTING (mangle, nat) and egress QoS/IMQ before leaving the network interface towards the remote IP address)
31. iptables examples
  - Drop all www traffic from a network
      - iptables -A FORWARD -p tcp --dport 80 -s 12.12.12.0/24 -d www.ubc.ca -j DROP
  - Drop all telnet traffic from a bad host
      - iptables -A INPUT -p tcp -s bad.host.com -d my.host.com --dport 23 -j DROP
  - Throw away RFC 1918 networks from inside
      - iptables -A FORWARD -s 10.0.0.0/8 -i eth0 -j DROP
      - iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
      - iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
  - Allow ssh and keep state
      - iptables -A FORWARD -p tcp --dport 22 -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
32. Linux Routing - Multiple Tables
  - Multiple routing/forwarding tables
  - Three fixed, predefined tables
      - local
      - main
      - default
  - Each table is assigned a priority number
      - 0 local
      - 32766 main
      - 32767 default
  - A match is sought starting with the highest priority table, i.e. the lowest number (local -> main -> default)
33. Linux Routing Policy Database
34. Linux Traffic Control: tc
  - Uses queueing disciplines for managing bandwidth
  - Largely concerned with data being sent rather than received
  - Classless queueing disciplines
      - reschedule, drop or delay
      - applied to the whole interface
      - pfifo_fast
          - default, can't be changed
      - TBF (Token Bucket Filter)
          - passes traffic up to a fixed rate
          - drops the rest
          - allows short bursts in excess of the fixed rate
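The three TBF bullets above describe one mechanism, and the interaction between them (a fixed rate, a burst allowance, and dropping once the queue is full) is easier to see in a model than in prose. The following token bucket is added here as an example; it is not code from the presentation or from the Linux kernel, and it uses the same three knobs the tcng example later in the deck passes to tbf (limit, rate, burst), with mtu reduced to the rule that a packet larger than the burst can never be sent. Tokens are bytes: the bucket fills at `rate` bytes per second up to `burst` bytes, a packet is released as soon as the bucket holds its size, packets that must wait sit in a queue of at most `limit` bytes, and arrivals that would overflow that queue are dropped. The packet sizes and times are constructed; note that tc's own "bps" unit is bytes per second, which is why the 20kbps in the tcng input becomes "rate 2500bps" in its output.

```python
class TokenBucketFilter:
    """Model of a tbf qdisc: rate (bytes/s), burst (bucket size in bytes),
    limit (bytes of packets allowed to wait for tokens)."""

    def __init__(self, rate_bytes_per_s, burst_bytes, limit_bytes):
        self.rate, self.burst, self.limit = rate_bytes_per_s, burst_bytes, limit_bytes
        self.tokens = float(burst_bytes)   # the bucket starts full: a burst can leave at once
        self.clock = 0.0                   # time at which `tokens` is valid; runs ahead while packets queue
        self.queued = []                   # (send_time, size) of packets still waiting for tokens

    def offer(self, t, size):
        """Return the time a `size`-byte packet arriving at `t` is released, or
        None when it is dropped (larger than the burst, or queue over limit)."""
        if size > self.burst:
            return None                    # could never accumulate enough tokens (tbf requires burst >= mtu)
        self.queued = [(st, s) for st, s in self.queued if st > t]   # forget packets already released
        if sum(s for _, s in self.queued) + size > self.limit:
            return None                    # "drops the rest": the waiting queue is full
        if t > self.clock:                 # idle time refills the bucket, capped at burst
            self.tokens = min(self.burst, self.tokens + self.rate * (t - self.clock))
            self.clock = t
        if self.tokens >= size:
            send = self.clock              # enough tokens: released immediately (burst)
        else:                              # wait exactly until the shortfall has accrued at `rate`
            send = self.clock + (size - self.tokens) / self.rate
            self.tokens = size
            self.clock = send
        self.tokens -= size
        self.queued.append((send, size))
        return send


def burst_then_idle(rate=2048, burst=2048, limit=4096, size=1024, count=7, later=10.0):
    """Constructed scenario: `count` packets of `size` bytes arrive together at t=0,
    then one more arrives at `later` after the link has been idle.  Returns the
    list of release times (None = dropped) followed by the release time of the
    late packet."""
    tbf = TokenBucketFilter(rate, burst, limit)
    releases = [tbf.offer(0.0, size) for _ in range(count)]
    return releases, tbf.offer(later, size)


if __name__ == "__main__":
    releases, late = burst_then_idle()
    print("release times:", releases)      # two go at once (burst), then one every 0.5 s, then a drop
    print("after idle   :", late)          # the bucket has refilled, so the late packet goes at once
```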
35. tc: Classless qdiscs
  - SFQ (Stochastic Fair Queueing)
      - Traffic is split into a large number of FIFO queues, one per flow
      - Traffic gets sent/serviced in a round robin fashion, giving each flow a chance to send its data
      - Leads to fair behaviour
      - prevents one flow from hogging all the bandwidth
      - only really useful when the link is full
  - RED (Random Early Detection)
      - drops packets statistically before queues are full
      - lets a congested link slow down more gracefully
      - helps TCP applications find their fair speed faster
36. tc: Classful qdiscs
  - Used when different types of traffic need different treatment
  - CBQ (Class Based Queueing)
      - very complicated to set up and tune
  - PRIO
      - classifies traffic into a number of bands, each with its own priority
  - u32
      - used as the tool to classify traffic into sub-queues
      - based on the actual offset of information in the IP header
37. Linux: tcng
  - tc syntax is very complicated, both for setting up the qdiscs and for classification
      tc qdisc add dev eth0 root handle 1:0 prio
      tc filter add dev eth0 parent 1:0 protocol ip u32 match ip protocol 6 0xff match tcp dst 0x50 0xffff classid 1:1
      tc qdisc add dev eth0 parent 1:3 handle 30: sfq
      tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:3
  - tcng was created as a higher level tool
      - simple to configure
      - more natural language to set up classes and qdiscs
      - compiles to tc or "C"
      - comes with a simulator
38. tcng: Example Input
      dev "eth0" {
          egress {
              class (<$high>) if tcp_dport == 80;
              class (<$low>) if 1;
              prio {
                  $high = class { tbf(limit 10kB, rate 20kbps, burst 2kB, mtu 1500B); }
                  $low = class { fifo(limit 30kB); }
              }
          }
      }
39. tcng: Example Output
      tc qdisc add dev eth0 handle 1:0 root dsmark indices 4 default_index 0
      tc qdisc add dev eth0 handle 2:0 parent 1:0 prio
      tc qdisc add dev eth0 handle 3:0 parent 2:1 tbf burst 2048 limit 10240 mtu 1500 rate 2500bps
      tc qdisc add dev eth0 handle 4:0 parent 2:2 bfifo limit 30720
      tc filter add dev eth0 parent 2:0 protocol all prio 1 tcindex mask 0x3 shift 0
      tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 2 tcindex classid 2:2
      tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:1
      tc filter add dev eth0 parent 1:0 protocol all prio 1 handle 1:0:0 u32 divisor 1
      tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u8 0x6 0xff at 9 offset at 0 mask 0f00 shift 6 eat link 1:0:0
      tc filter add dev eth0 parent 1:0 protocol all prio 1 handle 1:0:1 u32 ht 1:0:0 match u16 0x50 0xffff at 2 classid 1:1
      tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32 0x0 0x0 at 0 classid 1:2
40. Routing Policy Using Linux
  - Routing tables
      0:     from all lookup local
      100:   from 142.151.0.0/16 lookup resnet
      1000:  from all lookup main
      2000:  from 142.150.0.0/16 lookup uoftA
      32767: from all lookup default
  - resnet contains a single default to skye
  - uoftA contains a default to skye
  - default contains a default to mull
  - main contains all the C4 routes
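What makes this rule set implement the routing policy from earlier in the deck is a detail the slide leaves implicit: when the table a rule selects has no route for the destination, the kernel simply moves on to the next rule. The following model of that lookup is added as an example; it is not code from the presentation or from the Linux kernel. The rule priorities, source prefixes and table contents are the slide's; the Skye and Mull next hops, the C4 prefix and the C4 peer address are constructed stand-ins (RFC 5737 ranges). Running it shows the three behaviours the policy wants: a ResNet source goes to Skye even for a C4 destination (no C4 transit), a UofT A source reaches C4 through main but everything else through Skye, and any other source falls through main to the default table and Mull.

```python
import ipaddress


class Table:
    """One routing table: {prefix: next hop}, longest-prefix match on lookup."""

    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None   # None: this table has no route for dst


class PolicyRule:
    """One RPDB entry: `<prio>: from <src prefix | all> lookup <table>`."""

    def __init__(self, prio, src, table):
        self.prio, self.table = prio, table
        self.src = None if src == "all" else ipaddress.ip_network(src)

    def selects(self, src):
        return self.src is None or ipaddress.ip_address(src) in self.src


# Constructed stand-ins: the slide names the routers but not these addresses.
SKYE, MULL = "192.0.2.1", "192.0.2.2"
C4_PREFIX, C4_PEER = "198.51.100.0/24", "198.51.100.254"


def build_rpdb():
    """The slide's rules and tables.  `local` normally holds the host's own
    addresses; it is left empty here so every packet falls through it."""
    tables = {
        "local":   Table({}),
        "resnet":  Table({"0.0.0.0/0": SKYE}),        # a single default to Skye
        "main":    Table({C4_PREFIX: C4_PEER}),       # all the C4 routes, no default
        "uoftA":   Table({"0.0.0.0/0": SKYE}),        # a default to Skye
        "default": Table({"0.0.0.0/0": MULL}),        # a default to Mull
    }
    rules = [
        PolicyRule(0, "all", "local"),
        PolicyRule(100, "142.151.0.0/16", "resnet"),  # ResNet sources
        PolicyRule(1000, "all", "main"),
        PolicyRule(2000, "142.150.0.0/16", "uoftA"),  # UofT A sources
        PolicyRule(32767, "all", "default"),
    ]
    return sorted(rules, key=lambda r: r.prio), tables


def route(rules, tables, src, dst):
    """Kernel lookup order: rules by ascending priority; the first rule whose
    selector matches the source and whose table holds a route for the
    destination decides.  A table miss falls through to the next rule.
    Returns (next_hop, table_name), or (None, None) if nothing matched."""
    for r in rules:
        if not r.selects(src):
            continue
        nh = tables[r.table].lookup(dst)
        if nh is not None:
            return nh, r.table
    return None, None


if __name__ == "__main__":
    rules, tables = build_rpdb()
    for src, dst in [("142.151.7.7", "198.51.100.9"),   # ResNet -> C4 address: still Skye
                     ("142.150.7.7", "198.51.100.9"),   # UofT A -> C4 address: C4 via main
                     ("142.150.7.7", "203.0.113.9"),    # UofT A -> elsewhere: Skye
                     ("142.152.7.7", "203.0.113.9")]:   # anyone else -> elsewhere: Mull
        print(src, "->", dst, route(rules, tables, src, dst))
```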
41. Linux Traffic Shaping Policy
      dev eth1 {
          egress {
              class (<$rhftp>) if ip_src == 128.100.17.10;
              class (<$p2p>) if ((tcp_dport == 1214 || tcp_dport == 4661 || tcp_dport == 4662)
                                 && ip_src:16 == 128.100.0.0);
              class (<$high>) if 1;
              htb () {
                  class (rate 100Mbps, ceil 100Mbps) {
                      $rhftp = class (rate 50kbps, ceil 75kbps);
                      $p2p = class (rate 256kbps, ceil 325kbps);
                      $high = class (rate 90Mbps, ceil 100Mbps);
                  }
              }
          }
      }
42. OpenBSD packet filtering
  - pf runs as the native packet filtering engine
  - similar in syntax to ipfw
  - traffic shaping (ALTQ) integrated with pf
  - BSD only supports one main routing table
  - pf (like ipfw) supports a forwarding action to explicitly forward a packet
  - URLs
      - www.openbsd.org
      - www.csl.sony.co.jp/person/kjc/software.html
      - www.benzedrine.cx/pf.html
43. Results and Conclusions
  - OSS routers in service for > 18 months
  - Scaled easily from 1 to 3 machines
  - Currently running
      - FreeBSD 4.x, 5.x, dummynet, ipfw
  - Will be moving to Linux in the next 3 months
  - Standard network monitoring via SNMP
  - CPU running < 40%
  - OSS is a viable option for policy based routing and shaping at the edge