1 / 45

Design, and Evaluation of a Partial State Router

Design, and Evaluation of a Partial State Router. Phani Achanta A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A&M University June 22 2004, ICC. Motivation. Increasing non-responsive traffic Multimedia traffic reduced fairness Increased DoS attacks

wyatt
Télécharger la présentation

Design, and Evaluation of a Partial State Router

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Design, and Evaluation of a Partial State Router Phani Achanta A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A&M University June 22 2004, ICC Texas A & M University

  2. Motivation • Increasing non-responsive traffic • Multimedia traffic • reduced fairness • Increased DoS attacks • Bandwidth denial attacks appear as non-responsive traffic • Need for mechanisms to control the high bandwidth flows • Identification of high bandwidth flows • Control of High bandwidth flows Texas A & M University

  3. Previous work • Per-flow queuing mechanisms address these issues • Maintain per flow state • FQ, LQD • Scalability concerns • Scalable single queue mechanisms cannot provide ‘flow isolation’ • Stateless schemes base decisions on overall characteristics observable at the router • Droptail, RED, Diffserv • Fail to contain aggressive flows Texas A & M University

  4. Previous work • Denial of Service Attacks are addressed on a per-attack basis • Network ingress filtering • Need for scalable mechanisms • Partial state mechanisms Texas A & M University

  5. Observations • Internet traffic is heavy tailed • Bulk of traffic is carried by a few flows (elephants) • Bulk of the flows are short-lived (mice) • Dropping packets from short-term flows does not alleviate the network congestion • Class based congestion control does not take into account responsiveness of the traffic • Need a scheme for a quantitative policy-driven control of bandwidth • Partial State schemes Texas A & M University

  6. Partial State Routers • Maintain a fixed amount of state • State is managed by sampling or caching techniques • Challenge: How do you manage state effectively to capture information about elephants? Texas A & M University

  7. Scheme - Outline • Partial state can be used to identify non-responsive flows, bandwidth hogs or high bandwidth flows • Normal flows are handled in a stateless fashion Texas A & M University

  8. LRU-FQ Partial state scheme • Identification of high-bandwidth, non-responsive flows • Cache contains Least Recently Used (LRU) flows • Probabilistically replaces the bottom entry of LRU • List contains mostly non-responsive high bandwidth flows • Penalizing of non-responsive flows • Employ fair queuing mechanism between non-responsive (cached) and responsive classes • Ensures granular control of the proportion of non-responsive traffic that a router wants to handle Texas A & M University

  9. LRU-FQ flow chart – enqueue event Does Cache Have space? Is Flow in Cache? No No Admit flow with Probability ‘p’ Packet Arrival Yes Yes Is Flow Admitted? Record flow details Initialize ‘count’ to 0 Yes Increment ‘count’ Move flow to top of cache No Is ‘count’ >= ‘threshold’ No Yes Enqueue in Normal Queue Enqueue in Partial state Queue Texas A & M University

  10. LRU-FQ flow chart – dequeue event • Dequeue event results in selection of a packet from either queues based on the Start Time Fair Queue algorithm • The weights assigned to the individual queues determine the service allotted to each class of flows Texas A & M University

  11. LRU cache behavior • LRU policy with probabilistic admission ensures only high bandwidth flows remain over a period of time • Non-responsive high bandwidth flows percolate to the top of the LRU cache. • Web mice which might corrupt the cache are controlled by the ‘threshold’ parameter Texas A & M University

  12. Implementation Issues on Linux Texas A & M University

  13. Linux IP packet forwarding Local packet Deliver to upper layers UPPER LAYERS Route to destination Update Packet Error checking Verify Destination IP LAYER Packet Enqueued Scheduler invokes Bottom half Design space Scheduler runs Device driver LINK LAYER Request Scheduler To invoke bottom half Device Prepares packet Packet Departure Packet Arrival Check & Store Packet Enqueue pkt Texas A & M University

  14. Linux Kernel Traffic control • Filters are used to distinguish between different classes of flows • Each class of flows can be further categorized into subclasses using filters • Queuing disciplines control how the packets are enqueued and dequeued Texas A & M University

  15. LRU-FQ Implementation • LRU-FQ is distributed among various QoS components of Linux. • LRU component of the scheme is implemented as a filter. All parameters of LRU – threshold, probability, and cache size – are passed as parameters to the filter • LRU cache is maintained within the filter. Texas A & M University

  16. LRU-FQ implementation • Start Time Fair queuing is implemented as a queuing discipline. • Each queue is scheduled based on its weight • Existing Linux FQ queue disciplines work only for flows within a queue. • Modified packet structure skbuff to carry STFQ start and finish tags. Texas A & M University

  17. LRU-FQ Validation Timing Analysis Texas A & M University

  18. LRU-FQ validation Texas A & M University

  19. Experimental Setup and Results Texas A & M University

  20. Experimental Test bed Texas A & M University

  21. Experiment 1 – Non-responsive flows • Containing non-responsive flows: • cache size=12, threshold=125, p=1/50 • 20 TCP long term flows • varying number of UDP flows to study cache efficacy on varying weights of the queues. Texas A & M University

  22. Results – Non-responsive Texas A & M University

  23. Experiment 2 – Non-responsive flows • To study effectiveness of scheme with reduced non-responsive flow rates • threshold = 125, probability = 1/50 • cache size=12 • 20 long term TCP flows Texas A & M University

  24. Results – Non-responsive Texas A & M University

  25. Experiment 3 – Web mice vs Elephants • Web mice versus elephants • effect of long term loads on web mice • long term load contains both responsive an non-responsive loads • probability=1/50, threshold=125, cache=12 Texas A & M University

  26. Results – Web mice Texas A & M University

  27. Results – Web mice Texas A & M University

  28. Experiment 4 – Cache size • Effect of varying cache size • to study impact of cache size on performance of the scheme • probability= 1/55, threshold = 125 • number of TCP flows=20 • equal weights for both queues. Texas A & M University

  29. Results – Cache size Texas A & M University

  30. Experiment 5 - Workloads • Performance under normal workloads • working of scheme when non-responsive loads are absent or use their fair share of bandwidth • cache size = 9, threshold =125 • probability = 1/55 Texas A & M University

  31. Results – Normal workload Texas A & M University

  32. Results – Mixed workload Texas A & M University

  33. Conclusion • Proposed, implemented and evaluated an LRU based partial state scheme (LRU-FQ) • LRU-FQ shown to enable quantitative control of non-responsive traffic • LRU-FQ shown to provide better performance for web mice flows Texas A & M University

  34. Future work • Study of aggregate traffic instead of flow-specific schemes • source based aggregation can help identifying DoS attacks from a single network • Identification of proportion of non-responsive traffic in order to automate tuning of the LRU-FQ scheme Texas A & M University

  35. Stateless AQM schemes • DropTail • FIFO based - Easy to implement • Full Queues and Lock-Out problems • variants – Drop from front, Random Drop • RED • manages the average queue length by marking or dropping packets early • does not contain aggressive flows Texas A & M University

  36. Stateless AQM schemes • BLUE • bases decisions on two events – packet losses due to Full queues and link idle times. • the two events control congestion signaling probability • does not contain aggressive flows. • CHOKe • Incoming packets are matched with random packet in queue to arrive at a drop strategy. • does not contain aggressive flows. Texas A & M University

  37. Stateful AQM schemes • Longest Queue Drop (LQD) • per flow queue of packets • packets from longest queue dropped upon exhaustion of buffers • Flow RED (FRED) • employs per flow RED and Fair Queuing • alleviates some RED problems but requires per-flow queue Texas A & M University

  38. Packet State AQM schemes • Diffserv • packets marked ‘in’ and ‘out’ based on QoS contract. • ‘out’ packets dropped disproportionately thus securing QoS for ‘in’ packets. • Core-Stateless Fair Queuing • packets carry the edge router’s estimate of fair rate on the outgoing link • the fair rate is used to arrive at the forwarding probability. Texas A & M University

  39. Partial State AQM schemes • Stabilized RED: SRED • identification of misbehaving flows –‘zombie’ list • list is pruned by probabilistic replacement of a random entry with the incoming packet • SACRED • random sampling and holding to maintain a cache of ‘marked’ flows • Random flows observed when average queue length exceeds a sampling threshold. • At dropping threshold, packets are dropped from observed flows exceeding a limit share threshold Texas A & M University

  40. Partial State AQM schemes • Red-PD • makes use of the drop history observed at an RED router • arrives at a list of flows exceeding a target threshold • LRU-RED • maintains an LRU to identify top ‘n’ flows. • modifies RED to penalize them more than normal flows. Texas A & M University

  41. Active Queue Management schemes • Stateless • decisions based on overall characteristics observable at the router queue like average queue length, aggregate arrival and departure rates etc. • DropTail, RED, BLUE, CHOKe • Stateful • per-flow state maintained to administer the scheme. • Longest Queue Drop (LQD), FRED Texas A & M University

  42. Active Queue Management schemes • Packet state • state is maintained within packets • routers base decisions on the state within packets • Diffserv, CSFQ • Partial state • maintain a limited amount of state • state is pruned using sampling and caching • SRED, SACRED, RED-PD, LRU-RED Texas A & M University

  43. Denial of Service Solutions • Network ingress filtering • filter spoofed addresses • Traceback algorithms • throttle the attacker at the source network • MULTOPS • multi-level tree containing packet statistics • proposed for bandwidth attack detection Texas A & M University

  44. Observations • Stateful schemes are effective but not scalable • Stateless schemes fail to protect normal flows from aggressive flows • Earlier partial state schemes rely on RED mechanism for resource control • Earlier work provides qualitative improvement of performance for responsive flows and short term flows Texas A & M University

  45. Possible Applications of Partial State schemes • Control of non-responsive proportion of traffic • Identification of top bandwidth hogs to alleviate certain DoS scenarios • Better service for web mice • lower delay bounds and larger connection rates • weights of the fair queuing control the delay • Control of Bandwidth allocation for normal traffic • buffers assigned per queue control the bandwidth Texas A & M University

More Related