
Bandwidth Management

Tools for slicing the pie

Cal Frye, Network Administrator


Wednesday, February 11, 2009 1
Bandwidth is a Problem
Unless you don’t have a problem... Oberlin enjoys a 90Mb/s connection, using two T3 lines from Qwest.
More and more applications are hosted off-site.

• Course catalog
• Blackboard
• Web site CMS
• Library catalogs, databases
• Media services
• The hidden cost of outsourcing...

The Internet is for...


One Man’s YouTube is Another Man’s Blackboard...
Which are your critical apps? Can you ever know?
We do know there’s bad stuff going on...


There Are Choices...

• Packetshaper
• Packetlogic
• NetEnforcer
• ET/BWMGR
• NetEqualizer
• Ascensit, et al.

Oberlin’s experiences


Classify Every Traffic Type?
The “Traditional” approach
“Traffic Discovery” results
Treat each application separately
Single out hosts for “special treatment”
Very granular and detailed picture


How to Spend All Your Time on Bandwidth Management

Granularity can be bad.
Squish each new P2P application as it comes up...
New app, new policy...
And your job is very secure!


How’s That Working Out for You?


Oberlin’s Network


Shaping “teh interTubes”

Sort of the standard illustration.
How is this done?
Adjusting TCP/IP parameters (window, flow control)
Queueing buffers


Deep Packet Inspection
To a degree, shaping by application is still necessary.
Latency, jitter matter.
Some apps are more aggressive than others.


Oberlin’s Traffic

The Gulag Applications
Peer-to-Peer apps
Restrict inbound
Squash outbound
Encryption is an issue
Spam, infections, bots


MunchkinLAN


Our Partition Scheme
Gulag Restrictions
Promised_LAN
LANada
Munchkin_LAN
Work_LAN
Play_LAN


Dynamic Partitioning is part of the Answer

Dynamic Partitions
What is “Procera?”

Procera = “tall”
Not the mushroom, Lepiota procera.
Nor the beetle, Phyllotreta procera.
Not the ceramic denture material.
Nor the tree Ulmus procera.
Google isn’t always your friend...


PacketLogic 7720 (7600)
Procera Networks is a Los Gatos, CA company, inc. in 2002 and trading on AMEX.
Packetlogic is the product of a Swedish company, Netintact AB, now merged with Procera.
Enterprises, ISPs, ILECs in Europe, Korea, SA, as well as US.
• www.proceranetworks.com
• pktlogic-edu@oberlin.edu
• University of Cambridge

Speed from Simplicity
Until the pipe is full, you don’t have a problem.
Once the limit is reached, priority queueing speeds crucial or sensitive traffic.
The most restrictive rule applies to each traffic type.
Latency can be a shaping goal.


TCP or UDP
There are many options for shaping TCP traffic.
Connectionless flows don’t have the range of alternatives available.
For UDP traffic, Packetshaper and Packetlogic approaches are essentially identical.


A Week in the Life...

Host Objects Groups
LANada is just like here, but across the border...
On-campus labs are treated like ResNet.
There are a few other special cases.


Many, many queues
“Dynamic partitions” use one queue/host.
Volume-based shaping creates queues for each host.
My chat class creates a queue for each connection.
A packet will be placed in several queues at once.
Normally, the queue with the least bandwidth determines when the packet is released.


When You Pirate mp3s
Reduce DMCA notifications...
Severely restrict P2P uploads.
Block altogether and you see other problems.
Deep identification may improve the odds.


Our shaping rules

The largest groups “borrow” bandwidth from each other.
Dynamic partitioning remains in place for ResNet.
Aid the needy, limit the greedy -- Network Socialism at work.
Figures shown are for queues, not caps.


Borrowing from queues
The shaping rule includes three queues in order:
Packet in queue 1, priority 2
Packet in queue 2, priority 3
Packet in queue 3, priority 4
The first queue that releases its copy of the packet releases the packet onto the wire.
Works best when queue 1 is full but the others are not.


Bandwidth Borrowing
Servers shaping rule:
The first shaping queue applies, but you can borrow from others if assigned.
Borrowing occurs at a reduced priority, on down the list.
The first queue to release a packet transmits it.
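The two release rules described on the "Many, many queues" and "Borrowing" slides (and the queueing-buffer point on the shaping slide) are easier to see as a small simulation. The following is an added example, not code from these slides or from PacketLogic: each queue is modelled as a virtual-clock rate limiter (a packet of S bits holds a queue of rate R for S/R seconds), priority is modelled only as list order with queue 1 first, and the queue names, rates and packet sizes are made up. In the strict case every copy must be released, so the least-bandwidth queue sets the pace; in the borrowing case the first copy to be released wins and only that queue is charged.

```python
"""Toy model of a packet sitting in several shaping queues at once.

Added example, not code from the slides or from PacketLogic. Assumptions:
each queue is a rate limiter modelled as a virtual clock; priority is only
list order (queue 1 first); all rates, sizes and names are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class ShapingQueue:
    name: str
    rate_bps: float         # bandwidth this queue allows, bits per second
    next_free: float = 0.0  # earliest time the queue can start releasing a packet

    def earliest_release(self, now: float) -> float:
        return max(now, self.next_free)

    def release(self, size_bits: float, now: float) -> float:
        """Let a packet go and advance this queue's clock by its serialisation time."""
        t = self.earliest_release(now)
        self.next_free = t + size_bits / self.rate_bps
        return t


def release_strict(queues, size_bits, now):
    """Slide 25 behaviour: a copy of the packet is placed in every queue and the
    packet leaves only when the slowest copy is released, so the queue with the
    least bandwidth determines the release time."""
    return max(q.release(size_bits, now) for q in queues)


def release_borrowing(queues, size_bits, now):
    """Slides 28/29 behaviour: queues are listed in borrowing order (queue 1 is
    the rule's own queue, the rest are lower-priority queues it may borrow from).
    The first queue able to release its copy sends the packet and only its clock
    advances. Ties go to the earlier (higher-priority) queue because min()
    returns the first minimal element."""
    winner = min(queues, key=lambda q: q.earliest_release(now))
    return winner.name, winner.release(size_bits, now)


def demo():
    pkt = 12_000  # one 1500-byte packet, in bits
    # Strict case: a per-host dynamic-partition queue at 1 Mb/s inside a
    # 10 Mb/s group queue; three back-to-back packets arriving at t=0.
    host = ShapingQueue("host", 1e6)
    group = ShapingQueue("group", 10e6)
    strict = [release_strict([host, group], pkt, 0.0) for _ in range(3)]

    # Borrowing case: the servers queue is saturated (busy until t=0.5 s) while
    # the two queues it may borrow from are idle, so packets leave through them.
    servers = ShapingQueue("servers", 2e6, next_free=0.5)
    work = ShapingQueue("work_lan", 20e6)
    play = ShapingQueue("play_lan", 20e6)
    borrowed = [release_borrowing([servers, work, play], pkt, 0.0) for _ in range(3)]
    return strict, borrowed


if __name__ == "__main__":
    strict, borrowed = demo()
    print("strict release times:", strict)  # paced by the 1 Mb/s host queue
    print("borrowing:", borrowed)           # served by work_lan/play_lan, not servers
```

Swap the `next_free=0.5` for `0.0` and the servers queue wins every tie, which is the "first shaping queue applies" case; the borrowing only matters once queue 1 is full, as the slide says.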


BitTorrent

Peer-to-Peer Apps are numerous, new definitions come out frequently.


The Internet is for...
What if you need/want more controls?
How deeply into the packet do these devices see?
There are differences between the products.


Content Filtering?
Overall, bandwidth managers are better with types than content.
But a crude degree of content identification might be available, based on filenames or keywords.
Violates “NetNeutrality?” Depends on your use.
If you intend to eliminate porn on your network, you’ll need several tools and approaches. Good luck with that!
Music/video downloads may be simpler to catch, but still I wouldn’t expect 100% success.


Copyright violators’ quarantine

Combine a set of subnets with the P2P class list to create a firewall rule for copyright violators.
We used to block ALL network traffic in infringement cases.
Now we just block P2P traffic.
DHCP assigns addresses in these ranges.


Firewall Rules

StormWorm in the Gulag
PL defines StormWorm as a traffic class by itself, and we firewall on that basis.


Surveillance Abilities
If we can’t prevent certain traffic types, can we at least spot ’em when they go by?
Was a host cited in a DMCA complaint really using BT at the time?
Who’s connected to IRC -- any bots, there?
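The quarantine firewall rule (subnets combined with the P2P class list), the StormWorm class rule, and the two surveillance questions above all reduce to lookups over flow records that the DPI box has already labelled with a traffic class. The following is an added example, not Oberlin's or PacketLogic's code: it assumes the appliance exports such records, and the quarantine subnets, class names, hosts and timestamps are constructed sample data, not real addresses or traffic.

```python
"""Quarantine firewall rule and after-the-fact lookups over classified flows.

Added example, not Oberlin's or PacketLogic's code. The DPI appliance is
assumed to export flow records already labelled with a traffic class; the
subnets, class names, hosts and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical DHCP ranges assigned to hosts under copyright-infringement sanction
QUARANTINE_SUBNETS = [ip_network("10.99.0.0/24"), ip_network("10.99.1.0/24")]
# Placeholder for the shaper's P2P class list; the real list is longer and changes often
P2P_CLASSES = {"BitTorrent", "Gnutella", "eDonkey"}
# Classes firewalled from every host, not only the quarantine (the StormWorm rule)
MALWARE_CLASSES = {"StormWorm"}


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str            # campus host
    dst: str            # remote host
    dst_port: int
    traffic_class: str  # label assigned by the DPI engine


def firewall_verdict(flow: Flow) -> str:
    """Return 'drop' or 'pass'.

    Rule 1: any flow in a malware class is dropped regardless of source.
    Rule 2: quarantined subnet AND P2P class -> drop; everything else from a
    quarantined host (web, mail, Blackboard) still passes.
    """
    if flow.traffic_class in MALWARE_CLASSES:
        return "drop"
    src = ip_address(flow.src)
    if any(src in net for net in QUARANTINE_SUBNETS) and flow.traffic_class in P2P_CLASSES:
        return "drop"
    return "pass"


def active_classes(flows, host, at, slack=timedelta(minutes=5)):
    """Traffic classes `host` took part in within +/- `slack` of `at`.

    A DMCA notice carries a timestamp; the slack allows for clock skew between
    the complainant's monitor and the campus clocks.
    """
    lo, hi = at - slack, at + slack
    return sorted({f.traffic_class for f in flows
                   if host in (f.src, f.dst) and f.start <= hi and f.end >= lo})


def hosts_using(flows, traffic_class):
    """Campus hosts seen as the source of flows in `traffic_class` (e.g. IRC)."""
    return sorted({f.src for f in flows if f.traffic_class == traffic_class})


# Constructed sample flow table (not real traffic).
T0 = datetime(2009, 2, 11, 9, 0)
SAMPLE_FLOWS = [
    Flow(T0, T0 + timedelta(minutes=40), "10.99.0.17", "198.51.100.5", 6881, "BitTorrent"),
    Flow(T0, T0 + timedelta(minutes=5), "10.99.0.17", "198.51.100.9", 80, "HTTP"),
    Flow(T0, T0 + timedelta(hours=2), "10.20.3.4", "198.51.100.5", 6881, "BitTorrent"),
    Flow(T0 + timedelta(minutes=10), T0 + timedelta(hours=3), "10.20.3.8", "203.0.113.7", 6667, "IRC"),
    Flow(T0, T0 + timedelta(minutes=1), "10.20.5.1", "203.0.113.9", 4000, "StormWorm"),
]


def demo():
    verdicts = [firewall_verdict(f) for f in SAMPLE_FLOWS]
    # Was the quarantined host really on BitTorrent at 09:30, as a notice might claim?
    cited = active_classes(SAMPLE_FLOWS, "10.99.0.17", T0 + timedelta(minutes=30))
    irc_hosts = hosts_using(SAMPLE_FLOWS, "IRC")
    return verdicts, cited, irc_hosts


if __name__ == "__main__":
    verdicts, cited, irc_hosts = demo()
    for f, v in zip(SAMPLE_FLOWS, verdicts):
        print(f"{v:4} {f.src:>12} -> {f.dst}:{f.dst_port} [{f.traffic_class}]")
    print("classes for 10.99.0.17 around 09:30:", cited)
    print("hosts on IRC:", irc_hosts)
```

Note that the verdict depends on the class label, not the port: a BitTorrent flow on port 80 from a quarantined host is still dropped, and an HTTP flow from that host still passes, which is exactly why the rule is built from the class list rather than port numbers. The class list is only as good as the DPI definitions, so a new or encrypted P2P client the box cannot label will pass this rule.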


BitTorrent

IRC identification

IRC investigation
CALEA

We believe we are exempt from CALEA compliance.
But Procera offers the PL line to ISPs as a means of providing LE with CALEA information.
Being Oberlin...


Procera Networks Contacts

David Ahee
VP Sales , Americas
Procera Networks Inc.
508-740-5393
David.ahee@proceranetworks.com

Mike Hinkler
Director, Sales & Business Development
Procera Networks Inc.
214-850-8589
mike.hinkler@proceranetworks.com

Robert Auger
Solutions Engineer
Procera Networks Inc.
952-994-2793
Robert.auger@proceranetworks.com


Demonstration time

Thanks! Questions? Let’s look at the live system.
