[email protected] A & M University1 Design, and Evaluation of a Partial State Router Phani...

[email protected] Texas A & M University 1

Design, and Evaluation of a Partial State Router

Phani AchantaA. L. Narasimha Reddy

Dept. of Electrical EngineeringTexas A&M University

June 22 2004, ICC


Motivation Increasing non-responsive traffic

Multimedia traffic reduced fairness

Increased DoS attacks Bandwidth denial attacks appear as non-

responsive traffic Need for mechanisms to control the

high bandwidth flows Identification of high bandwidth flows Control of High bandwidth flows


Previous work Per-flow queuing mechanisms address

these issues Maintain per flow state FQ, LQD Scalability concerns

Scalable single queue mechanisms cannot provide ‘flow isolation’ Stateless schemes base decisions on overall

characteristics observable at the router Droptail, RED, Diffserv Fail to contain aggressive flows


Previous work Denial of Service Attacks are

addressed on a per-attack basis Network ingress filtering

Need for scalable mechanisms Partial state mechanisms


Observations Internet traffic is heavy tailed

Bulk of traffic is carried by a few flows (elephants) Bulk of the flows are short-lived (mice)

Dropping packets from short-term flows does not alleviate the network congestion

Class based congestion control does not take into account responsiveness of the traffic

Need a scheme for a quantitative policy-driven control of bandwidth Partial State schemes


Partial State Routers Maintain a fixed amount of state State is managed by sampling or

caching techniques Challenge: How do you manage

state effectively to capture information about elephants?


Scheme - Outline

Partial state can be used to identify non-responsive flows, bandwidth hogs or high bandwidth flows

Normal flows are handled in a stateless fashion


LRU-FQ Partial state scheme Identification of high-bandwidth, non-

responsive flows Cache contains Least Recently Used (LRU) flows Probabilistically replaces the bottom entry of LRU List contains mostly non-responsive high

bandwidth flows Penalizing of non-responsive flows

Employ fair queuing mechanism between non-responsive (cached) and responsive classes

Ensures granular control of the proportion of non-responsive traffic that a router wants to handle


LRU-FQ flow chart – enqueue event

Packet Arrival

Is Flow in Cache?

Yes

No Does Cache Have

space?

Yes

Admit flow with Probability ‘p’

No

Is Flow Admitted?

Record flow detailsInitialize ‘count’ to 0

Yes

Increment ‘count’Move flow to top of cache No

Is‘count’ >= ‘threshold’

No

Yes

Enqueue in Partial stateQueue

Enqueue in NormalQueue


LRU-FQ flow chart – dequeue event

Dequeue event results in selection of a packet from either queues based on the Start Time Fair Queue algorithm

The weights assigned to the individual queues determine the service allotted to each class of flows


LRU cache behavior LRU policy with probabilistic admission

ensures only high bandwidth flows remain over a period of time

Non-responsive high bandwidth flows percolate to the top of the LRU cache.

Web mice which might corrupt the cache are controlled by the ‘threshold’ parameter


Implementation Issues on Linux


Linux IP packet forwarding

Packet Arrival Check & StorePacket

Enqueue pkt

Request SchedulerTo invoke bottom half

Device Prepares

packet Packet Departure

Error checkingVerify

Destination

Route to destinationUpdate Packet

Packet Enqueued

Scheduler invokesBottom half Scheduler runs

Device driver

Local packetDeliver to upper layers UPPER LAYERS

IP LAYER

LINK LAYER

Design space


Linux Kernel Traffic control

Filters are used to distinguish between different classes of flows

Each class of flows can be further categorized into subclasses using filters

Queuing disciplines control how the packets are enqueued and dequeued


LRU-FQ Implementation LRU-FQ is distributed among various

QoS components of Linux. LRU component of the scheme is

implemented as a filter. All parameters of LRU – threshold, probability, and cache size – are passed as parameters to the filter

LRU cache is maintained within the filter.


LRU-FQ implementation Start Time Fair queuing is

implemented as a queuing discipline. Each queue is scheduled based on its

weight Existing Linux FQ queue disciplines

work only for flows within a queue. Modified packet structure skbuff to

carry STFQ start and finish tags.


LRU-FQ ValidationTiming Analysis

95.6

95.62

95.64

95.66

95.68

95.7

95.72

0 5 10 15 20 25 30 35 40 45

Time Delay (usec)

Rec

eive

d T

put

(M

bp

s)

Normal Routing

Diffserv Routing

Start Time FQ & LRU

Timing Analysis


LRU-FQ validation


Experimental Setup and Results


Experimental Test bed


Experiment 1 – Non-responsive flows

Containing non-responsive flows: cache size=12,

threshold=125, p=1/50 20 TCP long term flows varying number of UDP

flows to study cache efficacy on varying weights of the queues.


Results – Non-responsive


Experiment 2 – Non-responsive flows

To study effectiveness of scheme with reduced non-responsive flow rates

threshold = 125, probability = 1/50

cache size=12 20 long term TCP flows


Results – Non-responsive


Experiment 3 – Web mice vs Elephants

Web mice versus elephants effect of long term

loads on web mice long term load

contains both responsive an non-responsive loads

probability=1/50, threshold=125, cache=12


Results – Web mice


Experiment 4 – Cache size Effect of varying cache size

to study impact of cache size on performance of the scheme

probability= 1/55, threshold = 125 number of TCP flows=20 equal weights for both queues.


Results – Cache size


Experiment 5 - Workloads Performance under normal

workloads working of scheme when non-

responsive loads are absent or use their fair share of bandwidth

cache size = 9, threshold =125 probability = 1/55


Results – Normal workload


Results – Mixed workload


Conclusion Proposed, implemented and

evaluated an LRU based partial state scheme (LRU-FQ)

LRU-FQ shown to enable quantitative control of non-responsive traffic

LRU-FQ shown to provide better performance for web mice flows


Future work Study of aggregate traffic instead of

flow-specific schemes source based aggregation can help

identifying DoS attacks from a single network

Identification of proportion of non-responsive traffic in order to automate tuning of the LRU-FQ scheme


DropTail FIFO based - Easy to implement Full Queues and Lock-Out problems variants – Drop from front, Random

Drop RED

manages the average queue length by marking or dropping packets early

does not contain aggressive flows

Stateless AQM schemes


Stateless AQM schemes BLUE

bases decisions on two events – packet losses due to Full queues and link idle times.

the two events control congestion signaling probability

does not contain aggressive flows. CHOKe

Incoming packets are matched with random packet in queue to arrive at a drop strategy.

does not contain aggressive flows.


Stateful AQM schemes Longest Queue Drop (LQD)

per flow queue of packets packets from longest queue dropped

upon exhaustion of buffers Flow RED (FRED)

employs per flow RED and Fair Queuing alleviates some RED problems but

requires per-flow queue


Packet State AQM schemes Diffserv

packets marked ‘in’ and ‘out’ based on QoS contract.

‘out’ packets dropped disproportionately thus securing QoS for ‘in’ packets.

Core-Stateless Fair Queuing packets carry the edge router’s estimate of

fair rate on the outgoing link the fair rate is used to arrive at the

forwarding probability.


Partial State AQM schemes Stabilized RED: SRED

identification of misbehaving flows – ‘zombie’ list list is pruned by probabilistic replacement of a

random entry with the incoming packet SACRED

random sampling and holding to maintain a cache of ‘marked’ flows

Random flows observed when average queue length exceeds a sampling threshold.

At dropping threshold, packets are dropped from observed flows exceeding a limit share threshold


Partial State AQM schemes Red-PD

makes use of the drop history observed at an RED router

arrives at a list of flows exceeding a target threshold

LRU-RED maintains an LRU to identify top ‘n’

flows. modifies RED to penalize them more

than normal flows.


Active Queue Management schemes1. Stateless

decisions based on overall characteristics observable at the router queue like average queue length, aggregate arrival and departure rates etc.

DropTail, RED, BLUE, CHOKe

2. Stateful per-flow state maintained to administer the

scheme. Longest Queue Drop (LQD), FRED


Active Queue Management schemes

3. Packet state state is maintained within packets routers base decisions on the state within

packets Diffserv, CSFQ

4. Partial state maintain a limited amount of state state is pruned using sampling and caching SRED, SACRED, RED-PD, LRU-RED


Denial of Service Solutions Network ingress filtering

filter spoofed addresses Traceback algorithms

throttle the attacker at the source network MULTOPS

multi-level tree containing packet statistics proposed for bandwidth attack detection


Observations Stateful schemes are effective but not

scalable Stateless schemes fail to protect normal

flows from aggressive flows Earlier partial state schemes rely on

RED mechanism for resource control Earlier work provides qualitative

improvement of performance for responsive flows and short term flows


Possible Applications of Partial State schemes Control of non-responsive proportion of

traffic Identification of top bandwidth hogs to

alleviate certain DoS scenarios Better service for web mice

lower delay bounds and larger connection rates weights of the fair queuing control the delay

Control of Bandwidth allocation for normal traffic buffers assigned per queue control the

bandwidth

[email protected] A & M University1 Design, and Evaluation of a Partial State Router Phani...

Documents

Transcript of [email protected] A & M University1 Design, and Evaluation of a Partial State Router Phani...