Managing P2P Applications or Where Did My Internet Bandwidth Go? David L. Merrifield University of Arkansas [email protected] June 19, 2003.

Managing P2P ApplicationsManaging P2P Applicationsoror

Where Did My Internet Bandwidth Go?Where Did My Internet Bandwidth Go?

David L. MerrifieldDavid L. MerrifieldUniversity of ArkansasUniversity of Arkansas

[email protected]@uark.eduJune 19, 2003June 19, 2003

The First Peer-to-Peer (P2P) ApplicationThe First Peer-to-Peer (P2P) Application

Widely Accepted by the Internet PublicWidely Accepted by the Internet Public

May 1999 – Napster created by May 1999 – Napster created by Northeastern University students Shawn Northeastern University students Shawn Fanning and Sean Parker and takes the Fanning and Sean Parker and takes the college world by stormcollege world by stormDecember 7, 1999 – RIAA sues Napster December 7, 1999 – RIAA sues Napster on grounds of copyright infringementon grounds of copyright infringementApril 13, 2000 – Metallica files suit against April 13, 2000 – Metallica files suit against Napster and three universities for Napster and three universities for copyright infringementcopyright infringement

May 5, 2000 – Judge rules that Napster is May 5, 2000 – Judge rules that Napster is in violation of DMCAin violation of DMCAOctober 31, 2000 – Napster announces October 31, 2000 – Napster announces that it will partner with Bertelsmann AG to that it will partner with Bertelsmann AG to develop subscription-based distributiondevelop subscription-based distributionMarch 2001 – Napster attempts file March 2001 – Napster attempts file blocking and filtering techniques to blocking and filtering techniques to eliminate copyrighted material from eliminate copyrighted material from distributiondistribution

July 2001 – Judge orders Napster offline July 2001 – Judge orders Napster offline until copyrighted material is removed until copyrighted material is removed entirelyentirelyOctober 2001 – Napster begins self October 2001 – Napster begins self destructingdestructingMarch 2002 – Federal appeals court March 2002 – Federal appeals court orders Napster offlineorders Napster offlineSeptember 2002 – Judge blocks sale of September 2002 – Judge blocks sale of Napster to BertelsmannNapster to Bertelsmann

November 2002 – Roxio bought Napster’s November 2002 – Roxio bought Napster’s name and technology in bankruptcy name and technology in bankruptcy auction for $5Mauction for $5M

Napster may be gone, but it was only the Napster may be gone, but it was only the beginning…beginning…

What is the P2P Problem?What is the P2P Problem?

MP3

What is the P2P Problem?What is the P2P Problem?

MP3MP3MP3MP3MP3MP3MP3

What is the P2P Problem?What is the P2P Problem?More inbound than outbound trafficDouble-Humped Curve

What is the P2P Problem?What is the P2P Problem?Near 100% outbound utilization More evening activity

Steps to Managing P2P UseSteps to Managing P2P Use

Ignore the problemIgnore the problem

Management by written policyManagement by written policy

Port blockingPort blocking

Rate limitingRate limiting

Bandwidth quotasBandwidth quotas

QoSQoS

Ignore The ProblemIgnore The Problem

Disruptive to your legitimate usersDisruptive to your legitimate users

Consumes your expensive bandwidthConsumes your expensive bandwidth

Presents security exposuresPresents security exposures

Presents copyright issuesPresents copyright issues

Management by Written PolicyManagement by Written Policy

ThouShaltNot…

P2P

Port BlockingPort Blocking

Port blocking as a means to block P2P Port blocking as a means to block P2P applicationsapplications

Not effective for all P2P applicationsNot effective for all P2P applications

Some P2P apps use other well-known Some P2P apps use other well-known ports, such as port 80 (web)ports, such as port 80 (web)

Some P2P apps negotiate ports, so actual Some P2P apps negotiate ports, so actual ports used are not predictableports used are not predictable

Rate LimitingRate Limiting

Limit the abusing usersLimit the abusing users– Set limit on individual or total throughputSet limit on individual or total throughput

Limit the abusing applicationsLimit the abusing applications– Set limit on application throughputSet limit on application throughput

Rate LimitingRate Limiting

University of Arkansas ExperienceUniversity of Arkansas Experience– September 2001September 2001– Outbound Bandwidth at Max Most of DayOutbound Bandwidth at Max Most of Day– High Packet Drop RatesHigh Packet Drop Rates– Very Poor Internet PerformanceVery Poor Internet Performance– No One Was HappyNo One Was Happy

Rate LimitingRate Limiting

University of Arkansas ExperienceUniversity of Arkansas Experience– November 2001November 2001– Implemented Committed Access Rate (CAR) Implemented Committed Access Rate (CAR)

on Cisco 7507 Border Routeron Cisco 7507 Border Router– Limited Aggregate Dorm Traffic to 5 MbpsLimited Aggregate Dorm Traffic to 5 Mbps

UARK Internet Bandwidth

Blue LineOutboundTraffic

Green SolidInboundTraffic

Rate LimitingRate Limiting

University of Arkansas ExperienceUniversity of Arkansas Experience

UARK Internet Outbound Packet Rate

UARK Ping Statistics

Blue LineOutboundPacket Rate

Green SolidOutboundPacket Drops

Rate LimitingRate Limiting

University of Arkansas ExperienceUniversity of Arkansas Experience– Beware that some routers experience high Beware that some routers experience high

CPU utilizations and performance is degraded CPU utilizations and performance is degraded when rate limiting is being done.when rate limiting is being done.

Router CPU Utilization

RouterCPU usageincreased20% whenCAR wasenabled onCisco 7507

Bandwidth QuotasBandwidth Quotas

Bruce Curtis, North Dakota State Bruce Curtis, North Dakota State UniversityUniversity

Implemented bandwidth quotas for Implemented bandwidth quotas for residence hallsresidence halls

Every user is authenticated before they Every user is authenticated before they can use the networkcan use the network

Bandwidth utilization is measured via flow Bandwidth utilization is measured via flow data collected at border routerdata collected at border router

Bandwidth QuotasBandwidth Quotas

AuthenticationServer

Internet

1. User authenticates

FlowDataCollector

Bandwidth QuotasBandwidth QuotasFlowDataCollector2. User queued to use high-speed

Internet pipe

InternetAuthenticationServer

Bandwidth QuotasBandwidth QuotasFlowDataCollector

InternetAuthenticationServer

3. If user exceeds bandwidth quota, queued to use low-speed pipe

OverQuota!!!

Bandwidth QuotasBandwidth Quotas

Fair share quota established for every Fair share quota established for every useruser

300 MB per day300 MB per day

If limit exceeded, user is placed in a rate-If limit exceeded, user is placed in a rate-limiting pool (aggregate limit of 300 Kbps)limiting pool (aggregate limit of 300 Kbps)

About 15% of users regularly exceed limitAbout 15% of users regularly exceed limit

Limits are reset daily at 6:00 A.M.Limits are reset daily at 6:00 A.M.

Quality of ServiceQuality of Service

Use external device to manage traffic by Use external device to manage traffic by application or user or bothapplication or user or both

Build and apply policies about the way Build and apply policies about the way applications and users use bandwidthapplications and users use bandwidth

Quality of DisserviceQuality of Disservice

Quality of ServiceQuality of Service

Two major competitorsTwo major competitors– Packeteer PacketShaperPacketeer PacketShaper

– Allot NetEnforcerAllot NetEnforcer

Quality of ServiceQuality of Service

Internet

BorderRouter

Firewall

LAN

Quality of ServiceQuality of Service

Classify traffic by:Classify traffic by:– Application signatureApplication signature– ProtocolProtocol– Port numberPort number– SubnetSubnet– URLURL– Host nameHost name– LDAP host listLDAP host list– Diffserv settingDiffserv setting– 802.1p/q802.1p/q

– MPLS tagMPLS tag– IP precedence bitsIP precedence bits– IP or MAC addressIP or MAC address– Direction (in vs. out)Direction (in vs. out)– SourceSource– DestinationDestination– MIME typeMIME type– Web browserWeb browser– Oracle databaseOracle database

Quality of ServiceQuality of Service

Shape trafficShape traffic– Per application minimumPer application minimum– Per application maximumPer application maximum– Per session minimumPer session minimum– Per session maximumPer session maximum– Dynamic per-user minimum & maximumDynamic per-user minimum & maximum– TCP & UDP rate controlTCP & UDP rate control– DoS attack avoidanceDoS attack avoidance

Quality of ServiceQuality of Service

Sample configurationSample configuration– Group P2P apps (KaZaa, Morpheus, Group P2P apps (KaZaa, Morpheus,

eDonkey, BearShare, etc.) into one classeDonkey, BearShare, etc.) into one class– Limit the P2P class to 15% of capacity of Limit the P2P class to 15% of capacity of

inbound Internet linkinbound Internet link– Limit the P2P class to 5% of capacity of Limit the P2P class to 5% of capacity of

outbound Internet linkoutbound Internet link

PacketeerPacketeer

PacketeerPacketeer

PacketeerPacketeer

Packeteer PacketShaperPacketeer PacketShaper

SeriesSeries 15501550 25002500 45004500 65006500 85008500Max Throughput Max Throughput (Mbps)(Mbps)

22 1010 4545 100100 200200

Max ClassesMax Classes 256256 512512 512512 1,0241,024 2,0482,048

Max Dynamic Max Dynamic PartitionsPartitions

128128 512512 512512 5,0005,000 20,00020,000

Max Static PartitionsMax Static Partitions 128128 256256 256256 512512 1,0241,024

Max PoliciesMax Policies 256256 512512 512512 1,0241,024 2,0482,048

Max IP HostsMax IP Hosts 5,0005,000 10,00010,000 25,00025,000 25,00025,000 100,000100,000

Max IP FlowsMax IP Flows 7,5007,500 30,00030,000 75,00075,000 150,000150,000 300,000300,000

Allot NetEnforcerAllot NetEnforcerModel Bandwidth Pipes Policies Connections

AC-102/128 128 Kbps 128 1,024 6,000

AC-102/512 512 Kbps 128 1,024 6,000

AC-202/2M 2 Mbps 256 2,048 12,000

AC-202/10M 10 Mbps 512 2,048 20,000

AC-302 45 Mbps 1,024 4,096 64,000

AC-402 100 Mbps 1,024 4,096 96,000

AC-601 100 Mbps 2,048 8,192 128,000

AC-702 155 Mbps 2,048 8,192 128,000

AC-802 310 Mbps 2,048 8,192 128,000

ConclusionConclusion

P2P applications are here to stayP2P applications are here to stay

Legality and copyright issues aside, the Legality and copyright issues aside, the network bandwidth consumed can network bandwidth consumed can overwhelm most networksoverwhelm most networks

Management by decree may work in small Management by decree may work in small environments, but not large onesenvironments, but not large ones

Effective management techniques usually Effective management techniques usually involve bandwidth shaping or quotasinvolve bandwidth shaping or quotas

The EndThe End

Questions?Questions?