Local Management for QoS Parameters

Marius C. BREABĂN, Adrian GRAUR, Alin D. POTORAC, Doru G. BĂLAN
Ștefan cel Mare University of Suceava, Str. Universității, nr. 13, RO-720229, Suceava, Romania

Abstract - Next-generation video, voice and multimedia applications rely on real-time data transmission. Since all of these applications are carried "over IP", variable bandwidth has to be provided for specific situations in order to prevent network congestion. Active network equipment meets these requirements and provides the network management. However, what if the network equipment could be replaced by software able to take over its functions? The present paper presents a new approach to setting QoS parameters: the active network equipment is replaced by an application for data traffic limitation that guarantees a certain bandwidth to a given user, depending on that user's membership in a particular group of users defined in "Active Directory".

Key words - QoS, bandwidth limitation.
I. INTRODUCTION

The distributed control and transport protocols running inside switches and routers are the key technologies that allow information, in the form of digital packets, to travel around the world. However, despite their widespread adoption, traditional IP networks are complex and difficult to manage. In order to implement the desired network policies, expressed at a very high level, operators must configure each network device separately, using low-level and often vendor-specific commands, which requires advanced programming knowledge. In addition to the configuration complexity, network environments have to cope with the dynamics of faults and adapt to configuration changes. Automatic reconfiguration and response mechanisms are virtually non-existent in current IP networks, so applying the necessary policies in such a dynamic environment is extremely difficult. To make things even more complicated, current networks are also vertically integrated: in today's network topologies, the control mechanism (which decides how to handle the network traffic) and the data forwarding mechanism (which redirects the traffic according to the decision taken by the control mechanism) are bundled inside the networking devices, reducing flexibility and hindering the innovation and evolution of the networking infrastructure. [1]

From this perspective, because of the specific dynamics of the activity (the evolution of real-time applications), corporations spend many resources to guarantee data traffic at certain bandwidths, and this has become a major problem. Unlike traditional applications such as web browsing and FTP, where the network's capacity to provide QoS is not critical because these applications tolerate several imperfections of the transmission channel, real-time applications need a high-quality channel for voice and video content, since the result is tied to the user's sensory perception. Therefore, the solution is represented by Software Defined Networks (SDNs), which offer the possibility of managing certain parameters of current network infrastructures in software. SDN is a software architecture that allows network management and the implementation of data traffic policies in a centralized manner, while the forwarding rules are distributed among several devices. Compared to traditional network systems, modern SDNs offer management solutions in a totally different manner, which is by far stronger, more efficient and more flexible. In the SDN model, the application policy computation is performed locally, in real time (for instance QoS, ACL - access control lists), and the quality, security and monitoring of the policies are managed in a unitary way before being transmitted to the network nodes (switches, routers). [2]

II. SDN QoS MODEL

A. Traffic limitation through current patterns

In private network management, the traffic rate limitation controls the input and output traffic, thus ensuring that a user or application does not exceed the maximum rate or monopolize the allocated transmission bandwidth. This control applies both to Fast Ethernet ports and to Gigabit Ethernet ports. Thus, policies for bandwidth allocation to specific workstations or applications can be established.
The traffic rate limitation, along with other features such as Access Control Lists (ACL), can lead to savings by avoiding the purchase of additional WAN capacity, by carefully managing how much bandwidth is available and when. As presented in the article "Contribution for limiting and testing network policies" [3], traffic policing allows control of the maximum traffic rate sent or received on a network interface in multiple priority levels or classes of service (CoS). Traffic policing uses the token bucket algorithm and can use the values set by the user to determine the maximum rate of traffic allowed on an interface at a given moment in time. The token bucket algorithm is applied to all incoming or outgoing traffic (depending on the application's needs) and is useful in managing the network bandwidth when multiple large packets are sent into the same traffic channel. The algorithm offers users three kinds of behaviour for each packet: conform, exceed and an optional third action that enforces the traffic rules. Traffic entering a network interface with policing configured falls into one of these categories, and within them users can choose how the data packets are treated. Traffic policing is often configured on interfaces at the edge of the network (at the switch level) in order to limit the rate of traffic entering or leaving the network. In the most common configurations, conforming traffic is transmitted and the excess is either sent with low priority or dropped. Users can change these options to fit their network's needs.

Traffic shaping allows control of the outgoing/incoming traffic of an interface so that it matches the data flow needs of the target interface and conforms to the policies applied to it. Therefore, the data traffic can be assigned to a specific profile configured to meet the target interface, thereby eliminating bottlenecks in topologies with mismatched data transfer rates. Traffic shaping is used to control the access to available bandwidth, to ensure that traffic corresponds to the policies established for it, and to adjust the data traffic flow in order to avoid the congestion that may occur if traffic exceeds the access speed of the destination interface.
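The single-rate, single-token-bucket policer described above, written out as an added illustration (not code from the paper or from the tested switch): tokens are bytes, they accrue at the configured rate up to the burst size, and every packet is classified as conform or exceed. The packet trace is constructed.

```python
"""Single-rate, single-token-bucket policer, as added illustration (not the
paper's code): each packet is classified as conform or exceed."""
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float   # arrival time in seconds
    size: int   # length in bytes

class TokenBucketPolicer:
    """Tokens are bytes; they accrue at `rate` bytes/s up to `burst` bytes."""
    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # the bucket starts full
        self.last_ts = 0.0

    def _refill(self, now):
        # Credit the tokens earned since the last packet, capped at the depth.
        elapsed = max(0.0, now - self.last_ts)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last_ts = now

    def police(self, pkt):
        """'conform': tokens are consumed and the packet is forwarded.
        'exceed': nothing is consumed; the configured exceed action applies
        (drop, or transmit with lower priority, as the paper describes)."""
        self._refill(pkt.ts)
        if pkt.size <= self.tokens:
            self.tokens -= pkt.size
            return "conform"
        return "exceed"

def police_trace(trace, rate, burst):
    """Run a packet trace through a fresh policer and return one verdict per packet."""
    policer = TokenBucketPolicer(rate, burst)
    return [policer.police(pkt) for pkt in trace]

# Constructed trace: five 1000-byte packets, policed at 1000 B/s with a
# 1500-byte burst allowance. The second packet at t=0 exhausts the burst and
# the packet at t=2.0 arrives before a full packet's worth of tokens returned.
SAMPLE_TRACE = [Packet(0.0, 1000), Packet(0.0, 1000), Packet(1.0, 1000),
                Packet(1.5, 1000), Packet(2.0, 1000)]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, police_trace(SAMPLE_TRACE, 1000, 1500)):
        print(f"t={pkt.ts:.1f}s size={pkt.size}B -> {verdict}")
```

Raising the burst to 3000 bytes lets the same trace pass entirely, which is the trade-off an administrator tunes when choosing the policer's burst value.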
So, traffic shaping is accomplished through traffic classification, after the input data flow is matched against criteria defined in a "class map". Each class map defines one traffic classification. A class map allows traffic to be classified based on the following criteria:
• ISO Layer 3 and 4 information about the traffic flow: source or destination IP address, source port, destination IP address, virtual IP protocol and port, or management protocol;
• ISO Layer 7 protocol information: HTTP cookies, HTTP URL, HTTP header, HTTP content, or FTP request commands.
The traffic classification process consists of the following three steps:
1. Create a class map using the specific associated commands, comprising a set of matching criteria for Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications.
2. Create a policy map using the specific associated commands.
3. Activate the policy map and attach it to a specific interface or globally to all interfaces of a VLAN. [4]
The advantages of traffic shaping are:
• it allows control of access to bandwidth when, for example, the policy demands that the rate of traffic transfer on one interface does not exceed a certain average value even if the access rate exceeds the defined speed;
• it is used for a network with different access rates, where traffic shaping prevents packet loss.
A policy map defines a number of actions (functions) that can be applied to a set of traffic classification entries. Traffic policing measures the incoming traffic and keeps the output transfer rate at a configured value. The switch that was the subject of the tests supports a single-rate, single-token-bucket policing principle. This means that the switch measures the traffic transfer rate and treats traffic in two ways: conforming traffic and excess traffic. [5] Switch-type equipment provides bandwidth limitation according to the traffic incoming on an interface, offering the possibility of filtering the traffic among VLANs and only for certain IP or MAC addresses. The challenge is to provide traffic limitations for a specific user, according to the user's group membership, and to move the responsibility for the limitation from the switch to the workstation.

B. Traffic limitation application proposal

In the new approach to traffic limitation we propose a software solution that limits the data traffic of a user depending on the user's membership in a specific group of users. This new approach reduces the effort of limiting the data traffic on the switch by moving it to the workstation, in which case the management of traffic limitations on the switches may be given up. Moreover, it would be a better solution for providing a correctly defined bandwidth to each user, in accordance with the network access rights.
It has to be mentioned that this new solution is suited to small or medium-sized organizations, where user control is performed by using an Active Directory type server and users prove their identity before gaining access to the resources of the system. Therefore, we focused on three research directions, as follows:
- reading the rights after the access credentials are used on the workstation, and generating a file that contains the information on the user's group membership as it is defined on the Active Directory server;
- providing a variable bandwidth for the incoming and outgoing traffic through the network interface of the workstation, by using a local proxy type software;
- developing a software able to take over the information on the user's group membership and pass it to the local "proxy" software.
The reading of credentials is accomplished after the log-in operation, by automatically executing a gpresult (Group Policy Result) command in a command-line (cmd) window, as presented in Figure 1.
Figure 1. HTML file generating order

The automatic execution is performed by placing the gpresult command in a Windows script and turning it into a Windows service, using the Windows Resource Kit utility. [6] The command generates an .html file, as presented in Figures 2 and 3, which contains the information about the user as defined in the group policy on the Active Directory server, and which is overwritten at each log-in.

Figure 2. The Html report for the administrative user rights [7]
From the generated files, we analyze the information in the Group Policy Objects field. Figures 2 and 3 show that, according to the user rights defined on the Active Directory server, the two reports differ in the Security Group Membership when Group Policy was applied field, meaning that the report in Figure 2 was generated from the profile of a user with administrative rights and the report in Figure 3 from the profile of a user with limited rights.

Figure 3. The Html report for the limited user rights [7]

The second research direction is the installation of a local proxy software that filters the data traffic passing through the system network interface at various bandwidths. For this purpose the Fiddler web debugger utility was chosen, a free web debugging proxy for any browser, system or platform. [7] Besides monitoring the traffic on the network interface of the host system, this software also acts as a local proxy, so it can filter the data traffic and simulate network conditions according to traffic rules established by the administrative user and defined in Java-type files, as presented in Figure 4. [8]

Figure 4. The data packets delay rules customisation [8]

Traffic limitation is accomplished by changing the delay parameters of the data packets: request-trickle-delay for upload and response-trickle-delay for download, expressed per each 1 Kb of traffic, as presented in Figure 5.

Figure 5. The delay basis script of data packets [7]

As stated in the ITU G.114 recommendation, for data transmission the loss of packets caused by delays may be recovered at the destination, whereas for audio or video flows (VoIP or videoconferencing) these delays must be strictly controlled. [9] Thus, to provide a data rate of almost 3 Mbps, the delay was set to 16 for both upload and download, as presented in Figure 6.

Figure 6. Customization script of the data packets delay for 3 Mbps [8]

To provide a rate of around 2 Mbps, the delay was set to 8 for upload and download, as presented in Figure 7. [8]

Figure 7. Customization script of the data packets delay for 2 Mbps [8]

Therefore, by changing the file that establishes the packet delay rules, with the values obtained by testing, the desired traffic limitations can be obtained. Like the gpresult command that reads the user rights from the Active Directory server, this software is turned into a Windows service using the Windows Resource Kit utility, as presented in Figure 8. [10]

Figure 8. Fiddler software transformation into Windows Service

We mention that converting the Windows script containing the read command of the user rights from the Active Directory server, and respectively the data traffic limitation software, into Windows services allows them to be launched together with the authentication process, so that the data traffic limiter starts at the same time.

The third part of the research is the Java application that takes over the information from the html report, namely the Security Group Membership when Group Policy was applied field as specified for the user's group, calls the Fiddler service, automatically applies the traffic limits into the established Java file of traffic rules and restarts the service so that the new data traffic settings take effect.

III. CONCLUSIONS
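The three research directions chained together, as an added example that is not the paper's Java application: a script reads the group membership field from a gpresult HTML report, picks the trickle delay for that group and rewrites the request-trickle-delay and response-trickle-delay assignments in the rules text. The report fragment, the group names and which group receives which delay value are assumptions; the delay values 16 and 8 are the ones the paper obtained by testing.

```python
"""Added example: read the user's AD group membership from a gpresult HTML
report, pick the trickle delay for that group, rewrite the Fiddler rules text."""
import re
from html.parser import HTMLParser
# Constructed, simplified gpresult /h fragment (only the cell text matters here).
SAMPLE_REPORT = """<html><body>
<h2>Security Group Membership when Group Policy was applied</h2>
<table><tr><td>Domain Users</td></tr><tr><td>Domain Admins</td></tr></table>
<h2>Group Policy Objects</h2></body></html>"""

# Assumed tier table, first match wins. The delays are the values the paper
# obtained by testing (16 for ~3 Mbps, 8 for ~2 Mbps); the mapping is assumed.
TIERS = [("Domain Admins", 16), ("Domain Users", 8)]
DEFAULT_DELAY = 8
class _MembershipParser(HTMLParser):
    """Collect <td> text between the membership heading and the next heading."""
    def __init__(self):
        super().__init__()
        self.in_section = self.in_cell = False
        self.groups = []
    def handle_starttag(self, tag, attrs):
        if tag == "td":
            self.in_cell = self.in_section
    def handle_endtag(self, tag):
        if tag == "td":
            self.in_cell = False
    def handle_data(self, data):
        text = data.strip()
        if text.startswith("Security Group Membership"):
            self.in_section = True
        elif text == "Group Policy Objects":
            self.in_section = False
        elif self.in_cell and text:
            self.groups.append(text)

def parse_group_membership(html):
    parser = _MembershipParser()
    parser.feed(html)
    return parser.groups

def select_delay(groups, tiers=TIERS, default=DEFAULT_DELAY):
    """Delay (per 1 Kb of traffic, as in the paper) for the first matching tier."""
    return next((delay for group, delay in tiers if group in groups), default)

# The two session flags the paper changes, as they are assigned in FiddlerScript.
_DELAY_RE = re.compile(r'(oSession\["(?:request|response)-trickle-delay"\]\s*=\s*")\d+(")')
def apply_delay(rules_text, delay):
    """Rewrite every request/response-trickle-delay assignment in the rules text."""
    return _DELAY_RE.sub(lambda m: f"{m.group(1)}{delay}{m.group(2)}", rules_text)

# Constructed stand-in for the rules file; after rewriting it on disk, the
# Fiddler service is restarted so the new limits take effect.
SAMPLE_RULES = ('oSession["request-trickle-delay"] = "300";\n'
                'oSession["response-trickle-delay"] = "150";\n')
```

Running `apply_delay(SAMPLE_RULES, select_delay(parse_group_membership(SAMPLE_REPORT)))` yields both assignments set to 16, since the constructed report lists the user in Domain Admins.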
As presented, this is a new software approach that grants access to a larger or a smaller traffic bandwidth according to the position of the user in a specified group of an organization. The data traffic limitation application is actually a system comprising a three-step process, offering a solution that successfully replaces the QoS of switch-type equipment. Whereas, as shown in the article "Contribution for limiting and testing network policies" [3], the current solutions for data traffic limitation operate at layers 3 and 4 of the ISO/OSI model (which carry information about the data flow: the source and destination IP address, the source port, the destination IP and port, or the management protocol) and at layer 7 of the ISO/OSI model (HTTP address, HTTP header, HTTP content or FTP request commands), the developed application operates only at layer 7 of the ISO/OSI model. [10] As a development direction, the application should be tested under intensive data traffic, using the iperf utility with UDP communication between two systems at a higher constant rate. The UDP protocol was chosen because, unlike the TCP protocol, it does not perform error checking, so it provides a data transfer rate close to the one established by the user. After authentication with user accounts having limited or full administrative rights, the automatic traffic limitations are applied accordingly.

REFERENCES
[1] Diego Kreutz, Fernando M. V. Ramos, Paulo Verissimo, Christian Esteve Rothenberg, Siamak Azodolmolky and Steve Uhlig, "Software-Defined Networking: A Comprehensive Survey", arXiv:1406.0440v3 [cs.NI], 8 Oct 2014
[2] Thomas D. Nadeau and Ken Gray, "Software Defined Networks: An Authoritative Review of Network Programmability Technologies", O'Reilly Media, pp. 10-47, 2013
[3] Marius C. Breabăn, Adrian Graur, Alin D. Potorac, Doru Bălan, "Contribution for limiting and testing network policies", EFEA 2016, http://soe.northumbria.ac.uk/efea2016/
[4] J. Tadrous, A. Eryilmaz, H. El Gamal, "Proactive Content Download and User Demand Shaping for Data Networks", IEEE/ACM Transactions on Networking, Vol. 23, pp. 1917-1930, 2015
[5] Cisco 3700 Series Application Control Engine Appliance Administration Guide, Cisco Software Version A1(7), November 2007
[6] https://technet.microsoft.com/en-us/library/cc733160(v=ws.11).aspx [available at July 12, 2016]
[7] https://www.telerik.com/download/fiddler/fiddler2 [available at July 12, 2016]
[8] http://docs.telerik.com/fiddler/Extend-Fiddler/AddRules [available at July 12, 2016]
[9] https://www.itu.int/rec/T-REC-G.114/en [available at July 12, 2016]
[10] https://support.microsoft.com/en-us/kb/137890 [available at July 12, 2016]