In traditional networking systems, it is often difficult to protect against high levels of network traffic that can lead to system inefficiencies or even complete system breakdowns. For example, various denial of service (DOS) attacks can lead to such high levels of network traffic. A typical DOS attack operates by inundating a system with unexpectedly large amounts of network control traffic, to the point of tying up or breaking down normal services provided by the system. High levels of network traffic may also be undesirable under more normal operations, outside of any DOS attack. For instance, on occasion a large number of users of a connection-oriented service may all attempt to connect to a system at one time. The system may not be able to handle the peak in network control traffic resulting from connection requests from all of these users at once. Again, high levels of network traffic may load resources beyond their capabilities, which can tie up or break down the normal services provided by the system. Thus, undesirably high levels of network traffic are a potentially catastrophic problem that can arise in many different situations in a network environment.
Existing designs have not provided a satisfactory solution to this problem. Such designs either discard network traffic indiscriminately or do so according to some sort of rudimentary priority assignment. Also, such designs typically fail to provide any feedback mechanism for recognizing the escalation of network traffic, other than the eventual overflow of buffers. As a result, existing designs often contribute to significant yet avoidable losses in network capabilities under high network traffic conditions.
The present invention relates to a method for managing packets in a network comprising the steps of receiving a packet, assigning the packet to a selected one of a plurality of classes, checking a counter associated with the selected class, advancing the counter toward a target value and forwarding the packet if the counter is not equal to the target value, dropping the packet if the counter is equal to the target value, and from time to time, resetting the counter to a reset value not equal to the target value to allow more packets from the selected class to be forwarded.
In one embodiment, the counter is scheduled to be repeatedly reset according to a period, which may be implemented by use of a timer. The period can be changed to effectuate a different rate of packet forwarding for the selected class. The reset value can also be changed to effectuate a different rate of packet forwarding for the selected class. Further, the target value can also be changed to effectuate a different rate of packet forwarding for the selected class. In one embodiment, a different rate of packet forwarding for the selected class is effectuated in response to at least one measure of processor load. A different rate of packet forwarding for the selected class may also be effectuated in response to at least one measure of storage load. Further, a different rate of packet forwarding for the selected class may be effectuated in response to at least one measure of packet congestion. The counter may be reset as a task having a lower priority than at least another task. Also, the lower priority task may be scheduled according to a period.
According to one embodiment, the receiving, assigning, checking, forwarding, and dropping steps are performed by a first process, and the resetting step is performed by a second process. The first process may be associated with a data plane, and the second process may be associated with a control plane.
FIGS. 3A-C illustrate an example of how packets of a particular class are forwarded and dropped in accordance with one embodiment of the invention.
FIGS. 4A-C illustrate processing of three different classes of packets in accordance with one embodiment of the invention.
In accordance with one embodiment of the invention, network device 102 receives packets of information from network devices 104, 106, 108, and 110. Network device 102 may also transmit packets to network devices 104, 106, 108, and 110. Here, the term “packet” refers generally to a portion of digital information. While it is not necessary, a packet may include a header and a payload, which can contain another packet. Thus, a packet may comprise data arranged in a nested fashion. The packets may represent various types of data associated with different protocols, at different levels of communication, and possibly for different networking systems. The packets may also refer to data packets or control packets. For example, the packets may represent Point-to-Point Protocol (PPP) configuration request packets, PPP echo request packets, PPP echo reply packets, Point-to-Point Protocol over Ethernet (PPPoE) discovery packets, broadcast Internet Protocol (IP) packets, route protocol packets, just to name a few. According to the present embodiment, network device 102 efficiently manages undesirably high levels of network traffic by discarding at least a portion of the received packets in a systematic and efficient manner.
As shown in
Referring back to
FIGS. 3A-C illustrate an example of how packets of a particular class are forwarded and dropped in accordance with one embodiment of the invention. Here, a counter associated with this particular class ensures that a maximum number of 6 packets from the class are allowed to be forwarded, until the counter is reset. A timer associated with the class is used to reset the counter once every 2 seconds.
According to one embodiment, a count-down counter can be employed. For example, the count-down counter for a particular class may be initially set to a value of 6. Before forwarding each packet from this class, the current value of the count-down counter is checked. If the current value of the count-down counter is non-zero, the count-down counter is decremented by 1 and the packet in question is forwarded. If the current value of the count-down counter is zero, the packet in question is dropped. Thus, once the count-down counter reaches zero, additional packets from this class are dropped until the count-down counter is reset to 6 or some other non-zero value. Alternatively, a count-up counter, or some other type of counting mechanism, may be used.
For each class of packets, the rate at which packets are forwarded may thus be adjusted by either changing the reset value of the count-down counter (or the target value of a count-up counter), or changing the frequency at which counters are reset, or both. For example, resetting a count-down counter to a high value allows more packets to be forwarded before the count-down counter decrements to zero. Resetting a count-down counter more frequently allows the counter to restart at a non-zero value more often, and thus allows more packets to be forwarded over a given period of time. In this manner, the rate at which packets are forwarded can be systematically controlled, on a class-by-class basis.
FIGS. 4A-C illustrate processing of three different classes of packets in accordance with one embodiment of the invention. Each class is associated with a counter that keeps track of how many packets from the class are forwarded, as well as a timer that resets the counter periodically. The table below summarizes, for each class, the maximum number of packets allowed to be forwarded until the next reset of the counter, as well as the period by which the counter is reset using the timer.
As shown in FIGS. 4A-C, the packets that are allowed to be forwarded are marked as unshaded, and the packets to be dropped are marked as shaded. The number of packets and specific counter and timer values demonstrated in FIGS. 4A-C are chosen to provide a simple illustration. Different numbers and values are within the scope of the present invention.
According to one embodiment of the invention, feedback information can be used to throttle the rate by which packets are forwarded. Such use of feedback can also be implemented on a class-by-class basis. For example, for a given class, the maximum number of packets allowed to be forwarded until the next reset of the counter, as well as the period by which the counter is reset using the timer, or both, can be dynamically modified in response to certain conditions, such as indications of excessive processor load, storage load, and/or some other measure. Thus, the rate by which packets of a particular class are forwarded can be decreased, for instance, if build-up of packets for that class, build-up of packets generally, or some other condition, is detected. This allows the system to adjust to changing conditions to maximize the efficient use of packet processing resources.
According to another embodiment of the invention, the task of resetting the counter associated with a given class can be performed by a device, such as a processor, as a lower priority task. The task may still be scheduled to occur on a periodic basis. For example, the counter reset may be carried out by a processor as an interrupt-driven event that corresponds to a lower priority interrupt occurring once per second. However, if the processor is busy performing higher priority tasks when a particular counter reset is scheduled to occur, the counter reset may not be performed right away. Because the counter is not reset, packets of the corresponding class will continue to be dropped once the maximum number of packets allowed to be forwarded (until the next reset of the counter) is reached. These packets are dropped until the processor is less busy and able to perform the lower priority task of resetting the counter, effectively slowing the rate at which packets are forwarded. This results in an additional approach by which the rate of packet forwarding can be dynamically controlled in response to indications of load on the system. In the present example, the combination of the maximum number of packets allowed to be forwarded until the next counter reset and the period of the counter reset (for example, a maximum count of 6 packets and a counter reset period of 2 seconds) may establish a ceiling for the rate of packet forwarding for a particular class. That is, packets will not be forwarded faster than 6 packets every 2 seconds. However, the rate may not necessarily stay at 6 packets every 2 seconds—it may slow down in response to the processor becoming busy.
According to at least one embodiment of the invention, one or more classes of packets can be dynamically added or deleted during operation of the system. This provides additional flexibility in the management of packets. As new packet classes are needed, they can be quickly added without re-compiling software code. Also, as certain packet classes become less useful, they can be quickly deleted in a similar manner.
Further, the data plane 202 and the control plane 204 can both contribute to control of packet forwarding. In one embodiment, data plane 202 may be responsible for assigning each packet to the appropriate class, checking the counter associated with the class to see if more packets from the class can be forwarded, forwarding the packet to control plane 204 and incrementing/decrementing the counter when appropriate, and discarding the packet when appropriate. Data plane 202 may perform these tasks at relatively higher speeds, for a large number of packets. Control plane 204, on the other hand, may simply be responsible for resetting the counter for each class. By setting the reset/target value of the counter, control plane 204 can control the maximum number of packets allowed to be forwarded until the next reset of the counter is reached. Control plane 204 can also control how often the counter for each class is reset. In this manner, control plane 204 can adjust the rate at which packets of the class are forwarded to control plane 204 on a class-by-class basis. Control plane 204 may perform these tasks at relatively lower speeds. Such division of tasks between data plane 202 and control plane 204 may be implemented according to one embodiment of the invention.
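As an added example (not code from the patent), the following Python simulation models the per-class count-down counter checked on the fast data-plane path, the periodic counter reset run as a deferrable lower-priority control-plane task, and load-based throttling of the reset value; the class name "ppp", the load thresholds, and the packet burst are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PacketClass:
    """Count-down counter and reset timer for one packet class (constructed example)."""
    name: str
    reset_value: int            # packets allowed between two counter resets
    period: float               # seconds between scheduled counter resets
    counter: int = field(init=False)
    base_reset: int = field(init=False)
    last_reset: float = 0.0

    def __post_init__(self):
        self.counter = self.reset_value
        self.base_reset = self.reset_value

    def admit(self) -> bool:
        """Data-plane step: forward while the counter is non-zero, drop at zero."""
        if self.counter == 0:
            return False        # dropped until the control plane resets the counter
        self.counter -= 1
        return True

    def reset_if_due(self, now: float, processor_busy: bool = False) -> bool:
        """Control-plane step: periodic reset, deferred while higher-priority work runs."""
        if processor_busy or now - self.last_reset < self.period:
            return False
        self.counter = self.reset_value
        self.last_reset = now
        return True

    def throttle(self, load: float) -> None:
        """Feedback: halve the allowance above 80% processor load, restore it below 50%."""
        if load > 0.8:
            self.reset_value = max(1, self.base_reset // 2)
        elif load < 0.5:
            self.reset_value = self.base_reset


def simulate(classes, arrivals, busy_until=0.0):
    """Replay constructed (time, class name) arrivals; returns {name: (forwarded, dropped)}."""
    by_name = {c.name: c for c in classes}
    stats = {c.name: [0, 0] for c in classes}
    for t, name in arrivals:
        for c in classes:       # reset runs only when due and the processor is not busy
            c.reset_if_due(t, processor_busy=t < busy_until)
        stats[name][0 if by_name[name].admit() else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}

# Constructed burst: 10 PPP packets in the first second, 8 more starting at t = 2 s.
BURST = [(i / 10, "ppp") for i in range(10)] + [(2 + i / 10, "ppp") for i in range(8)]
```

With a limit of 6 packets per 2-second reset period, `simulate([PacketClass("ppp", 6, 2.0)], BURST)` forwards 12 and drops 6, while marking the processor busy until t = 3 s defers the reset so only the first 6 are forwarded.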
Referring back to
This application claims priority from U.S. Provisional Application No. 60/455,731, filed Mar. 13, 2003. The 60/455,731 application is incorporated herein by reference.
Number | Date | Country
---|---|---
60455731 | Mar 2003 | US