Network Quotas for Individuals: A better answer to the P2P bandwidth problem

1
Network Quotas for Individuals: A better answer
to the P2P bandwidth problem?
Bruce Curtis, North Dakota State University
2
NDSU Implemented a Usage Based Rate Limit System
  • On April 2nd 2002 NDSU started testing a new (for
    us) system for limiting bandwidth usage in our
    residence halls.

3
Back to Why?
  • Looking back, I guess that since day one I was
    motivated by the idea of personal
    accountability. I liked the principle that a
    user's actions should affect them more directly,
    rather than have the pain of network slowness be
    spread to the whole ResNet community.

4
More Why?
  • With this system we don't have to decide which
    apps are misbehaved.
  • We don't have to keep updating access-lists or
    wait for vendors to update code to recognize the
    latest P2P or other app.
  • It may just be a matter of time before P2P apps
    start using random ports and/or encryption.
  • (Kazaa now is configured with a random port by
    default. Blubster touts anonymity. Freenet
    encryption?)

5
  • This will apply only to traffic going to or
    coming from the Internet. On-campus traffic, like
    reading your Mail@NDSU e-mail or using
    Blackboard, will not be counted, nor will usage
    between 2:00 AM and 6:00 AM. The bandwidth usage
    will be reset daily at 6:00 AM.
  • If a resident exceeds their daily allocation,
    they will be placed into a shared, limited pool
    with other users that have exceeded their
    allocation. They will not be disconnected; they
    will be sharing 300 kbps, which may be very slow
    for the remainder of the day.

6
The Network
7
Information Flows
8
i1 and i2 traffic flows
9
Original Implementation Details
  • Track usage by ethernet number
  • Add to CAR access lists every 5 minutes
  • Rebuild CAR access lists from scratch hourly to
    avoid limiting someone who inherited via DHCP an
    IP number that is in the access lists.

10
Changing Ethernet or IP
  • Ethernet numbers in ResNet must be registered.
    We use the NetReg package from Southwestern U.
    Each ethernet number must be registered before it
    can access the Internet.
  • Changing the IP number only helps for 5 minutes
    until the access lists are updated from the usage
    info and arp table.
  • Cross checks and countermeasures could be set up
    to monitor when these things are tried.
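
As an added example (not NDSU's code), the accounting rules from slide 5 and the access-list rebuild from slides 9 and 10 can be written as follows: usage is summed per ethernet number, and the limited list is rebuilt from the ARP table so that a limit follows the ethernet number rather than the IP number. The flow-record layout, the campus address range and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

QUOTA_BYTES = 600 * 10**6                    # the 600 MB initial daily quota
CAMPUS_NETS = [ip_network("192.0.2.0/24")]   # assumed stand-in for on-campus ranges

def quota_day(ts):
    """Usage resets at 6:00 AM, so a quota day runs 6:00 AM to 6:00 AM."""
    return (ts - timedelta(hours=6)).date()

def is_counted(ts, remote_ip):
    """Count only Internet traffic outside the free 2:00-6:00 AM window."""
    if 2 <= ts.hour < 6:
        return False
    return not any(ip_address(remote_ip) in net for net in CAMPUS_NETS)

def usage_by_mac(flows, day):
    """Total counted bytes per ethernet number for one quota day."""
    totals = defaultdict(int)
    for ts, mac, remote_ip, nbytes in flows:
        if quota_day(ts) == day and is_counted(ts, remote_ip):
            totals[mac] += nbytes
    return dict(totals)

def build_limited_ips(totals, arp_table):
    """Rebuild from scratch: the current IP of every over-quota ethernet number."""
    over = {mac for mac, used in totals.items() if used > QUOTA_BYTES}
    return sorted(ip for ip, mac in arp_table.items() if mac in over)

# Constructed sample data (documentation address ranges, made-up ethernet numbers).
A, B, C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
TODAY = datetime(2002, 4, 2).date()
FLOWS = [
    (datetime(2002, 4, 2, 20, 0), A, "203.0.113.7", 400 * 10**6),
    (datetime(2002, 4, 3, 1, 30), A, "203.0.113.7", 250 * 10**6),  # same quota day
    (datetime(2002, 4, 2, 21, 0), B, "192.0.2.25", 900 * 10**6),   # on campus: free
    (datetime(2002, 4, 3, 3, 0), C, "203.0.113.9", 900 * 10**6),   # 2-6 AM: free
]
ARP_BEFORE = {"198.51.100.10": A, "198.51.100.11": B}
ARP_AFTER = {"198.51.100.42": A, "198.51.100.10": B}  # A moved; B inherited A's old IP

if __name__ == "__main__":
    totals = usage_by_mac(FLOWS, TODAY)
    print(totals)
    print(build_limited_ips(totals, ARP_BEFORE))
    print(build_limited_ips(totals, ARP_AFTER))
```

With the second ARP table, the rebuilt list limits the over-quota machine at its new IP number and no longer limits the machine that inherited the old one.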

11
Limiting Issues
  • Our bandwidth target was 15 Mbps so we chose the
    limited pool size to be 10% of that, which is 1.5
    Mbps.
  • We have 5 subnets.
  • So 1.5 Mbps / 5 pools = 300 kbps per pool
  • In other words we sacrifice 1.5 Mbps to
    discourteous users taking more than their share
    of bandwidth.
  • If successful the quota should affect 10% of the
    users and restrict them to using only 10% of the
    bandwidth. (After reaching their quota)

12
Picking the Numbers
  • We postulated a bandwidth hungry but legitimate
    educational activity for an estimated quota.
  • A video class offered via H.323 for an hour would
    take 384 Kbps + some overhead.
  • 500 Kbps × 60 s/m × 60 m/hr / 8 bits/byte = 225
    MB
  • We count both inbound and outbound data so 225 ×
    2 = 450 MB
  • Allowing for other daily traffic we picked 600 MB
    as our initial quota for the test.

13
(No Transcript)
14
15
16
Before
There are about 500 AudioGalaxy users
Put in flowscan out graph and mention that about
500 users are running AudioGalaxy. But first
put in before and after outbound graphs.
17
(No Transcript)
18
Probation
  • Implemented the concept of probation.
  • If a student was over their quota yesterday their
    traffic will be limited. But the probation rate
    limits will be 5 times the quota rate limits.
  • Probation works well and keeps chronic offenders
    under control which avoids reset spikes.
  • But it is complicated to explain to students.

19
Quota reset spike
Smaller spikes
No spike
Transition to yesterday's quota scheme, Kazaa
spikes on left, not on right
20
Closeup of Kazaa Spikes
7 Mbps × 60 s/m × 15 m / 8 bits/byte = 787.5 Mbytes
Someone reached their quota in 15 minutes.
Probation tends to smooth the spikes to
be wider and less tall.
21
Tunnels
  • The University of Waterloo evolved to a similar
    situation in which on-campus traffic did not
    count against a student's quota.
  • They had a problem with tunnels. Students would
    set up a tunnel to a computer on the main campus
    and thus access the internet without affecting
    their quota.

22
Tunnels
  • I don't believe that we will have the same
    problem with tunnels. Our previous method was
    more restrictive and we did not have a problem
    with tunnels.
  • A large bump in P2P traffic from our main campus
    would be easily spotted in our flowscan graphs.
  • (We have had no problems with tunnels; now the
    most likely problem would be remote control of a
    computer on our main campus.)

23
Links to Info on Other Similar Systems
  • University of Waterloo
  • http://ist.uwaterloo.ca/cn/Residence/history.html
  • http://ist.uwaterloo.ca/cn/Residence/rn-excess.html
  • http://ist.uwaterloo.ca/cn/Residence/logic.html
  • University of Texas
  • http://resnet.utexas.edu/
  • www.ncne.org/training/techs/2001/0128/presentations/200101-kline1_files/v3_document.htm
  • Dyband commercial product
  • http://dyband.com/products/prodInfo/wp-ipTrafficMgt.htm
  • Mayville State University

24
Internet2 Campus Bandwidth Working Group
  • Home Page
  • http://cbm.internet2.edu/
  • Matrix Link
  • http://qos.internet2.edu/wg/cbm/cbm-matrix.html

25
Changes and Updates
  • Original
  • Cisco 5000
  • CAR
  • Complexity in code
  • Config by Telnet
  • 5 Pools
  • 12 Residence Halls
  • Track usage by ethernet number
  • Now
  • Cisco 4000
  • Policy Map/ Policing
  • Complexity in config
  • Config by FTP
  • 1 Pool
  • 13 Residence Halls
  • Track usage by user id (multiple computers)

26
Biggest Change From Students Point of View
  • Lowered the quota from 600 to 200 megabytes per
    day, fall semester 2002
  • Surprisingly, users exceeding the quota stayed
    at about 10%

27
(No Transcript)
28
External Changes
  • Gone
  • AudioGalaxy, Scour, CuteMX
  • New
  • Blubster, Ares, Shareaza

29
Problems
  • MAC thieves/spoofers
  • Using another person's MAC address

30
NDSU Monthly i1 95th Percentile
31
Future Possibilities
  • Quota applied to Main Campus
  • Differentiate Student, Faculty/Staff, Server
  • Separate Public ports (Wireless Project)
  • By DHCP log info

32
(No Transcript)
33
(No Transcript)
34
Abacast
35
Nighttime Quota
Compromised
36
Thanks
  • Brian Asker: our student who developed the web
    pages with the quota meter on them.
  • John Underwood: our Help Desk and ResNet Manager,
    who provided valuable input, feedback and I stole
    the free cable joke from him.

37
  • In email Marty Hoag mentioned that we should tell
    the students:
  • "The good news is that we are no longer filtering
    on content. The bad news is that you are
    accountable for your usage." :-)