Application Layer Packet Shaping on Linux
sommere writes "We have added application layer (layer-7) filtering to Linux. That means that you can set up your linux-router/linux-switch to prioritize mail over the web over kazaa or gnutella regardless of what port each program is using. Colleges have been paying thousands of dollars for packet shapers to prioritize their networks, now you can do it for free. Get your kernel patch at l7-filter.sourceforge.net."
It cost my school 15 grand for 100mbit of shaping to be exact. Try using Kazaa when there are 4 huge dorms full of students trying to access kazaa, irc, ftp, hotline and some other protocols on 150k. Not fun.
Tim Smith - Ramblings from Nerd Land
This type of thing has been in OpenBSD a long time now (altq), but it's nice to see that this type of thing is done in Linux.
The problem in the world today is communication. Too much communication - Homer Simpson
Performance isn't an issue--ImageStream has a full line of commercial Linux-based routers in use in over 70 countries worldwide. They offer wirespeed performance and interfaces from T1/E1 to DS3/E3 through OC12 and OC48.
http://www.imagestream.com/
Don't take my word for it, either. ImageStream's Rebel Router with a DS3 interface was reviewed in Linux Journal and Network Computing last year. Both publications confirmed the wirespeed specification.
I've been doing traffic shaping based on port policies for months using the CBQ.init Script.
What's the advantage of using Layer-7 shaping, when CBQ does it quite efficiently?
Errr, how? Copy & paste the packet contents? Write a wrapper? And what about the unwrapper? How many kazaa users worldwide will receive your kazaa packet if you send it through ICQ, uuencoded?
Of course you may set up a tunnel between your home box and some remote host of some friend, outside the shaped network. But then the admin will notice excessive transfers over that tunnel between the two hosts and downgrade your transfers using old-fashioned source&dest IP match.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Now that would be useful to have in the kernel.
I know you can do a certain amount with Apache, but to be able to slot a nice little Linux box in where an Alteon would normally sit would be a) cool and b) cheap.
oh brave new world, that has such people in it!
Sorry to be dense, but I still don't understand.
If I send a plain Jane UDP or TCP packet, why is the protocol necessarily evident? To be specific, suppose my packet just consisted of an encrypted wad of digits with just enough UDP information to deliver it to a certain socket on a certain port at a certain IP address. How would the router know it was a gnutella packet or anything else?
I realize that perhaps mail and HTTP packets have enough header info for a person to perhaps figure out what they are. But would it not be easy to disguise gnutella packets as, say, mail packets with a bogus header but sent to something other than port 110?
For those not ready to upgrade to Linux 2.5, and for those on other platforms, there is Trickle, a userland traffic shaper for Linux, *BSD and Solaris. It works on a per-process basis (or on groups of processes to limit aggregate traffic consumption), does not require root-level access nor kernel patches, and is, of course, open source.
"Another thing: couldn't the ??AA get ISPs to use this feature, not to kill P2P sharing, but to reduce its priority (perhaps as a compromise from not being able to kill P2P outright)?"
This type of technology already exists and it is easily affordable by any half-decent ISP: $15-30 thousand, maybe a little more. The fact that it is currently possible and ISPs are NOT doing it right now answers your question for me.
As far as DoS potential goes, this would actually help more than hurt. If someone is DoS'ing a particular service, you can deprioritize the traffic and greatly reduce the impact.
Ignore encrypted for a moment. You can disguise stuff inside mail or http traffic. But if you look inside, you may find patterns. Say your HTTP-encapsulated gnutella always contains the text string "gnutella-http" in the first 20 bytes. Boom, that's your signature right there. Signatures, of course, are reactionary, not proactive. Say someone comes out with the encapsulated gnutella protocols. Your traffic shaping vendor (be it Packeteer, Allot, or the open source guys) does an analysis on this new protocol, discovers some form of a pattern, and makes a new signature. Then you update your traffic shaper's software.
Now encrypted is a different story. It's harder to inspect, as you can't actually look at the traffic data and it's mostly random looking. The most you can do there is try to see message length, frequency of messages, or responses to try and get a pattern.
FreeBSD has had this for years. Why keep on reinventing the wheel? Fight NIH!
Ever heard of Esmith? http://www.e-smith.org/
;) Are you saying the average home user needs Application Layer Packet Shaping or that there are no easy-to-set-up Linux "server distros"? I guess maybe you meant both, but considering most homes aren't even running the easy-to-use Linux servers out there now, the availability of ALPS probably won't change that.
Mandrake and Red Hat will work fine as well.
Or I guess you could buy a Netwinder www.netwinder.net which really is plug and play.
"If Linux is going to break into home of joe average that might very well be the way."
Well, realistically that's really not likely to happen. Joe average doesn't go around setting up servers. Of course no offense, but I'm not really sure what your initial point was.
For businesses it might spur more linux adoption though.
If you wanna get rich, you know that payback is a bitch
DirtyD, I think :)
somehow that is appropriate
errr....umm...*whooosh* *whoosh* Is this thing on ?
If you put your ISP on a commodity linux box and expect five 9's you need to back off the medication.
While not five 9's, I do run an ISP off of commodity Linux boxes and achieve three 9's (8.77 hours out of the year downtime) -- we're a commercial ISP and frankly, if that's not good enough for you, go buy someone else's service. I can't get three 9's downtime out of my upstream ISP if you count the scheduled downtime (which my three 9's figure does count).
Not at Layer-7, that's what makes it ideal. The expensive shapers like Packeteers work the same way. It doesn't matter what port, it actually looks at the traffic itself at the application layer.
Jason
"FORMAT C:" - Kills bugs dead!
Mmm... But a small Cisco router or firewall can't do advanced packet shaping.
Not even the large ones can do really advanced shaping.
You'll need specialised boxes that *aren't* routers or firewalls at all but only do packet shaping.
They're usually totally transparent to the network, except that they shape the traffic.
The best product I know in this field is the Packeteer Packetshaper, but there might be other products that are as good or even better out there...
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
I just downloaded their protocol definitions and took a look - they differentiate kazaa and generic http by looking for the "user-agent: kazaa" line in the header.
so there you go.
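To make concrete what the two posts above describe (a signature such as "gnutella-http" near the start of a flow, and kazaa being told apart from plain web traffic by its "user-agent: kazaa" header line), here is an added example, not code from l7-filter or from anyone in this thread, of a port-independent layer-7 classifier. The signatures, the inspection limit and the sample flows are all constructed for illustration.

```python
import re

# Only the first bytes of a flow are inspected; the limit is an assumption
# for this example, not a value taken from l7-filter.
MAX_INSPECT = 2048

# Constructed signatures in the spirit of l7-filter protocol definitions.
# Order matters: kazaa is an HTTP request with a distinctive User-Agent
# line, so it must be tested before the generic http pattern or it would
# be classified as plain web traffic.
SIGNATURES = [
    ("kazaa", re.compile(rb"^(get|post) [^\r\n]+\r\n(?:[^\r\n]*\r\n)*?user-agent: kazaa", re.I)),
    # hypothetical signature from the thread: "gnutella-http" within the
    # first 20 bytes of an HTTP-tunnelled gnutella flow
    ("gnutella-http", re.compile(rb"^.{0,8}gnutella-http", re.I | re.S)),
    ("http", re.compile(rb"^(get|post|head) [^\r\n]+ http/1\.[01]\r\n", re.I)),
    ("smtp", re.compile(rb"^220 [^\r\n]*e?smtp", re.I)),
]

# Priority classes in the order the submission suggests: mail over web over
# peer-to-peer. Unrecognised traffic (e.g. an encrypted blob) gets a default.
PRIORITY = {"smtp": 1, "http": 2, "kazaa": 3, "gnutella-http": 3, "unknown": 2}


def classify(payload):
    """Return the name of the first signature matching the start of the
    flow payload, or 'unknown'. The transport port is never consulted."""
    head = payload[:MAX_INSPECT]
    for name, pattern in SIGNATURES:
        if pattern.search(head):
            return name
    return "unknown"


def shape_decision(port, payload):
    """Classify a flow and map it to a priority class; port is accepted only
    to show that it plays no part in the decision."""
    proto = classify(payload)
    return proto, PRIORITY[proto]


# Constructed sample flows: (description, destination port, first bytes)
FLOWS = [
    ("kazaa on the web port", 80, b"GET /.hash=abc HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: Kazaa 2.0\r\n\r\n"),
    ("plain web", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("mail on an odd port", 2525, b"220 mail.example.com ESMTP ready\r\n"),
    ("tunnelled gnutella on the POP3 port", 110, b"GNUTELLA-HTTP/0.6 CONNECT\r\n"),
    ("encrypted blob, no signature", 80, bytes.fromhex("9c027af3e18b4d6620f5c7a3b19e0d4876e2a5cf3b8d19e74c0a6f21d3e89b57")),
]

if __name__ == "__main__":
    for desc, port, data in FLOWS:
        print(f"{desc:38s} port {port:5d} -> {shape_decision(port, data)}")
```

The last flow illustrates the thread's other point: an opaque encrypted payload matches nothing, so a signature-based shaper can only fall back to a default class (or to traffic-volume heuristics) for it.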
Maybe this is a better example. Cisco vs Code Red.
often encountered in the phrase "Unix boxen", used to describe commodity Unix hardware. The connotation is that any two Unix boxen are interchangeable. --FOLDOC