With the deepening of education informatization, our country has built a large-scale education network that provides excellent access conditions for colleges and universities. However, as ever-changing Internet applications consume more and more bandwidth, and the number of terminals accessing campus networks keeps growing rapidly, the operation and maintenance of college networks face new challenges. In this situation, how to manage traffic more rationally and better guarantee teaching and scientific research tasks has become a common concern of university information center directors.
Faced with a torrent, the best approach is to actively divert it rather than passively block it. Today it is generally accepted that application traffic should be sorted out by flow control products. In many colleges and universities, flow control products have become essential equipment at the network egress, directly determining bandwidth utilization and the user application experience. After a long period of follow-up analysis, the author summarizes some experience and suggestions on evaluating flow control products for the university network egress environment.
Protocol recognition goes three-dimensional
As is well known, the working mechanism of flow control products is similar to that of anti-virus gateways and IPS: it relies mainly on the data characteristics of application protocols to determine which application a flow belongs to. Its core is the protocol identification engine, whose key indicators include recognition rate, false recognition rate, protocol coverage and performance. Many users consider the number of recognizable protocols very important (vendors also tend to emphasize this), but in fact the recognition rate of the flow control product in the real environment is the most important indicator. This is like anti-virus gateways: some products list only tens of thousands of virus signatures in their specification sheets, but because each signature covers all variants of the same virus family, their actual detection capability can even exceed products nominally built with hundreds of thousands of signatures.
With the increasingly strong encryption trend of peer-to-peer applications, the traditional recognition method based on application protocol data features often fails to work, which requires the protocol recognition engine to analyze traffic behavior comprehensively and judge the application type from statistical characteristics, connection correlation and so on. Some flow control products already provide this kind of heuristic processing mechanism, which, combined with the traditional approach, achieves a better flow control effect. However, judging by the behavioral characteristics of traffic will also increase the false recognition rate of application protocols to some extent, and in extreme cases may even affect network connectivity. Therefore, when accurate identification cannot be guaranteed, the flow control product should provide users with a means of correction, or deliver part of this function as an option.
The response speed of application protocol feature updates is also a very important evaluation indicator. Amid the explosive growth of Internet applications, all manufacturers are sparing no effort on ever more packet capturing, analysis, testing and update work. No one can give an accurate answer as to how long this model will last. But judging from the development of other security products, flow control manufacturers may have to explore new approaches in their technical implementation mechanism or operating model.
The development of flow control technology
Flow control products were born out of the demand for traffic control, and their development is fairly mature by now. But in the face of changing application demands, their functions and implementation mechanisms have been continuously adjusted, striving for better optimization and control effects. At present, the core concept of flow control has developed from the traditional control of downstream traffic to the control of upstream traffic. The former is easy to implement, but it only has a certain effect on TCP traffic (for example, by adjusting the TCP window). For UDP traffic, this approach is not only ineffective but also easily produces a large traffic difference, which greatly wastes bandwidth resources. Considering that online video, which currently takes the largest share of bandwidth, and most peer-to-peer download applications communicate mainly over UDP, flow control products must have a mechanism that controls upstream traffic in order to suppress downstream traffic, so as to reduce the traffic difference and improve bandwidth utilization.
When bandwidth resources are tight, flow control products usually drop packets to compress traffic. Two packet-discard mechanisms are common today: queued and non-queued. The queue mode is relatively traditional: the flow control engine puts packets into queues, and a queue scheduler then schedules them uniformly; much open source software uses this implementation. Its advantage is that network fluctuation is small and TCP traffic in particular is smoother, but it occupies more resources and increases system pressure. Without queues, the flow control engine generally adopts a token bucket mechanism: when tokens are insufficient, the current packet is discarded directly. Its advantages are low system pressure, little resource consumption and essentially no added delay. Overall, both packet loss mechanisms have advantages and disadvantages, but for a scenario with as much traffic as a university network egress, the non-queue mode is clearly more applicable.
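To make the trade-off between the two discard mechanisms concrete, here is an added simulation (not code from the article or any product) that feeds the same constructed burst of packets to a token bucket (non-queue mode) and to a FIFO shaper (queue mode); the rate, burst size and delay bound are assumed values.

```python
# Added example: token bucket (non-queue mode) beside a FIFO shaper (queue mode),
# both offered one constructed burst of packets. All parameters are assumed.


class TokenBucket:
    """Non-queue mode: tokens refill at `rate` bytes/s up to `burst` bytes;
    a packet that finds too few tokens is dropped at once, never delayed."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def offer(self, size, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return None                      # dropped
        self.tokens -= size
        return 0.0                           # forwarded with no added delay


class QueueShaper:
    """Queue mode: packets wait their turn on a virtual link of `rate` bytes/s;
    a packet is dropped only if it would wait longer than `max_delay` seconds."""

    def __init__(self, rate, max_delay):
        self.rate, self.max_delay = rate, max_delay
        self.next_free = 0.0                 # time the virtual link becomes idle

    def offer(self, size, now):
        depart = max(now, self.next_free)
        delay = depart - now
        if delay > self.max_delay:
            return None                      # queue too long: dropped
        self.next_free = depart + size / self.rate
        return delay                         # forwarded after `delay` seconds


def run_burst(shaper, count=100, size=1500, now=0.0):
    """Offer `count` packets of `size` bytes arriving together at time `now`;
    return (accepted, dropped, worst delay in seconds)."""
    accepted = dropped = 0
    worst = 0.0
    for _ in range(count):
        delay = shaper.offer(size, now)
        if delay is None:
            dropped += 1
        else:
            accepted += 1
            worst = max(worst, delay)
    return accepted, dropped, worst


if __name__ == "__main__":
    rate = 100_000                           # constructed: 100 kB/s egress budget
    print("token bucket:", run_burst(TokenBucket(rate, burst=15_000)))
    print("queue shaper:", run_burst(QueueShaper(rate, max_delay=0.5)))
```

The token bucket passes only what the burst allowance covers and drops the rest immediately, while the shaper keeps more packets at the cost of queuing delay and per-packet state, which is the resource pressure the text refers to.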
Overall control can manage network traffic, but it cannot solve the fairness problem caused by a single point generating too much traffic. Therefore, to achieve a better flow control effect, a whole-region management idea must be adopted. This requires that the flow control product, while sorting out the egress traffic as a whole, can also provide control capabilities per IP or IP group to maintain a certain degree of fairness. In addition, bandwidth guarantee/bandwidth borrowing is also a fairly common function in flow control products. Past experience shows that this function works very well in scenarios with small egress bandwidth such as enterprises and Internet cafes, but its effect is not obvious in large-traffic environments such as universities and operators.
Application routing is becoming mainstream
Controlling traffic alone cannot completely solve the problem; where conditions permit, traffic also needs to be actively diverted in order to strive for a better network application experience. The more common approach is to distribute peer-to-peer downloads, online video and other non-critical applications to high-bandwidth, low-cost lines. The implementation mechanisms of these applications mean that they can still achieve acceptable results even on links of poor quality, while the experience of key applications such as video conferencing and distance learning must be guaranteed, so they should enjoy the best link resources. In short, application routing has become one of the standard functions of current flow control products and will be widely used in the future. This is especially true in colleges and universities.
At present, flow control products usually have three deployment modes for implementing application routing, namely:
1. Apply different DSCP tags to different applications, and let the router/firewall do policy routing based on the DSCP value;
2. Apply different source-address NAT to different applications, and let the router/firewall do policy routing based on the source address;
3. Replace the router/firewall as the access device, and do policy routing directly for different applications.
The first approach is simpler to implement, but the author found in many deployments that not many routers/firewalls can do policy routing based on DSCP. Basically all routers and firewalls support policy-based routing on the source address, so the second approach is more general (this generality, of course, comes at the cost of increased load on the flow control product). The third approach is the simplest to implement, but the change to the network topology is relatively large and the device bears the heaviest load, so it is still relatively rare in colleges and universities. However, the trend of convergence between flow control products and routers/firewalls is obvious, and I believe the proportion of the third deployment mode will gradually increase in the future. Some colleges and universities currently deploy a separate flow control device on each link; this not only cannot implement application routing, but also lacks the ability to perceive and control traffic as a whole. Unless the situation is very special, this deployment mode is not recommended.
Two important issues must be considered when application routing is enabled. The first is interoperability between different operators. Large portals or online video sites have their own DNS (CDN) load balancing services, so the addresses resolved through different operators' DNS are bound to differ. If the destination address is a Telecom IP but application routing points the traffic to the Unicom line, not only is there no optimization effect, but the application experience is reduced. Therefore, in many cases application routing needs to be paired with DNS redirection: if traffic is diverted to the Unicom link, DNS requests should be resolved through Unicom's DNS server to get the normal access effect.
The second is the connection dependency problem of applications. In some applications a single session contains multiple connections; if some of the connections go to the education network and the others to other operators, at best the application experience is affected and at worst the application is interrupted. This places higher requirements on the feature integrity of the flow control engine, and only the judgment mechanism mentioned above, based on the behavioral characteristics of application protocols, can solve it. However, the success rate of application routing is not equal to the recognition rate of the application: in some applications the server sends the first data, which makes diversion difficult to realize. Therefore, when analyzing and describing application features, manufacturers should also take the needs of application routing into account.
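The three deployment modes and the two issues just described can be tied together in a toy policy router, added here as an illustration (not code from the article or any flow control product): it emits the DSCP tag of mode 1 and the source NAT address of mode 2 for the chosen link, keeps every connection of a session on the same link, and flags a destination whose operator does not match the link, which is the symptom of resolving through the wrong operator's DNS. Link names, DSCP values, RFC 5737 addresses and the application policy are all assumed.

```python
# Added example: toy application router. Link table, application policy,
# prefix table and DSCP values are constructed for illustration only.
import ipaddress

# Per link: DSCP mark (mode 1), source NAT address (mode 2) and the operator's
# own resolver that DNS redirection should send queries to.
LINKS = {
    "edu":     {"dscp": 46, "snat": "203.0.113.1",  "dns": "203.0.113.53"},
    "telecom": {"dscp": 10, "snat": "198.51.100.1", "dns": "198.51.100.53"},
    "unicom":  {"dscp": 12, "snat": "192.0.2.1",    "dns": "192.0.2.53"},
}
# Key applications get the best link; bulk applications go to the cheap lines.
APP_POLICY = {"video_conf": "edu", "distance_learning": "edu",
              "p2p": "telecom", "web_video": "unicom"}
DEFAULT_LINK = "edu"
# Which operator owns a destination prefix (constructed; used to spot CDN/DNS
# mismatches such as a Telecom address being pushed onto the Unicom line).
OPERATOR_PREFIXES = {"telecom": ["198.51.100.0/24"], "unicom": ["192.0.2.0/24"]}


def operator_of(dst_ip):
    """Return the operator whose prefix table contains dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for operator, prefixes in OPERATOR_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return operator
    return None


class AppRouter:
    def __init__(self):
        self.sessions = {}   # session id -> link, so all its connections stay together

    def route(self, session_id, app, dst_ip):
        """Choose the link for one connection; return the marks each deployment
        mode would apply, the resolver to redirect DNS to, and a mismatch flag."""
        link = self.sessions.get(session_id)
        if link is None:                        # first connection of the session
            link = APP_POLICY.get(app, DEFAULT_LINK)
            self.sessions[session_id] = link    # later connections inherit it
        dst_operator = operator_of(dst_ip)
        # Only meaningful on an operator link: a destination owned by another
        # operator means the name was resolved through the wrong DNS server.
        mismatch = (link in OPERATOR_PREFIXES and dst_operator is not None
                    and dst_operator != link)
        return {"link": link,
                "dscp": LINKS[link]["dscp"],        # mode 1: DSCP tag
                "snat": LINKS[link]["snat"],        # mode 2: source NAT address
                "resolver": LINKS[link]["dns"],     # DNS redirection target
                "operator_mismatch": mismatch}
```

A real product would also have to handle the server-speaks-first case the text mentions, where the application label is not known when the first packet must be routed; this toy simply falls back to the default link.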
Collaboration: an optimization effect of 1+1>2
Deployed at the university network egress, the flow control product manages and optimizes all traffic entering and leaving the campus network, and its status is no less than that of the router and core switch. Although traffic management is its main function, if it can collaborate with other devices it will achieve a better optimization effect and maximize its value.
At present, the device best suited to work together with flow control products is a cache acceleration device. Using application routing, the flow control product can redirect specific applications and content in the university egress traffic (such as file downloads or web video applications) to the cache acceleration device. At this point it acts like a client of the cache acceleration device, and the process is completely transparent to the end user. A notable difference between redirection implemented by a flow control product and traditional port-based redirection is that the former can be based on accurate application identification results, forwarding only the traffic the cache acceleration device needs to handle, which improves the cache system's utilization and hit ratio while reducing pressure on I/O and the file management system, so that it can concentrate more on business-related work.
Another device suited to working with flow control products is the audit system. Generally, the audit system obtains data through a switch mirror port. Because mirroring copies all traffic, the audit system must filter out packets outside its business scope while receiving every packet, which consumes a lot of system resources. The flow control product can use its powerful protocol recognition ability to selectively mirror only the application traffic that needs auditing (such as HTTP, IM and so on) to the audit system, greatly reducing the audit system's load and avoiding incomplete audits caused by performance limits.
In fact, almost all inline or bypass devices that work on a particular business can benefit from the application routing and application traffic mirroring capabilities of flow control products. Some universities have rejected WAFs or anti-virus gateways because of performance problems; analysis showed that their performance bottlenecks were largely due to unnecessary I/O processing rather than the security services themselves. Note that the application routing and traffic mirroring functions in flow control products are not yet widely used; their implementation mechanisms add extra load on the device and have a relatively large impact on performance. Therefore, when evaluating and selecting products, teachers are advised to make their judgment based on test results in the actual environment.
Article: Http://bbs.netzone.com/forum.php?mod=vie