At 11:28 AM 7/30/98 -0400, Scott Gifford wrote: I have been using a packet shaper (non commercial product) since 4/96 and have recently been reviewing/testing a number of commercial products on the market. I will ignore the options and features every product has but rather focus on those things to look at when checking these boxes: 1) alerts: a nice feature to have that no commercial product has yet is an alert feature when a bandwidth limiting policy has been exceeded. Example: You limit incoming icmp to 100kb and are suddenly hit by a Smurf eating up 2Mb/sec. You want an alert sent to the NOC via email or some other method. Or you have policy limiting single stream outgoing UDP to 256kb and suddenly see 4Mb/sec. You definitely want an alarm going off somewhere. We have found that email alerts are invaluable. Packeteer doesn't have it. 2) Bandwidth manipulation: some products do buffering, some play with the TCP window. You want both. Packeteer has both. 3) Bypass: you want a hardware and software bypass in the event something goes wrong. This is black box sitting in the data path. You now have a strip of boxes: firewall->packetshaper->router (and perhaps more). If something doesn't work, you don't want to start recabling to bypass the packet shaper. Software bypass via a Web interface is a must, and a hardware bypass is also critical. Packeteer has both. 4) Signon management: In a large ISP operation, many users will need to have access to modify the rules and policies. You will want a system that has individual user signon rather than a single user/pswd. Packeteer has only single user/pswd so therefore it is impossible to track who has done what changes. 5) Topflows: In RMON there is the concept of Top 10. When the network slows down, you want the ability to see a list of the Top n users consuming bandwidth in the past 1 minute/10 minutes/hour. Packeteer does not have that capability. 6) Flows: When a vendor says their box supports T3, one has to check a little deeper and determine the number of max flows allowed. For example, Allot (www.allot.com) supports a T3 box, but tops out at 5000 concurrent flows. Packeteer supports 20,000 concurrent flows. Current realtime numbers on my beta box show 2400 flows consuming 3.3Mb, and often 8000-9000 flows consuming 6.5Mb of bandwidth. Based on those numbers, I will hit 20,000 flows long before I hit 20Mb of bandwidth. I do not think the packet shaper vendors have much of an idea in the ISP market as to the large number of flows involved. They know corporate networks. 7) Platform: Look at the OS platform. Packeteer using a proprietary OS, others may package Linux or NT. None have done any OS hardening on the system so it is best to run something like ISS against the packet shaper to determine what security holes exist. Imagine you start using a packet shaper in production only to have the hackers hack it and set their own super-duper policies. 8) Audit trail: The product should have the ability to have some sort of syslog based on modifications done by personnel. Packeteer has something that is not accessible via the web and is more for debugging. 9) Filters & CPU: Look for products that can support CIDR notation and not the long masks. Packeteer doesn't support CIDR notation masking for filters. Some limit the size of the filter (also called policy, access- list, pipe rule, etc.). Packeteer limits it to 16 lines. The larger the filter the slower the box. Test it out. 10) ToD: All boxes have the ability to control based on source IP, destination IP and port. Not all have the ability to control based on time of day. Suppose you want incoming news to be limited to 128kb during the day but open it up from 2-8am to 800kb. Packeteer has a line command called "schedule". Look for GUI's to do this. 11) Flow limiting: sometimes you want the ability to not only control bandwidth but also the number of flows. Example: you allow IP phone via the Internet via port xxxx but want to guarantee 8kb/sec per flow, but you only have 64kb of bandwidth allocated for that port. You want to have the ability to state that a maximum of 8 flows can use that virtual pipe and the 9th won't get the service. Packeteer says they have this ability but I have not verified it. 12) Graphs: you want the ability for realtime graphs for each policy so you can see how your rule changes have affected the bandwidth. Packeteer has this capability. 13) Multihoming: this is the one *every* vendor fails on and is perhaps the one we need. These packet shaper boxes assume either one outgoing line from the router, or if there are multiple lines - that they are load balanced (NReality - www.nreality.com places their box on the FR line itself after the router - and last I checked only support FR). But in most ISP cases, you are multihomed with 3-4 outgoing lines - which are not fully balanced. Suppose one line is 90% and the others are 30%. The packet shaper can't see any of this and therefore the policy rules are not perfect. The line that is 90% satuarted is hearing 4,000 nets via BGP. How do you get that routing info the packet shaper? None have some sort of BGP import and when I tell them I want to import 52,000 prefixes and build policy rules based on that - they look at me like I am from Mars. In the near future we will be exploring this avenue for Internet-2 in Israel. 14) Transparent proxy: remember that line of boxes? firewall->packet shaper->router? Now add in a transparent proxy. Ugh. Look for a vendor that will include a transparent proxy capability in their box. I wouldn't be suprised if Alteon and Packeteer were to merge. These kind of mergers have to happen. Checkpoint already has packet shaping in their firewall via an addon product called Floodgate. Cisco bought up Classdata (www.classdata.com) so expect to see more of these capabilities in firewalls and routers. If you have read articles in Network World, Data Communications, etc. on this topic you will not find this level of detail there. This only comes with actually using and testing these boxes. Scott, these products do work and are not snake oil. I trust this helps you somewhat. -Hank
I was wondering if anybody out there has had any experience with "Packet Shapers," which claim to be able to limit traffic to a particular host, host+port, or host+port+url without dropping packets. They apparently watch traffic flows and keep track of connections, then dink around with TCP window size information to slow traffic down if needed.
The one we have been looking at is called "The Packeteer" (http://www.packeteer.com), but I have seen a few others (one of which had a really good picture of a pig in the ad).
Do these things work as advertised? Is anybody actively using them inside their networks? I don't know enough down-and-dirty information about TCP to know if this should work, or if it's just a plastic shell filled with snake-oil...
Thanks for any information. Email if you like, I will post a summary if people are interested.
------Scott.