D-Link NetDefend DFL-210 User Manual page 413

10.1.10. Traffic Shaping
Recommendations
knows what its capacity is and the precedence mechanism is totally dependent on this.
Pipe limits for VPN
Traffic shaping measures the traffic inside VPN tunnels. This is the raw unencrypted data without
any protocol overhead so it will be less than the actual VPN traffic. VPN protocols such as IPsec
can add significant overhead to the data and for this reason it is recommended that the limits
specified in the traffic shaping pipes for VPN traffic are set at around 20% below the actual
available bandwidth.
Relying on the group limit
A special case when a total pipe limit is not specified is when a group limit is used instead. The
bandwidth limit is then placed on, for example, each user of a network where the users must share a
fixed bandwidth resource. An ISP might use this approach to limit individual user bandwidth by
specifying a "Per DestinationIP" grouping. Knowing when the pipe is full is not important since the
only constraint is on each user. If precedences were used the pipe maximum would have to be used.
Limits should not be higher than the available bandwidth
If pipe limits are set higher than the available bandwidth, the pipe will not know when the physical
connection has reached its capacity. If the connection is 500 kbps but the total pipe limit is set to
600 kbps, the pipe will believe that it is not full and it will not throttle lower precedences.
Limits should be slightly less than available bandwidth
Pipe limits should be slightly below the network bandwidth. A recommended value is to make the
pipe limit 95% of the physical limit. The need for this difference becomes less with increasing
bandwidth since 5% represents an increasingly larger piece of the total.
The reason for the lower pipe limit is how NetDefendOS processes traffic. For outbound
connections where packets leave the NetDefend Firewall, there is always the possibility that
NetDefendOS might slightly overload the connection because of the software delays involved in
deciding to send packets and the packets actually being dispatched from buffers.
For inbound connections, there is less control over what is arriving and what has to be processed by
the traffic shaping subsystem and it is therefore more important to set pipe limits slightly below the
real connection limit to account for the time needed for NetDefendOS to adapt to changing
conditions.
Attacks on Bandwidth
Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks or
other flooding attacks. NetDefendOS will prevent these extraneous packets from reaching the hosts
behind the NetDefend Firewall, but cannot protect the connection becoming overloaded if an attack
floods it.
Watching for Leaks
When setting out to protect and shape a network bottleneck, make sure that all traffic passing
through that bottleneck passes through the defined NetDefendOS pipes.
If there is traffic going through your Internet connection that the pipes do not know about, they
cannot know when the Internet connection is full.
The problems resulting from leaks are exactly the same as in the cases described above. Traffic
"leaking" through without being measured by pipes will have the same effect as bandwidth
413
Chapter 10. Traffic Management