Traffic Management; Traffic Shaping; Introduction; Traffic Shaping Basics - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

Chapter 10. Traffic Management
This chapter describes how NetDefendOS can manage network traffic.
• Traffic Shaping
• Threshold Rules
• Server Load Balancing

10.1. Traffic Shaping

10.1.1. Introduction

A weakness of the TCP/IP protocol is the lack of true Quality of Service (QoS) functionality. QoS in
networks is the ability to guarantee and limit bandwidth for certain services and users.
Protocols such as the Differentiated Services (Diffserv) architecture have been designed to try to
solve the QoS problem in large networks by using information in packet headers to provide network
devices with QoS information. NetDefendOS provides support for Diffserv by forwarding the 6 bits
which make up the Diffserv Differentiated Services Code Point (DSCP) as well as copying these
bits from the data traffic inside VPN tunnels to the encapsulating packets.

However, the use of architectures like Diffserv still falls short if applications themselves supply the
network with QoS information. From a security standpoint, it is rarely acceptable that applications
(i.e. network users) decide the priority of their own traffic. In scenarios where the users cannot be
trusted, it should be the network equipment that makes the decisions about priorities and bandwidth
allocations.

In complex network topologies where different standards and different products exist, it is even
more difficult to prioritize, guarantee or limit data traffic. The Internet is a good example of such a
network topology. In a well-delimited network, however, there are much better possibilities to use
different methods in order to control traffic. A well-delimited network is defined mostly by the
administrative limits, not the size of the network. The traffic in larger WANs could also be managed,
assuming that the network is designed in a homogeneous way.

NetDefendOS provides QoS functionality by allowing the administrator to apply limits and
guarantees to the network traffic itself, rather than trusting the applications and users to make these
choices. This is well suited to managing bandwidth for a small LAN as well as in one or more
bottlenecks in larger WANs.

10.1.2. Traffic Shaping Basics

The simplest way to obtain quality of service in a network, seen from a security as well as a
functionality perspective, is to have the components in the network, not the applications, be responsible
for network traffic control in well-defined bottleneck points.

Traffic shaping works by measuring and queuing IP packets, in transit, with respect to a number of
configurable parameters. Different rate limits and traffic guarantees can be created as policies based
on the source, destination and protocol, similar to the way IP rule-set policies are created. Traffic
shaping works by:
• Applying bandwidth limits by queuing packets that would exceed configured limits, and sending
  them later when demand for bandwidth is lower.
• Dropping packets if the packet buffers are full. The packet to be dropped should be chosen from
  those that are responsible for the "jam".
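
The two mechanisms listed above, as an added illustration in Python (not D-Link code and not a description of how NetDefendOS is implemented): a toy shaper that queues traffic above a per-tick byte limit and, when the buffer is full, drops from the flow holding the most queued bytes. The class and parameter names, the flow labels and the "heaviest flow" drop choice are assumptions made for the example.

```python
from collections import Counter, deque


class Shaper:
    """Toy shaper: forwards at most `rate` bytes per tick and queues the rest."""

    def __init__(self, rate, buffer_bytes):
        self.rate = rate                  # byte budget per tick (the limit)
        self.capacity = buffer_bytes      # total bytes the queue may hold
        self.queue = deque()              # (flow, size) in arrival order
        self.queued = Counter()           # bytes currently queued per flow
        self.dropped = Counter()          # bytes dropped per flow

    def enqueue(self, flow, size):
        self.queue.append((flow, size))
        self.queued[flow] += size
        # Buffer full: drop the newest packet of the flow holding the most
        # queued bytes (assumed reading of "responsible for the jam").
        while sum(self.queued.values()) > self.capacity:
            heavy = max(self.queued, key=self.queued.get)
            idx = max(i for i, (f, _) in enumerate(self.queue) if f == heavy)
            _, dropped_size = self.queue[idx]
            del self.queue[idx]
            self.queued[heavy] -= dropped_size
            self.dropped[heavy] += dropped_size

    def tick(self):
        """Send queued packets in order until this tick's budget is spent.
        Assumes no single packet is larger than `rate`."""
        budget, sent = self.rate, []
        while self.queue and self.queue[0][1] <= budget:
            flow, size = self.queue.popleft()
            self.queued[flow] -= size
            budget -= size
            sent.append((flow, size))
        return sent


def demo():
    # Constructed traffic: "bulk" floods the link, "voip" sends two small packets.
    shaper = Shaper(rate=3000, buffer_bytes=6000)
    for _ in range(6):
        shaper.enqueue("bulk", 1500)
    for _ in range(2):
        shaper.enqueue("voip", 200)
    return shaper, shaper.tick(), shaper.tick()


if __name__ == "__main__":
    shaper, first, second = demo()
    print("tick 1:", first, "\ntick 2:", second, "\ndropped:", dict(shaper.dropped))
```

In the constructed run the flooding flow absorbs every drop, while the small flow is only delayed until the second tick.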