Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Huan-Yun Wei1
Ying-Dar Lin
Corresponding author
All test results are verified by the vendors and are reproducible through our open tools. Nowadays most benchmark reports
are financed by vendors and may be biased, without practical testbeds. Guided by this neutral test, readers can obtain in-depth
sights when examining bandwidth management devices.
2
1. Introduction
Internet services provide an economic and convenient system to carry out business, such as
efficient information exchange among branch offices, or efficient customer/provider access to the
services. However, the importance of the services varies, and enterprises often fail to effectively utilize
the narrow but expensive WAN link bandwidth. For instance, the bandwidth required by ERP
(Enterprise Resource Planning), voice over IP (VoIP), and e-business may be occupied by less-important
applications such as FTP. Since end-to-end Internet QoS such as DiffServ [1] is still under experiment,
enterprises seek to at least manage their inbound and outbound links. Thus, policy-based bandwidth
management devices are employed at organizational edges to set and enforce organizational policies for
pursuing the utmost benefits.
Network administrators define policy rules to achieve resource management objectives for the
enterprise. Each policy rule contains condition and action fields to define specific actions for
specific conditions. Condition defines the packet-matching criteria, such as a certain subnet, application,
or protocol. Action defines the bandwidth parameters, such as at least 100kbps or at most 200kbps.
So each policy rule is class-based that it groups a set of traffic flows into a per-class queue according to
the specified packet filter (condition), and then the class of traffic is scheduled out at its corresponding
specified bandwidth (action). Moreover, the class-based rules can be further configured with bandwidth
borrowing among the classes to dynamically utilize available bandwidth effectively. Additionally, each
connection within a class can be guaranteed to have at least a certain amount of bandwidth. Throughout
this work we evaluate the effectiveness of various policy enforcements for the above three policy types:
(1) class-based rule; (2) connection rule within a class; (3) bandwidth borrowing rule among classes.
The following subsections review traditional and prevalent technologies to enforce these policy rules.
Traditional TechnologyQueuing
A straightforward method for bandwidth management is to queue less-important traffic and pass
important traffic as soon as possible. Queuing can be roughly categorized into (1) priority-based queuing
and (2) rate-based queuing. Priority-based queuing sets the priority among the classes and the highest
priority class is scheduled out first. This is suitable for short-lived, extremely important, or transactionoriented flows. However, priority-based queuing cannot quantitatively guarantee/limit the bandwidth for
a class. As an analogy, if everyone is VIP, then no one is real VIP. In contrast, rate-based queuing
employs various packet scheduling algorithms [2] that can decide from which class comes the next
packet for transmission. This can effectively limit senders who are trying to overburden the resource.
Besides, the minimum bandwidth for important applications can be quantitatively guaranteed. Floyd and
Jacobson [3] further investigate the bandwidth borrowing among the classes. Queuing has different
impacts upon UDP and TCP data flows. Next we briefly review UDP and TCP protocols.
1.
2.
Window Sizing: Since a TCP connection can be actively controlled through the feedback
Acks, the window-sizing method directly influences the amount of sending bytes by shrinking the
RWND in the TCP Acks. In this test, iPolicer, PacketShaper, WiseWAN, QoSWorks and Guardian
Pro belong to this type. Karandikar et al. [6] sponsored by Packeteer investigate the window-sizing
technique. Though window-sizing can directly control per-connection bandwidth, it needs to
readjust its Ack regulations when another connection enters or leaves the class.
Packet Dropping: Because a TCP sender slows down its transmission rate in response of
network congestion by halving its congestion window size, the packet-dropping method drops
packets and expects that the sender will slow down its rate when detecting the packet loss events
[7]. In this test, FloodGate (uses per-flow queuing) and ALTQ_CBQ+RED belong to this type.
This work designs a novel testbed for evaluating the effectiveness of various policy enforcement
techniques used by existing products or solutions. The testbed mimics the real-life Internet
characteristics such as WAN delay, delay jitter, and packet loss. Section 2 compares the relevant
information of the devices under test (DUT). Section 3 then describes the design of our testbed and the
test methodology. Section 4 demonstrates the test results. Finally, a summary of the test results and
conclusions are given in Section 5.
Grade
Model
S/W
(Announced) Ver.
OS,
Install at
HW/SW
Hardware
Boot CPU RAM
Interface
from
100Mbps
10Mbps
5.02
NT 4.0, Software
LAN
45 Mbps
4.1
NT 4.0, Software
and
1.6.4
Embedded NT,
Router
100-CR2202 [11][12]
Packeteers PacketShaper
Hardware
45 Mbps
4500 [13]
Sitaras QoSWorks
Same FreeBSD
Same NT server
HA*
Same NT server
10/100Mbps
Another NT server
10/100Mbps
Embedded Hard
Hardware
100 Mbps
32M
600
Hard
Log to
Over
BroadWeb/Acutes
Fail
P!!! 192M
Disk
10/100Mbps
Embedded Hard
QWX-10000 [14]
NetRealitys WiseWan
Hardware
5Mbps
4.0
Disk
Proprietary,
200/500 [15]
Hardware
32M
600
P
Disk
32M
133
V.35
Another NT server
(10Mbps log)
Note 1: Invited venders also include Lucents Access Point, Allots NetEnforcer these two decide not to join this test after examining our test plan and
Ciscos Cisco Assure (did not want to join at the beginning).
Note 2: Fail Over is defined as the capability of bypassing traffic when the power is off. HA means high availability module (optional).
Note 3: Sitira revealed to us that QoSWorks uses ALTQ_CBQ.
Packet Classifier
Src/Dst IP/Port#,
Host
mask, Prot. ID
list
Direction
UDP
WAN
Bandwidth Borrowing
(In/Out)
traffic
Inter-class Intra-class
Setup
ALTQ
Both
Auto
Compete2
Both
Degree1
Compete
CheckPoints FloodGate
Both
Degree
Degree
NetRealitys WiseWan
Both
Auto
Auto
Acute/Broadwebs iPolicer
Both
Packeteers PacketShaper
Both
Degree
Degree
Sitaras QoSWorks
Both
Auto
Auto
Degree means that administrators can manually specify the degree of bandwidth borrowing.
DUTs without connection guarantee let the flows within the class compete with each other.
which FTP-data port (port 20, for sending data) can be dynamically changed to another by negotiation in
the FTP-Cmd port (port 21, for sending FTP commands). If the DUT cannot recognize what negotiation
is in the FTP-Cmd port, obviously it cannot control the connection that is actually sending the data.
PacketShaper and WiseWAN have the richest layer-7 awareness. In terms of quantity of port-service
mapping entries, WiseWAN and PacketShaper are the richest. The next richest are FloodGate and
Guardian Pro. iPolicer, QoSWorks, and ALTQ have few or no built-in port-service mapping entries and
require manual lookups in the port-service mapping table. Although iPolicer can identify UDP, it cannot
control its bandwidth.
Vendor/
Model
Layer awareness
Layer
Layer-7 TYPE
TCP
ALTQ
60
CheckPoints FloodGate
URL/MIME-TYPE
NetRealitys WiseWan
Acute/BroadWebs iPolicer
ICMP IPX
# of other protocols
UDP
35
15
60
35
URL/MIME-TYPE
109
79
Above 250
12
Cannot control
Packeteers PacketShaper
URL
Above 200
Sitaras QoSWorks
*Note: This table only lists the protocols that can control rather than just recognize only.
100M H ub
Linux
2.2.14
P-III 700
Source
1 ~ 99
172.16.88.X
Q oSW orks
PacketShaper
IPolicer
253
R eportD ata
100
J
Telephone
V oice
Src 2
C
N T 4 Server
254
252
254
Cisco
Router 2514
254
FTP Server
Linux
2.2.14 100M
P-III 700
H ub
254
Linux
2.2.14
P-III 700
D estination
1 ~ 99
V .35 C able
C isco 1750
V O IP G atew ay
L
Sm artBits
V oice
D est2
100
V oice
D est1
V oice
Src 1
192.168.88.201
254
C isco
Router 2514
W A N Em ulator
Linux
2.2.14
P-III 700
RTP
(G .729)
254
10.1.1.X
172.16.89.X
tcpdum p
T TT
W iseW A N
Cisco 1750
V O IP G atew ay
172.16.87.X
FloodG ate
G uardianPro
P-III700
172.16.86.X
10.1.1.201
W in2K
P-III 700
CO M 2
Telephone
Sm artV oIpQ oS
Tool
Function
Description
Position in
Fig. 1
Ncftpput [16]
TCP Traffic
generator
SmartVoIpQoS
VoIP (UDP) traffic Traffic: Single VoIP flow with RTP format UDP packets.
[17]
generator
VoIP Gateway
Same as above
Same as above
ttt [18]
Real-time traffic
K and N
Packet sniffer
Dump each packets header to the RAM disk to avoid I/O overheads. A and H
Calculating statistics from the tcpdump result.
scripts [20]
Self-written wan
WAN Emulator
emulator [20]
A. Basic Test
This test evaluates the accuracy of the class bandwidth and the fairness among the connections
within the class. Besides, this test also investigates the stability of each DUT among its five-time runs.
The total WAN link bandwidth is set to T1 (1.544Mbps)4 and is partitioned into five classes (20, 40, 128,
256, and 1100kbps), with each class matching four TCP connections. Each class is set to guarantee that
Note that some operating systems merely support alias IP addresses, but cannot support alias interfaces, such as FreeBSD
and Windows 2000.
4
BroadWeb/Acute iPolicer does not have WAN link speed setup.
8
each connection has 1/4 of the class bandwidth5. All settings are fixed without any bandwidth
borrowing. This test repeats in consecutive five runs, with 200 seconds intervals in between. Within each
run, 20 FTP connections are simultaneously flowing from A to I (Table 6), with each class match 4
connections. After 250 seconds, all the ncftpput processes are killed. Data from 30 to 230 seconds are
analyzed. The statistics are explained in Table 7. Appendix C uses an intuitive example to illustrate the
following statistics.
Statistic
Accuracy
Quantify what?
Definition
bandwidth
i 1
Comparison
Standard
The closer to 1, the
better
Stability of
The differences of the accuracy CoV** of normalized goodput among the five runs It depends***.
accuracy
Fairness
better
fairness
class.
i 1
Stability of
Ratio
each class.
It depends***.
5
better
* Goodput is the effective throughput (bytes/time) excluding the bandwidth consumed by retransmission.
** CoV denotes coefficient of variation, which means standard deviation over mean.
*** If the accuracy tends to 1, it would be better for its stability to be 0. This implies the DUT always performs accurately. However, if the accuracy tends to
0, and its stability also tends to 0, it implies that the DUT always performs inaccurately. This also applies to fairness and its stability (Appendix C).
B. Robustness Test
Packets may be generated by different operating systems, hence different TCP implementations,
and pass through paths with various delays and loss rates. Long-distance TCP connections are expected
to be vulnerable to Internet losses because they require more time to obtain Acks for recovering to their
target bandwidth. Since many DUTs regulate TCP Acks, it is our concern whether they are compatible
with the major operation systems. Table 8 describes our test methodology.
Test Item
Description
DUT Settings
Comparison standard
Test Methodology
Under Heterogeneous Same as Basic WAN delays of the four connections in each class Same as the Basic Test
Internet Delays
Test.
Under Various
200kbps
Under Different
Sending Operating
test flow.
for A single TCP connection is tested under 0.5%, 1%, Whether the goodput can
2%, 4% and 8% periodic loss rates.
smoothly degrade.
How closely the byte-time
(2)TCP Source OS= {Linux 2.2.14, Windows 2000, lines of the operating
Systems
each other.
C. Advanced Test
This test includes bandwidth borrowing test and VoIP quality test. Bandwidth borrowing has been
described in Section 2. VoIP quality is separately tested through SmartBits and VoIP Gateway to
evaluate whether the DUTs can precisely allocate adequate bandwidth for voice traffic. Each test is
conducted under heavily-loaded FTP traffic. Detailed test methodologies are in Table 9.
Test Item
Description
DUT Settings
Inter-class
Bandwidth
Borrowing
Comparison
standard
Test Methodology
(1) Link speed=T1 (1.544Mbps), divided Connection 1 and 2 are started and stopped in (1) Stability of
into 2 classes A, B. A=B=777kbps.
sequence.
each
connection.
B matches connection 2.
(2) How
seamlessly the
Intra-class
total
Bandwidth
Borrowing
bandwidth line
can be when
connection 1
terminates.
PSQM1,
SmartVoIpQoS
Listening with
into 2 classes A, B.
(Cisco 1750)
traffic.
10
jitter,
PSQM (Perceptual Speech Quality Measurement) is calculated from delay, jitter, and loss statistics. PSQM rated as 6.5 has the poorest quality
The VoIP Gateway is set to continuously sample the sound even when the primary tester keeps silent. Thus the data flow is always around 30 kbps.
Note: The test crew had performed many five-run tests on iPolicer. It is only after the above phenomenon has been
verified that we include the most general one of the five-run tests in our analysis.
11
Figure 2: Results of accuracy and its stability (A1, B1: No Internet Delay; A2, B2: With Internet Delay)
A-2. Fairness and Stability of Fairness
Figure 3 (A1 is fairness, B1 is its stability, A2 and B2 will be discussed in robustness test) also
distinguishes three groups: PacketShaper is the most fair and stable; QoSWorks is less fair but is stable
in the 20kbps class, implying that it is less fair in the 20kbps class in all the five test runs (Appendix C).
FloodGate and WiseWAN are less fair and stable in the 20kbps class. iPolicer, Guardian Pro, and
ALTQ_CBQ+RED provide poor fairness. Pure CBQ has the poorest fairness under narrowband
(20~40kbps) classes. However, it is somewhat alleviated after applying RED to each class because RED
tends to drop more packets from the connection that is more aggressively sending the data.
12
Figure 3: Results of fairness and its stability (A1, B1: No Internet Delay; A2, B2: With Internet Delay)
A-3. Retransmission Ratio
Figure 4 A1 (A2 will be discussed in robustness test) shows large retransmission ratio in
narrowband classes (20~40kbps), except for PacketShaper and QoSWorks, but especially in WiseWAN,
iPolicer, FloodGate and ALTQ_CBQ+RED. As an analogy, a small exit often keeps many people
waiting before it. FloodGate and ALTQ_CBQ+RED use packet dropping to slow down TCP flows so
they have high retransmissions. WiseWAN has enormous packet losses at the Cisco router before
WiseWAN can control the traffic at the WAN link. Results of iPolicer are not easy to comprehend in
terms of the technologies it claims (adjusting the TCP window size).
13
Figure 4: Test results of retransmission ratio (A1: No Internet Delay; A2: With Internet Delay)
14
IPolicer
FloodG ate
200
PacketShaper
W iseW A N
G uardianPro
180
Q oSW orks
A LTQ _C B Q
160
0
0.5
8 Loss rate (% )
15
bandwidth of connection 2 (yyyy/tcp line). The test crew draws another baseline indicating the ideal
total link bandwidth (1.544Mbps) for comparison.
Inter-Class Bandwidth Borrowing Test Results
Figure 7 shows the inter-class bandwidth borrowing benchmark results. iPolicer does not have
this function, so we set the bandwidth of both of the two classes as 1.544Mbps. However, Cisco
Routers link is set to 2Mbps, thus the two 1.544Mbps flows through iPolicer exceeds the baseline
bandwidth. After connection 1 terminates, the total bandwidth narrows down to around 1.5Mbps
with some bandwidth fluctuation. WiseWAN and ALTQ can automatically borrow bandwidth among
classes, and the others can be further configured with the degree of bandwidth borrowing. Guardian
Pro has an unstable look when connection 2 starts to obtain a bandwidth share. ALTQ_CBQ and
ALTQ_CBQ+RED can only borrow a limited bandwidth (from 777kbps to 1.1Mbps). FloodGate,
PacketShaper and QoSWorks can perform inter-class bandwidth borrowing seamlessly.
(d) ALTQ_CBQ
(h) ALTQ_CBQ+RED
16
(a) Acute/Broadweb iPolicer (b) CheckPoint FloodGate (c) NetGuard Guardian Pro
(d) ALTQ_CBQ
20
2000
50
1500
40
Base
PacketShaper
FloodGate
Average Latency
WiseWAN
Max Latency
GuardianPro
QoSWorks
2.2
2.48
2.56
500
6.5
2.7
2.45
WiseWAN
PSQM
GuardianPro
Loss rate
QoSWorks
20
10
ALTQ_CBQ
WiseWAN
GuardianPro
Max Latency
QoSWorks
QoSWorks2 ALTQ_CBQ
15
2.6
Jitter (ms)
10
PacketShaper FloodGate
Average Latency
0
FloodGate
20
Base
5
PacketShaper
30
1000
ALTQ_CBQ
1
0
Base
60
70
6.5
6.5
6.5
6.5
6.5
6.23
100
80
60
2.6
2.2
40
20
30.6303
PSQM
1.0533
10.8978
10
PSQM
25
15
81.0739
100
3
2
3000
L o s s ra te (% )
(m s )
150
80
30
(m s )
200
50
837.5684
Latency (ms)
1529.3163
250
0
Base
PacketShaper
FloodGate
WiseWAN
GuardianPro
PSQM
Loss rate
QoSWorks
QoSWorks2
ALTQ_CBQ
exercises Packet Size Optimization (minifying the maximum transfer unit of FTP connections when
establishing the connections), the voice quality approaches the original voice both in Smartbits and
Gateway tests. While it is promising, readers should be aware that minifying the packet size of all other
TCP connections can cause large overhead. As an analogy, the overhead of several small trucks carrying
the goods is larger than that of a big truck carrying the same goods. This tradeoff depends on the
considerations of the network administrator.
T1 WAN link Speed
Calling time
Delay time
Voice quality
estimated by ears
(legibility)
Very good
Calling time
<1 sec
Delay time
Voice quality
estimated by ears
(legibility)
Very good
sec
Baseline (with background FTP)
iPolicer
FloodGate
Very good
About 7sec
About 1 sec
Very Poor<10%
Guardian Pro
Very good
About 3 sec
Ultra poor<1%
WiseWAN
Very good
About 7sec
Ultra poor<1%
PacketShaper
Very good
About 1 sec
About 1 sec
Poor (60%)
ALTQ_CBQ
About 2 sec
Very good
About 18 sec
About 1 sec
Very Poor<10%
QoSWorks
About 1 sec
Very good
About 17 sec
About 1 sec
Very Poor<10%
QoSWorks Optimized
About 6 sec
Very good
sec
5. Conclusions
This work designs a novel testbed that mimics the real-life Internet conditions, such as multiple
connections, heterogeneous WAN delays/delay jitters/packet loss rates, and different TCP source
implementations. Most test reports, such as those by the Tolly Group [22], are financed by the vendors
and may be biased. Additionally, the testbed in those reports is over-simplified, without in-depth test
items or with inadequate number of connections. This work first classifies the policy rules into three
major types: (1) class-based rule; (2) connection rule within a class; (3) bandwidth borrowing rule
among classes. The test methodology then quantifies the effectiveness of the above policy rule types of
each device in terms of accuracy, fairness, stability, robustness, bandwidth borrowing, and VoIP quality.
The test results reveal several things that can be reproducible with our open tools: (1) the narrowband
class-based rule and its fairness among the flows are harder to enforce when multiple TCP connections
18
compete for the same queue, resulting in large queue length and TCP retransmissions. (2) explicitly
sizing the TCP window could cause performance or fairness degradation even under slight packet loss
rates; (3) the open source solution can compete with commercial products in accurately limiting flow
aggregates; (4) the video/voice qualities of real-time applications significantly depends on the packet
sizes of all other traffic when using a narrowband (125kbps) access link. Detailed functionality
comparison among the DUTs gives further directions for enhancing open source solutions, such as
Packeteers traffic discovery and QoSWorkss intuitive user interface. The ALTQ package lacks perconnection bandwidth guarantee within the class that it needs further refinements to satisfy the
enterprises demand. Some vendors in this test use open sources but never do they open their kernel
patches. We are currently patching ALTQ with per-connection bandwidth guarantee and will feedback to
the Open Source community. After all, open source should be open.
6. References
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
19
[16]
[17]
[18]
[19]
[20]
[21]
[22]
Acknowledgements
We thank the vendors who so generously provided us with the devices and their verifications of
the test results. We are grateful to Ching-Chuan Chiang and Yi-Chung Liu for their help on the
preliminary tests and functionality comparisons.
Appendix
Appendix A. Detailed Functionality Comparison
A-1. Policy Console User Interface
As for the policy console user interface (Table A), a notable function is how many devices a
management console can control. Policy consoles of PacketShaper and QoSWorks can control only one
device since they use built-in web servers for configuration with Web browsers. Policy consoles of
others (except for ALTQ) can remotely control multiple devices located at different places. As for
schedule control, per-rule schedule control is more effective. For example, some rules can be inactive
during non-office hours, but VoIP rule should be always active to guarantee voice quality.
Vendor/Model
Type
Schedule
Management
Control
Console
ALTQ
Config File
NetGuards
GUI Win32
Per-rule
Guardian Pro
Application
CheckPoints
GUI Win32
FloodGate
Application
NetRealitys
WiseWan
GUI Java
Application
OS
Win NT/2000
devices
Per-rule
Global
Global
Alert
N/A
Log
devices
Per-rule
Monitor/Statistics
N/A
devices
20
Per-rule
Global
iPolicer
(Java Applet)
devices
Another NT IE 5.0
Packeteers
Single
device
Embedded
PacketShaper
(HTML)
Any
Web Server
Single
device
Embedded
Any
Email trap
SNMP
trap
SNMP
trap
Distribution/Traffic by address
Web Server
21
256kbps
1.1M bps
Ideal
Round 1 Round 2 Round 3 Round 4 Round 5
5
4
1
12
1
13
5
4
2
5
2
14
20
14
7
30
5
39
5
4
2
6
1
5
5
2
2
7
1
7
10
10
40
(14+7+30+5+39)/5=19 => A ccurate!!
10
5=19
A ccurat
C oV(14+7+30+5+39)/
(14,7,30,5,39)=2.
4 =>=>Poor
stabie!!
lity!!
10
C oV (14,7,30,5,39)=2.4 => Poor stability!!
32
32
128
32
32
C oV =0.23 C oV =0.25
C oV =0.36
C oV =0.35
C oV =0.39
64
C oV =0.23 C oV =0.25
C oV =0.36
C oV =0.35
C oV =0.39
64
256
64
64
275
(0.23+0.25+0.36+0.35+0.39)/5=0.32 => N otFair
275
(0.23+0.
5=0.
32 =>
=>GNood
otFai
r lity
23+0.25+0.
25+0.36+0.
36+0.35+0.
35+0.39)/
39)=0.
063
stabi
1100 Std(0.
275
Std(0.23+0.25+0.36+0.35+0.39)=0.063 => G ood stability
275
22