Network Throttle


jawaide...@gmail.com

Jun 8, 2012, 4:29:11 AM
to vcap-dev
Does Cloud Foundry provide a way to set a quota on or throttle the network
bandwidth? How do we protect an application from abusing the network?

Chunjie Zhu

Jun 8, 2012, 6:39:13 AM
to vcap...@cloudfoundry.org
1. "Does Cloud Foundry provide a way to set a quota on or throttle the network bandwidth?"
Not yet. Actually, if we put each application into a warden container (https://github.com/cloudfoundry/warden), then we can achieve the quota/throttle settings for this application in the link layer.

The link between the inside of the container and the outside is a Linux veth, a virtual ethernet device driver. So if veth supported quota/throttle, it would be done. Unfortunately, veth does not support this feature, while some real ethernet device drivers like bnx2 do have a rate limit mechanism. But it is really not difficult to modify the veth device driver to add this feature.

To make veth support a quota, first add an skb queue for veth, and then add some kind of queue length (or even skb data total length) check in veth's veth_xmit function. If the quota is exceeded then skbs are dropped; do not worry about TCP connections, they will time out and then retry. For the userland side, change ethtool to accept the quota settings.

With all due respect, I think it may not be a classic use case, because veth has been present for many years but it does not have a quota feature until now.

2. "How do we protect an application from abusing the network?"
For the incoming traffic, such as clients sending HTTP requests to an application in Cloud Foundry, we can deploy some IDS/IPS or Application Firewall to filter/block malicious requests, such as SYN flooding/XSS/OSFR.

For the outgoing traffic, such as an application requesting service from a database server/storage server in Cloud Foundry or an application returning a response to clients, some kind of network traffic monitor can be used. Most likely, applications in Cloud Foundry are not malware, so it is nice that we only monitor traffic but do not block it. If there really is some malware abusing the network, then an alert report should be given by the monitor and some security expert shall handle this manually, I think.

If we want to do the above task, do we need to install a network traffic monitor on each machine? VMware vSphere provides a great security framework, vmsafe, which is able to monitor/block all virtual machines' network traffic within the same ESXi server. That is to say, only one copy of vmsafe is installed.

Regards,
Chunjie


From: "jek...@hotmail.com" <jawaide...@gmail.com>
To: "vcap-dev" <vcap...@cloudfoundry.org>
Sent: Friday, June 8, 2012 4:29:11 PM
Subject: [vcap-dev] Network Throttle
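As an added illustration that is not code from this thread, from Cloud Foundry or from warden, here is a userland C model of the per-interface byte-quota check Chunjie sketches for veth_xmit: every skb's length is charged against the interface's budget and the skb is dropped once the budget is exhausted. The token-bucket accounting, the struct and all function names are assumptions made for this example; a real driver would keep this state in the veth private data and call it from the xmit path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NS_PER_S 1000000000ULL

/* Hypothetical per-interface quota state (would live in veth's priv data). */
struct veth_quota {
    uint64_t rate_bps;     /* bytes per second allowed on this veth */
    uint64_t burst_bytes;  /* bucket capacity: max bytes sendable at once */
    uint64_t tokens;       /* bytes currently available to transmit */
    uint64_t last_ns;      /* time up to which tokens have been credited */
    uint64_t sent;         /* skbs transmitted */
    uint64_t dropped;      /* skbs dropped for exceeding the quota */
};

void veth_quota_init(struct veth_quota *q, uint64_t rate_bps,
                     uint64_t burst_bytes, uint64_t now_ns) {
    q->rate_bps = rate_bps;
    q->burst_bytes = burst_bytes;
    q->tokens = burst_bytes;   /* start with a full bucket */
    q->last_ns = now_ns;
    q->sent = q->dropped = 0;
}

/* Credit bytes earned since last_ns, capped at the burst size. */
static void veth_quota_refill(struct veth_quota *q, uint64_t now_ns) {
    if (now_ns <= q->last_ns) return;
    uint64_t add = (now_ns - q->last_ns) * q->rate_bps / NS_PER_S;
    if (add == 0) return;  /* keep the sub-byte remainder for next time */
    q->tokens = (q->tokens + add > q->burst_bytes) ? q->burst_bytes
                                                   : q->tokens + add;
    q->last_ns += add * NS_PER_S / q->rate_bps;
}

/* The check proposed for veth_xmit: true = transmit, false = drop skb. */
bool veth_quota_xmit(struct veth_quota *q, size_t skb_len, uint64_t now_ns) {
    veth_quota_refill(q, now_ns);
    if (skb_len > q->tokens) { q->dropped++; return false; }
    q->tokens -= skb_len;
    q->sent++;
    return true;
}

int main(void) {
    struct veth_quota q;
    veth_quota_init(&q, 1000000, 3000, 0);  /* 1 MB/s, 3000-byte burst */
    for (int i = 0; i < 4; i++)             /* 4 x 1500 B at t=0: 2 pass */
        printf("skb %d: %s\n", i, veth_quota_xmit(&q, 1500, 0) ? "sent" : "dropped");
    printf("sent=%llu dropped=%llu\n",
           (unsigned long long)q.sent, (unsigned long long)q.dropped);
    return 0;
}
```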