Vinod G. J. Peris

Transport layer security: how much does it really cost?

The last couple of years has seen a growing momentum towards using the Internet for conducting business. One of the key enablers for business applications is the ability to setup secure channels across the Internet. The Secure Sockets Layer (SSL) protocol provides this capability and it is the most widely used transport layer security protocol. In this paper we investigate the performance of SSL both from a latency as well as a throughput point of view. Since SSL is primarily used to secure Web transactions, we use the SPECWeb96 benchmark suitably modified for use with the SSL protocol. We benchmark two of the more popular Web servers that are in use today and find that they are a couple of orders of magnitude slower when it comes to serving secure Web pages. We investigate the reason for this deficiency by instrumenting the SSL protocol stack with a detailed profiling of the protocol processing components. Based on our findings we suggest two modifications to the protocol that reduce the latency as well as increase the throughput at the server.

Design, implementation and performance of a content-based switch

In this paper, we share our experience in designing and building a content-based switch which we call L5. In addition to the layer 2-3-4 information available in the packet, a content-based switch uses application level information to route traffic in the network. Making routing decisions based on information contained in the payload is not a new idea. In fact application level proxies which are functionally equivalent to a content-based switch, have been around for years. Our contribution is in combining the functionalities of an application level proxy with the data handling capabilities of a switch into a single system. In this paper, we describe the architecture of the L5 system along with the details of how application level information can be efficiently processed in the switch hardware. We cover two specific application examples that we believe are ideal candidates for content-based switching: one is routing HTTP sessions based on uniform resource locators (URL) and the other is session-aware dispatching of secure socket layer (SSL) connections.

Scalable QoS provision through buffer management

In recent years, a number of link scheduling algorithms have been proposed that greatly improve upon traditional FIFO scheduling in being able to assure rate and delay bounds for individual sessions. However, they cannot be easily deployed in a backbone environment with thousands of sessions, as their complexity increases with the number of sessions. In this paper, we propose and analyze an approach that uses a simple buffer management scheme to provide rate guarantees to individual flows (or to a set of flows) multiplexed into a common FIFO queue. We establish the buffer allocation requirements to achieve these rate guarantees and study the trade-off between the achievable link utilization and the buffer size required with the proposed scheme. The aspect of fair access to excess bandwidth is also addressed, and its mapping onto a buffer allocation rule is investigated. Numerical examples are provided that illustrate the performance of the proposed schemes. Finally, a scalable architecture for QoS provisioning is presented that integrates the proposed buffer management scheme with WFQ scheduling that uses a small number of queues.

Efficient support of delay and rate guarantees in an internet

In this paper, we investigate some issues related to the efficient provision of end-to-end delay guarantees in the context of the Guaranteed (G) Services framework [16]. First, we consider the impact of reshaping traffic within the network on the end-to-end delay, the end-to-end jitter, as well as per-hop buffer requirements. This leads us to examine a class of traffic disciplines that use reshaping at each hop, namely rate-controlled disciplines. In this case, it is known that it is advantageous to use the Earliest Deadline First (EDF) scheduling policy at the link scheduler [8]. For this service discipline, we determine the appropriate values of the parameters that have to be exported, as specified in [16]. Subsequently, with the help of an example, we illustrate how the G service traffic will typically underutilize the network, regardless of the scheduling policy used. We then define a Guaranteed Rate (GR) service, that is synergetic with the G service framework and makes use of this unutilized bandwidth to provide rate guarantees to flows. We outline some of the details of the GR service and explain how it can be supported in conjunction with the G service in an efficient manner.

The cost of QoS support in edge devices an experimental study

This paper investigates the problem of making QoS guarantees available in access devices such as edge routers, that are commonly deployed in todays IP networks. We propose a specific design which we evaluate by carrying out a complete implementation, whose performance we then measure in the context of an experimental testbed. The results indicate that a reasonable level of service differentiation, i.e., rate and delay guarantees, can be provided with a minimal impact on the raw packet forwarding performance of edge devices.

Design and implementation of a QoS capable switch-router

An important challenge for the future growth of the Internet is to design routers that can forward the exponentially increasing volume of traffic, and at the same time provide the service differentiation needed by new applications. In this paper, we describe the architecture, implementation, and initial experiences with a system designed to meet this challenge. This system, which we call a QoS capable switch-router (QSR), combines the salient features of switching and routing technologies to provide high throughput and support the different classes of service being defined by the IETF. It consists of a core (ATM) switch fabric connecting intelligent adapters, each capable of both routing and switching pockets. A control engine is responsible for routing, RSVP signalling, and resource management. We have built a prototype network of 3 systems connected to several UNIX hosts, and have conducted preliminary performance measurements on this network.

The effect of traffic shaping in efficiently providing end-to-end performance guarantees

This paper reports new results concerning the capabilities of a family of service disciplines aimed at providing per-connection end-to-end delay (and throughput) guarantees in high-speed networks. This family consists of the class of rate-controlled service disciplines, in which traffic from a connection is reshaped to conform to specific traffic characteristics, at every hop on its path. When used together with a scheduling policy at each node, this reshaping enables the network to provide end-to-end delay guarantees to individual connections. The main advantages of this family of service disciplines are their implementation simplicity and flexibility. On the other hand, because the delay guarantees provided are based on summing worst case delays at each node, it has also been argued that the resulting bounds are very conservative which may more than offset the benefits. In particular, other service disciplines such as those based on Fair Queueing or Generalized Processor Sharing (GPS), have been shown to provide much tighter delay bounds. As a result, these disciplines, although more complex from an implementation point-of-view, have been considered for the purpose of providing end-to-end guarantees in high-speed networks. In this paper, we show that through “proper” selection of the reshaping to which we subject the traffic of a connection, the penalty incurred by computing end-to-end delay bounds based on worst cases at each node can be alleviated. Specifically, we show how rate-controlled service disciplines can be designed to outperform the Rate Proportional Processor Sharing (RPPS) service discipline. Based on these findings, we believe that rate-controlled service disciplines provide a very powerful and practical solution to the problem of providing end-to-end guarantees in high-speed networks.