"Packet Shapers"

Hank Nussbacher hank at ibm.net.il
Fri Jul 31 06:43:43 UTC 1998

At 11:28 AM 7/30/98 -0400, Scott Gifford wrote:

I have been using a packet shaper (non commercial product) since 4/96
and have recently been reviewing/testing a number of commercial products
on the market. I will ignore the options and features every product has
but rather focus on those things to look at when checking these boxes:

1) alerts: a nice feature to have that no commercial product has yet is
an alert feature when a bandwidth limiting policy has been exceeded.
Example: You limit incoming icmp to 100kb and are suddenly hit by a
Smurf eating up 2Mb/sec. You want an alert sent to the NOC via email or
some other method.  Or you have policy limiting single stream outgoing
UDP to 256kb and suddenly see 4Mb/sec.  You definitely want an alarm
going off somewhere.  We have found that email alerts are invaluable.
Packeteer doesn't have it.

2) Bandwidth manipulation: some products do buffering, some play with
the TCP window.  You want both.  Packeteer has both.

3) Bypass: you want a hardware and software bypass in the event
something goes wrong. This is black box sitting in the data path. You
now have a strip of boxes: firewall->packetshaper->router (and perhaps
more). If something doesn't work, you don't want to start recabling to
bypass the packet shaper. Software bypass via a Web interface is a must,
and a hardware bypass is also critical. Packeteer has both.

4) Signon management: In a large ISP operation, many users will need to
have access to modify the rules and policies.  You will want a system
that has individual user signon rather than a single user/pswd.
Packeteer has only single user/pswd so therefore it is impossible to
track who has done what changes.

5) Topflows: In RMON there is the concept of Top 10.  When the network
slows down, you want the ability to see a list of the Top n users
consuming bandwidth in the past 1 minute/10 minutes/hour.  Packeteer
does not have that capability.

6) Flows: When a vendor says their box supports T3, one has to check a
little deeper and determine the number of max flows allowed.  For
example, Allot (www.allot.com) supports a T3 box, but tops out at 5000
concurrent flows.  Packeteer supports 20,000 concurrent flows.  Current
realtime numbers on my beta box show 2400 flows consuming 3.3Mb, and often
8000-9000 flows consuming 6.5Mb of bandwidth.  Based on those numbers, I
will hit 20,000 flows long before I hit 20Mb of bandwidth.  I do not
think the packet shaper vendors have much of an idea in the ISP market
as to the large number of flows involved.  They know corporate networks.

7) Platform: Look at the OS platform.  Packeteer using a proprietary OS,
others may package Linux or NT.  None have done any OS hardening on the
system so it is best to run something like ISS against the packet shaper
to determine what security holes exist.  Imagine you start using a
packet shaper in production only to have the hackers hack it and set
their own super-duper policies.

8) Audit trail: The product should have the ability to have some sort of
syslog based on modifications done by personnel.  Packeteer has
something that is not accessible via the web and is more for debugging.

9) Filters & CPU: Look for products that can support CIDR notation and
not the long masks.  Packeteer doesn't support CIDR notation masking for
filters.  Some limit the size of the filter (also called policy, access-
list, pipe rule, etc.).  Packeteer limits it to 16 lines.  The larger
the filter the slower the box.  Test it out.

10) ToD: All boxes have the ability to control based on source IP,
destination IP and port.  Not all have the ability to control based on
time of day.  Suppose you want incoming news to be limited to 128kb
during the day but open it up from 2-8am to 800kb.  Packeteer has a line
command called "schedule".  Look for GUI's to do this.

11) Flow limiting: sometimes you want the ability to not only control
bandwidth but also the number of flows.  Example: you allow IP phone via
the Internet via port xxxx but want to guarantee 8kb/sec per flow, but
you only have 64kb of bandwidth allocated for that port.  You want to
have the ability to state that a maximum of 8 flows can use that virtual
pipe and the 9th won't get the service.  Packeteer says they have this
ability but I have not verified it.

12) Graphs: you want the ability for realtime graphs for each policy so
you can see how your rule changes have affected the bandwidth.
Packeteer has this capability.

13) Multihoming: this is the one *every* vendor fails on and is perhaps
the one we need.  These packet shaper boxes assume either one outgoing
line from the router, or if there are multiple lines - that they are
load balanced (NReality - www.nreality.com places their box on the FR
line itself after the router - and last I checked only support FR).  But
in most ISP cases, you are multihomed with 3-4 outgoing lines - which
are not fully balanced.  Suppose one line is 90% and the others are 30%.
The packet shaper can't see any of this and therefore the policy rules
are not perfect.  The line that is 90% satuarted is hearing 4,000 nets
via BGP.  How do you get that routing info the packet shaper?  None have
some sort of BGP import and when I tell them I want to import 52,000
prefixes and build policy rules based on that - they look at me like I
am from Mars.  In the near future we will be exploring this avenue for
Internet-2 in Israel.

14) Transparent proxy: remember that line of boxes?  firewall->packet
shaper->router?  Now add in a transparent proxy.  Ugh.  Look for a
vendor that will include a transparent proxy capability in their box.  I
wouldn't be suprised if Alteon and Packeteer were to merge.  These kind
of mergers have to happen.  Checkpoint already has packet shaping in
their firewall via an addon product called Floodgate.  Cisco bought up
Classdata (www.classdata.com) so expect to see more of these
capabilities in firewalls and routers.

If you have read articles in Network World, Data Communications, etc. on
this topic you will not find this level of detail there. This only comes
with actually using and testing these boxes.

Scott, these products do work and are not snake oil.  I trust this helps you


>I was wondering if anybody out there has had any experience with "Packet
>Shapers," which claim to be able to limit traffic to a particular host,
>host+port, or host+port+url without dropping packets.  They apparently watch
>traffic flows and keep track of connections, then dink around with TCP
>window size information to slow traffic down if needed.
>The one we have been looking at is called "The Packeteer"
>(http://www.packeteer.com), but I have seen a few others (one of which had a
>really good picture of a pig in the ad).
>Do these things work as advertised?  Is anybody actively using them inside
>their networks?  I don't know enough down-and-dirty information about TCP to
>know if this should work, or if it's just a plastic shell filled with
>Thanks for any information.  Email if you like, I will post a summary if
>people are interested.

More information about the NANOG mailing list