IP Control Gateway (IPCG)

Presentation transcript:

IP Control Gateway (IPCG)
Xiaojun Zhang, Email: zxj@pku.edu.cn
Computer Center, Peking University
2019/4/8

Good afternoon, everybody. My name is Zhang Xiaojun, and I am from Peking University. In the next 20 minutes, I will briefly introduce the IP control gateway system. This system was developed by the Computer Center of Peking University; it can control network packet forwarding according to the end user's requirements.

Contents
- Background information
- Network access control
- IPCG design & implementation
- IPCG & network accounting system
- Conclusion

The presentation includes the following parts. The first is the background information on the IP control gateway. The second describes access control technology in networks. The third covers system design and implementation. The fourth presents an accounting system built upon the IP control gateway. The conclusion is the last one.

Background (1/2)
Old network accounting system
- Based on HTTP proxy
- Application dependence
- Poor performance

About three years ago, our accounting system was based on an HTTP proxy. But this system cannot keep up with new network developments. There are two reasons. Application dependence: the HTTP proxy server must know the application protocol, otherwise the application cannot be proxied. Poor performance: almost all HTTP proxy servers work in the user space of the operating system and cannot adapt to high network traffic. We needed to improve the old accounting system.

Background (2/2)
User-based Network Management
[Figure labels: Administrator, control, User, Network, Application]

As we all know, the network accounting system is one of the most important network management tasks. In a network environment, the user uses applications via the network. In order to achieve user-based network management, the administrator must find an efficient method to control network access.

Network access control (1/1)
- Network device (ACL): limited, coarse granularity
- HTTP proxy: application dependent, poor performance
- Firewall (ACL, pattern, rule…): focus on network security
- General & open platform (PC server + NIC): low cost
- Other specific technology: R&D, high cost

Let's review the common network access control methods. The first is the Access Control List. This method is often used in network devices, for instance, a router or switch. But this method cannot achieve fine-grained access control. The second is the HTTP proxy. This method has been introduced above. The third is firewall technology. Like the ACL, this method cannot achieve fine-grained access control either, because the main objective of a firewall is network security protection. The next method is based on a PC server with a network interface card. This method achieves network access control in software, and can be cheap. The last one is by virtue of specific technology, for example, an ASIC or network processor, but it needs more investment.

IPCG design & implementation (1/4)
Objectives
- Application independent
- High speed bandwidth: 1 gigabit
- Access control granularity: individual IP
- User-based: triggered by user, customize on demand
- Controlled IP range: B-class address block
- Flexibility: configuration, employment, etc.

According to the above introduction as well as our actual network management, we defined the following network management objectives. Application independent: network access control can support all network applications, not only old applications but also new ones. Network access control must support one gigabit network speed, because this speed is very common. Fine-grained access control: the object system can grant different access permissions to individual IPs. User-based: the end user can actively apply for network access permission according to his actual requirements. The controlled IP address range is a B-class address block at least. The system configuration and employment can be very flexible for administration.

IPCG design & implementation (2/4)
Functions
- Access control
  - Access permission
- Traffic statistics
  - Collect traffic usage information (for accounting)
  - Record IP packet content (for query)

Through our careful performance comparison and analysis, we found that the general and open method can meet our objectives. Therefore, we decided to adopt this method to achieve network access control, i.e. a PC server with a network interface card. The final system structure is shown in the figure on the left. The IP control gateway is positioned between two network devices (for example, a core switch and a border router). Its main functions include access control and traffic statistics. The access control engine module controls network packet forwarding according to the corresponding access permission. The tasks of the lower two modules are traffic usage information collection and IP packet content recording respectively.

IPCG design & implementation (3/4)
System configuration
- CPU: Intel Xeon up 2.0GHz x 2
- MEM: 1GB
- HD: >80GB
- Control NIC: Intel 1000M NIC x 2 (internal, external)
- Management NIC
- OS: RedHat Linux 7.2

This page displays the typical IP control gateway system configuration. The network interface card is Intel's one gigabit NIC. The operating system is Linux.

IPCG design & implementation (4/4)
Traffic graph
[Figure: traffic graphs, axes in bit/s and packet/s]

This is an actual traffic graph captured on May 26, 2004. In this graph, the maximum bidirectional throughput and packet forwarding rate are 1800Mbps and 400Kpps respectively. After three years of practice and trial, the performance of the IP control gateway system is very satisfactory.

IPCG & network accounting system (1/1)
[Figure: accounting system architecture. Labels: User; Authentication (HTTPS); User management (LDAP); IPCG query service (user logon/logoff, traffic)]

This is our new network accounting system architecture. First, the end user inputs his username, password and network access request to the authentication gateway. Once authentication is OK, the user's access permission will be granted by the IP control gateway. Then the user can use the network as usual. The user's traffic usage information can be imported to the billing database from the IP control gateway on schedule. In this accounting system, HTTPS and LDAP are used in user authentication and user management respectively. In addition, the user logon or logoff and traffic information can be retrieved from the IP control gateway.
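
The per-IP access control and traffic accounting described in the last slides, as an added example in C (not code from the talk or from the IPCG system). It assumes a flat table indexed by the low 16 bits of the address; the block 10.1.0.0/16, the function names and the two permission values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed controlled block: 10.1.0.0/16 (constructed; one class B sized range). */
#define BLOCK_NET  0x0A010000u
#define BLOCK_MASK 0xFFFF0000u

enum perm { PERM_DENY = 0, PERM_ALLOW = 1 };  /* hypothetical permission values */
enum dir  { DIR_OUT, DIR_IN };                /* internal->external, external->internal */

struct host {
    uint8_t  perm;                            /* zero-initialised, so default is deny */
    uint64_t bytes_out, bytes_in, pkts;       /* per-IP accounting counters */
};
static struct host table[1u << 16];           /* one slot per address in the /16 */

/* Map an address to its slot, or NULL if it lies outside the controlled block. */
static struct host *slot(uint32_t ip) {
    return (ip & BLOCK_MASK) == BLOCK_NET ? &table[ip & 0xFFFFu] : NULL;
}

/* Called on user logon (PERM_ALLOW) or logoff (PERM_DENY) after authentication. */
int ipcg_set_perm(uint32_t ip, enum perm p) {
    struct host *h = slot(ip);
    if (!h) return -1;                        /* refuse addresses we do not control */
    h->perm = (uint8_t)p;
    return 0;
}

/* Per-packet decision: 1 = forward, 0 = drop. Usage is charged to the internal IP. */
int ipcg_forward(enum dir d, uint32_t src, uint32_t dst, uint16_t len) {
    struct host *h = slot(d == DIR_OUT ? src : dst);
    if (!h || h->perm != PERM_ALLOW) return 0;   /* default deny; unknown sources dropped */
    if (d == DIR_OUT) h->bytes_out += len; else h->bytes_in += len;
    h->pkts++;
    return 1;
}

/* Total bytes attributed to an IP, as the billing import would read them. */
uint64_t ipcg_usage(uint32_t ip) {
    struct host *h = slot(ip);
    return h ? h->bytes_out + h->bytes_in : 0;
}

int main(void) {
    ipcg_set_perm(0x0A010203u, PERM_ALLOW);   /* constructed user address 10.1.2.3 */
    return ipcg_forward(DIR_OUT, 0x0A010203u, 0x08080808u, 100) ? 0 : 1;
}
```

The lookup is a single mask and array index, so the decision is independent of the application protocol, and a logoff takes effect on the next packet.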

Conclusion (1/2)
Features
- user-based network access control
- support up to 1 Gbps
- adopt general and open platform
- low cost, investment protection
- widely applicable

From the above introduction, we can summarize the following features of the IP control gateway:
1. Network access control is the core function of the IP control gateway. Every user can modify his network access permission according to his own demand at any time.
2. The IP control gateway supports one gigabit network speed.
3. The IP control gateway is implemented on a general and open platform, so it is very convenient to upgrade and migrate.
4. The cost of the IP control gateway is very low, thus investment can be protected.
5. As a standalone system, the IP control gateway can be applied in accounting systems and other application environments.

Conclusion (2/2)
Next plan
- network behavior analysis
- support IPv6
- up to 10 Gbps

The IP control gateway can control packet forwarding according to the requirements of network management, and traffic data can be matched to its real user. These two functions are very useful for in-depth monitoring and analysis of network behavior. In the future, the IP control gateway will be enhanced to support the IPv6 protocol and 10 gigabit network speed.

Thank you

That is all of my speech. Thank you for listening, thank you very much.