(RADIATOR) rate limiting support for Radiator
João Pedro Gonçalves
joaop at co.sapo.pt
Fri Jan 14 05:24:33 CST 2005
Accounting tends to be a lot faster than Authentication, so using
different instances for Auth and Acct should allow to minimize the
issues.
The issues we have with bursts and badly configured routers are only
related to access-requests which take an
average of 60ms whereas Accounting Requests take an average of 2ms
(with MySQL sessions enabled) to be processed.
João Pedro Gonçalves
Portugal Telecom
On Jan 14, 2005, at 10:49, Christian Kratzer wrote:
> Hi,
>
> On Thu, 13 Jan 2005, Claudio Lapidus wrote:
>
>> Hello Christian
>>
>>> exactly what is it that you want to rate limit ? radius-requests ?
>>
>> There is a problem associated with very large access servers,
>> typically in
>> ADSL environments. When, due to some problem in the network or in the
>> box
>> itself, a lot (or all) of its users get disconnected at once, later,
>> when
>> the original problem is solved you end up with thousands of users
>> trying to
>> reconnect all at the same time, causing what is known as a "storm" of
>> Access-Requests. This poses a particular performance problem,
>> especially
>> when the radius server in turn must proxy the requests to some other
>> servers, propagating the problem further into the network.
>>
>> The solution could be a mechanism built into the server process that,
>> given
>> certain conditions, forwards to the proxy chain only a fraction of the
>> messages intended for it, in order to protect the remote server from
>> the
>> traffic spike. The remaining requests could well be denied, forcing
>> the end
>> user to try a reconnection some seconds later. This, at least in
>> theory,
>> would achieve some effect of "shaping" the Radius traffic upstream in
>> the
>> proxy chain.
>
> rejecting auth requests would of course help in these situations.
>
> The other problem in this context would be the storm of accounting
> requests for the stop records. I would not like to lose these if
> rate limiting kicks in.
>
> If rate limiting is implemented a similar mechanism to
> AcctFailedLogFileName to accept and save accounting requests might be
> needed. These accounting requests could then be later replayed and
> passed to the servers further
> down the line.
>
> Greetings
> Christian
>
> --
> Christian Kratzer ck at cksoft.de
> CK Software GmbH http://www.cksoft.de/
> Phone: +49 7452 889 135 Fax: +49 7452 889 136
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list