Distributed Agent Method for User Based IP Accounting

Transcription

1 Distributed gent Method for User Based IP ccounting e Zhang Bernd Reuther Paul Mueller Department of Computer Science, University of Kaiserslautern Postfach 3049, Kaiserslautern, ermany gezhang@informatik.uni-kl.de reuther@informatik.uni-kl.de pmueller@rhrk.uni-kl.de 1 Introduction Rapid development of the Internet results in more and more IP traffic. Beside other reasons the motivation of reasonable network usage plays an important role for utilization accounting even in L. In traditional IP accounting an IP address is considered to identify the producer of IP traffic flows, and the IP accounting required producer information and other accounting information of the IP traffic can be extracted directly from the IP packages. n accounting meter usually can be placed in a key position of an accounting areas, e.g. in a router [1272], where all the IP traffic flows can be captured. But in multi-user system an IP address cannot uniquely identify the producer of the IP traffic flows, the traditional IP accounting cannot meet the finer granularity requirement in this situation. But if accounting is used in a L to motivate reasonable network usage, then it is important to be able to assign costs to users and not only to device. Here we introduce a user based accounting model, which is able to distinguish users even on multi-user computers. Since the distinction of users can be done within the hosts only, distributed agents are used to obtain the additional accounting information from multi-user computers. 2 raditional IP accounting 2.1 IP accounting and IP billing system architecture ccounting is he collection of resource consumption data for the purposes of capacity and trend analysis, cost allocation, auditing, and billing. [RFC2975]. Whereby Billing is the process of utilizing the processed ccounting Records on a per user basis to generate the invoice. n IP Billing system consists of three layers: raffic Meter Layer, Mediation Layer and Billing / OSS / BSS (Operating / Business Support System) Layer. he raffic Meter Layer records the network activities in Raw Data Records (RDR) like an electricity meter. he Mediation Layer collects the Raw Data Records from various meters, and processes the Raw Data Records to produce the Usage Records, stores the Usage Records in database, distributes the Usage Records to different applications in layer 3. he applications (e.g. Billing, Fraud Detection, rend nalysis etc.) in layer 3 respectively process the Usage Records for different application purposes and generate various reports. IP accounting includes the layer 1 and layer 2 in the IP billing system architecture.

2 S Y S M M M Layer3--- Billing/OSS/BSS Layer Layer2---Mediation Layer Layer1---raffic Meter Layer Figure 1 IP Billing System rchitecture R U L S S 2.2 erminology he meaning of the term user depends on the context where the term is used. When talking about traditional IP accounting systems a user is a host that is the source or the sink of IP traffic. Within IP billing systems the term user means the person or institution, which is responsible for some IP traffic, i.e. who has to pay for the IP traffic. In a multi-user system a login name or an identifier represents a so-called user. his user may be one real person or a group of real persons. Because of this ambiguous usage of the term user we will present some definitions of terms, which will be used within this paper: Host-Identifier or HID is a unique identifier for an end-system of the network layer. In the context of IP networks an IP address can be used as a synonym for a Host-Identifier. User-Identifier or UID is a unique identifier for an account on a computer system. his term is commonly used in the context of multi-user systems. raffic-originator ::= <Host-Identifier, [User-Identifier]>. raffic- Originator (O) is responsible for specific outgoing and incoming traffic flows. User::= <raffic-originator1 [, raffic-originator]> is a unique identifier for real person or a group of persons which are associated with one or more Os. ach O is associated with exactly one User. Usually a User identifies one real person who has access to one or more single-user systems or accounts on multi-user systems. When a group of real persons share an account or a single-user system, this group may be described by one User. Purchaser::= <User1 [,, User]> is a unique identifier of a person or an institution who will pay for the traffic that is originated by one or more Users. 2.3 he limitation of traditional IP accounting method he general IP accounting process can be described in two steps: 1) he raffic Meter collects IP traffic information from various etwork lements, and stores these information in the form of Raw Data Records. Usually the raffic Meter locates at a key point of the network (e.g. router, gateway etc.), where all the required IP traffic can be captured. 2) he Mediation layer collects the RDRs, and then processes (Validation, deduplication, filtering, correlation, aggregation and normalizing) the RDRs to produce the Usage Records.

3 During the process of the IP traffic information processing, the traditional IP accounting method will regard the HID, i.e. IP addresses, in the RDRs as the user information, and these IP addresses will be mapped to corresponding users by the Correlation module in the IP mediation layer. he function of the Correlation module is to merge several RDRs, which have some relationships, to create a single record; this can provide a single, complete view of information about an event [Lucent]. In the traditional IP accounting system the Correlation process is based on IP address. he process of correlating IP traffic to the corresponding producer can be described as below: f(hid i )=O i (1) i Hosts in IP accounting area In formula (1) HID i is the IP address of HOS i, O i is the producer of IP traffic that come from HOS i. he above described method works well in single user systems. But in the multiuser systems, several users can share one IP address at the same time, therefore IP traffic with same IP address might be produced by different persons. For example, there are two persons and B, and they have account UID a and UID b respectively in multi-user system HID i. In HID i UID a generates a package and UID b generates a package B. ccording to formula (1), only the HID i will be used to identify the producer of the packages, therefore package and package B are correlated to the same producer O i. From this example we know, the traditional IP accounting method cannot meet the finer granularity requirement in multi-user systems. o solve the above described problem, not only the host information, but also the user information should be provided to identify the producers of IP traffic from the multi-user system. he new correlation process should be described as below: f( HID i, UID j )=O ij (2) i Hosts in IP accounting area, j accounts in one host In formula (2) HID i is the IP address of HOS i. UID j is an identifier of a user of HOS i. O ij is the producer of IP traffic that come from HOS i. With HID and UID the producer of IP traffic can be uniquely identified. We call this new method user based IP accounting, and our IPO (utzer Basiertes IP ccounting) project aims at solving the problem in traditional IP accounting. 3 Principle of user based IP accounting User based IP accounting collects traffic information and processes the RDRs on the basis of Users. he IP address is not the unique parameter to identify the producer of IP traffic. User ID will be used with IP address together to uniquely identify the producer of IP traffic. o obtain the UID information of corresponding IP traffic from the computer system, the traditional centralized key position accounting information collection method should be changed. Because the UID information of one computer system cannot be obtained outside it, a mechanism must be introduced to implement the UID information collection. Here this mechanism is an gent for the purpose of IP

4 accounting. he gents will locate in different computer systems, usually in multiuser systems, since in single user systems the UID information can be ignored in correlating the IP traffic to corresponding O. he distributed gents will collect their located systems UID information of corresponding IP traffic respectively. distributed gent model for user based IP accounting can be illustrated in figure 2: Multi-user system / IP1 User1 User2 Usern IP raffic 1 IP raffic 2 IP raffic n User1 User2 Usern User1 User2 Usern Multi-user system / IP2 IP raffic 1 IP raffic 2 IP raffic n Multi-user system / IPn IP raffic 1 IP raffic 2 IP raffic n D U R D U R W O R K raffic Meter Correlation Module Raw Data Records Per User Usage Records Figure 2 D U R Distributed gent model for user based IP accounting he user based IP accounting architecture is based on the traditional IP accounting architecture. he user based IP accounting process with gent method can be described as below: 1) he gent checks all traffic flows of its located system, and then extracts the corresponding O and other information to identify each flow. ll the generated User-rafficFlow relationship information will be stored in a Dynamic User- rafficflow Relationship able (DUR). 2) raffic Meter collects the IP traffic information to generate the Raw Data Records. 3) In the mediation layer the RDRs will be collected and processed together with DURs to generate the Usage Records. he Dynamic User-rafficFlow Relationship able is used to record the O information of each traffic flow, it is generated by the gent. he Correlation Module uses the DUR to map the RDRs to the corresponding users and adds the user information to the new generated Usage Records. he HID and UID parameters in formula (2) are collected in the DUR. With these information the Correlation Module can accurately identify the producer of IP traffic. n gent can be a standalone software or a part of the multi-user system kernel, which locates in the multi-user system. It checks all IP traffic from its located system. Its main functions are: 1) Capturing IP traffic flows and extracting the traffic flow attribute items from them. 2) Retrieving the corresponding O attribute items of the traffic flow from the system.

5 3) Combining the O attribute and the IP traffic attribute items together to generate a record into the DUR. If the gent collects more detailed traffic information, such as the attributes of received bytes, sent bytes etc., and stores them into the DUR, the records in this table can also be used as RDRs. In this case an gent can be considered as a standalone meter. Considering the performance reason, usually the gent will not be used a standalone meter. fter the collection of the O information by the distributed gents, the legacy accounting protocols [RFC2975] such as Radius, acacs+ and SMP etc. can be used to convey these information. For example, according to the above described user based IP accounting principle, the realization of the gent can be designed as a SMP agent in the multi-user system. t first the collected O information will be stored into MIB database, then the SMP protocol can be used to transport these O information data from the MIB database to the meters. Using this method, a user based IP accounting MIB standard should be defined. he [RFC2722], [RFC2720] described standards can be modified to meet this requirement. 4 Realization of distributed gent method for user based IP accounting ccording to the principle of user based IP accounting, the key of the realization of user based IP accounting is the realization of the gent, which can generate the DUR. In order to collect the corresponding O information of IP traffic flows, the gent must be located within the multi-user system. Because the gent needs to obtain the O information of the IP traffic, usually the realization of the gent is OS dependent, in other words it is OS kernel dependent. Here we consider about two realization methods: 1) Kernel modification. he principle of this method is, directly modifying the tcpip driver, inserting the gent function of the user based IP accounting into the driver. By this means, the build-in user based IP accounting gent can generate the DUR. Because the gent is located in the tcpip driver, it can check all IP traffic and obtain the corresponding O information. his method is based on this precondition: the OS source code can be obtained and modified. It is fit for OS producer to make this modification, or for open source code OS (e.g. Linux). 2) Kernel patch. he principle of this method is, making the network requirements to tcpip driver to be redirected to the gent. his method does not require the modification of the system kernel; the gent will be realized as a kernel patch. In the redirection technique, the request to original network function will be redirected to the new defined network system call, which can capture all the network traffic flows and record the traffic and corresponding O information to generate the DUR. his method is fit for the non-os producers, who cannot modify the OS source code. In our IPO project we have implemented a prototype gent software IPrafficRecorder (IPR) for Solaris and Windows 2000 Server operating systems respectively.

6 Comparing the two above described user based IP accounting realization methods with each other; the kernel modification method is a better solution. Because in this method, the gent works in the tcpip driver, all the IP traffic related operation can be traced and recorded. But for the kernel patch method, since it works outside the tcpip driver, some in the tcpip driver fulfilled IP traffic related operations cannot be recorded. For example, the three-way handshake of the tcp connection is completed in the tcpip driver; the kernel patch method cannot capture the packages related with this process. For the kernel patch method, it can meter most of the IP traffic, and it is a simple method without modifying the kernel code. Our prototype gent software IPrafficRecorder is realized with kernel patch method. 5 Conclusion In this paper we have presented a user based IP accounting technology. It can provide more accurate accounting information than the traditional IP address based accounting technology, and it extends the traditional IP accounting technology. he key of user based IP accounting is the distributed gents, which are located in different computer systems and collect O information of IP traffic from their located systems. hese O information will then be stored in the Dynamic User- rafficflow able, which can be used to correlate the user with the IP traffic. he extended legacy accounting protocol methods can be used to convey the O information. For the realization of the user based IP accounting, two methods, kernel modification method and kernel patch method, have been suggested. In our IPO project we have implemented a user based IP accounting prototype with the kernel patch method in Solaris and Windows 2000 server respectively. In the future we will develop a user based IP accounting system in the computer center of University of Kaiserslautern, and this user based IP accounting system will mainly run in the Solaris, Linux and Windows 2000 Server. nd the kernel patch method will be used to implement this. he kernel modification method maybe a suggestion for the OS producers. o realize the kernel modification method, some standards of the user based IP accounting should be defined. 6 References [Lucent] Lucent echnologies, BILLDS Data Manager, [RFC1272] C. Mills, D. Hirsh,.R. Ruth: Internet ccounting: Background, RFC1272, ovember 1991 [RFC2720]. Brownlee: raffic Flow Measurement: Meter MIB, RFC2720, October 1999 [RFC2722]. Brownlee, C. Mills,. Ruth: raffic Flow Measurement: rchitecture, RFC2722, October 1999 [RFC2975] B.boda,J.rkko, D. Harrington: Introduction to ccounting Management, RFC2975, October 2000