There are many emerging trends in the communications world, including the increase in network technology and the proliferation of data networks. To ensure security of communications and to avoid networking congestion problems, network designers have either incorporated security appliances, such as firewalls and virtual private networks, and traffic management devices in their systems or enhanced their routers with these functionalities.
A firewall is an Internet security appliance designed to screen traffic coming into and out of a network location. A virtual private network provides a secure connection through a public network such as the Internet, between two or more distant network appliances using a virtual private networking technology. Traffic management devices are used to monitor and/or control traffic passing through network devices to maintain a network's quality-of-service (QOS) level.
Traffic shaping is a technique for regulating traffic. Traffic shaping refers to a process of analyzing an allocated bandwidth utilized by various types of network traffic through a network appliance. Traffic shaping policies can be used to prioritize users in accordance with an IP address or other criteria to provide different levels of service to different users of a network appliance.
A leaky bucket is one example of a conventional technique used to control traffic flow. A splash is added to the bucket for each incoming byte received by the network appliance when the bucket is not full. The splash results in an increment in a counter associated with the bucket. The bucket leaks away at a constant rate (bytes are allowed to pass from the bucket through the network appliance). When the bucket is full (the counter is at a maximum value), bytes cannot pass through the network appliance (i.e., no additional bytes can be added to the bucket). As the bucket begins to empty in accordance with the leak rate, bytes once again can begin to be added to the bucket so that they can be moved through the network appliance. Leaky buckets are characterized by three parameters: the sustained information rate (SIR), the peak information rate (PIR) and the burst length (BL). The SIR is bound by the long-term data rate and defines the rate that data leaks from the bucket. BL defines the depth of the bucket and is equal to the maximum amount of data allowed to be passed when the bucket is empty. PIR defines the maximum rate at which the source can send data.
A token bucket is another example of a conventional technique used to control traffic flow. With token buckets, tokens are added to the bucket at a constant rate of the SIR. The token is a convention that is used to represent a defined unit of data (e.g., a byte or a packet). The token bucket has a depth of BL. When the token bucket is full no more tokens can be added to the bucket. When data comes in to the network appliance, if there are enough tokens in the token bucket, the data will be passed. Otherwise, the data will be held until the token bucket accumulates enough tokens.
A credit/debit token bucket is another example of a conventional technique used to control traffic flow. In the example discussed above for the token bucket, no data can be passed when there are insufficient tokens in the token bucket. This may cause some unacceptable delays. A credit/debit token bucket allows for oversubscription of tokens. Unlike normal token buckets, the number of tokens in a credit/debit token bucket can be negative. Based on the number of tokens in the bucket, a credit/debit token bucket can be in either one of the three states. If the number of tokens is positive the bucket has credit. If the number of tokens is negative the bucket owes a debit. Otherwise the bucket is in an even state. The operation of a conventional credit/debit token bucket is as follows. Tokens are added to a credit/debit token bucket in the same way as added to a normal token bucket. The difference between a normal token bucket and credit/debit token bucket is how incoming data is handled. In a credit/debit token bucket, as long as the data comes in and the credit/debit token bucket is in the credit or even state, the data is granted permission to pass and the number of tokens is decremented accordingly. After the decrementing operation (to remove the corresponding number of tokens from the bucket based on the amount of data that was passed), the number of tokens in the bucket can be negative, even, or still positive. If data comes in while the credit/debit token bucket is in a debit state, the data is held until the credit/debit bucket returns to the credit or even state (i.e., pays off all of its debt). Thereafter, the network appliance can pass the held data.
As described above a bucket has a definite depth. For example, a token bucket can accept a definite number of tokens before it becomes full. Traditionally, when the bucket became full, the excess (e.g., the excessive tokens) was discarded (i.e., to satisfy a guaranteed bandwidth requirement). If an unlimited or undefined depth bucket were used then the underlying policy may become oversubscribed. In order to ensure that oversubscription does not occur, traditionally these excessive tokens were discarded. What would be desirable is a system that would allow a bucket to share its excess while still providing a guaranteed bandwidth to an associated policy.