1. Field of the Invention
The present invention relates to distributing traffic load in a packet-switched network among application proxies that are subscriber aware, such as service gateways that charge for application activity, with load balancers; and, in particular, to distributing the load consistently for both control plane and data plane packets while leveraging accelerated policy-based routing engines on the load balancer for data plane traffic.
2. Description of the Related Art
Networks of general-purpose computer systems connected by external communication links are well known. The networks often include one or more network devices that facilitate the passage of information between the computer systems. A network node is a network device, computer system or other device connected by the communication links. As used herein, an end node is a network node that is configured to originate or terminate communications over the network. In contrast, an intermediate network node facilitates the passage of data between end nodes.
Information is exchanged between network nodes according to one or more of many well known, new or still developing protocols. In this context, a protocol consists of a set of rules defining how the nodes interact with each other based on information sent over the communication links. The protocols are effective at different layers of operation within each node, from generating and receiving physical signals of various types, to selecting a link for transferring those signals, to the format of information indicated by those signals, to identifying which software application executing on a computer system sends or receives the information. The conceptually different layers of protocols for exchanging information over a network are described in the Open Systems Interconnection (OSI) Reference Model. The OSI Reference Model is generally described in more detail in Section 1.1 of the reference book entitled Interconnections Second Edition, by Radia Perlman, published September 1999, which is hereby incorporated by reference as though fully set forth herein.
Communications between nodes are typically effected by exchanging discrete packets of data. Each packet typically comprises (1) header information associated with a particular protocol, and (2) payload information that follows the header information and contains information that may be processed independently of that particular protocol. In some protocols, the packet includes (3) trailer information following the payload and indicating the end of the payload information. The header includes information such as the source of the packet, its destination, the length of the payload, and other properties used by the protocol. Often, the data in the payload for the particular protocol includes a header and payload for a different protocol associated with a different, usually higher layer of the OSI Reference Model. The header for a particular protocol typically indicates a type for the next protocol contained in its payload. The higher layer protocol is said to be encapsulated in the lower layer protocol. The headers included in a packet traversing multiple heterogeneous networks, such as the Internet, typically include a physical (layer 1) header, a data-link (layer 2) header, an internetwork (layer 3) header and a transport (layer 4) header, as defined by the OSI Reference Model. In networking parlance, a tunnel for data is simply a protocol that encapsulates that data.
Routers and switches are network devices that determine which communication link or links to employ to support the progress of data packets through the network. A network node that determines which links to employ based on information in the internetwork header (layer 3) is called a router. Some protocols pass protocol-related information among two or more network nodes in special control packets that are communicated separately and which include a payload of information used by the protocol itself rather than a payload of data to be communicated for another application. These control packets and the processes at network nodes that utilize the control packets are said to be in another dimension, a “control plane,” distinct from the “data plane” dimension that includes the data packets with payloads for other applications at the end nodes.
Subscribers obtain access to a packet-switched network (PSN) of an Internet Service Provider (ISP) through a Network Access Server (NAS). A subscriber often uses a link-layer protocol to form a temporary tunnel between the subscriber's device and the NAS. The contents of the tunneling protocol payload are not involved in determining the path. The NAS determines whether an entity attempting access is in fact a subscriber authorized to access the network by exchanging packets with an Authentication, Authorization, and Accounting (AAA) server. Example well-known AAA servers include the Remote Authentication Dial In User Service (RADIUS) server, Terminal Access Controller Access Control System (TACACS), and the DIAMETER server. Once the entity is authenticated to be an authorized subscriber, then access is granted to the ISP network, the subscriber is assigned a network layer address, such as an Internet Protocol (IP) address, and internetwork-layer payloads are routed based on the internetwork and higher layer header information.
A modern ISP can offer different services to different subscribers. For example, the rate of data delivery of large Web pages to some subscribers can be increased by compressing the Web pages before delivery and un-compressing the Web pages at a process on the subscriber's own equipment. As is well known in the art, Web pages are transmitted over a network using the Hypertext Transfer Protocol (HTTP), an application-layer (layer 7) protocol. Certain Web pages can be blocked using a Web filtering service. A service that provides some combination of compression, filtering and local caching of Web pages is called Web optimization. Some subscribers use mobile devices, such as cell phones, that have smaller memory and display capacities than other network devices. Web pages are communicated to such mobile devices using special protocols, such as the Wireless Application Protocol (WAP), an application-layer protocol. HTTP payloads are translated to WAP payloads before delivery to these subscribers.
To deliver these special services, service gateways are included in the ISP packet switched networks. Service gateways are processes that operate on intermediate network devices between the source and the destination of data packets. The service gateways use a payload in a data packet to provide the networking service. Example services include payload translation, just described, and other payload changes, as well as special billing, rating, filtering services and other services that do not modify the contents of a payload. For example, Web compression gateways compress HTTP payloads of data packets directed to a subscriber's device and un-compress HTTP payloads of data packets originating from a subscriber's device. A WAP 1.x gateway converts HTTP payloads of data packets directed to a subscriber's device to WAP 1.x payloads and converts WAP 1.x payloads of data packets originating from a subscriber's device to HTTP payloads. Some ISPs offer different services to different subscribers. These are subscriber-aware services.
To ensure that a service gateway for a service offered by the ISP is included in packet-switched paths from the subscriber to any destination on the network accessed by the ISP network, the service gateway is included in routes to data plane destinations and serves as a proxy for the control plane destinations used to set up a subscriber's session on the network. For example, AAA server traffic for a NAS is directed to a service gateway, which serves as a proxy for the AAA server. A subscriber-aware service gateway monitors the AAA server traffic to determine the remote user's network identifier and whether the remote user has subscribed to the service provided by the gateway. For example, the service gateway monitors RADIUS to determine the mapping of subscriber ID to currently assigned network ID; in addition, RADIUS is used to relay information on users' subscribed service profiles to the network elements from a back-end database, typically located behind the RADIUS server.
It is common for an ISP to include a cluster of service gateways so the service can be scaled to the number of subscribers. To distribute traffic among the service gateways in the cluster, a load balancing process (called a load balancer herein) is included in the path between the NAS (or other end node) and the cluster of service gateways. To handle the large volume of data plane traffic going through the service gateways, hardware accelerated policy-based routing (PBR) is used. According to PBR, a data packet is associated with a data flow based on one or more fields in the header section of the layer 3 protocol, and all packets in the same data flow are directed to the same next hop network address. In the case of a load balancer, the next hop network address uniquely identifies one service gateway among the cluster. It is common to generate a unique data flow identifier based on a 5-tuple of fields in a layer 3 header, e.g., protocol, source network address, destination network address, source port, and destination port. PBR is often implemented using an Access Control List (ACL), which lists a flow identifier and the next hop network address for that flow. A flow that is not on the ACL is not processed further. With hardware-accelerated PBR, a router includes special logic circuits that determine the data flow of the data packet and compare the data flow to the ACL. If the data flow is in the ACL, then the data packet is forwarded to the particular service gateway of the cluster associated with that data flow in the ACL. In general, to conserve resources on intermediate network devices, a PBR ACL does not uniquely identify individual flows, but rather specifies a portion of the subscriber IP address space that is routed to a service gateway.
For subscriber-aware services, the load balancer should send all traffic from the same subscriber, and the associated control plane traffic generated on this subscriber's behalf (such as AAA or RADIUS traffic from the NAS), to the same service gateway in the cluster for the duration of the subscriber's network session.
In some approaches, a dynamic association is made between a particular control plane message from the end node or NAS and a particular service gateway node. An example dynamic association is a round robin association in which successive control plane messages are forwarded to successive different nodes in the cluster. In some of these approaches, a sticky table is formed at the load balancer to store an entry that associates a particular subscriber with a particular service gateway so that subsequent messages from the same subscriber go to the same service gateway node for the duration of the session. When the session is ended, the entry is deleted from the sticky table. The sticky table is formed by monitoring the AAA traffic. Content-aware load-balancing is available from Cisco Systems, Incorporated of San Jose, Calif. as described in “Cisco IOS Software Release 12.1(11b)E for Supervisor Engines of the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Internet,” Product Bulletin 1687, 2002, the entire contents of which are hereby incorporated by reference as if fully set forth herein. At the time of this writing, Product Bulletin 1687 is available at the Internet domain www.cisco.com in a file named prod_bulletin09186a00800923b0.htm in the directory /en/US/products/hw/routers/ps368.
The association of all data flows with a particular subscriber is possible using the sticky tables. An advantage of treating all data flows from the same subscriber together is to protect against denial of service (DOS) attacks in which one or a few subscribers generate a large number of data flows—for example as a synchronization (SYN) message flood. Such protection is afforded by U.S. patent application Ser. No. 11/273,112 filed Nov. 14, 2005 and entitled “Techniques for Network Protection Based on Subscriber-Aware Application Proxies,” the entire contents of which are hereby incorporated by reference as if fully set forth herein.
While suitable for many purposes, there are some deficiencies with the prior approaches. One deficiency is the requirement for the sticky table itself and the consumption of memory and processor resources to store and maintain the sticky table. Another deficiency arises in high availability deployments in which further resources are consumed in synchronizing the sticky table contents on the primary and one or more redundant load balancers. Another deficiency is that, to apply the information in the sticky table, each data packet in the data plane has to be checked against the sticky table instead of using PBR routing based on an ACL. This places a heavy load on the processing capability of the router, especially so because the data plane has orders of magnitude more traffic than the control plane. Furthermore, since hardware acceleration is not widely available for applying information from the sticky table, the hardware accelerated PBR engine is not available to accelerate the processing of the data plane traffic.
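The following is an added illustration, not part of the patent text, contrasting the two dispatch paths described above: the stateless PBR ACL lookup on a slice of subscriber address space, and the prior-art sticky table built by monitoring AAA traffic and consulted for every data plane packet. The gateway addresses, ACL prefixes and RADIUS messages are constructed, and treating RADIUS Accounting Start/Stop as the session boundaries is an assumption made for the example.

```python
import ipaddress
from itertools import cycle
from typing import Optional
GATEWAYS = ["192.0.2.11", "192.0.2.12"]      # constructed service gateway cluster
# Constructed PBR ACL: a slice of subscriber address space -> next-hop gateway.
PBR_ACL = [(ipaddress.ip_network("10.1.0.0/17"), GATEWAYS[0]),
           (ipaddress.ip_network("10.1.128.0/17"), GATEWAYS[1])]

def pbr_next_hop(src_ip: str) -> Optional[str]:
    """Stateless PBR: the source address alone picks the gateway; no ACL match -> None."""
    addr = ipaddress.ip_address(src_ip)
    for prefix, next_hop in PBR_ACL:
        if addr in prefix:
            return next_hop
    return None                               # not processed further

class StickyLoadBalancer:
    """Prior-art style: round-robin on session start, then one table lookup per data packet."""
    def __init__(self, gateways):
        self._rr = cycle(gateways)
        self.sticky = {}                      # assigned subscriber IP -> gateway
        self.lookups = 0                      # per-packet table consultations

    def on_radius(self, msg: dict) -> str:
        """Monitor AAA traffic. Assumed: Accounting Start/Stop mark the session
        boundaries and Framed-IP-Address is the subscriber's assigned network ID."""
        ip = msg["Framed-IP-Address"]
        if msg["Acct-Status-Type"] == "Start":
            return self.sticky.setdefault(ip, next(self._rr))
        gw = self.sticky.pop(ip, None)        # Stop: delete the session entry
        return gw if gw is not None else next(self._rr)

    def data_next_hop(self, src_ip: str) -> Optional[str]:
        self.lookups += 1                     # every data-plane packet hits the table
        return self.sticky.get(src_ip)

def simulate(n_data_packets: int = 1000) -> dict:
    """Constructed session (RADIUS Start, n data packets, RADIUS Stop) under both schemes."""
    sub = "10.1.200.7"                        # falls in the second ACL slice
    lb = StickyLoadBalancer(GATEWAYS)
    sticky_gw = lb.on_radius({"Acct-Status-Type": "Start", "Framed-IP-Address": sub})
    sticky_hops = {lb.data_next_hop(sub) for _ in range(n_data_packets)}
    pbr_hops = {pbr_next_hop(sub) for _ in range(n_data_packets)}
    lb.on_radius({"Acct-Status-Type": "Stop", "Framed-IP-Address": sub})
    return {"sticky_consistent": sticky_hops == {sticky_gw},
            "pbr_consistent": pbr_hops == {GATEWAYS[1]},
            "schemes_agree": sticky_gw == pbr_next_hop(sub),   # round robin vs ACL
            "sticky_lookups": lb.lookups, "entries_after_stop": len(lb.sticky),
            "unmatched": pbr_next_hop("172.16.0.1")}
```

Both schemes keep a subscriber's data packets on one gateway, but the sticky table costs one lookup per data packet and must be created and torn down per session, while the round-robin choice made for the control plane need not coincide with the gateway the PBR ACL selects for the same subscriber's data plane traffic.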
Based on the foregoing description, there is a clear need for service gateway load balancers that do not suffer all the deficiencies of prior art approaches. In particular, there is a need for a service gateway load balancer that more quickly directs control plane and data plane traffic to the same service gateway and that does not require the use of a sticky table to ensure consistency between control plane load balancing (such as for RADIUS traffic) and data plane load balancing.