No subject
Mon Jan 7 09:52:59 UTC 2008
1.1. Overview
This module implements rate limiting for SIP requests. In
contrast to the PIKE module this limits the flow based on a
per SIP request type basis and not per source IP. The MI
interface can be used to change tunables while running
openSER. Currently supported requests are INVITE, REGISTER and
SUBSCRIBE.
The module does not implement any actions on blocking - it
just simply reports that there is a high traffic; what to do,
is the administator decision (via scripting).
_________________________________________________________
1.2. Use Cases
Limiting the rate messages are processed on a system directly
influences the load. The ratelimit module can be used to
protect a single host or to protect an openSER cluster when
run on the dispatching box in front.
A sample configuration snippet might look like this:
...
if (is_method("INVITE|REGISTER|SUBSCRIBE") {
if (!rl_check()) {
sl_send_reply("503", "Service Unavailable");
exit;
};
};
...
Upon every incoming request listed above rl_check is invoked.
It returns an OK code if the current per request load is below
the configured threshold. If the load is exceeded the function
returns an error and an administrator can discard requests
with a stateless response.
_________________________________________________________
1.3. Rate Limiting Algorithms
The ratelimit module supports two different algorithms to be
used by rl_check to determine whether a message should be
blocked or not.
_________________________________________________________
1.3.1. Tail Drop (TD)
This is a trivial algorithm that imposes some risks when used
in conjunction with long timer intervals. At the start of each
interval an internal counter is reset and incremented for each
incoming message. Once the counter hits the configured limit
rl_check returns an error.
The downside of this algorithm is that it can lead to SIP
client synchronization. During a relatively long interval only
the first requests (i.e. REGISTERs) would make it through.
Following messages (i.e. RE-REGISTERs) will all hit the SIP
proxy at the same time when a common Expire timer expired.
Other requests will be retransmissed after given time, the
same on all devices with the same firmware/by the same vendor.
_________________________________________________________
1.3.2. Random Early Detection (RED)
Random Early Detection tries to circumvent the synchronization
problem imposed by the tail drop algorithm by measuring the
average load and adapting the drop rate dynamically. When
running with the RED algorithm (enabled by default) SER will
return errors to the SER routing engine every n'th packet
trying to evenly spread the measured load of the last timer
interval onto the current interval. As a negative side effect
SER might drop messages although the limit might not be
reached within the interval. Decrease the timer interval if
you encounter this.
_________________________________________________________
Regards,
Ovidiu Sas
----------------------------------------------------------------------
>Comment By: Henning Westerholt (henningw)
Date: 2008-01-16 09:34
Message:
Logged In: YES
user_id=337916
Originator: NO
Hi Bogdan, hi Osas,
i had this on my mind too after a short review.. Combining the both into
one would make sense. But we should go for the new name 'ratelimit', this
is a little bit more userfriendly than pike, in my opinion.
Cheers,
Henning
----------------------------------------------------------------------
Comment By: Ovidiu Sas (osas)
Date: 2008-01-15 21:40
Message:
Logged In: YES
user_id=1395524
Originator: YES
Hi Bogdan,
I won't commit until you give me the green light :)
More information about the Devel
mailing list