
AIX TCP Traffic Regulation (TCP TR)

https://www.ibm.com/support/pages/how-tcp-traffic-regulation-tcp-tr-works-aix

TCP Traffic Regulation (TCP TR) lets an administrator cap the number of incoming TCP connections that a port, or a range of ports, holds at any one time to a finite, user-specified pool, and at the same time spreads that pool across remote IP addresses so that no single source can consume all of it.

1. Configure TCP TR

To enable TCP TR:

# no -o tcptr_enable=1

To disable TCP TR:

# no -o tcptr_enable=0

(Add -p, as in no -p -o tcptr_enable=1, to make the setting take effect immediately and also survive a reboot.)

To add policy:

# tcptr -add <start port> <end port> <max connections> [divisor]

To delete policy:

# tcptr -delete <start port> <end port>

To display the current TCP TR policies:

# tcptr -show
TCP Traffic Regulation Policies:
StartPort=1     EndPort=12    MaxPool=256        Div=1  Used=0
StartPort=13    EndPort=13    MaxPool=256        Div=1  Used=0
StartPort=14    EndPort=20    MaxPool=256        Div=1  Used=0
StartPort=21    EndPort=21    MaxPool=256        Div=1  Used=0
StartPort=22    EndPort=25    MaxPool=256        Div=1  Used=4
StartPort=26    EndPort=36    MaxPool=256        Div=1  Used=0
StartPort=37    EndPort=37    MaxPool=256        Div=1  Used=0
StartPort=38    EndPort=110   MaxPool=256        Div=1  Used=0
StartPort=111   EndPort=111   MaxPool=256        Div=1  Used=0
StartPort=112   EndPort=9089  MaxPool=256        Div=1  Used=0
StartPort=9090  EndPort=9090  MaxPool=256        Div=3  Used=0
StartPort=9091  EndPort=65535 MaxPool=256        Div=1  Used=3

2. Algorithm used to accept or reject a connection request

When a new connection request arrives on a port covered by a policy, TCP TR decides whether to allow or deny the new socket connection as follows:

If (MaxPool - Used) = 0, the request is rejected, whatever its source.

Otherwise the request is checked against the requesting IP address's share of what is left in the pool:

     if   Used-per-IP < [(MaxPool - Used) / 2^divisor]   then
            Allow the new connection
     else
            Deny the new connection

An IP address that holds no connection to this port or port range yet has Used-per-IP = 0, so it always passes this check while the pool has room; the check only limits sources that already hold connections.

MaxPool = Maximum allowed connections for a port (or port range)

Used = Connections currently held by all IP addresses together

Used-per-IP = Connections currently held by the requesting IP address

divisor = non-negative integer used as the exponent of 2 in the division

Note: If the divisor is not specified, the default value of 1 is used. Under the formula above, a divisor of 0 makes the check Used-per-IP < (MaxPool - Used), so a single remote IP address can take roughly half of an empty pool before it is refused; each increment of the divisor halves that share again.

3. Cases

The following three cases show how the algorithm accepts or rejects connection requests and how the connections end up distributed across remote IP addresses.

► Case 1

Set a TCP Traffic Regulation policy that covers TCP port 21, with a maximum incoming connection pool of 10 and an available-connections divisor of 1.

On hostA:

# tcptr -add 21 21 10 1

Initial state: TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=0

⇒ Connection # 1 from host1 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 0) / 2^1], 0 < 5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=1

⇒ Connection # 2 from host1 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 1) / 2^1], 1 < 4.5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=2

⇒ Connection # 3 from host1 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 2 < [(10 - 2) / 2^1], 2 < 4.0 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=3

⇒ Connection # 4 from host1 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 3 < [(10 - 3) / 2^1], 3 < 3.5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=4

⇒ Connection # 5 from host1 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 4 < [(10 - 4) / 2^1], 4 < 3 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=4

⇒ Connection # 1 from host2 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 4) / 2^1], 0 < 3 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=5

⇒ Connection # 2 from host2 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 5) / 2^1], 1 < 2.5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=6

⇒ Connection # 3 from host2 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 2 < [(10 - 6) / 2^1], 2 < 2 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=6

⇒ Connection # 1 from host3 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 6) / 2^1], 0 < 2 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=7

⇒ Connection # 2 from host3 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 7) / 2^1], 1 < 1.5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=8

⇒ Connection # 3 from host3 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 2 < [(10 - 8) / 2^1], 2 < 1 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=8

⇒ Connection # 1 from host4 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 8) / 2^1], 0 < 1 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=9

⇒ Connection # 2 from host4 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 9) / 2^1], 1 < 0.5 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=9

⇒ Connection # 1 from host5 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 9) / 2^1], 0 < 0.5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=1 Used=10

From now on, any new connection request to port 21 from any IP address is rejected, because Used equals MaxPool.

The netstat -Aa output on hostA at this point (shown as a figure in the original) lists 10 connections distributed across 5 remote IP addresses: 4 from host1, 2 each from host2 and host3, and 1 each from host4 and host5.

► Case 2

Set a TCP Traffic Regulation policy that covers TCP port 21, with a maximum incoming connection pool of 10 and an available-connections divisor of 2.

On hostA:

# tcptr -add 21 21 10 2

Initial state: TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=0

⇒ Connection # 1 from host1 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 0) / 2^2], 0 < 2.5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=1

⇒ Connection # 2 from host1 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 1) / 2^2], 1 < 2.25 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=2

⇒ Connection # 3 from host1 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 2 < [(10 - 2) / 2^2], 2 < 2 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=2

⇒ Connection # 1 from host2 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 2) / 2^2], 0 < 2 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=3

⇒ Connection # 2 from host2 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 3) / 2^2], 1 < 1.75 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=4

⇒ Connection # 3 from host2 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 2 < [(10 - 4) / 2^2], 2 < 1.5 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=4

⇒ Connection # 1 from host3 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 4) / 2^2], 0 < 1.5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=5

⇒ Connection # 2 from host3 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 5) / 2^2], 1 < 1.25 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=6

⇒ Connection # 3 from host3 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 2 < [(10 - 6) / 2^2], 2 < 1 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=6

⇒ Connection # 1 from host4 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 6) / 2^2], 0 < 1 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=7

⇒ Connection # 2 from host4 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 7) / 2^2], 1 < 0.75 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=7

⇒ Connection # 1 from host5 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 7) / 2^2], 0 < 0.75 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=8

⇒ Connection # 2 from host5 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 8) / 2^2], 1 < 0.5 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=8

⇒ Connection # 1 from host6 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 8) / 2^2], 0 < 0.5 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=9

⇒ Connection # 2 from host6 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 1 < [(10 - 9) / 2^2], 1 < 0.25 is False, so the connection is rejected
* * * REJECTED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=9

⇒ Connection # 1 from host7 to port 21 on hostA
Used-per-IP < [(MaxPool - Used) / 2^divisor]: 0 < [(10 - 9) / 2^2], 0 < 0.25 is True, so the connection is accepted
* * * ESTABLISHED * * * TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=2 Used=10

From now on, any new connection request to port 21 from any IP address is rejected, because Used equals MaxPool.

The netstat -Aa output on hostA at this point (shown as a figure in the original) lists 10 connections distributed across 7 remote IP addresses: 2 each from host1, host2 and host3, and 1 each from host4 through host7.

► Case 3

Set a TCP Traffic Regulation policy that covers TCP port 21, with a maximum incoming connection pool of 10 and an available-connections divisor of 3.

On hostA:

# tcptr -add 21 21 10 3

Initial state: TCP Traffic Regulation Policies: StartPort=21 EndPort=21 MaxPool=10 Div=3 Used=0

The step-by-step calculation is not repeated for this case because it follows the same rule as cases 1 and 2. With 2^3 = 8 in the denominator, host1 is refused its third connection (2 < (10 - 2) / 8 = 1 is False) and every later host is refused its second, so the pool fills with 2 connections from host1 and 1 each from host2 through host9.

The netstat -Aa output on hostA at this point (shown as a figure in the original) lists 10 connections distributed across 9 remote IP addresses.

The following table summarises the three cases with MaxPool=10 (rebuilt from the cases above; the original showed it as an image). As the divisor increases, the number of distinct remote IP addresses that obtain a connection increases and the number of connections a single remote IP address can hold decreases.

Divisor   Remote IPs holding connections   Most connections held by one IP
1         5                                4
2         7                                2
3         9                                2
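The rule in section 2 and the three replays in section 3 can be reproduced mechanically rather than by hand. The following Python is an added example written for this page, not code from IBM or from AIX: it models one tcptr policy with the quantities the page defines (MaxPool, divisor, Used, Used-per-IP), replays the host1, host2, ... sequence of section 3 for any MaxPool and divisor, and reports how the pool ends up shared. The class and function names and the host names are the example's own; nothing here talks to a kernel.

```python
"""Replay the AIX TCP Traffic Regulation (TCP TR) acceptance rule.

Added example, not code from the IBM page or from AIX: it re-implements the
per-port pool check of section 2 so the cases of section 3 can be reproduced.
Host names are placeholders like the page's host1..hostN.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Tuple


@dataclass
class TrPolicy:
    """One `tcptr -add StartPort EndPort MaxPool [Divisor]` entry."""
    start_port: int
    end_port: int
    max_pool: int
    divisor: int = 1                     # tcptr's default when omitted
    per_ip: Counter = field(default_factory=Counter)

    @property
    def used(self) -> int:               # the "Used" column of tcptr -show
        return sum(self.per_ip.values())

    def covers(self, port: int) -> bool:
        return self.start_port <= port <= self.end_port

    def admit(self, remote_ip: str) -> bool:
        """Apply the section 2 rule to a new request; count it if accepted."""
        free = self.max_pool - self.used
        if free <= 0:                    # Used == MaxPool: everyone is refused
            return False
        # Used-per-IP < (MaxPool - Used) / 2^divisor.  A first-time IP has
        # Used-per-IP = 0, so it always passes while the pool has room.
        if self.per_ip[remote_ip] < free / (2 ** self.divisor):
            self.per_ip[remote_ip] += 1
            return True
        return False

    def release(self, remote_ip: str) -> None:
        """A connection closed; TCP TR only gates new ones, so free the slot."""
        if self.per_ip[remote_ip] > 0:
            self.per_ip[remote_ip] -= 1


def replay(max_pool: int, divisor: int, hosts: Iterable[str]) -> Dict[str, int]:
    """Each host in turn keeps connecting until it is refused (the order used
    in section 3). Returns how many connections each host ended up holding."""
    policy = TrPolicy(21, 21, max_pool, divisor)
    held: Dict[str, int] = {}
    for host in hosts:
        if policy.used >= policy.max_pool:
            break                        # pool full: no more hosts get in
        n = 0
        while policy.admit(host):
            n += 1
        held[host] = n
    return held


def summary(max_pool: int, divisor: int) -> Tuple[int, int]:
    """(remote IPs that got a connection, most connections held by one IP)
    when an unlimited supply of distinct hosts is offered; this is the
    section 3 summary table for any divisor."""
    hosts = (f"host{i}" for i in range(1, max_pool + 1))
    held = replay(max_pool, divisor, hosts)
    return len(held), max(held.values())


if __name__ == "__main__":
    for div in (0, 1, 2, 3):
        ips, biggest = summary(10, div)
        print(f"MaxPool=10 Div={div}: {ips} remote IPs, at most {biggest} from one IP")
    # Established connections are untouched: when one closes, a slot frees up.
    p = TrPolicy(21, 21, 10, 1)
    for h in ("host1",) * 4 + ("host2",) * 2 + ("host3",) * 2 + ("host4", "host5"):
        p.admit(h)
    print("host6 while the pool is full:", p.admit("host6"))
    p.release("host1")
    print("host6 after host1 closed one connection:", p.admit("host6"))
```

Running it prints the 5 / 7 / 9 remote-IP split of the three cases (plus the divisor 0 split, 4 IPs with 5 held by the first), and the tail shows that closing an established connection frees a slot, which is why the troubleshooting section says TCP TR does not affect established connections. A source that wants more than its share has to come from more addresses, so the mechanism caps what one remote IP can hold but not what a distributed set of sources can fill.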

4. Rejecting a connection request

The packet capture (shown as a figure in the original) showed hostA transmitting a "reset" (RST), in packet 190 of that trace, when a connection request is rejected. The RST is sent after the three-way handshake (SYN, SYN/ACK and ACK), so from the client's side the connection completes and is then immediately reset rather than being refused at SYN time. Because the handshake itself still completes, TCP TR regulates how many established connections a source can hold; it is not a defence against floods of half-open SYNs.

5. Troubleshooting

If a TCP connection request is rejected for no obvious reason, use the following steps to find out whether TCP TR is the cause.

- Run "no -o tcptr_enable" (or "no -a | grep tcptr_enable") to check whether it is set to 1.

- If tcptr_enable is 1, run "tcptr -show" to list the policies.

- Collect an iptrace that captures the connection rejection and check whether the behaviour matches what is described in section 4 above (handshake completes, then a RST from the server).

- If a policy covers the TCP server port of the rejected connection and "Used" equals "MaxPool", then either (1) adjust MaxPool and Divisor to allow more connections, or (2) set tcptr_enable to 0 as a quick test to disable TCP TR. If "Used" is below "MaxPool" but the same remote IP address keeps being refused, that address has reached the per-IP share described in section 2.

- TCP TR does not affect UDP or ICMP traffic.

- TCP TR does not affect established TCP connections.
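The checks above can be scripted so the same answer comes out every time. This Python is an added example for this page, not an IBM tool: it parses `no -a` and `tcptr -show` output in the formats shown in section 1 and returns a verdict for a given server port, distinguishing "TR is off", "no policy covers the port", "pool exhausted" and "pool has room, so only the per-IP share can be refusing". On AIX you would feed it the real command output (for example via subprocess.run(["tcptr", "-show"], capture_output=True, text=True).stdout); here the `no -a` line is constructed, and the sample policy lines are a subset copied from section 1 plus the exhausted port-21 pool at the end of Case 1.

```python
"""Script the section 5 TCP TR checks against `no -a` and `tcptr -show` text.

Added example, not from the IBM page. The samples are embedded so it runs
offline; on a real host replace them with the commands' actual output.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: the one relevant line of `no -a` output (name = value form).
SAMPLE_NO_A = "                 tcptr_enable = 1\n"

# Subset of the `tcptr -show` output in section 1, plus the Case 1 final
# state for port 21 (Used equals MaxPool).
SAMPLE_SHOW = """\
TCP Traffic Regulation Policies:
StartPort=21    EndPort=21    MaxPool=10         Div=1  Used=10
StartPort=22    EndPort=25    MaxPool=256        Div=1  Used=4
StartPort=9090  EndPort=9090  MaxPool=256        Div=3  Used=0
StartPort=9091  EndPort=65535 MaxPool=256        Div=1  Used=3
"""

_POLICY = re.compile(
    r"StartPort=(?P<start>\d+)\s+EndPort=(?P<end>\d+)\s+MaxPool=(?P<max>\d+)"
    r"\s+Div=(?P<div>\d+)\s+Used=(?P<used>\d+)"
)
_ENABLE = re.compile(r"^\s*tcptr_enable\s*=\s*(\d+)\s*$", re.MULTILINE)


def tcptr_enabled(no_a_text: str) -> Optional[int]:
    """Value of tcptr_enable in `no -a` output, or None if the line is absent."""
    m = _ENABLE.search(no_a_text)
    return int(m.group(1)) if m else None


def parse_tcptr_show(text: str) -> List[Dict[str, int]]:
    """Turn each policy line of `tcptr -show` into a dict; the banner is skipped."""
    return [
        {k: int(v) for k, v in m.groupdict().items()}
        for m in map(_POLICY.search, text.splitlines()) if m
    ]


def policy_for_port(policies: List[Dict[str, int]], port: int) -> Optional[Dict[str, int]]:
    """First policy whose StartPort..EndPort range covers the port."""
    return next((p for p in policies if p["start"] <= port <= p["end"]), None)


def diagnose(no_a_text: str, show_text: str, port: int) -> Tuple[str, str]:
    """(verdict, explanation), following the order of the checks in section 5."""
    enabled = tcptr_enabled(no_a_text)
    if enabled != 1:
        return "tr_off", f"tcptr_enable={enabled}: TCP TR is not the cause"
    p = policy_for_port(parse_tcptr_show(show_text), port)
    if p is None:
        return "no_policy", f"no tcptr policy covers port {port}"
    free = p["max"] - p["used"]
    if free <= 0:
        return "pool_exhausted", (
            f"port {port}: Used={p['used']} equals MaxPool={p['max']}; every new "
            f"connection gets a RST after the handshake. Raise MaxPool/Div with "
            f"tcptr -add, or run 'no -o tcptr_enable=0' as a quick test")
    # Pool has room, so a refusal can only come from the per-IP rule (section 2).
    limit = free / 2 ** p["div"]
    return "per_ip_limit", (
        f"port {port}: {free} of {p['max']} slots free; a remote IP already "
        f"holding {limit:g} or more connections here is refused")


if __name__ == "__main__":
    for port in (21, 22, 8080, 9090):
        verdict, why = diagnose(SAMPLE_NO_A, SAMPLE_SHOW, port)
        print(f"{verdict:15} {why}")
```

Port 21 in the sample reports an exhausted pool, port 22 reports that only the per-IP share can be refusing (252 of 256 free, so an address already holding 126 connections is turned away), and 8080 falls outside the sample's policy lines. The regexes match the exact column names tcptr prints on this page; if a newer release adds columns, only the trailing part of the pattern needs to change.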

aix/aix_traffic_regulation.txt · Last modified: 2023/07/05 17:02 by manu