Committed Access Rate
Committed Access Rate (CAR) is a software feature that implements both classification of services and policing of traffic through rate-limiting, which, in effect, limits the input or output transmission rate of an interface based on a configurable set of criteria. Network administrators can use CAR to designate traffic-handling policies when traffic either conforms to or exceeds a specified rate limit. CAR’s rate-limiting feature manages the bandwidth policy for a network by ensuring that traffic falling within the specified rate parameters is sent while dropping packets that exceed the acceptable amount of traffic. CAR also specifies an exceed action, which can be set to drop packets.
CAR uses a token bucket measuring system. Tokens are inserted into the bucket at the committed rate, and the number of tokens in the bucket is limited by the configured burst size. Traffic arriving at the bucket when tokens are available is traffic that matches a configured conform action. If tokens are available when the traffic arrives, the appropriate number of tokens is removed from the bucket and the specified conform action is executed. If there is not an adequate number of tokens available, the traffic matches a configured exceed action. The token bucket is a combination of three components: a Mean Rate (CIR), a Burst Size (Bc), and a Time Interval (Tc). Each of these components is further detailed in the following list:
Mean Rate (CIR)—The average rate at which you would like to transmit. The rate is averaged over an increment of time (Tc), and traffic that is under this rate will always conform. This is measured in bits/second.
Burst Size (Bc)—The amount of data sent per time interval (Tc). When used with CAR, this is measured in bytes per burst interval.
Time Interval (Tc)—A measurement of Bc/CIR.
The token bucket formula for determining the Mean Rate of transfer is as follows:
Mean Rate (CIR) = Burst Size (Bc) / Time Interval (Tc)
The equation solves for Mean Rate (CIR) by dividing the Burst Size (Bc) by the Time Interval (Tc). One other formula that relates to the token bucket measuring system solves for the Time Interval (Tc):
Time Interval (Tc) = Burst Size (Bc) / Mean Rate (CIR)
Each action, conform and exceed, can be configured to provide another action based on the available tokens:
Transmit—The packet is forwarded accordingly.
Drop—The packet is dropped and no further processing takes place on it.
Set precedence then transmit—The IP Precedence bit in the packet is rewritten. The packet is then transmitted.
Continue—The packet is compared to the next policy that is configured in the list of rate limits. If no other policy is configured, the packet is sent.
Set precedence and continue—The IP Precedence bits are rewritten to a specified value, and the packet is then compared to the next policy configured in the list of rate limits.
A security administrator can use CAR’s rate-limiting feature to control the maximum rate at which traffic is sent or received during times the router is receiving a stream of DoS attack packets. To define a rate limit, three values must be specified:
Average rate—The average rate at which you want to transmit. All traffic that is transmitted at or below the average rate meets the conform action. Traffic that is transmitted above the average rate meets the exceed action, depending on the values configured for normal burst and excess burst. This value is specified in bits per second.
Normal burst—The amount of traffic, specified in bytes per second, that is allowed to burst before partial amounts of traffic are subjected to the excess burst action.
Excess burst—The amount of traffic, specified in bytes per second, that is allowed in a burst before all traffic is subjected to the excess burst action. Setting this value to zero disables bursting.
When CAR rate-limiting is applied to a packet, CAR removes from the bucket tokens that are equivalent in number to the byte size of the packet. If a packet arrives and its byte size is greater than the number of tokens available in the standard token bucket, extended burst capability is engaged if it is configured. Extended burst is configured by setting the extended burst so it’s greater than the normal burst value. Setting the extended burst value equal to the normal burst value, in effect, disables extended burst.
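The token bucket described above, as an added Python example (not from the original text and not Cisco's implementation). It models only the standard bucket, so extended burst is not represented; the class, function names, rates and packet streams are constructed for illustration.

```python
# Added example: simplified single token bucket as described in the text.
# Assumptions: one bucket, no extended burst, bucket starts full.

class TokenBucket:
    def __init__(self, cir_bps, bc_bytes):
        self.cir_bps = cir_bps          # Mean Rate (CIR), bits/second
        self.bc_bytes = bc_bytes        # Burst Size (Bc), bytes
        self.tokens = float(bc_bytes)   # one token per byte
        self.last = 0.0                 # arrival time of previous packet

    def tc_seconds(self):
        # Time Interval (Tc) = Burst Size (Bc) / Mean Rate (CIR),
        # with Bc converted from bytes to bits so the units match.
        return self.bc_bytes * 8 / self.cir_bps

    def police(self, now, size_bytes):
        # Tokens are added at the committed rate, capped at the burst size.
        refill = (now - self.last) * self.cir_bps / 8
        self.tokens = min(self.bc_bytes, self.tokens + refill)
        self.last = now
        if size_bytes <= self.tokens:
            # Enough tokens: remove one per byte, packet matches conform.
            self.tokens -= size_bytes
            return "conform"
        # Not enough tokens: packet matches the exceed action.
        return "exceed"


def simulate(cir_bps, bc_bytes, packets):
    """Return the conform/exceed match for each (time, size) packet."""
    bucket = TokenBucket(cir_bps, bc_bytes)
    return [bucket.police(t, size) for t, size in packets]


def constructed_stream(count, gap_s, size_bytes):
    """Constructed sample input: evenly spaced packets of one size."""
    return [(i * gap_s, size_bytes) for i in range(count)]


if __name__ == "__main__":
    # 64 kbps committed rate with an 8000-byte burst (Tc = 1 second).
    flood = simulate(64000, 8000, constructed_stream(20, 0.01, 1000))
    steady = simulate(64000, 8000, constructed_stream(20, 0.125, 1000))
    print("flood :", flood.count("conform"), "conform,",
          flood.count("exceed"), "exceed")
    print("steady:", steady.count("conform"), "conform,",
          steady.count("exceed"), "exceed")
```

The flood stream offers 800 kbps against a 64 kbps limit: the initial burst drains the bucket, after which only the occasional packet finds enough tokens, while the stream sent at exactly the committed rate always conforms.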