Computation of the Interface and Policy Counters for the Detection of Corruption in the FPGA Statistics

The mechanism to detect corruption in the FPGA statistics functions by comparing the interface statistics (for either incoming or outgoing packets) and the aggregate of policy statistics (attached to input or output interfaces). These interface and policy counter values are obtained from the output of the show ip interface or show ipv6 interfacecommand. A differential count of the interface and policy statistics is computed and the value is matched against a threshold value that you specified. If a discrepancy is observed during the detection process, the SRC client stops reporting statistics to the SRC server.

The detected discrepancy is recorded in a system logging message. The subscriber that logs in over a defective slot is logged out and new subscriber sessions are blocked on the defective slot.

To perform a comparison of the interface statistical counters and the policy statistical counters, the detection mechanism computes the policy counters based on certain factors and attributes. The following sections describe the calculation methods of policy counters for the detection of corrupted FPGA statistics.

Processing the Extra Header in Policy Counters

The policy counter that denotes the number of bytes of traffic to which policies are applied is always higher than the interface counter that denotes the number of bytes of traffic processed by an interface. The higher value of the policy counter is because of the extra header that it takes into consideration. In an L2TP topology, the following attributes are accounted for ingress and egress policy counter in bytes:

• Policy counter in bytes for ingress interfaces contains an additional value of 10 bytes per packet, which is caused by the headers (PPP header of 4 bytes and L2TP header of 6 bytes).
• Policy counter in bytes for egress interfaces contains an additional value of 38 bytes per packet, which is caused by the headers (IP header of 20 bytes, UDP header of 4 bytes, PPP header of 4 bytes, and L2TP header of 6 bytes).

The policy counter is calculated using the following formula:

Policy counter in bytes = (Policy counter in packets x Extra header) + Interface counter in bytes

Processing the Egress Policy Counters

The egress policy counters, as a measure of the number of packets and bytes, are always larger than the egress interface counters because some packets might be filtered by the outbound policy before they are forwarded out of the interface. The filtered packets and bytes counter is accounted as Out Policed Packets or Out Policed Bytes (in the output of the show ip interface command).

The policy counters, as a measure of the number of packets and bytes for egress policies, is calculated using the following formula:

Egress policy counter in packets = Policy counter in packets – Out Policed Packets counter

Egress policy counter in bytes = Policy counter in bytes – Out Policed Bytes Counter

Processing the Received Multicast Packets with Applied Policies

When the router receives certain destination packets on the PPP link, the policy statistics counter is not incremented because some of the packets are discarded even before they reach the policy statistics counter.

The interface counters, as a measure of the number of packets and bytes of traffic arriving on an interface, is calculated using the following formula:

Ingress interface counter in bytes = Multicast byte counter + Policy counter in bytes

Ingress interface counter in packets = Multicast packets counter + Policy counter in packets

This method of calculating counters is needed because in a multicast network, the number of received multicast packets is equal to the number of discarded packets.

Comparing the Interface and Policy Counters Over Two Polling Intervals

After computing the ingress and egress interface and policy counters to account for the extra header and multicast packet extra bytes, the interface and policy counters in bytes are stored in the application software. The detection mechanism for corruption in the FPGA statistics logic compares two successive retrieved values of the statistical counters to detect corruption as follows. Assume that interface and policy statistics are obtained at two intervals, namely interval_1 and interval_2. Interface_counter1 and Policy_counter1 counters are collected at interval_1, and Interface_counter2 and Policy_counter2 counters are collected at interval_2.

Difference between policy counters at interval_1 and interval_2 = delta_policy_counter = (policy_counter2 – policy_counter1)

Difference between interface counters at interval_1 and interval_2 = delta_interface_counter = (interface_counter2 – interface_counter1)

Difference between interface and policy counters collected at two intervals = delta_interface_counter – delta_policy_counter

The difference between the interface and policy counters derived at two successive intervals is compared against the configured threshold. The threshold is the maximum permissible deviation between interface and policy counter values. If the threshold is higher than the difference between the interface and policy counters, no corruption has occurred in the FPGA statistics. If the threshold is lower than the difference between the interface and policy counters, corruption has occurred in the FPGA statistics.