Handling Downstream Latency and Traffic Spikes
This section explains the following:
Proxy threads and proxy floods are used only when Block=0 is set in the [Acct] section of the RealmName.pro file. See the Juniper Networks Steel-Belted Radius Carrier Reference Guide for more information.
This section provides information on the following thread control settings in the [Settings] section of the radius.ini configuration file:
Max-Auth-Threads = 1 to 100,000 (default 100)
Max-Acct-Threads = 1 to 100,000 (default 200)
Max-Proxy-Threads = 1 to 100,000 (default 100)
Each thread setting controls the maximum number of threads allocated to handle the system load. The auth and acct thread settings manage the state and latency of the process as a whole; the proxy threads come into play only for those proxies whose Block=0. In that case, an authentication or accounting thread passes the work to a proxy thread, returns a result immediately, and then waits for another transaction.
Auth-Receive-Realtime-Thread-Priority (default value is 2,147,483,647, not real time) in the [Settings] section of the radius.ini file
Acct-Receive-Realtime-Thread-Priority (default value is 2,147,483,647, not real time) in the [Settings] section of the radius.ini file
For WorkerThreadStackSize in the [Settings] section of the radius.ini file, the default value is 524,288 bytes (512K) for both Solaris and Linux. If a value is set for WorkerThreadStackSize, it overrides the system default stack size for worker threads (128K through 256K is sufficient in most cases); however, if the value is too small, SBRC may dump core.
When all the auth and acct threads are in use simultaneously and flood queues are enabled, packets received are placed in a queue to be processed on a best-effort basis, in a defined order.
To see the flood queue in action, turn on the Flood info parameter in the [Status] setting of the radius.ini file. See the Juniper Networks Steel-Belted Radius Carrier Reference Guide for more information.
Set the Max-Auth-Floods, Max-Acct-Floods, and Max-Proxy-Floods values to 0, which is the number of packets retained by the flood queue. The memory utilization overhead will be slightly higher than the average packet size times the number of floods.
The value for Max-Auth-Threads-In-Flood, Max-Acct-Threads-In-Flood, and Max-Proxy-Threads-In-Flood by default is half the total threads for the type. The minimum value is 1 and the maximum value is the number of threads configured. This is the maximum number of threads that will be allowed to process packets in the flood queue, rather than taking new work.
The value for Auth-Flood-Queue-Shape, Acct-Flood-Queue-Shape, and Proxy-Flood-Queue-Shape is FIFO, LIFO, or RAND. This is the order in which the queue is drained, as well as the order in which packets are dropped if the flood queue is filled.
FIFO (First-In-First-Out)–Drops the new packet if the queue is full; recommended for most instances.
LIFO (Last-In-First-Out)–Drops the oldest packet in the queue when the queue is full, always puts the new packet at the start of the queue, and always gets the last packet in the queue first. Recommended when you know you will have to throw packets away, in certain cases, to keep up with workload.
RAND (Random-in-Random-Out)–If the queue is full, drops either the first packet in the queue or the packet being received in order to get an item of work out of the queue. Pops a random packet in the middle of the queue as the next item. This is rarely recommended, but approximates random delays. For certain use cases, it helps to moderate the effects of DDoS attacks (for example, avoid one NAS being loaded with responses).
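The following is an added example, not code from SBR Carrier or from Juniper: a small Python model of the three queue shapes described above, showing which packets of a burst are dropped and in what order the survivors are served. The FloodQueue class, the integer packet IDs, and the 50/50 choice RAND makes between dropping the oldest and the arriving packet are assumptions made for illustration.

```python
import random
from collections import deque

class FloodQueue:
    """Toy model of one flood queue (illustrative; not SBR Carrier code)."""

    def __init__(self, shape, max_floods, seed=0):
        if shape not in ("FIFO", "LIFO", "RAND"):
            raise ValueError("shape must be FIFO, LIFO, or RAND")
        self.shape = shape
        self.max_floods = max_floods    # models Max-*-Floods (packets retained)
        self.q = deque()                # left end = oldest, right end = newest
        self.rng = random.Random(seed)  # seeded so a RAND run is repeatable

    def offer(self, pkt):
        """Queue pkt; return the packet dropped to make room, or None."""
        if self.max_floods == 0:
            return pkt                  # nothing is retained
        dropped = None
        if len(self.q) >= self.max_floods:
            if self.shape == "FIFO":
                return pkt              # full: the new packet is dropped
            if self.shape == "RAND" and self.rng.random() < 0.5:
                return pkt              # RAND: drop the arriving packet (assumed 50/50)
            dropped = self.q.popleft()  # LIFO, or RAND's other choice: drop the oldest
        self.q.append(pkt)
        return dropped

    def take(self):
        """Return the next packet a worker thread would process, or None."""
        if not self.q:
            return None
        if self.shape == "FIFO":
            return self.q.popleft()     # oldest first
        if self.shape == "LIFO":
            return self.q.pop()         # newest first
        i = self.rng.randrange(len(self.q))
        pkt = self.q[i]                 # RAND: any position in the queue
        del self.q[i]
        return pkt

def simulate(shape, max_floods, burst, seed=0):
    """Offer packets 1..burst while no worker is free, then drain the queue."""
    fq = FloodQueue(shape, max_floods, seed)
    dropped = [d for d in (fq.offer(p) for p in range(1, burst + 1)) if d is not None]
    served = []
    while (p := fq.take()) is not None:
        served.append(p)
    return served, dropped

if __name__ == "__main__":
    for shape in ("FIFO", "LIFO", "RAND"):   # constructed burst of 8 packets, 4 retained
        print(shape, *simulate(shape, max_floods=4, burst=8))
```

With a burst twice the queue size, FIFO serves the earliest requests and discards the latest, while LIFO serves the freshest requests first and discards the ones most likely to have already timed out at the NAS.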