1 / 78

Building a Campus Network Monitoring System for Research

Building a Campus Network Monitoring System for Research. Sue B. Moon EECS, Division of CS. Is Campus Network a Good Place to Monitor?. 1GE/10GE/100GE link speed comparable to backbone networks BcN (Broadband convergence Network) will turn access networks to backbone networks.

cooper-beard
Download Presentation

Building a Campus Network Monitoring System for Research

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Building a Campus Network Monitoring Systemfor Research Sue B. Moon EECS, Division of CS

  2. Is Campus Network a Good Place to Monitor? • 1GE/10GE/100GE link speed • comparable to backbone networks • BcN (Broadband convergence Network) will turn access networks to backbone networks. • B/W distinction between access and backbone may no longer exist. • Source of “innovation” • research communities “invent” new things • first users of new applications • new attacks / vulnerable machines • extreme types of usage

  3. Speed Comparison

  4. Is Campus Network a Good Place to Monitor? • Bureacratic overhead • Lower bar to tap (or so I believe) • Less sensitive to business

  5. Goals • Share data with researchers • Gigascope with AT&T, UMass, ... • KISTI

  6. Data to Collect • Data Plane • Packet traces • NetFlow data • Sink hole data • Control Plane • Routing protocol tables/updates • Router configuration • SNMP statistics

  7. Monitoring System Infrastructure • Components • DAGMON • PCs • Storage • Analysis platform

  8. Projects in Mind • Port scanning activities • General study on security attacks

  9. Overview • Definition and implications of small-time scaling behaviors • Queueing delay vs. Hurst parameter • Observations from high-speed links • Flow composition • Large vs. small • Dense vs. sparse • Summary • Future directions

  10. Scaling Behaviors of Backbone Traffic • What does it mean? • Fluctuations in traffic volume over time • e.g. measured in 10ms, 1s or 1min intervals • Large-time scale (> 1 sec): Hurst parameter • 0.5 <= H < 1, measure of “correlation” over time • H > 0.5, long-range dependent or asym. self-similar • Small-time scale (1-100 ms): • Important to queueing performance, router buffer dimensioning

  11. How to Represent Time Scales • Dyadic time index system • Fixing a reference time scale T0 • At scale j (or –j): Tj = T0 / 2 • t j,k= (kTj, (k+1) Tj) • W j,k= 2j/2(Tj+1,2k - Tj+1,2k+1) • j

  12. Scaling Exponent and Wavelet Analysis • Energy function: • Energy Plot: • Second-order (local) scaling exponent: h • Suppose spectrum density function has the form • Long range dependence (asym. self-similar) process: • Fractional Brownian Motion: single h for all scales

  13. ~ Hurst Parameter & (Avg.) Queueing Delay • Poisson model • FBM model (Fractional Brownian Motion) H: Hurst parameter ~ H =0.5 => Poisson

  14. Traces • Collected from IPMON systems • OC3 to OC48 links • Peer, customer, intra-POP inter-router, inter-POP inter-router links • GPS timestamps • 40 bytes of header per packet • Trace 1: domestic tier-2 ISP (OC12-tier2-dom) • Trace 2: large corporation (OC12-corp-dom)

  15. Trace 1 Trace 2 Energy Plots

  16. Observations • Large time scale • Long-range dependent • asymptotically “self-similar” • Small time scale: more “complex” • Majority traces: uncorrelated or nearly uncorrelated • Fluctuations in volume tend to be “independent” • Some traces: moderately correlated

  17. Traffic Composition • How is traffic aggregated? • By flow size • Large vs. small • By flow density • Dense vs. sparse

  18. Flow Composition: Large vs. Small

  19. Byte Contribution

  20. Impact of Large vs. Small Flows on Scalings large: flow size > 1MB; small: flow size < 10KB Flow size alone does not determine small-time scaling behaviors (cf. large-time scaling behaviors)

  21. Dense vs. Sparse Flows • Density defined by inter-arrival times

  22. PDF of packet inter-arrival times

  23. Impact of Dense vs. Sparse Flows on Scalings dense: dominant packet inter-arrival time 2ms; sparse: > 2ms Flow density is a key factor in influencing small-time scalings!

  24. Effect of Dense vs. Sparse Flow Traffic Composition Semi-experiments using traces: vary mixing of dense/sparse flows OC12-tier2-dom OC12-corp-dom

  25. Where Does Correlation in Traffic Come From? • Effect of TCP window-based feedback control • Sparse flows: • packets from small flows arrive “randomly” • Dense flows: • Packets injected into network in bursts (window) • Burst of packets arrive every round-trip-time(RTT) • Speed and location of bottleneck links matters! • Larger bottleneck link => larger bursts • Deeper inside the network => more corr. flows

  26. So Within Internet Backbone Network … • Facts about today’s Internet backbone networks • bottleneck links reside outside backbone networks • bottleneck link speeds small relative to backbone links High degree of aggregation of mostly independent flows! • Consequences: • Queueing delay likely negligible! • And easier to model and predict • More so with higher speed links (e.g., OC192) • Can increase link utilization • Only higher degree of aggregation of independent flows Be cautious with high-speed “customer” links!

  27. Will Things Change in the Future? • But what happens if • More hosting/data centers and VPN customers directly connected to the Internet backbone? • have higher speed links, large-volume data transfers • User access link speed significantly increased? • e.g., with more DSL, cable modem users • Larger file transfer? • e.g. distributed file sharing (of large music/video files) • UDP traffic increases significantly? • e.g. Video-on-Demand and other real-time applications

  28. Status Quo of IP Backbone • Backbone network well-provisioned • High-level of traffic aggregation • Negligible delay jitter • Low average link utilization • < 30% • Protection in layer 3 • QoS? • Not needed inside the backbone • Is it ready for VoIP/Streaming media? • Yet to be decided

  29. Future Directions in Networking Research • Routing • No QoS with current routing protocols • Performance issues • BcN: bottleneck moves closer to you! • Wired/wireless integration • Sensitivity to loss • E2e optimization • Security • IPv6 vs NAT

  30. Fraction of Packets in Loops

  31. Single-Hop Queueing Delay PDF

  32. Data Set 3, Path 1 Multi-Hop Queueing Delay CCDF

  33. Multi-Hop Queueing Delay Data Set 3

  34. 90 Impact of Bottleneck Link Load

  35. Data Set 3, Path 1 Variable Delay Revisited: Tail

  36. Peaks in Variable Delay

  37. Closer Look • Queue Build up & Drain

  38. Backup Slides

  39. Impact of RTT

  40. Impact of Traffic Composition Trace 1 Trace 2

  41. Small-Time Scalings ofLarge vs. Small Flows

  42. Small-Time Scalings ofDense vs. Sparse Flows

  43. Small-Time Scalings ofDense/Sparse Large Flows

  44. Small-Time Scalings ofDense/Sparse Small Flows

  45. Trace 1 Trace 2 Fourier Transform Plots

  46. Gaussian? • Backbone traffic • close to Gaussian due to high-level of aggregation • Kurtosis • Close to 3 • Skewness • Close to 0 Trace 1

  47. Illustrations of Small Time Scale Behaviors NYC  Nexxia (OC12) @Home  PEN (OC-12) Moderately Correlated (Nearly) Uncorrelated

  48. What Affect the Small-Time Scalings? • composition of small vs. large flows • “correlation structure” of large flows

  49. Flow (/24) Size & Byte Distribution in 1-min Time Span

  50. Where Does Correlation in Traffic Come From? • Effect of TCP window-based feedback control • Small flows: • packets from small flows arrive “randomly” • Large flows: • Packets injected into network in bursts (window) • Burst of packets arrive every round-trip-time(RTT) • Speed and location of bottleneck links matters! • Larger bottleneck link => larger bursts • Deeper inside the network => more corr. flows

More Related