building a campus network monitoring system for research n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Building a Campus Network Monitoring System for Research PowerPoint Presentation
Download Presentation
Building a Campus Network Monitoring System for Research

play fullscreen
1 / 78

Building a Campus Network Monitoring System for Research

151 Views Download Presentation
Download Presentation

Building a Campus Network Monitoring System for Research

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Building a Campus Network Monitoring Systemfor Research Sue B. Moon EECS, Division of CS

  2. Is Campus Network a Good Place to Monitor? • 1GE/10GE/100GE link speed • comparable to backbone networks • BcN (Broadband convergence Network) will turn access networks to backbone networks. • B/W distinction between access and backbone may no longer exist. • Source of “innovation” • research communities “invent” new things • first users of new applications • new attacks / vulnerable machines • extreme types of usage

  3. Speed Comparison

  4. Is Campus Network a Good Place to Monitor? • Bureacratic overhead • Lower bar to tap (or so I believe) • Less sensitive to business

  5. Goals • Share data with researchers • Gigascope with AT&T, UMass, ... • KISTI

  6. Data to Collect • Data Plane • Packet traces • NetFlow data • Sink hole data • Control Plane • Routing protocol tables/updates • Router configuration • SNMP statistics

  7. Monitoring System Infrastructure • Components • DAGMON • PCs • Storage • Analysis platform

  8. Projects in Mind • Port scanning activities • General study on security attacks

  9. Overview • Definition and implications of small-time scaling behaviors • Queueing delay vs. Hurst parameter • Observations from high-speed links • Flow composition • Large vs. small • Dense vs. sparse • Summary • Future directions

  10. Scaling Behaviors of Backbone Traffic • What does it mean? • Fluctuations in traffic volume over time • e.g. measured in 10ms, 1s or 1min intervals • Large-time scale (> 1 sec): Hurst parameter • 0.5 <= H < 1, measure of “correlation” over time • H > 0.5, long-range dependent or asym. self-similar • Small-time scale (1-100 ms): • Important to queueing performance, router buffer dimensioning

  11. How to Represent Time Scales • Dyadic time index system • Fixing a reference time scale T0 • At scale j (or –j): Tj = T0 / 2 • t j,k= (kTj, (k+1) Tj) • W j,k= 2j/2(Tj+1,2k - Tj+1,2k+1) • j

  12. Scaling Exponent and Wavelet Analysis • Energy function: • Energy Plot: • Second-order (local) scaling exponent: h • Suppose spectrum density function has the form • Long range dependence (asym. self-similar) process: • Fractional Brownian Motion: single h for all scales

  13. ~ Hurst Parameter & (Avg.) Queueing Delay • Poisson model • FBM model (Fractional Brownian Motion) H: Hurst parameter ~ H =0.5 => Poisson

  14. Traces • Collected from IPMON systems • OC3 to OC48 links • Peer, customer, intra-POP inter-router, inter-POP inter-router links • GPS timestamps • 40 bytes of header per packet • Trace 1: domestic tier-2 ISP (OC12-tier2-dom) • Trace 2: large corporation (OC12-corp-dom)

  15. Trace 1 Trace 2 Energy Plots

  16. Observations • Large time scale • Long-range dependent • asymptotically “self-similar” • Small time scale: more “complex” • Majority traces: uncorrelated or nearly uncorrelated • Fluctuations in volume tend to be “independent” • Some traces: moderately correlated

  17. Traffic Composition • How is traffic aggregated? • By flow size • Large vs. small • By flow density • Dense vs. sparse

  18. Flow Composition: Large vs. Small

  19. Byte Contribution

  20. Impact of Large vs. Small Flows on Scalings large: flow size > 1MB; small: flow size < 10KB Flow size alone does not determine small-time scaling behaviors (cf. large-time scaling behaviors)

  21. Dense vs. Sparse Flows • Density defined by inter-arrival times

  22. PDF of packet inter-arrival times

  23. Impact of Dense vs. Sparse Flows on Scalings dense: dominant packet inter-arrival time 2ms; sparse: > 2ms Flow density is a key factor in influencing small-time scalings!

  24. Effect of Dense vs. Sparse Flow Traffic Composition Semi-experiments using traces: vary mixing of dense/sparse flows OC12-tier2-dom OC12-corp-dom

  25. Where Does Correlation in Traffic Come From? • Effect of TCP window-based feedback control • Sparse flows: • packets from small flows arrive “randomly” • Dense flows: • Packets injected into network in bursts (window) • Burst of packets arrive every round-trip-time(RTT) • Speed and location of bottleneck links matters! • Larger bottleneck link => larger bursts • Deeper inside the network => more corr. flows

  26. So Within Internet Backbone Network … • Facts about today’s Internet backbone networks • bottleneck links reside outside backbone networks • bottleneck link speeds small relative to backbone links High degree of aggregation of mostly independent flows! • Consequences: • Queueing delay likely negligible! • And easier to model and predict • More so with higher speed links (e.g., OC192) • Can increase link utilization • Only higher degree of aggregation of independent flows Be cautious with high-speed “customer” links!

  27. Will Things Change in the Future? • But what happens if • More hosting/data centers and VPN customers directly connected to the Internet backbone? • have higher speed links, large-volume data transfers • User access link speed significantly increased? • e.g., with more DSL, cable modem users • Larger file transfer? • e.g. distributed file sharing (of large music/video files) • UDP traffic increases significantly? • e.g. Video-on-Demand and other real-time applications

  28. Status Quo of IP Backbone • Backbone network well-provisioned • High-level of traffic aggregation • Negligible delay jitter • Low average link utilization • < 30% • Protection in layer 3 • QoS? • Not needed inside the backbone • Is it ready for VoIP/Streaming media? • Yet to be decided

  29. Future Directions in Networking Research • Routing • No QoS with current routing protocols • Performance issues • BcN: bottleneck moves closer to you! • Wired/wireless integration • Sensitivity to loss • E2e optimization • Security • IPv6 vs NAT

  30. Fraction of Packets in Loops

  31. Single-Hop Queueing Delay PDF

  32. Data Set 3, Path 1 Multi-Hop Queueing Delay CCDF

  33. Multi-Hop Queueing Delay Data Set 3

  34. 90 Impact of Bottleneck Link Load

  35. Data Set 3, Path 1 Variable Delay Revisited: Tail

  36. Peaks in Variable Delay

  37. Closer Look • Queue Build up & Drain

  38. Backup Slides

  39. Impact of RTT

  40. Impact of Traffic Composition Trace 1 Trace 2

  41. Small-Time Scalings ofLarge vs. Small Flows

  42. Small-Time Scalings ofDense vs. Sparse Flows

  43. Small-Time Scalings ofDense/Sparse Large Flows

  44. Small-Time Scalings ofDense/Sparse Small Flows

  45. Trace 1 Trace 2 Fourier Transform Plots

  46. Gaussian? • Backbone traffic • close to Gaussian due to high-level of aggregation • Kurtosis • Close to 3 • Skewness • Close to 0 Trace 1

  47. Illustrations of Small Time Scale Behaviors NYC  Nexxia (OC12) @Home  PEN (OC-12) Moderately Correlated (Nearly) Uncorrelated

  48. What Affect the Small-Time Scalings? • composition of small vs. large flows • “correlation structure” of large flows

  49. Flow (/24) Size & Byte Distribution in 1-min Time Span

  50. Where Does Correlation in Traffic Come From? • Effect of TCP window-based feedback control • Small flows: • packets from small flows arrive “randomly” • Large flows: • Packets injected into network in bursts (window) • Burst of packets arrive every round-trip-time(RTT) • Speed and location of bottleneck links matters! • Larger bottleneck link => larger bursts • Deeper inside the network => more corr. flows