Measurement Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks http://www.cs.princeton.edu/courses/archive/fall14/cos561/ Why Measure? • Managing protocols – Generating reports – Diagnosing problems – Tuning network configuration – Planning future capacity • Evaluating protocols – Characterizing protocol behavior in the wild – Creating realistic models to drive protocol evaluation What to Measure • Traffic • Routing • Topology • Performance 3 Traffic Measurement 4 How to Monitor a Link Multicast switch Shared media (Ethernet, wireless) Host A Host A Host B Monitor Host B S w i t c h Host C Monitor Splitting a point-to-point link Line card that does monitoring Router A Router B Router A Monitor 5 Subselecting the Traffic • Look at a subset of the packets –Filter on packet-header fields –Sample packets (e.g., 1 out of 1000) • Collect the first n bytes of packet –Medium access control header (if present) –IP header (typically 20 bytes) –IP+UDP header (typically 28 bytes) –IP+TCP header (typically 40 bytes) –Application-layer message (entire packet) • What can you learn? 6 Data Analysis Challenges • Mapping IP addresses to names, users, institutions • Mapping transport port numbers to applications • Reconstructing application messages from packets • Missing data (sampling, monitor overload) • Routing changes • Asymmetric routing 7 Data Aggregation: Flow Monitoring flow 1 flow 2 flow 3 flow 4 • Grouping packets into flows – Packets with the same header fields – Close together in time • Approximating a “conversation” – Without access to the end-hosts • E.g., NetFlow, sFlow 8 Recording Flow Statistics • Packet header fields – Source and destination IP addresses – Source and destination TCP/UDP port numbers – Other IP & TCP/UDP header fields • Location – Input and output ports • Aggregate statistics – Start and finish time – Number of bytes or packets – Summary of TCP flags SYN ACK start 4 packets 1436 bytes ACK SYN, ACK, & FIN FIN finish 9 Network-Wide Traffic Measurement current state & traffic flow predicted control action: impact of routing fine grained: path matrix = bytes per path traffic matrix = bytes per ingress-egress • Observe directly as packets flow • Observe at ingress and project to paths • Infer from link loads and routing 10 Routing 11 Monitoring the Routes • Control plane –Routing-protocol messages • Techniques –Dump state from one or more routers –Participate in the routing protocol –Collect packets from routing-protocol messages • Challenges –Cooperation of the network administrator –Collection from enough vantage points –Delays in propagating routing messages 12 Monitoring Link-State Routing • Flooding of link-state advertisements –All routers knows the entire topology Can dump the state of any router –Monitor can participate in the routing protocol Can collect the routing-protocol messages 2 3 2 1 1 1 4 4 5 3 13 Monitoring Path-Vector Routing • Propagating a path to each neighbor –A router knows the path used by each neighbor –Monitor can become a neighbor of a router –Multiple vantage points to achieve coverage BGP session Monitor BGP session 14 BGP Table (“show ip bgp” at RouteViews) Network * 3.0.0.0/8 * * * * *> * Next Hop 205.215.45.50 167.142.3.6 157.22.9.7 195.219.96.239 195.211.29.254 12.127.0.249 213.200.87.254 Path 4006 701 80 5056 701 80 715 1 701 80 8297 6453 701 80 5409 6667 6427 3356 701 80 7018 701 80 3257 701 80 * 9.184.112.0/20 205.215.45.50 4006 6461 3786 * 195.66.225.254 5459 6461 3786 *> 203.62.248.4 1221 3786 * 167.142.3.6 5056 6461 6461 3786 * 195.219.96.239 8297 6461 3786 * 195.211.29.254 5409 6461 3786 AS 80 is General Electric, AS 701 is UUNET, AS 7018 is AT&T AS 3786 is DACOM (Korea), AS 1221 is Telstra Measuring the Forwarding Path • Data plane – What path is the traffic taking • Techniques – Extract the forwarding-table state – Record the path as the packet travels – Infer the path from end-to-end measurements • Challenges – Cooperation of the network administrator – Routing changes during the measurement – Overhead of collecting the data 16 Traceroute • Time-To-Live field in IP packet header – Source sends a packet with a TTL of n – Each router along the path decrements the TTL – “TTL exceeded” sent when TTL reaches 0 • Traceroute tool exploits this TTL behavior TTL=1 Time exceeded source TTL=2 Send packets with TTL=1, 2, 3, … and record source of “time exceeded” message destination 17 From My House to Princeton CS 1 192.168.0.1 (192.168.0.1) 2 c-68-37-226-1.hsd1.nj.comcast.net (68.37.226.1) 3 xe-2-1-0-sur01.hillsboro.nj.panjde.comcast.net (68.85.119.149) 4 ae-18-0-ar03.plainfield.nj.panjde.comcast.net (68.85.62.65) 5 he-3-10-0-0-cr01.newyork.ny.ibone.comcast.net (68.86.93.225) 6 he-0-12-0-0-pe03.111eighthave.ny.ibone.comcast.net (68.86.83.106) 7 be7922.ccr21.jfk10.atlas.cogentco.com (154.54.13.161) 8 be2057.ccr22.jfk02.atlas.cogentco.com (154.54.80.177) 9 te0-0-2-1.rcr12.phl03.atlas.cogentco.com (154.54.27.118) 10 te0-0-2-1.rcr12.phl03.atlas.cogentco.com (154.54.27.118) 11 38.122.150.2 (38.122.150.2) 12 core-87-router.princeton.edu (128.112.12.130) 13 csgate.princeton.edu (128.112.12.58) ... 18 RocketFuel Paper Discussion 19