network management

advertisement
Network Management
Richard Mortier
Microsoft Research, Cambridge
(Guest lecture, Digital Communications II)
Overview






Introduction
Abstractions
IP network components
IP network management protocols
Pulling it all together
An alternative approach
Overview

Introduction






What’s it all about then?
Abstractions
IP network components
IP network management protocols
Pulling it all together
An alternative approach
What is network management?

One point-of-view: a large field full of acronyms



From question.com:


EMS, TMN, NE, CMIP, CMISE, OSS, AN.1, TL1, EML,
FCAPS, ITU, ...
(Don’t ask me what all of those mean, I don’t care!)
In 1989, a random of the journalistic persuasion asked
hacker Paul Boutin “What do you think will be the biggest
problem in computing in the 90s?” Paul's straight-faced
response: “There are only 17,000 three-letter acronyms.”
(To be exact, there are 26^3 = 17,576.)
Will ignore most of them 
What is network management?

Computer networks are considered to have
three operating timescales





Data: packet forwarding [ μs, ms ]
Control: flows/connections [ secs, mins ]
Management: aggregates, networks [ hours,days ]
…so we’re concerned with “the network”
rather than particular devices
Standardization is key!
Overview


Introduction
Abstractions





ISO FCAPS, TMN EMS, ATM
IP network components
IP network management protocols
Pulling it all together
An alternative approach
ISO FCAPS: functional separation

Fault


Configuration


Collect statistics, bill users, enforce quotas
Performance


Collect, store, track configurations
Accounting


Recognize, isolate, correct, log faults
Monitor trends, set thresholds, trigger alarms
Security

Identify, secure, manage risks
TMN EMS: administrative separation

Telecommunications Management Network
Element Management System

“...simple but elegant...” (!)







(my emphasis)
NEL: network elements (switches, transmission systems)
EML: element management (devices, links)
NML: network management (capacity, congestion)
SML: service management (SLAs, time-to-market)
BML: business management (RoI, market share, blah)
The B-ISDN reference model

Asynchronous Transfer Mode “cube”


Plane management…






Specific layers
Topology
Configuration
Fault
Operations
Accounting
Performance
control plane
higher layers
user plane
higher layers
ATM adaptation layer
ATM layer
physical layer
layer management

The whole network
…vs layer management

management plane
plane management

See IAP lectures, maybe 
Network management

Models of general communication networks




Tend to be quite abstract and exceedingly tedious!
Many practitioners still seem excited about OO
programming, WIMP interfaces, etc
…probably because implementation is hard due to so
many excessively long and complex standards!
My view: basic “need-to-know” requirements are
1.
2.
3.
4.
What should be happening? [ c ]
What is happening? [ f, p, a ]
What shouldn’t be happening? [ f, s ]
What will be happening? [ p, a ]
Network management

We’ll concentrate on IP networks



We’ll concentrate on the network core


Still acronym city: ICMP, SNMP, MIB, RFC 
Sample size: 102 routers, 105 hosts
Routers, not hosts
We’ll ignore “service management”

DNS, AD, file stores, etc
Overview



Introduction
Abstractions
IP network components




IP primer, router configuration
IP network management protocols
Pulling it all together
An alternative approach
IP primer (you probably know all this)

Destination-routed packets – no connections


Routers forward packets based on routeing tables


Tables populated by routeing protocols
Routers and protocols operate independently


Time-to-live field: allow removal of looping packets
…although protocols aim to build consistent state
RFCs ~= standards


Often much looser semantics than e.g. ISO, ITU standards
Compare for example OSPF [RFC2327] and IS-IS
[RFC1142, RFC1195], two link-state routeing protocols
So, how do you build an IP network?
1.
2.
3.
4.
5.

Buy (lease) routers
Buy (lease) fibre
Connect them all together
Configure routers appropriately
Configure end-systems appropriately
Assume you’ve done 1–3 and someone
else is doing 5…
Router configuration



Initialization
 Name the router, setup boot options, setup authentication options
Configure interfaces
 Loopback, ethernet, fibre, ATM
 Subnet/mask, filters, static routes
 Shutdown (or not), queueing options, full/half duplex
Configure routeing protocols (OSPF, BGP, IS-IS, …)




Process number, addresses to accept routes from, networks to advertise
Access lists, filters, ...
 Numeric id, permit/deny, subnet/mask, protocol, port
Route-maps, matching routes rather than data traffic
Other configuration aspects: traps, syslog, etc
Router configuration fragments
hostname FOOBAR
!
boot system flash slot0:a-boot-image.bin
boot system flash bootflash:
logging buffered 100000
debugging
interface
Loopback0
logging console informational
description router-1.network.corp.com
aaa new-model
ip address 10.65.21.43 255.255.255.255
aaa authentication
! login default tacacs local aaa
authentication login
consoleport
none
interface
FastEthernet0/0/0
router
ospf
aaa authenticationdescription
ppp default
if-needed
Link to 2Newtacacs
York
log-adjacency-changes
aaa authorization network
tacacs
!
ip address 10.65.43.21
255.255.255.128
passive-interface
FastEthernet0/0/0
ip tftp source-interface
Loopback0
ip access-group
175 in
passive-interface
FastEthernet0/1/0
no ip domain-lookup
ip helper-address 10.65.12.34
passive-interface
FastEthernet1/0/0
ip name-server 10.34.56.78
ip pim sparse-mode
passive-interface
FastEthernet1/1/0
!
ip cgmp
passive-interface
FastEthernet2/0/0
ip multicast-routing
ip dvmrp accept-filter 98 neighbor-list
99
passive-interface
FastEthernet2/1/0
ip dvmrp route-limit
7000
full-duplex
passive-interface FastEthernet3/0/0
ip cef distributed
!
access-list 24 remark
Mcast
ACL
10.65.23.45 0.0.0.255 area 1.0.0.0
interface network
FastEthernet4/0/0
access-list 24 permit
239.255.255.254
network
10.65.34.56 0.0.0.255 area 1.0.0.0
no ip address
access-list 24 permit
224.0.1.111
network
10.65.43.0
0.0.0.127 area 1.0.0.0
ip access-group 183
in
access-list 24 permit
239.192.0.0
0.3.255.255
ip pim sparse-mode
access-list 24 permit
232.192.0.0 0.3.255.255
ip cgmp
access-list 24 permit
224.0.0.0 0.0.0.255
shutdown
tftp-server
access-list slot1:some-other-image.bin
1011 deny
0000.0000.0000 ffff.ffff.ffff ffff.ffff.ffff 0000.0000.0000 0xD1 2 eq 0x42
full-duplex
tacacs-server
host
10.65.0.2
access-list 1011
permit
0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff
tacacs-server key xxxxxxxx
rmon event 1 trap Trap1 description "CPU Utilization>75%" owner config
rmon event 2 trap Trap2 description "CPU Utilization>95%" owner config
Router configuration



Lots of quite large and fragile text files
 00s/000s routers, 00s/000s lines per config
 Errors are hard to find and have non-obvious results
 Router configuration also editable on-line
How to keep track of them all?
 Naming schemes, directory hierarchies, CVS
 ssh upload and atomic commit to router
 Perhaps even a database
State of the art is pretty basic

Few tools to check consistency
Generally generate configurations from templates and have
human-intensive process to control access to running configs
Topic of current research [Feamster et al]


this counts as
quite advanced!
Overview




Introduction
Abstractions
IP network components
IP network management protocols



ICMP, SNMP, Netflow
Pulling it all together
An alternative approach
ICMP

Internet Control Message Protocol [RFC792]



IP protocol #1
In-band “control”
Variety of message types




echo/echo reply [ PING (packet internet groper) ]
time exceeded [ TRACEROUTE ]
destination unreachable, redirect
source quench
Ping (Packet INternet Groper)

Test for liveness

…also used to measure (round-trip) latency

Send ICMP echo
Valid IP host [RFC1122, RFC1123] must reply with
ICMP echo response

Subnet PING?




Useful but often not available/deprecated
“ACK” implosion could be a problem
RFCs ~= standards
Traceroute

Which route do my packets take to their destination?
 Send UDP packets with increasing time-to-live values
 Compliant IP host must respond with ICMP “time exceeded”
 Triggers each host along path to so respond

Not quite that simple
 One router, many IP addresses: which source address?

Router control processor, inbound or outbound interface
Routes often asymmetric, so return path != outbound path
 Routes change
Do we want full-mesh host-host routes anyway?!
 Size of data set, amount of probe traffic



This is topology, what about load on links?
SNMP


Protocol to manage information tables at devices
Provides get, set, trap, notify operations




get, set: read, write values
trap: signal a condition (e.g. threshold exceeded)
notify: reliable trap
Complexity mostly in the MIB design




Some standard tables, but many vendor specific
Non-critical, so often tables populated incorrectly
Many tens of MIBs (thousands of lines) per device
Different versions, different data, different semantics


Yet another configuration tracking problem
Inter-relationships between MIBs
IPFIX

IETF working group




Statistics reporting



Export of flow based data out of IP network devices
Developing suitable protocol based on Cisco NetFlow™ v9
[RFC3954, RFC3955]
Setup template
Send data records matching template
Many variables

Packet/flow counters, rule matches, quite flexible
Overview





Introduction
Abstractions
IP network components
IP network management protocols
Pulling it all together


Network mapping, statistics gathering, control
An alternative approach
An hypothetical NMS




GUI around ICMP (ping, traceroute), SNMP, etc
Recursive host discovery
 Broadcast ping, ARP, default gateway: start somewhere
 Recursively SNMP query for known hosts/connected networks
 Ping known hosts to test liveness
 Iterate
Display topology: allow “drill-down” to particular devices
Configure and monitor known devices
 Trap, Netflow™, syslog message destinations
 Counter thresholds, CPU utilization threshold, fault reporting
 Particular faults or fault patterns
 Interface statistics and graphs
A real NOC (Network Operations Centre)
[ from AT&T ]
An hypothetical NMS




All very straightforward? No, not really
 A lot of software engineering: corner cases, traceroute
interpretation, NATs, etc
 MIBs may contain rubbish
 Can only view inside your network anyway
Efficiency
 Rate pacing discovery traffic: ping implosion/explosion
 SNMP overloading router CPUs
Tunnelled, encrypted protocols becoming prevalent
Using NMSs also not straightforward
 How to setup “correct” thresholds?
 How to decide when something “bad” has happened?
 How to present (or even interpret) reams and reams of data?
Overview






Introduction
Abstractions
IP network components
IP network management protocols
Pulling it all together
An alternative approach

From the edges…
ENMA

Edge-based network management platform


Collect flow information from hosts, and
Combine with topology information from routeing protocols

Enable visualization, analysis, simulation, control

Avoid problems of not-quite-standard interfaces


Do the work where resources are plentiful


Management support is typically ‘non-critical’ (i.e. buggy )
and not extensively tested for inter-operability
Hosts have lots of cycles and little traffic (relatively)
Protocol visibility: see into tunnels, IPSec, etc
System outline
Packets
Routeing
protocol
Flows
Topology
Traffic matrix
Set of routes
Distributed
database
routes
srcs
dsts
Simulator
Visualize
Simulate
Control
Where is my traffic going today?

Pictures of current topology and traffic


In fact, where did my traffic go yesterday?


Routes+flows+forwarding rules  BIG PICTURE
Keep historical data for capacity planning, etc
A platform for anomaly detection

Historical data suggests “normality,” live
monitoring allows anomalies to be detected
Where might my traffic go tomorrow?

Plug into a simulator back-end


Run multiple ‘what-if’ scenarios




Discrete event simulator, flow allocation solver
…failures
…reconfigurations
…technology deployments
E.g. “What happens if we coalesce all the
Exchange servers in one data-centre?”
Where should my traffic be going?

Close the loop: compute link weights to
implement policy goals


Allows more dynamic policies


Recompute on order of hours/days
Modify network configuration to track e.g. time of
day load changes
Make network more efficient (~cheaper)?
Where are we now?

Three major components




Flow collection
Route collection
Distributed database
Building prototypes, simulating system
Data collection

Flow collection

Hosts track active flows



Used packet traces for feasibility study on (client, server)


Using low overhead event posting infrastructure, ETW
Built prototype device driver provider & user-space consumer
Peaks at (165, 5667) live and (39, 567) active flows per sec
Route collection


OSPF is link-state: passively collect link state adverts
Extension of my work at Sprint (for IS-IS and BGP); also
been done at AT&T (NSDI’04 paper)
The distributed database

Logically contains
1.
Traffic flow matrix (bandwidths), {srcs} × {dsts}
2.
…each entry annotated with current route from src to dst




N.B. src/dst might be e.g. (IP end-point, application)
Large dynamic data set suggests aggregation
Related work

{ distributed, continuous query, temporal } databases

Sensor networks
Potential starting points: Astrolabe or SDIMS (SIGCOMM’04)

Where/what/how much to aggregate?



Is data read- or write-dominated?
Which is more dynamic, flow or topology data?
Can the system successfully self-tune?
The distributed database



Construct traffic matrix from flow monitoring
 Hosts can supply flows they source and sink
 Only need a subset of this data to get complete traffic matrix
Construct topology from route collection
 OSPF supplies topology → routes
Wish to be able to answer queries like
 “Who are the top-10 traffic generators?”


“What is the load on link l ?”


Easy to aggregate, don’t care about topology
Can aggregate from hosts, but need to know routes
“What happens if we remove links {l…m} ?”

Interaction between traffic matrix, topology, even flow control
The distributed database

Building simulation model
 OSPF data gives topology, event list, routes
 Simple load model to start with (load ~ # subnets)
 Precedence matrix (from SPF) reduces flow-data query set

Can we do as well/better than e.g. NetFlow?
 Accuracy/coverage trade-off
How should we distribute the DB?
 Just OSPF data? Just flow data? A mixture?
How many levels of aggregation?
 How many nodes do queries touch?
What sort of API is suitable?
 Example queries for sample applications



Summary

Introduction


Abstractions


ICMP, SNMP, etc
Pulling it all together


IP, routers, configurations
IP network management protocols


ISO FCAPS, TMN EMS, ATM
IP network components


What is network management?
Outline of a network management system
An alternative approach: from the edges
The end







Questions
Answers?
http://www.cisco.com/
http://www.routergod.com/
http://www.ietf.org/
http://ipmon.sprintlabs.com/pyrt/
http://www.nanog.org/
Backup slides



Internet routeing
OSPF
BGP
Internet routeing

Q: how to get a packet from node to destination?

A1: advertise all reachable destinations and apply a
consistent cost function (distance vector)
A2: learn network topology and compute consistent
shortest paths (link state)



Each node (1) discovers and advertises adjacencies;
(2) builds link state database; (3) computes shortest paths
A1, A2: Forward to next-hop using longest-prefixmatch
OSPF (~link state routeing)

Q: how to route given packet from any node to
destination?
A: learn network topology; compute shortest paths

For each node





Discover adjacencies (~immediate neighbours); advertise
Build link state database (~network topology)
Compute shortest paths to all destination prefixes
Forward to next-hop using longest-prefix-match (~most
specific route)
BGP (~path vector routeing)





Q: how to route given packet from any node to destination?
A: neighbours tell you destinations they can reach; pick cheapest
option
For each node
 Receive (destination, cost, next-hop) for all destinations known to
neighbour
 Longest-prefix-match among next-hops for given destination
 Advertise selected (destination, cost+, next-hop') for all known
destinations
Selection process is complicated
Routes can be modified/hidden at all three stages
 General mechanism for application of policy
Download