Outline
• State of the Art Measurement Tools
– Measured Node Properties
– Measured Link Properties
– Measured Topology Properties
– Measured Traffic Properties (Gigascope)
• Large-scale Measurement Projects
– RIPE
– CAIDA
– PlanetLab
Measured Node Properties
• IP aliases [Ally & Mercator]
– Single router has only one IP ID counter for multiple
interfaces
• Geography – location of the host [Geocluster]
• Owner – AS [Mao et al]
– DNS, BGP & whois
• Router role identification [Rocketfuel]
– Backbone vs. access routers
– Use DNS and topological ordering
• Configuration features
– nmap
NMap (Network Mapper)
• A free open source utility for network exploration
or security auditing.
• Designed to rapidly scan large networks, although it
works fine against single hosts.
• Nmap uses raw IP packets to determine
– what hosts are available on the network
– what services (application name and version) those hosts
are offering
– what operating systems (and OS versions) they are
running
– what type of packet filters/firewalls are in use, etc.
Features of Nmap
• Flexible: can map out networks filled with IP
filters, firewalls, routers, and other obstacles.
• Powerful: used to scan huge networks of hundreds
of thousands of machines.
• Portable: most operating systems are supported,
including Linux, Windows, FreeBSD, OpenBSD,
Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS,
etc.
• Easy: start out as simply as "nmap -v A targethost". Both traditional command line and
graphical (GUI) versions are available
• Free: comes with full source code
Execution Sample
ramblo:net {52} sudo nmap -sS -O -v coatlicue.colorado.edu
Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com,
www.insecure.org/nmap/)
Host coatlicue.Colorado.EDU (198.11.19.5) appears to be up ...
good.
Initiating SYN half-open stealth scan against
coatlicue.Colorado.EDU (198.11.19.5)
Adding TCP port 114 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 443 (state Open).
Adding TCP port 22 (state Open).
Adding TCP port 80 (state Open).
The SYN scan took 9 seconds to scan 1489 ports.
Interesting ports on coatlicue.Colorado.EDU (198.11.19.5):
Port State Protocol Service
22 open tcp ssh
25 open tcp smtp
80 open tcp http
111 filtered tcp sunrpc
114 open tcp audionews
443 open tcp https
2049 filtered tcp nfs
6000 filtered tcp X11
TCP Sequence Prediction: Class=random positive increments
Difficulty=47220 (Worthy challenge)
Remote operating system guess: OpenBSD Post 2.4 (November 1998) 2.5
Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
ramblo:net {53}
Measure Link Properties
• Loss
– End-to-end approach: Internet Tomography
• Multicast-based
• Unicast-based
– Router response based approach [Tulip]
• Reordering [Tulip]
– parallel links
• Delay
– RTT easy
– One-way trip times (OTT) hard
• Require clock synchronization between hosts
Measure Link Properties II
• Delay variation [cing]
– Indication of congestion in the network
– Use ICMP timestamps to estimate delay variation of
path segments
• Capacity
– Related metrics: available bandwidth and bottleneck
identification
– Variable packet size methods (traditional) [pchar,
clink]
– Tailgating packet pair/train (more efficient)
[nettimer]
Measured Topology Properties
• Four levels of topologies
– IP level [Skitter]
– Router level (after alias resolution) [Mercator]
– AS level [Router Views, BGP]
– POP level (backbone) [Rocketfuel]
• Routing policy
– IP level [Rocketfuel]
– AS level [Gao et al]
• Find AS relationship in BGP tables
Tier-1 ISP: e.g., Sprint
Sprint US backbone network
Seattle
Tacoma
DS3 (45 Mbps)
OC3 (155 Mbps)
OC12 (622 Mbps)
OC48 (2.4 Gbps)
POP: point-of-presence
to/from backbone
Stockton
…
…
Kansas City
.
…
Anaheim
peering
…
…
San Jose
Cheyenne
New York
Pennsauken
Relay
Wash. DC
Chicago
Roachdale
Atlanta
to/from customers
Fort Worth
Orlando
Internet structure: network of networks
• “Tier-2” ISPs: smaller (often regional) ISPs
– Connect to one or more tier-1 ISPs, possibly other tier-2 ISPs
– E.g.: UUNet Europe, Singapore telecom
Tier-2 ISP pays
tier-1 ISP for
connectivity to
rest of Internet
tier-2 ISP is
customer of
tier-1 provider
Tier-2 ISP
Tier-2 ISP
Tier 1 ISP
Tier 1 ISP
Tier-2 ISP
NAP
Tier 1 ISP
Tier-2 ISP
Tier-2 ISPs
also peer
privately with
each other,
interconnect
at NAP
Tier-2 ISP
Measured Topology Properties II
• Workload: Traffic Matrices [Tomogravity]
Only measure at links
1
route 1
route 3
router
route 2
3
2
Want to compute the traffic yj along
route j from measurements on the
links, xi
 x1   1 0 1  y1 
  
 
 x2    1 1 0  y2 
 x   0 1 1  y 
 3 
 3 
Courtesy of Y. Zhang at UT Austin
Measured Topology Properties II
Only measure at links
1
route 1
route 3
router
route 2
3
2
Want to compute the traffic yj along
route j from measurements on the
links, xi
x = AT y
Courtesy of Y. Zhang at UT Austin
Internet Measurement Roadmap
Internet Measurement Roadmap II
Gigascope: Motivations
• Very high data rates.
– Optical links : gigabit/sec and higher (to OC192),
Millions of packets/sec.
• Goal : Evaluate queries over every bit of every packet.
• Problem : Not enough cycles in a second.
- 3 Ghz / 21 Mpacket/sec = 142 cycles / packet
• Solution : Push data reduction operators as far down
the protocol stack as possible.
•Multiple data sources.
– SNMP, Netflow, BGP, packet sniffers, router tables, etc.
– Many layered protocols: multimedia, VPN, etc.
•Overcome a prejudice that database technology is
too slow and rigid for network monitoring.
Early Data Reduction in Gigascope
• Gigascope was designed to monitor very high speed
(optical) links using complex query sets.
• Multiple levels of data reduction:
– Data reduction in the NIC : depends on NIC capabilities
• BPF filters
• Approximate filtering (bitmasks)
• Data reduction queries (replace the NIC run time system)
– Low level queries
• Run queries on kernel input buffers
• Preliminary filter for the query set
– Other possibilities ….
Example: Router Monitoring
High Level Queries
Low Level Queries
Kernel
Circular Buffer
Router
Select
Stream
Network
Tap
Network
Interface card
•Selection/projection/aggregation
•Pre-filter
Libpcap / BPF filters
•Approximate filter (selection)
•Selection/projection/aggregation
queries (replace run time system)
PROTOCOL GAMEPROTOCOL (UDP) {
ullong gp_header gp_header (snap_len 134);
bool gp_is_ack_request gp_is_ack_request (snap_len 134);
bool gp_is_ack_response gp_is_ack_response (snap_len 134);
uint gp_ack_id gp_ack_id (snap_len 134);
uint gp_sequence_number gp_sequence_number (snap_len 134);
}
select timestamp, sourceIP, destIP, source_port,
dest_port, len, total_length, gp_header
from GAMEPROTOCOL
where sample_hash[50, sourceIP, destIP] and protocol=17 and offset=0
Outline
• State of the Art Measurement Tools
– Measured Node Properties
– Measured Link Properties
– Measured Topology Properties
– Measured Traffic Properties (Gigascope)
• Large-scale Measurement Projects
– RIPE
– CAIDA
– PlanetLab
RIPE (European IP Networks)
RIPE Measurement
• Growth and Change of the Internet
• Interaction of Traffic and Networks
– Measure delay, packet loss, path, bandwidth and
delay variation
– Data available under an acceptable agreement
• Routing Information
– Collect and store BGP table and make it available
– Similar to Routeviews in US
CAIDA
• The Cooperative Association for Internet Data
Analysis
• Nonprofit org in the San Diego Supercomputing
Center, part of UCSD
• Built a variety of tools
– Almost all can be free downloaded online!
• Collected and managed large amount of
Internet data for analysis
Representative Tools
• Iffinder: alias resolution
• Skitter: large scale topology discovery
– Track Persistent Routing Changes
– Visualize Network Connectivity
Representative Tool: GTrace
Provides geographic interface to traceroute
Representative Tool: AutoFocus
A traffic analysis
and visualization
tool that
describes the
traffic mix of a
link through
textual reports
and time series
plots.
CAIDA Data Collection
• A large variety of data traces
– Various sources: OC48 links, regional peering points,
campus network, etc.
– Various types: packets, topology, AS adjacency, etc.
– Anonymized data available online
• Network Telescope
– Globally announced but unused address space.
– A /8 network, almost 1/256 of the entire IPv4
addresses, the largest telescope in the world
– Slammer worm has significant traffic reaching telescope
• Calculate the rate of scanning worms
Planet Lab
• The largest overlay network testbed
– Current distribution of 665 nodes over 315 sites
Projects on Planet Lab
•
Network measurement
•
– CoDeeN, ESM, UltraPeer
emulation, Gnutella mapping
– Scriptroute, PlanetProbe, I3,
etc.
•
Application-level multicast
•
Distributed Hash Tables
– Chord, Tapestry, Pastry,
Bamboo, etc.
•
Wide-area distributed storage
– Oceanstore, SFS, CFS,
Palimpsest, IBP
•
Resource allocation
– Sharp, Slices, XenoCorp,
Automated contracts
•
Distributed query processing
– PIER, IrisLog, Sophia, etc.
Management and Monitoring
– Ganglia, InfoSpect, Scout
Monitor, BGP Sensors, etc.
– ESM, Scribe, TACT, etc.
•
Content Dist. Networks
•
Overlay Networks
– RON, ROM++, ESM, XBone,
ABone, etc.
•
Virtualization and Isolation
– Xen, Denali, VServers, SILK,
Mgmt VMs, etc.
•
Router Design implications
– NetBind, Scout, NewArch,
Icarus, etc.
•
Testbed Federation
– NetBed, RON, XenoServers
What PlanetLab is about
•
Create the open infrastructure for invention of the next generation of
wide-area (“planetary scale”) services
•
The foundation on which the next Internet can emerge
– Think beyond TCP/UDP/IP/DNS/BGP/OSPF…
– …as to what the net provides
– building-blocks upon which services will be based
– “the next internet will be created as an overlay on the current one”
•
A different kind of network testbed
– not a collection of pipes and giga-pops
– not a distributed supercomputer
– geographically distributed network services
– alternative network architectures and protocols
•
Focus and Mobilize the Network / Systems Research Community to
define the emerging internet