Metafont: Putting ISP traffic under the scalpel
Transcript of Metafont: Putting ISP traffic under the scalpel
Mille-Feuille: Putting ISP traffic under the scalpel
Olivier TilmansUCLouvain
HotNets-XVNov. 9, 2016
Joint work withT. Bühler (ETH Zürich), S. Vissicchio (UCL) and L. Vanbever (ETH Zürich)
Picture: Georges Seguin CC BY-SA 3.0, via Wikimedia Commons
“What happens to the Skype trafficin my network?”
ISP operators only have access to poor andcoarse-grained visibility over their network.
� Netflow, sFLOW, provide aggregated statistics overrandom packet sampling.
� Active probing scales poorly.
� Router Configuration/syslog analysis only coversa fraction of the control-plane.
These techniques cannot provide real time informationabout the network state.
3
ISP operators only have access to poor andcoarse-grained visibility over their network.
� Netflow, sFLOW, provide aggregated statistics overrandom packet sampling.
� Active probing scales poorly.
� Router Configuration/syslog analysis only coversa fraction of the control-plane.
These techniques cannot provide real time informationabout the network state.
3
Research to provide complete traffic visibility inDC networks, leverages degrees of freedomunavailable in ISP networks.
ISP networks present unique challenges:
� No control on the end hosts.
� Geographically distributed.
� Wide-range of heterogeneous network equipments.
4
We aim to provide ISP operators afine-grained visibility over their networks.
Consider the following part of an ISP network.
Router
Link
6
Consider the following part of an ISP network.
Router A
C
B
D
Link
6
Consider the following part of an ISP network.
A
C
B
D Skype2/8
Destinationprefix
Expectedtraffic flow
6
Mille-Feuille improves ISP monitoringwith a traffic slicing primitive.
12345678910
A
C
B
D Skype
packet #10towards 2/8
7
Mille-Feuille improves ISP monitoringwith a traffic slicing primitive.
12345678910
A
C
B
D Skype
Traffic slicecollector
56
7Mirrored packetencapsulated towardsthe collector
7
Mille-Feuille improves ISP monitoringwith a traffic slicing primitive.
12345678910
A
C
B
D Skype
Traffic slicecollector
56
7Traffic slicetarget prefix: 2/8duration: 3 packets
7
By concurrently capturing slices at differentrouters for the same prefix, Mille-Feuille caninfer measurements about the traffic.
12345678910
A
C
B
D Skype
54
32
321
2 packets matchPath(C D) is alive
8
By concurrently capturing slices at differentrouters for the same prefix, Mille-Feuille caninfer measurements about the traffic.
12345678910
A
C
B
D Skype
54
32
3212 packets match
Path(C D) is alive
8
Capturing traffic slices is powerful.
� Slices contain the complete packet payload.Can remotely dissect traffic.
� Concurrent slices enable to trace a packet across thenetwork and compute properties.e.g., proof of traversal, upper-bound on queuing delays.
� Fine-grained control on duration, point of captureand target prefix of slices.Explicit control on measurement overhead.
9
We implemented a collector prototype.
� Uses hardware-based mirroring features available incommercial routers.e.g., Cisco ERSPAN.
� Dynamically program the intra-domain routing protocol(OSPF) using Fibbing.can capture a traffic slice for any subprefix, network-wide.
10
We statically provision a mirroring VLANon all links that must be monitored.
A B
C
0/0: - -
red: - -0/0: - -
MirroringVLAN
DefaultVLAN Default VLAN:
forward to IP NHMirroring VLAN:
encapsulate to collectorforward to IP NH
11
By default, all traffic is forwardedon the default VLAN.
A B
C
0/0: - -
red: - -0/0: - -
Destination prefix
11
The collector sendsan OSPF message to start a traffic slice.
Set NH: Mirroring VLANFor prefix: red prefix
A B
C
0/0: - -
red: - -0/0: - -
11
The OSPF message is flooded and reaches A,which then forwards traffic on the mirroring VLAN.
A B
C
0/0: - -
red: - -0/0: - -
11
B then mirrors the packets towardsthe red prefix to the collector
A B
C
0/0: - -
red: - -0/0: - -
11
The collector stops the traffic slice similarly
Set NH: Default VLANFor prefix: red prefix
A B
C
0/0: - -
red: - -0/0: - -
11
The collector stops the traffic slice similarly
Capturedtraffic slice
A B
C
0/0: - -
red: - -0/0: - -
11
Our preliminary tests show thatMille-Feuille can work in practice.
� We were able to capture traffic slices as thin as 14ms
� We control the slice duration through the delay betweenthe activation and deactivation message.
� We were able to concurrently (de)activate 1000 mirroringrules in 0.93ms, and 10 000 in 30ms.
12
Mille-Feuille is a measurement frameworkrealizing a deterministic sampling of thenetwork in real time.
Statistics
(optional)
▁▂▃▅▂▇
▃▁▇▁▁█p1p2
+ +Violation
Output
mirror p1 for x ms
mirror p2 for y ms
A
C
B
C
p1 mirrored traffic
A
Inputs Mille-Feuille
Reqs Topology
11ms
11 ms (>10 ms) for
traffic to p1 (Google) between A and C§2
§3, §4
Selection Scheduling Analysis
13
In Mille-Feuille, operators specify high-levelmeasurement requirements and an associatedmeasurement budget.
A
C
B
D
Skype
1/8
2/8
(Path(C A B) for Google;Path(*) within(20ms) for Skype;
) every(1 s) in(30ms) using(1 Gbps)
14
What? From traffic estimates, Mille-Feuilleiteratively selects subprefixes to monitor.
A
C
B
D
Skype
1/8
2/815Gbps
1Gbps
Traffic demand
Traffic distribution
1/8 15 Gbps
1/24 .5 Gbps
2/8 1 Gbps
2/16 .1 Gbps
Target prefixes for schedule #1: 1.0.0.0/24, 2.0.0.0/16Target prefixes for schedule #2: 1.0.1.0/24, 2.0.1.0/16. . .
15
What? From traffic estimates, Mille-Feuilleiteratively selects subprefixes to monitor.
A
C
B
D
Skype
1/8
2/815Gbps
1Gbps
Traffic demand
Traffic distribution
1/8 15 Gbps1/24 .5 Gbps
2/8 1 Gbps2/16 .1 Gbps
Target prefixes for schedule #1: 1.0.0.0/24, 2.0.0.0/16
Target prefixes for schedule #2: 1.0.1.0/24, 2.0.1.0/16. . .
15
What? From traffic estimates, Mille-Feuilleiteratively selects subprefixes to monitor.
A
C
B
D
Skype
1/8
2/815Gbps
1Gbps
Traffic demand
Traffic distribution
1/8 15 Gbps1/24 .5 Gbps
2/8 1 Gbps2/16 .1 Gbps
Target prefixes for schedule #1: 1.0.0.0/24, 2.0.0.0/16Target prefixes for schedule #2: 1.0.1.0/24, 2.0.1.0/16. . .
15
Where? Mille-Feuille creates mirroring rulesand assigns them to one or more routers.
A
C
B
D
Skype
1/8
2/815Gbps
1Gbps
Mirror2.0.0.0/16
Mirror2.0.0.0/16
Mirror1.0.0.0/24
Mirror1.0.0.0/24
16
When? Mille-Feuille spreads the measurementcampaign across time to meet the budget0ms 6 t < 15ms
A
C
B
D
Skype
1/8
2/815Gbps
1Gbps
A B
Mirror: 1.0.0.0/8Traffic: 0.5Gbps
15ms 6 t < 30ms
A
C
B
D
Skype
1/8
2/815Gbps
1GbpsC D
Mirror: 2.0.0.0/16Traffic: 0.1 Gbps
17
Mille-Feuille: Putting ISP traffic under the scalpel
� We collect thin traffic slices byprogramming the intra-domainrouting protocol.
� We realize a deterministic samplingof the state of the network.
� We limit the measurement overheadaccording to a budget.