Outline
• State of the Art Measurement Tools
  • Measured Node Properties
  • Measured Link Properties
  • Measured Topology Properties
  • Measured Traffic Properties (Gigascope)
• Large-scale Measurement Projects
  • RIPE
  • CAIDA
  • PlanetLab
Measured Node Properties
• IP aliases [Ally & Mercator]
  • Ally: a single router has only one IP ID counter for all of its interfaces, so replies from two aliases carry IP IDs that increase together and stay close
  • Mercator: the ICMP error reply to a probe is sourced from the router's outgoing interface, which may be a different address from the one probed
• Geography: location of the host [GeoCluster]
• Owner: AS [Mao et al]
  • DNS, BGP & whois
• Router role identification [Rocketfuel]
  • Backbone vs. access routers
  • Use DNS naming and topological ordering
• Configuration features
  • nmap
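As an added worked example (not code from the slides or from the Rocketfuel/Ally tool), the IP ID alias test above in Python. Real probing is replaced by a constructed FakeRouter that owns a shared 16-bit IP ID counter and advances it for background traffic between our probes; the addresses and the MAX_GAP closeness threshold are assumptions for illustration.

```python
"""Ally-style IP-ID alias test (added example, not Ally's own code).
Ally's observation: a router keeps a single IP ID counter shared by all of its
interfaces, so replies from two aliases of one router carry IP IDs that
interleave in increasing order and stay close together.  Probe replies below
come from a constructed simulation, not from real captures."""

IPID_MOD = 1 << 16   # IP ID is a 16-bit field, so distances are taken modulo 2^16
MAX_GAP = 200        # "close enough" threshold; an assumption, tune per network


def ipid_diff(later, earlier):
    """Forward distance from `earlier` to `later` on the 16-bit IP ID ring."""
    return (later - earlier) % IPID_MOD


def in_order_and_close(ids, max_gap=MAX_GAP):
    """True if consecutive IP IDs increase (mod 2^16) by less than max_gap."""
    return all(0 < ipid_diff(b, a) < max_gap for a, b in zip(ids, ids[1:]))


def ally_alias(probe, a, b, max_gap=MAX_GAP):
    """Ally's three-probe test: probe a, then b, then a again, and require the
    three IP IDs to be increasing and close.  `probe(addr)` returns the IP ID
    of the reply, or None when nothing answered."""
    ids = [probe(a), probe(b), probe(a)]
    if any(i is None for i in ids):
        return False
    return in_order_and_close(ids, max_gap)


class FakeRouter:
    """Constructed stand-in for a router: one IP ID counter shared by every
    interface, incremented for each packet the router emits."""

    def __init__(self, interfaces, start):
        self.interfaces = set(interfaces)
        self.counter = start

    def reply(self):
        self.counter = (self.counter + 1) % IPID_MOD
        return self.counter


def make_probe(routers, background_traffic=3):
    """Return a probe() that finds the router owning `addr` and lets it emit a
    few unrelated packets (background traffic) before answering our probe."""
    def probe(addr):
        for r in routers:
            if addr in r.interfaces:
                for _ in range(background_traffic):
                    r.reply()
                return r.reply()
        return None
    return probe


# constructed topology: r1 has two interfaces, r2 has one; r1 starts near wraparound
r1 = FakeRouter({"10.0.0.1", "10.0.1.1"}, start=65500)
r2 = FakeRouter({"10.0.2.1"}, start=1000)
probe = make_probe([r1, r2])

if __name__ == "__main__":
    print(ally_alias(probe, "10.0.0.1", "10.0.1.1"))  # same counter -> alias
    print(ally_alias(probe, "10.0.0.1", "10.0.2.1"))  # independent counters -> not alias
```

The modular difference handles counters that wrap at 2^16; the gap threshold absorbs the other traffic a busy router emits between our probes. Routers that zero the IP ID or randomize it per packet defeat this test, which is why Rocketfuel combines Ally with the Mercator source-address check.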
Nmap (Network Mapper)
• A free open source utility for network exploration or security auditing
• Designed to rapidly scan large networks, although it works fine against single hosts
• Nmap uses raw IP packets to determine
  • what hosts are available on the network
  • what services (application name and version) those hosts are offering
  • what operating systems (and OS versions) they are running
  • what type of packet filters/firewalls are in use, etc.
Features of Nmap
• Flexible: can map out networks filled with IP filters, firewalls, routers, and other obstacles
• Powerful: used to scan huge networks of hundreds of thousands of machines
• Portable: most operating systems are supported, including Linux, Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, SunOS, etc.
• Easy: start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available
• Free: comes with full source code
Execution Sample

ramblo:net {52} sudo nmap -sS -O -v coatlicue.colorado.edu

Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Host coatlicue.Colorado.EDU (198.11.19.5) appears to be up ... good.
Initiating SYN half-open stealth scan against coatlicue.Colorado.EDU (198.11.19.5)
Adding TCP port 114 (state Open).
Adding TCP port 25 (state Open).
Adding TCP port 443 (state Open).
Adding TCP port 22 (state Open).
Adding TCP port 80 (state Open).
The SYN scan took 9 seconds to scan 1489 ports.

Interesting ports on coatlicue.Colorado.EDU (198.11.19.5):
Port   State     Protocol  Service
22     open      tcp       ssh
25     open      tcp       smtp
80     open      tcp       http
111    filtered  tcp       sunrpc
114    open      tcp       audionews
443    open      tcp       https
2049   filtered  tcp       nfs
6000   filtered  tcp       X11

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=47220 (Worthy challenge)
Remote operating system guess: OpenBSD Post 2.4 (November 1998) - 2.5

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
ramblo:net {53}

Reading the run: -sS is the SYN (half-open) scan, -O requests OS fingerprinting and -v is verbose; sudo is needed because a SYN scan builds raw packets. "filtered" means no SYN/ACK or RST came back (or an ICMP unreachable did), so nmap cannot tell whether the port is open behind the filter. The OS guess is built from the TCP/IP stack fingerprint, including the initial sequence number behaviour reported as "TCP Sequence Prediction".
Measured Link Properties
• Loss
  • End-to-end approach: Internet tomography
    • Multicast-based
    • Unicast-based
  • Router-response-based approach [Tulip]
• Reordering [Tulip]
  • Parallel links
• Delay
  • RTT: easy
  • One-way trip time (OTT): hard
    • Requires clock synchronization between the hosts
Measured Link Properties II
• Delay variation [cing]
  • Indication of congestion in the network
  • Use ICMP timestamps to estimate delay variation of path segments
• Capacity
  • Related metrics: available bandwidth and bottleneck identification
  • Variable packet size methods (traditional) [pchar, clink]
  • Tailgating packet pair/train (more efficient) [nettimer]
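An added worked example (not code from the slides, pchar or clink) of the variable packet size method: for each hop, the minimum RTT as a function of probe size is a line whose slope is the sum of per-byte serialization times of all links up to that hop, so the capacity of hop h is 8/(slope_h - slope_{h-1}) bit/s. The path (10 Mb/s, 1.5 Mb/s and 45 Mb/s links with assumed propagation delays), the probe sizes and the uniformly distributed queueing noise are all constructed for the simulation.

```python
"""Variable-packet-size (VPS) capacity estimation in the style of pchar/clink.
Added example; not the tools' own code.

Model, per hop h, probe size s in bytes, reply size constant:
    min_rtt_h(s) = A_h + s * B_h,   B_h = 8 * sum_{i<=h} 1/C_i   [C_i in bit/s]
so the capacity of hop h is C_h = 8 / (B_h - B_{h-1}).  Real tools obtain
min_rtt_h(s) from many TTL-limited probes per size; here the probes come from
a constructed simulation with uniform queueing delay."""
import random

SIZES = list(range(100, 1501, 200))   # probe sizes in bytes (constructed)


def fit_slope(points):
    """Ordinary least-squares slope of y on x for an iterable of (x, y)."""
    pts = list(points)
    n = len(pts)
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    return sxy / sxx


def per_hop_capacities(min_rtt_by_hop):
    """min_rtt_by_hop[h] maps probe size -> minimum RTT (seconds) to hop h+1.
    Returns the estimated capacity of every hop in bit/s (difference of slopes)."""
    caps, prev_slope = [], 0.0
    for rtts in min_rtt_by_hop:
        slope = fit_slope(sorted(rtts.items()))   # seconds per byte, cumulative
        caps.append(8.0 / (slope - prev_slope))
        prev_slope = slope
    return caps


def ideal_rtt(caps, prop_delays, hop, size):
    """Noise-free RTT to `hop` (1-based): twice the propagation delay plus the
    serialization of `size` bytes on every link up to that hop (reply assumed small)."""
    return sum(2 * prop_delays[i] + 8.0 * size / caps[i] for i in range(hop))


def simulate_min_rtts(caps, prop_delays, probes_per_size=20,
                      max_queue=5e-5, seed=42):
    """Constructed measurement: each probe suffers extra queueing delay drawn
    uniformly from [0, max_queue); keep the minimum per size, as pchar does."""
    rng = random.Random(seed)
    out = []
    for hop in range(1, len(caps) + 1):
        per_size = {}
        for s in SIZES:
            base = ideal_rtt(caps, prop_delays, hop, s)
            per_size[s] = min(base + rng.uniform(0, max_queue)
                              for _ in range(probes_per_size))
        out.append(per_size)
    return out


# constructed path: 10 Mb/s Ethernet, 1.5 Mb/s T1, 45 Mb/s DS3; 1, 2 and 5 ms propagation
TRUE_CAPS = [10e6, 1.5e6, 45e6]
PROP = [0.001, 0.002, 0.005]

if __name__ == "__main__":
    estimates = per_hop_capacities(simulate_min_rtts(TRUE_CAPS, PROP))
    for truth, est in zip(TRUE_CAPS, estimates):
        print(f"true {truth / 1e6:6.2f} Mb/s   estimated {est / 1e6:6.2f} Mb/s")
```

The weakness of VPS is visible in the formula: the slope for hop h accumulates every link before it, so a fast link behind a slow one is recovered as a small difference of two large numbers, and noise that is harmless for the slow hop (here the 1.5 Mb/s link) dominates the fast one. The packet pair and tailgating approach of nettimer measures dispersion directly and avoids that subtraction.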
Measured Topology Properties
• Four levels of topology
  • IP level [skitter]
  • Router level (after alias resolution) [Mercator]
  • AS level [RouteViews, BGP]
  • POP level (backbone) [Rocketfuel]
• Routing policy
  • IP level [Rocketfuel]
  • AS level [Gao et al]
    • Infer AS relationships from BGP tables
Tier-1 ISP: e.g., Sprint (figure: Sprint US backbone network)
• POP: point-of-presence; each POP has links to/from the backbone, to/from peering, and to/from customers
• Link rates in the figure: DS3 (45 Mbps), OC3 (155 Mbps), OC12 (622 Mbps), OC48 (2.4 Gbps)
• POPs shown: Seattle, Tacoma, Stockton, San Jose, Anaheim, Cheyenne, Kansas City, Fort Worth, Chicago, Roachdale, Atlanta, Orlando, Relay, Wash. DC, Pennsauken, New York
Internet structure: network of networks
• "Tier-2" ISPs: smaller (often regional) ISPs
  • Connect to one or more tier-1 ISPs, possibly other tier-2 ISPs
  • E.g.: UUNet Europe, Singapore Telecom
• Tier-2 ISP pays tier-1 ISP for connectivity to the rest of the Internet
  • The tier-2 ISP is a customer of the tier-1 provider
• Tier-2 ISPs also peer privately with each other, or interconnect at a NAP (network access point)
(figure: several tier-2 ISPs attached to three tier-1 ISPs)
Measured Topology Properties II
• Workload: traffic matrices [Tomogravity]
• Want to compute the traffic y_j along route j from measurements x_i on the links
• x = A^T y, where A^T is the routing matrix: one row per measured link, one column per route, with a 1 where the route crosses the link
(figure: two routers, three routes, measurements taken only at links 1, 2 and 3; courtesy of Y. Zhang at UT Austin)
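An added worked example of the tomogravity idea, not code from the slides or from Zhang et al.: link loads x are measured, x = A^T y is underdetermined, so start from a gravity-model guess of y and move to the nearest y that satisfies the link equations. The three-router line topology, the ground-truth traffic used to produce the "measured" loads, and the per-router ingress/egress totals are all constructed; the projection used is the plain Euclidean one, a simplification of the weighted least-squares step in the published method (assumption).

```python
"""Traffic-matrix estimation by tomogravity (added example, not the authors'
code).  Notation follows the slide: x_i are link loads, y_j route traffic and
x = A^T y with A^T the routing matrix.  The estimate is the Euclidean
projection of the gravity-model guess onto the solution set of x = A^T y; the
published method uses a weighted norm and a non-negativity step instead."""

ROUTES = ["A>B", "A>C", "B>A", "B>C", "C>A", "C>B"]   # constructed line topology A-B-C
LINKS = ["A>B", "B>C", "B>A", "C>B"]                  # directed links with counters
# A^T: one row per link, one column per route, 1 if the route crosses the link
AT = [
    [1, 1, 0, 0, 0, 0],   # link A>B carries routes A>B and A>C
    [0, 1, 0, 1, 0, 0],   # link B>C carries routes A>C and B>C
    [0, 0, 1, 0, 1, 0],   # link B>A carries routes B>A and C>A
    [0, 0, 0, 0, 1, 1],   # link C>B carries routes C>A and C>B
]


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def matmul(M, N):
    NT = transpose(N)
    return [[sum(a * b for a, b in zip(row, col)) for col in NT] for row in M]


def solve_linear(M, b):
    """Gauss-Jordan elimination with partial pivoting; M square, non-singular."""
    n = len(M)
    aug = [list(map(float, row)) + [float(bi)] for row, bi in zip(M, b)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [v / piv for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c] != 0.0:
                f = aug[r][c]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[n] for row in aug]


def gravity_estimate(routes, ingress, egress):
    """Gravity model: traffic from s to d is proportional to (traffic entering
    the network at s) * (traffic leaving at d), normalised by the total."""
    total = sum(ingress.values())
    return [ingress[r[0]] * egress[r[-1]] / total for r in routes]


def tomogravity(AT, x, y_g):
    """y minimising ||y - y_g||_2 subject to A^T y = x:
    y = y_g + A (A^T A)^{-1} (x - A^T y_g), where A = (A^T)^T."""
    A = transpose(AT)
    residual = [xi - ri for xi, ri in zip(x, matvec(AT, y_g))]
    z = solve_linear(matmul(AT, A), residual)
    return [yg + corr for yg, corr in zip(y_g, matvec(A, z))]


# constructed ground truth (Mb/s), used only to produce the "measured" link loads
Y_TRUE = [10, 20, 5, 15, 25, 5]
X_MEASURED = matvec(AT, Y_TRUE)            # link loads an operator would read via SNMP
INGRESS = {"A": 30, "B": 20, "C": 30}      # traffic entering at each edge router
EGRESS = {"A": 30, "B": 15, "C": 35}       # traffic leaving at each edge router


def estimate():
    y_g = gravity_estimate(ROUTES, INGRESS, EGRESS)
    return tomogravity(AT, X_MEASURED, y_g)


if __name__ == "__main__":
    for name, truth, est in zip(ROUTES, Y_TRUE, estimate()):
        print(f"{name}: true {truth:5.1f}   estimated {est:7.3f}")
```

The result reproduces every measured link load exactly while still differing from the constructed truth, which is the point of the slide: four link counters cannot pin down six route volumes, and the gravity prior decides which consistent solution is reported.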
Gigascope: Motivations
• Very high data rates
  • Optical links: gigabit/sec and higher (to OC192), millions of packets/sec
  • Goal: evaluate queries over every bit of every packet
  • Problem: not enough cycles in a second
    • 3 GHz / 21 Mpacket/sec = 142 cycles / packet
  • Solution: push data reduction operators as far down the protocol stack as possible
• Multiple data sources
  • SNMP, Netflow, BGP, packet sniffers, router tables, etc.
  • Many layered protocols: multimedia, VPN, etc.
• Overcome a prejudice that database technology is too slow and rigid for network monitoring
Early Data Reduction in Gigascope
• Gigascope was designed to monitor very high speed (optical) links using complex query sets
• Multiple levels of data reduction:
  • Data reduction in the NIC: depends on NIC capabilities
    • BPF filters
    • Approximate filtering (bitmasks)
  • Data reduction queries (replace the NIC run time system)
    • Low level queries
    • Run queries on kernel input buffers
    • Preliminary filter for the query set
  • Other possibilities ...
Example: Router Monitoring (architecture figure)
• Router → Network Tap → Network Interface Card
  • Approximate filter (selection)
  • Selection/projection/aggregation queries (replace the run time system)
• Kernel: libpcap / BPF filters, circular buffer
• Low Level Queries
• High Level Queries
  • Selection/projection/aggregation
  • Pre-filter
• Select Stream (query output)
Gigascope query example: a GSQL protocol definition for a UDP game protocol, and a query over it

PROTOCOL GAMEPROTOCOL (UDP) {
    ullong gp_header            gp_header            (snap_len 134);
    bool   gp_is_ack_request    gp_is_ack_request    (snap_len 134);
    bool   gp_is_ack_response   gp_is_ack_response   (snap_len 134);
    uint   gp_ack_id            gp_ack_id            (snap_len 134);
    uint   gp_sequence_number   gp_sequence_number   (snap_len 134);
}

select timestamp, sourceIP, destIP, source_port, dest_port, len, total_length, gp_header
from GAMEPROTOCOL
where sample_hash[50, sourceIP, destIP] and protocol=17 and offset=0

Each field line gives the field type, the field name, the extraction function and a snap_len, the number of packet bytes that must be captured to extract it. In the where clause, protocol=17 keeps UDP packets only, offset=0 keeps unfragmented or first-fragment packets (later fragments carry no UDP header), and sample_hash[50, sourceIP, destIP] samples about half the traffic by hashing the address pair, so that every packet of one source/destination pair is kept or dropped together.
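An added worked example of the data reduction this query performs, written in Python rather than GSQL and not taken from Gigascope: decode the IPv4 and UDP headers plus the first 8 bytes of payload (standing in for gp_header), apply the protocol=17 and offset=0 predicates, then sample by a hash of (sourceIP, destIP). The assumption about sample_hash is that a record is kept when a hash of the listed fields falls in the lowest 50% of the hash range; the packets are constructed inline, and the game protocol layout is a placeholder.

```python
"""Early data reduction in the spirit of the GSQL query above (added example,
not Gigascope code): parse, filter, then hash-sample per address pair.
All packets below are constructed; checksums are left zero and not checked."""
import hashlib
import struct

# version/IHL, TOS, total length, ID, flags+fragment offset, TTL, protocol, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"
UDP_FMT = "!HHHH"   # source port, dest port, length, checksum


def ip_to_str(b):
    return ".".join(str(x) for x in b)


def parse_packet(raw):
    """Return the fields the query selects, or None for packets the where
    clause rejects (non-UDP, later fragments, payload too short for gp_header)."""
    vi, _tos, total_length, _id, flags_frag, _ttl, protocol, _csum, src, dst = \
        struct.unpack(IPV4_FMT, raw[:20])
    ihl = (vi & 0x0F) * 4
    offset = flags_frag & 0x1FFF            # low 13 bits: fragment offset
    if protocol != 17 or offset != 0:       # where protocol=17 and offset=0
        return None
    sport, dport, udp_len, _ = struct.unpack(UDP_FMT, raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + udp_len]
    if len(payload) < 8:
        return None
    gp_header = struct.unpack("!Q", payload[:8])[0]   # placeholder 64-bit game header
    return {"sourceIP": ip_to_str(src), "destIP": ip_to_str(dst),
            "source_port": sport, "dest_port": dport,
            "len": len(raw), "total_length": total_length, "gp_header": gp_header}


def sample_hash(percent, *fields):
    """Deterministic per-flow sampling: keep when hash(fields) falls in the
    lowest `percent` of the range.  hashlib is used instead of Python's hash(),
    which is salted per process and would give different samples on each run."""
    digest = hashlib.sha1("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100 < percent


def run_query(packets, percent=50):
    """select ... from GAMEPROTOCOL where sample_hash[percent, sourceIP, destIP] ..."""
    rows = []
    for raw in packets:
        rec = parse_packet(raw)
        if rec and sample_hash(percent, rec["sourceIP"], rec["destIP"]):
            rows.append(rec)
    return rows


def build_packet(src, dst, proto=17, frag_offset=0, sport=40000, dport=27015,
                 payload=b"\x00" * 16):
    """Constructed IPv4 packet with a UDP-shaped transport header."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    udp = struct.pack(UDP_FMT, sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(udp), 1, frag_offset, 64, proto, 0,
                     src_b, dst_b)
    return ip + udp


SAMPLE = [
    build_packet("10.1.1.1", "192.0.2.10",
                 payload=struct.pack("!Q", 0xDEADBEEF) + b"\x00" * 8),
    build_packet("10.1.1.1", "192.0.2.10", sport=40001),   # same address pair, second packet
    build_packet("10.1.1.2", "192.0.2.10", proto=6),        # TCP: dropped by protocol=17
    build_packet("10.1.1.3", "192.0.2.10", frag_offset=3),  # later fragment: dropped by offset=0
]

if __name__ == "__main__":
    for row in run_query(SAMPLE):
        print(row)
```

Hashing the address pair rather than flipping a coin per packet is what makes the sample usable for per-flow analysis: either all packets between 10.1.1.1 and 192.0.2.10 are in the output or none are. The cheap predicates run first so that the hash is only computed for packets that survive them, which is the "push reduction down the stack" rule from the motivation slide.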
RIPE Measurement
• Growth and change of the Internet
• Interaction of traffic and networks
  • Measure delay, packet loss, path, bandwidth and delay variation
  • Data available under an acceptable-use agreement
• Routing Information
  • Collect and store BGP tables and make them available
  • Similar to RouteViews in the US
CAIDA
• The Cooperative Association for Internet Data Analysis
• Nonprofit organization at the San Diego Supercomputer Center, part of UCSD
• Built a variety of tools
  • Almost all can be downloaded free online!
• Collected and managed a large amount of Internet data for analysis
Representative Tools
• Iffinder: alias resolution
• Skitter: large scale topology discovery
  • Track persistent routing changes
  • Visualize network connectivity
Representative Tool: GTrace Provides geographic interface to traceroute
Representative Tool: AutoFocus A traffic analysis and visualization tool that describes the traffic mix of a link through textual reports and time series plots.
CAIDA Data Collection
• A large variety of data traces
  • Various sources: OC48 links, regional peering points, campus networks, etc.
  • Various types: packets, topology, AS adjacency, etc.
  • Anonymized data available online
• Network Telescope
  • Globally announced but unused address space
  • A /8 network, 1/256 of the entire IPv4 address space; the largest telescope in the world
  • The Slammer worm produced significant traffic reaching the telescope
  • Used to calculate the scanning rate of worms: a worm that picks targets uniformly at random sends 1/256 of its probes into a /8, so the rate seen at the telescope times 256 estimates the worm's total scan rate
PlanetLab
• The largest overlay network testbed
• Current distribution of 665 nodes over 315 sites
Projects on PlanetLab
• Network measurement: Scriptroute, PlanetProbe, I3, etc.
• Application-level multicast: ESM, Scribe, TACT, etc.
• Distributed hash tables: Chord, Tapestry, Pastry, Bamboo, etc.
• Wide-area distributed storage: OceanStore, SFS, CFS, Palimpsest, IBP
• Resource allocation: Sharp, Slices, XenoCorp, automated contracts
• Distributed query processing: PIER, IrisLog, Sophia, etc.
• Content distribution networks: CoDeeN, ESM, UltraPeer emulation, Gnutella mapping
• Management and monitoring: Ganglia, InfoSpect, Scout Monitor, BGP Sensors, etc.
• Overlay networks: RON, ROM++, ESM, XBone, ABone, etc.
• Virtualization and isolation: Xen, Denali, VServers, SILK, Mgmt VMs, etc.
• Router design implications: NetBind, Scout, NewArch, Icarus, etc.
• Testbed federation: NetBed, RON, XenoServers
What PlanetLab is about
• Create the open infrastructure for invention of the next generation of wide-area ("planetary scale") services
  • The foundation on which the next Internet can emerge
  • Think beyond TCP/UDP/IP/DNS/BGP/OSPF ... as to what the net provides
  • Building blocks upon which services will be based
  • "The next internet will be created as an overlay on the current one"
• A different kind of network testbed
  • Not a collection of pipes and giga-pops
  • Not a distributed supercomputer
  • Geographically distributed network services
  • Alternative network architectures and protocols
• Focus and mobilize the network / systems research community to define the emerging internet