290 likes | 461 Views
Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow. Group 4:Garnsey, Dennis Kang, Kang Liu, Weiming Xu , Yang Lin, Shijie Chen, Zhouyuan. Summary.
E N D
Opportunistic Flow-Level Latency EstimationUsing Consistent NetFlow Group 4:Garnsey, Dennis Kang, Kang Liu, Weiming Xu, Yang Lin, Shijie Chen, Zhouyuan Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
Summary • This paper presents a study in the use of time-stamps in NetFlow to estimate network latency and discusses ways to retrofit latency measurements to existing networks using NetFlow. • Some of the techniques covered include • Hash-based sampling to provide consistent NetFlow • Opportunistic Latency Estimation – using smaller flows to estimate the average latency and standard deviation of longer flows • NetFlow is used for Fault, Performance and Security Management Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
What is latency and why is it important? • Caused by • The speed of light • Switching and processing • Queuing and shaping • Typical latencies • Within Sydney 10 milliseconds • Within Australia - 30 - 100 milliseconds • Australia to the US - 200 milliseconds From http://www.akamai.com/html/technology/dataviz2.html Delay in data propagation introduced by links and network devices 2009 Google announced that the next major update to the Page Rank Algorithm (search result indexing) will start taking into account the pages load (response time)
What is a NetFlow record and why is it useful? • NetFlow originally a routing technology • Routers swap the destination mac address on packets and forward to egress port • NetFlow cached the destination mac and egress port to speed up routing • Superseded by other routing technologies (hardware rather than CPU based) • still needed when routing decision requires CPU (e.g. ACLs) • NetFlow records are still in router • Exporting them to a collector provides valuable information about network traffic patterns • Contains network and application info – otherwise need RMON Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
What is consistent NetFlow? • Problem • How do we correlate a NetFlow record from one router with a NetFlow record from another router? • Issues • Time synchronisation of routers may not be accurate so time stamps don't match • Packet loss • Cache expiry due to load • Different sampling across routers - may be random • Solution • Hash-based sampling Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
Consistent NetFlow • Sample packets at every link • Pseudo random sampling (e.g., 1-out-of-100) • Compute a hash over the invariant fields (same on each hop) of the packet • Packet is selected for reporting if the hash falls within a given range • All routers use the same hash, input fields and selection range • Result is consistent flow selection • Details of consistent sampling • x: subset of invariant bits in the packet • Hash function: h(x) = x mod A • Sample if h(x) < r, where r/A is a thinning factor Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
People and Standards “PSAMP selection operations include random selection, deterministic selection (Filtering), and deterministic approximations to random selection (Hash-based Selection).” - RFC 5474 • Nick Duffield (AT&T Labs) • 2000-2002 – Trajectory Sampling (hash based sampling) • 2009 Co-author RFC 5474 PSAMP • 2012 Co-author Opportunistic Flow-Level Latency Estimation Using Consistent Netflow • PSAMP/IPFIX (some overlap, but complementary) • IPFIX is standardisation track for NetFlow Export • Describes how IP flow information is to be formatted and transferred from an exporter to a collector • PSAMP is standardisation track for Flow sampling • network elements to select subsets of packets by statistical and other methods, and to export a stream of reports on the selected packets to a Collector Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
Opportunistic latency estimation • NetFlow records have timestamps – start of flow and end of flow • Can we estimate average latency and standard deviation from flow time-stamps? • Opportunistic – measure latency of shorter flows which occur during the same time frame as a longer flow, and interpolate the packet delay within the longer flow Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
Basic knowledge Prerequisite: There are two basic assumptions this approach relies on: 1. Time Synchronization—the fundamental requirement for enabling accurate one-way delay measurements. 2. Packet Forwarding Order— the stream of packets follows a serial order (FIFO) Flow correlation: Two approaches to associate flow records: Mapping Packet Label to a Timestamp Timing Checks to Eliminate Inconsistencies Delay correlation: Central premise of Foundations of Delay Correlation: When two packets traverse a link closely separated in time, then the queuing delays that experience are positively correlated.
Interpolation of Packet Delays Delay difference of two known packets Time difference of two known packets The delay we estimate Closest delay in the past
EVALUATION • Estimator Accuracy • Comparison to Active Probes • Accuracy With Respect to Flow Duration • Comparison to Interpolation and Trajectory Sampling
Sampling and Loss Rate Variation 1.Impact of Sampling Rate As shown above, relative errors decrease with the packet sampling rate increasing two variables that control the effective number of sampled packets: packet sampling rate and loss rate
Sampling and Loss Rate Variation 2.Impact of Packet Loss Rate relative error reduces as increasing the packet loss rate when using Multiflow and WISC traces. three traces WISC-R1, -R2 and -R3 have small (0.01%), medium (0.12%), and high (4.59%) packet loss rates, respectively,
Accuracy of Standard Deviation Estimates The increase of the packet loss rate reduces the relative error of standard deviation of flow-level latency. But the estimation of Endpoint cannot be trusted as Multiflow because of its poor accuracy. Using WISC traces also shows the same trend, but the improvement in accuracy of standard deviation estimates among traces is less than that in mean estimation accuracy.
Conclusion • Problem being solved • NetFlow time stamps should be able to be used to as data for measurement for network latency • Proposal • Use hash-based sampling for consistent NetFlow • Opportunistic Latency Estimation using time stamps from shorter flows to estimate average and standard deviation of latency with longer flow • Experimental evaluation • Uses real and synthetic data and real and theoretical delay modeling • Check accuracy of hash-based NetFlow • Check accuracy of estimators – endpoint, multiflow and hybrid • Compare with real data and alternative estimators (trajectory sampling) Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
Results • Estimator accuracy • The multiflow estimator was more accurate than either the endpoint estimator or active probes for packet sampling. • For flow sampling the endpoint estimator is more accurate. • Over a range of flow sizes, endpoint performs better up to about size 3-4 and then accuracy decreases. • The flow sampling above contained a large number of small flows which was why the endpoint estimator was more accurate. Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
Criticism • NF records are useful for network management, but problems that are not addressed here are • NF is resource intensive • Resources used by NF could be needed for data traffic • Some network management systems (Riverbed, Tenable) correlate NF records, however not in the deterministic manner as proposed here. • Given that this approach still relies on sampling, NF will still not replace Wireshark and network sniffing in the network management tool for packet capturing, and SNMP will still be used for lower level utilization reporting. NF sits midway between the two. • PSAMP is not commercially available yet (to my knowledge), so this approach is still evolving • The utility of per-flow average delays and standard deviations is not clear and may not be known until it becomes commercially available (if ever). Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
Opportunistic Flow-Level Latency EstimationUsing Consistent NetFlow Supplementary slides Opportunistic Flow-Level Latency Estimation Using Consistent NetFlow
Switch Layer Introductiongathering information from the network SNMP packet counters on interfaces NetFlow tables in CPU IP Layer Network Monitoring SNMP packet counters on interfaces SNMP tcp conn entries on end hosts Applications
NetFlow • Netflow n-tuple may include • Flow Usage counters • Start time and end time • Interfaces used • QoS flags • IP Addresses • Applications ports • Routing information
NetFlow V5 Header 0 8 16 24 31 Format of NetFlow V.5 Header http://www.plixer.com/support/netflow_v5.html
NetFlow V5 Flow Record 0 8 16 24 31 Format of NetFlow V.5 Flow Record See http://www.plixer.com/support/netflow_v5.html
NetFlow V9 Template Format of NetFlow V.9 Template The distinguishing feature of the NetFlow Version 9 format is that it is template based. Templates provide an extensible design to the record format to allow future enhancements to NetFlow services without requiring changes to the basic flow-record format.
NetFlow V9 Header 0 8 16 24 31 Format of NetFlow V.9 Header From http://www.plixer.com/support/netflow_v9.html
NetFlow V9 Flow Record Partial format of NetFlow V.9 Flow Record From http://www.plixer.com/support/netflow_v9.html 87 fields possible - too many to fit on slide