High speed links, distributed services, can’t modify routers; lack of visibility. But, need for more visibility and control. Increased number and complexity.


An Annotation Layer for Network Management
George Porter, Randy H. Katz

Poster sections: Research Challenges And Opportunities; Annotation Structure and Security; Overview; A-Layer Network Management Principles; Observations; A-Layer Piggybacking; Analysis; Actions; Motivating Example

- High speed links, distributed services, can’t modify routers; lack of visibility. But, need for more visibility and control
- Increased number and complexity of network services
- Unexpected Traffic Patterns
  - Legitimate: new apps, flash traffic
  - Illegitimate: worms, viruses, misconfiguration (Mextreme)
  - Complex traffic/server interactions
- Need to protect good traffic in this environment

Problem:
- Users in the access tier complain of slow web access, can’t mount files, and “DNS operation timed out” messages

Network Management Approach:
- Is the problem isolated to one client? To one service?
- Tools to discover problem: e.g., correlation between SMTP traffic from ISP ingress and excessive load on name service
- Experimental intervention to confirm relationship
- Ability to add new policy for redirection and request throttling

[Figure: network diagram with labels Client, Dist Tier, Server tier (DNS, Web, NFS, FTP, SMTP), ISP Ingress, R, I, iBox, "anno: X"]

- Network-wide visibility despite surges/overload/high loss rates
- Low overhead
- Path statistics gathering
- Some protocol visibility (TCP, IP, services like DNS, NFS)
- Need to discover
  - Changes to request-reply rate, completions, latency over time
  - Correlations between different flows, protocols, parts of the network
- New policies (Actions)
  - For experimental intervention (root cause discovery)
  - To protect good traffic
  - BW shaping, blocking, scheduling, fencing, selective drop
- Security
  - Against non-operators using this infrastructure
  - Against DoS attacks

- Network topology, link dynamics, traffic volume
- Standard protocols (TCP, UDP), standard services (NFS, DNS), rates, request/response completion rate, latency, RTT, network load
- Sources/sinks of traffic, inside-vs-outside

- Network statistics: flow rates, protocol mixtures, top-talkers graph, “network hotspots”
- Correlations:
  - Surge in one type of traffic correlated with drop in another
  - Relationship between “good” network services and “unknown” traffic
- Unusual behavior (change in mean): is a network service seeing unusually low or high number of requests?

- Alerting operators
  - SNMP traps when anomalous amount of traffic seen
  - Acts as distributed monitoring system for path- and session statistics
- Experimental intervention
  - Ability to affect unknown traffic and test result on good traffic
- Traffic management
  - BW shaping, policing, fencing, selective drop, scheduling, prioritization, network-level redirection

- Need for network-wide visibility despite traffic surges and network stress
- We encode annotations that are removable and do not reach endhosts
- These annotations are embedded in the flows they describe, saving overhead and router resources
- Annotations result in path-wide context accompanying packets along their network path to other iBoxes where it is needed
- We can leverage IPsec standards to distribute shared secrets to each iBox
- For authenticating annotations, we can rely on an HMAC message authentication field
- Annotations are stackable

- The A-Layer can enable a distributed, network-wide observation platform
  - This enables statistics gathering, correlation discovery, path- and session statistic gathering
- iBoxes can utilize the A-Layer for experimental intervention and new policy implementation
  - Through network-level actions such as bandwidth shaping and fencing
  - Hope is to protect good traffic during periods of network stress
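An added sketch (not code from the poster or its authors) of the annotation properties listed above: stackable, HMAC-authenticated with a secret shared among iBoxes, and removed before the packet reaches an end host. The poster defines no wire format, so the `ANNO` marker, field layout, function names, key, and sample notes are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAGIC = b"ANNO"   # hypothetical marker; the poster defines no wire format
TAG_LEN = 32      # HMAC-SHA256 tag size
HDR_LEN = len(MAGIC) + 2

def push_annotation(key, packet, note):
    """iBox adds one annotation on top of the packet (stackable).
    The HMAC covers header, note and everything beneath it, so the
    annotation cannot be moved onto a different packet."""
    header = MAGIC + struct.pack("!H", len(note))
    tag = hmac.new(key, header + note + packet, hashlib.sha256).digest()
    return header + tag + note + packet

def pop_annotation(key, packet):
    """Return (note, inner_packet) if the top annotation verifies, else None."""
    if len(packet) < HDR_LEN + TAG_LEN or not packet.startswith(MAGIC):
        return None
    (note_len,) = struct.unpack("!H", packet[len(MAGIC):HDR_LEN])
    tag = packet[HDR_LEN:HDR_LEN + TAG_LEN]
    body = packet[HDR_LEN + TAG_LEN:]
    if len(body) < note_len:
        return None                      # truncated annotation
    note, inner = body[:note_len], body[note_len:]
    expected = hmac.new(key, packet[:HDR_LEN] + note + inner, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # forged or modified: never act on it
    return note, inner

def strip_all(key, packet):
    """Last iBox on the path: remove every verified annotation so that
    none reaches the end host. Unverified bytes are left as payload."""
    notes = []
    while (popped := pop_annotation(key, packet)) is not None:
        notes.append(popped[0])
        packet = popped[1]
    return notes, packet

def demo():
    key = b"constructed-shared-secret"            # constructed sample key
    payload = b"constructed DNS query bytes"      # constructed sample payload
    p = push_annotation(key, payload, b"ingress:rate=high")
    p = push_annotation(key, p, b"dist:queue=long")
    return strip_all(key, p)

if __name__ == "__main__":
    print(demo())
```

Annotations come off in last-in, first-out order, and an annotation that fails verification is treated as opaque payload rather than as operator input.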

