Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rethinking NetFlow: A Case for a Coordinated “RISC” Architecture for Flow Monitoring Vyas Sekar Joint work with Mike Reiter, Hui Zhang David Andersen,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Rethinking NetFlow: A Case for a Coordinated “RISC” Architecture for Flow Monitoring Vyas Sekar Joint work with Mike Reiter, Hui Zhang David Andersen,"— Presentation transcript:

1 Rethinking NetFlow: A Case for a Coordinated “RISC” Architecture for Flow Monitoring Vyas Sekar Joint work with Mike Reiter, Hui Zhang David Andersen, Anupam Gupta, Ramana Kompella, Walter Willinger 1

2 Flow Monitoring is critical for effective Network Management 2 Traffic Engineering Analyze new user apps Anomaly Detection Network Forensics Worm Detection Accounting Botnet analysis ……. Many management applications Evolving and growing over time Need high-fidelity measurements

3 Requirements for monitoring 3 Network Operations Center Flow reports report = ( flow = same src-dst, ports, proto) + pkt/byte counters Respect resource constraints High flow coverage Provide network-wide goals Low data management overhead High-fidelity for all applications

4 Sampling due to resource constraints Routers cannot record every packet/flow – Constraints: CPU, Memory, Bandwidth Resource constraints don’t go away! – Network demands scale even as routers become more powerful Some form of sampling is inevitable – Record/report only a subset of the traffic 4

5 Current solution 5 Respect resource constraints High flow coverage Provide network-wide goals Low data management overhead Uniform packet sampling, e.g., Cisco NetFlow Each router independently samples packets Aggregates sampled packets into flow reports    Biased towards large flows Redundant measurements Too coarse High-fidelity for all applications  Not very good for security

6 How do we meet the requirements? High-fidelity for all applications Respect resource constraints High flow coverage Provide network-wide goals Low data mgmt overhead Part 1: Coordinated Sampling Part 2: “RISC” monitoring 6

7 How do we meet the requirements? High-fidelity for all applications Respect resource constraints High flow coverage Provide network-wide goals Low data mgmt overhead Part 1: Coordinated Sampling Part 2: “RISC” monitoring 7

8 High-level idea 8 Sampling algorithm not biased to large flows Packet sampling has low flow coverage due to bias toward large flows Routers sample independently  Wasted measurements Can’t reason about network-wide goals Treat routers in the network as a system to be managed in a coordinated fashion!

9 9 Part 1 Outline Motivation Design of cSamp (Coordinated Sampling) Evaluation Practical deployment

10 Design Random flow sampling (single router) – Sample flows not packets Hash-based coordination (single path) – Efficient, non-redundant sampling – Coordination without explicit communication Network-wide optimization (whole network) – Satisfy network-wide constraints and objectives 10

11 Design (single router) Random flow sampling – Sample flows not packets 11

12 Flow sampling 12 1613111 Flow memory (flow, counter #pkts) 3 [3,10] Hash range 6 Sample flows, not packets, to increase flow coverage 1131611 Compute hash, log if in range Version IHL TOS Length Identification Flags Offset TTL Protocol Checksum Source IP address Destination IP address …… SourcePort DestinationPort Hash Flowid  [0,Max] 1131611 Packet header 1 1

13 Design (single path) Random flow sampling (single router) – Sample flows not packets Hash-based coordination – Efficient, non-redundant sampling – Coordination without explicit communication 13

14 Hash-based coordination 14 Flow memory 1 [1,4] Hash range 3 Flow memory 8 [7,9] Hash range Non-overlapping hash-ranges avoids redundant monitoring Coordination without communication Stream: 11816135 R1 R2 4 1 1

15 Design (whole network) Random flow sampling (single router) – Sample flows not packets Hash-based coordination (single path) – Efficient, non-redundant sampling – Coordination without explicit communication Network-wide optimization – Satisfy network-wide constraints and objectives 15

16 Network-wide view 16 Many paths = Origin-Destination (OD) pairs in a network e.g., NYC-PIT, PIT-SFO Moving from a single-path to network?

17 Network-wide coordination 17 Assign non-overlapping ranges per OD-pair/path [1,5] [1,3] [3,7] [1,2] [7,9] [5,8]

18 cSamp algorithm on each router 18 [5,10] [1,4] Sampling Manifest 1. Get OD-Pair from packet 3. Look up hash-range for OD-pair from sampling manifest 2. Compute hash (flow = packet 5-tuple) 4.Log if hash falls in range for this OD-pair Red vs. Green? Flow memory 2 2 1 OD Range

19 Overall system architecture 19 [1,5] [5,9] [3,7] [1,2] [7,9] [5,8] Network Operations Center Generate sampling manifests Applications Configuration Dissemination Flow reports

20 Framework for generating manifests 20 Network-wide optimization OD-pair info Traffic, Path(routers) Router constraints e.g., SRAM for flow records Sampling manifests { } per router Objective: Max  i ε ODPairs Coverage i  Traffic i Subject to achieving maximum Min i ε ODPairs {Coverage i } Linear Program Inputs Output

21 21 Part 1 Outline Motivation Design of cSamp (Coordinated Sampling) Evaluation Practical deployment

22 cSamp vs. other sampling solutions Metrics reflect initial goals – Coverage, network-wide goals, redundancy Flow sampling – Fixed-rate and Maximal flow sampling – Use same memory (400K flow records) Packet sampling – 1-in-100 and 1-in-50 (edge) – Allow infinite memory 22

23 Total flow coverage 23 cSamp is 2-3X better than packet sampling, 30% over maximal flow sampling

24 Minimum fractional coverage 24 cSamp is significantly better than other solutions! Maximal flow sampling is inadequate for network-wide objectives

25 How do these solutions fare? 25 Requirements Packet Sampling (NetFlow) Flow Sampling cSamp Respect resource constraints High flow coverage  Network-wide goals  Minimize redundant measurements 

26 26 Part 1 Outline Motivation Design of cSamp (Coordinated Sampling) Evaluation Practical deployment

27 Practical Issues 27 2. Is the optimization scalable? Need two improvements (binary search + max-flow) 3. What about multi-path routing? Simple, lightweight extension 1.What about traffic dynamics? History + short-term adaptation 4. How do interior routers identify OD-pairs? Assume ingress routers mark packets

28 28 Why we may want to avoid this …. Extra overhead on ingress OD-pair id might be ambiguous (multi-egress peers) Need to modify packet headers or add shim header May require overhaul of routing infrastructure How do interior routers identify OD-pairs? Assume ingress routers mark packets

29 29 Can we realize the benefits of cSamp without requiring OD-pair identification? Use local info. at router to make sampling decisions “Stitch” coverage for a path across routers on that path

30 R1R3R2R1R4R0 What local info can I get from packet and routing table? {Previous Hop, My Id, NextHop} SamplingSpec Granularity at which sampling decisions are made SamplingSpec Granularity at which sampling decisions are made How much traffic to sample for this SamplingSpec? SamplingAtom Discrete hash- ranges, select some of them to log SamplingAtom Discrete hash- ranges, select some of them to log 30

31 = = “Stitching” together coverage union R1 R2 R4 R3 R5 R6 R7 31

32 Problem Formulation 32 Coverage for path P i Load on router R j Maximize: Total flow coverage:  i T i C i Minimum fractional coverage: min i {C i } Subject To:  j, Load j  L j

33 Maximize: Total flow coverage:  i T i C i Min. frac coverage: min i {C i } Subject To:  j, Load j  L j Sorry.. NP-hard! Can’t even approximate min without resource augmentation Sorry.. NP-hard! Can’t even approximate min without resource augmentation Total flow coverage: Submodular maximization with partition-knapsack constraints Efficient greedy algorithm with near-optimal performance Min. fractional flow coverage: Intelligent augmentation much better than theoretical guarantee Partial/incremental deployment of adding OD-pair identifiers 33

34 Total flow coverage 34 cSamp-T (“tuple”, “tuple+”) gives near-ideal total coverage cSamp-T (tuple+) gives near-ideal total flow coverage vs. cSamp

35 Minimum fractional coverage 35 With smart resource augmentation, cSamp-T gives good min. frac. coverage

36 How do we meet the requirements? High-fidelity for all applications Respect resource constraints High flow coverage Provide network-wide goals Low data mgmt overhead Part 1: Coordinated Sampling Part 2: “RISC” monitoring 36

37 37 FSD Heavy Hitters Entropy Super Spreaders Change Detection Outdegree histogram Port Addr Port Addr Port Addr Port Addr Src Dst Src Dst What functionality should we put on routers ?

38 Current Research: Application-Specific! FSD Port Addr Port Addr Separate Counters & Estimation algorithms Per App Separate Counters & Estimation algorithms Per App Heavy Hitters Entropy Super Spreaders Change Detection Outdegree histogram Port Addr Port Addr Src Dst Src Dst Why? Application-specific approaches provide higher fidelity Traffic 38

39 Alternative: “RISC” Traffic Why? Late-binding to applications, Easier to implement, “Future-proof” FSD Heavy Hitters Entropy Super Spreaders Change Detection Outdegree histogram Port Addr Port Addr Port Addr Port Addr Src Dst Src Dst Generic Data Collection 39 Decouple Collection and Computation Decouple Collection and Computation

40 RISC vs. Application-Specific Revisit this perception that RISC does not provide good performance Requirements Application Specific RISC 1.0 NetFlow RISC 2.0 Fidelity across applications  ? Implementation Complexity  ? Processing Overhead  ? Changing Applications  ? Enable Diagnostics  ? 40

41 Why this might make sense? 41 Each app-specific algorithm requires dedicated counters Primary bottleneck for high-speed monitoring = SRAM counters Look at aggregate memory usage across applications Pool in these resources into a few sampling primitives Run these with sufficient fidelity!

42 Challenges 42 What RISC primitives should we implement? Does it perform comparably to application-specific approaches? Combination of flow sampling, sample and hold, cSamp Yes! RISC with aggregate resources is comparable or even better

43 Challenges 43 What RISC primitives should we implement? Does it perform comparably to application-specific approaches? Combination of flow sampling, sample and hold, cSamp Yes! RISC with aggregate resources is comparable or even better

44 44 Requirements RISC 2.0 Fidelity across applications ? Implementation Complexity ? Processing Overhead ? Changing Applications ? Enable Diagnostics ? Two broad classes “Structure”  Flow Sampling “Volume”  Sample and Hold Two broad classes “Structure”  Flow Sampling “Volume”  Sample and Hold Provide flow reports like NetFlow Coordination Network-wide Optimization Coordination Network-wide Optimization What RISC primitives should we implement?

45 Sample and Hold 45 1613111 Flow memory (flow, counter #pkts) 1 6 Accurate counts of “heavy hitters” with few counters 1131611 Algorithm If flow is already logged  update Sample packet with probability p If new flow  create counter 1131611 1 1 234

46 Putting the pieces together 46

47 Challenges 47 What RISC primitives should we implement? Does it perform comparably to application-specific approaches? Combination of flow sampling, sample and hold, cSamp Yes! RISC with aggregate resources is comparable or even better

48 FSD Heavy Hitters Entropy Super Spreaders Change Detection Outdegree histogram Port Addr Port Addr Port Addr Port Addr Src Dst Src Dst FlowSamp + Sample & Hold Calculate aggregate memory usage Compute “Relative Accuracy Difference” +  good -  bad Compute “Relative Accuracy Difference” +  good -  bad 48

49 Sensitivity to Application Portfolio 49 Bigger app. portfolio or Some resource intensive apps  Better gains for RISC approach “Relative Accuracy Difference” +  good -  bad “Relative Accuracy Difference” +  good -  bad Bigger portfolio  More resources

50 Evaluation: Single Router 50 RISC > Application-specific for most applications Worse for heavyhitter, but not by much! “Relative Accuracy Difference” +  good -  bad “Relative Accuracy Difference” +  good -  bad

51 Network-wide evaluation: Per-Ingress 51 Results for network-wide per ingress mirror single router evaluation RISC > Application-specific for most applications “Relative Accuracy Difference” +  good -  bad “Relative Accuracy Difference” +  good -  bad

52 RISC vs. Application-Specific Requirements Application Specific RISC 1.0 NetFlow RISC 2.0 FS, SH, cSamp Fidelity across applications  Implementation Complexity  Processing Overhead  Changing Applications  Enable Diagnostics  Yes, We Can! 52

53 Meeting requirements for Flow Monitoring High-fidelity for all applications Respect resource constraints High flow coverage Provide network-wide goals Low data mgmt overhead Coordinated Sampling With “RISC” primitives 53

54 Looking beyond flow monitoring WAN optimization, Content-Aware Networking “Intelligent and targeted caching of traffic at selected nodes of the network can help engineer traffic by reducing load and avoiding hot spots, cut end-to-end latency, and enhance the end-user experience.” – SmartRE (with Ashok Anand, Aditya Akella) Intrusion Detection/Prevention for Enterprises (ongoing work.. ) 54

55 Thanks! www.cs.cmu.edu/~vyass www.cs.cmu.edu/~4D vyass@cs.cmu.edu 55

Download ppt "Rethinking NetFlow: A Case for a Coordinated “RISC” Architecture for Flow Monitoring Vyas Sekar Joint work with Mike Reiter, Hui Zhang David Andersen,"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, Vyas Sekar UNC Chapel Hill UNC Chapel.

New Opportunities for Load Balancing in Network-Wide Intrusion Detection Systems Victor Heorhiadi, Michael K. Reiter, Vyas Sekar UNC Chapel Hill UNC Chapel.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
SmartRE: An Architecture for Coordinated Network-Wide Redundancy Elimination Ashok Anand, Vyas Sekar, Aditya Akella University of Wisconsin, Madison Carnegie.

SmartRE: An Architecture for Coordinated Network-Wide Redundancy Elimination Ashok Anand, Vyas Sekar, Aditya Akella University of Wisconsin, Madison Carnegie.
A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,

A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,
Evaluation of Header Field Entropy for Hash-Based Packet Selection Evaluation of Header Field Entropy for Hash-Based Packet Selection Christian Henke,

Evaluation of Header Field Entropy for Hash-Based Packet Selection Evaluation of Header Field Entropy for Hash-Based Packet Selection Christian Henke,
Copyright © sFlow.org. 2004 All Rights Reserved sFlow & Benefits Complete Network Visibility and Control You cannot control what you cannot see.

Copyright © sFlow.org All Rights Reserved sFlow & Benefits Complete Network Visibility and Control You cannot control what you cannot see.
Revisiting the Case for a Minimalist Approach for Network Flow Monitoring Vyas Sekar, Michael K Reiter, Hui Zhang 1.

Revisiting the Case for a Minimalist Approach for Network Flow Monitoring Vyas Sekar, Michael K Reiter, Hui Zhang 1.
1 EL736 Communications Networks II: Design and Algorithms Class8: Networks with Shortest-Path Routing Yong Liu 10/31/2007.

1 EL736 Communications Networks II: Design and Algorithms Class8: Networks with Shortest-Path Routing Yong Liu 10/31/2007.
Distributed Algorithms for Secure Multipath Routing

Distributed Algorithms for Secure Multipath Routing
Traffic Engineering With Traditional IP Routing Protocols

Traffic Engineering With Traditional IP Routing Protocols
Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.

Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.
Traffic Engineering Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.

Traffic Engineering Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
December 20, 2004MPLS: TE and Restoration1 MPLS: Traffic Engineering and Restoration Routing Zartash Afzal Uzmi Computer Science and Engineering Lahore.

December 20, 2004MPLS: TE and Restoration1 MPLS: Traffic Engineering and Restoration Routing Zartash Afzal Uzmi Computer Science and Engineering Lahore.
Scalable Information-Driven Sensor Querying and Routing for ad hoc Heterogeneous Sensor Networks Maurice Chu, Horst Haussecker and Feng Zhao Xerox Palo.

Scalable Information-Driven Sensor Querying and Routing for ad hoc Heterogeneous Sensor Networks Maurice Chu, Horst Haussecker and Feng Zhao Xerox Palo.
User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.

User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.
Dynamic routing – QoS routing Load sensitive routing QoS routing.

Dynamic routing – QoS routing Load sensitive routing QoS routing.
1 An Information Theoretic Approach to Network Trace Compression Y. Liu, D. Towsley, J. Weng and D. Goeckel.

1 An Information Theoretic Approach to Network Trace Compression Y. Liu, D. Towsley, J. Weng and D. Goeckel.

Similar presentations

Ads by Google