1. 1 Sonia Fahmy Students: Minseok Kwon, Ossama Younis Department of Computer Sciences Purdue University For slides, technical reports, and implementations, please see: http://www.cs.purdue.edu/~fahmy/ This work was supported by NSF ANI-0238294 (CAREER) and the Schlumberger Foundation Overlay Networks: A Dual Layer View

2. 2 Why Overlays? Overlay networks help overcome deployment barriers to network-level solutions The advantages of overlays include flexibility, adaptivity, and ease of deployment Applications Application-level multicast (e.g., End System Multicast/Narada) Inter-domain routing pathology solutions (e.g., Resilient Overlay Networks) Content distribution Peer-to-peer networks

3. 3 Overlay Multicast Overlay link Source Routers and underlying links Receivers

4. 4 Why Characterize Overlays? Overlay multicast consumes additional network bandwidth and increases latency over IP multicast  quantify the overlay performance penalty Little work has been done on characterizing overlay multicast tree structure, especially large trees Such characterization gives insight into overlay properties and their causes, and a deeper understanding of different overlay multicast approaches  better overlay design Real data from ESM experiments Simulations Analytical models Characterizing Overlay Networks

5. 5 Our Hypothesis Observations Many high degree high bandwidth routers heavily utilized in upper levels of ESM/TAG trees, which tend to be longer. Many hosts are connected to lower degree low bandwidth routers, clustered close together at lower levels of the trees. This lowers multicast cost Causes Overlay host distribution Overlay protocol (full/partial info/overhead, delay/bandwidth/diameter/degree, source- based/shared tree/trees/mesh) Topology (connectivity and degrees)

6. 6 Overlay Tree Metrics Overlay cost = number of underlying hops traversed by every overlay link Link stress = total number of identical copies of a packet over the same underlying link Overlay cost = ∑stress(i) for all router-to-router links i Number of hops and delays between parent and child hosts in an overlay tree Degree of hosts = host contribution to the link stress of the host-to-first-router link Degree of routers and hop-by-hop delays of underlying links traversed by overlay links Mean bottleneck bandwidth between the source and receivers Relative Delay Penalty (RDP), mean/longest latency

7. 7 Metrics: Examples Overlay cost = 12 Link stress on A = 2 RDP of B = (15+15+10)/20 = 2 Overlay link Source Receivers A B 15 ms 10 ms 20 ms C

8. 8 Overlay Tree Structure Questions What do overlay multicast trees look like? Why? How much additional cost do they incur over IP multicast? Methodology Use overlay trees (65 hosts) in ESM experiments (from CMU) in November 2002. Use public traceroute servers and synthesize approximate routes. (Most university hosts are connected to the Internet 2 backbone network) PlanetLab experiments and tree/traceroute data

9. 9 Results: End System Multicast Number of hops between two hosts versus level of host in overlay trees Distributions of per-hop delay for different overlay tree levels (a) Tree level 1 (b) Tree levels 4-6

10. 10 Results: End System Multicast Frequency of occurrence of number of hop values between two hosts Degree of host versus level of host in overlay tree

11. 11 Experiments on PlanetLab Internet Experiments Implement and experiment with TAG (Topology-Aware Grouping) on the PlanetLab (http://www.planet-lab.org) wide-area platformhttp://www.planet-lab.org Additional experiments with NICE and HyperCast Run several sets of experiments with nodes in the United States, Europe, and Asia

12. 12 Overlay Tree Structure: Simulations Topologies Contains 4k routers connected in ways consistent with router- level power-law and small-world properties GT-ITM topology with 4k routers Delays and bandwidths according to realistic distributions Overlay multicast algorithms ESM (End System Multicast) [SIGCOMM 2001] A host has the upper degree bound (we use 6) on the number of its neighbors TAG (Topology-Aware Grouping) [extended NOSSDAV 2002] Uses ulimit=6 and bwthresh=100 kbps for partial path matching MDDBST (Minimum Diameter Degree-Bounded Spanning Tree) [NOSSDAV 2001, INFOCOM 2003] Minimizes the number of hops in the longest path, and bounds the degree of hosts in overlay trees (degree bound = edge bw/min bw)

13. 13 Results: Number of Hops Uniform host distribution Non-uniform host distribution MDDBST not as clear as ESM, because it minimizes max. cost

14. 14 Results: Isolation of Topology Effects Variability in router degrees Clustering (small world)

15. 15 Results: Degree Router degree versus overlay tree level of destination host Frequency of router degree

16. 16 Results: Latency and Bandwidth Relative delay penalty (RDP) ESM achieves a good balance, but scalability is a concern Mean bottleneck bandwidth

17. 17 Overlay Multicast Tree Cost Network Model L O (h,k,n) denotes overlay cost for an overlay O when n is the number of hosts We only count hops in router subsequences We use n instead of m Why an underlying tree model? Simple analysis Consistency with real topologies [Radoslavov00] Transformation from a graph to a k-ary tree with minimum cost tree Why least cost tree? Modeling and analysis are simplified Many overlay multicast algorithms optimize a delay-related metric, which is typically also optimized by underlying intra-domain routing protocols A lower bound on the overlay tree cost can be computed h k Source HostReceiver

18. 18 Network Models with Unary Nodes Self-similar Tree Model (k=2, θ=1, h=3) Unary node with only one child Number of unary nodes created between adjacent nodes at levels i-1 and i Branching node To incorporate the number-of-hops distribution, use a self-similar tree model [SODA2002]

19. 19 Receivers at Leaf Nodes k Source α h  (a) α k Level l (b) Overlay link Receiver

20. 20 Receivers at Leaf Nodes The overlay cost in (a): The overlay cost in (b): where if otherwise The sum of (a) and (b): n 1-θ is observed where

21. 21 Receivers at Leaf Nodes where θ=0.15

22. 22 Receivers at Leaf or Non-leaf Nodes α β …… …… kpk(1-p) L υ (h-1,k,n) L υ (h-2,k,n) L υ (h-3,k,n) h k(1-p) kp k(1-p) (a) α β kp k(1-p) …… … … kp Level l (A) (B) (b)

23. 23 Receivers at Leaf or Non-leaf Nodes The overlay cost in (a): The overlay cost in (b): where The sum of (a) and (b):

24. 24 Receivers at Leaf or Non-leaf Nodes where θ=0.15

25. 25 Cost Model Validation The analytical results are validated using traceroute- based simulation topologies and our earlier topologies Normalized overly cost via simulations ESM and MDDBST have n 0.8 - n 0.9 ; TAG has a slightly higher cost due to partial path matching Cost with GT-ITM/uniform hosts is higher than with non- uniform/power-law/small-world The normalized overlay tree cost for the real ESM tree is n 0.945

26. 26 Related Work Chuang and Sirbu (1998) found that the ratio between the total number of multicast links and the average unicast path length exhibits a power-law (m 0.8 ) Chalmers and Almeroth (2001) found the ratio to be around m 0.7 and multicast trees have a high frequency of unary nodes Phillips et al.(1999), Adjih et al.(2002) and Mieghem et al.(2001) mathematically model the efficiency of IP multicast Radoslavov (2000) characterized real and generated topologies with respect to neighborhood size growth, robustness, and increase in path lengths due to link failure. They analyzed the impact of topology on heuristic overlay multicast strategies Jin and Bestavros (2002) have shown that both Internet AS-level and router-level graphs exhibit small-world behavior. They also outlined how small-world behavior affects the overlay multicast tree size Overlay multicast algorithms include End System Multicast (2000,2001), CAN-based multicast (2002), MDDBST (2001,2003), TAG (2001), etc.

27. 27 Conclusions We have investigated the efficiency of overlay multicast using theoretical models, experimental data, and simulations. We find that:  The number of routers/delay between parent and child hosts tends to decrease as the level of the host in the ESM/TAG overlay tree increaseslower cost  Routing features in overlay multicast protocols, non- uniform host distribution, along with power-law and small-world topology characteristics contribute to these phenomena  We can quantify potential bandwidth savings of overlay multicast compared to unicast (n 0.9 n 0.8 )

28. 28 Ongoing Work We are conducting larger scale simulations and experiments using PlanetLab We are examining other and more dynamic metrics with other overlay protocols We will precisely formulate the relationship between the overlay trees, overlay protocols and Internet topology characteristics We are investigating the possibility of inter-overlay cooperation to further reduce the overlay performance penalty

29. 29 Other Work… Exploiting network tomography for monitoring and traffic engineering FlowMate on-line passive flow clustering: design and implementation [ICNP 2002, ToN] Distributed network delay and loss monitoring [CC 2003] Testing security mechanisms [Computers&Security 2003, CACM 2004] Sensor networks [INFOCOM 2004, IWQoS 2004]

30. 30 Overlays A and B may or may not cooperate. Cooperative Overlays Overlay A Overlay B Co-located nodes Shared routers and links

31. 31 A Spectrum of Overlay Cooperation Independent overlaysMerged overlays Sharing information e.g., control info, queries Shared measurement Cooperative forwarding Inter-overlay Traffic engineering Less cooperationMore cooperation

32. 32 Cooperative Forwarding Overlay B Overlay A Route X Route Y Route Y is better than route X which only uses hosts in overlay A. Can be proactive or reactive for long-lived flows.

33. 33 Cooperation Mechanisms Privilege levels Full privileges and obligations: a host (active member) is authorized to use all the services provided by its home overlay network(s). Limited privileges and obligations: a host (passive member) has limited capabilities such as routing and replication. Each overlay selects a set of nodes that other overlays can exploit as passive members (transit nodes) according to peering relationships. Inter-overlay agents selected according to: Number of co-located overlay nodes; Number of different overlays represented in neighbor nodes; Minimum maximum delay to other hosts in home overlay Passive membership selected according to: Performance improvement of other overlays, e.g., Number of members that have this passive member as their next hop (maximum-next-hop) Compatibility and loads of other overlays Trust-based priority to determine which overlays are cooperative

34. 34 Additional Cooperative Services Shared measurement service Control information sharing (e.g., randomized routing time intervals and traffic equilibrium computation for multiple overlays) Query forwarding in peer-to-peer networks Inter-overlay traffic engineering

35. 35 Related Work Overlay broadcasting (Y. Chawathe et al.) Studies possibility of cooperation among overlays. Routing underlay (A. Nakao et al.) Provides shared network layer information to overlay nodes. Tomography-based overlay network monitoring (Y. Chen et al.) Requires O(n) measurements for all the O(n 2 ) overlay paths. Selfish source and overlay routing (L. Qiu et al.) Other overlay networks Include RON, Detour, End System Multicast, etc.

36. 36 Current Plan We are designing a cooperative overlay architecture for heterogeneous overlay networks to collaborate. Our goal is to prove that overlay cooperation reduces competition, improves overall performance, and preserves heterogeneity [ICNP2003 poster]. Ongoing Work We are currently implementing our algorithms on PlanetLab. We will examine other types of overlay cooperation services with particular attention to the complexity, scalability, and security issues.

37. 37 Is “On-line” Tomography Useful and at What Time Scale? What is “tomography”? A method of producing (inferring) an image of the internal structures of a solid object by the observation and recording of the differences in the effects on the passage of waves of energy impinging on those structures. What is “network tomography”? Internet mapping (routes, per-segment delays, per-segment losses, per-segment bandwidth, shared bottlenecks) via composing end-to-end measurements.

38. 38 Why FlowMate? Source Receiver

39. 39 Why FlowMate? Partitioning flows emerging from the same source (busy server) according to shared bottlenecks is useful for:  Customized, more fair and more responsive coordinated congestion management.  Overlay networks (e.g., application-layer multicast and peer-to-peer applications).  Load balancing.  Pricing.  Traffic engineering and admission control.

40. 40 The Problem Input: A set of flows (micro or macro), F, originating at the same source, where F = { f 1, f 2, …, f n } Required: Periodically map each flow f i (1  i  n) to a cluster g j (1  j  m)  G = { g 1, g 2, …, g m }, m  n, where all flows f  g j  G share a common bottleneck

41. 41 FlowMate Features Employs passive probing to reduce probe generation and processing overhead, and network load with a large number of flows. Employs on-line clustering based on constantly changing shared bottlenecks. Works with or without receiver timestamp support (and no router support). Reduces overhead using representatives. Uses limited history for stability (no samples).

42. 42 Architecture Transport layer implementation enables more accurate timestamping

43. 43 Basic Algorithm [O(NG)] Initialize: Empty cluster list and flow table. Repeat forever: - Collect delay Information. - Check triggering condition. - If (triggered): cluster flows and generate clusters. - Delete delay samples and maintain compact history information. Partitioning: - Select delay samples. - Assign a representative flow for each cluster. - Each flow is tested against each representative, and joins the cluster with highest correlation. - A flow either joins a cluster or forms a new one.

44. 44 Shared Bottleneck Test For two flows f1 and f2 sharing a common bottleneck in sr [Rubenstein00]: The cross correlation measure of multiplexed (f1, f2) packets, spaced apart by time t > 0, is higher than the auto correlation measure of packets of f1 or f2, spaced apart by time T > t. s r

45. 45 In-Band Delay Sampling One way delay (reasonable clock skew OK). Extend the time-stamped ACK (RFC 1323) to include packet reception time. Select samples according to inter-packet spacing. time Samples chosen as probes

46. 46 Triggering Clustering Time d_min d_max t Clustering not invoked Clustering may be invoked if enough samples for all flows Clustering must be invoked if not invoked since t Last time clustering was invoked Every flow with at least M samples is considered

47. 47 Our Accuracy Index Sources of inaccuracies: false sharing and cluster splits A cluster split is not as harmful as false sharing Let k j denote the resulting number of splits of a correct cluster: Example: correct: {1,2,3},{4,5,6}, result: {1,2},{3,4,5},{6}, I=0.67

48. 48 Simulation Configuration Configuration: Cross and reverse traffic: CBR sources Forward traffic: FTP, Telnet, or HTTP/1.1 Background traffic: 3 “StarWars” flows (self-similar traffic)

49. 49 Foreground Load FlowMate accuracy (using a simpler topology) Different loads Staggered start times Correlation periods: 1, 2, 4, 6, 8, 10 seconds.

50. 50 Background Load Load and on/off periods have little impact on average accuracy

51. 51 Bursty Flows Telnet traffic HTTP/1.1 traffic Sampling: Flow life-time (P2P FTPs (elephants), HTTP/1.0 vs. 1.1), Packet interleaving patterns, Delayed ACKs

52. 52 Router Buffering Buffer size vs avg index Drop policy

53. 53 Naïve coordinated congestion management demonstrates better fairness and responsiveness Sample Application

54. 54 Related Work Two-flow correlation tests based on delay or loss of all Poisson probe samples [Rubenstein et al., SIGMETRICS 2000]. Semi-active Bayesian probing (using shared packet loss correlations) [Harfoush et al., ICNP 2000]. Shannon or Renyi entropy-based flow clustering [Katabi et al., MIT-TR-2001 and IC3N01]. Other tomography work, e.g., [AT&T, UMass, BU, Rice, Berkeley]. Congestion Management schemes, e.g., Congestion Manager (CM) [Balakrishnan et al, SIGCOMM 99], Ensemble, Int, FastStart.

55. 55 Conclusions FlowMate is an on-line flow partitioning scheme that does not require active probing. Partitioning is periodically performed at the flow origin for a large set of flows. FlowMate appears to be robust under heavy background load and has low overhead. High burstiness of flows to be partitioned is the main factor that degrades performance. FlowMate can be useful to many applications, such as overlay networks, congestion management, load balancing, and pricing. We have integrated FlowMate into Linux v2.4.17 and performed experiments on Emulab and Planetlab.

56. 56 Distributed Clustering for Sensor Networks Goals:  Scalability (to thousands of nodes)?  Prolonged network lifetime?  Data and state aggregation?  Robustness in the face of unexpected failures?  Security of sensor communications? Approach Clustering  Requirements:  Completely distributed  O(1) iterations to terminate  Low message/processing overhead  High energy, well- spread cluster heads  Balanced clusters Approaches HEED (Hybrid, Energy- Efficient, Distributed clustering) and READ (Robust, Energy- Aware Distributed clustering) Network:  Rectangular field with a large number of dispersed sensor nodes Sensor nodes:  Location un-aware and quasi-stationary  Homogeneous  Unattended (infeasible to recharge) Example applications:  Seismic monitoring or field surveillance.

57. 57 Anomaly Detection and Security Testing Tomography-based anomaly detection: 1. Infer per-segment delays, losses and traffic properties through tomography among a set of cooperating end hosts 2. Detect attacks, configuration problems, and flash crowds on-line based on inferred properties Firewall testing: 1. Develop a vulnerability type versus firewall operation matrix 2. Place Common Vulnerabilities Exposure (CVE), and other firewall problems in appropriate matrix cells 3. Find clusters in matrix; predict problems; automate firewall testing Packet Egress Packet may be dropped Stream may be dropped Address Lookup NAT/PAT Routing Decision Application Level Packet Reassembly Port Filtering Sanity Checks Dynamic Rule Set NAT/PAT Packet Ingress