Mille-Feuille: Putting ISP traffic under the scalpel Olivier Tilmans UCLouvain HotNets-XV Nov. 9, 2016 Joint work with T. Bühler (ETH Zürich), S. Vissicchio (UCL) and L. Vanbever (ETH Zürich) Picture: Georges Seguin CC BY-SA 3.0, via Wikimedia Commons
“What happens to the Skype traffic in my network?”
ISP operators only have access to poor and coarse-grained visibility over their network. � Netflow, sFLOW, provide aggregated statistics over random packet sampling. � Active probing scales poorly. � Router Configuration/syslog analysis only covers a fraction of the control-plane. 3
ISP operators only have access to poor and coarse-grained visibility over their network. � Netflow, sFLOW, provide aggregated statistics over random packet sampling. � Active probing scales poorly. � Router Configuration/syslog analysis only covers a fraction of the control-plane. These techniques cannot provide real time information about the network state. 3
Research to provide complete traffic visibility in DC networks, leverages degrees of freedom unavailable in ISP networks. ISP networks present unique challenges: � No control on the end hosts. � Geographically distributed. � Wide-range of heterogeneous network equipments. 4
We aim to provide ISP operators a fine-grained visibility over their networks.
Consider the following part of an ISP network. Router Link 6
Consider the following part of an ISP network. Router A B Link C D 6
Consider the following part of an ISP network. A B 2/8 Skype C D Destination Expected prefix traffic flow 6
Mille-Feuille improves ISP monitoring with a traffic slicing primitive. A B Skype 10 9 8 C 7 6 5 4 3 D 2 1 packet #10 towards 2/8 7
Mille-Feuille improves ISP monitoring with a traffic slicing primitive. A B Skype 10 9 8 C 7 6 5 4 3 D 2 1 7 Mirrored packet 6 encapsulated towards the collector 5 Traffic slice collector 7
Mille-Feuille improves ISP monitoring with a traffic slicing primitive. A B Skype 10 9 8 C 7 6 5 4 3 D 2 1 7 Traffic slice target prefix: 2/8 6 duration: 3 packets 5 Traffic slice collector 7
By concurrently capturing slices at different routers for the same prefix, Mille-Feuille can infer measurements about the traffic. A B Skype 10 9 8 C 7 6 5 4 3 D 2 1 3 5 2 4 3 2 1 8
By concurrently capturing slices at different routers for the same prefix, Mille-Feuille can infer measurements about the traffic. A B Skype 10 9 8 C 7 6 5 4 3 D 2 1 3 5 2 4 2 packets match 3 2 1 Path (C D) is alive 8
Capturing traffic slices is powerful. � Slices contain the complete packet payload. Can remotely dissect traffic. � Concurrent slices enable to trace a packet across the network and compute properties. e.g., proof of traversal, upper-bound on queuing delays. � Fine-grained control on duration, point of capture and target prefix of slices. Explicit control on measurement overhead. 9
We implemented a collector prototype. � Uses hardware-based mirroring features available in commercial routers. e.g., Cisco ERSPAN. � Dynamically program the intra-domain routing protocol (OSPF) using Fibbing. can capture a traffic slice for any subprefix, network-wide. 10
We statically provision a mirroring VLAN on all links that must be monitored. C Default VLAN Default VLAN : 0/0: - - forward to IP NH A B Mirroring VLAN : encapsulate to collector forward to IP NH Mirroring VLAN 11
By default, all traffic is forwarded on the default VLAN. C Destination prefix 0/0: - - A B 11
The collector sends an OSPF message to start a traffic slice. Set NH: Mirroring VLAN For prefix: red prefix C 0/0: - - A B 11
The OSPF message is flooded and reaches A, which then forwards traffic on the mirroring VLAN. C red: - - 0/0: - - A B 11
B then mirrors the packets towards the red prefix to the collector C red: - - 0/0: - - A B 11
The collector stops the traffic slice similarly Set NH: Default VLAN For prefix: red prefix C red: - - 0/0: - - A B 11
The collector stops the traffic slice similarly Captured traffic slice C 0/0: - - A B 11
Our preliminary tests show that Mille-Feuille can work in practice. � We were able to capture traffic slices as thin as 14 ms � We control the slice duration through the delay between the activation and deactivation message. � We were able to concurrently (de)activate 1000 mirroring rules in 0.93 ms , and 10 000 in 30 ms. 12
Mille-Feuille is a measurement framework realizing a deterministic sampling of the network in real time. §3, §4 Inputs Mille-Feuille Output B Violation A p1 ▁▂▃▅▂▇ Selection Scheduling Analysis + + p2 ▃▁▇▁▁█ C 11 ms (>10 ms) for traffic to p1 (Google) Reqs Topology Statistics mirror p2 for y ms p1 mirrored traffic between A and C §2 (optional) A C mirror p1 for x ms 11ms 13
In Mille-Feuille, operators specify high-level measurement requirements and an associated measurement budget. 1/8 Google A B 2/8 Skype C D ( Path (C A B) for Google; Path (*) within (20 ms) for Skype; ) every (1 s) in (30 ms) using (1 Gbps) 14
What? From traffic estimates, Mille-Feuille iteratively selects subprefixes to monitor. 1/8 Traffic distribution A B Google 1/8 15 Gbps 15Gbps 2/8 C D Skype 1Gbps 2/8 1 Gbps Traffic demand 15
What? From traffic estimates, Mille-Feuille iteratively selects subprefixes to monitor. 1/8 Traffic distribution A B Google 1/8 15 Gbps 1/24 .5 Gbps 15Gbps 2/8 C D Skype 1Gbps 2/8 1 Gbps 2/16 .1 Gbps Traffic demand Target prefixes for schedule #1: 1.0.0.0/24, 2.0.0.0/16 15
What? From traffic estimates, Mille-Feuille iteratively selects subprefixes to monitor. 1/8 Traffic distribution A B Google 1/8 15 Gbps 1/24 .5 Gbps 15Gbps 2/8 C D Skype 1Gbps 2/8 1 Gbps 2/16 .1 Gbps Traffic demand Target prefixes for schedule #1: 1.0.0.0/24, 2.0.0.0/16 Target prefixes for schedule #2: 1.0.1.0/24, 2.0.1.0/16 ... 15
Where? Mille-Feuille creates mirroring rules and assigns them to one or more routers. Mirror Mirror 1.0.0.0/24 1.0.0.0/24 1/8 Google A B 15Gbps 2/8 Skype C D 1Gbps Mirror Mirror 2.0.0.0/16 2.0.0.0/16 16
When? Mille-Feuille spreads the measurement campaign across time to meet the budget 0 ms � t < 15 ms 1/8 Google A A B B Mirror: 1.0.0.0/8 Traffic: 0.5 Gbps 15Gbps 2/8 Skype C D 1Gbps 15 ms � t < 30 ms 1/8 A B Google 15Gbps 2/8 C C D D Skype 1Gbps Mirror: 2.0.0.0/16 Traffic: 0.1 Gbps 17
Mille-Feuille: Putting ISP traffic under the scalpel � We collect thin traffic slices by programming the intra-domain routing protocol. � We realize a deterministic sampling of the state of the network. � We limit the measurement overhead according to a budget .
Recommend
More recommend
