Flow Monitoring With Cisco Routers

Transcription

1 CSAMP: A System for Network- Wide Flow Monitoring Vyas Sekar,Michael K. Reiter, Walter Willinger, Hui Zhang,Ramana Rao Kompella, David G. Andersen Presentation by Beletsioti Georgia

2 Flow measurements today There was a router-centric view of current measurements solutions in network, until now. Routers are completely independent of each other, so we have much more flow measurements that we need and inefficient use of router resources So we pass from a router-centric approach to a systemwide approach of monitoring network

3 What is Csamp? Csamp, a system for Network-Wide Flow Monitoring Csamp is made because current flow monitoring solutions are inadequate for many network management applications Csamp is a system for coordinated flow monitoring within an AS (Autonomous System) The goal of csamp is to assign sampling responsibilities to routers in a coordinated manner to optimize network-wide flow monitoring objectives. Coordinated Sampling

4 Motivation Design System Architecture Discussion & Future Work Evaluation Conclusions

5 Motivation In past many people tried to design such network-wide flow monitoring systems, but they were not such efficient such Csamp There are 5 criteria that a flow monitoring system should satisfy provide high flow coverage minimize redundant reports satisfy network-wide flow monitoring objectives work within router resource constraints be general enough to support a wide spectrum of flow monitoring applications

6 Design of Csamp 3 basic ideas Flow sampling instead of packet sampling Hash-based coordination Network-wide optimization

7 Random flow sampling preserves the fidelity of traffic estimation (single router) Each router has a table of hash ranges indexed using a key. By receiving a packet the router looks the hash range (key = hash of packet s header fields), computes the 5-tuple (srcip, dstip, srcport, dstport, protocol) of an IP flow, if the hash falls in the range of the cell, this hash is used as index to a flow table, if the flow already exists it updates the entry else it creates a new one.

8 Random flow sampling preserves the fidelity of traffic estimation (single router) On a single router, do random *flow* (not packet) sampling. Each packet header is hashed Hash range {1,6} {7,9} ok We have an entry in flow table Use as index If falls {10, 12}.. Flow table If flow already exists update else create new entry Computes 5-tuple

9 Hash-based coordination uses hash-based selection (using the same hash function but having different hash ranges) to eliminate duplicate measurements in the network. So different routers can monitor disjoint flows without requiring explicit communication between routers (multiple routers, single path)

10 Hash-based coordination multiple routers Hash range Flow table Hash range Flow table Hash range Flow table Hash of any flow will match at most one router s hash range!!

11 Network-wide optimization uses optimization framework to specify and satisfy network wide monitoring objectives while respecting router resource constraints. Note : Many paths = Origin - Destination (OD) pairs in network Single path network Multiple origin-destination pairs in the network. Per origindestination pair, assign non-overlapping ranges to each router.each router has a sampling manifest that specifies the hash range for each origin-destination pair that it might see. For each packet, see if it should be logged (based on hash and origin-destination), and log it. The routers then generate flow reports which can be sent back to existing applications

12 {1,5} {7,9} Hash range for each OD pair Get OD-pair from packet Green or Yellow????

13 Csamp algorithm for router Get OD-pair from packet (usually based on packet information, src & dst IP addresses) Compute hash (flow = packet 5-tuple) Look up hash-range for OD-pair from sampling manifest Log if hash falls in range for this OD-pair

14 To achieve flow monitoring goals specified in terms of OD- pairs, csamp optimization engine needs the traffic matrix and routing information. Traffic matrices obtained by using estimation techniques that may have errors, so appropriate techniques are used in order to minimize the error.

15 input Traffic matrix Routing information Optimization engine output Sampling manifests dissemination Make reports

16 System Architecture Mechanisms Obtaining Origin Destination pairs in network for packets the ingress routers mark each packet header with the OD-pair identifier (given by optimization engine). Responding to long-term (e.g. uses traffic during previous week) & short-term traffic dynamics avoiding underfitting and overfitting the optimization engine must be able to predict the traffic matrix to compute the sampling manifests

17 Manage memory resources on routers We store only flow counters in StaticRam(SRAM) instead of storing the whole flow record (the IP 5-tuple, the OD-pair identifier, and counters). Computing the optimal solution In order to respond in near-real time to network dynamics, use new more efficient algorithms. Handling routing changes Precompute sampling manifests for different scenarios in a given measurement cycle, so if there is a change an appropriate sampling manifest corresponding to this scenario is already available.

18 Evaluation Comparison between Csamp and other previous systems

19 Coverage

20 Redundant flow reporting

21 Flow coverage per OD-pair

22 Coverage VS optimal solution Estimated traffic with our engine Vs Actual traffic

23 Discussion & Future Work OD-pair identifiers Modifications to packet header Upgrades to border routers to compute the engress router for each packet Router memory exhaustion A router s flow memory might be exhausted due to traffic dynamics Find better choice of eviction of flow records Changes cause loss of flow coverage or duplicates Applications Confirm that csamp provides better fidelity to traditional traffic engineering applications

24 Conclusion Existing solutions focus on incrementally improving single-router sampling algorithms, instead of Csamp, a system that takes a network wide approach to flow monitoring.

25 So.. Much greater monitoring coverage Better use of router resources Satisfy better flow monitoring goals compared to existing solutions

26 Questions???