Measuring Large Traffic Aggregates on Commodity Switches
description
Transcript of Measuring Large Traffic Aggregates on Commodity Switches
![Page 1: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/1.jpg)
Measuring Large Traffic Aggregates on Commodity
SwitchesLavanya Jose, Minlan Yu, Jennifer Rexford
Princeton University, NJ
1
![Page 2: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/2.jpg)
Motivation•Large traffic
aggregates? - manage traffic
efficiently- understand traffic
structure- detect unusual
activity
2
![Page 3: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/3.jpg)
Aggregate at fixed prefix-length?
• Top 10 /24 prefixes (by how much traffic they send)- could miss individual heavy users
• Top 10 IP addresses …- could miss heavy subnets where each individual
user is small
3
![Page 4: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/4.jpg)
19
12
11 1
7
5 2
21
12 9
9 3 5 4
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****• All the IP prefixes• >= a fraction T of the link
capacity
Aggregate at all prefix-lengths? (Heavy Hitters)
HH: sends more than T= 10% of link
cap. 100
4
![Page 5: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/5.jpg)
Hierarchical Heavy Hitters• All the IP prefixes• >= a fraction T of the link capacity• after excluding any HHH
descendants.
19
12
11 1
7
5 2
21
12 9
9 3 5 4
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****
HH: sends more than T= 10% of link
cap. 100HHH:
5
![Page 6: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/6.jpg)
Related Work
•Offline analysis on raw packet trace [AutoFocus]- accurate but slow and expensive
•Streaming algorithms on Custom Hardware [Cormode’08, Bandi’07, Zhang’04, Sketch-Based] - accurate, fast but not commodity
Our Work:Commodity, fast and relatively
accurate 6
![Page 7: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/7.jpg)
• Why commodity switches? - cheap, easy to deploy- let “network elements monitor themselves”
• Commodity OpenFlow switches - available from multiple vendors (HP, NEC, and
Quanta)- deployed in campuses, backbone networks- wildcard rules with counters to measure traffic
Priority Prefix Rule Count1 0010 0*** ... 152 001* **** ... 5
HHH on Commodity- Using OpenFlow
7
![Page 8: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/8.jpg)
TCAM
Controller Software
FetchCounts
InstallRules
Constraints- <= N Prefix Rules
SRC IP
0010 0100 incrementcount
Priority Prefix Rule Count1 0010 0*** 152 001* **** 5
OpenFlow Measurement Framework
8
Switch
- Measuring Interval M- No pkts to Controller
![Page 9: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/9.jpg)
Monitoring HHHes
19
12
11 1
7
5 2
21
12 9
9 3 5 4
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****Priority Prefix Rule Count1 0000 112 010* 123 0*** 17
HHH: after excluding any descendant prefix rulesTCAM: priority matching
9
![Page 10: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/10.jpg)
Detecting New HHHes
• Monitor children of HHHes
• Use at most 2/T rules
19
12
11 1
7
5 2
21
12 9
9 3 5 4
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****
910 3 210
![Page 11: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/11.jpg)
• Iteratively adjust wildcard rules:- Expand• If count > T, install rule for child instead.
- Collapse• If count < T, remove rule.
0***
****
00**
000*
001*
01**
010*
011*
1***
10** 11**
100*
101*
110*
111*
Priority Prefix Rule Count1 0*** 802 **** 0
Priority Prefix Rule Count1 001* 722 000* 53 **** 3
Priority Prefix Rule Count1 00** 772 01** 33 **** 0
Identifying New HHHes
11
![Page 12: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/12.jpg)
Using Leftover Rules
• Why left over rules?- May not be 1/T HHHes.- May still be discovering new HHHes
• How to use leftover rules?- To monitor HHHes close to threshold- Data shows 2-3 new HHHes/ interval (a few secs)19
1
7
5 2
21
12 8
9 3 5 3
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****
11
12
11 9
12 10
12
![Page 13: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/13.jpg)
• Real packet trace (400K pkts/ sec) from CAIDA- Measured HHHes for T=5% and T=10%- Measuring interval M from 1-60s
Evaluation- Method
13
![Page 14: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/14.jpg)
Evaluation- Results
• 20 rules to identify 88-94% of the 10%- HHHes
• Accurate
- Gets ~9 out of 10 HHHes
- Uses left over TCAM space to quickly find HHHes
- Large traffic aggregates usually stable
• Fast
- Takes a few intervals for 1-2 new HHHes
- Meanwhile aggregates at coarse levels
12
11 1
000*0000
0001
14
![Page 15: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/15.jpg)
Stepping back… not just for HHHes
• Framework- Adjusting <= N wildcard rules- Every measuring interval M- Only match and increment per packet
• Can solve problems that require- Understanding a baseline of normal
traffic- Quickly pinpointing large traffic
aggregates15
![Page 16: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.fdocuments.net/reader035/viewer/2022070423/5681668e550346895dda5dcd/html5/thumbnails/16.jpg)
Conclusion• Solving HHH problem with OpenFlow- Relatively accurate, Fast, Low overhead- Algorithm with expanding /collapsing
• Future work- multidimensional HHH- Generic framework for measurement
• Explore algorithms for DoS, large traffic changes etc.
• Understand overhead• Combine results from different switches 16