measuring large traffic aggregates on commodity switches
DESCRIPTION
Measuring Large Traffic Aggregates on Commodity Switches. Lavanya Jose, Minlan Yu, Jennifer Rexford Princeton University, NJ. 1. Motivation. Large traffic aggregates? manage traffic efficiently understand traffic structure detect unusual activity. 2. Aggregate at fixed prefix-length?. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/1.jpg)
Measuring Large Traffic Aggregates on Commodity
SwitchesLavanya Jose, Minlan Yu, Jennifer Rexford
Princeton University, NJ
1
![Page 2: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/2.jpg)
Motivation•Large traffic
aggregates? - manage traffic
efficiently- understand traffic
structure- detect unusual
activity
2
![Page 3: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/3.jpg)
Aggregate at fixed prefix-length?
• Top 10 /24 prefixes (by how much traffic they send)- could miss individual heavy users
• Top 10 IP addresses …- could miss heavy subnets where each individual
user is small
3
![Page 4: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/4.jpg)
19
12
11 1
7
5 2
21
12 9
9 3 5 4
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****• All the IP prefixes• >= a fraction T of the link
capacity
Aggregate at all prefix-lengths? (Heavy Hitters)
HH: sends more than T= 10% of link
cap. 100
4
![Page 5: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/5.jpg)
Hierarchical Heavy Hitters• All the IP prefixes• >= a fraction T of the link capacity• after excluding any HHH
descendants.
19
12
11 1
7
5 2
21
12 9
9 3 5 4
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****
HH: sends more than T= 10% of link
cap. 100HHH:
5
![Page 6: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/6.jpg)
Related Work
•Offline analysis on raw packet trace [AutoFocus]- accurate but slow and expensive
•Streaming algorithms on Custom Hardware [Cormode’08, Bandi’07, Zhang’04, Sketch-Based] - accurate, fast but not commodity
Our Work:Commodity, fast and relatively
accurate 6
![Page 7: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/7.jpg)
• Why commodity switches? - cheap, easy to deploy- let “network elements monitor themselves”
• Commodity OpenFlow switches - available from multiple vendors (HP, NEC, and
Quanta)- deployed in campuses, backbone networks- wildcard rules with counters to measure traffic
Priority Prefix Rule Count1 0010 0*** ... 152 001* **** ... 5
HHH on Commodity- Using OpenFlow
7
![Page 8: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/8.jpg)
TCAM
Controller Software
FetchCounts
InstallRules
Constraints- <= N Prefix Rules
SRC IP
0010 0100 incrementcount
Priority Prefix Rule Count1 0010 0*** 152 001* **** 5
OpenFlow Measurement Framework
8
Switch
- Measuring Interval M- No pkts to Controller
![Page 9: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/9.jpg)
Monitoring HHHes
19
12
11 1
7
5 2
21
12 9
9 3 5 4
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****Priority Prefix Rule Count1 0000 112 010* 123 0*** 17
HHH: after excluding any descendant prefix rulesTCAM: priority matching
9
![Page 10: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/10.jpg)
Detecting New HHHes
• Monitor children of HHHes
• Use at most 2/T rules
19
12
11 1
7
5 2
21
12 9
9 3 5 4
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****
910 3 210
![Page 11: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/11.jpg)
• Iteratively adjust wildcard rules:- Expand• If count > T, install rule for child instead.
- Collapse• If count < T, remove rule.
0***
****
00**
000*
001*
01**
010*
011*
1***
10** 11**
100*
101*
110*
111*
Priority Prefix Rule Count1 0*** 802 **** 0
Priority Prefix Rule Count1 001* 722 000* 53 **** 3
Priority Prefix Rule Count1 00** 772 01** 33 **** 0
Identifying New HHHes
11
![Page 12: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/12.jpg)
Using Leftover Rules
• Why left over rules?- May not be 1/T HHHes.- May still be discovering new HHHes
• How to use leftover rules?- To monitor HHHes close to threshold- Data shows 2-3 new HHHes/ interval (a few secs)19
1
7
5 2
21
12 8
9 3 5 3
00**
000*
0000 0001 0010 0011 0100 0101 0110 0111
01** 010*
011*
01**40
0***0
1***40
****
11
12
11 9
12 10
12
![Page 13: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/13.jpg)
• Real packet trace (400K pkts/ sec) from CAIDA- Measured HHHes for T=5% and T=10%- Measuring interval M from 1-60s
Evaluation- Method
13
![Page 14: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/14.jpg)
Evaluation- Results
• 20 rules to identify 88-94% of the 10%- HHHes
• Accurate
- Gets ~9 out of 10 HHHes
- Uses left over TCAM space to quickly find HHHes
- Large traffic aggregates usually stable
• Fast
- Takes a few intervals for 1-2 new HHHes
- Meanwhile aggregates at coarse levels
12
11 1
000*0000
0001
14
![Page 15: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/15.jpg)
Stepping back… not just for HHHes
• Framework- Adjusting <= N wildcard rules- Every measuring interval M- Only match and increment per packet
• Can solve problems that require- Understanding a baseline of normal
traffic- Quickly pinpointing large traffic
aggregates15
![Page 16: Measuring Large Traffic Aggregates on Commodity Switches](https://reader035.vdocument.in/reader035/viewer/2022081517/568161b2550346895dd17943/html5/thumbnails/16.jpg)
Conclusion• Solving HHH problem with OpenFlow- Relatively accurate, Fast, Low overhead- Algorithm with expanding /collapsing
• Future work- multidimensional HHH- Generic framework for measurement
• Explore algorithms for DoS, large traffic changes etc.
• Understand overhead• Combine results from different switches 16