Beyond the Line - PowerPoint PPT Presentation

Provided by: pergrege

Title: Beyond the Line


1
Beyond the Line
  • Euro-IX Forum
  • Barcelona
  • September 24th 2002

2
Per Gregers Bilse
  • bilse_at_networksignature.com
  • bilse_at_qbfox.com
  • Systems software and compiler development for
    Borland (Turbo Prolog), ports to OS/2 and UNIX.
  • Network Engineer / Architect / Manager /
    Director, EUnet, Amsterdam, The Netherlands.
  • Technical Leader, Cisco Systems, London, UK
  • Backbone Director, Metromedia / AboveNet, London,
    UK
  • Consultant and Contractor, London, UK

3
NETWORK MONITORING: WELCOME TO THE STONE AGE
  • severe lack of monitoring and management tools at
    Level 3
  • existing tools work in terms of "lines" and
    "interfaces"
  • these are level 2 entities
  • more often than not, "network management" is
    "server management"
  • focus on server load, uptime, packet loss,
    latency, services
  • other efforts experimental, conceptual, off
    target, don't scale, and/or very expensive

4
STILL STONE AGE
  • is this a people problem?
  • software gurus understand data structures, bytes,
    port and protocol numbers; they take the OSI
    reference model literally (and even try to
    implement it)
  • network gurus understand architecture, routing,
    systems, queueing, congestion; they see the OSI
    reference model as a conceptual framework (and
    die-hards swear by the DARPA four-layer model)
  • the two sides rarely talk

5
Something made by a software guru ...
6
Something made by a network guru
7
STILL STONE AGE
  • network guru tools look at number of
    announcements, address space covered, routing
    stability, etc
  • important, but it's limited what one can do with
    the information
  • software guru tools focus on Level 4, inside the
    packet, bypassing Level 3
  • Level 4 not interesting, the data has to be
    carried anyway
  • give or take a little, the best they do on Level
    3 is to collect lists of IP addresses
  • SNMP offers MIBs for everything, but this is not
    useful
  • performance issues make SNMP useless for large
    volume data
  • even if performance was OK, nobody can do
    anything useful with the data

8
THE STONE AGE IN CONCLUSION
  • network abstraction is poorly understood outside
    the core networking community
  • Level 2 is all about MAC addresses
  • Level 3 is all about IP addresses
  • Level 4 is all about protocol and port numbers
  • Etc
  • software developers don't embrace lateral
    abstractions such as the Autonomous System
    because it doesn't exist in the OSI model
  • there is a perceived problem of being unable to
    handle large volumes of data
  • there is no understanding of the need for real
    time or near real time tools

9
INTRODUCTION TO THE BRONZE AGE: NETWORK SIGNATURE
  • a set of extreme performance server applications
  • receives netflow or packet header information
  • looks up corresponding BGP attribute information
  • aggregates flow information around BGP
    information
  • stores aggregated information on disk
  • produces graphs and plots from aggregated
    information
  • can use any BGP attributes, currently focus on
    paths
  • works in almost real time (two minutes behind)

10
The innards: From raw materials to finished product
11
Performance
  • Prototype developed on low end Linux PC
      • 800MHz AMD Duron on VIA686 (PC Chips)
        motherboard
      • 256Mb PC100 memory
      • Soft RAID on UDMA33 disks
  • Many performance evaluations, typical scenario:
      • three full BGP feeds
      • mix of real and simulated netflow information
        equal to 1.8Gbps source traffic
      • 10-20k active paths on ring
  • CPU load is variable
  • can in any case handle data for several Gbps of
    unsampled traffic on fast PC
  • trivial to bolster with retrospective sampling
  • PNG image compression takes considerably more CPU
    than most other things.

12
Data extractions
  • we store, and work with, the hardest part: full
    AS path
  • peer and/or home AS is easy
  • we can extract anything we like from the path,
    including
      • peer AS
      • home AS
      • in fact, any AS as home or transit
      • actually, any set of ASs as peer, home,
        intermediate, and/or transit
  • we can sort and group on
      • path length
      • packet count
      • traffic volume
      • protocol group, e.g. paths with a lot of ICMP
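
The aggregation and extraction steps from slides 9 and 12, as an added Python example (not code from the presentation or the Network Signature product). It assumes flows are keyed on destination address, that "peer AS" is the first AS in the path and "home AS" the last (origin) AS; the BGP table, flow records and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed BGP table: prefix -> AS path. Assumption: the first AS is the peer,
# the last AS is the "home" (origin) AS. Prefixes and AS numbers are reserved ranges.
BGP_TABLE = {
    "192.0.2.0/24": (64500, 64510, 64520),
    "192.0.2.128/25": (64501, 64520),        # more specific route via another peer
    "198.51.100.0/24": (64500, 64530),
    "203.0.113.0/24": (64501, 64510, 64540),
}
# Constructed flow records: (destination IP, IP protocol, packets, bytes).
FLOWS = [
    ("192.0.2.10", 6, 100, 150000), ("192.0.2.200", 6, 50, 60000),
    ("198.51.100.7", 17, 20, 8000), ("203.0.113.9", 1, 400, 25600),
    ("192.0.2.11", 1, 10, 640), ("10.1.1.1", 6, 5, 300),  # last one has no route
]
# Longest prefixes first, so the first hit is the longest-prefix match.
NETS = sorted(((ipaddress.ip_network(p), path) for p, path in BGP_TABLE.items()),
              key=lambda e: e[0].prefixlen, reverse=True)

def lookup_path(ip):
    """Return the AS path of the most specific covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    return next((path for net, path in NETS if addr in net), None)

def aggregate(flows):
    """Sum packets and bytes per AS path, with bytes broken down by protocol."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "proto": defaultdict(int)})
    for dst, proto, pkts, octets in flows:
        entry = agg[lookup_path(dst)]        # key None collects unrouted traffic
        entry["packets"] += pkts
        entry["bytes"] += octets
        entry["proto"][proto] += octets
    return agg

def bytes_by_role(agg, asn, role):
    """Bytes on paths where asn is the 'peer', the 'home' or a 'transit' AS."""
    part = {"peer": lambda p: p[:1], "home": lambda p: p[-1:],
            "transit": lambda p: p[1:-1]}[role]
    return sum(e["bytes"] for path, e in agg.items() if path and asn in part(path))

def icmp_heavy(agg, share=0.5):
    """Routed paths where ICMP (protocol 1) carries at least `share` of the bytes."""
    return sorted(p for p, e in agg.items() if p and e["proto"][1] >= share * e["bytes"])

if __name__ == "__main__":
    for path, e in sorted(aggregate(FLOWS).items(), key=lambda kv: -kv[1]["bytes"]):
        print(path, e["packets"], e["bytes"])
```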

13
AS spectrum (excerpt)
14
Complete peer spectrum with summarised traffic
15
Complete paths, sorted
16
One hour history
17
Possible uses
  • network planning and optimisation (next slide)
  • real time network monitoring, detection of
    anomalous/malicious traffic (DOS)
  • can do a lot with fancy colours
  • future extensions with rule-based traffic
    evaluation
  • exchange case: what if I were to connect to
    another exchange?
  • the impossible dream: A Network Signature.
      • we have both routing information and
        corresponding traffic information
      • compare to historical data
          • one hour ago
          • one week ago
          • one month ago
          • even this time last year
      • result: are we normal today?
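
One way to turn the "are we normal today?" comparison into a check, as an added Python example (not code from the presentation). The per-path byte totals are constructed, and the median baseline, the factor of 3 and the verdict names are assumptions chosen for illustration.

```python
from statistics import median

# Constructed per-AS-path byte totals for the same time slot at each reference point.
HISTORY = {
    "one hour ago":  {(64500, 64510, 64520): 150000, (64501, 64520): 61000,
                      (64500, 64530): 8200},
    "one week ago":  {(64500, 64510, 64520): 140000, (64501, 64520): 58000,
                      (64500, 64530): 7900},
    "one month ago": {(64500, 64510, 64520): 155000, (64501, 64520): 64000},
    "last year":     {(64500, 64510, 64520): 90000},
}
# Constructed current totals: one surge, one path never seen, one path gone quiet.
NOW = {
    (64500, 64510, 64520): 152000,
    (64501, 64520): 480000,
    (64501, 64510, 64540): 25600,
}

def compare(now, history, factor=3.0):
    """Classify each AS path against the median of its historical samples."""
    verdict = {}
    paths = set(now) | {p for snap in history.values() for p in snap}
    for path in paths:
        samples = [snap[path] for snap in history.values() if path in snap]
        cur = now.get(path, 0)
        if not samples:
            verdict[path] = "new"            # traffic on a path with no history
        elif cur == 0:
            verdict[path] = "missing"        # historical path carrying nothing now
        elif cur > median(samples) * factor:
            verdict[path] = "surge"
        elif cur < median(samples) / factor:
            verdict[path] = "drop"
        else:
            verdict[path] = "normal"
    return verdict

def is_normal(verdict):
    """True only when every path is within the expected band."""
    return all(v == "normal" for v in verdict.values())

if __name__ == "__main__":
    result = compare(NOW, HISTORY)
    for path, v in sorted(result.items()):
        print(path, v)
    print("normal today:", is_normal(result))
```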

18
The big question
19
Availability
  • web based version available as alpha/beta test on
    AMS-IX next week, free for one year
  • supports Cisco netflow export version 1 and 5;
    Juniper and other formats can be supported at any
    time, just need format specification
  • corporate/private multirouter version to be
    arranged
  • currently licensed as a supported service, to
    avoid cost of manuals, technical support,
    multiple OS version support, complicated
    contracts, etc
  • open to suggestions, ideas, cooperation, etc
  • native, real time application TBA

20
How to use
  • register router(s) with the Network Signature
    package (web interface)
      • IP address
      • optional list of SNMP interface numbers
      • AS number
  • set up BGP session(s) with Network Signature BGP
    daemon
  • configure netflow export: set IP address,
    version, and cache timeout
  • configure netflow accounting on relevant
    interfaces
  • sit back, relax, enjoy

21
Thanks!
  • Special thanks go to
      • Job Witteman and the AMS-IX crew
      • Alex Bik and Business Internet Trends, bit.nl
      • Linux and the cheap PC
      • All the people who said it couldn't be done
  • bilse_at_qbfox.com
  • bilse_at_networksignature.com