A Standard TCP connection with:

1

• A Standard TCP connection with
• 1500-byte packets
• 100 ms round-trip time
• steady-state throughput of 10 Gbps
• requires average congestion window of 83,333
  segments
• at most one drop (mark) every 5,000,000,000
  packets equivalently, one drop every 1 2/3 hours).

2
41,000 packets
60,000 RTTs 100 minutes
3

• In practice, users do one of
• open N parallel TCP connections
• use MulTCP (roughly an aggregate of N virtual TCP
  connections).
• Can we do better?

4

• At one end of spectrum
• simple, incremental, and easily-deployable
  changes to current protocols
• HighSpeed TCP (TCP with modified parameters)
• QuickStart (IP option to allow high initial
  congestion windows.)
• At other end of spectrum
• new transport protocol, more explicit feedback
  from routers

5
Another choice of response function
Scalable TCP - S 0.15/p
6
High speed TCP

• additive increase, multiplicative decrease
• increments, decrements depend on window size

7
Scalable TCP

• multiplicative increase, multiplicative decrease
• verdict out as to which is best of these and
  other competing designs

8
Network Measurement/Management

• motivation
• measurement strategies
• passive
• sampling
• active
• network tomography

9
Motivation

• service providers, service users
• monitoring
• anomaly detection
• debugging
• traffic engineering
• pricing, peering, service level agreements
• architecture design
• application design

10

• active probe tools send stimulus (packets) into
  network measure response
• network, transport, application layer probes
• can measure many things
• delay/loss
• topology/routing behavior
• bandwidth/throughput
• earliest tools use Internet Control Message
  Protocol (ICMP)

11
ping

• uses ICMP Echo capability
• C\WINDOWS\Desktopgtping www.soi.wide.ad.jp
• Reply from 203.178.137.88 bytes32 time253ms
  TTL240
• Reply from 203.178.137.88 bytes32 time231ms
  TTL240
• Reply from 203.178.137.88 bytes32 time225ms
  TTL240
• Reply from 203.178.137.88 bytes32 time214ms
  TTL240
• Ping statistics for 203.178.137.88
• packets Sent 4, Received 4, Lost 0 (0
  loss),
• approximate round trip times in milliseconds
• Minimum 214ms, Maximum 253ms, Average 230ms

12
traceroute

• diagnostic tool in widespread use by users and
  providers
• finds outward path to given host, round trip
  times along path
• uses transport layer to force network layer to
  reveal details
• fortunate that it exists despite separation
  between layers

13
Example traceroute

• for n1,2,,nmax
• send pkt with TTL n
• pkt dies at nth router
• router returns ICMP pkt with router address

traceroute to mafalda.inria.fr (128.93.52.46), 30
hops max, 38 byte packets 1 cs-gw
(128.119.240.254) 0.924 ms 0.842 ms 0.847 ms
2 lgrc-rt-106-8.gw.umass.edu (128.119.3.154)
1.089 ms 0.633 ms 0.499 ms 3
border4-rt-gi-7-1.gw.umass.edu (128.119.2.194)
0.914 ms 0.589 ms 0.647 ms
12 inria-g3-1.cssi.renater.fr (193.51.180.174)
85.851 ms 85.930 ms 85.677 m 13
royal-inria.cssi.renater.fr (193.51.182.73)
86.818 ms 86.395 ms 86.326 m 14 193.48.202.2
(193.48.202.2) 87.635 ms 86.293 ms 86.495
ms 15 rocq-gw-bb.inria.fr (192.93.1.100) 89.157
ms 88.419 ms 87.811 ms
14
traceroute example
15
Passive measurements

• Capture packet data as it passes by
• packet capture applications (tcpdump) on hosts
  use packet capture filters
• requires access to the wire
• promiscuous mode network ports to see other
  traffic
• flow-level, packet-level data on routers
• SNMP MIBs
• Cisco NetFlow
• hardware-based solutions
• Endace, Inc.s DAG cards OC12/48/192

16
Example from tcpdump

• 044700.410393 sunlight.cs.du.edu.4882 gt
  newbury.bu.edu.http S 16169425321616942532(0)
  win 512 (ttl 64,
• id 47959) 044703.409692 sunlight.cs.du.edu.4882
  gt newbury.bu.edu.http S 16169425321616942532(0)
  win
• 32120 (ttl 64, id 47963) 044703.489652
  newbury.bu.edu.http gt sunlight.cs.du.edu.4882 S
• 33893878803389387880(0) ack 1616942533 win 31744
  (ttl 52, id 27319)
• 044703.489652 sunlight.cs.du.edu.4882 gt
  newbury.bu.edu.http . ack 1 win 32120 (DF) (ttl
  64, id 47964)
• 044703.489652 sunlight.cs.du.edu.4882 gt
  newbury.bu.edu.http P 167(66) ack 1 win 32120
  (DF) (ttl 64, id
• 47965) 044703.579607 newbury.bu.edu.http gt
  sunlight.cs.du.edu.4882 . ack 67 win 31744 (DF)
  (ttl 52, id
• 27469)
• 044704.249539 newbury.bu.edu.http gt
  sunlight.cs.du.edu.4882 . 11461(1460) ack 67
  win 31744 (DF) (ttl 52, id
• 28879) 044704.249539 newbury.bu.edu.http gt
  sunlight.cs.du.edu.4882 . 14612921(1460) ack 67
  win 31744
• (DF) (ttl 52, id 28880)
• 044704.259534 sunlight.cs.du.edu.4882 gt
  newbury.bu.edu.http . ack 2921 win 32120 (DF)
  (ttl 64, id 47968)
• 044704.349489 newbury.bu.edu.http gt
  sunlight.cs.du.edu.4882 P 29214097(1176) ack 67
  win 31744 (DF) (ttl
• 52, id 29032)
• 044704.349489 newbury.bu.edu.http gt
  sunlight.cs.du.edu.4882 . 40975557(1460) ack 67
  win 31744 (ttl 52, id
• 29033)

17
Passive IP flow measurement

• IP Flow defined as unidirectional series of
  packets between source/dest IP/port pair over
  period of time
• exported by applications such as Ciscos NetFlow

18
Netflow example

• addin

courtesy, D. Plonka
19
Challenges

• flow obviations are memory/processor intensive
• how to do flow observations at high speeds
• use sampling

20
Need for packet sampling

• keep cache of active flows
• for keys seen, but corresponding flow not yet
  terminated
• packet classification
• each arriving packet cache lookup to match key
• if match modify cache entry, e.g., increment
  counters, adjust timers
• else instantiate new cache entry
• cache resources for high end routers
• memory 1,000s of active flows
• speed look up at line rate
• ? lots of fast memory

21
Packet sampling

• form flows from sampled packet stream (e.g. 1 in
  N periodic)
• call these packet sampled flows
• reduce effective packet rate
• reduces cost slower memory sufficient

22
Packet sampling

• Simple example recover original packet rate
• sample packets with probability q,
• measure rate of sampled traffic l(q),
• infer rate of original traffic l(q)/q.

23

• IP flow set of packets with same 5-tuple

24
Original traffic
25
Packet sampling

• recovering original flow sizes not easy

26
Packet sampling in latest Cisco router
27
Original traffic
28
Flow sampling
29
Flow statistics from packet sampling

• measured flows
• set of packets with common property, observed in
  some time period
• common property key built from header fields
  (e.g. src/dst address, TCP/UDP ports)
• flow termination criteria
• interpacket timeout
• protocol signals (e.g. TCP FIN)
• ageing, flushing,
• flow summaries
• reports of measured flows exported from routers
• flow key, flow packets/bytes, first/last packet
  time, router state

30
Packet sampling

• compare properties of packet sampled flows and
  original flows
• rate of production of flow statistics
• number of concurrently active flows
• dependence on sampling rate, interpacket timeout
• modeling, analysis, prediction of packet sampled
  flow statistics, given original flows
• inversion and inference
• recover properties of original flows from packet
  sampled flow statistics

31
Rate and active flows aggregate traffic

• rate and active flows decreasing,
• eventually proportional to 1/N
• probability to at least one of p packets ? p/N
  for large N

32
Rate, active flows application

• application identified by port number
• rate of flow production
• can increase with N for some applications,
  eventually decreasing
• napster, ms-streaming, realaudio
• mean active flows
• decreases with N

33
Flow splitting under sampling
time
Single flow
Interpacket timeout T
Can become multiple flows under sampling

• sampling increases interpacket times
• flow splitting when interpacket time exceed
  interpacket timeout
• flows vulnerable to splitting call these sparse
• flows with many packets, not too fast packet rate
• e.g. streaming, p2p applications
• Question if increase T, as N increases can we
  better maintain flow semantics?

34
Rates, active flows trade-offs

• increase timeout T
• potentially less splitting fewer measured flows,
  more active flows
• left non-sparse application (www mean flow
  length 6 pkts)
• little flow splitting in any case
• if larger T roughly linear increase in active
  flows, flow rate roughly unchanged
• right sparse application (napster mean flow
  length 455 pkts)
• smaller N big trade off between rate and active
  flows
• larger N trade-off washes out (typically only 1
  packet sampled)

35
Inferring original flow statistics from packet
sampled flow statistics
36
Characteristics of interest

• motivation
• assume only packet sampled flow statistics
  available
• want to determine characteristics of original
  flows
• which?
• packet/byte rates
• arrival rate of original flows
• average packets/ bytes per original flow
• why difficult?
• some flows are missed altogether
• trick supplement with protocol level
  information, when available

37
Easy estimates

• original packet and bytes
• model packets independently sampled with
  probability 1/N
• estimates
• original packets by Pest N sampled
  packets
• original bytes by Best N sampled bytes
• properties (Bernoulli sampling)
• unbiased estimators EPest P EBest B
• standard error bounds

38
Estimating number of TCP flows

• M of original TCP flows
• use trick for TCP flows reported by Cisco NetFlow
• flow statistics include cumulative OR of packets
  code bits
• hence can tell whether TCP flags set in at least
  one flow packet
• model (SYN flags in TCP flows are well-behaved)
• each TCP flow contains one SYN packet
• expect close adherence to model, modulo
  retransmits, packet drops
• experiments
• long flow traces very rare not to see at least
  one SYN
• similar model for FIN packets not so accurate
• poor termination, SYN flood attacks
• estimation
• each SYN packet sampled with probability 1/N
• estimate M1 N sampled flows with SYN flag
  set
• properties unbiased estimator of M original
  TCP flows

39
Estimating number of original TCP flows (2)

• estimator M1 uses only sampled SYN flows
• decrease estimator variance by using all flow
  statistics?
• basis estimate number of flows M0 not sampled at
  all
• N0 (N - 1) flow has only SYN sampled
• EN0 EM0

40
Estimating number of original TCP
flows,byte/packets per flow

• consequences
• if no flow splitting
• measured flows original flows with ?1
  packetsampled
• M2 M0 sampled flows is unbiased estimator
  if no flow splitting
• EM2 Eunsampled flows Esampled
  flows original flows
• comparison
• M1 higher variance (less data), unbiased by flow
  splitting
• M2 lower variance (more data), biased by flow
  splitting
• corresponding estimates of mean packets per flow,
  bytes per flow
• packets pest, i Pest / Mi bytes best, i
  Best / Mi i 1,2

41
Estimation Accuracy

• Restricted packet trace
• select only packets in original TCP flows
  starting a SYN packet
• error comparable with standard deviation, but
  some bias
• 7 times std_dev for N 10, lt 1 std_dev for
  N1,000
• M1 increases small number of flows with more
  than 1 SYN packet
• can improve accuracy of pest, 2 by scaling T ? N
• suppress splitting of sparse flows
• pest, 1 gives best accuracy

42
Flow sampling

• flow metrics much easier
• 1 out of N flows sampled
• estimate for M, of flows Nflows sampled
• Eflow size, pkts, Pest ?i pkts in flow i
• Eflow size, bytes, Best ?i bytes in flow i
• flow size distribution easy to estimate

43
Observations from flow summaries

• flow arrivals described by Poisson process
• packet arrivals described by a long range
  dependent process
• Why?
• flow sizes heavy-tailed

44
Next time active probes and network tomography