Outline

1
Outline

• State of the Art Measurement Tools
• Measured Node Properties
• Measured Link Properties
• Measured Topology Properties
• Measured Traffic Properties (Gigascope)
• Large-scale Measurement Projects
• RIPE
• CAIDA
• PlanetLab

2
Measured Node Properties

• IP aliases Ally Mercator
• Single router has only one IP ID counter for
  multiple interfaces
• Geography location of the host Geocluster
• Owner AS Mao et al
• DNS, BGP whois
• Router role identification Rocketfuel
• Backbone vs. access routers
• Use DNS and topological ordering
• Configuration features
• nmap

3
NMap (Network Mapper)

• A free open source utility for network
  exploration or security auditing.
• Designed to rapidly scan large networks, although
  it works fine against single hosts.
• Nmap uses raw IP packets to determine
• what hosts are available on the network
• what services (application name and version)
  those hosts are offering
• what operating systems (and OS versions) they are
  running
• what type of packet filters/firewalls are in use,
  etc.

4
Features of Nmap

• Flexible can map out networks filled with IP
  filters, firewalls, routers, and other obstacles.
  
• Powerful used to scan huge networks of hundreds
  of thousands of machines.
• Portable most operating systems are supported,
  including Linux, Windows, FreeBSD, OpenBSD,
  Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS,
  etc.
• Easy start out as simply as "nmap -v -A targethos
  t". Both traditional command line and graphical
  (GUI) versions are available
• Free comes with full source code

5
Execution Sample

• ramblonet 52 sudo nmap -sS -O -v
  coatlicue.colorado.edu
• Starting nmap V. 2.3BETA6 by Fyodor
  (fyodor_at_dhp.com, www.insecure.org/nmap/)
• Host coatlicue.Colorado.EDU (198.11.19.5) appears
  to be up ... good.
• Initiating SYN half-open stealth scan against
  coatlicue.Colorado.EDU (198.11.19.5)
• Adding TCP port 114 (state Open).
• Adding TCP port 25 (state Open).
• Adding TCP port 443 (state Open).
• Adding TCP port 22 (state Open).
• Adding TCP port 80 (state Open).
• The SYN scan took 9 seconds to scan 1489 ports.

6

• Interesting ports on coatlicue.Colorado.EDU
  (198.11.19.5)
• Port State Protocol Service
• 22 open tcp ssh
• 25 open tcp smtp
• 80 open tcp http
• 111 filtered tcp sunrpc
• 114 open tcp audionews
• 443 open tcp https
• 2049 filtered tcp nfs
• 6000 filtered tcp X11
• TCP Sequence Prediction Classrandom positive
  increments Difficulty47220 (Worthy challenge)
• Remote operating system guess OpenBSD Post 2.4
  (November 1998) - 2.5
• Nmap run completed -- 1 IP address (1 host up)
  scanned in 12 seconds ramblonet 53

7
Measure Link Properties

• Loss
• End-to-end approach Internet Tomography
• Multicast-based
• Unicast-based
• Router response based approach Tulip
• Reordering Tulip
• parallel links
• Delay
• RTT easy
• One-way trip times (OTT) hard
• Require clock synchronization between hosts

8
Measure Link Properties II

• Delay variation cing
• Indication of congestion in the network
• Use ICMP timestamps to estimate delay variation
  of path segments
• Capacity
• Related metrics available bandwidth and
  bottleneck identification
• Variable packet size methods (traditional)
  pchar, clink
• Tailgating packet pair/train (more efficient)
  nettimer

9
Measured Topology Properties

• Four levels of topologies
• IP level Skitter
• Router level (after alias resolution) Mercator
• AS level Router Views, BGP
• POP level (backbone) Rocketfuel
• Routing policy
• IP level Rocketfuel
• AS level Gao et al
• Find AS relationship in BGP tables

10
Tier-1 ISP e.g., Sprint
Sprint US backbone network
11
Internet structure network of networks

• Tier-2 ISPs smaller (often regional) ISPs
• Connect to one or more tier-1 ISPs, possibly
  other tier-2 ISPs
• E.g. UUNet Europe, Singapore telecom

Tier 1 ISP
Tier 1 ISP
Tier 1 ISP
12
Measured Topology Properties II

• Workload Traffic Matrices Tomogravity

Want to compute the traffic yj along route j
from measurements on the links, xi
Courtesy of Y. Zhang at UT Austin
13
Measured Topology Properties II
Want to compute the traffic yj along route j
from measurements on the links, xi
x AT y
Courtesy of Y. Zhang at UT Austin
14
Internet Measurement Roadmap
15
Internet Measurement Roadmap II
16
Gigascope Motivations

• Very high data rates.
• Optical links gigabit/sec and higher (to
  OC192), Millions of packets/sec.
• Goal Evaluate queries over every bit of every
  packet.
• Problem Not enough cycles in a second.
• - 3 Ghz / 21 Mpacket/sec 142 cycles / packet
• Solution Push data reduction operators as far
  down the protocol stack as possible.
• Multiple data sources.
• SNMP, Netflow, BGP, packet sniffers, router
  tables, etc.
• Many layered protocols multimedia, VPN, etc.
• Overcome a prejudice that database technology is
  too slow and rigid for network monitoring.

17
Early Data Reduction in Gigascope

• Gigascope was designed to monitor very high speed
  (optical) links using complex query sets.
• Multiple levels of data reduction
• Data reduction in the NIC depends on NIC
  capabilities
• BPF filters
• Approximate filtering (bitmasks)
• Data reduction queries (replace the NIC run time
  system)
• Low level queries
• Run queries on kernel input buffers
• Preliminary filter for the query set
• Other possibilities .

18
Example Router Monitoring
High Level Queries

• Selection/projection/aggregation
• Pre-filter

Low Level Queries
Kernel
Libpcap / BPF filters
Circular Buffer
Router

• Approximate filter (selection)
• Selection/projection/aggregation queries
  (replace run time system)

Select Stream
Network Tap
19
PROTOCOL GAMEPROTOCOL (UDP) ullong
gp_header gp_header (snap_len 134) bool
gp_is_ack_request gp_is_ack_request (snap_len
134) bool gp_is_ack_response
gp_is_ack_response (snap_len 134) uint
gp_ack_id gp_ack_id (snap_len 134) uint
gp_sequence_number gp_sequence_number (snap_len
134)
select timestamp, sourceIP, destIP, source_port,
dest_port, len, total_length, gp_header from
GAMEPROTOCOL where sample_hash50, sourceIP,
destIP and protocol17 and offset0
20
Outline

• State of the Art Measurement Tools
• Measured Node Properties
• Measured Link Properties
• Measured Topology Properties
• Measured Traffic Properties (Gigascope)
• Large-scale Measurement Projects
• RIPE
• CAIDA
• PlanetLab

21
RIPE (European IP Networks)
22
RIPE Measurement

• Growth and Change of the Internet
• Interaction of Traffic and Networks
• Measure delay, packet loss, path, bandwidth and
  delay variation
• Data available under an acceptable agreement
• Routing Information
• Collect and store BGP table and make it available
• Similar to Routeviews in US

23
CAIDA

• The Cooperative Association for Internet Data
  Analysis
• Nonprofit org in the San Diego Supercomputing
  Center, part of UCSD
• Built a variety of tools
• Almost all can be free downloaded online!
• Collected and managed large amount of Internet
  data for analysis

24
Representative Tools

• Iffinder alias resolution
• Skitter large scale topology discovery
• Track Persistent Routing Changes
• Visualize Network Connectivity

25
Representative Tool GTrace

• Provides geographic interface to traceroute

26
Representative Tool AutoFocus

• A traffic analysis and visualization tool that
  describes the traffic mix of a link through
  textual reports and time series plots.

27
CAIDA Data Collection

• A large variety of data traces
• Various sources OC48 links, regional peering
  points, campus network, etc.
• Various types packets, topology, AS adjacency,
  etc.
• Anonymized data available online
• Network Telescope
• Globally announced but unused address space.
• A /8 network, almost 1/256 of the entire IPv4
  addresses, the largest telescope in the world
• Slammer worm has significant traffic reaching
  telescope
• Calculate the rate of scanning worms

28
Planet Lab

• The largest overlay network testbed
• Current distribution of 665 nodes over 315 sites

29
Projects on Planet Lab

• Content Dist. Networks
• CoDeeN, ESM, UltraPeer emulation, Gnutella
  mapping
• Management and Monitoring
• Ganglia, InfoSpect, Scout Monitor, BGP Sensors,
  etc.
• Overlay Networks
• RON, ROM, ESM, XBone, ABone, etc.
• Virtualization and Isolation
• Xen, Denali, VServers, SILK, Mgmt VMs, etc.
• Router Design implications
• NetBind, Scout, NewArch, Icarus, etc.
• Testbed Federation
• NetBed, RON, XenoServers

• Network measurement
• Scriptroute, PlanetProbe, I3, etc.
• Application-level multicast
• ESM, Scribe, TACT, etc.
• Distributed Hash Tables
• Chord, Tapestry, Pastry, Bamboo, etc.
• Wide-area distributed storage
• Oceanstore, SFS, CFS, Palimpsest, IBP
• Resource allocation
• Sharp, Slices, XenoCorp, Automated contracts
• Distributed query processing
• PIER, IrisLog, Sophia, etc.

30
What PlanetLab is about

• Create the open infrastructure for invention of
  the next generation of wide-area (planetary
  scale) services
• The foundation on which the next Internet can
  emerge
• Think beyond TCP/UDP/IP/DNS/BGP/OSPF
• as to what the net provides
• building-blocks upon which services will be based
• the next internet will be created as an overlay
  on the current one
• A different kind of network testbed
• not a collection of pipes and giga-pops
• not a distributed supercomputer
• geographically distributed network services
• alternative network architectures and protocols
• Focus and Mobilize the Network / Systems Research
  Community to define the emerging internet