Servers in Action: Towards Distributed Traffic Measurement in Data - - PowerPoint PPT Presentation



SLIDE 1

Servers in Action: Towards Distributed Traffic Measurement in Data Centers

Praveen Tammana & Myungjin Lee

School of Informatics University of Edinburgh MSN’14 - Cosener's House, Abingdon

SLIDE 2

Network Measurement in Data Centers

  • Data center applications
    – High Bandwidth
    – Latency sensitive
  • Network Management
    – Control
      • Routing, Access control
    – Measurement
      • Traffic engineering, Security applications
  • Basic requirements
    – Accuracy, Scalability
  • Data center requirements
    – Programmable, Responsive, Evolvable

SLIDE 3

Data Center Measurement Requirements

  • Responsiveness: Quick control loop decisions (Heavy flow scheduling)
  • Programmability: Adaptable to dynamic workloads
  • Evolvability: Software based measurement module (bloom filter, trie, hashtable)

[Figure labels: Core, Aggregate, Edge]

SLIDE 4

Network Measurement Framework

Network Management Tasks
  • Accounting
  • Traffic Engineering
  • Fault diagnosis
  • SLA monitoring
  • Anomaly detection (worms, portscans, botnets)
  • Forensic analysis

Flow Collector

Flow Monitoring
  • Software
  • Hardware

SLIDE 5

Software Based - Flow Monitoring

  • Sampling
    – NetFlow, sFlow
    – Keeps up with high traffic rates using limited switch resources (SRAM, CPU)
  • Problem
    – Not Accurate (Basic Requirement)
      ➔ Flow coverage and accuracy are compromised.
      ➔ Not suitable for management tasks that require fine grained flow details.

[Figure labels: sampled Packet stream; Counters (# Bytes/Pkts); Task 1, Task 2, Task N; Management Tasks: Accounting, Traffic Engineering, Fault diagnosis, SLA monitoring, Anomaly detection (worms, portscans, botnets), Forensic analysis]

SLIDE 6

Hardware Based - Flow Monitoring

  • Task Oriented
    – Task 1: Anomaly Detection
    – Task 2: Traffic Engineering
  • Problem
    – Not Evolvable (DC Requirement)
      • Higher speed links (40/100 Gbps)
      • SLA monitoring in data centers

[Figure labels: Packet stream; Counters (SRAM), Counters, Counters; # Bytes/Pkts; Task 1, Task 2, Task N]

SLIDE 7

Data Center Network Is Evolving

(Net Optics 2013)

SLIDE 8

Distributed Traffic Measurement

  • Our approach:
    – Distribute flow monitoring overhead between switches and servers

[Figure labels: Flows f1, f2, f3, f4, f5; Statistic pkts; Monitor Flows; 1, 2, 3; Aggregate pkts; Report results; Collector]

SLIDE 9

Distributed Traffic Measurement

Administrators have complete control of switches and servers

  • High computational resources (multiple cores, large memory)
  • Hosts observe relevant traffic of running services
  • Monitors less traffic than switch

[Figure labels: Core, Aggregate, Edge]

SLIDE 10

Proposed Framework

Measurement module
  • Producers
  • Monitor traffic and generate statistic packets (s-pkts) (e.g., per flow record)
  • Feed s-pkts to ToR switch

Aggregation module
  • Consumers
  • Aggregate statistic packets (s-pkts)
  • Counters can be stored in high density DRAM

SLIDE 11

Proposed Framework – Packet Processing

  • 1. Copy of regular packets

[Figure labels: Measurement module; NIC; Regular packets]

SLIDE 12

Proposed Framework – Packet Processing

  • 1. Copy of regular packets
  • 2. Statistic packets (s-pkts)

[Figure labels: Measurement module; NIC; Regular packets]

SLIDE 13

Proposed Framework – Packet Processing

  • 1. Copy of regular packets
  • 2. Statistic packets (s-pkts)
  • 3. Copy of statistic packets (s-pkts)

[Figure labels: Measurement module; NIC; Aggregation Module; Regular packets; Ingress port; Egress port]

SLIDE 14

Ongoing work: Statistic Packet Forwarding

  • How to forward statistic packets?
    – Packet path encoding and IP source route option
    – Use switch forwarding table

SLIDE 15

Usecase – Hierarchical Heavy Hitter (HHH)

HHH: Longest IP prefix that occupies more than fraction T of link bandwidth after excluding any descendant HHH

Threshold: T = 10

[Figure: Traffic volume for each IP prefix, drawn on a prefix tree with nodes ****, 0***, 1***, 00**, 01**, 000*, 001*, 010*, 011*, 0000, 0001, 0010, 0011, 0100, 0101, 0110, 0111; volumes as extracted from the slide: 40 40 19 12 7 1 5 2 21 12 9 9 3 5 4 11]

SLIDE 16

HHH Detection

[Figure labels: flows f1, f2, f3, f4, f1, f5 and f1, f2, f3, f1; HHH Measurement Module (twice); Pre-filtering; Statistic pkts; HHH Aggregation Module; IP Prefix Trie (Source IP); Collector; Report HHH]
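
The HHH definition and the prefix-trie aggregation from the two slides above, worked through as an added example (not code from the presentation). The s-pkt record layout, the function names and the per-address volumes are assumptions; the volumes are constructed to be consistent with the prefix totals listed on the HHH use case slide, and T is treated as an absolute volume, as in T = 10.

```python
from collections import defaultdict

BITS = 4  # toy 4-bit source address space, matching the slide's prefix tree

# Constructed s-pkt records (source address, volume) from two hypothetical
# servers; per-address totals are assumed so prefix sums match the slide.
S_PKTS = [
    ("0000", 6), ("0001", 1), ("0010", 5), ("0011", 2),               # server A
    ("0000", 5), ("0100", 9), ("0101", 3), ("0110", 5), ("0111", 4),  # server B
]

def aggregate(records, bits=BITS):
    """Aggregation module: add each record's volume to every prefix on its path."""
    volume = defaultdict(int)
    for addr, vol in records:
        for plen in range(bits + 1):
            volume[addr[:plen]] += vol
    return volume

def find_hhh(volume, threshold):
    """Return {prefix: volume left after excluding descendant HHHs}.

    Prefixes are visited longest first, so the volume already attributed to
    descendant HHHs is known before their ancestors are evaluated.
    """
    claimed = defaultdict(int)  # volume below a prefix already owned by an HHH
    hhh = {}
    for prefix in sorted(volume, key=len, reverse=True):
        residual = volume[prefix] - claimed[prefix]
        if residual > threshold:
            hhh[prefix] = residual
            claimed[prefix] = volume[prefix]  # whole subtree is now accounted for
        if prefix:  # propagate to the parent (the root has none)
            claimed[prefix[:-1]] += claimed[prefix]
    return hhh

def show(prefix, bits=BITS):
    """Render a prefix in the slide's notation, e.g. '010' -> '010*'."""
    return prefix + "*" * (bits - len(prefix))

if __name__ == "__main__":
    vol = aggregate(S_PKTS)
    for p, residual in find_hhh(vol, threshold=10).items():
        print(show(p), "total", vol[p], "after excluding descendant HHHs", residual)
```

With these inputs 00** (19) and 01** (21) both exceed T in raw volume but are not reported, because 0000 and 010* already account for most of their traffic; 0*** is reported only for the 17 units left over.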

SLIDE 17

Evaluation

  • Simulation setup
    – Measurement module: Customized YAF
    – Aggregation module: IP Prefix Trie
    – Packet trace – T. Benson: University data center
  • Aggregation module performance
    – HHH Accuracy
    – Computation overhead on servers and switches
    – Compared with NetFlow

SLIDE 18

Preliminary Results

[Figure panels: "Aggregation module overhead (AMO) over NetFlow overhead (NFO)"; "HHH Accuracy, Varying Sampling Rates"]

FPR: False Positive Rate
FNR: False Negative Rate

SLIDE 19

Preliminary Results

[Figure panels: "Aggregation module overhead (AMO) over NetFlow overhead (NFO)"; "HHH Accuracy, Varying Sampling Rates"]

FPR: False Positive Rate
FNR: False Negative Rate

  • Correctness: 100% Sampling rate – 100% Accuracy
  • Overhead: AMO is just < 2% of NFO

SLIDE 20

Conclusions and Future work

  • Conclusions
    – Our framework offloads overhead on switch
    – Evolves along with data center traffic volume
    – Provides more flexibility to data centre operators
  • Future Work
    – Prototyping proposed framework
    – Exploring performance across different measurement tasks
    – Endhost based network troubleshooting (e.g., packet loss, delay)
    – Impact of packet loss on accuracy
    – Distributing measurement task overhead across network

SLIDE 21

Thank You

Questions

Praveen Tammana
praveen.tammana@ed.ac.uk
University of Edinburgh

SLIDE 22

Challenges

  – Handling multiple paths between End Hosts
  – Consistency with forwarding rules update

SLIDE 23

Measurement Tasks

  • Hierarchical Heavy Hitter (HHH)
  • Heavy Hitter
  • Superspreader
  • Flow Size Distribution
  • DDoS

SLIDE 24

Proposed Framework : s-pkt forwarding

Flow Path : S → T1 → A1 → T2 → R

Encodes path information into packet

[Figure labels: S, R, T1, S, T2, A1]

SLIDE 25

Proposed Framework : s-pkt Forwarding

Flow Path : S → T1 → A1 → T2 → R

s-pkt : R → T2 → A1 → T1

  • 1. Generate s-pkt
  • 2. Enables IP source routing option

[Figure labels: S, R, T1, S, T2, A1; s-pkt, s-pkt, s-pkt]