Topology Inference from BGP Routing Dynamics David Andersen, Nick - - PowerPoint PPT Presentation

▶

Jul 22, 2023 425 likes •640 views

Topology Inference from BGP Routing Dynamics David Andersen, Nick Feamster, Steve Bauer, Hari Balakrishnan MIT Laboratory for Computer Science October 2002 http://nms.ls.mit.edu/ron/ Current Topologies: AS Topologies AT&T MIT BBN

SLIDE 1

Topology Inference from BGP Routing Dynamics

David Andersen, Nick Feamster, Steve Bauer, Hari Balakrishnan

MIT Laboratory for Computer Science

October 2002

http://nms.l s.mit.edu/ron/

SLIDE 2

Current Topologies: AS Topologies

MIT Sprint AT&T BBN UUNET

✔ Simple to construct ✔ Completely passive - BGP snapshot ✘ Obnoxiously free of interesting detail

SLIDE 3

A few paths contain most prefixes

AT&T (7018): 1250 UUNET (701 702): 1250 Source (AS) #prefixes Supernet (3908): 793 (hong Kong) REACH (1221): 1282 UUNET (701): 2053

14000

0.8 0.9 1

2000 4000 6000 8000 10000

Number of origin AS’s Cumulative distribution 0.6 0.5 0.4 0.3 0.2 0.1 Fraction of announced prefixes 0.7

13 common paths contain 10% of prefixes Binning large ISPs misses critical detail

SLIDE 4

Current Topologies: Router-Level

ATT−1

mit1 mit2

BBN1 BBN2 BBN3 BBN4 UU−1

✔ Lots of juicy detail ✘ Requires active probing

Annoys the paranoid (and can be blocked)
Consumes time and bandwidth

➔Best of both worlds?

SLIDE 5

New: Implied Logical Topologies

Net 2 Net 1 Net 4 Net 3

Group prefixes that “behave similarly” What do the resulting clusters mean?

SLIDE 6

BGP update streams

2002-01-10 23:51:05 198.140.178.0/24 2002-01-10 23:51:05 192.107.237.0/24 2002-01-10 23:55:53 199.230.128.0/23 2002-01-10 23:56:21 216.9.174.0/23 2002-01-10 23:56:21 216.9.172.0/24

Colored prefixes updated at (nearly) same time

➔ Cluster prefixes that often do this

SLIDE 7

Mechanics

2002-01-10 23:51:05 198.140.178.0/24 2002-01-10 23:51:05 192.107.237.0/24 2002-01-10 23:55:53 199.230.128.0/23 2002-01-10 23:56:21 216.9.174.0/23 2002-01-10 23:56:21 216.9.172.0/24

Group by 30-second intervals

(in practice, bin length choice flexible) (BGP min-route-adver time)

SLIDE 8

Creating BGP update vectors

time p1 updates p2 updates u u

I seconds

1 1 1 1 1

(t) p1 (t) p2

Update stream is a 0/1 signal

Did an update happen in time

[t; t + 30s℄? Now we have a bunch of 0/1 vectors to

compare...

SLIDE 9

BGP update vectors

time

Prefix A 1 1 Prefix B 1 1 1 Prefix C 1 1 How close are two vectors?

Correlation coefficient

SLIDE 10

Correlation Coefficient

A 1 1 B 1 1 1 C 1 1 corr

(p 1 ; p 2 ) = E [(p 1

1 )(p 2

2 )℄

Expresses correlation well Susceptable to some “coincidental” correlation

SLIDE 11

How to Group Prefixes?

E−A: 0.001 A B C D E Resulting Cluster Input Distances A−B: 1 ... A−C: 0.75 B−C: 0.5 D−E: 0.25

Single-linkage clustering

Simple and efficient Creates a similarty hierarchy: A & B most

similar, etc.

SLIDE 12

How to Group Prefixes?

E−A: 0.001 A B C D E Resulting Cluster Input Distances A−B: 1 ... A−C: 0.75 B−C: 0.5 D−E: 0.25

Single-linkage clustering

Simple and efficient Creates a similarty hierarchy: A & B most

similar, etc.

SLIDE 13

How to Group Prefixes?

E−A: 0.001 A B C D E Resulting Cluster Input Distances A−B: 1 ... A−C: 0.75 B−C: 0.5 D−E: 0.25

Single-linkage clustering

Simple and efficient Creates a similarty hierarchy: A & B most

similar, etc.

SLIDE 14

How to Group Prefixes?

E−A: 0.001 A B C D E Resulting Cluster Input Distances A−B: 1 ... A−C: 0.75 B−C: 0.5 D−E: 0.25

Single-linkage clustering

Simple and efficient Creates a similarty hierarchy: A & B most

similar, etc.

SLIDE 15

Data Capture and Analysis

BBN AS 10578

Collection Host Border Router

AS 3 (MIT)

Studied 90 days of BGP traffic at MIT Examined 2 “huge” origin ASes

– UUNET: 2338 prefixes – AT&T: 1310 prefixes

How do clusters relate to real-word features?

SLIDE 16

Anecdotes

Many “expected” results - same city, etc.

We’ll get to those in a second.

135.36.0.0/16, 135.12.0.0/14. Denver vs. New

Jersey. Lucent vs. Agere – a spinoff in 2000,

identical network behavior. (... CIA?)

6 Sandia labs prefixes - internet2 routes, but

flapped to backup UUNET route.

Many transient discoveries: backups, etc.

SLIDE 17

Topological similarities

Measureable quantities: path, location

Compute pairwise similarity for metric (shared

path length, or shared pop)

Average similarity as clustering proceeds If match with logical clustering,

similarity strongest for leaf clustering, weakest at end. ➔Logical topology: integration of topological,

rganizational, and administrative factors.

SLIDE 18

Leaves share more hops in traceroute

8 10 12 14 16 18 20 22 500 1000 1500 2000 Number of traceroute hops Number of clusters UUNET max hops UUNET shared hops

Path length varies less with clustering More shared hops in earlier clustering Data noisy: loops, etc., but still works

SLIDE 19

Leaves often share the ISP POP

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 500 1000 1500 2000

Avg. fraction of same-POP clustering

Number of clusters UUNET AT&T

UUNET: 50% clustered at 95% accuracy AT&T: 30% clustered at 97% accuracy

SLIDE 20

What does it all mean?

Update clusters reflect reality:

– Topology – Prefix assignment – Fate sharing

Passive window into remote networks Facilitate network mapping and data collection What else can be extracted from this signal?

Topology Inference from BGP Routing Dynamics

David Andersen, Nick Feamster, Steve Bauer, Hari Balakrishnan

MIT Laboratory for Computer Science

October 2002

Current Topologies: AS Topologies

MIT Sprint AT&T BBN UUNET

✔ Simple to construct ✔ Completely passive - BGP snapshot ✘ Obnoxiously free of interesting detail

A few paths contain most prefixes

14000

0.8 0.9 1

2000 4000 6000 8000 10000

Number of origin AS’s Cumulative distribution 0.6 0.5 0.4 0.3 0.2 0.1 Fraction of announced prefixes 0.7

Current Topologies: Router-Level

✔ Lots of juicy detail ✘ Requires active probing

➔Best of both worlds?

New: Implied Logical Topologies

Net 2 Net 1 Net 4 Net 3

BGP update streams

2002-01-10 23:51:05 198.140.178.0/24 2002-01-10 23:51:05 192.107.237.0/24 2002-01-10 23:55:53 199.230.128.0/23 2002-01-10 23:56:21 216.9.174.0/23 2002-01-10 23:56:21 216.9.172.0/24

➔ Cluster prefixes that often do this

Mechanics

2002-01-10 23:51:05 198.140.178.0/24 2002-01-10 23:51:05 192.107.237.0/24 2002-01-10 23:55:53 199.230.128.0/23 2002-01-10 23:56:21 216.9.174.0/23 2002-01-10 23:56:21 216.9.172.0/24

(in practice, bin length choice flexible) (BGP min-route-adver time)

Creating BGP update vectors

Did an update happen in time

compare...

BGP update vectors

Prefix A 1 1 Prefix B 1 1 1 Prefix C 1 1 How close are two vectors?

Correlation Coefficient

A 1 1 B 1 1 1 C 1 1 corr

How to Group Prefixes?

E−A: 0.001 A B C D E Resulting Cluster Input Distances A−B: 1 ... A−C: 0.75 B−C: 0.5 D−E: 0.25

Single-linkage clustering

similar, etc.

How to Group Prefixes?

E−A: 0.001 A B C D E Resulting Cluster Input Distances A−B: 1 ... A−C: 0.75 B−C: 0.5 D−E: 0.25

Single-linkage clustering

similar, etc.

How to Group Prefixes?

E−A: 0.001 A B C D E Resulting Cluster Input Distances A−B: 1 ... A−C: 0.75 B−C: 0.5 D−E: 0.25

Single-linkage clustering

similar, etc.

How to Group Prefixes?

E−A: 0.001 A B C D E Resulting Cluster Input Distances A−B: 1 ... A−C: 0.75 B−C: 0.5 D−E: 0.25

Single-linkage clustering

similar, etc.

Data Capture and Analysis

BBN AS 10578

Collection Host Border Router

AS 3 (MIT)

– UUNET: 2338 prefixes – AT&T: 1310 prefixes

Anecdotes

We’ll get to those in a second.

identical network behavior. (... CIA?)

flapped to backup UUNET route.

Topological similarities

Measureable quantities: path, location

path length, or shared pop)

similarity strongest for leaf clustering, weakest at end. ➔Logical topology: integration of topological,

Leaves share more hops in traceroute

Leaves often share the ISP POP

What does it all mean?

– Topology – Prefix assignment – Fate sharing

Similar signals?