RECIPIENT'S PROGRESS STATUS AND MANAGEMENT REPORT
Predictability and Security of High Performance Networks
For the period 01 October 1999 to 31 December 1999
Report #6
CDRL A001
CONTRACT N66001-98-2-8922
January 31, 2000
Quarterly Status Report
1.0 Purpose of Report
This status report is the quarterly cooperative agreement report (CDRL A001), which summarizes the effort expended by UCSD's Cooperative Association for Internet Data Analysis (CAIDA) program in support of SPAWARSYSCEN-SAN DIEGO and DARPA on Agreement N66001-98-2-8922.
2.0 Project Members
UCSD utilized (10/01/99 to 12/31/99):
Dr. KC Claffy, 400 hours
Daniel McRobb, 308 hours
David Moore, 528 hours
Other Staff, 3904 hours
University of Waikato: actual hours unavailable (see financial information)
3.0 Project Description
UCSD/CAIDA is focusing on advancing the capacity to monitor, depict, and predict traffic behavior on current and advanced networks, through developing and deploying tools to better engineer and operate networks and to identify traffic anomalies in real time. CAIDA will concentrate efforts in the development of tools to automate the discovery and visualization of Internet topology and peering relationships, monitor and analyze Internet traffic behavior on high speed links, detect and control resource use (security), and provide for storage and analysis of data collected in aforementioned efforts.
4.0 Performance Against Plan
A. Task 1. Coral OC48mon
A delay in fabrication of the DAG4.0 capture card has slowed development of the OC48 monitor. The current fabricator, Jawed, is awaiting delivery of one final component before fabrication will begin. Due to the delay in obtaining the Vitesse chipset (reported in the October 31 quarterly report) and the fabrication delays, Task 1 hardware is approximately three quarters behind schedule. Development of the associated analysis software, CoralReef, is continuing.
Per discussions with Mari Maeda in August 1999, preliminary scoping of a gigabit Ethernet monitor started this quarter. Actual development will not occur until after successful testing of the DAG4.0 capture card.
B. Task 2. Tomography
Task 2 is proceeding according to plan, with the following Program Plan directives completed:
- Enhancement of the Skitter/Tomography analysis/visualization tools (see section 11.1, Work Focus)
- Continued briefings to Internet community on purpose and initial results of Skitter and solicited their inputs (see section 11.2, Significant Events)
- Added additional measurement host through the DNS root name server initiative
C. Task 3. Security
CAIDA is in the process of recruiting to fill the Security Task leadership position vacated by Andrew Gross in August 1999. Due to the lack of personnel, this Task is approximately one quarter behind schedule.
CoralReef (https://www.caida.org/Tools/CoralReef) version 3.2.1 with added security applications was released to the public this quarter (see section 11.1, Work Focus).
D. Task 4. Data Storage/Analysis
This task is performing according to plan, with the following Program Plan directives completed:
- Expanded collection/storage of data
- Enhanced analysis code and reporting formats
- Created new analysis scripts (see section 11, Summary of Activity)
- Conducted a case study examining traffic in the Asia Pacific region
E. Option 1
Option 1 is proceeding according to plan, with the following directives accomplished:
- Two additional skitter monitors were shipped during Quarter 2, one to Bill Manning at ISI for the "L" root server, and one to Jeffrey Osborne at NASA Ames for the "E" root server.
- A 30 gigabit visualization host machine was deployed on the CAIDA network that will be used for visualization of massive datasets (see section 11.1, Work Focus).
5.0 Major Accomplishments to Date
The following major accomplishments were achieved during Quarter 2:
Under Task 1, conversion was completed of all CoralReef analysis programs that do not rely on ATM-specific information, so that they run on other types of networks besides ATM. As a result, nearly all CoralReef programs now support tcpdump/pcap input. This is a step toward making CoralReef POS (Packet over SONET) compatible, which is important for it to work with the OC48 DAG4.0 capture card.
Task 2 accomplishments include the release of additional skitter datasets to the community for use in third-party research, see https://www.caida.org/data/skitter/skitter_data_use.xml for details. We also analyzed options for revising the global skitter destination list (see section 11.1, Work Focus).
Accomplishments under Task 3 include the public release of CoralReef version 3.2.1 with added security applications on 12/17/99 (see section 11.1, Work Focus).
Major Task 4 accomplishments include a case study examining traffic in the Asia Pacific region, with preliminary analysis to be discussed in an INET2000 paper. We also posted a web page with daily updated analysis summaries for each skitter monitor, see http://sk-summary.caida.org/cgi-bin/main.pl.
Option 1 accomplishments include shipment of two additional skitter monitors, one to Bill Manning at ISI for the "L" root server, and one to Jeffrey Osborne at NASA Ames for the "E" root server. We also posted a web page with daily updated analysis for the DNS "F" root server skitter monitor, see http://sk-summary.caida.org/cgi-bin/main.pl.
6.0 Artifacts Developed During the Past Quarter
No artifacts of note were developed during this quarter.
7.0 Issues
We are still awaiting incremental funding for Fiscal Year 2000 on this project. We are also awaiting official approval and funding for Option 1 activities.
7.1 Open issues with no plan, as yet, for resolution:
None.
7.2 Open issues with plan for resolution:
Delays in fabrication of the OC48 monitor capture cards by Jawed are affecting progress on Task 1. We are exploring the option of moving responsibility for fabrication to an alternate source in an attempt to expedite this process.
Based on written approval provided by DARPA PM Mari Maeda dated September 1, 1999, CAIDA began work on Option 1 of this award. However, the funding for this award is not yet obligated, nor has SPAWAR formally approved the equipment purchased during Quarter 2. UCSD is still operating "at risk" at this time.
7.3 Issues resolved:
None.
8.0 Near-term Plan
The material below reflects the activities planned during Year 2, Quarter 3 of this project, January 1, 2000 - March 31, 2000. It is organized according to the categories identified in the Project Program Plan (see https://www.caida.org/funding/progplan/NGIprogplan98.xml).
A. General/Administrative Outreach and Reporting
The following Administrative Outreach and Reporting items are planned for Quarter 3:
- Quarterly meeting with SPAWAR Officials
- Technical presentations to organizations interested in the technical aspects of this NGI research, including: the National Science Foundation (NSF), Washington D.C., January 11, 2000; the Science Applications International Corporation (SAIC) meeting, San Diego, California, January 12; the Cisco University Research Program brown bag, San Jose, California, January 19; NANOG 18, San Jose, California, February 7-8, 2000; a presentation to ISI staff on the DNS root name server initiative, Marina del Rey, California, February 24, 2000; and a presentation to the DARPA PM on the current state of Internet traffic analysis, Washington D.C., March 13, 2000.
- Nevil Brownlee, Director of Technology Development at the University of Auckland, New Zealand, began his sabbatical with CAIDA in San Diego on January 17, 2000, and is assisting with efforts under Tasks 1, 2 and 4.
- Submit Quarterly Report to SPAWAR covering progress, status and management
- Submit Quarterly Financial Status Report (UCSD Extramural Funds Dept. submits)
- Submit Quarterly Report of Federal Cash Transactions (UCSD Extramural Funds Dept. submits)
B. Task 1. Coral OC48mon
Planned objectives for Task 1 during Quarter 3 are as follows:
- Board testing of DAG4.0 cards by Waikato team in New Zealand
- DAG4.0 OC48 card testing by Waikato staff member David Miller and CAIDA team in San Diego
- Continue discussions of OC48mon development and use with the community
- Modify OC48 card designs, as required, based on test results and new Vitesse 2212 chipset and PCI 66/64 bus
- Make additional internal library changes in CoralReef analysis software for DAG4.0 card support
C. Task 2. Tomography Mapping/Modeling
Task 2 Quarter 3 objectives include:
- Development and refinement of the skitter destination list will be a significant activity for Quarter 3, see section 11.1, Work Focus
- Continued briefings to Internet community on purpose and initial results of skitter and solicit their inputs
- Expansion of the range of skitter datasets available to the community; continue to solicit collaborative involvement by third parties
- Deployment of 2 additional skitter measurement hosts
D. Task 3. Security
Task 3 Quarter 3 objectives include:
- Development of a set of recommendations for additional security applications/implementations of Coral or related traffic monitoring tools
- Exploration of the possibility of combining third-party security applications with the existing CoralReef security applications
E. Task 4. Storage/Analysis
Task 4 Quarter 3 objectives include:
- Expansion of collection/storage of data (see section 11.1, Work Focus)
- Enhancement of analysis code and reporting formats (see section 11.1, Work Focus)
- Posting analyzed data to a public CAIDA web site
F. Option 1
Option 1 objectives include:
- Deployment of 2 additional skitter machines at DNS root server sites
- Continued refinement of analysis to data collected from skitter machines located at DNS root server locations
- Prepare presentation on the DNS root server initiative to be given at Information Sciences Institute on February 24
9.0 Completed Travel
- Dr. Claffy and Tracie Monk traveled to Washington D.C. to attend the DARPA ITO PI meeting, December 15-17, 1999.
- Dr. Claffy gave a presentation entitled "Predictability of High Performance Networks: Monitoring, Analysis, & Visualization", see https://www.caida.org/publications/presentations/Ngi9912/.
- Tracie Monk and Dr. Claffy attended the Internet Engineering Task Force (IETF) 46 meeting in Washington D.C., November 7-12, 1999.
Additional relevant travel that was not charged to this award:
- Dr. Claffy attended NANOG 17 in Montreal, Canada, October 3-5, 1999, see http://www.nanog.org/mtg-9910/agen9910.html.
- Dr. Claffy traveled to Stardust's IBAND conference on October 22 in San Francisco and gave a presentation entitled "State of the Art in Internet Measurement and Data Analysis: Topology, Workload, Performance and Routing Statistics", see https://www.caida.org/publications/presentations/Soa9911/.
- Dr. Claffy traveled to Reston, VA and gave a talk on the status of CAIDA tools and traffic analysis to MCI/UUnet engineers on October 27, 1999.
- Dr. Claffy traveled to the USENIX LISA '99 conference on November 12 in Seattle, Washington, and gave a keynote presentation entitled "State of the Art in Internet Measurement and Data Analysis: Topology, Workload, Performance and Routing Statistics".
- Dr. Claffy traveled to Stanford, California to present a talk entitled "Traffic Observation in a Stateless Data Networking Environment" at the CISAC/SAIC conference on International Cooperation to Combat Cyber Crime and Terrorism, December 5-7, 1999, see https://www.caida.org/publications/presentations/Crisp9912/.
10.0 Equipment Purchases and Description
No equipment was purchased this quarter.
11.0 Summary of Activity
11.1 Work Focus:
General/Administrative Outreach and Reporting
A meeting with SPAWAR/DARPA representatives Steve Spendlove, Paul Fox and Lewis Gutman was held January 20, 2000 at the San Diego Supercomputer Center to discuss progress for Year 2, Quarter 2. Dr. Claffy made several additional presentations on skitter, Coral and security (see section 11.2, Significant Events).
Task 1. Coral OC48mon
Work focus on Task 1 for Quarter 2 consisted mainly of resolving issues surrounding the DAG4.0 capture card fabrication delays, scoping a gig-ether monitor, and Nevil Brownlee's sabbatical at CAIDA.
A delay in fabrication of the DAG4.0 capture card has slowed progress on development of the OC48 monitor. Jawed is awaiting delivery of one final component before fabrication will begin.
Discussions with DARPA contractors about testing and deploying the prototype OC48mon are continuing. Potential contractors for OC48mon deployment include NTON, MCNC, Abilene, vBNS, and several commercial ISPs.
Per discussions with Mari Maeda in August 1999, preliminary scoping of a gigabit Ethernet monitor has begun. Actual development will not occur until after successful testing of the DAG4.0 card.
Nevil Brownlee of the University of Auckland arrived at SDSC on January 17 to begin his sabbatical with CAIDA. His primary work will focus on enhancements to CoralReef (analysis software for OC48 monitor on Task 1) and data analysis efforts in Task 4.
The University of Waikato OC48 card development team identified a Hewlett Packard PC workstation with a 64-bit, 66 MHz PCI bus which can be used to house the DAG4.0 capture card. This machine is available for $4,000, approximately one fifth of the originally anticipated cost of a compatible OC48 monitor PC.
Task 2. Tomography Mapping/Modeling
Task 2, Quarter 2 work focus was centered on revisions to the global skitter target destination list, enhancements to the skitter module to collect additional data, and release of additional datasets to the community for use in third-party research.
The global skitter target destination list is losing about 1% of its destinations per month. 8,000 non-responsive destinations were removed, leaving 21,000 targets. Over 800 original destinations were re-added after new IP addresses were identified for their domain names.
We had multiple discussions concerning potential modifications to skitter that would allow discovery of why certain destinations no longer respond. For example, some skitter destinations are blocked by firewalls, and some firewall packages return a response packet (such as an ICMP destination unreachable message) that could be logged to verify these cases. We plan to modify skitter to record any such additional information returned by firewall software so that firewall blocking can be verified.
At present, skitter only supports measurement of round trip times (RTTs) to end destinations. We intend to modify skitter to also take RTT measurements to intermediate hops along the path. This information could improve the accuracy of geographically locating nodes. Additionally, by correlating multiple paths that traverse the same network link from multiple monitors, we may be able to extract information about the performance of individual links instead of entire paths.
Development of a revised destination list will be a significant activity for Quarter 3. We plan to devise techniques for automated generation of destinations, using cache logs and routing table information to select and incorporate a new destination every time a destination is lost. We also plan to greatly expand the number of global destinations by selecting a destination from each prefix entry in the routing table, approximately 75,000 entries. This will allow for a finer stratification of the global IPv4 address space than the current 21,000-target destination list allows.
An additional skitter dataset was made available to the community for use in third-party research, see https://www.caida.org/data/skitter/skitter_data_use.xml for details. We intend to make all skitter data that is more than 6 months old available to third-party skitter researchers this quarter. This will allow skitter collaborators to use comprehensive and complete datasets in their research instead of limiting them to the small sub-sets of skitter destinations currently available to them.
Preparations are underway to send skitter monitors to Joe St. Sauver at the University of Oregon, and to David Kramer at Datareturn in Dallas, Texas.
A number of presentations on skitter data and tools were made during Quarter 2, and one abstract was accepted (see section 11.2, Significant Events).
Task 3. Security
Security Task work during Quarter 2 focused on modifications and improvements to the crl_filter security feature and to the crl_portmap tool.
We made changes to the crl_filter feature of the security module during Quarter 2. crl_filter provides tcpdump-style filtering for Coral devices: it accepts BPF filter expressions on the command line, and it is now possible to combine it with other existing tcpdump-based tools.
Release of crl_portmap, a prototype monitoring tool that watches for suspicious activity directed at the portmapper (RPC) service, occurred during Quarter 2. Once crl_portmap detects suspicious activity, all subsequent traffic to and from the probing host is logged in tcpdump format. Attackers often probe the portmapper early in an attempt to breach a system; by detecting this early, we can log the rest of their activity for later analysis and possible use in prosecution.
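The trigger-then-log behaviour described for crl_portmap, as an added example in Python (this is not CoralReef code, which is written in C). It treats any packet addressed to port 111 as the trigger, which is a simplifying assumption; the real tool's notion of "suspicious" is not spelled out here. Packets are synthesised as raw IPv4 with zero checksums and written in the classic libpcap format so the output can be read with tcpdump -r. The sample traffic is constructed.

```python
import io
import socket
import struct

PORTMAP_PORT = 111                 # SunRPC portmapper, TCP and UDP
PCAP_MAGIC = 0xA1B2C3D4            # classic libpcap file magic
LINKTYPE_RAW = 101                 # raw IP packets, no link-layer header
PROTO_NUM = {"tcp": 6, "udp": 17}

# Constructed sample traffic: (timestamp, proto, src, sport, dst, dport, payload).
# 10.0.0.9 dumps the portmapper on 192.0.2.10 and then touches NFS;
# 10.0.0.5 is an unrelated DNS client that must not be logged.
SAMPLE_PACKETS = [
    (1.0, "udp", "10.0.0.5", 40001, "192.0.2.53", 53, b"dnsq"),
    (1.1, "tcp", "10.0.0.9", 51234, "192.0.2.10", 111, b"rpc-dump"),
    (1.2, "tcp", "192.0.2.10", 111, "10.0.0.9", 51234, b"rpc-reply"),
    (1.3, "tcp", "10.0.0.9", 51235, "192.0.2.10", 2049, b"nfs"),
    (1.4, "udp", "10.0.0.5", 40002, "192.0.2.53", 53, b"dnsq"),
]


def build_ip_packet(proto, src, sport, dst, dport, payload):
    """Synthesise a minimal IPv4 + TCP/UDP packet; checksums are left at zero."""
    if proto == "tcp":
        # data offset 5 words, flags PSH|ACK, window 8192, checksum 0, urgent 0
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64,
                     PROTO_NUM[proto], 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


class PcapWriter:
    """Writes the classic libpcap file format (readable with tcpdump -r)."""

    def __init__(self, fh):
        self.fh = fh
        # magic, version 2.4, thiszone, sigfigs, snaplen, link type
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW))

    def write(self, ts, data):
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        self.fh.write(struct.pack("<IIII", sec, usec, len(data), len(data)))
        self.fh.write(data)


class PortmapProbeLogger:
    """Once a host has sent anything to the portmapper, every later packet to
    or from that host is written to the pcap stream for later analysis."""

    def __init__(self, fh):
        self.writer = PcapWriter(fh)
        self.suspects = set()     # hosts that have contacted port 111
        self.logged = []          # packets written out, kept for reporting

    def process(self, pkt):
        ts, proto, src, sport, dst, dport, payload = pkt
        if dport == PORTMAP_PORT:
            self.suspects.add(src)        # trigger (assumption): any contact with portmapper
        if src in self.suspects or dst in self.suspects:
            self.writer.write(ts, build_ip_packet(proto, src, sport, dst, dport, payload))
            self.logged.append(pkt)


def run_demo(packets=SAMPLE_PACKETS):
    """Feed the sample traffic through the logger; returns (suspects, count, pcap bytes)."""
    buf = io.BytesIO()
    logger = PortmapProbeLogger(buf)
    for pkt in packets:
        logger.process(pkt)
    return logger.suspects, len(logger.logged), buf.getvalue()


if __name__ == "__main__":
    suspects, count, pcap = run_demo()
    with open("portmap_suspects.pcap", "wb") as fh:
        fh.write(pcap)
    print("suspects:", sorted(suspects), "packets logged:", count)
```

Only the probing host's traffic reaches the pcap file: the DNS client's packets are never written, while the portmapper exchange and the later NFS connection from the same source are. In a real capture the trigger would also be reflected in the rest of the probe (for example RPC procedure numbers in the payload), which this example does not parse.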
Prototype security module code was made available for public beta testing during Quarter 2 via the public release of CoralReef version 3.2.1.
Task 4. Storage/Analysis
We conducted comprehensive analyses of skitter data under Task 4 during Quarter 2. A brief description of analyses and findings are described below.
BGP AS source path:
We compared the BGP AS path announced for each destination with the sequence of ASes encountered along the forwarding path. The comparison used AS paths from our local router (Pinot) and, for each hop address along the skitter path, the origin AS from the Route Views router at the University of Oregon. We found that for the vast majority of paths the announced path and the one seen by skitter agree. Where they do not agree, three basic cases were found:
a) The skitter path contains a single AS that was not in the announced path. In the cases observed, this is typically an exchange point, and the extra AS hop is due to a third-party AS that advertises a route to the exchange point network but does not actually forward the traffic. For our local skitter host, Riesling (the only host we looked at), this was most often Verio advertising 192.157.69/24, part of a netblock owned by Sprint.
b) In the second case the destination's AS is reached, followed by a few hops mapped to a third-party AS that did not appear in the announced AS path, before the path returns to the destination AS. This can be interpreted as an AS proxy-advertising networks for another AS that also does its own BGP. The routing protocol among these hops may not be BGP, but if it is, this situation could create routing loops. Examples of this were found in Columbia and France.
c) Finally, there is the case where one AS was switched for another. This could simply be the result of a change in route between the time the path was collected and the time the routing table was recorded from Pinot; see https://anala.caida.org/~mccreary/skitter/as_path.html.
Next steps are to produce a full categorization of the paths recorded from Riesling, i.e., how many of each type of discrepancy was found. Analyzing data from other skitter sources requires a local routing table from each site, which we do not currently have.
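The three discrepancy cases above, as an added example in Python (not CAIDA's analysis code): hop addresses are mapped to origin ASes by longest-prefix match against a routing table, consecutive hops in the same AS are collapsed, and the resulting AS sequence is compared with the announced path. The routing table, announced path and hop lists are constructed from documentation and private-use values, and the classification rules are an interpretation of cases (a), (b) and (c), not the categorization CAIDA used.

```python
import ipaddress

# Constructed routing table (stand-in for a Route Views dump): prefix -> origin AS.
# Addresses and AS numbers are documentation/private-use values, not the real
# networks mentioned in the text.
ROUTING_TABLE = {
    "192.0.2.0/24": 64500,        # the monitor's own AS
    "198.51.100.0/24": 64501,     # usual transit provider
    "198.51.100.128/25": 64505,   # alternate transit provider
    "100.64.0.0/24": 64510,       # exchange-point fabric advertised by a third party
    "203.0.113.0/24": 64502,      # destination AS
    "203.0.113.128/25": 64503,    # more-specific, proxy-advertised for the destination
}

# AS path the local router announced for the destination prefix.
ANNOUNCED = [64500, 64501, 64502]

# Constructed skitter hop lists to the same destination, one per discrepancy case.
TRACES = {
    "clean": ["192.0.2.1", "198.51.100.1", "203.0.113.7"],
    "extra_exchange_as": ["192.0.2.1", "100.64.0.2", "198.51.100.1", "203.0.113.7"],
    "proxy_detour": ["192.0.2.1", "198.51.100.1", "203.0.113.2", "203.0.113.130", "203.0.113.7"],
    "switched_as": ["192.0.2.1", "198.51.100.200", "203.0.113.7"],
}


def build_rib(table):
    """Sort prefixes longest-first so the first containing prefix wins."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    return sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)


def origin_as(rib, ip):
    """Longest-prefix match of a hop address to its origin AS (None if unrouted)."""
    addr = ipaddress.ip_address(ip)
    for net, asn in rib:
        if addr in net:
            return asn
    return None


def as_sequence(rib, hops):
    """Map hops to ASes and collapse consecutive hops in the same AS."""
    seq = []
    for ip in hops:
        asn = origin_as(rib, ip)
        if asn is not None and (not seq or seq[-1] != asn):
            seq.append(asn)
    return seq


def classify(announced, forwarded):
    """Return 'match' or the discrepancy case (a), (b) or (c) from the text."""
    if forwarded == announced:
        return "match"
    dest = announced[-1]
    extra = [a for a in forwarded if a not in announced]
    # (a) exactly one AS inserted that the announced path never mentions
    if len(forwarded) == len(announced) + 1 and len(extra) == 1:
        i = forwarded.index(extra[0])
        if forwarded[:i] + forwarded[i + 1:] == announced:
            return "a: extra AS %d not in announced path" % extra[0]
    # (b) destination AS reached, third-party AS visited, destination AS again
    if (len(forwarded) == len(announced) + 2 and forwarded[:-2] == announced
            and forwarded[-1] == dest and forwarded[-2] not in announced):
        return "b: third-party AS %d between destination AS hops" % forwarded[-2]
    # (c) same length, one AS replaced by another
    if len(forwarded) == len(announced):
        diffs = [i for i, (x, y) in enumerate(zip(announced, forwarded)) if x != y]
        if len(diffs) == 1:
            i = diffs[0]
            return "c: AS %d switched for AS %d" % (forwarded[i], announced[i])
    return "other"


def classify_all(table=ROUTING_TABLE, announced=ANNOUNCED, traces=TRACES):
    """Classify every trace; returns {name: classification}."""
    rib = build_rib(table)
    return {name: classify(announced, as_sequence(rib, hops))
            for name, hops in traces.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print("%-18s %s" % (name, result))
```

The longest-prefix match matters for case (b): the detour hop 203.0.113.130 falls inside the more-specific /25 and so maps to the proxy AS, while its neighbours in the /24 map to the destination AS. A path that fits none of the three patterns is reported as "other" rather than forced into a category.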
Incomplete Path Analysis:
Analysis of incomplete paths found in skitter datasets was conducted during Quarter 2. This work consisted of classifying and analyzing unreachable skitter targets with the goal of finding persistent routing loops due to BGP policy problems. Since raw skitter data did not provide all the information needed to expose BGP problems, we used ping and traceroute to collect additional data that allows unreachable targets to be classified into separate groups based on the reason they were unreachable.
By analyzing the ICMP time exceeded messages returned by each hop, multiple inter-domain routing loops of various sizes were found, including a 17-hop trans-Pacific routing loop between San Francisco and Australia. This loop included hops in multiple ISPs, including Netconnect, Telstra and AlterNet. We notified Netconnect about the configuration error on their router that was causing the loop, and they corrected the problem.
Path Frequency Per Destination:
Additional research focused on the frequency of a given path for a given destination, with the objective of determining whether the most frequent path is a good method for normalizing traces by destination. It appears that for a majority of destinations, one path dominates more than 90% of the time. The next large cluster is around 50%, which makes sense if one considers that this would result from load sharing, where one or the other next-hop address is taken about 50% of the time. Another interesting finding is that some traces are significantly unstable. For example, on the Riesling host there is a destination for which every one of the 13 traces taken followed a different path, and in the Chenin host data there was a destination for which 127 different paths were found in a single day. Because of these, we will only use the most frequent path for analyses that require intermediate hops, such as the last four tables/images on the summary page, http://sk-summary.caida.org/cgi-bin/main.pl.
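The loop detection described under Incomplete Path Analysis and the most-frequent-path test described above, as one added example in Python (not CAIDA's skitter analysis code). A trace is taken to be the ordered list of hop addresses that answered with ICMP time exceeded; a loop is flagged when an address recurs, and each destination is bucketed by the fraction of its traces that took the dominant path, using the 90% and 50% clusters from the findings above as the boundaries (an assumption). The traces are constructed.

```python
from collections import Counter

# Constructed skitter-style traces: destination -> list of hop lists, one per
# measurement cycle. Addresses are documentation/private-use values.
TRACES = {
    # stable: one path dominates 9 of 10 cycles
    "198.51.100.9": [["10.0.0.1", "10.0.1.1", "198.51.100.9"]] * 9
                    + [["10.0.0.1", "10.0.2.1", "198.51.100.9"]],
    # load-shared: two next hops alternate
    "203.0.113.5": [["10.0.0.1", "10.0.1.1", "203.0.113.5"],
                    ["10.0.0.1", "10.0.2.1", "203.0.113.5"]] * 5,
    # unstable: every cycle saw a different path
    "203.0.113.9": [["10.0.0.1", "10.0.%d.1" % i, "203.0.113.9"] for i in range(1, 6)],
    # unreachable: the trace bounces between two routers until the TTL runs out
    "192.0.2.77": [["10.0.0.1", "10.0.1.1", "10.9.0.1", "10.9.0.2",
                    "10.9.0.1", "10.9.0.2", "10.9.0.1"]],
}


def find_loop(hops):
    """First repeated hop address -> (index of first visit, loop length in hops), else None."""
    first_seen = {}
    for i, hop in enumerate(hops):
        if hop in first_seen:
            return first_seen[hop], i - first_seen[hop]
        first_seen[hop] = i
    return None


def path_dominance(traces):
    """Per destination: (most frequent path, fraction of traces using it, distinct paths)."""
    result = {}
    for dst, paths in traces.items():
        counts = Counter(tuple(p) for p in paths)
        path, n = counts.most_common(1)[0]
        result[dst] = (path, n / len(paths), len(counts))
    return result


def stability_class(fraction):
    """Bucket the dominance fraction by the clusters the findings describe (assumed cutoffs)."""
    if fraction >= 0.9:
        return "stable"            # one path dominates
    if 0.4 <= fraction <= 0.6:
        return "load-shared"       # two paths alternate
    return "unstable"


def summarise(traces=TRACES):
    """Destination -> loop info, dominant-path fraction, distinct path count and class."""
    out = {}
    dom = path_dominance(traces)
    for dst, paths in traces.items():
        loops = [loop for loop in (find_loop(p) for p in paths) if loop is not None]
        path, frac, distinct = dom[dst]
        out[dst] = {"loops": loops, "dominant_fraction": frac, "distinct_paths": distinct,
                    "class": "looping" if loops else stability_class(frac)}
    return out


if __name__ == "__main__":
    for dst, info in summarise().items():
        print(dst, info["class"], "dominant %.2f" % info["dominant_fraction"],
              "distinct", info["distinct_paths"], "loops", info["loops"])
```

A looping destination is reported as such before any stability class is assigned, since a single looping trace trivially has a "dominant" path. The loop length returned is the number of hops between the two visits, which for the 17-hop case in the text would be 17.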
IP Forwarding Trees:
Analysis was conducted on finding forwarding trees in the graph created by the IP paths. Attempts at devising a method for rating these trees in terms of importance (or "criticalness") will continue during Quarter 3. One possibility is to rate a tree based on the number of destinations that are fully dependent on it for their reachability via skitter paths: each node gets a rating equal to the number of destinations for which it appears in every path to that destination. A forwarding tree is a group of nodes connected by forwarding links, i.e., links leaving vertices of outdegree 1 as seen through skitter paths. Such a link is a "predetermined hop" from one IP interface to the next, the latter being the only interface that ever follows the former in the skitter paths.
We constructed a summary page for each of the skitter hosts, see http://sk-summary.caida.org/cgi-bin/main.pl, and for the DNS root server skitter machine, see http://sk-summary.caida.org/cgi-bin/main.pl. The summary page generates graphical analyses on a daily basis for various aspects of the skitter data, including RTT vs. hop count, RTT vs. longitude, and quality of service.
An abstract describing the Asia-Pacific research was accepted to the INET 2000 conference. The abstract is available at https://www.caida.org/publications/papers/2000/asia_paper/. The final paper will be submitted February 1, 2000.
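The forwarding-tree construction and the per-node rating described above, as an added example in Python (not CAIDA's code). Forwarding links are taken from interfaces with outdegree 1 across all observed paths, trees are the groups of interfaces joined by those links, and a node's rating is the number of destinations for which it lies on every observed path; summing member ratings to rate a whole tree is an assumption about how the rating would be applied. The paths are constructed, with letters standing in for interface addresses.

```python
from collections import defaultdict

# Constructed skitter paths from monitor "m": destination -> list of hop lists.
PATHS = {
    "D1": [["m", "a", "b", "c", "D1"], ["m", "a", "b", "c", "D1"]],
    "D2": [["m", "a", "b", "d", "D2"], ["m", "a", "e", "d", "D2"]],
    "D3": [["m", "a", "b", "f", "D3"]],
}


def successors(paths):
    """Interface -> set of interfaces ever seen to follow it in any path."""
    succ = defaultdict(set)
    for plist in paths.values():
        for hops in plist:
            for u, v in zip(hops, hops[1:]):
                succ[u].add(v)
    return succ


def forwarding_links(succ):
    """Links whose source has outdegree 1: the next hop is predetermined."""
    return {u: next(iter(vs)) for u, vs in succ.items() if len(vs) == 1}


def forwarding_trees(links):
    """Group interfaces joined by forwarding links (union-find over the links)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for u, v in links.items():
        parent[find(u)] = find(v)
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return [g for g in groups.values() if len(g) > 1]


def criticality(paths):
    """Interface -> number of destinations for which it lies on every observed path
    (the destination's own address is not counted)."""
    score = defaultdict(int)
    for dst, plist in paths.items():
        common = set(plist[0])
        for hops in plist[1:]:
            common &= set(hops)
        common.discard(dst)
        for node in common:
            score[node] += 1
    return dict(score)


def tree_ratings(paths=PATHS):
    """Rate each forwarding tree by the summed criticality of its members, highest first."""
    links = forwarding_links(successors(paths))
    crit = criticality(paths)
    rated = [(sum(crit.get(n, 0) for n in tree), sorted(tree))
             for tree in forwarding_trees(links)]
    return sorted(rated, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for rating, members in tree_ratings():
        print(rating, "->".join(members))
```

In the sample, interface b has three distinct successors and so starts no forwarding link, while the tree {m, a} at the monitor's edge is rated highest because every destination depends on it; losing either interface would cut reachability to all three destinations as seen from this monitor.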
Option 1.
DNS Root Server:
Option 1 work focus centered on deployment of skitter host machines to root name server sites, and deployment of the 30 gigabit visualization host on the CAIDA internal network.
Two additional skitter monitors were shipped during Quarter 2, one to Bill Manning at ISI for the "L" root server, and one to Jeffrey Osborne at NASA Ames for the "E" root server. Preparations are currently underway to send another skitter monitor to Mark Kosters at the "J" root server.
Preliminary analyses of the data collected from the "F" root server are available at: https://www.caida.org/tools/measurement/skitter/RSSAC/.
Visualization of Massive Datasets
A 30 gigabit visualization host machine was deployed on the CAIDA network for the visualization of massive datasets. This machine hosts the NetGeo services (see https://www.caida.org/tools/utilities/netgeo/), which were announced publicly this quarter. NetGeo is a database and collection of Perl scripts used to map IP addresses, domain names and AS numbers to geographical locations. NetGeo was developed under an NSF award; we use it internally to aid visualization efforts and geographic analyses of skitter data, and it enables remote researchers to map IP addresses and domain names to geographic coordinates for network visualization purposes.
11.2 Significant Events
01/20/00 San Diego, CA- Tracie Monk, Amy Blanchard and Dr. Claffy presented updates on CAIDA NGI project tasks for Year 2, Quarter 2 at a meeting with Steve Spendlove, Paul Fox and Lewis Gutman of SPAWAR. Topics of discussion included technical progress and plans for each task, relevant papers, presentations, and conferences, and budget issues.
12/15/99-12/17/99 Washington, D.C.- Dr. Claffy and Tracie Monk attended the DARPA ITO PI meeting. Dr. Claffy gave a presentation entitled "Predictability of High Performance Networks: Monitoring, Analysis, & Visualization", see https://www.caida.org/publications/presentations/Ngi9912/.
11/09/99 Washington D.C. - Tracie Monk and Dr. Claffy met with DARPA Program Manager Mari Maeda and discussed analysis tools, the DNS Root server initiative, and the funding of Option 1.
Publications:
An INET 2000 abstract describing skitter Asia Pacific research (see Work Focus in the October 31, 1999 quarterly report), entitled "Measurement of Internet Topology in the Pacific Rim Countries", was accepted, with the full paper due February 1, 2000.
Dr. Claffy's paper entitled "Internet Measurement and Data Analysis: Topology, Workload, Performance, and Routing Statistics" was published in German-American Frontiers of Engineering, 1999.
FINANCIAL INFORMATION:
Contract #: N66001-98-2-8922
Contract Period of Performance: 07/16/1998 to 07/15/2000
Ceiling Value: $6,655,449
Current Obligated Funds: $1,663,659
Reporting Period: 10/01/1999 to 12/31/1999
Actual Costs Incurred:
Current Period:
  UCSD Labor     Hours  5140   Cost $  187,154.00
  UCSD ODCs                    Cost $    8,313.00
  UCSD IDCs                    Cost $   86,839.00
  Waikato                      Cost $   31,253.00
  TOTAL          Hours  5140   Cost $  313,559.00
Cumulative to date:
  UCSD Labor     Hours 14363   Cost $  521,461.00
  UCSD ODCs                    Cost $  239,891.00
  UCSD IDCs                    Cost $  265,976.00
  UCSD GA        Hours   366   Cost $   81,106.00
  Waikato                      Cost $   79,110.00
  TOTAL          Hours 14729   Cost $1,187,544.00
Note: additional financial information in tabular form, including breakdown by subcontract and estimated expenditures for Quarter 6, is attached to this report.