Center for Applied Internet Data Analysis
CAIDA NGI Project - First Technical Report

Predictability and Security of High Performance Networks: Expanding Control through Monitoring, Visualization, and Analysis

Objective

 

UCSD/CAIDA is focusing on advancing the capacity to monitor, depict, and predict traffic behavior on current and next generation networks. Such capabilities are critical to engineering and operating networks in an increasingly complicated internetworking environment.

Specifically, collaborators engaged in this effort intend to:

  • develop unique measurement capabilities at OC48 and above speeds - tools for monitoring traffic flows are currently available up to OC12 speeds. However, faster speed networks, such as those comprising the Next Generation Internet (NGI) initiative, and ATM-based networks, such as DISA's, are left without any means of monitoring and analyzing actual traffic data, limiting engineers' abilities to optimize network configurations or assess the performance of emerging hardware/software, network protocols, and practices. In this initiative, CAIDA and MCI Worldcom are collaborating with computer chip/hardware vendors and major providers to develop tools (Coral monitors) capable of providing realtime monitoring of optical, high performance networks.
  • provide macroscopic analyses relating to the global Internet infrastructure - today's network measurements are at a microscopic level, e.g., lab simulations or measurements of individual networks. In this initiative, CAIDA is measuring and analyzing traffic behavior of the entire infrastructure. Target sites are intentionally selected to pervasively stratify the IPv4 address space, in pursuit of a comprehensive picture of the deployed commodity Internet. To our knowledge, this initiative (we are calling it 'Internet tomography') is the only measurement effort of this scale, offering unprecedented information and insight into inter-provider connectivity, routing behavior, and Internet performance.
  • develop security monitoring capabilities without adversely affecting performance on high performance networks - firewalls are now being introduced at up to OC12 speeds; however, many networks, particularly research networks, need security tools that do not compromise performance - especially in the face of new protocols or applications. Under this effort CAIDA and the Pacific Institute for Computer Security are developing lightweight monitors that, continuously and in real time, identify anomalous traffic patterns and trigger pre-defined enforcement countermeasures. [Note that the few extant commercial solutions filter on the first ATM cell of an IP packet, an approach vulnerable to subversion by padding headers. CAIDA's approach provides arbitrary-length payload extraction, which requires optimized zero-copy SAR (segmentation and reassembly) on the host and subsequent BPF linkage. It is also essential to support evidence collection and session replay, for which header filtering alone is insufficient. The delivered tool will also serve as a more general tool for network metrics by providing finer-grained filtering, e.g. by AS, protocol, or source address.]
  • collect, store and analyze massive volumes of Internet-wide traffic data - outside of CAIDA and the National Laboratory for Applied Network Research (NLANR) efforts, there are few sources of commercial Internet traffic data available to the networking research community. The activity measurement data being gathered through skitter is the only known source of infrastructure-wide information available to researchers. Through this effort, CAIDA is providing an invaluable source of information to the community. CAIDA also plans to correlate actively and passively measured data and routing table information from core Internet routers, to characterize and model infrastructure dynamics, including tracking global deployment growth of new hardware and software releases. We have already found examples where certain hardware/software versions manifest remarkably different skitter-measured behavior, and the effect of such releases on the larger picture can support network engineers in evolving next generation networking technologies.
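
The security-monitoring item above notes that filtering on the first ATM cell of an IP packet can be subverted by padded headers. The following added example (not code from CAIDA or the Coral project) shows why a monitor must reassemble the packet before classifying it. It assumes RFC 1483 LLC/SNAP encapsulation, omits the AAL5 trailer, and uses constructed sample packets with documentation addresses.

```python
import struct

CELL_PAYLOAD = 48  # payload bytes carried by one ATM cell
LLC_SNAP = 8       # assumed LLC/SNAP encapsulation ahead of the IP header

def build_packet(dport, ip_options=b""):
    """Constructed sample: LLC/SNAP + IPv4 header (+ options) + bare TCP header."""
    assert len(ip_options) % 4 == 0 and len(ip_options) <= 40
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0, 0, 64, 6, 0,               # checksum left 0 in this sample
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return bytes.fromhex("aaaa030000000800") + ip + ip_options + tcp

def cells(pdu):
    """Split a PDU into 48-byte cell payloads (AAL5 padding/trailer omitted)."""
    return [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]

def tcp_dport(buf):
    """TCP destination port, or None when it lies beyond the bytes in buf."""
    if len(buf) < LLC_SNAP + 20:
        return None
    ihl = (buf[LLC_SNAP] & 0x0F) * 4          # IP header length incl. options
    if ihl < 20 or buf[LLC_SNAP + 9] != 6:    # malformed header or not TCP
        return None
    off = LLC_SNAP + ihl
    if len(buf) < off + 4:
        return None                           # ports are in a later cell
    return struct.unpack_from("!HH", buf, off)[1]

def verdict(buf, blocked_ports):
    port = tcp_dport(buf)
    if port is None:
        return "unclassified"
    return "deny" if port in blocked_ports else "allow"

def compare(pdu, blocked_ports=frozenset({23})):
    """Return (first-cell verdict, verdict after reassembling every cell)."""
    parts = cells(pdu)
    return verdict(parts[0], blocked_ports), verdict(b"".join(parts), blocked_ports)

if __name__ == "__main__":
    print(compare(build_packet(23)))                  # header fits in one cell
    print(compare(build_packet(23, b"\x01" * 40)))    # 40 bytes of IP options
```

A first-cell filter that treats "unclassified" as allow, or that reads the ports at a fixed offset, passes the second packet; the reassembling filter denies it.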

 

Approach

UCSD/CAIDA's project is divided into four tasks: Coral monitors, tomography (skitter), security monitoring, and data storage/analysis. Our approach to each effort is described in the program plan, available at https://www.caida.org/funding/progplan/NGIprogplan98.xml, and is briefly summarized below.

Coral Monitors: The community's ability to monitor advanced optical and high performance networks has not kept up with the raw development and deployment of fiber and switching capability at those bandwidths. WDM networks and OC48 and OC192 networks are gaining momentum, but engineers managing these networks remain incapable of monitoring or even identifying the presence of traffic on some links. This initiative draws upon state of the art developments in computer processing and data storage to develop tools capable of constant monitoring of traffic (not sampling) at OC48 speeds for research and engineering purposes. The base project focuses on developing an OC48 monitor. This initiative requires close participation of hardware vendors to develop an innovative architecture based on either an AGP 32-bit 264 MHz architecture (licensed by Phoenix) or a PCI host-bus interface configuration. The resulting tool will be capable of the requisite 528 MB/S bursting, permitting capture of every packet in one direction of a full 2.4 Gb OC48c link. Optional monitors would permit monitoring of traffic (light) on WDM networks and monitoring traffic at up to OC192 speeds.

Tomography (skitter): In order to gather more vital information about macro level Internet infrastructure, behaviors, platforms, and evolution, CAIDA will also use active measurement and other tools to gather, analyze and visualize traffic data. Up to 20 measurement hosts will be deployed monitoring up to 60,000 end-destinations distributed throughout the IPv4 address space. skitter, a light-weight active monitoring tool developed by CAIDA's Daniel McRobb, will be run at half-hour intervals to gather hop-by-hop connectivity, routing, and performance information, which will be stored at SDSC for later analysis, correlation (with other data) and visualization.

Security: The security-related component of this project includes engineering and deployment of low-cost passive security monitors linked to active response modules. The Applied Telecom OC12 card used in the Coral OC12mon is being used as the foundation for development of algorithms supporting integration of low-level, high-performance, real-time packet filtering with security policy enforcement modules. The resulting tools should provide networks with a relatively inexpensive means of enhancing security on their networks without compromising the actual performance of the network - a critical consideration for all research networks.

Data Storage/Analysis: A RAID array (350 Gb) will be used to store active (skitter) and passive measurement data, and routing data. arts++, a binary file format library, will be deployed for storage of these data. Researchers collaborating with CAIDA will be encouraged to analyze these tomography data for implications relating to current and next generation networking. CAIDA researchers will develop techniques for correlating and analyzing various forms of measurement and routing data.

 

Recent Accomplishments

Progress to date is discussed in the first quarterly report, available at https://www.caida.org/funding/ngi1998/content/reports/quarterly_1098.xml. Highlights include:

Coral OC48mon: The preliminary technical specifications for this monitor are to be complete in November 1998.

Tomography (skitter): As of November 1998, six host monitors were deployed measuring more than 23,000 sites using the new skitter measurement tool. Initial results and visualizations from this effort were presented to IEPG, NANOG, XIWT, IOPS, DARPA PIs, and Bell-Labs, and are featured in articles in Science, Boardwatch, Superinteressante, and The Sciences magazine. Science Photo Library is archiving images and Nature has requested an article for their January issue.

Security: Efforts were initiated on development of appropriate packet-filtering software.

Database Storage/Analysis: A disk array is now being used to store traffic data utilizing the arts++ binary file format. Initial analysis of the data has begun.

Current Plan (first year)

Plans for this project are described in the program plan at https://www.caida.org/funding/progplan/NGIprogplan98.xml. Deliverables include:

OC48mon:

  • Preliminary OC48mon specifications (for presentation at ISMA and Kickoff Meeting)
  • Draft OC48mon specifications for consideration by collaborators
  • Final OC48mon specifications
  • Development of prototype OC48mon

Tomography (skitter):

  • Deploy 6-10 monitors and initiate collection of data from more than 25,000 end destination sites
  • Develop preliminary visualizations of skitter data using Otter tool
  • Deliver public presentations and complete technical papers covering the goals and status of the skitter tool

Security:

  • Develop and test prototype packet filtering code for OC12mon
  • Initiate security compliance monitoring/enforcement code for OC12mon

Database Storage/Analysis:

  • Make infrastructure-wide measurement data available to 3rd party researchers
  • Store and initiate analysis on active and passive measurements and routing table data

Technology Transition:

Coral OC48mon: This monitor will permit monitoring and evaluation of traffic data on research networks such as NTON and SuperNet, both funded by DARPA, and the vBNS, funded by NSF. NTON and vBNS personnel are collaborating closely with CAIDA personnel to ensure that specifications for these monitors are responsive to their engineering and operational networking requirements for next generation networks. Abilene (Internet2) is also involved in the design specifications for this monitor.

Tomography (skitter): Active measurement data gathered through this initiative will provide the community with a unique and valuable source of infrastructure-wide data. Researchers from George Mason University, Notre-Dame, the University of Southern California, and Washington University, as well as researchers from AT&T Research, KAIST (Korea), and Waikato University (New Zealand) have requested data sets for analysis. Approximately six public presentations and one technical presentation are planned for the first year describing the relevance of these data for engineering and operating advanced networks.

Security: This software allows fine-grained access to broadband network traffic. As such, it permits a wide range of applications including network metrics, firewall control, and security-related evidence collection (e.g. session byte streams). Target communities would be major ISP security officers, law enforcement, and network engineers seeking greater control over traffic measurements. Software will be made publicly available for immediate deployment and for continued development by 3rd party research groups.

Database Storage/Analysis: Datasets and analysis results will be made publicly available on the CAIDA/NGI web site. Recommendations for additional research by 3rd parties will be identified and collaborations will be encouraged. Techniques for correlating various traffic data will be described.


Summary Information

  Last Modified: Tue Oct-13-2020 22:21:56 UTC
  Page URL: https://www.caida.org/funding/ngi1998/content/reports/techrep1.xml