An Annotation Layer for Network Management
George Porter, Randy H. Katz

Overview
- Lack of visibility: high-speed links, distributed services, and routers that cannot be modified.
- Increased number and complexity of network services.
- Unexpected traffic patterns: legitimate (new applications, flash traffic) and illegitimate (worms, viruses, misconfiguration).
- Hence a need for more visibility and control.

Motivating Example
[Figure: a network with an ISP ingress, routers (R), a server tier (FTP, SMTP, Web, NFS, DNS), a distribution tier, an access tier with clients, and iBoxes placed along the paths.]
- Problem: users in the access tier complain of slow web access, cannot mount files, and see "DNS operation timed out" messages.
- Network management approach: Is the problem isolated to one client? To one service?
- Tools to discover the problem, e.g., correlation between SMTP traffic from the ISP ingress and excessive load on the name service.
- Experimental intervention to confirm the relationship.
- Ability to add a new policy for redirection and request throttling.
- Complex traffic/server interactions; the need is to protect good traffic in this environment.

A-Layer Network Management Principles
- Observations: network topology, link dynamics, traffic volume; standard protocols (TCP, UDP) and standard services (NFS, DNS); rates, request/response completion rate, latency, RTT, network load; sources and sinks of traffic, inside versus outside.
- Need for network-wide visibility despite traffic surges and network stress.
- We encode annotations that are removable and do not reach endhosts.
- These annotations are embedded in the flows they describe, saving overhead and router resources.
- Annotations result in path-wide context accompanying packets along their network path to other iBoxes where it is needed.
- A-Layer piggybacking (iBox): network-wide visibility despite surges, overload and high loss rates; low overhead; path statistics gathering; some protocol visibility (TCP, IP, services like DNS, NFS).
- Need to discover: changes to request/reply rate, completions and latency over time; correlations between different flows, protocols and parts of the network.

Annotation Structure and Security
[Figure: AL unit header layout drawn over 32-bit words (bits 0-31). Fields: Prior Protocol Type, Authentication Field (10 bytes), Sequence Number, Destination Address, Source Address, Annotation Layer Payload.]
- AL unit headers are 14 bytes, with 12 bytes of payload in one AL unit.
- We can leverage IPsec standards to distribute shared secrets to each iBox.
- For authenticating annotations, we can rely on an HMAC message authentication field.
- Annotations are stackable.
- Security: against non-operators using this infrastructure, and against DoS attacks.

Actions (New Policies)
- For experimental intervention (root cause discovery) and to protect good traffic: BW shaping, blocking, scheduling, fencing, selective drop.
- Alerting operators: SNMP traps when an anomalous amount of traffic is seen; acts as a distributed monitoring system for path and session statistics.
- Experimental intervention: ability to affect unknown traffic and test the result on good traffic.
- Traffic management: BW shaping, policing, fencing, selective drop, scheduling, prioritization, network-level redirection.

Research Challenges and Opportunities
- Network statistics: flow rates, protocol mixtures, top-talkers graph, "network hotspots".
- Correlations: a surge in one type of traffic correlated with a drop in another; the relationship between "good" network services and "unknown" traffic.
- Unusual behavior (change in mean): is a network service seeing an unusually low or high number of requests?

Analysis
- The A-Layer can enable a distributed, network-wide observation platform.
- This enables statistics gathering, correlation discovery, and path and session statistic gathering.
- iBoxes can utilize the A-Layer for experimental intervention and new policy implementation, through network-level actions such as bandwidth shaping and fencing.
- The hope is to protect good traffic during periods of network stress.
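The following is an added example, not code from the poster or its authors, showing how an iBox could stack removable AL units on a packet, authenticate each one with a truncated HMAC over a shared secret, and strip them all (rejecting any that fail verification) before the packet reaches an endhost. The field widths inside the 14-byte header, the AL_PROTO value and the shared secret are assumptions chosen to match the stated sizes.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the shared secret IPsec would distribute to each iBox.
SHARED_SECRET = b"constructed-ibox-shared-secret"
# Assumed layout of one AL unit, sized to the poster's figures (14-byte header,
# 10-byte authentication field, 12-byte payload):
#   prior protocol type (1) | auth field (10) | seq (1) | dst addr (1) | src addr (1)
HEADER_FMT = "!B10sBBB"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 14
AUTH_LEN, PAYLOAD_LEN = 10, 12
UNIT_LEN = HEADER_LEN + PAYLOAD_LEN       # 26
AL_PROTO = 0xFD  # constructed placeholder: "another AL unit sits below this one"

def _auth_field(prior, seq, dst, src, payload):
    # Truncated HMAC-SHA256 over all header fields except the auth field, plus payload.
    msg = struct.pack("!BBBB", prior, seq, dst, src) + payload
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).digest()[:AUTH_LEN]

def push_annotation(packet, prior, seq, dst, src, payload):
    """Prepend one authenticated AL unit; 'prior' is AL_PROTO when stacking."""
    payload = payload[:PAYLOAD_LEN].ljust(PAYLOAD_LEN, b"\0")
    tag = _auth_field(prior, seq, dst, src, payload)
    return struct.pack(HEADER_FMT, prior, tag, seq, dst, src) + payload + packet

def pop_annotations(packet):
    """Verify and strip every stacked AL unit so none reaches the endhost.
    Returns (annotations outermost-first, original packet); a unit whose auth
    field does not verify raises, rejecting non-operator or tampered units."""
    annotations = []
    while True:
        prior, tag, seq, dst, src = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
        payload = packet[HEADER_LEN:UNIT_LEN]
        if not hmac.compare_digest(tag, _auth_field(prior, seq, dst, src, payload)):
            raise ValueError("AL unit failed HMAC authentication")
        annotations.append({"seq": seq, "src": src, "dst": dst,
                            "payload": payload.rstrip(b"\0")})
        packet = packet[UNIT_LEN:]
        if prior != AL_PROTO:  # innermost unit: the rest is the original packet
            return annotations, packet

def authentic(packet):
    """True when every stacked annotation on 'packet' verifies."""
    try:
        pop_annotations(packet)
        return True
    except (ValueError, struct.error):
        return False
```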