Overlay Networks: A Dual Layer View Sonia Fahmy Students: Minseok Kwon, Ossama Younis Department of Computer Sciences Purd...
Why Overlays? <ul><li>Overlay networks help overcome deployment barriers to network-level solutions </li></ul><ul><li>The ...
Overlay Multicast Overlay link Source Routers and  underlying links Receivers
Why Characterize Overlays? <ul><li>Overlay multicast consumes additional network bandwidth and increases latency over IP m...
Our Hypothesis <ul><li>Observations </li></ul><ul><ul><li>Many high degree high bandwidth routers heavily utilized in uppe...
Overlay Tree Metrics <ul><li>Overlay cost = number of underlying hops traversed by  every  overlay link </li></ul><ul><li>...
Metrics: Examples <ul><li>Overlay cost = 12 </li></ul><ul><li>Link stress on A = 2 </li></ul><ul><li>RDP of B = (15+15+10)...
Overlay Tree Structure <ul><li>Questions </li></ul><ul><ul><li>What do overlay multicast trees look like? Why? </li></ul><...
Results: End System Multicast <ul><li>Number of hops between two hosts versus level of host in overlay trees </li></ul><ul...
Results: End System Multicast <ul><li>Frequency of occurrence of number of hop values between two hosts </li></ul><ul><li>...
Experiments on PlanetLab <ul><li>Internet Experiments </li></ul><ul><ul><li>Implement and experiment with TAG (Topology-Aw...
Overlay Tree Structure: Simulations <ul><li>Topologies </li></ul><ul><ul><li>Contains 4k routers connected in ways consist...
Results: Number of Hops <ul><li>Uniform host distribution </li></ul><ul><li>Non-uniform host distribution </li></ul>MDDBST...
Results: Isolation of Topology Effects <ul><li>Variability in router degrees </li></ul><ul><li>Clustering (small world) </...
Results: Degree <ul><li>Router degree versus overlay tree level of destination host </li></ul><ul><li>Frequency of router ...
Results: Latency and Bandwidth <ul><li>Relative delay penalty (RDP) </li></ul>ESM achieves a good balance, but scalability...
Overlay Multicast Tree Cost <ul><li>Network Model </li></ul><ul><ul><li>L O (h,k,n)  denotes overlay cost for an overlay  ...
Network Models with Unary Nodes Self-similar Tree Model   (k=2,  θ =1, h=3) Unary node with only one child Number of unary...
Receivers at Leaf Nodes k Source α h  (a) Overlay link Receiver α k Level l (b)
Receivers at Leaf Nodes The overlay cost in (a): The overlay cost in (b): where  if  otherwise  The sum of (a) and (b):  n...
Receivers at Leaf Nodes where θ =0.15
Receivers at Leaf or Non-leaf Nodes α β … … … … kp k(1-p) L υ (h-1,k,n) L  υ (h-2,k,n) L  υ (h-3,k,n) h k(1-p) kp kp k(1-p...
Receivers at Leaf or Non-leaf Nodes The overlay cost in (a): The overlay cost in (b): where  The sum of (a) and (b):
Receivers at Leaf or Non-leaf Nodes where θ =0.15
Cost Model Validation <ul><li>The analytical results are validated using traceroute-based simulation topologies and our ea...
Related Work <ul><li>Chuang and Sirbu (1998) found that the ratio between the total number of multicast links and the aver...
Conclusions <ul><li>We have investigated the efficiency of overlay multicast using theoretical models, experimental data, ...
Ongoing Work <ul><li>We are conducting larger scale simulations and experiments using PlanetLab </li></ul><ul><li>We are e...
Other Work… <ul><li>Exploiting network tomography for monitoring and traffic engineering </li></ul><ul><ul><li>FlowMate on...
Cooperative Overlays Overlays A and B may or may not cooperate. Overlay A Overlay B Co-located nodes Shared routers and li...
A Spectrum of Overlay Cooperation Independent overlays Merged overlays Sharing information e.g., control info,  queries Sh...
Cooperative Forwarding Overlay B Overlay A <ul><li>Route Y is better than route X which only uses hosts in overlay A. Can ...
Cooperation Mechanisms <ul><li>Privilege levels </li></ul><ul><ul><li>Full privileges and obligations : a host ( active me...
Additional Cooperative Services <ul><li>Shared measurement service </li></ul><ul><li>Control information sharing (e.g., ra...
Related Work <ul><li>Overlay broadcasting (Y. Chawathe et al.) </li></ul><ul><ul><li>Studies possibility of cooperation am...
Current Plan <ul><li>We are designing a cooperative overlay architecture for heterogeneous overlay networks to collaborate...
Is “On-line” Tomography Useful and at What Time Scale? <ul><li>What is  “ tomography ” ? A method of producing (inferring)...
Why FlowMate? Source Receiver Receiver Receiver Receiver
Why FlowMate? <ul><li>Partitioning flows emerging from the same source (busy server) according to shared bottlenecks is us...
The Problem <ul><li>Input: </li></ul><ul><ul><li>A set of flows (micro or macro),  F , originating at the same source, whe...
FlowMate Features <ul><li>Employs  passive  probing to reduce probe generation and processing overhead, and network load w...
Architecture Transport layer implementation enables more accurate timestamping
Basic Algorithm [O(NG)] Initialize:  Empty cluster list and flow table. Repeat forever: - Collect delay Information. - Che...
Shared Bottleneck Test <ul><li>For two flows f1 and f2 sharing a common bottleneck in s  r [Rubenstein00]: The  cross  co...
In-Band Delay Sampling <ul><li>One way delay (reasonable clock skew OK). </li></ul><ul><li>Extend the time-stamped ACK (RF...
Triggering Clustering <ul><li>Every flow with at least M samples is considered </li></ul>Time d_min d_max t Clustering not...
Our Accuracy Index <ul><li>Sources of inaccuracies: false sharing and cluster splits </li></ul><ul><li>A cluster split is ...
Simulation Configuration <ul><li>Configuration: </li></ul><ul><li>Cross and reverse traffic: CBR sources </li></ul><ul><li...
Foreground Load <ul><li>FlowMate accuracy (using a simpler topology) </li></ul><ul><li>Different loads   Staggered start t...
Background Load <ul><li>Load and on/off periods have little impact on average accuracy </li></ul>
Bursty Flows <ul><li>Telnet traffic     HTTP/1.1 traffic </li></ul>Sampling: Flow life-time (P2P FTPs (elephants), HTTP/1....
Router Buffering <ul><li>Buffer size vs avg index  Drop policy </li></ul>
<ul><li>Naïve coordinated congestion management demonstrates better fairness and responsiveness </li></ul>Sample Application
Related Work <ul><li>Two-flow correlation tests based on delay or loss of all Poisson probe samples [Rubenstein et al., SI...
Conclusions <ul><li>FlowMate is an on-line flow partitioning scheme that does not require active probing. Partitioning is ...
<ul><li>Goals: </li></ul><ul><ul><li>Scalability (to thousands of nodes)? </li></ul></ul><ul><ul><li>Prolonged network lif...
Anomaly Detection and Security Testing <ul><li>Tomography-based anomaly detection: </li></ul><ul><li>1. Infer per-segment ...
Upcoming SlideShare
Loading in …5
×

Sonia Fahmy Students: Minseok Kwon, Ossama Younis

723 views
644 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
723
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Sonia Fahmy Students: Minseok Kwon, Ossama Younis

  1. 1. Overlay Networks: A Dual Layer View Sonia Fahmy Students: Minseok Kwon, Ossama Younis Department of Computer Sciences Purdue University For slides, technical reports, and implementations, please see: http://www.cs.purdue.edu/~fahmy/ This work was supported by NSF ANI-0238294 (CAREER) and the Schlumberger Foundation
  2. 2. Why Overlays? <ul><li>Overlay networks help overcome deployment barriers to network-level solutions </li></ul><ul><li>The advantages of overlays include flexibility, adaptivity, and ease of deployment </li></ul><ul><li>Applications </li></ul><ul><ul><li>Application-level multicast (e.g., End System Multicast/Narada) </li></ul></ul><ul><ul><li>Inter-domain routing pathology solutions (e.g., Resilient Overlay Networks) </li></ul></ul><ul><ul><li>Content distribution </li></ul></ul><ul><ul><li>Peer-to-peer networks </li></ul></ul>
  3. 3. Overlay Multicast Overlay link Source Routers and underlying links Receivers
  4. 4. Why Characterize Overlays? <ul><li>Overlay multicast consumes additional network bandwidth and increases latency over IP multicast  quantify the overlay performance penalty </li></ul><ul><li>Little work has been done on characterizing overlay multicast tree structure, especially large trees </li></ul><ul><li>Such characterization gives insight into overlay properties and their causes, and a deeper understanding of different overlay multicast approaches  better overlay design </li></ul>Real data from ESM experiments Simulations Analytical models Characterizing Overlay Networks
  5. 5. Our Hypothesis <ul><li>Observations </li></ul><ul><ul><li>Many high degree high bandwidth routers heavily utilized in upper levels of ESM/TAG trees, which tend to be longer . Many hosts are connected to lower degree low bandwidth routers, clustered close together at lower levels of the trees. This lowers multicast cost </li></ul></ul><ul><li>Causes </li></ul><ul><ul><li>Overlay host distribution </li></ul></ul><ul><ul><li>Overlay protocol (full/partial info/overhead, delay/bandwidth/diameter/degree, source-based/shared tree/trees/mesh) </li></ul></ul><ul><ul><li>Topology (connectivity and degrees) </li></ul></ul>
  6. 6. Overlay Tree Metrics <ul><li>Overlay cost = number of underlying hops traversed by every overlay link </li></ul><ul><li>Link stress = total number of identical copies of a packet over the same underlying link </li></ul><ul><li>Overlay cost = ∑stress(i) for all router-to-router links i </li></ul><ul><li>Number of hops and delays between parent and child hosts in an overlay tree </li></ul><ul><li>Degree of hosts = host contribution to the link stress of the host-to-first-router link </li></ul><ul><li>Degree of routers and hop-by-hop delays of underlying links traversed by overlay links </li></ul><ul><li>Mean bottleneck bandwidth between the source and receivers </li></ul><ul><li>Relative Delay Penalty (RDP), mean/longest latency </li></ul>
  7. 7. Metrics: Examples <ul><li>Overlay cost = 12 </li></ul><ul><li>Link stress on A = 2 </li></ul><ul><li>RDP of B = (15+15+10)/20 = 2 </li></ul>Overlay link Source Receivers A B 15 ms 15 ms 10 ms 20 ms C
  8. 8. Overlay Tree Structure <ul><li>Questions </li></ul><ul><ul><li>What do overlay multicast trees look like? Why? </li></ul></ul><ul><ul><li>How much additional cost do they incur over IP multicast? </li></ul></ul><ul><li>Methodology </li></ul><ul><ul><li>Use overlay trees (65 hosts) in ESM experiments (from CMU) in November 2002. Use public traceroute servers and synthesize approximate routes. (Most university hosts are connected to the Internet 2 backbone network) </li></ul></ul><ul><ul><li>PlanetLab experiments and tree/traceroute data </li></ul></ul>
  9. 9. Results: End System Multicast <ul><li>Number of hops between two hosts versus level of host in overlay trees </li></ul><ul><li>Distributions of per-hop delay for different overlay tree levels </li></ul>(a) Tree level 1 (b) Tree levels 4-6
  10. 10. Results: End System Multicast <ul><li>Frequency of occurrence of number of hop values between two hosts </li></ul><ul><li>Degree of host versus level of host in overlay tree </li></ul>
  11. 11. Experiments on PlanetLab <ul><li>Internet Experiments </li></ul><ul><ul><li>Implement and experiment with TAG (Topology-Aware Grouping) on the PlanetLab ( http://www.planet-lab.org ) wide-area platform </li></ul></ul><ul><ul><li>Additional experiments with NICE and HyperCast </li></ul></ul><ul><ul><li>Run several sets of experiments with nodes in the United States, Europe, and Asia </li></ul></ul>
  12. 12. Overlay Tree Structure: Simulations <ul><li>Topologies </li></ul><ul><ul><li>Contains 4k routers connected in ways consistent with router-level power-law and small-world properties </li></ul></ul><ul><ul><li>GT-ITM topology with 4k routers </li></ul></ul><ul><ul><li>Delays and bandwidths according to realistic distributions </li></ul></ul><ul><li>Overlay multicast algorithms </li></ul><ul><ul><li>ESM (End System Multicast) [SIGCOMM 2001] </li></ul></ul><ul><ul><ul><li>A host has the upper degree bound (we use 6) on the number of its neighbors </li></ul></ul></ul><ul><ul><li>TAG (Topology-Aware Grouping) [extended NOSSDAV 2002] </li></ul></ul><ul><ul><ul><li>Uses ulimit=6 and bwthresh=100 kbps for partial path matching </li></ul></ul></ul><ul><ul><li>MDDBST (Minimum Diameter Degree-Bounded Spanning Tree) [NOSSDAV 2001, INFOCOM 2003] </li></ul></ul><ul><ul><ul><li>Minimizes the number of hops in the longest path, and bounds the degree of hosts in overlay trees (degree bound = edge bw/min bw) </li></ul></ul></ul>
  13. 13. Results: Number of Hops <ul><li>Uniform host distribution </li></ul><ul><li>Non-uniform host distribution </li></ul>MDDBST not as clear as ESM, because it minimizes max. cost
  14. 14. Results: Isolation of Topology Effects <ul><li>Variability in router degrees </li></ul><ul><li>Clustering (small world) </li></ul>
  15. 15. Results: Degree <ul><li>Router degree versus overlay tree level of destination host </li></ul><ul><li>Frequency of router degree </li></ul>
  16. 16. Results: Latency and Bandwidth <ul><li>Relative delay penalty (RDP) </li></ul>ESM achieves a good balance, but scalability is a concern <ul><li>Mean bottleneck bandwidth </li></ul>
  17. 17. Overlay Multicast Tree Cost <ul><li>Network Model </li></ul><ul><ul><li>L O (h,k,n) denotes overlay cost for an overlay O when n is the number of hosts </li></ul></ul><ul><ul><li>We only count hops in router subsequences </li></ul></ul><ul><ul><li>We use n instead of m </li></ul></ul><ul><li>Why an underlying tree model? </li></ul><ul><ul><li>Simple analysis </li></ul></ul><ul><ul><li>Consistency with real topologies [Radoslavov00] </li></ul></ul><ul><ul><li>Transformation from a graph to a k-ary tree with minimum cost tree </li></ul></ul><ul><li>Why least cost tree? </li></ul><ul><ul><li>Modeling and analysis are simplified </li></ul></ul><ul><ul><li>Many overlay multicast algorithms optimize a delay-related metric, which is typically also optimized by underlying intra-domain routing protocols </li></ul></ul><ul><ul><li>A lower bound on the overlay tree cost can be computed </li></ul></ul>h k Source Host Receiver
  18. 18. Network Models with Unary Nodes Self-similar Tree Model (k=2, θ =1, h=3) Unary node with only one child Number of unary nodes created between adjacent nodes at levels i-1 and i Branching node <ul><li>To incorporate the number-of-hops distribution, use a self-similar tree model [SODA2002] </li></ul>
  19. 19. Receivers at Leaf Nodes k Source α h  (a) Overlay link Receiver α k Level l (b)
  20. 20. Receivers at Leaf Nodes The overlay cost in (a): The overlay cost in (b): where if otherwise The sum of (a) and (b): n 1- θ is observed where
  21. 21. Receivers at Leaf Nodes where θ =0.15
  22. 22. Receivers at Leaf or Non-leaf Nodes α β … … … … kp k(1-p) L υ (h-1,k,n) L υ (h-2,k,n) L υ (h-3,k,n) h k(1-p) kp kp k(1-p) (a) α β kp k(1-p) … … … … kp Level l (A) (B) (b)
  23. 23. Receivers at Leaf or Non-leaf Nodes The overlay cost in (a): The overlay cost in (b): where The sum of (a) and (b):
  24. 24. Receivers at Leaf or Non-leaf Nodes where θ =0.15
  25. 25. Cost Model Validation <ul><li>The analytical results are validated using traceroute-based simulation topologies and our earlier topologies </li></ul><ul><li>Normalized overly cost via simulations </li></ul><ul><ul><li>ESM and MDDBST have n 0.8 -n 0.9 ; TAG has a slightly higher cost due to partial path matching </li></ul></ul><ul><li>Cost with GT-ITM/uniform hosts is higher than with non-uniform/power-law/small-world </li></ul><ul><li>The normalized overlay tree cost for the real ESM tree is n 0.945 </li></ul>
  26. 26. Related Work <ul><li>Chuang and Sirbu (1998) found that the ratio between the total number of multicast links and the average unicast path length exhibits a power-law ( m 0.8 ) </li></ul><ul><li>Chalmers and Almeroth (2001) found the ratio to be around m 0.7 and multicast trees have a high frequency of unary nodes </li></ul><ul><li>Phillips et al.(1999), Adjih et al.(2002) and Mieghem et al.(2001) mathematically model the efficiency of IP multicast </li></ul><ul><li>Radoslavov (2000) characterized real and generated topologies with respect to neighborhood size growth, robustness, and increase in path lengths due to link failure. They analyzed the impact of topology on heuristic overlay multicast strategies </li></ul><ul><li>Jin and Bestavros (2002) have shown that both Internet AS-level and router-level graphs exhibit small-world behavior. They also outlined how small-world behavior affects the overlay multicast tree size </li></ul><ul><li>Overlay multicast algorithms include End System Multicast (2000,2001), CAN-based multicast (2002), MDDBST (2001,2003), TAG (2001), etc. </li></ul>
  27. 27. Conclusions <ul><li>We have investigated the efficiency of overlay multicast using theoretical models, experimental data, and simulations. We find that: </li></ul><ul><ul><li>The number of routers/delay between parent and child hosts tends to decrease as the level of the host in the ESM/TAG overlay tree increases  lower cost </li></ul></ul><ul><ul><li>Routing features in overlay multicast protocols, non-uniform host distribution, along with power-law and small-world topology characteristics contribute to these phenomena </li></ul></ul><ul><ul><li>We can quantify potential bandwidth savings of overlay multicast compared to unicast ( n 0.9 < n) and the bandwidth penalty of overlay multicast compared to IP multicast ( n 0.9 > n 0.8 ) </li></ul></ul>
  28. 28. Ongoing Work <ul><li>We are conducting larger scale simulations and experiments using PlanetLab </li></ul><ul><li>We are examining other and more dynamic metrics with other overlay protocols </li></ul><ul><li>We will precisely formulate the relationship between the overlay trees, overlay protocols and Internet topology characteristics </li></ul><ul><li>We are investigating the possibility of inter-overlay cooperation to further reduce the overlay performance penalty </li></ul>
  29. 29. Other Work… <ul><li>Exploiting network tomography for monitoring and traffic engineering </li></ul><ul><ul><li>FlowMate on-line passive flow clustering: design and implementation [ICNP 2002, ToN] </li></ul></ul><ul><ul><li>Distributed network delay and loss monitoring [CC 2003] </li></ul></ul><ul><li>Testing security mechanisms [Computers&Security 2003, CACM 2004] </li></ul><ul><li>Sensor networks [INFOCOM 2004, IWQoS 2004] </li></ul>
  30. 30. Cooperative Overlays Overlays A and B may or may not cooperate. Overlay A Overlay B Co-located nodes Shared routers and links
  31. 31. A Spectrum of Overlay Cooperation Independent overlays Merged overlays Sharing information e.g., control info, queries Shared measurement Cooperative forwarding Inter-overlay Traffic engineering Less cooperation More cooperation
  32. 32. Cooperative Forwarding Overlay B Overlay A <ul><li>Route Y is better than route X which only uses hosts in overlay A. Can be proactive or reactive for long-lived flows. </li></ul>Route X Route Y
  33. 33. Cooperation Mechanisms <ul><li>Privilege levels </li></ul><ul><ul><li>Full privileges and obligations : a host ( active member ) is authorized to use all the services provided by its home overlay network(s). </li></ul></ul><ul><ul><li>Limited privileges and obligations : a host ( passive member ) has limited capabilities such as routing and replication. </li></ul></ul><ul><ul><li>Each overlay selects a set of nodes that other overlays can exploit as passive members (transit nodes) according to peering relationships. </li></ul></ul><ul><li>Inter-overlay agents selected according to: </li></ul><ul><ul><li>Number of co-located overlay nodes; Number of different overlays represented in neighbor nodes; Minimum maximum delay to other hosts in home overlay </li></ul></ul><ul><li>Passive membership selected according to: </li></ul><ul><ul><li>Performance improvement of other overlays, e.g., Number of members that have this passive member as their next hop (maximum-next-hop) </li></ul></ul><ul><ul><li>Compatibility and loads of other overlays </li></ul></ul><ul><ul><li>Trust-based priority to determine which overlays are cooperative </li></ul></ul>
  34. 34. Additional Cooperative Services <ul><li>Shared measurement service </li></ul><ul><li>Control information sharing (e.g., randomized routing time intervals and traffic equilibrium computation for multiple overlays) </li></ul><ul><li>Query forwarding in peer-to-peer networks </li></ul><ul><li>Inter-overlay traffic engineering </li></ul>
  35. 35. Related Work <ul><li>Overlay broadcasting (Y. Chawathe et al.) </li></ul><ul><ul><li>Studies possibility of cooperation among overlays. </li></ul></ul><ul><li>Routing underlay (A. Nakao et al.) </li></ul><ul><ul><li>Provides shared network layer information to overlay nodes. </li></ul></ul><ul><li>Tomography-based overlay network monitoring (Y. Chen et al.) </li></ul><ul><ul><li>Requires O(n) measurements for all the O(n 2 ) overlay paths. </li></ul></ul><ul><li>Selfish source and overlay routing (L. Qiu et al.) </li></ul><ul><li>Other overlay networks </li></ul><ul><ul><li>Include RON, Detour, End System Multicast, etc. </li></ul></ul>
  36. 36. Current Plan <ul><li>We are designing a cooperative overlay architecture for heterogeneous overlay networks to collaborate. </li></ul><ul><li>Our goal is to prove that overlay cooperation reduces competition, improves overall performance, and preserves heterogeneity [ICNP2003 poster]. </li></ul><ul><li>Ongoing Work </li></ul><ul><ul><li>We are currently implementing our algorithms on PlanetLab . </li></ul></ul><ul><ul><li>We will examine other types of overlay cooperation services with particular attention to the complexity, scalability, and security issues. </li></ul></ul>
  37. 37. Is “On-line” Tomography Useful and at What Time Scale? <ul><li>What is “ tomography ” ? A method of producing (inferring) an image of the internal structures of a solid object by the observation and recording of the differences in the effects on the passage of waves of energy impinging on those structures. </li></ul><ul><li>What is “ network tomography ” ? Internet mapping (routes, per-segment delays, per-segment losses, per-segment bandwidth, shared bottlenecks) via composing end-to-end measurements. </li></ul>
  38. 38. Why FlowMate? Source Receiver Receiver Receiver Receiver
  39. 39. Why FlowMate? <ul><li>Partitioning flows emerging from the same source (busy server) according to shared bottlenecks is useful for: </li></ul><ul><ul><li>Customized, more fair and more responsive coordinated congestion management. </li></ul></ul><ul><ul><li>Overlay networks (e.g., application-layer multicast and peer-to-peer applications). </li></ul></ul><ul><ul><li>Load balancing. </li></ul></ul><ul><ul><li>Pricing. </li></ul></ul><ul><ul><li>Traffic engineering and admission control. </li></ul></ul>
  40. 40. The Problem <ul><li>Input: </li></ul><ul><ul><li>A set of flows (micro or macro), F , originating at the same source, where F = { f 1 , f 2 , …, f n } </li></ul></ul><ul><li>Required: </li></ul><ul><ul><li>Periodically map each flow f i (1  i  n) to a cluster g j (1  j  m)  G = { g 1 , g 2 , …, g m }, m  n , where all flows f  g j  G share a common bottleneck </li></ul></ul>
  41. 41. FlowMate Features <ul><li>Employs passive probing to reduce probe generation and processing overhead, and network load with a large number of flows. </li></ul><ul><li>Employs on-line clustering based on constantly changing shared bottlenecks. </li></ul><ul><li>Works with or without receiver timestamp support (and no router support). </li></ul><ul><li>Reduces overhead using representatives . </li></ul><ul><li>Uses limited history for stability (no samples). </li></ul>
  42. 42. Architecture Transport layer implementation enables more accurate timestamping
  43. 43. Basic Algorithm [O(NG)] Initialize: Empty cluster list and flow table. Repeat forever: - Collect delay Information. - Check triggering condition. - If (triggered): cluster flows and generate clusters. - Delete delay samples and maintain compact history information. Partitioning: - Select delay samples. - Assign a representative flow for each cluster. - Each flow is tested against each representative, and joins the cluster with highest correlation. - A flow either joins a cluster or forms a new one.
  44. 44. Shared Bottleneck Test <ul><li>For two flows f1 and f2 sharing a common bottleneck in s  r [Rubenstein00]: The cross correlation measure of multiplexed (f1, f2) packets, spaced apart by time t > 0 , is higher than the auto correlation measure of packets of f1 or f2, spaced apart by time T > t . </li></ul>s r
  45. 45. In-Band Delay Sampling <ul><li>One way delay (reasonable clock skew OK). </li></ul><ul><li>Extend the time-stamped ACK (RFC 1323) to include packet reception time. </li></ul><ul><li>Select samples according to inter-packet spacing. </li></ul>time Samples chosen as probes
  46. 46. Triggering Clustering <ul><li>Every flow with at least M samples is considered </li></ul>Time d_min d_max t Clustering not invoked Clustering may be invoked if enough samples for all flows Clustering must be invoked if not invoked since t Last time clustering was invoked
  47. 47. Our Accuracy Index <ul><li>Sources of inaccuracies: false sharing and cluster splits </li></ul><ul><li>A cluster split is not as harmful as false sharing </li></ul><ul><li>Let k j denote the resulting number of splits of a correct cluster: </li></ul>Example: correct: {1,2,3},{4,5,6}, result: {1,2},{3,4,5},{6}, I=0.67
  48. 48. Simulation Configuration <ul><li>Configuration: </li></ul><ul><li>Cross and reverse traffic: CBR sources </li></ul><ul><li>Forward traffic: FTP, Telnet, or HTTP/1.1 </li></ul><ul><li>Background traffic: 3 “StarWars” flows (self-similar traffic) </li></ul>D5 D3 Source Cross- traffic generator Cross- traffic destination(s) s D4 D9 D10 D11 D12 D2 D1 D8 D7 D6 11 10 9 8 7 6 5 4 3 2 1 3 Mbps 1.5 Mbps 10 Mbps 12 ms 12 ms 19 ms 5 ms 9 ms 22 ms 5 ms 11 ms 12 ms 5 ms 3 ms 4 ms 2 ms 2 ms 3 ms 2 ms 1 ms 3 ms 4 ms bottlenecks 13 ms 14 ms 17 ms 14 ms 3 ms 3 ms
  49. 49. Foreground Load <ul><li>FlowMate accuracy (using a simpler topology) </li></ul><ul><li>Different loads Staggered start times </li></ul>Correlation periods: 1, 2, 4, 6, 8, 10 seconds.
  50. 50. Background Load <ul><li>Load and on/off periods have little impact on average accuracy </li></ul>
  51. 51. Bursty Flows <ul><li>Telnet traffic HTTP/1.1 traffic </li></ul>Sampling: Flow life-time (P2P FTPs (elephants), HTTP/1.0 vs. 1.1), Packet interleaving patterns, Delayed ACKs
  52. 52. Router Buffering <ul><li>Buffer size vs avg index Drop policy </li></ul>
  53. 53. <ul><li>Naïve coordinated congestion management demonstrates better fairness and responsiveness </li></ul>Sample Application
  54. 54. Related Work <ul><li>Two-flow correlation tests based on delay or loss of all Poisson probe samples [Rubenstein et al., SIGMETRICS 2000]. </li></ul><ul><li>Semi-active Bayesian probing (using shared packet loss correlations) [Harfoush et al., ICNP 2000]. </li></ul><ul><li>Shannon or Renyi entropy-based flow clustering [Katabi et al., MIT-TR-2001 and IC3N01]. </li></ul><ul><li>Other tomography work, e.g., [AT&T, UMass, BU, Rice, Berkeley]. </li></ul><ul><li>Congestion Management schemes, e.g., Congestion Manager (CM) [Balakrishnan et al, SIGCOMM 99], Ensemble, Int, FastStart. </li></ul>
  55. 55. Conclusions <ul><li>FlowMate is an on-line flow partitioning scheme that does not require active probing. Partitioning is periodically performed at the flow origin for a large set of flows. </li></ul><ul><li>FlowMate appears to be robust under heavy background load and has low overhead. </li></ul><ul><li>High burstiness of flows to be partitioned is the main factor that degrades performance. </li></ul><ul><li>FlowMate can be useful to many applications, such as overlay networks, congestion management, load balancing, and pricing. </li></ul><ul><li>We have integrated FlowMate into Linux v2.4.17 and performed experiments on Emulab and Planetlab. </li></ul>
  56. 56. <ul><li>Goals: </li></ul><ul><ul><li>Scalability (to thousands of nodes)? </li></ul></ul><ul><ul><li>Prolonged network lifetime? </li></ul></ul><ul><ul><li>Data and state aggregation? </li></ul></ul><ul><ul><li>Robustness in the face of unexpected failures? </li></ul></ul><ul><ul><li>Security of sensor communications? </li></ul></ul><ul><li>Approach Clustering </li></ul><ul><li>Requirements: </li></ul><ul><li>Completely distributed </li></ul><ul><li>O(1) iterations to terminate </li></ul><ul><li>Low message/processing overhead </li></ul><ul><li>High energy, well-spread cluster heads </li></ul><ul><li>Balanced clusters </li></ul><ul><li>Approaches HEED (Hybrid, Energy-Efficient, Distributed clustering) and READ (Robust, Energy-Aware Distributed clustering) </li></ul><ul><li>Network: </li></ul><ul><ul><li>Rectangular field with a large number of dispersed sensor nodes </li></ul></ul><ul><li>Sensor nodes : </li></ul><ul><ul><li>Location un -aware and quasi-stationary </li></ul></ul><ul><ul><li>Homogeneous </li></ul></ul><ul><ul><li>Unattended (infeasible to recharge) </li></ul></ul><ul><li>Example applications: </li></ul><ul><ul><li>Seismic monitoring or field surveillance. </li></ul></ul>Distributed Clustering for Sensor Networks
  57. 57. Anomaly Detection and Security Testing <ul><li>Tomography-based anomaly detection: </li></ul><ul><li>1. Infer per-segment delays, losses and traffic properties through tomography among a set of cooperating end hosts </li></ul><ul><li>2. Detect attacks, configuration problems, and flash crowds on-line based on inferred properties </li></ul><ul><li>Firewall testing: </li></ul><ul><li>1. Develop a vulnerability type versus firewall operation matrix </li></ul><ul><li>2. Place Common Vulnerabilities Exposure (CVE), and other firewall problems in appropriate matrix cells </li></ul><ul><li>3. Find clusters in matrix; predict problems; automate firewall testing </li></ul>Packet Egress Packet may be dropped Stream may be dropped Address Lookup NAT/PAT Routing Decision Application Level Packet Reassembly Port Filtering Sanity Checks Dynamic Rule Set NAT/PAT Packet Ingress

×