Flow-based analysis of Internet traffic

Flow-basedanalysisofInternettrafficFedorAfanasievyWarrenDalyzAntonPetrovyAndreiSukhov\ƒyJSV”SamaraTelecom”,Aerodromnaya45,Samara,Russiae-mails:afv@smrtlc.ru,apetrov@smrtlc.ruzHeaNetLtd,CramptonAve,ShelbourneRd,Ballsbridge,Dublin4,Ireland;e-mail:warren.daly@heanet.ie\LaboratoryofNetworkTechnologies,SamaraAcademyofTransportEngineering,1stBezymyannyper.,18,Samara,443066,Russiae-mail:sukhov@ssau.ruAbstractWeproposetheuseofflow-basedanalysistoestimatethequal-ityofanInternetconnection.Usingresultsfromqueueingtheorywecomparetwoexpressionsforbackbonetrafficthathavedifferentap-plications.Wewilldemonstrateacurvethatshowsthedependenceoflinkutilizationandthenumberofactiveflowsinit,todescribingdifferentstatesofthenetwork.Weproposeamethodologyforplot-tingsuchacurveusingdatareceivedfromaCiscorouterfromtheNetFlowprotocol,andusethiscurvetoshowtheworkingareaandtheoverloadpointofthegivennetwork.Ourtestdemonstratesaneasywaytoidentifywhenabackboneupgradeisrequired.Keywords:Flow-basedtestofnetworkquality,CiscoNetFlow,queueingmodels,PassiveMonitoringSystemƒCorrespondingauthor:sukhov@ssau.ru11IntroductionModelingthetrafficatthepacketlevelhasproventobeverydifficultsincetrafficonalinkistheresultofahighlevelofaggregationofnumerousflows.Recently,anewtrendhasemergedformodellingInternettrafficattheflowlevel.Aflowhereisaverygenericconcept.ItcanbeaTCPconnectionoraUDPstreamdescribedbysourceanddestinationIPaddresses,sourceanddestinationportnumbers,ortheprotocolnumberetc.Itispossibletodeter-minetheresponsetimeandthedistributionflowsthatareactiveatacertaintimeinthenetwork.Forsimplicity,itismucheasiertomonitorflowsthantomonitorpacketsinarouter.Untilrecentlynetworkoperatorscollectedstatisticsatthepacketlevel,whichincludedsourceanddestinationaddresses,ports,protocols,packetflags,size,startandendtimeofUDPandTCPsessions,durationoftheses-sionsetc.Processingsuchhugevolumesofdataisdifficultandrequirespow-erfulhardware,softwareandsignificanthumanresources.Wenotethatthistypeofdatacollectiondoesnotproducethenecessaryinformationneededtoprovideusefulrecommendationsforthenetworkunderconsideration.Usually,thefollowingfourvaluesareusedfortheestimationofthenet-workquality:LinkutilizationlevelRoundtriptime(comparableto2*onewaydelay(OWD))PacketlossrateIPpacketdelayvariationTheroundtriptime,packetlossrateandIPpacketdelayvariationde-scribethequalityofconnectivitybetweentworemotepointsorend-to-endconnection.Thelinkutilizationisappliedtothemonitoringofasinglehopbetweentworouters.Networkoperatorsneedtoknowwhentheirbackboneorpeeringlinksmustbeupgraded.Boundaryvaluesofnetworkparametersmayserveasanindicatore.g.asthecurrentvaluesofthenetworkparametersreachadefinedlimit,thelinkshavetobeupgraded.Theproblemwiththismethodisthatthereisnostandardizedsetofnetworkparameterstomonitor.Each2providerhasitsownsetoftechnicalspecificationsaimedonavoidingover-load.Bigproviders,likeSprint[9],relyontheresultsoftheirownresearch.Usually,networkoperatorsmonitorpeakandaveragelinkutilizationlevelsandupgradetheirlinkswhentheutilizationlevelisintherange30%-60%.Themainfocusofthispaperistouseflow-basedanalysistomonitorthebackbonelinkandidentifywhenanupgradedisneeded.PreviousworkbyChuckFraleighetal[10]addressedasimilarprovisioningproblemtoreducethe’perpacket’end-to-enddelay.DinaPapagiannakietal[14],atInfocom03,introducedamethodologyonthebaseofSNMPstatisticstopredictwhenandwherelinkadditions/upgradesshouldtakeplaceinanIPbackbonenetwork.Trafficaccountingmechanismsbasedonflowsshouldbeconsideredaspassivemeasurementmechanisms.Informationgatheredbyflowsareusefulformanypurposes:UnderstandingthebehaviourofexistingnetworksPlanningfornetworkdevelopmentandexpansionQuantifyingnetworkperformanceVerifyingthequalityofnetworkserviceAttributionofnetworkusagetousersUnfortunately,atthepresenttimethereisnounitedviewonhowtoestimatetheconnectionquality,andfind”narrow”placesinthenetworks.AsmentionedabovemanyISPssuchasSprintusethe50%maximumutilizationruleasaguidelineforlinkupgrading.Therearesomecaseswhenthisapproachisbetterandmoreprecisethantraditionaltests.InRussiaandinothercountrieswherethemagestriallinksarelongandexpensive,regionalconnectivityisprovidedbyonlytwoorthreetelecommunicationoperators.OftenthecapacityofmagistriallinkCmislessthansumofthecapacitiesCifromthebordergatewayroutertotheInternetserviceproviders(ISP),seeFig.1.CmnXi=1Ci(1)Inthiscasethe50%utilizationoflinkruletotheregionalproviderisfulfilled,butthequalityoftheconnectionisofalowlevel.Ifthestaff3Figure1:TheschemeofmagisteriallinkofaregionalISPhavenoconceptofhigher(magisterial)networks,theircapacityandconnectionquality,thenourmodelwillallowthemtoestimatethequalityoftheabovechannel.Barakatetal[3]proposeamodelthatreliesonflow-levelinformationtocomputethetotal(aggregate)rateofdataobservedonanIPbackbonelink.Formodellingpurposes,thetrafficisviewedasthesuperposition(i.e.,multiplexing)ofalargenumberofflowsthatarriveatrandomtimesandthatstayactiveforrandomperiods.Thispaperpresentsatechniqueforestimatingthenetworkbehaviourbasedontheutilizationcurvewhichisthegraphicalcorrelationbetweenlinkutiliz