Internet Measurement Tutorial - PowerPoint PPT Presentation

About This Presentation
Title:

Internet Measurement Tutorial

Description:

Internet Measurement Tutorial Yuval Shavitt School of Electrical Engineering http://www.eng.tau.ac.il/~shavitt – PowerPoint PPT presentation

Slides: 103

Transcript and Presenter's Notes

Title: Internet Measurement Tutorial


1
Internet Measurement Tutorial
  • Yuval Shavitt
  • School of Electrical Engineering

http://www.eng.tau.ac.il/~shavitt
2
Motivation
  • Wide area networks are too complex to grasp
  • Many protocols at various levels interact and
    affect behavior
  • Many applications have performance requirements
  • End-to-end delay and loss, reliability

3
Motivation (2)
  • It's an interesting complex system
  • Has emergent characteristics like many living
    systems
  • Biological systems
  • Social networks

4
TCP/IP Protocols
Application
Transport
Network
Physical Data link
5
Internet Measurement Challenges
6
Internet Measurement Challenges (1)
  • Network size
  • 100,000,000s of hosts, 1,000,000s of routers,
    30,000 ASes
  • Network Complexity
  • Interaction between components, protocols,
    applications, users
  • All change over time
  • New applications are added
  • New protocol versions (TCP)
  • New router design (AQM)

7
Internet Measurement Challenges (2)
  • Not engineered for measurement
  • Initial design had no measurement thinking
  • Distributed management
  • Tendency not to share data
  • Blocking measurement attempts ("don't ping my
    network")
  • NATs, firewalls, ...

8
Success Stories
  • On the self-similar nature of Ethernet traffic
  • W. E. Leland, M. S. Taqqu, W. Willinger, and D.
    V. Wilson
  • IEEE/ACM Transactions on Networking, February
    1994.
  • Thorough analysis of Bellcore LAN traces
    established self-similar properties of packet
    arrival process.
  • On power-law relationships of the internet
    topology
  • M. Faloutsos, P. Faloutsos, and C. Faloutsos,
  • ACM SIGCOMM 1999, Aug./Sept. 1999.
  • Analysis of the RouteViews BGP database
    established the power-law characteristics of the
    Internet topology.

[Figure: plot with axis labels Pr(k), <k>, k]
9
Why do we measure the Internet?
  • Already mentioned
  • Because it is there!
  • Operational reasons
  • We cannot improve the Internet if we don't
    understand it
  • We cannot understand it if we don't measure
  • We cannot build effective models or simulators if
    we don't measure

10
Long term objectives
  • Monitor the Internet in real time
  • Manage the Internet
  • Monitor and react before things go bad

11
What can we measure in the Internet?
  • Structure
  • Topology (router/network) connectivity, link
    capacities, link loss, available bandwidth,
    routing
  • Traffic
  • End-to-end performance, packet arrival process
    (congestion build-up)
  • Users and applications
  • WWW, peer-to-peer, streaming
  • Malicious behavior
  • Attack patterns, port scans

12
Where can we measure the Internet?
  • How to choose representative measurement points?
  • Example: traffic samples
  • LAN traffic vs. WAN traffic,
  • Inside an ISP vs. between continents
  • Country biases
  • Commercial location vs. educational
  • More locations are better

13
How can we measure the Internet?
  • Active measurements
  • Probes: traceroute, ping, packet trains
  • Application simulation
  • Passive measurement
  • Logs (WWW)
  • Monitors, sniffers

14
Measurement resources on the WWW
  • CAIDA
  • www.caida.org/tools/taxonomy
  • SLAC
  • www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

15
When should we measure the Internet?
  • Diurnal and weekly traffic cycles
  • Time scales depend on what and how
  • Passive measurements are typically continuous
  • Can generate huge data sets
  • Log access problems
  • Privacy concerns
  • Active measurements are typically discrete
  • Important characteristics can be missed
  • Probes can be filtered and/or detected

16
Who is measuring the Internet?
  • Businesses do a great deal of measurement
  • Mostly do not share with the research community
  • Examples:
  • Akamai: HTTP delay from server side
  • HP (Mercury): HTTP delay from client side
  • Google: everything
  • Academia and research institutes
  • Publish papers, but data may not always be
    available
  • Internet Statistics and Metrics Analysis (ISMA)
  • CAIDA's attempt to create a global meta-data
    database

17
Publishing Internet Measurement Studies
  • All major networking conferences and journals
    accept measurement papers
  • ACM SIGCOMM, IEEE INFOCOM, ACM SIGMETRICS
  • Dedicated meetings
  • ACM Internet Measurement Conf. (IMC, IMW)
  • Passive and Active Measurement Conf. (PAM)
  • TridentCom

18
Active Measurement Techniques
19
Active Probes
  • Active probes send stimulus (packets) into the
    network and then measure the response
  • Done on network, transport and application layers
  • Active probes are useful to measure various
    things
  • Delay, delay jitter, and loss
  • Topology and routing behavior
  • Capacity, bandwidth, and throughput

20
Simple delay/loss probing with ping
C:\>ping www.fer.hr
Pinging www.fer.hr [161.53.72.111] with 32 bytes of data:
Reply from 161.53.72.111: bytes=32 time=113ms TTL=49
Reply from 161.53.72.111: bytes=32 time=111ms TTL=49
Reply from 161.53.72.111: bytes=32 time=113ms TTL=49
Reply from 161.53.72.111: bytes=32 time=118ms TTL=49
Ping statistics for 161.53.72.111:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 111ms, Maximum = 118ms, Average = 113ms

21
ICMP
  • ICMP is the IP error diagnosis protocol.

ICMP message layout (figure):
  IP header
  Type | Code | Checksum
  Sequence number
  Any ICMP data
22
ICMP Message Types
Meaning                    Type No.
Echo reply                 0
Destination unreachable    3
Source quench              4
Redirect                   5
Echo                       8
Router advertisement       9
Router solicitation        10
Time exceeded              11
Parameter problem          12
Timestamp                  13
Timestamp reply            14
Information request        15
Information reply          16
PING
23
Application layer ping
  • One can generate application layer messages to
    test application reaction time
  • Most common
  • TCP SYN message to port 80

24
traceroute
  • Useful to learn the route characteristics between
    two hosts.
  • Sends a series of probes to successive nodes
    along a route to an intended destination and
    records the source address and time delay of the
    message returned by each.
  • Based on ICMP TTL expired message

25
IP datagram format
[Figure: IPv4 header, 32 bits wide. Fields in order, with the slide's annotations:]
  ver: IP protocol version number
  head. len: header length (bytes)
  type of service: "type" of data
  length: total datagram length (bytes)
  16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
  time to live: max number remaining hops (decremented at each router)
  upper layer: upper layer protocol to deliver payload to
  Internet checksum
  32 bit source IP address
  32 bit destination IP address
  Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
  data (variable length, typically a TCP or UDP segment)
26
ICMP Message Types
Meaning                    Type No.
Echo reply                 0
Destination unreachable    3
Source quench              4
Redirect                   5
Echo                       8
Router advertisement       9
Router solicitation        10
Time exceeded              11
Parameter problem          12
Timestamp                  13
Timestamp reply            14
Information request        15
Information reply          16

Type  Code  Description
3     0     dest. network unreachable
3     1     dest host unreachable
3     2     dest protocol unreachable
3     3     dest port unreachable
3     6     dest network unknown
3     7     dest host unknown
traceroute
27
traceroute
[Figure: time-sequence diagram of probes across nodes A, B, C, D, E]
  • Regular UDP packets
  • successive TTLs
  • ICMP TTL expired message
  • ICMP port unreachable message

28
traceroute versions
  • UNIX
  • Default: sends UDP packets
  • Starts at port 33435 and increments the port per
    packet!
  • traceroute -I sends ICMP ECHO requests
  • tcptraceroute uses TCP SYN messages
  • If the port is closed, gets a RST reply
  • If the port is open, gets a SYN ACK and replies
    with RST
  • Best to overcome firewalls
  • Windows
  • ICMP ECHO request

29
C:\>tracert www.fer.hr
Tracing route to www.fer.hr [161.53.72.111]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.200.254
  2    19 ms    20 ms    19 ms  vxr.tau.ac.il [132.66.8.10]
  3    17 ms    22 ms    20 ms  c6509.tau.ac.il [132.66.8.20]
  4    21 ms    19 ms    19 ms  tel-aviv.tau.ac.il [132.66.4.1]
  5    19 ms    23 ms    18 ms  gp1-tau-fe.ilan.net.il [128.139.191.70]
  6    20 ms    20 ms    20 ms  iucc.il1.il.geant.net [62.40.103.69]
  7    69 ms    69 ms    69 ms  il.it1.it.geant.net [62.40.96.154]
  8    82 ms    82 ms    82 ms  it.ch1.ch.geant.net [62.40.96.33]
  9   101 ms    98 ms    98 ms  ch.at1.at.geant.net [62.40.96.1]
 10   105 ms   105 ms   105 ms  at.hu1.hu.geant.net [62.40.96.178]
 11   117 ms   112 ms   113 ms  hu.hr1.hr.geant.net [62.40.96.145]
 12   113 ms   115 ms   115 ms  carnet-gw.hr1.hr.geant.net [62.40.103.218]
 13   120 ms   122 ms   123 ms  193.198.228.6
 14   114 ms   112 ms   119 ms  193.198.229.10
 15   120 ms   119 ms   119 ms  161.53.16.14
 16   114 ms   114 ms   113 ms  duality.cc.fer.hr [161.53.72.111]
Trace complete.
30
C:\>tracert www.colbud.hu
Tracing route to www.colbud.hu [81.182.250.153]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.200.254
  2    19 ms    21 ms    18 ms  vxr.tau.ac.il [132.66.8.10]
  3    20 ms    21 ms    21 ms  c6509.tau.ac.il [132.66.8.20]
  4    21 ms    20 ms    19 ms  tel-aviv.tau.ac.il [132.66.4.1]
  5    20 ms    22 ms    19 ms  gp1-tau-fe.ilan.net.il [128.139.191.70]
  6    26 ms    22 ms    21 ms  iucc.il1.il.geant.net [62.40.103.69]
  7    91 ms    92 ms    92 ms  il.nl1.nl.geant.net [62.40.96.117]
  8    97 ms    97 ms    97 ms  nl.de1.de.geant.net [62.40.96.101]
  9    95 ms    96 ms    93 ms  ffm-b2-pos2-3.telia.net [213.248.77.89]
 10    96 ms    96 ms   150 ms  ffm-bb2-pos2-3-0.telia.net [213.248.64.177]
 11   110 ms   112 ms   114 ms  bpt-b1-pos2-0.telia.net [213.248.64.26]
 12     *        *        *     Request timed out.
 13   112 ms   110 ms   111 ms  10ge-0-0.core0-ip2.net.telekom.hu [145.236.85.2]
 14   112 ms   114 ms   110 ms  tenge1-2.core0.adatpark.hu [145.236.89.10]
 15   114 ms   112 ms   114 ms  fixip-lns2.adatpark.hu [195.228.253.58]
 16   120 ms   122 ms   124 ms  153-250-182-81.adsl-fixip.axelero.hu [81.182.250.153]
Trace complete.
31
Probing for link characteristics
  • Packet dispersion techniques can be used to infer
    characteristics of each link along an Internet
    path.
  • Bandwidth, queuing delays, propagation delay
  • Cross traffic may cause problems
  • Many tools are available
  • bprobe [CC97], clink [D99], nettimer [LB99],
    pathchar [J97], pchar [M00], pathrate [DRM01]

32
Capacity
  • Maximum IP-layer throughput that a flow can get,
    without any cross traffic

[Figure: source, link 1, link 2, link 3, sink; path capacity C]
  • $C_i$: capacity of link $i$
  • Path capacity: $C = \min_i C_i$

33
Available Bandwidth
  • Maximum IP-layer throughput that a flow can get,
    given (stationary) cross traffic

[Figure: source, link 1, link 2, link 3, sink; labels A and C]
  • $u_i$: utilization of link $i$
  • Path available bandwidth: $A = \min_i C_i (1 - u_i)$

34
Packet Pair Dispersion
  • Packet transmission time: $t = L/C$
  • Send two packets back-to-back
  • Measure dispersion $\Delta$ at the receiver
  • Estimate $C$ as $L/\Delta$
  • But cross-traffic noise can affect $\Delta$.

[Figure labels: C, 3C; L/C, L/3C, L/C]
35
Pathchar
  • Developed by Van Jacobson to allow any user
    to find the bandwidth, delay, average queue and
    loss rate of every hop between any source and
    destination on the Internet
  • Measures the path hop by hop
  • Default: 32 probes per hop

40
Self-Loading Periodic Streams (SLoPS) [Jain & Dovrolis 02]
  • SND sends a periodic UDP packet stream at rate R.
  • $R = L/T$, $L$ = packet size, $T$ = period, $K$ = number of
    packets
  • Measure one-way delay (OWD): $D_k = t_{arrive} - t_{send}$
  • OWD variation: $\Delta D_k = D_{k+1} - D_k$ (independent of clock
    offset)
  • With a stationary fluid model for the cross
    traffic, and FIFO queues

41
Illustration of SLoPS
  • Periodic stream: K packets, size L bytes, rate
    R = L/T

42
Trends in Real Data
  • U. Oregon to U. Delaware (12 hops)
  • A = 74 Mbps (MRTG), K = 100, T = 100 µs, L = 1200 B
  • R = 96 Mbps and 37 Mbps
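
The packet-pair estimate and the SLoPS trend test from the preceding slides, as an added Python illustration that is not part of the original deck. It uses the slide's values (A = 74 Mbps, K = 100, L = 1200 B, R = 96 and 37 Mbps); the 100 Mbps bottleneck capacity, the single-bottleneck fluid model, the function names and the trend threshold are assumptions made for this example.

```python
# Added illustration: packet-pair dispersion and SLoPS on a constructed fluid model.

# Values from the "Trends in Real Data" slide.
A_BPS, K, L_BYTES = 74e6, 100, 1200
# Assumed for this example only: the bottleneck capacity is not given on the slides.
C_BPS = 100e6


def packet_pair_capacity(pkt_bytes, link_caps_bps):
    """Two back-to-back packets of size L cross the links in order.

    Without cross traffic, link i stretches the gap to at least L/C_i, so the
    receiver sees dispersion L / min_i C_i and L/dispersion recovers the path
    capacity. Returns (dispersion_seconds, capacity_estimate_bps).
    """
    bits = pkt_bytes * 8
    dispersion = 0.0                          # back-to-back at the sender
    for cap in link_caps_bps:
        dispersion = max(dispersion, bits / cap)
    return dispersion, bits / dispersion


def slops_owds(rate_bps, avail_bps, cap_bps, pkt_bytes, k, clock_offset=0.0):
    """One-way delays D_k of K periodic packets through one FIFO bottleneck.

    clock_offset models unsynchronised sender/receiver clocks: it shifts every
    D_k by the same amount.
    """
    bits = pkt_bytes * 8
    period = bits / rate_bps                  # T = L / R
    backlog = 0.0                             # queued bits seen by an arriving packet
    owds = []
    for _ in range(k):
        owds.append(clock_offset + (backlog + bits) / cap_bps)
        # Per period: probe plus fluid cross traffic in, C*T out, net (R - A) * T.
        backlog = max(0.0, backlog + (rate_bps - avail_bps) * period)
    return owds


def owd_variation(owds):
    """Delta D_k = D_{k+1} - D_k; any constant clock offset cancels."""
    return [later - earlier for earlier, later in zip(owds, owds[1:])]


def trend(owds, threshold=0.5):
    """Classify the stream by net OWD change over total absolute variation.

    A score near 1 means the delays rise steadily (the stream loads the path,
    R > A); a score near 0 means no trend. The threshold is an assumption.
    """
    deltas = owd_variation(owds)
    total = sum(abs(d) for d in deltas)
    score = (owds[-1] - owds[0]) / total if total else 0.0
    return "R > A" if score > threshold else "R <= A"


if __name__ == "__main__":
    disp, cap = packet_pair_capacity(L_BYTES, [C_BPS, 3 * C_BPS, C_BPS])
    print(f"packet pair: dispersion {disp * 1e6:.1f} us -> C ~ {cap / 1e6:.0f} Mbps")
    for rate in (96e6, 37e6):
        owds = slops_owds(rate, A_BPS, C_BPS, L_BYTES, K)
        growth_us = (owds[-1] - owds[0]) * 1e6
        print(f"R = {rate / 1e6:.0f} Mbps: OWD growth {growth_us:.0f} us -> {trend(owds)}")
```

On a real path the delays are noisy, so a trend statistic has to be computed over many packets rather than read off a single pair of samples.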

43
When R?A
44
Passive Measurement Techniques
45
Passive packet measurement
  • Capture packets as they pass by
  • Packet capture applications (tcpdump) on hosts
    use a packet capture filter
  • Requires access to the wire
  • Promiscuous mode or mirror ports to see other
    traffic
  • Hardware-based solutions
  • Endace, Inc.'s DAG cards: OC12/48/192
    (0.622/2.5/10 Gbps)
  • Programmable NIC cards (<100)
  • Issues
  • Timestamps
  • Data volumes
  • Privacy

46
tcpdump
  • Can capture the entire packet or the first n bytes
  • Timestamps each packet
  • Can filter based on any combination of header
    fields

12:40:18.501228 IP bakara.eng.tau.ac.il.23 > amirotem-pc.eng.tau.ac.il.2260: P 1:3(2) ack 1 win 8760 (DF)
12:40:18.692431 IP amirotem-pc.eng.tau.ac.il.2260 > bakara.eng.tau.ac.il.23: . ack 3 win 64162 (DF)
12:40:18.692775 IP bakara.eng.tau.ac.il.23 > amirotem-pc.eng.tau.ac.il.2260: P 3:10(7) ack 1 win 8760 (DF)
12:40:18.893601 IP amirotem-pc.eng.tau.ac.il.2260 > bakara.eng.tau.ac.il.23: . ack 10 win 64155 (DF)
47
Full Packet Capture
12:22:42.401784 IP (tos 0x0, ttl 128, id 37074, len 41) AMIROTEM.dummy.net.3214 > bakara.eng.tau.ac.il.23: P [tcp sum ok] 3535692137:3535692138(1) ack 1410929928 win 16196 (DF)
    0x0000:  4500 0029 90d2 4000 8006 2d02 c0a8 c803  E..)..@...-.....
    0x0010:  8442 300c 0c8e 0017 d2be 6169 5419 1508  .B0.......aiT...
    0x0020:  5018 3f44 1d9e 0000 6c                   P.?D....l
12:22:42.426889 IP (tos 0x0, ttl 252, id 33630, len 41) bakara.eng.tau.ac.il.23 > AMIROTEM.dummy.net.3214: P [tcp sum ok] 1:2(1) ack 1 win 9324 (DF)
    0x0000:  4500 0029 835e 4000 fc06 be75 8442 300c  E..).^@....u.B0.
    0x0010:  c0a8 c803 0017 0c8e 5419 1508 d2be 616a  ........T.....aj
    0x0020:  5018 246c 3875 0000 6c88 8888 8888       P.$l8u..l.....
12:22:42.600874 IP (tos 0x0, ttl 128, id 37075, len 41) AMIROTEM.dummy.net.3214 > bakara.eng.tau.ac.il.23: P [tcp sum ok] 1:2(1) ack 2 win 16195 (DF)
    0x0000:  4500 0029 90d3 4000 8006 2d01 c0a8 c803  E..)..@...-.....
    0x0010:  8442 300c 0c8e 0017 d2be 616a 5419 1509  .B0.......ajT...
    0x0020:  5018 3f43 169d 0000 73                   P.?C....s
12:22:42.617003 IP (tos 0x0, ttl 252, id 33631, len 41) bakara.eng.tau.ac.il.23 > AMIROTEM.dummy.net.3214: P [tcp sum ok] 2:3(1) ack 2 win 9324 (DF)
    0x0000:  4500 0029 835f 4000 fc06 be74 8442 300c  E..)._@....t.B0.
    0x0010:  c0a8 c803 0017 0c8e 5419 1509 d2be 616b  ........T.....ak
    0x0020:  5018 246c 3173 0000 7388 8888 8888       P.$l1s..s.....

48
Passive IP flow measurement
  • An IP flow is defined by the five-tuple:
  • src addr, src port, dst addr, dst port, protocol
  • Cisco's NetFlow
  • Part of the IOS
  • Provides template-based flow records
  • Many tools can manipulate NetFlow data
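
Added example, not part of the original deck: a Python parser that decodes the first packet of the Full Packet Capture hex dump above, verifies the IP and TCP checksums that tcpdump reports as ok, and reduces the packet to the five-tuple flow key just defined. The function and field names are chosen for this example.

```python
import struct
from ipaddress import IPv4Address

# First packet of the "Full Packet Capture" slide, bytes copied from its hex dump.
PACKET = bytes.fromhex(
    "4500 0029 90d2 4000 8006 2d02 c0a8 c803"
    "8442 300c 0c8e 0017 d2be 6169 5419 1508"
    "5018 3f44 1d9e 0000 6c"
)
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def checksum_ok(data: bytes) -> bool:
    """Internet checksum: the one's-complement sum of all 16-bit words,
    checksum field included, folds to 0xFFFF when the data is intact."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Decode an IPv4/TCP packet that starts at the IP header (no link header)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length is stored in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(raw):
        raise ValueError("malformed or truncated IPv4 packet")
    if proto != 6:
        raise ValueError("not TCP")
    seg = raw[ihl:total_len]
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
    data_off = (off_flags >> 12) * 4
    if not 20 <= data_off <= len(seg):
        raise ValueError("bad TCP data offset")
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, length.
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(seg))
    return {
        # Same field order as the slide: src addr, src port, dst addr, dst port, protocol.
        "five_tuple": (str(IPv4Address(src)), sport, str(IPv4Address(dst)), dport, proto),
        "ttl": ttl, "id": ident, "len": total_len,
        "df": bool(flags_frag & 0x4000),
        "seq": seq, "ack": ack, "win": win,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        "payload": seg[data_off:],
        "ip_sum_ok": checksum_ok(raw[:ihl]),
        "tcp_sum_ok": checksum_ok(pseudo + seg),
    }


if __name__ == "__main__":
    for key, value in parse_ipv4_tcp(PACKET).items():
        print(f"{key:>10}: {value}")
```

The decoded payload is a single cleartext byte of a port 23 session, which is the Privacy issue listed on the passive-measurement slide in concrete form.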

49
FlowScan [Plonka00]
  • Combines flow collection engine, database,
    visualization tool
  • Provides a near real-time visualization of
    network traffic
  • Breaks down traffic into well known service or
    application

50
FlowScan Examples (May 2005)
51
Analysis of Flows
  • By examining flows of packets one can detect
    out-of-order (OOO) packets
  • Losses
  • Reorders
  • TCP state machine
  • Retransmissions
  • Duplicates
  • Analysis can be done on 1- or 2-directional flows

52
Diagnostic node
Local ISP
Internet
53
Unidirectional Flows
  • Evaluates TCP seq. and IP-ID patterns
  • Assumption: the sender's IP ID forms a
    monotonically increasing sequence

[Brosh & Shavitt, Infocom05]
54
HTTP Logs
  • Have data about the client IP, transaction time,
    command (GET/POST), return code, bytes
    transferred, referrer, metadata (browser type,
    OS, languages, etc.)
  • Tools are available to analyze HTTP logs
  • Webalizer

55
HTTP Log Example
24.77.192.99 - - [15/May/2005:23:54:59 +0300] "GET /science_down.gif HTTP/1.1" 200 1138 "http://www.netdimes.org/science.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"
68.231.117.28 - - [15/May/2005:23:52:05 +0300] "GET /ipmap.png HTTP/1.1" 200 4874697 "http://slashdot.org/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"
24.236.177.187 - - [15/May/2005:23:55:00 +0300] "GET /home_up.gif HTTP/1.1" 200 1096 "http://www.netdimes.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
24.236.177.187 - - [15/May/2005:23:55:00 +0300] "GET /AboutUs_up.gif HTTP/1.1" 200 1169 "http://www.netdimes.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
24.77.192.99 - - [15/May/2005:23:55:00 +0300] "GET /Install_down.gif HTTP/1.1" 200 1219 "http://www.netdimes.org/science.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"
69.141.103.137 - - [15/May/2005:23:54:50 +0300] "POST /DIMES/server HTTP/1.1" 200 3 "-" "Java/1.4.1_03"
24.236.177.187 - - [15/May/2005:23:55:00 +0300] "GET /news_up.gif HTTP/1.1" 200 1086 "http://www.netdimes.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
24.236.177.187 - - [15/May/2005:23:55:00 +0300] "GET /community_up.gif HTTP/1.1" 200 1199 "http://www.netdimes.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
24.236.177.187 - - [15/May/2005:23:55:00 +0300] "GET /datastat_up.gif HTTP/1.1" 200 1233 "http://www.netdimes.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
24.236.177.187 - - [15/May/2005:23:55:00 +0300] "GET /science_up.gif HTTP/1.1" 200 1126 "http://www.netdimes.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

56
[root@jupiter httpd]# grep "GET / " access_log | tail -10
68.54.223.47 - - [19/May/2005:12:36:20 +0300] "GET / HTTP/1.1" 200 14067 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
132.76.80.118 - - [19/May/2005:12:49:44 +0300] "GET / HTTP/1.1" 304 - "http://www.eng.tau.ac.il/~shavitt/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
24.169.148.213 - - [19/May/2005:13:06:58 +0300] "GET / HTTP/1.1" 200 14067 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
84.170.181.64 - - [19/May/2005:13:07:14 +0300] "GET / HTTP/1.1" 200 14067 "http://www.google.de/search?hl=de&q=dimes&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
130.240.136.220 - - [19/May/2005:13:07:25 +0300] "GET / HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
81.72.13.30 - - [19/May/2005:13:11:00 +0300] "GET / HTTP/1.1" 200 14067 "http://www.miranet.it/php/Articolo.php?id=708" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.78.199.123 - - [19/May/2005:13:13:44 +0300] "GET / HTTP/1.1" 200 14067 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
82.152.182.12 - - [19/May/2005:13:23:10 +0300] "GET / HTTP/1.1" 200 14067 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.119.126.44 - - [19/May/2005:13:38:08 +0300] "GET / HTTP/1.1" 200 14067 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
80.250.186.101 - - [19/May/2005:13:46:14 +0300] "GET / HTTP/1.1" 200 14067 "http://distributed.ru/forum/?a=topic&topic=583" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"

57
Example of Log Analysis
June 5th, 2005
58
Webalizer access analysis
59
MultiQ
  • Analyzing incoming packet streams
  • Gaps between packets are used to calculate
    bottleneck link speeds
  • Multiple bottlenecks can be inferred

[M&M, MIT]
60
How does it work?
  • 50% of traffic is comprised of 1500 B packets
  • Behavior at the second bottleneck

Effect on dist.
Keep b.n. gap
white noise
Gap shifts reveal 2nd bottleneck
61
Three bottlenecks with one strike
62
Topology Discovery
63
from IP to AS routes
C:\>tracert www.fer.hr
Tracing route to www.fer.hr [161.53.72.111]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.200.254
  2    19 ms    20 ms    19 ms  vxr.tau.ac.il [132.66.8.10]
  3    17 ms    22 ms    20 ms  c6509.tau.ac.il [132.66.8.20]
  4    21 ms    19 ms    19 ms  tel-aviv.tau.ac.il [132.66.4.1]
  5    19 ms    23 ms    18 ms  gp1-tau-fe.ilan.net.il [128.139.191.70]
  6    20 ms    20 ms    20 ms  iucc.il1.il.geant.net [62.40.103.69]
  7    69 ms    69 ms    69 ms  il.it1.it.geant.net [62.40.96.154]
  8    82 ms    82 ms    82 ms  it.ch1.ch.geant.net [62.40.96.33]
  9   101 ms    98 ms    98 ms  ch.at1.at.geant.net [62.40.96.1]
 10   105 ms   105 ms   105 ms  at.hu1.hu.geant.net [62.40.96.178]
 11   117 ms   112 ms   113 ms  hu.hr1.hr.geant.net [62.40.96.145]
 12   113 ms   115 ms   115 ms  carnet-gw.hr1.hr.geant.net [62.40.103.218]
 13   120 ms   122 ms   123 ms  193.198.228.6
 14   114 ms   112 ms   119 ms  193.198.229.10
 15   120 ms   119 ms   119 ms  161.53.16.14
 16   114 ms   114 ms   113 ms  duality.cc.fer.hr [161.53.72.111]
Trace complete.
[Figure annotations on the trace: private network; Tel Aviv Uni.; AS378; ILAN; MACHBA; DANTE; AS20965; GEANT; HR-ZZ; CARnet; AS2108. AS route: 378, 20965, 2108]
64
How to map IP to AS?
  • BGP announcements
  • Use public databases
  • Internet Routing Registry (IRR),
    http://www.irr.net
  • whois servers
  • Commercial databases
  • MaxMind, etc.
  • Problem: incomplete and out-of-date
  • Due to acquisitions, mergers, break-ups of
    institutions

65
What is the AS level traceroute?
A
C
B
A-B-C
A
C
B
C-B-A
Are A and C neighbor ASes? What AS does the
middle router belong to, B or C?
66
The Internet Structure
routers
67
The Internet Structure
The AS graph
68
The Internet Structure
The AS graph
The PoP level graph
69
Delay Measurements
70
Minimum delay of a link
C:\>tracert www.fer.hr
Tracing route to www.fer.hr [161.53.72.111]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.200.254
  2    19 ms    20 ms    19 ms  vxr.tau.ac.il [132.66.8.10]
  3    17 ms    22 ms    20 ms  c6509.tau.ac.il [132.66.8.20]
  4    21 ms    19 ms    19 ms  tel-aviv.tau.ac.il [132.66.4.1]
  5    19 ms    23 ms    18 ms  gp1-tau-fe.ilan.net.il [128.139.191.70]
  6    20 ms    20 ms    20 ms  iucc.il1.il.geant.net [62.40.103.69]
  7    69 ms    69 ms    69 ms  il.it1.it.geant.net [62.40.96.154]
  8    82 ms    82 ms    82 ms  it.ch1.ch.geant.net [62.40.96.33]
  9   101 ms    98 ms    98 ms  ch.at1.at.geant.net [62.40.96.1]
 10   105 ms   105 ms   105 ms  at.hu1.hu.geant.net [62.40.96.178]
 11   117 ms   112 ms   113 ms  hu.hr1.hr.geant.net [62.40.96.145]
 12   113 ms   115 ms   115 ms  carnet-gw.hr1.hr.geant.net [62.40.103.218]
 13   120 ms   122 ms   123 ms  193.198.228.6
 14   114 ms   112 ms   119 ms  193.198.229.10
 15   120 ms   119 ms   119 ms  161.53.16.14
 16   114 ms   114 ms   113 ms  duality.cc.fer.hr [161.53.72.111]
Trace complete.
Negative delays
Link delay: 19 -2 2 -1 2 49 13 16 7 7 1 7 2 7 -6
Min.: 0 19 17 19 18 20 69 82 98 105 112 113 120 112 119 113
71
A delay of a link inside TAU
72
Auto-Correlation Histogram
Why periodic?
73
Maybe something wrong with the code?
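    #include <sys/timeb.h>   /* _ftime, struct _timeb (Windows CRT) */
    #include <winsock2.h>    /* struct timeval on Windows */

    int gettimeofday(struct timeval *tv, struct timezone *tz)
    {
        if (!tv) return -1;
        struct _timeb timebuffer;
        _ftime(&timebuffer);                            /* millisecond accuracy */
        tv->tv_sec = timebuffer.time;
        tv->tv_usec = timebuffer.millitm * 1000 + 500;  /* translate to µseconds */
        return 0;
    }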
74
New vs. Old timing routines
75
Auto-Correlation Histogram
Why periodic?
76
How to define distance between ASes?
  • Maybe the same as between nodes?
  • The distance between two ASes will be the
    distance between the two border routers
    connecting them

AS 378    AS 1248    AS 701
20ms 17ms 26ms 40ms
35ms 89ms 79ms 91ms

?
14ms
77
from IP to AS routes
C:\>tracert www.fer.hr
Tracing route to www.fer.hr [161.53.72.111]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.200.254
  2    19 ms    20 ms    19 ms  vxr.tau.ac.il [132.66.8.10]
  3    17 ms    22 ms    20 ms  c6509.tau.ac.il [132.66.8.20]
  4    21 ms    19 ms    19 ms  tel-aviv.tau.ac.il [132.66.4.1]
  5    19 ms    23 ms    18 ms  gp1-tau-fe.ilan.net.il [128.139.191.70]
  6    20 ms    20 ms    20 ms  iucc.il1.il.geant.net [62.40.103.69]
  7    69 ms    69 ms    69 ms  il.it1.it.geant.net [62.40.96.154]
  8    82 ms    82 ms    82 ms  it.ch1.ch.geant.net [62.40.96.33]
  9   101 ms    98 ms    98 ms  ch.at1.at.geant.net [62.40.96.1]
 10   105 ms   105 ms   105 ms  at.hu1.hu.geant.net [62.40.96.178]
 11   117 ms   112 ms   113 ms  hu.hr1.hr.geant.net [62.40.96.145]
 12   113 ms   115 ms   115 ms  carnet-gw.hr1.hr.geant.net [62.40.103.218]
 13   120 ms   122 ms   123 ms  193.198.228.6
 14   114 ms   112 ms   119 ms  193.198.229.10
 15   120 ms   119 ms   119 ms  161.53.16.14
 16   114 ms   114 ms   113 ms  duality.cc.fer.hr [161.53.72.111]
Trace complete.
[Figure annotations on the trace: private network; Tel Aviv Uni.; AS378; ILAN; MACHBA; DANTE; AS20965; GEANT; HR-ZZ; CARnet; AS2108; 2ms. AS route: 378, 20965, 2108]
79
DIMES AS distance definition (1)
  • Define the following distances:
  • MaxAS(n): the maximum delay to a node in AS n.
  • MinAS(n): the minimum delay to a node in AS n.
  • For AS edge (src,dest) define the distances:
  • MinASEdge(src,dest) = MinAS(dest) - MaxAS(src)
  • MaxASEdge(src,dest) = MaxAS(dest) - MaxAS(src)
  • All distances are positive.
  • Define ASDiameter(n) = MaxAS(n) - MinAS(n)

80
DIMES AS distance definition (2)
AS 378    AS 1248    AS 701
20ms 17ms 26ms 40ms
35ms 89ms 79ms 91ms

MinASEdge(378,1248) = 9ms
MinASEdge(1248,701) = 1ms (non negative.)
MaxASEdge(378,1248) = 63ms
MaxASEdge(1248,701) = 56ms
81
DIMES AS Diameter definition
AS 378    AS 1248    AS 701
20ms 17ms 26ms 40ms
35ms 89ms 79ms 91ms

diameter 9ms    diameter 54ms    diameter 12ms
82
Measurement Projects
83
ETOMIC (Evergrow Traffic Observatory Measurement
InfrastruCture) http://www.etomic.org
  • Active precise one-way delay measurement.
  • Specialized hardware.
  • With packet train techniques one can:
  • Estimate available bandwidth
  • Bottleneck capacity
  • Perform network tomography
  • 18 boxes were deployed in Europe.
  • More have been deployed this year

84
ETOMIC Deployment
85
Hardware Structure
  • A PC with a
  • DAG card
  • high precision sampling hardware
  • high precision packet train generation
  • GPS connection
  • For synchronized timing

86
The GPS module
  • Garmin 35HVS GPS receiver
  • 1 µs PPS signal
  • RS 232 / RS 422 converter, max 100m cable


Serial port
RS422->232
PC
DAG PPS
RS232->422
87
The Endace DAG 3.6GE card
  • PCI bus: 32 bit, 33 MHz
  • Single port full packet capture at 10/100/1000
    Mbit/s
  • Precise timestamping
  • Burst of patterned traffic generator sending
    special packets at 10/100/1000 Mbit/s

88
ATOMIC -> ANME
89
Skitter http://www.caida.org/tools/measurement/skitter
  • Primarily intended to be used to measure forward
    IP paths (each hop) from a source to many
    destinations.
  • traceroute based
  • Based on FreeBSD box with kernel modification for
    timestamp accuracy.
  • Deployment: 20-30 skitter hosts, worldwide (half
    in the USA).

90
Skitter Goals
  • Measure Forward IP Paths: skitter records each hop
    from a source to many destinations by
    incrementing the "time to live" (TTL) of each IP
    packet header and recording replies from each
    router (or hop) leading to the destination host.
  • Measure Round Trip Time: skitter collects round
    trip time (RTT) along with path (hop) data.
    skitter uses ICMP echo requests as probes to a
    list of IP destinations.
  • Track Persistent Routing Changes: skitter data can
    provide indications of low-frequency persistent
    routing changes. Correlations between RTT and
    time of day may reveal a change in either forward
    or reverse path routing.
  • Visualize Network Connectivity: By probing the
    paths to many destination IP addresses spread
    throughout the IPv4 address space, skitter data
    can be used to visualize the directed graph from
    a source to much of the Internet.

91
Skitter Visualization
92
2003: 12,517 nodes, 35,334 edges
93
RTT and loss plot
94
Archipelago (Ark)
  • 43 monitors
  • 3 commercial
  • IPv4 and IPv6

95
  • 25th, 50th, and 75th percentiles

96
RouteViews http://www.routeviews.org
  • Peers with 70 ASes (mostly backbones) to collect
    their BGP paths
  • The largest and most reliable source of AS level
    routing and interconnectivity.

97
Animating BGP Routing
98
BGP Routing Table Growth
99
NLANR http://www.nlanr.net
  • The National Laboratory for Applied Network
    Research (NLANR)
  • Lots of measurement data
  • Active Measurement Project (AMP)
  • 150 universities with high-performance
    connections measure to each other.
  • Passive Measurement and Analysis (PMA)
  • Headers taken daily from OC3 - OC48 speed links.

100
Ono
  • A plugin for the Vuze (Azureus) BitTorrent Client
  • 3.5M measurements a day
  • Over 3000 ASes a year
  • A few hundred measurements per client
  • Measure only to other clients

101
iPlane: An Information Plane for Distributed
Services
  • Performs traceroutes from PlanetLab nodes and
    traceroute servers to construct a router
    interface-level Internet map.
  • Clustering interfaces into PoPs
  • Based on TTL response time
  • Latency prediction

102
PlanetLab
  • 1080 nodes over 496 (academic) sites
  • Bare-bones machines. Load your own tool.
  • Host various measurement projects
  • DIMES
  • iPlane
  • ScriptRoute (flexible scripts)

103
Scamper
  • A tool for network measurement
  • IPv4 and IPv6
  • Parallel measurements
  • Measurement rate control
  • Measurement types: UDP, ICMP, TCP, UDP-paris, and
    ICMP-paris.
  • By default, UDP is used.