Towards Active IP Accounting
Franco Travostino
[email protected]
Nortel Networks TechCenter
Genesis
What are programmable, active networks good for, now?
How would you future proof IP Accounting?
Active IP Accounting
Outline
IP Accounting
IP Accounting’s long tooth
Active IP Accounting
First class abstractions
Implementation
Empirical results
Conclusion
IP Accounting
[Figure: Network Nodes (meters) --accounting protocol--> Accounting Server --> Accounting Applications: Billing, Auditing, Planning, Surveillance]
IP Accounting concerns the collection of usage metrics relating to IP networks
IP Accounting shows a long tooth
Accounting data volumes grow linearly with bandwidth
IP trunks are commonly used for data and voice
Very high-value traffic coexists with low-value traffic
Increasingly, customer care is a hot area for differentiation
Customer care may demand selective real-time data mining
Intrusion and DoS detection demand real-time operations
Need adaptive pricing that reflects and promotes utilization
Standardization efforts (e.g., RMONs) lag the feature curve
Vertically integrated solutions jeopardize interoperability
The Active IP Accounting paradigm
[Figure: Network Nodes deliver high goodput to the Accounting Server and to the Accounting Applications: Billing, Auditing, Planning, Surveillance]
Network nodes custom prep IP accounting data and peer ad-hoc accounting protocols
A day in life
[Figure: message exchange between the Accounting Server and the Network Nodes, with the Accounting Applications on top; the nodes deliver high goodput]
Accounting Server: Too much data, zoom out. Apply this code for 1% lossy data reduction (interpose plugin)
Network Nodes: Here's the reduced accounting data
Accounting Server: New contract in, zoom back in. Interpose this code that weights in hot/slow path and rank flows per this value function (interpose plugin)
Network Nodes: accounting data
Another day in life
Control message: Make flows bidirectional and select flows for real time transfer back (interpose plugin)
Network Nodes: accounting data in real-time ...
A fraud watchdog goes off. Control message: Deploy this Fraud/DoS analyzer (interpose plugin)
H.323 traffic spotted. Apply this code for H.323 flow correlation (interpose plugin)
Network Nodes: accounting data in real-time ...
[Figure: Network Nodes deliver high goodput to the Accounting Applications]
In place works better: a metaphor
1) Brake! 2) ABS detects lockups and will pump the brakes
ABS brakes are a Turing machine that exploits locality
Node-local organization
[Figure: inside a Network Node. Machine-dependent layer: Hardware, Meters, Classifier. Machine-independent layer, the Virtual Accounting Device: Publisher and interpose plugins. Input: new policy in. Output: prep'd accounting data out]
Two first class abstractions
1. The flow is the unit of accounting data
• # flows << # packet traces
• Some primitive flow types are burned into the node for efficiency
• Flow type negotiation and selection can happen at runtime
• Accounting data recipients perform dynamic flow layout discovery
2. The plugin is the unit of action executed on accounting data by the network node
• It's not necessarily known a priori to anyone
• A plugin dynamically stacks upon or below any other plugin
Flows
Flows are Objects
Data: protocol, IP src, IP dst, port src, port dst, #bytes, #packets, timestamp, etc.
Code for primitive operations: add(), isSameAs(), isReciprocalOf()
Multiple types supported; flow types derive from root IP Flow
[Figure: type hierarchy. IP Flow is the root; derived types shown are QoS Flow, L2Tag Flow, Hot/SlowPath Flow and DiffServ Flow]
Why multiple flow types?
Flow types harvest information readily available at the node (above and beyond RMONs)
Example:
[Figure: code paths in a network node: control plane and forwarding plane, hot and cold paths]
An instance of a flow object with Hot/Slow Path information:
protocol 6, IP src 124.24.3.38, IP dst 241.43.5.59, port src 2049, port dst 21, 116 packets, 1.5 MB, timestamp 12:00
Packets per code path: 3, 18, 95 (116 in total)
Flow polymorphism
All IP Flow derived flows support polymorphic operations
• flow.add(that); // add that flow to this flow
• flow.isSameAs(that); // true if flows are the same
• flow.isReciprocalOf(that); // same flow, different direction
Multiple options if the two operand flow types are heterogeneous
• Throw an exception
• Demote to the first common ancestor
• Operate on common fields only, ignore the rest
• Operate on common fields only, set "don't care" to the rest
This way, plugins can be coded to be flow type independent
• And one can switch among flow types without changing plugins
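The flow object model and the four options for heterogeneous operands, worked through as an added example (this is not the slides' Java code or any Nortel code; Python is used here because the slides describe the model, not an API). The class names IPFlow, QoSFlow and HotSlowPathFlow mirror the type hierarchy on the slides; the policy names, the dscp field, the per-code-path labels ("control", "cold", "hot") and the uniq_flows plugin are assumptions made for the example. The sample instance is the flow shown on the slides (protocol 6, 124.24.3.38:2049 to 241.43.5.59:21, 116 packets, 1.5 MB, 3/18/95 packets per code path).

```python
from dataclasses import dataclass, field, fields, replace


def common_ancestor(a, b):
    """First class in a's inheritance chain that b is also an instance of."""
    for cls in type(a).__mro__:
        if isinstance(b, cls):
            return cls


def demote(flow, cls):
    """Copy flow as an instance of the ancestor type cls, keeping only cls's fields."""
    return cls(**{f.name: getattr(flow, f.name) for f in fields(cls)})


def _merge(a, b):
    """Add two counter values: plain numbers sum, per-path dicts sum key by key."""
    if isinstance(a, dict):
        out = dict(a)
        for k, v in b.items():
            out[k] = out.get(k, 0) + v
        return out
    return a + b


@dataclass
class IPFlow:
    """Root flow type: the 5-tuple that identifies the flow plus its counters."""
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    bytes: int = 0
    packets: int = 0

    # Fields that accumulate under add(); the remaining fields identify the flow.
    COUNTERS = frozenset({"bytes", "packets", "path_packets"})

    def key(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)

    def is_same_as(self, that):
        return self.key() == that.key()

    def is_reciprocal_of(self, that):
        # Same flow seen from the other direction: endpoints and ports swapped.
        return self.key() == (that.proto, that.dst, that.src, that.dport, that.sport)

    def add(self, that, policy="demote"):
        """Return self + that. policy selects the behaviour for heterogeneous types:
        'throw', 'demote' (first common ancestor), 'common' (common fields only,
        rest kept as is) or 'common_dontcare' (common fields only, rest set to None)."""
        if type(self) is not type(that):
            if policy == "throw":
                raise TypeError(f"cannot add {type(that).__name__} to {type(self).__name__}")
            if policy == "demote":
                anc = common_ancestor(self, that)
                return demote(self, anc).add(demote(that, anc))
        common = {f.name for f in fields(self)} & {f.name for f in fields(that)}
        updates = {n: _merge(getattr(self, n), getattr(that, n)) for n in common & self.COUNTERS}
        if policy == "common_dontcare":
            updates.update({f.name: None for f in fields(self) if f.name not in common})
        return replace(self, **updates)


@dataclass
class QoSFlow(IPFlow):
    """IP Flow extended with the DSCP code point the node classified it under (assumed field)."""
    dscp: int = 0


@dataclass
class HotSlowPathFlow(IPFlow):
    """IP Flow extended with per-code-path packet counts."""
    path_packets: dict = field(default_factory=dict)


def uniq_flows(flows, policy="demote"):
    """Flow-type-independent plugin: collapse records with the same key into one record."""
    merged = {}
    for f in flows:
        k = f.key()
        merged[k] = merged[k].add(f, policy) if k in merged else f
    return list(merged.values())


def sample_flow():
    """The flow instance shown on the slides; the code-path labels are constructed."""
    return HotSlowPathFlow(6, "124.24.3.38", "241.43.5.59", 2049, 21,
                           bytes=1_500_000, packets=116,
                           path_packets={"control": 3, "cold": 18, "hot": 95})


if __name__ == "__main__":
    f = sample_flow()
    q = QoSFlow(6, "124.24.3.38", "241.43.5.59", 2049, 21, bytes=1_000, packets=10, dscp=46)
    print(f.add(q))                    # demoted to IPFlow, counters summed
    print(f.add(q, policy="common"))   # stays HotSlowPathFlow, path counts untouched
    print(uniq_flows([f, q]))
```

uniq_flows never inspects the concrete flow type, which is the property the slide is after: switching the node from IP Flow to Hot/SlowPath Flow changes what add() accumulates but not the plugin.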
Accounting plugins perform
Flow adding, ranking
Flow correlation according to lower-than-IP or higher-than-IP session information (e.g., VLAN or H.323)
Pre-paid debit card or toll-free semantics
Active management of accounting accuracy and data reduction
Custom extensions to the set of monitored resources
Intrusion analysis, DoS detection
VPN-specific accounting
Adaptation between flow layouts and accounting wire protocols
Peering of custom accounting wire protocols in support of real-time data mining or confidentiality requirements
Plugins sampler
Make flows bidirectional
Uniq flows
n-dimensional flow ranking (argument: best-value function)
Peer real-time wire protocol
Noise reduction (argument: threshold)
H.323 flow correlation
Best-value functions
Some accounting plugins have the mission to translate an ISP's business model into actual code
These plugins take a best-value function as input to realize a custom n-dimensional comparison of flows
• How shall I weight the #bytes transferred per flow?
• How shall I weight the #packets per flow?
• How shall I weight the QoS info in the flow?
• How shall I weight the hot/slow path info per flow?
• How shall I weight TCP vs. UDP?
• Etc.
This free-form ranking improves over uni-dimensional flow ranking
Especially useful when we back-pressure the node and want to prune the least $ignificant flows
Best-value functions 2
Example. The accounting application is a real-time monitoring application with finite flow capacity for each target node
[Figure: two histograms of number of flows (log scale, 1 to 100000) against bytes carried in the unit of time, bucketed as 0, 0.001-0.1 KB, 0.1-1 KB, 1-10 KB, 10-100 KB, 100 KB-1 MB, 1-10 MB, >10 MB. The second histogram splits each bucket into Gold, Silver and Bronze flows and labels the bars 1 to 8 in throttling order]
First chart:
• No best-value function, unidimensional ranking (a la Host Top N)
• Node throttles flows from left to right
Second chart:
• Best-value function, with 2-dimensional ranking
• Node throttles flows labeled with highest number
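An added example (not code from the slides or from Nortel) of what the two charts above contrast: a uni-dimensional Host Top N ranking on bytes, beside an n-dimensional best-value function built from the weights the slide lists (bytes, packets, QoS info, hot/slow path info, TCP vs. UDP), applied when the node is back-pressured to a fixed flow capacity. The FlowRec record, the gold/silver/bronze weights, the log-scaling of byte and packet counts and the five sample flows are all constructed for the example; the weights stand in for an ISP business model and are not values from the slides.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRec:
    """Minimal flow record for ranking (constructed; not the slides' flow object)."""
    name: str
    proto: int           # 6 = TCP, 17 = UDP
    bytes: int
    packets: int
    qos: str             # "gold" | "silver" | "bronze"
    hot_fraction: float  # share of the flow's packets that took the hot (fast) code path


QOS_WEIGHT = {"gold": 3.0, "silver": 2.0, "bronze": 1.0}


def host_top_n(flows, n):
    """Uni-dimensional ranking, a la Host Top N: bytes decide everything."""
    return sorted(flows, key=lambda f: f.bytes, reverse=True)[:n]


def make_best_value(w_bytes, w_packets, w_qos, w_slowpath, w_tcp):
    """Build a best-value function from the ISP's weights (constructed weighting scheme).
    Byte and packet counts enter on a log scale so one elephant flow cannot drown the
    other dimensions; the slow-path share is weighted because it costs the node CPU."""
    def value(f):
        return (w_bytes * math.log10(f.bytes + 1)
                + w_packets * math.log10(f.packets + 1)
                + w_qos * QOS_WEIGHT[f.qos]
                + w_slowpath * (1.0 - f.hot_fraction)
                + w_tcp * (1.0 if f.proto == 6 else 0.0))
    return value


def rank_and_throttle(flows, value, capacity):
    """Under back-pressure keep the `capacity` best-value flows; return (kept, pruned)."""
    ranked = sorted(flows, key=value, reverse=True)
    return ranked[:capacity], ranked[capacity:]


# Constructed sample flows observed on one node in one interval.
SAMPLE_FLOWS = [
    FlowRec("bulk-ftp", 6, 50_000_000, 40_000, "bronze", 0.99),
    FlowRec("voip", 17, 300_000, 3_000, "gold", 0.90),
    FlowRec("web", 6, 2_000_000, 2_000, "silver", 0.95),
    FlowRec("chatty", 6, 50_000, 1_500, "bronze", 0.10),
    FlowRec("dns", 17, 20_000, 200, "bronze", 0.80),
]

# Weights standing in for a business model that values QoS class and slow-path cost.
BEST_VALUE = make_best_value(w_bytes=1.0, w_packets=0.5, w_qos=2.5, w_slowpath=3.0, w_tcp=0.5)


if __name__ == "__main__":
    print("Host Top N keeps:", [f.name for f in host_top_n(SAMPLE_FLOWS, 2)])
    kept, pruned = rank_and_throttle(SAMPLE_FLOWS, BEST_VALUE, 2)
    print("best-value keeps:", [f.name for f in kept], "prunes:", [f.name for f in pruned])
```

With a capacity of two flows, Host Top N keeps the bulk transfer and the web flow and drops the gold-class voice flow; the best-value ranking keeps voice and web and prunes the bronze bulk transfer first, which is the "least $ignificant" flow under that business model even though it carries the most bytes.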
Who's in control?
We exert node control by selecting flow types and/or plugins
Are we Active Networks? Are we Programmable Networks?
User:
• Customer-care choices influence node's accounting
• Traffic triggers plugins' loading
• Explicit control (e.g., for parental surveillance)
Manufacturer:
• WAT pre-loading of plugins and flow types
ISP:
• WAT or JIT loading
• Active management of accounting plug-ins and flow types
• Coordination of accounting apps.
Implementation
Programming language: mostly Java ™
[Figure: efficiency vs. expressive power. Meters in C with CAM demux sit at the efficiency end; plugins in pure Java sit at the expressive-power end]
Plugins' framework: Hierarchical composition of plugins from a Java implementation of UNIX Streams ™
Resource safety: Derived from earlier work on a JVM that supports mutually suspicious principals
Throughput analysis
[Figure: Network Node with Hardware, Meters, Classifier and the Virtual Accounting Device; packet traces are produced in C-land and handed to the O-O programming model for flows in Java-land]
In Java-land: up to ~450,000 traces/sec (in C: ~700,000 traces/sec)
Throughput analysis 2
[Figure: the Network Node (Hardware, Meters, Classifier, Virtual Accounting Device) ranks flows in place, turning unsorted flows into best-value flows first. Chart: time in usecs (0 to 600000) against number of flows (3000, 10000, 20000, 30000), Java vs. C]
Accounting data reduction
[Figure: accounting data (bytes, log scale, 1 to 1.0E+08) against processing steps: packet traces -> flows -> 0 bytes suppressed -> bidirectional flows -> rank with best-value function -> lossy reductions (+++). From: packet traces; To: Billing, Auditing, Planning, Surveillance]
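The reduction chain above, written out as an added example of stacked plugins (not the slides' Streams-based Java framework or any Nortel code): each stage consumes the accounting data of the stage below it, and the run reports how many records and bytes remain after every step. The fixed record layouts used to size the data, the threshold of 500 bytes, the capacity of two flows, the toy best-value function (bytes plus a bonus for UDP) and the packet traces for one interval are all constructed for the example.

```python
import struct

# Record layouts used only to size the accounting data at each step (constructed).
TRACE_FMT = "!B4s4sHHHI"   # proto, src, dst, sport, dport, length, timestamp
FLOW_FMT = "!B4s4sHHQQ"    # proto, src, dst, sport, dport, bytes, packets
TRACE_SIZE = struct.calcsize(TRACE_FMT)   # 19 bytes per packet trace
FLOW_SIZE = struct.calcsize(FLOW_FMT)     # 29 bytes per flow


def trace(proto, src, dst, sport, dport, length, ts=0):
    """One packet trace as emitted by the meters (addresses kept as strings for readability)."""
    return (proto, src, dst, sport, dport, length, ts)


# --- plugins: each maps the accounting data of the stage below to its own output ---

def traces_to_flows(traces):
    """Uniq flows: aggregate packet traces into flows keyed by the 5-tuple."""
    flows = {}
    for proto, src, dst, sport, dport, length, _ts in traces:
        k = (proto, src, dst, sport, dport)
        b, p = flows.get(k, (0, 0))
        flows[k] = (b + length, p + 1)
    return flows


def suppress_zero_bytes(flows):
    """Drop flows that carried no bytes at all."""
    return {k: v for k, v in flows.items() if v[0] > 0}


def make_bidirectional(flows):
    """Merge each flow with its reciprocal (same endpoints, opposite direction)."""
    out = {}
    for (proto, src, dst, sport, dport), (b, p) in flows.items():
        rev = (proto, dst, src, dport, sport)
        k = rev if rev in out else (proto, src, dst, sport, dport)
        ob, op = out.get(k, (0, 0))
        out[k] = (ob + b, op + p)
    return out


def noise_reduction(threshold):
    """Lossy: discard flows below `threshold` bytes (argument: threshold)."""
    return lambda flows: {k: v for k, v in flows.items() if v[0] >= threshold}


def rank_with_best_value(value, capacity):
    """Lossy: keep only the `capacity` best flows (argument: best-value function)."""
    def stage(flows):
        ranked = sorted(flows.items(), key=lambda kv: value(kv[0], kv[1]), reverse=True)
        return dict(ranked[:capacity])
    return stage


def run_pipeline(traces, stages):
    """Push the traces through the stacked plugins; return (report, final flows), where
    report lists (stage name, records, accounting bytes) for every step."""
    report = [("packet traces", len(traces), len(traces) * TRACE_SIZE)]
    data = traces
    for name, stage in stages:
        data = stage(data)
        report.append((name, len(data), len(data) * FLOW_SIZE))
    return report, data


def default_stages():
    # Toy best-value function: bytes, plus a bonus for UDP flows (e.g. voice) billed higher.
    value = lambda key, counters: counters[0] + (10_000 if key[0] == 17 else 0)
    return [
        ("flows", traces_to_flows),
        ("0 bytes suppressed", suppress_zero_bytes),
        ("bidirectional flows", make_bidirectional),
        ("noise reduction (threshold=500)", noise_reduction(500)),
        ("rank with best-value function (capacity=2)", rank_with_best_value(value, 2)),
    ]


def build_sample_traces():
    """Constructed traces for one interval: a bulk transfer and its ACK stream, a UDP
    signalling flow, a tiny query/reply pair, an HTTPS flow, zero-length events and
    twenty one-packet flows that are pure noise."""
    t = []
    t += [trace(6, "124.24.3.38", "241.43.5.59", 2049, 21, 1500)] * 100
    t += [trace(6, "241.43.5.59", "124.24.3.38", 21, 2049, 60)] * 50
    t += [trace(17, "10.0.0.5", "10.0.0.9", 5060, 5060, 200)] * 30
    t += [trace(17, "10.0.0.7", "10.0.0.9", 40000, 53, 70)] * 2
    t += [trace(17, "10.0.0.9", "10.0.0.7", 53, 40000, 150)] * 2
    t += [trace(6, "10.0.0.5", "10.0.0.12", 443, 51000, 800)] * 10
    t += [trace(6, "10.0.0.3", "10.0.0.9", 3000, 80, 0)] * 5
    t += [trace(6, f"192.168.1.{i}", "10.0.0.9", 50000 + i, 80, 40) for i in range(1, 21)]
    return t


if __name__ == "__main__":
    report, final = run_pipeline(build_sample_traces(), default_stages())
    for name, n, nbytes in report:
        print(f"{name:45s} {n:5d} records {nbytes:6d} bytes")
```

On the constructed input the lossless steps (flows, zero-byte suppression, bidirectional merge) already cut 4161 bytes of traces to 696 bytes of flows, and the two lossy steps leave 58 bytes; the whole chain is a list of stage functions, so interposing a plugin is a list insert, which is the operation the earlier "day in life" slides perform from the accounting server.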
Packaging
Active IP Accounting runs in a physical (co-processor mode) or logical partition (software mode) of a network node
Co-processor mode is preferred; industry is trending this way
• Manufacturers already plan for RMON blades
It comes as a developer kit containing:
• A library of sample flow types (pure Java)
• A library of sample plugins (pure Java)
• The Virtual Accounting Device (pure Java)
• Its adaptation, machine-dependent code for target platforms (in C)
• An optional GUI for plugin/flow management (pure Java)
Conclusion
Active IP Accounting exploits node-locality and increases the level of control over accounting data
It's ideally suited to those accounting applications that demand real-time accounting data mining
• E.g., real-time surveillance, billing, fraud detection
Isolated from end-to-end data paths, it's a realistic stepping stone for programmable/active networks
Overhead in the Java version is not a show stopper
• Multiple effectiveness/efficiency trade-offs available
And now on to chase these DoS attackers in real time!