An overview on Internet Measurement Methodologies, Techniques and Tools

An overview on Internet

Measurement Methodologies,

Techniques and Tools

AA 2012/2013

[email protected]

(Agenda) Lezione 24/04/2013

¤  Traffic exchange (peering)

¨  Measurement Topics

¤  Active vs passive

n  tools overview (we will see them in the next classes)

¤  One or many obs. points

¤  Net vs App

n  The IPPM framework

¤  Sampling techniques

Part 2

(Agenda) Lezione 2/05/2012

Part 3

¨  The most common metrics

¨  Availability

¨  Reliability

Who need to measure Internet

traffic and performance?

¨ 

Corporate administrators who buy network service

for their organization.

¨ 

Smaller service providers who buy network service

from a larger provider and resell it to their own

customers.

¨ 

Anyone buying outsourced Services who must judge

the service provider’s ability to serve their end user

community adequately.

Who need to measure Internet

traffic and performance?

¨ 

Course Projects:

¤ 

A projects on network measurement and analysis, e.g.

to collect and characterize the network traffic

generated from your internet connection

Basic Terminology

Networks and Internets def.

¨ 

A network is a collection of hosts connected together

so that they can exchange information.

¨ 

Hosts in a network communicate using a

mutually-agreed network protocol, i.e. they exchange

packets of information

¨ 

An internet is a collection of networks with links

between them

¨ 

Routers are devices with links to more than one

network

Adjacency, Connectivity, Internet

and Intranets

¨ 

The Internet is the internet of networks that use the

TCP/IP suite of protocols

¨ 

The Internet can be viewed as a graph in the sense

that it is

¤ a set of nodes (networks containing routers) and

¤ edges between them (links between routers)

Visualization from the Opte Project of the various routes through a portion of the Internet (http://opte.org/)

[email protected] ©

http://www.caida.org/research/topology/as_core_network/

An Autonomous System (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet.

Old definition RFC 1771 New definition RFC 1930 A unique ASN is allocated to each AS for use in BGP routing. AS numbers are important

because the ASN uniquely identifies each network on the Internet.

RFC: Request for Comment

¨  In computer network engineering, a Request for Comments

(RFC) is a memorandum describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems

¨  RFC are usually published by the RFC Editor on behalf of the

Internet Engineering Task Force (IETF), ¨  http://www.ietf.org/rfc.html

Adjacency and Reachability

¨ 

We describe two networks as adjacent if there is at

least one link directly between them

¨ 

A network is reachable from another network if

there is a path between them

¤ 

reachability is one-way; X may be reachable from Y

while Y is unreachable from X

n e.g. VPN à Internet; Internet à VPN

¤ 

two networks are connected if there is a path (made

up of one or more routers and/or links) between them

that provides reachability in both directions

Connectivity

¨ 

A distinguishing feature of the Internet is that it

provides universal connectivity to its hosts—every

host is connected to every other host and able to

communicate with it

¤ 

individual hosts within a network may be prevented

from communicating with Internet hosts by a firewall;

such hosts do not have Internet connectivity

Network layers

¨  Once connectivity is established, it becomes possible for a

network to provide services

¤  e-mail is one example of such a service.

¨  It is useful to think of network services as being implemented in

layers.

¨  Each layer is considered an entity in itself, providing support

for higher layers

¤  This allows each layer to be developed independently of the other

layers, which is an effective simplification.

Firewall and Intranet

¨  A firewall is a hardware device or a software program running

on a secure host that sits at the junction point or gateway

between two networks usually a private network and a public network such as the Internet, and has connectivity to both

¨  An intranet is an internet using TCP/IP, but in which all the hosts

belong to a single organization, for example a large company with office networks at various geographic locations.

¤  hosts on an intranet are only accessible to members of the

organization that owns it

¤  an intranet is not part of the Internet

¤  an intranet may have some hosts that are Internet-connected

Who provide connectivity

Internet Service Providers

ISP common concept

¨ 

ISPs provide a complete range of services, e.g. they

will

¤ 

Connect networks (or individual hosts) to the Internet

¤ 

Provide services for their customers such as e-mail,

network news and Web access

Specialized ISP

Transport providers

¨ 

Traffic Exchange providers (Internet Exchange

Points)

¨ 

Service providers

¨ 

Content providers

Transport providers

¨  ISP running their own wide-area network and provide Internet

connectivity for their customers via that network ¤  e.g. telecom, fastweb

¨  ISPs who focus on end-user customers can be described as access

providers

¨  ISPs having high-speed networks covering large geographical

areas and connecting to many other ISP networks are commonly described as backbone providers

¤  A special case of transport provider is a transit provider, i.e. one whose

customers are other transport providers rather than individuals or companies.

E.g. Verizon transport provider

http://www.wiley.com/legacy/compbooks/press/ch14.htm

Many ISP cover all the layers, other only a portion

[email protected] ©

Relathionship between networks

¨  The relationships between networks are generally described

by one of the following three categories:

¤  Transit (or pay) – The network operator pays money (or settlement)

to another network for Internet access (or transit).

¤  Peer (or swap) – Two networks exchange traffic between each

other's customers freely, and for mutual benefit.

¤  Customer (or sell) – Another network pays a network money to

Transit providers: Peering

¨  Peering: how providers agree to cooperate

¤  peering is a voluntary interconnection of administratively separate

Internet networks for the purpose of exchanging traffic between the customers of each network.

n  The pure definition of peering is settlement-free or "sender keeps all,"

meaning that neither party pays the other for the exchanged traffic; instead, each derives revenue from its own customers.

¤  Peering requires physical interconnection of the networks, an

exchange of routing information through the Border Gateway

Protocol (BGP) routing protocol and is often accompanied by peering agreements of varying formality

Peering and network relathions

¨  Bilateral peering: exchange of routing information

¤  each ISP becomes aware of the other's routes to their customers'

networks. Information received/transmitted is used to control the flow of traffic exchanged with the outside

¤  ISPs may or may not agree to carry traffic to some or all of those

customers

n  the details are determined by a contract between the two providers.

¨  Transit: carry traffic on behalf of another ISP

¤  traffic may be carried with or without exchange of routing info

[email protected] ©

http://www.wiley.com/legacy/compbooks/press/ch14.htm

Traffic

measured @

NaMeX (RM)

and MIX-IT

(MI)

Traffic

measured @

NaMeX (RM)

and MIX-IT

(MI)

[email protected] ©

Traffic

measured @

NaMeX (RM)

and MIX-IT

(MI)

An issues to be aware of:

Oversubscription

[email protected] ©

3 messages between hosts. Once connectivity is

established, it becomes possible for a network to provide

services; e-mail is one example of such a service.

It is useful to think of network services as being implemented in layers. Each layer is considered an entity in itself, providing support for higher layers. This allows each layer to be developed independently of the other layers, which is an effective simplification.

The commonly used layers are listed in Figure 1. The layer numbers were assigned by the Open Systems Interconnection (OSI) Reference Model [OSI-REF], and are widely used as shorthand for the layer names.

1 Physical Provides hardware interfaces

between machines

2 Link Sends and receives packets on

interfaces

3 Network Carries packets between hosts so

as to form networks

4 Transport Provides well-defined information

transport for applications

5-7 Application Provides application services to

users Figure 1: Network layers

2. Internet Service Providers (ISPs)

Companies that provide connectivity to the Internet are known as Internet Service Providers. Many ISPs provide a complete range of services, e.g. they will

• Connect networks (or individual hosts) to the Internet

• Provide services for their customers such as e-mail, network news and Web access

• Provide support services such as Web hosting

Other ISPs may, however, choose to concentrate on particular services, as discussed below.

2.1. Transport

Transport providers are ISPs who run their own

wide-area network and provide Internet connectivity for their customers via that network. ISPs having high-speed networks covering large geographical areas and connecting to many other ISP networks are commonly described as backbone providers. A special case of transport provider is a transit provider, i.e. one whose customers are other transport providers rather than individuals or companies. The notion of transit is discussed in section 2.4 (below).

ISPs who focus on end-user customers can be described as access providers. Access providers connect customer networks to the ISP's own network, and thus to the Internet. Customer connections may use various technologies, e.g. dial-in modems (low speed) or fixed connections (higher speeds).

One issue that customers need to be aware of is

over-subscription. To help define this term, we introduce two

others: proximal, meaning “very near” and its opposite,

distal, meaning "far away".

An access provider's network (illustrated in Figure 2) connects to other transport provider networks via fixed links with a well-defined maximum capacity, for example, a T3 link, with 45 Mbps capacity. We'll call this the

proximal capacity, because it is nearer to the Internet

backbone. Access Provider Network customer 1 … customer N Transport Provider Network proximal capacity distal capacity Internet Access Provider Network customer 1 … customer N Transport Provider Network proximal capacity distal capacity Internet

Figure 2: Example of a (small) ISP network oversubscription ratio R

R = (total distal capacity) / (proximal capacity) R>1 means oversubscription

Service providers

Web hosting/housing

¨ 

Application service providers

¤ 

complex applications with web service access

n Software as a Service ¤ 

development platform

Infrastructure providers

Infrastructure as a Service

Large ASPs built their own network:

http://community.comsoc.org/blogs/alanweissberger/googles-largest-internal-network-interconnects-its-data-centers-using-software

Content Providers

¨ 

Any network host that is the source of

downloadable content

¨ 

Content delivery networks

¤ 

CDNs are used by popular commercial Web sites to

Lord Kelvin said, “

when you can measure what

you are speaking about, and express it in numbers,

you know something about it; but when you cannot

measure it, when you cannot express it in numbers,

your knowledge is of a meager and unsatisfactory

kind”

Measurement Topics

Why measurement

¨  Without measurements, you have no objective record or

benchmark of how a network behaves

¨  Measurements show whether changes improve or degrade the

network’s performance, and by how much

¨  If you are buying Internet connectivity from an ISP you need to

understand the kind of service being offered

¤  Only by measuring actual performance can you verify that you're

Active vs. Passive measurement

¨ 

Passive measurements: by observing normal network

traffic

¤ Not invasive

¤ Challenging when rate increases

¤ tools: e.g. tcpdump, CoralReef, NeTraMet

¨ 

Active measurements: by sending test traffic into the

network

¤ Invasive

¤ tools: e.g. Scamper

One or Many observation points

¨  Some measurements rely on observations at more than one

point in the network

¤  to measure the time a packet takes to travel from A to B, you must

record the times when the packet leaves A and arrives at B using accurate, synchronized clocks.

¨  For measuring traffic flows through a large network is not a

good idea observing flows at many points

¤  It is difficult to correlate measurements of flows taken simultaneously at

even a few different places

¤  It is much simpler to measure traffic at the ingress/egress links of your

network

¤  Follow individual packets on their various paths through the network

ONLY IF you need to produce a traffic matrix showing overall traffic flows through it

Network vs. Application Measurements

¨  Application-level measurements are needed for a clear view

of overall application performance, which cannot easily be synthesized from lower level data

¤  They may also offer some insights into the performance of the client and

server hosts, and of the network links between.

¨  Application measurements allow to bypass traffic filtering

¤  some ISPs today block ICMP echo packets or limit the rate at which they

are processed

¤  measurements using such packets (e.g. using ping) are still useful, but the

increasing use of traffic filtering is decreasing that utility

¨  RFC 2330 clarify the difference between application and

network metrics

ISP performance evaluated using Application Measurement by www.truenet.co.nz/

The IPPM Framework

(started in 1998 still active)

¨  To clarify the differences between application and network metrics, the

IETF's IP Performance Metrics (IPPM) WG has developed a Measurement Framework for measuring network performance

¤  RFC 2330: Framework for IP Performance Metrics

¨  The Framework presents

¤  terms for describing networks,

¤  explains the need for metrics to be useful, concrete, well defined, and capable

of being measured repeatedly and reliably

¨  With the Framework defined, the IPPM WG has continued to specify

network metrics such as

¤  A One-way Delay Metric for IPPM -- RFC 2679

¤  IPPM metrics for measuring connectivity -- RFC 2678

Sampling Techniques and Traps

Observing packet

¤ 

packet missing is not admitted

¤ 

if packets were missed the number of lost packets must

be reported

¨ 

What to do when packet rate increase?

¤ 

sample the network traffic

Sampling Techniques and Traps (2)

¨ 

What sampling algorithm should one use?

¤ to examine every n-th packet

¤ examine packets at fixed time intervals; this is harder to

implement and may be affected by aliasing

(synchronization) effects (RFC 2330 discuss this issues)

¤ to measure effects that happen at frequencies of F Hz or

less, you must sample the signal at least 2F times per second (from the Sampling Theorem)

¨ 

In practice sampling granularity depends on

¤ the phenomena we want catch

The IP Performance Metrics WG’s view

Common Metrics

Latency

¨ 

widely used measure of network latency is

round-trip time (RTT)

¤ 

the time for a packet to make the round trip from a

Network latency component times

a)  The time it takes a packet to travel along the physical links that make up

its path through the Internet (transport time)

b)  The time it takes to pass through routers between those links (queuing and

transmission time)

c)  The time required for the server to process an incoming packet and

generate a response packet (server response time) (a) + (b) = { Forward delay (Client à Server) } and { Reverse delay (Server à Client) }

(c) Server delay

Measuring (a) and (b) requires measurement at both client and server, using one-way delay techniques such as those as described in RFC 2679

Measuring latency

¨ 

Use a method that is implemented within the server's

IP stack, so that it requires very little server

processing to generate a response

¤ 

Ping the most common used

¨ 

Factors influencing latency

¤ 

Server load

¤ 

Path congestion

The ISP point of view

¨ 

An ISP can manage latency only for packets travelling

within its own network.

¤ Maximum latency can be higher than the average

¤ You need to ask

n  how often the latency is measured,

n  by how much it may vary, and

n  over what period it is averaged.

¨ 

ISPs will measure latency using a tool such as ping,

which uses the ICMP protocol

¤ This may not accurately represent the performance of

applications that use other protocols

Technical Note: Some network equipment is known to give ICMP a much lower

priority than other traffic, this could make the results for ISPs that use that

equipment appear to be slower than they really are.  However, we perform a large number of pings, which should reduce the affects of routing

equipment giving ICMP traffic a low priority.

Packet Loss

¨  Network packet loss is the fraction of packets lost in transit

from client to server and back during a specified time interval, expressed as a percentage of the packets sent to the server during that interval

¨  TCP relies on detecting lost packets to sense congestion and

control the rate at which packets are sent, we expect to see occasional packets lost from TCP streams

Throughput

¨  The rate at which data is sent through the network, usually

expressed in bits per second (bps), bytes per second (Bps) or packets per second (pps)

¨  Throughput is measured by counting bytes transported during a

specified time interval

¤  a long interval will average out short-term bursts in the data rate

¤  Short intervals imply a higher data collection rate, and may exaggerate

the burstiness of the data.

¤  A good compromise is to use one- to five minute intervals, and to

SpeedTest.net

Performance Measurement Tools

Taxonomy

¨ 

http://www.caida.org/tools/taxonomy/

performance.xml

Availability and Reliability

Availability

¨ 

ITU-T E.800, namely:

¤ 

… the ability of an item to be in a state to perform a

required function at a given instant of time or at any

instant of time within a given time interval ...

¨ 

From the user point of view, availability over a

specified time interval is the percentage of that

interval during which the system was available for

normal use

What is supposed to be available?

Service availability

¤ 

Web service availability test

¨ 

Host availability

¤ 

Host availability test

¨ 

Network availability

¤ 

Network availability test

When is the service unavailable?

¨ 

Tests will produce latency and packet loss values for

each case

¨ 

A service is effective if are satisfied

¤ 

maximum latency and

¤ 

minimum packet loss

¨ 

if the measured values fall outside these limits, the

service will be considered unavailable

Example

¨  From the user point of view, you could decide that network

availability is lost if, when you ping your ISP's access router at one-minute intervals, ping latency is worse than 10 ms or ping packet loss is greater than 1 percent.

¨  You need to be realistic when setting these limits, for example

2% packet loss may be unacceptable for Web or ftp data transfer, but 5% packet loss could be acceptable for email.

Reporting availability

¨  Availabilities are usually reported as a single monthly figure

giving the percentage of the time that the network was available

¤  One minute is approximately 0.01% of a week, hence if service

availability was 99.99%, the service was unavailable for about four minutes during the month.

¨  When you discuss availability with your ISP, bear the above in

mind as you work together to agree on a definition of availability

¨  ISP do not normally specify availability so carefully. Instead

they use a single value of backbone availability, without specifying exactly what it means.

Other couse of unavailability

MMTR

MTTF

Scheduled downtime

Reliability

¨ 

Is closely related to availability

¨ 

Is a measure of how often you get a response back

that is wrong, or get a part that is defective

¤ 

higher the reliability lower the frequency of getting

back a wrong answer

¨ 

In networking a wrong response (e.g. a corrupted

packet) is often equal to a no response (e.g. a lost

packet)

“Managers are effected by

Mononumerosis

”

E.C.

Statistics

Working with statistics

Mean, Median and Percentiles

¤ 

used to define SLA

¨ 

Sampling periods must be the same for comparison

Performance Measurement Tools

http://www.caida.org/tools/taxonomy/index.xml

Anonymization   

Topology

Workload

Performance

Routing   

Multicast   

Measurement Infrastructures

Source

¨ 

Fundamental of Internet Measurement: A tutorial

http://edu.eap.gr/pli/pli23/documents/Parallila_Keimena/B_Tomos/pdf/ Fundamentals_of_Internet_Measurement_A_Tutorial.pdf