CSAMP
: A System for
Network-Wide Flow Monitoring
Vyas Sekar,Michael K. Reiter, Walter Willinger, Hui Zhang,Ramana Rao Kompella, David G. Andersen
Flow measurements today
There was a router-centric view of current measurements
solutions in network, until now.
Routers are completely independent of each other , so
we have much more flow measurements that we need and inefficient use of router resources
So we pass from a router-centric approach to a
What is Csamp?
Csamp , a system for Network-Wide Flow Monitoring
Csamp is made because current flow monitoring solutions are inadequate for many network management applications
Csamp is a system for coordinated flow monitoring within an AS (Autonomous System)
The goal of cSamp is to assign sampling responsibilities to routers in a coordinated manner to optimize network-wide flow monitoring
Motivation Design
System Architecture
Discussion & Future Work Evaluation
Motivation
In past many people tried to design such network-wide flow monitoring systems, but they were not such efficient such Csamp
There are 5 criteria that a flow monitoring system should satisfy
provide high flow coverage
minimize redundant reports
satisfy network-wide flow monitoring objectives
work within router resource constraints
Design of Csamp
3 basic ideas
Flow sampling instead of packet sampling
Hash-based coordination
Random flow sampling preserves the fidelity of traffic estimation (single router)
Each router has a table of hash ranges indexed
using a key. By receiving a packet the router looks the hash range (key = hash of packet’s
header fields), computes the 5-tuple (srcIP, dstIP, srcport, dstport, protocol) of an IP flow, if the
hash falls in the range of the cell, this hash is used as index to a flow table, if the flow already exists it updates the entry else it creates a new one.
Random flow sampling preserves the fidelity of traffic estimation (single router)
On a single router, do random *flow* (not packet) sampling.
Each packet header is hashed
Hash range
{1,6}
Flow table
If flow already exists update else
create new entry
Computes 5-tuple If falls {7,9} {10, 12} . . Use as index We have an entry in flow table ok
Hash-based coordination
uses hash-based selection (using the same hash
function but having different hash ranges) to
eliminate duplicate measurements in the network. So different routers can monitor disjoint flows without
requiring explicit communication between routers (multiple routers, single path)
Hash-based coordination multiple routers Hash range Flow table Hash range Hash range Flow table Flow table
Network-wide optimization uses optimization framework to specify and satisfy network wide monitoring objectives while respecting router
resource constraints.
Note : Many paths = Origin - Destination (OD) pairs in network
Single path network
Multiple destination pairs in the network. Per
origin-destination pair, assign non-overlapping ranges to each router .Each router has a sampling manifest that specifies the hash range for each origin-destination pair that it might see. For each packet, see if it should be logged (based on hash and origin-destination), and log it.
The routers then generate flow reports which can be sent
{1,5} {7,9}
Hash range for each OD pair
Get OD-pair from packet Green or Yellow????
Csamp algorithm for router
Get OD-pair from packet (usually based on
packet information, src & dst IP addresses)
Compute hash (flow = packet 5-tuple)
Look up hash-range for OD-pair from sampling
manifest
To achieve flow monitoring goals specified in terms
of OD- pairs , cSamp optimization engine needs the traffic matrix and routing information.
Traffic matrices obtained by using estimation techniques that may have errors, so appropriate techniques are used in order to minimize the error.
Traffic matrix Routing information Optimization engine input Sampling manifests output dissemination
System Architecture
Mechanisms
Obtaining Origin Destination pairs in network for packets
the ingress routers mark each packet header with the OD-pair
identifier (given by optimization engine).
Responding to long-term (e.g. uses traffic during
previous week) & short-term traffic dynamics avoiding underfitting and overfitting
the optimization engine must be able to predict the traffic matrix to
Manage memory resources on routers
We store only flow counters in StaticRam(SRAM) instead of storing
the whole flow record (the IP 5-tuple, the OD-pair identifier, and counters).
Computing the optimal solution
In order to respond in near-real time to network dynamics, use new
more efficient algorithms.
Handling routing changes
Precompute sampling manifests for different scenarios in a given
measurement cycle, so if there is a change an appropriate sampling manifest corresponding to this scenario is already available.
Evaluation
Coverage VS optimal solution
Estimated traffic with our engine VsDiscussion & Future Work
OD-pair identifiers
Modifications to packet header
Upgrades to border routers to compute the engress router for each
packet
Router memory exhaustion
A router’s flow memory might be exhausted due to traffic dynamics
Find better choice of eviction of flow records
Changes cause loss of flow coverage or duplicates Applications
Confirm that cSamp provides better fidelity to traditional traffic
Conclusion
Existing solutions focus on incrementally
improving single-router sampling algorithms,
instead of Csamp , a system that takes a network wide approach to flow monitoring.
So..
Much greater monitoring coverage
Better use of router resources
Satisfy better flow monitoring goals compared to