Accurate And Flexible Flow-Based Monitoring For High-Speed Networks REPORTER: HSUAN-JU LI 2014/12/25 Field Programmable Logic and Applications (FPL), 2013.


Slide 1: Accurate And Flexible Flow-Based Monitoring For High-Speed Networks
Marco Forconesi, Gustavo Sutter, Sergio Lopez-Buedo, Javier Aracil
International Conference on Field Programmable Logic and Applications (FPL), Sept. 2013
Reporter: Hsuan-Ju Li, 2014/12/25

Outline
- Introduction
- Related Work
- Flow-Based Monitoring Technique And Development Platform
- Proposed Architectures
- Results And Validation
- Conclusions


Introduction
- Network operators routinely use flow-based tools to track down bandwidth utilization as well as network dysfunctions and attacks.
- Flow-based tools are used to track down: bandwidth utilization, network dysfunctions, network attacks.

Introduction (cont.)
- Flow-based tools infrastructure (figure): flow exporter and flow collector.

Introduction (cont.)
- Flow exporter: analyzes the packets in the network, creates the flows, and periodically sends finished flows to the collector.
- The flow exporter is typically implemented inside routers. Benefit: no extra component has to be added.

Introduction (cont.)
- Flow collector: receives flows from the exporters and stores them for future processing.

Introduction (cont.)
- Drawbacks of the flow exporter: routers can be burdened by too much traffic.
- In that case flow monitoring is skipped in order to dedicate all computing resources to routing packets, so all flow information is lost.

Introduction (cont.)
- Drawbacks of the flow exporter: in high-speed networks, flow-based monitoring is accomplished by routers and switches on the basis of packet sampling.
- Not all the packets on the network are analyzed, giving poor accuracy of the data delivered to the collector.

Introduction (cont.)
- Drawbacks of the flow exporter: routers and switches have limited resources, so they cannot scale to higher link rates or to larger memories that would store more active flows.
- Network devices are closed platforms: network engineers are not free to modify how flows are defined, so they do not control what type of information is collected.


Related Work
- Network probes that generate network flows at 10 Gbps: software-based probes and FPGA probes.

Related Work (cont.)
- Software-based probes use commodity servers: multicore architectures and a careful balance of the load between cores.
- Popular open-source approaches (achieving up to near 10 Mpps): nProbe, softflowd, ffProbe.

Related Work (cont.)
- FPGA-based probes: the first implementation was on NetFPGA-1G (a Virtex-2 platform).
- "Reconfigurable architecture for network flow analysis" (IEEE Transactions on Very Large Scale Integration (VLSI) Systems, Volume 16, Issue 1): an architecture for network flow analysis on a Virtex-2 device, able to store up to 65,536 concurrent flows at a maximum rate below 3 Mpps.

Related Work (cont.)
- FPGA-based probes: FlowMon for network monitoring. A 10 Gbps implementation with 256,000 concurrent active flows is presented in FlowMon, using a Virtex-5 in the context of the Liberouter project.
- "An FPGA based hardware architecture for network flow analysis" gives some results for Virtex-5, claiming a superior speed but only for 500 concurrent flows.


Flow-Based Monitoring Technique And Development Platform
- According to Cisco's definition, a flow is a unidirectional stream of packets between a given source and destination.
- A flow is identified by five key fields (the 5-tuple): source IP address, destination IP address, source port number, destination port number and layer 3 protocol type.
- Packets with the same 5-tuple belong to the same flow.
- (Figure: flow = Src. IP address, Dst. IP address, Src. port #, Dst. port #, network-layer protocol.)

Flow-Based Monitoring Technique And Development Platform (cont.)
- Flow cache: a fast local memory inside the exporter, used to store the active flows of the link that is being monitored.
- Flow table: a data structure in the flow cache, consisting of a list of flow records.
- Flow record: contains the number of packets, the total number of transmitted bytes, the timestamp of the flow creation/expiration and the TCP flags.
- (Figure: flow record = # packets, total # transmitted bytes, timestamp of flow creation, TCP flags.)

Flow-Based Monitoring Technique And Development Platform (cont.)
- (Figure: the flow table consists of flow records 0, 1, 2, ..., n; each record holds the 5-tuple (Src. IP address, Dst. IP address, Src. port #, Dst. port #, network-layer protocol) together with # packets, total # transmitted bytes, timestamp of flow creation and TCP flags.)

Flow-Based Monitoring Technique And Development Platform (cont.)
- Every time a packet is received, the memory is polled to determine whether the extracted 5-tuple matches an active flow.
- If it does not match, a new flow entry is created; otherwise the active flow in the flow table is updated.

Flow-Based Monitoring Technique And Development Platform (cont.)
- In parallel to the flow creation and updates, a mechanism is needed that is in charge of removing flows from the flow table once they are no longer on the link.
- Removal triggers: a timeout, or the TCP transmission end signals (FIN and RST flags).

Flow-Based Monitoring Technique And Development Platform (cont.)
- In parallel to the flow creation and updates: two concurrent processes access the memory (flow table).

Flow-Based Monitoring Technique And Development Platform (cont.)
- The design has been implemented and tested on NetFPGA-10G, the second release of the NetFPGA project, which develops an open-source hardware and software platform (Stanford University together with Xilinx Labs).
- Virtex-5 TX240T FPGA, which provides four independent 10 Gbps Ethernet ports.
- Populated with three QDR-II and four RLDRAM memory devices, providing respectively 27 MB and 288 MB of external storage.


Proposed Architectures
- Two implementations were developed:
- NF_BRAM: uses internal BlockRAMs to store the active flows; supports up to 16,384 concurrent flows.
- NF_QDR: uses external QDR-II memory; supports up to 786,432 concurrent flows.

Proposed Architectures (cont.)
- (Figure: architecture of NF_BRAM.)


Proposed Architectures (cont.)
- This module extracts the 5-tuple from the Ethernet frames, plus the information needed to create or update a flow: timestamp, TCP flags, number of bytes.

Proposed Architectures (cont.)
- This module calculates a hash code to obtain the address where the flow record will be stored.
- The probability of collision depends on the input 5-tuples, which follow a non-uniform distribution, so this module is intended to be modified to suit the traffic.

Proposed Architectures (cont.)
- This module is the name given to 'Process A'.
- With the previously calculated hash code, the flow table is addressed and its content analyzed.
- Busy flag set: an active flow is on that memory location. The received 5-tuple is compared to the stored one. If they match, this flow is updated with the information of the received packet. If they do not match, a collision has occurred and the received packet is discarded.
- Busy flag clear: a new flow record is created in that position of the flow table.
- RST flag and FIN flag: if either TCP flag is received, the memory is polled to check whether there is an active flow to which the packet belongs. That flow is updated and exported immediately.

Proposed Architectures (cont.)
Process A as pseudocode (the two slides combined; the comparison operator and the placement of the RST/FIN check follow the description on the previous slide):

    Process A():
        if (busy_flag == 1):                        // an active flow is on that memory location
            if (received 5-tuple == stored 5-tuple): // matched
                update this flow with the information of the received packet
            else:                                    // a hash collision has occurred
                discard the received packet
        else:                                        // the busy flag is clear
            create a new flow record in that position of the flow table
        if (RST == 1 || FIN == 1):                   // TCP end-of-connection flag asserted
            poll the memory to check whether there is an active flow to which the packet belongs
            update that flow and export it immediately

Proposed Architectures (cont.)
- This module is implemented with the BlockRAM of the FPGA.
- Each flow record is stored in, and read back from, one memory address.
- The accesses of the two processes (A and B) to the memory are completely parallel and independent.

Proposed Architectures (cont.)
- This module is the name given to 'Process B' and performs two checks.
- First, it checks whether the time elapsed since the last packet of the flow arrived is less than a predefined inactivity timeout.
- Second, it checks whether the time elapsed since the flow record was created is less than a predefined maximum flow duration.
- If either condition is violated, the flow record is exported and the flow is removed from the flow table.

Proposed Architectures (cont.)
- This module receives the flow records that were purged from the flow table and exports them out of the flow cache core.
- It could also be connected to the PCIe DMA engine in order to send flow records directly to the host computer.
- It implements the flow exporting protocol (NetFlow, IPFIX).
- Flows are exported through one of the 10 Gbps Ethernet ports available on NetFPGA-10G.
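The NF_BRAM packet path just described (hash-addressed flow table, busy flag, collision drop, immediate export on FIN/RST, and the Process B timeouts), as an added Python model written for this summary; it is not the paper's VHDL or any NetFPGA project code. The 16-entry table, the XOR-of-ports hash, the timeout values and the six-packet trace are all assumed.

```python
from types import SimpleNamespace

TABLE_SIZE = 16          # assumed; the real NF_BRAM table holds 16,384 records
INACTIVE_TIMEOUT = 15    # assumed inactivity timeout (same units as timestamps)
MAX_DURATION = 60        # assumed maximum flow duration
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

def hash_addr(key):
    # Hash module: deliberately simple (XOR of the two ports, assumed) so that
    # a collision is easy to construct; the slides say it is meant to be swapped.
    return (key[2] ^ key[3]) % TABLE_SIZE

class FlowCache:
    def __init__(self):
        self.table = [None] * TABLE_SIZE        # None == busy flag clear
        self.exported, self.dropped = [], 0

    def process_a(self, key, ts, length, flags):
        """Process A: runs once per received packet (key is the 5-tuple)."""
        addr = hash_addr(key)
        rec = self.table[addr]
        if rec is None:                         # busy flag clear: new record
            self.table[addr] = SimpleNamespace(key=key, packets=1, nbytes=length,
                                               created=ts, last_seen=ts, tcp_flags=flags)
        elif rec.key == key:                    # busy and 5-tuple matches: update
            rec.packets, rec.nbytes = rec.packets + 1, rec.nbytes + length
            rec.last_seen, rec.tcp_flags = ts, rec.tcp_flags | flags
        else:                                   # busy with another flow: collision,
            self.dropped += 1                   # the packet is discarded
            return
        if flags & (FIN | RST):                 # connection ending: export at once
            self.export(addr)

    def process_b(self, now):
        """Process B: purge flows that went idle or exceeded the max duration."""
        for addr, rec in enumerate(self.table):
            if rec and (now - rec.last_seen > INACTIVE_TIMEOUT
                        or now - rec.created > MAX_DURATION):
                self.export(addr)

    def export(self, addr):
        self.exported.append(self.table[addr])
        self.table[addr] = None                 # clear the busy flag

def run_sample():
    """Constructed trace: flows A and B hash to the same table address."""
    A = ("10.0.0.1", "10.0.0.2", 40000, 80, 6)
    B = ("10.0.0.3", "10.0.0.2", 40016, 80, 6)  # collides with A (address 0)
    C = ("10.0.0.4", "10.0.0.2", 40001, 80, 6)  # lands on address 1
    fc = FlowCache()
    for ts, key, length, flags in [(0, A, 64, SYN), (1, B, 64, SYN),
                                   (2, A, 1500, ACK), (3, C, 64, SYN),
                                   (4, A, 64, FIN | ACK), (5, B, 64, SYN)]:
        fc.process_a(key, ts, length, flags)
    fc.process_b(now=20)                        # C idle 17 > 15; B idle 15, kept
    return {"exported": [r.key[0] for r in fc.exported], "dropped": fc.dropped,
            "active": sum(r is not None for r in fc.table),
            "A_packets": fc.exported[0].packets, "A_bytes": fc.exported[0].nbytes}
```

The trace shows the accuracy cost the slides attribute to the hash module: B's first packet is lost to the collision with A and is only recorded once A has been exported on its FIN.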

Proposed Architectures (cont.)
- (Figure: architecture of NF_QDR.)

Proposed Architectures (cont.)
- The second architecture boosts flow monitoring in three ways:
- The use of QDR-II memory allows a much bigger flow table (786,432 vs. 16,384 flows for the NF_BRAM architecture).
- Flow records are now 288 bits long instead of the 241 bits of the original NF_BRAM design: 47 additional bits store extra information.
- It reduces flow drops caused by collisions in the hash function.

Proposed Architectures (cont.)
- The QDR-II external memories offer only one available port.
- A multiplexing mechanism lets both processes share the communication with the memory.

Proposed Architectures (cont.)
- Process A first looks up whether the active flow record is in the internal cache module.
- If the flow is in the cache, it is updated there and the update is written back to the external main memory.
- If the flow is not found in the cache, a read operation to the main memory is performed.

Proposed Architectures (cont.)
- This cache module stores the most recently created flows.
- Bursts of packets that belong to the same flow therefore do not poll the external memory every time.
- The external memory is only addressed to write the updated flow back, so an exact copy of the information in the cache is always present in the main memory.
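An added Python model of the NF_QDR cache behaviour on the previous three slides (lookup in the on-chip cache, read from the single-ported QDR-II table on a miss, write-back of every update); it is not the paper's VHDL or NetFPGA project code. The 4-slot cache, the 1024-entry table and the XOR-of-ports hash are assumed, and Process B (timeouts and export) is left out so that the memory-port operation counts stay easy to follow.

```python
from collections import OrderedDict

CACHE_SLOTS = 4        # assumed size of the on-chip "most recently created" cache
TABLE_SIZE = 1024      # assumed; NF_QDR really addresses 786,432 records

def hash_addr(key):
    return (key[2] ^ key[3]) % TABLE_SIZE   # toy hash of the two ports (assumed)

class QdrFlowCache:
    """Packet path of NF_QDR: a small cache in front of the single-ported
    QDR-II table; every update is written back so main memory stays exact.
    Timeouts and exporting (Process B) are left out of this model."""
    def __init__(self, use_cache=True):
        self.main = {}                   # address -> record copy (QDR-II table)
        self.cache = OrderedDict()       # address -> live record, oldest first
        self.use_cache = use_cache
        self.reads = self.writes = 0     # operations issued on the memory port

    def packet(self, key, length):
        """Returns False when the packet is dropped on a hash collision."""
        addr = hash_addr(key)
        rec = self.cache.get(addr) if self.use_cache else None
        if rec is None:                  # cache miss: read the main memory
            self.reads += 1
            rec = self.main.get(addr)
        if rec is None:                  # busy flag clear: create the record
            rec = {"key": key, "packets": 0, "nbytes": 0}
            if self.use_cache:           # only newly created flows enter cache
                self.cache[addr] = rec
                if len(self.cache) > CACHE_SLOTS:
                    self.cache.popitem(last=False)   # evict the oldest flow
        elif rec["key"] != key:
            return False                 # collision: another flow owns the slot
        rec["packets"] += 1
        rec["nbytes"] += length
        self.main[addr] = dict(rec)      # write back: main memory == cache copy
        self.writes += 1
        return True

def burst_stats(n_packets=10):
    """Constructed burst of one flow: external reads with and without cache."""
    key = ("10.0.0.1", "10.0.0.2", 40000, 80, 6)
    out = {}
    for label, use_cache in (("no_cache", False), ("cache", True)):
        fc = QdrFlowCache(use_cache)
        for _ in range(n_packets):
            fc.packet(key, 64)
        out[label] = (fc.reads, fc.writes, fc.main[hash_addr(key)]["packets"])
    return out
```

Without the cache every packet of the burst costs a read and a write on the one memory port; with it the burst costs one read and the same number of write-backs, which is the throughput gain the slide describes.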

Proposed Architectures (cont.)
- (Figure: NF_QDR data path. Processes PA and PB share the external memory through a MUX; PA looks up the most recently created flows in the cache and supplies the address to write the updated record back.)

Proposed Architectures (cont.)
- The dispatcher keeps a number of read operations queued, chosen to maximize the memory throughput.


Results And Validation
- Hardware resource utilization: the designs were coded in VHDL and synthesized with Xilinx EDK/XST v13.4.
- The clock frequency for both architectures is 200 MHz.

Results And Validation (cont.)
- Two general-purpose PCs with 10 Gbps Ethernet interfaces were connected to the NetFPGA-10G platform.
- The first PC was used as the traffic generator, running a high-performance network driver capable of saturating a 10 Gbps link.
- The second machine captured to a file the output flow records exported by the design under test.
- The same input traffic was processed offline with well-known flow capturing software.
- P. S. del Río, D. Corral, J. García-Dorado, and J. Aracil, "On the impact of packet sampling on Skype traffic classification," IFIP/IEEE International Symposium on Integrated Network Management (IM 0213).

Results And Validation (cont.)
- The worst-case scenario was tested with a loop generator sending minimum-size packets with minimum interframe gaps during a 100-second run.
- With the real traffic captures, flow creation was tested in a real scenario and the output was checked against the software tools mentioned above.


Conclusions
- The proposed design copes with saturated 10 Gbps links even at the highest packet rates, i.e. with the shortest 64-byte Ethernet frames.
- The design supports up to 786,432 concurrent active flows.
- The HDL code for both architectures has been released as public open-source hardware projects.

Thank you