Packet Sampling for Flow Accounting: Challenges and Limitations

Transcription

1 Packet Sampling for Flow Accounting: Challenges and Limitations Tanja Zseby (Fraunhofer FOKUS) Thomas Hirsch (Fraunhofer FOKUS) Benoit Claise (Cisco Systems) April 29, 2008 This work was funded by Cisco Systems as part of the VEGAS project.

2 Outline Problem statement Packet selection techniques Accuracy assessment in theory Accuracy assessment in practice Experimental results Standardization (IPFIX/PSAMP) Conclusion 2008 FhG FOKUS PAM of 20

3 Usage-based Accounting Accounting based on flow volume (transferred bytes) Requires flow measurements all packets from network A all packets with DSCP=x all VoIP packets Flow:= packets with common properties Customer Network Customer Network End System Provider Network 2008 FhG FOKUS PAM of 20

4 Flow Measurements Packets: <s 1, t 1, c 1 >, <s 2, t 2, c 2 >,... <s N, t N, c N > Packet Attributes at Observation Point s i, sequence number t i arrival time c i content (header, payload) Classification f(c i ) Flows: FlowID 1: <s 1, t 1, c 1 > <s 4, t 4, c 4 > <s 8, t 8, c 8 > FlowID 2: <s 2, t 2, c 2 > <s 3, t 3, c 3 > <s 6, t 6, c 6 > FlowID 3: <s 5, t 5, c 5 > <s 7, t 7, c 7 > <s 9, t 9, c 9 > Aggregation Aggregation Aggregation Flow Records: < N, μ, σ,... > < N, μ, σ,... > < N, μ, σ,... > f f f f f f f f f 2008 FhG FOKUS PAM of 20

5 Problem: Resource Consumption Resource Limitations Processing power Transmission Storage Demand depends on Data rates Required granularity Solutions Dedicated Hardware Improved Algorithms Data Selection Additional CPU load for running NetFlow on different routers* 1:100 *source: NetFlow Performance Analysis, Cisco white paper 2008 FhG FOKUS PAM of 20

6 Packet Selection Packets: Selected Packets: <s 1, t 1, c 1 >, <s 2, t 2, c 2 >,... <s N, t N, c N > f(c i ) Filtering Packet Selection f(s i ) or f(t i,) Sampling <s 2, t 2, c 2 >, <s 6, t 6, c 6 >... <s n, t n, c n > Classification Flows: FlowID 1: <s 8, t 8, c 8 > FlowID 2: <s 2, t 2, c 2 > <s 6, t 6, c 6 > FlowID 3: <s 5, t 5, c 5 > <s 9, t 9, c 9 > Aggregation Aggregation Aggregation Flow Records: < Nˆ, μˆ, σˆ,... > f f f < Nˆ, μˆ, σˆ,... > < Nˆ, μˆ, σˆ,... > f f f f f f 2008 FhG FOKUS PAM of 20

7 Packet Selection Techniques (Examples) 2008 FhG FOKUS PAM of 20

8 Problem: Accuracy Assessment Accuracy Assessment required Achievable accuracy depends on Sampling and estimation method Sampling parameters Population characteristics unknown and highly dynamic Accuracy assessment during measurement For each measurement interval For each flow Based on sampled data Bias Precision 2008 FhG FOKUS PAM of 20

9 Theoretical Model Case: n-out-of-n, sampling before classification Estimation of Flow Volume: Variance of Estimate: Sum ˆ f N n f = n i= 1 n x f 2 f [ ˆ N N V Sum ] = V[ x ] = V[ x ] f, i f f, i 2 f, i n i= 1 n i= 1 n random variables N Packets in MI n Packets in sample Sum f N f n f μ f 2 σ x x f f,i Volume in flow f Number of packets in flow f Sampled packets from flow f Mean packet size in flow f Packet size variance in flow f Bytes in i-th packet Estimation accuracy for flow f : StdErr rel ( ) 1 N N σ + μ N μ = N μ n N f f f f f f f Flow Characteristics: Number of packets from flow f in MI Packet size variance in flow f Packet size mean in flow f Sampling Parameters: Number of all packets in MI (population size) Number of selected packets in MI (sample size) 2008 FhG FOKUS PAM of 20

10 Accuracy Assessment in Practice Flow characteristics unknown Estimation from sampled data Storing per-packet information too costly Storing aggregates NetFlow Records Number of packets stored Sum of packet sizes stored Calculation/estimation of mean packet size possible BUT: calculation/estimation of packet size variance not possible NetFlow Records: N f, x f, 2 xf Store sum of squares! 2008 FhG FOKUS PAM of 20

11 1-in-K Sampling (Cisco) 1-in-K: Count-based stratification with equal allocation Packet selection limited to 1 packet per subinterval Theoretical Model see paper Stratification gain Depends on variance of packet sizes from flow f in strata 1 packet per sub-interval selected not sufficient to estimate variance in sub-interval n-out-of-n: 1 N 3 of 15 1-in-K: 1 K 1 K 1 K 2008 FhG FOKUS PAM x 1 of 5 11 of 20

12 Setup Experiments Traces from three different networks Different sampling schemes Different classification schemes Different measurement interval lengths Sampling before and after classification Accuracy Calculation based on theoretical model using real flow characteristics 2008 FhG FOKUS PAM of 20

13 Flow Characterstics Trace: CIRIL MI: 10M Classification S24D FhG FOKUS PAM of 20

14 Conformant Flows Sampling fraction: 5%, StdErr 0.05 Sampling after classification Sampling before classification 2008 FhG FOKUS PAM of 20

15 Sampling Experiments 1000 sampling runs per experiment Different sampling rates Calculation of bias and standard error Comparison of schemes n-out-of-n 1-in-K systematic 2008 FhG FOKUS PAM of 20

16 Conformant Flows Trace: NZIX MI: 1M Classification S24D00 Sampling fraction =5% Max rel. StdErr Error/CL n-of-n 1-in-K Systematic /99% /95% /99% /95% /95% /95% /95% /95% > FhG FOKUS PAM of 20

17 Results Comparison of schemes n-out-of-n close to n-out-of-n model 1-in-K close to n-out-of-n model Systematic sampling Better results for some flows But unpredictable (high variance of results) Differs from model Higher accuracy achievable with Larger sample fraction Longer observation periods (if flow characteristics remain) Coarse grained classification Aggregation of flows 2008 FhG FOKUS PAM of 20

18 IPFIX/PSAMP IEs IP Flow Information Export (IPFIX) Standard for flow information export (RFC5101) Information elements (RFC5102) Packet Sampling (PSAMP) Packet selection techniques (filtering, sampling) Packet export using IPFIX Parameter Number N of packets in measurement interval Number n of packets in sample Number of packets from flow f in sample Sum (bytes in sampled packets) Sum of squares (bytes in sampled packets) IPFIX/PSAMP IEs samplingpopulation samplingsize packettotalcount octettotalcount octettotalsumofsquares 2008 FhG FOKUS PAM of 20

19 Conclusion Accuracy Assessment in theory and practice n-out-of-n (before/after classification) store sum of squares 1-in-K not possible in practice (although model exists) Experiments Small flows poor accuracy for sampling before classification 1-in-K close to n-out-of-n Accuracy depends on settings (obs. period, classification) Alternative: Flow selection based on expected accuracy IPFIX provides required information elements Work in progress: Sampling for other metrics (e.g. for anomaly detection) Hash-based selection 2008 FhG FOKUS PAM of 20

20 Thank you! FOKUS Open Source IPFIX Library: Measurement data always welcome at: