Network Measurements Flashcards

1
Q

Why do we want to measure the network?

A
Network provider:
• Model reality
• Predict the future
• Plan the network
• Avoid bottlenecks in advance
• Reduce cost
Service provider:
• Get information about clients
• Adjust service to demands
• Reduce load on servers

Client: check service & compare
Researcher: performance evaluation & understanding

2
Q

Why do we need to measure?

A

• Distributed multi-domain network → information is only partially available
• Growth, usage and structure change
• Highly interactive system
• Heterogeneity in all directions
• The total is more than the sum of its pieces
• Built, driven, and used by humans → errors, misconfigurations, flaws, failures, misuse, …

3
Q

What types of active measurement are conducted?

A

Performance: latency, throughput, loss
Topology: mapping (L2, IP, AS), alias resolution
Security:
• TLS certificates & certificate transparency
• SSH server keys
• IoT protocols

4
Q

How does certificate transparency measurement work?

A

Public log of issued certificates (to prevent incorrectly issued certificates).
-> can be scanned

5
Q

What can active security measurements do for the internet?

A

Improve security by:

  • finding insecure devices & configurations (-> notify the operators)
  • finding weaknesses in protocols
  • finding protocols vulnerable to amplification attacks
6
Q

How can you address the ethics and reduce the intrusiveness of active measurements?

A
  • Reduce the intrusiveness of the scanning technique (no login, low scanning rate)
  • Provide information on the scanning machines' website
  • Respond to every inquiry and abuse mail
  • Offer the possibility of blacklisting IP addresses and subnets
7
Q

What is passive measurement?

A

Passive measurement is observing existing traffic in the network using probes, e.g.:

  • traffic volume
  • traffic composition
  • packet interarrival times
8
Q

What can you use passive measurements for?

A
Traffic analysis (engineering, anomaly detection)
Accounting (resource utilization & charging)
Security (intrusion detection & prohibited data transfers)
9
Q

What types of export timeouts exist in flow-based traffic measurements?

A

Inactive timeout -> export at end of flow

Active timeout -> periodic export for long-lived flows

10
Q

What is an IP Traffic Flow in IPFIX?

A

A set of IP packets passing an observation point during a certain time interval.
All packets of the flow share a set of common properties.

11
Q

What is an observation point in IPFIX?

A

A location where IP packets can be observed. An observation point can itself be a superset of other observation points.

12
Q

Explain the IPFIX metering process

A

Packet header capture -> Timestamp -> Classify -> Timestamp || Maintaining flow records

13
Q

What is a flow record in IPFIX?

A

Information about a specific flow. Contains measured properties (e.g. total bytes of all packets) and characteristics.

14
Q

How does anomaly detection with passive measurement work?

A

Collect flow data at observation points in the network and create a time series representation.
Label flows as good or malicious & train a model.

15
Q

Name some indicators for amplification attacks that can be found using passive measurement.

A
  • Amplification factor: small requests generate larger responses
  • Attacker sends only a few variations of packets (similar lengths)
  • Payload similarity
  • Unsolicited ICMP messages (watch for ICMP returning from the victim)
  • TTL measurements (path length attacker -> amplifier differs from amplifier -> victim)
16
Q

What is hybrid measurement?

A

Modification of packet flows (header modification & piggybacking)
+ Same as for passive
+ Can introduce additional information
- Modifying data packets may cause problems

17
Q

Name some issues with active and passive measurements

A
Active:
- intrusive
- finds out what the network is capable of
- changes network state
Passive:
- non-intrusive
- finds out the current situation
- does not influence network state
18
Q

Name some network metrics

A
  • Throughput: bandwidth & packet rate
  • Latency: average, standard deviation, median, jitter, percentiles
  • Frame loss rate
    (- max burst length)
    (- recovery after overload)
    (- recovery after system restart)
19
Q

Why is packet rate important?

A

Processing is costly per packet header. Therefore a few large packets get processed faster than the same amount of bytes in small packets (both have the same bandwidth).

20
Q

What is the max packet rate for network?

A

Minimum Ethernet frame: 64 bytes + 8 bytes (Ethernet preamble and start-of-frame delimiter) + minimum interpacket gap of 12 bytes
-> 84 bytes per packet on the wire
10 Gbit/s / (84 bytes × 8 bit/byte) ≈ 14.88 Mpps

21
Q

How does parallel packet processing work?

A

The NIC has a high number of queues (TX and RX), one for each core.

22
Q

Explain the 3 possibilities to distribute incoming traffic

A

Per-packet:
- every packet may land on a different core -> may cause packet reordering and requires state synchronization
Per-flow (5-tuple):
- one flow per core -> protocol state stays on one core, no reordering within a flow
Explicitly configured filters:
- flows can be mapped to explicit cores -> useful to forward traffic to VMs, but per-flow has better balance

23
Q

Name possible bottlenecks for performance

A

CPU power
NIC processing power (mostly consumer devices)
Bus (PCIe) bandwidth: 8 Gbit/s per lane

24
Q

What advantages/disadvantages does packet processing in user space have?

A

+ Fewer expensive system calls
+ Simplified memory management
+ Way faster
+ Batch processing in the application

- Protocol implementation in the application
- NIC used exclusively by a single application
- Not API-compatible with typical user space applications
25
Q

Give adv/disadv of techniques for packet reception

A
Interrupt per packet:
+ low latency
- low throughput (expensive interrupts)
Several packets per interrupt:
+ high throughput
- high latency
No interrupts (polling):
+ low latency (depending on polling frequency)
+ high throughput
- inefficient at low packet rates (busy waiting)