José Luis García-Dorado

High-Performance network traffic processing systems using commodity hardware

The Internet has opened new avenues for information accessing and sharing in a variety of media formats. Such popularity has resulted in an increase of the amount of resources consumed in backbone links, whose capacities have witnessed numerous upgrades to cope with the ever-increasing demand for bandwidth. Consequently, network traffic processing at todays data transmission rates is a very demanding task, which has been traditionally accomplished by means of specialized hardware tailored to specific tasks. However, such approaches lack either of flexibility or extensibility--or both. As an alternative, the research community has pointed to the utilization of commodity hardware, which may provide flexible and extensible cost-aware solutions, ergo entailing large reductions of the operational and capital expenditure investments. In this chapter, we provide a survey-like introduction to high-performance network traffic processing using commodity hardware. We present the required background to understand the different solutions proposed in the literature to achieve high-speed lossless packet capture, which are reviewed and compared.

Multi-granular, multi-purpose and multi-Gb/s monitoring on off-the-shelf systems

SUMMARY As an attempt to make network managers’ life easier, we present M3Omon, a system architecture that helps to develop monitoring applications and perform network diagnosis. M3Omon behaves as an intermediate layer between the traffic and monitoring applications that provides advanced features, high performance and low cost. Such advanced features leverage a multi-granular and multi-purpose approach to the monitoring problem. Multi-granular monitoring provides answers to tasks that use traffic aggregates to identify an event, and requires either flow records or packet data or even both to understand it and, eventually, take convenient countermeasures. M3Omon provides a simple API to access traffic simultaneously at several different granularities, i.e. packet-level, flow-level and aggregate statistics. The multi-purposed design of M3Omon allows not only performing tasks in parallel that are specifically targeted to different traffic-related purposes (e.g. traffic classification and intrusion detection) but also sharing granularities between applications, e.g. several concurrent applications fed from flow records that are provided by M3Omon. Finally, the low-cost characteristic is brought by off-the-shelf systems (the combination of open-source software and commodity hardware) and the high performance is achieved thanks to modifications in the standard NIC driver, low-level hardware interaction, efficient memory management and programming optimization. Copyright

Batch to the Future: Analyzing Timestamp Accuracy of High-Performance Packet I/O Engines

Novel packet I/O engines allow capturing traffic at multi-10Gb/s using only-software and commodity-hardware systems. This is achieved thanks to the application of techniques such as batch processing. Nevertheless, this feature involves degradation in the timestamp accuracy, which may be relevant for monitoring purposes. We propose two different approaches to mitigate such effect: a simple algorithm to distribute inter-batch time among the packets composing a batch, and a driver modification to poll NIC buffers avoiding batch processing. Experimental results, using both synthetic and real traffic, show that our proposals allow capturing accurately timestamped traffic for monitoring purposes at multi-10Gb/s rates.

Multi‐granular, multi‐purpose and multi‐Gb/s monitoring on off‐the‐shelf systems

SUMMARY As an attempt to make network managers’ life easier, we present M3Omon, a system architecture that helps to develop monitoring applications and perform network diagnosis. M3Omon behaves as an intermediate layer between the traffic and monitoring applications that provides advanced features, high performance and low cost. Such advanced features leverage a multi-granular and multi-purpose approach to the monitoring problem. Multi-granular monitoring provides answers to tasks that use traffic aggregates to identify an event, and requires either flow records or packet data or even both to understand it and, eventually, take convenient countermeasures. M3Omon provides a simple API to access traffic simultaneously at several different granularities, i.e. packet-level, flow-level and aggregate statistics. The multi-purposed design of M3Omon allows not only performing tasks in parallel that are specifically targeted to different traffic-related purposes (e.g. traffic classification and intrusion detection) but also sharing granularities between applications, e.g. several concurrent applications fed from flow records that are provided by M3Omon. Finally, the low-cost characteristic is brought by off-the-shelf systems (the combination of open-source software and commodity hardware) and the high performance is achieved thanks to modifications in the standard NIC driver, low-level hardware interaction, efficient memory management and programming optimization. Copyright

Detection of traffic changes in large-scale backbone networks: The case of the Spanish academic network

Network management systems produce a huge amount of data in large-scale networks. For example, the Spanish academic network features hundreds of access and backbone links, each of which produces a link utilization time series. For the purpose of detecting relevant changes in traffic load a visual inspection of all such time series is required. As a result, the operational expenditure increases. In this paper, we present an on-line change detection algorithm to identify the relevant change points in link utilization, which are presented to the network manager through a graphical user interface. Consequently, the network manager only inspects those links that show a stationary and statistically significant change in the link load.

On the processing time for detection of Skype traffic

The last few years have witnessed VoIP applications gaining a tremendous popularity and Skype, in particular, is leading this continuous expansion. Unfortunately, Skype follows a closed source and proprietary design, and typically uses encryption mechanisms, making it very difficult to identify its presence from a traffic aggregate. Several algorithms and approaches have been proposed to perform such task with promising results in terms of accuracy. However, such approaches typically require significant computation resources and it is unlikely that they can be deployed in nowadays high-speed networks. In this light, this paper focuses on cutting the processing cost of algorithms to detect Skype traffic. We have conveniently tuned a previous well-validated algorithm and we have assessed its performance. To this end, we have used real traces from public repositories, from a Spanish 3G operator, and synthetic traces. Our results show that a single process can detect Skype traffic at 1 Gbps rates reading replayed real traces directly from a NIC. Even more, 3.7 Gbps are achieved reading from traces previously allocated in memory using a single process and 45 Gbps using 16 concurrent processes. This fact paves the way for 10 Gbps processing in commodity hardware.

Cost-aware Multi Data-Center Bulk Transfers in the Cloud from a Customer-Side Perspective

Many cloud applications (e.g., data backup and replication, video distribution) require dissemination of large volumes of data from a source data-center to multiple geographically distributed data-centers. Given the high costs of wide-area bandwidth, the overall cost of inter-data-center communication is a major concern in such scenarios. While previous works have focused on optimizing the costs of bulk transfer, most of them use the charging models of Internet service providers, typically based on the 95th percentile of bandwidth consumption. However, public Cloud Service Providers (CSP) follow very different models to charge their customers. First, the cost for transmission is flat and depends on the location of the source and receiver data-centers. Second, CSPs offer discounts once customer transfers exceed certain volume thresholds per data-center. We present a systematic framework, CloudMPcast, that exploits these two aspects of cloud pricing schemes. CloudMPcast constructs overlay distribution trees for bulk-data transfer that both optimizes dollar costs of distribution, and ensures end-to-end data transfer times are not affected. CloudMPCast monitors TCP throughputs between data-centers and only proposes alternative trees that respect original transfer times. After an extensive measurement study, the cost savings range from 10 to 60 percent for both Azure and EC2 infrastructures, which potentially translates to millions of dollars a year assuming realistic demands.

Automated Detection of Load Changes in Large-Scale Networks

This paper presents a new online algorithm for automated detection of load changes, which provides statistical evidence of stationary changes in traffic load. To this end, we perform continuous measurements of the link load, then look for clusters in the dataset and finally apply the Behrens-Fisher hypothesis testing methodology. The algorithm serves to identify which links deviate from the typical load behavior. The rest of the links are considered normal and no intervention of the network manager is required. Due to the automated selection of abnormal links, the Operations Expenditure (OPEX) is reduced. The algorithm has been applied to a set of links in the Spanish National Research and Education Network (RedIRIS) showing good results.

Performance Evaluation and Design of Polymorphous OBS Networks With Guaranteed TDM Services

In polymorphous optical burst-switched (POBS) networks, the burst control packets (BCPs) of conventional just-enough-time based signalling OBS networks are given extended properties which enable them not only to reserve fixed time-slots for asynchronous data bursts, but also to allocate TDM reservations for periodic streams of data, and even a complete wavelength for high-bandwidth demanding services. This allows POBS to provide a flexible, yet transparent, approach for supporting the idiosyncrasies of todays most popular services over the same underlying network architecture. In POBS, the spare gaps in between synchronous TDM reservations can be used for the allocation of best-effort data bursts, leading to a more efficient utilisation of the optical capacity. This work shows how to extend the well-known Erlang fixed point procedure to evaluate the performance behavior of POBS networks, whereby asynchronous data bursts coexist with high-priority periodic TDM reservations. The performance evaluation algorithm is applied to a number of case scenarios, showing the benefits arisen due to the flexibility of POBS networks.

Testing the capacity of off-the-shelf systems to store 10GbE traffic

The maturity of the telecommunications market and the fact that user demands increase every day leaves network operators no option but to deploy high-speed infrastructures and test them in an efficient and economical manner. A common approach to this problem has been the storage of network traffic samples for analysis and replay using different versions of what we have named NTSS. This type of task is particularly demanding in 10 Gb Ethernet links and has traditionally been addressed by closed solutions or NTSS built on top of high-end hardware. However, these approaches lack flexibility and extensibility, which typically translates into higher cost. This work studies how NTSS can be built using COTS: a combination of commodity hardware and open source software. To this end, we present the current limitations of COTS systems and focus on low-level optimization techniques at several levels: the NIC driver, hard drives, and the software interaction between them. The application of these techniques has proven crucial for reaching 10 Gb/s rates, as different state-of-the-art systems have shown after an extensive performance test.