P. 1


|Views: 3|Likes:
Published by mhdridhuan

More info:

Published by: mhdridhuan on Jun 14, 2013
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





Network congestion control using NetFlow

Maxim A. Kolosovskiy Elena N. Kryuchkova

Altai State Technical University, Russia

The goal of congestion control is to avoid congestion in network elements. A network element is congested if it is being offered more traffic than it can process. To detect such situations and to neutralize them we should monitor traffic in the network. In this paper, we propose using Cisco’s NetFlow technology, which allows collecting statistics about traffic in the network by generating special NetFlow packets. Cisco’s routers can send NetFlow packets to a special node, so we can collect these packets, analyze its content and detect network congestion. We use Cisco’s feature as example, some other vendors (Juniper, 3COM, Alcatel, etc.) provide similar features for their routers. We also consider a simple system, which collects statistical information about network elements, determines overloaded elements and identifies flows, which congest them.

The main idea is generating packets. When some network element becomes congested. When elements will have been unloaded. routers memory. First congestion control algorithm was introduced by Van Jacobson in 1987 [2]. bandwidth of links. etc. Congestive collapse was explored as possible problem in 1984 by John Nagle [1]. jFlow. You can find information about congestion control in [7. . sFlow. congestion control system must have opportunity to monitor the state of the network. For detailed information. NetStream). etc. Introduction The goal of congestion control is to avoid congestion in network elements. interfaces. Thus.1. messaging delays. Many RFCs have been written about congestion control.). The features permit to decompose network flows according to various attributes (IPs. there is potential for a serious trouble. users don’t receive expected packets (or conformation of delivery) in the time limit. percent of delivered packets. Therefore. we can use special features (e. Congestion control is control of resources: routers CPUs. etc. So. If we can’t offer high-speed service to all users. link occupancy.g. section References contains some of them [3-6]. we should restrict consumption of resources by users to avoid congestion. The system monitors various factors (e. If the system has detected an incipient congestion. NetFlow. all users get satisfactory service continuously. This activity reduces traffic through these elements. which contain information about router’s active flows. the system will restore normal traffic rates in these elements. it restricts traffic rates in some network elements and continues to monitor the state of the network. A traditional approach is using SNMP. Based on this information the system detects possible congestion. Congestion control system usually works in the following way. First well-known congestive collapse happened with NSFNet in 1986: capacity of backbone dropped from 32 kbit/s to 40 bit/s. Users begin to resubmit packets and new packets cause further congestion. if it is being offered more traffic than it can process. 8].g. If we don’t control our network. it can cause congestive collapse and all network services become unavailable. IPFIX. SNMP-approach is very limited: we can’t get detailed information about the network. A network element is congested. router’s CPU occupancy.). ports. Such situation is called congestive collapse. it processes traffic very slowly and some packets are lost. protocols. If we permit unlimited using of resources.

 Destination port number. number of flows in this packets (1-30). A router also considers a flow inactive. Each NetFlow packet consists of a header and a sequence of flow records. NetFlow technology includes three parts:  NetFlow exporter enables to generate UDP packets. and send information to special node (NetFlow collector). A record contains information about one flow (IP addresses. UDP doesn’t guarantee reliable service. number of packets. Cisco’s routers can be exporters.  Destination IP address. etc. if they have the same following fields:  Source IP address. Two packets are from one flow. if a flow is long lived (by default: 30 min).  Router or switch interface. which allows collecting information about network traffic [9]. time since the router booted.  Type of service byte. ports. To correct such errors a packet contains a special field: number of flows. A router inspects each received packet and creates a new cache entry (if the packet doesn’t belong to active flows) or updates one of existing entries (if the packet belongs to an existing flow).  Source port number. These fields are called key-fields. etc).  Analyzer is special software. Fundamentals of NetFlow technology NetFlow is Cisco’s technology.2. if a router doesn’t receive any packets of the flow (by default: 15 sec). When a flow becomes inactive. A router considers traffic as a collection of flows and stores a cache entry for each active flow. Using this field we can reject duplicates and process datagrams in the correct order. which analyses received data. other fields are called non-key-fields. Flexible NetFlow overcomes limitations with key-fields: we can specify own set of key-fields [10]. A router considers a flow inactive.  NetFlow collector saves received packets to the data storage. which were inspected by the router. A header contains version of NetFlow.  Layer 3 protocol type. So we receive only interesting information. we can aggregate all . so datagrams may arrive out of order. appear duplicates and some datagrams may be lost. which contain information about flows passing through the router. a router places its cache entry to NetFlow packet.

IPv6. We can apply this information to detect congestion. Versions 5 and 9 are most popular versions of NetFlow [11]. NetFlow provides only collecting of statistical information about network. to monitor application and network usage.flows in groups before exporting to the collector (for example. so congestion control system can work as indicator of active viruses. . etc. 3COM.cisco. knowledge about network dependencies helps to understand causes of congestion. Alcatel. These problems are interrelated. some other vendors (Juniper. information from layer 2 to layer 7).) provide similar features for their routers. if we would like to analyze protocol usage. We use Cisco’s feature as example. to detect anomalies and viruses. to mining dependency between flows. then we specify single key-field – protocol type). to optimize the utilization of network resources. You can find more information about NetFlow on Cisco’s official site www.com. IPFIX (IP Flow Information Export) is version 9 standardized by IETF [12]. etc. For example. some viruses initiate network congestion. Flexible NetFlow introduce a collection of new available fields (for example. (as examples [13-15]).

Historical trends can be built for different periods of time: hours. which are processed by each router and by each link (using corresponding fields in NetFlow packets). which applications and IP addresses are generating the traffic. Understanding. we can obtain information about existing (or incipient) congestion. subnets. Next step is to restrict traffic in these elements (by reducing bandwidth of some routers or links) or to re-distribute the part of traffic between other network elements (by changing routing tables in routers). On the contrary. so we can use information obtained by SNMP for capacity planning. we obtain granular information about usage of network elements:  we can monitor number of bytes and number of packets. last received packet of the flow). More detailed knowledge of flow is extremely important in networks today. all fields in NetFlow packets can be useful.. If we’ve obtained necessary information about network. we can analyze the state of the network to find overloaded network elements. which work as “bottleneck”. protocol. The system can analyze collected historical information about network and report about overloaded segments of network. In one word.  we can analyze. To unload these segments the system provides information about causes of . Congestion control system can work in different ways:  Off-line monitoring system. Using NetFlow technology. the system increases the load of these elements.3. etc. ToS. SNMP permits to monitor bandwidth.  we can use timestamps fields to build historical usage trends (start of the flow. weeks. Extended collection of Flexible NetFlow fields make this technology more attractive. So. ports. group of addresses.  we know paths used for packet delivering (field “Next Hop”).  we can observe interaction between autonomous systems. months. is priceless. interface). it is not enough to understand how well the network supports the business. However. which flows stress certain routers and links (using key-fields of active flow: source and destination IP. days. Using NetFlow for congestion control A traditional method of performance monitoring is using SNMP (Simple Network Management Protocol). if the system detects that some network elements work with too low rates.  we can collect statistics only about interested interfaces.

The system usually changes routing tables and traffic rates. so we can manually change the network state. Ordinary files can be used. Each alert corresponds to a resource of a network element. Instead of previous case this system makes changes in automatically mode. Last system is the most effective one. we can detect incipient congestion. but more complex.  On-line monitoring system. but for large networks it should be a database.existing problems. First system can’t prevent serious congestion problems. the system signalizes about incipient congestion. A system can be organized as a collection of alerts. it may be inconvenient. Types of system are listed in increasing order of efficiently. where we analyze collected information). The system can change parameters and state of the network online. but we should make changes manually and if the network is large. If usage of the resource exceeds assigned threshold. We obtain information about the network online.g. this system works automatically. A necessary part of the congestion control system is data storage. .  Controlling system. we can only analyze causes of these problems. Using the next system. The system analyzes and collects information simultaneously (instead of previous case. capacity and topology planning). If we have collected information for a long period. we plan changes of our network (e.

12. We can replace our routers corresponding to their load.1.1. Example of congestion control system We would like to discuss simple congestion control system in Java.15 => 10. 2.1. which are generated artificial): A. Hosts are sorted in increasing order by total traffic.6 10. We can see conversations. 3.6 => MB) 42% (121. 2.1:29750 10.1.2 10. B.12.1. total traffic and a distribution of the traffic over different periods of a day (we assume that a day consists of six 4-hour periods). timestamps.7 MB . The collector saves necessary fields of packets to a file (source and destination IPs and ports.1 MB 11. 5. Configuring hosts in the network to send NetFlow v5 packets to our NetFlow collector.1.4 => 10.12.6 MB 15.1.8 MB [6%-22%-23%-40%-3%-4%] 2777. Collecting information about network flows for a long period.14 4. so if we want to unload the link.12.6 MB 11.13:29792 10. we should change the path of one of these conversations.1.4. Analyzing tables and changing network parameters.12. 4.1.9 MB) 5% (15.12. etc.11 10.5 => 10.12 Total 2763. 3.12.14:16906 Total: 288.12.11 10. protocols. The load of hosts IP 10. number of Layer 3 bytes.12.1. If we change the path of last conversation. 10. In this example we see.1.1.6:12352 which are using maximal bandwidth.12.1.6 MB [1%-22%-21%-33%-16%-3%] 4523.3 MB [5%-13%-22%-20%-13%-25%] Using the table we can estimate the load of each host. C. 4.16 10.8:20644 -> -> -> 10.12. it doesn’t change the load of the link essentially.12. For each host we show its IP address.2 MB => 10. The load of links 10. Building some tables for analyzing the state of the network.1.7 MB 52% (151. that first two conversations load the link most of all. Using of our system consists of the following steps: 1. The most unloaded links 1. To analyze data we build the following statistical tables (to make examples more clear we use NetFlow packets.10 10.7 MB) The example shows statistic for a link.4:23725 10.).8 => 10.

1.7 48.4 MB (11%) These examples can be combined to produce tables that are more complex. For each conversation. We find hosts. output and total traffic.11% For each host we display the list of hosts.12.1.3 10.12. Conversations 10.1.1 :9015 149. Finally.8 10. . Last line contains protocol distribution for that host.12 -> => => => => => 10.2 :4157 473. Interactions with other hosts and protocol distribution 10. we change parameters of some network elements to unload bottlenecks. Use case: We are not satisfied by working of the service.14 62.12.3 MB (68%) 10. UDP . which interact with that host. which delay the service. which support this conversation.3 :21435 Total: 1400. we build the list of links. We also display distribution of the traffic over time (day is divided into six 4-hour periods).6 MB) 481. Each network service is assigned to one or more ports.0 MB [0%-2%-53%-31%-0%-12%] For each host we display input.12. which load bottlenecks.0 MB Protocols: TCP .We can use these links to unload other links.12.6 10.3 48. E.1. which interact with 10. we know links and routers.1 MB) 1104. to detect possible congestion and to make a decision about changes.16 10. Thus. So.12.6 10.3 MB) Conversation is defined by four parameters: source and destination IPs and ports. which are used for that conversation (in parentheses we show total traffic in the link).12.12.8 MB [0%-0%-62%-2%-0%-34%] OUT 292.14 10.4 13.1.12. We also display total traffic for each interaction.7 MB MB MB MB MB (of (of (of (of (of 811.12. which are located on Other .1.7 10. so we can estimate how many traffic the service produces and consumes.7 48.1.6 MB MB MB MB MB MB MB MB (33%) (31%) (16%) (10%) (4%) (1%) (0%) Active ports of the host (with total traffic).0 MB) 416.5 MB (14%) 10.1 :15681 237.7 48. which are using port 32001.1.8 10.6 :22222 27.12. We analyze the load of these elements and find “bottlenecks”.1.7 and find conversations.2 MB [0%-4%-47%-47%-0%-0%] IN&OUT 458.9 :31890 438.7 and uses port 32001. Active ports of host 10.1 *** IN 165. G.12.8 MB (5%) Total traffic: 91. D.14:28542 these tables permit to analyze the state of the network.7 10.6 4.1. Input and output traffic *** 10.12.3:29828 10.7 48. We know conversations. F.4 :9390 We show elementary examples.12.5 MB) 457.12.11%.

but the system doesn’t propose explicit actions to unload congested elements. . These solutions use special properties of flow-based traffic information to make data processing more effectively. Using our system network administrator obtains information about overloaded (and unloaded) elements. We have considered using NetFlow for network congestion control. the next step is developing algorithms. It is not satisfactorily for large data streams. sketches [17]). we can replace some of network elements (routers and links) and we can change the topology of the network. using information about conversations we can minimize traffic in the network). Thus. Suitable data storage is very important for such systems. To optimize network we can change routing tables on routers. so we should use another data storage in our system.g. Conclusion Network congestion is an actual problem today.5. We use ordinary files. aggregation databases [16]. Obtained data allow distributing application between hosts in optimal way (for example. but it is the simplest way. the system proposes optimal way to redistribute traffic). which analyze collected information and find a solution (for example. There are some novel solutions to support highspeed incremental collecting and analyzing traffic information (e. because NetFlow is very powerful tool for collecting information about network traffic.

RFC 5101. 3rd ACM SIGCOMM conference on Internet measurement.A Technical Overview (Cisco’s official site www. 2000. 2005. Claise. 2009. 1984. Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information. TCP Congestion Control. [13] A. Elsevier Computer Networks. [6] [7] [8] [9] S. Allman. R. 2008. RFC 4340. Fussenegger. Floyd. 2006. Lund. 2003. Histogram-based Traffic Anomaly Detection. [16] A. Floyd. 2007. Kind. IEEE Transactions on Network and Service Management. Michael J. Kohler. Stoecklin. 2004. Hurley. X. S. J. M. The Eternal Sunshine of the Sketch Data Structure. Gantenbein. C. B. V. E. Introduction to Cisco IOS NetFlow . . Karels. The Mathematics of Internet Congestion Control. Srikant. 263 p. D. pp. 67-68. S. Caracas. A. Stoecklin. Van Jacobson. Paxson. Hurley. Kind. M. Dimitropoulos. 1988. A Light-Weight and Scalable Network Profiling System. Congestion Avoidance and Control. Blanton. Congestion Control in IP/TCP Internetworks. 2005. 2004. M. [17] X. Datagram Congestion Control Protocol (DCCP). Cisco Systems NetFlow Services Export Version 9. A. Network Congestion Control: Managing Internet Traffic.cisco.com). P. Allman. Welzl M. RFC 5681. P. [11] [12] B. Floyd. Claise. Duffield. Dimitropoulos. S. RFC 896. [4] [5] M. 2008. M. [10] Cisco IOS Flexible NetFlow Technology White Paper (Cisco’s official site www. Specifying New Congestion Control Algorithms. 164 p. Handley. E. European Research Consortium for Informatics and Mathematics. RFC 2914. Dechouniotis. 3rd IEEE/IFIP International Workshop on Business-driven IT Management (BDIM 2008).com). Massar. [15] N. RFC 5033. Mining Semantic Relations using NetFlow. D. Kind.cisco. RFC 3954. Kind. Congestion Control Principles. Predicting resource usage and estimation accuracy in an IP flow measurement collection infrastructure.References [1] [2] [3] John Nagle. 2009 [14] A.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->