MonNet status


MonNet status
Sven Tafvelin
Chalmers
Original configuration (diagram): Router connected to the DWDM equipment.
Measurement configuration (diagram): optical splitters inserted between the Router and the DWDM equipment, feeding the measurement computers ("Measurem. comp") through a Gigabit Ethernet switch.
What can the traces be used for?
• Network statistics (of course)
• What type of traffic the network is used for
• Changes of network usage over time
• Application behaviour on the net
• Delay properties
• Network stability
• Network forensics
Performance issues
In general a 10 Gbit/s connection can potentially generate a very large amount of trace data, at a speed which even fast computers have trouble sustaining.
We have 6 fast disks used in parallel and have achieved a sustained write speed of about 480 Mbyte/s, corresponding to 3.8 Gbit/s, which is substantially less than 10 Gbit/s.
Performance issues (2)
On the other hand:
• We will not store user data
• The links are generally not fully loaded
Trace formats are incompatible (1)
There is no standard for trace formats. The number of alternatives is large, and many also exist in incompatible versions:
• PCAP – from libpcap
• DAG/ERF – from Endace equipment
• FR, FR+, TSH – from NLANR
• CRL – from Coral/CoralReef
• etc.
Trace formats are incompatible (2)
Conversion programs exist between some of these formats, but converting usually means losing information: we can only keep information which can be represented in both formats.
Trace sanitization and desensitation
Immediately after the trace is captured (or in parallel with capturing it), it needs to be processed. Sanitization means that the trace is processed as follows:
• Obvious start/end problems are adjusted
• Time stamp information is improved as much as possible
• Correctness is checked
• Traces may need to be merged
Desensitation
Often the equipment will capture more information than is allowed:
• Surplus information needs to be removed
• IP# need to be anonymized
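The sanitization and desensitation steps above, as an added Python example (not MonNet code; the pcap bytes are constructed inline, not captured traffic). It parses the libpcap file format named in the trace-format list, keeps only the Ethernet/IPv4/TCP headers of every packet so that no user data is ever stored, drops an incomplete trailing record (an end-of-trace problem), and counts timestamps that run backwards so they can be corrected later. Function and report-field names are my own.

```python
import struct

# libpcap file layout (little-endian magic, microsecond timestamps)
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
HEADER_BYTES = 14 + 20 + 20             # Ethernet + IPv4 + TCP headers, no options


def build_record(ts_sec, ts_usec, payload):
    """Constructed Ethernet/IPv4/TCP frame around a fake payload (sample data, not captured)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    frame = eth + ip + tcp + payload
    return REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_trace(records):
    """Constructed pcap file: global header followed by the records."""
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join(records)


def sanitize(data, keep=HEADER_BYTES):
    """Return (sanitized pcap bytes, report).  Keeps at most `keep` bytes per packet so user
    data is not stored, drops an incomplete trailing record, and counts timestamp regressions."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("file shorter than a pcap global header")
    magic, major, minor, tz, sigfigs, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    out = [GLOBAL_HDR.pack(magic, major, minor, tz, sigfigs, min(snaplen, keep), linktype)]
    report = {"packets": 0, "truncated": 0, "bytes_dropped": 0,
              "timestamp_regressions": 0, "trailing_bytes_dropped": 0}
    off, last_ts = GLOBAL_HDR.size, None
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(data, off)
        start = off + REC_HDR.size
        if start + incl_len > len(data):   # header promises more bytes than the file holds
            break
        ts = ts_sec * 1_000_000 + ts_usec
        if last_ts is not None and ts < last_ts:
            report["timestamp_regressions"] += 1   # clock went backwards; flag for correction
        last_ts = ts
        body = data[start:start + incl_len]
        if len(body) > keep:
            report["truncated"] += 1
            report["bytes_dropped"] += len(body) - keep
            body = body[:keep]                     # payload removed, orig_len still records the size
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(body), orig_len) + body)
        report["packets"] += 1
        off = start + incl_len
    report["trailing_bytes_dropped"] = len(data) - off
    return b"".join(out), report


def demo():
    """Three constructed packets (the second with a timestamp earlier than the first) plus a
    record cut off mid-write, as happens when a capture is stopped."""
    records = [build_record(100, 0, b"A" * 100),
               build_record(99, 500_000, b"B" * 100),
               build_record(101, 0, b"C" * 100)]
    partial = REC_HDR.pack(102, 0, 154, 154) + b"\x00" * 30
    return sanitize(build_trace(records) + partial)


if __name__ == "__main__":
    _, rep = demo()
    print(rep)
```

The output file's snaplen field is lowered to the kept byte count so that tools reading the sanitized trace know the packets were deliberately cut, while orig_len keeps the wire size needed for volume statistics.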
Ethics issues
There are people who regard the Internet as the last bastion of total freedom and therefore don't want traffic traces taken at all.
The current political debate is going in the other direction: police, authorities etc. will be able to get rather detailed information about Internet traffic.
Trace anonymization
There is a (vague?) connection between the IP# recorded in the packets and the person behind the keyboard. Therefore there is a general wish to anonymize the IP# without destroying the value of the trace when the traffic is analyzed.
Trace anonymization (2)
Trace anonymization is regarded as important. This means that the IP# in the trace should systematically be replaced by a pseudonym IP#.
We want the replacement to be prefix preserving. This means that if two IP#s belong to the same subnet, the pseudonyms will also seem to belong to the same subnet.
Trace anonymization (3)
There are two well known methods for prefix preserving anonymization:
1) TCPdpriv is almost a standard which every new proposal is measured against. It is prefix preserving but there is a major problem: the pseudonym IP# depends on the order of the original IP#s. Therefore the same IP# will get different pseudonyms in different traces! This makes it impossible to merge two traces, for example.
Trace anonymization (4)
2) Crypto-PAn solves this problem. It uses encryption algorithms and, given a certain key, it will always translate an IP# into the same pseudonym IP# and be prefix preserving on all levels.
If the key is not known the pseudonym IP# cannot be inverted.
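Both points (3) and (4) above, as an added Python example that is neither TCPdpriv's nor Crypto-PAn's code. cryptopan_style follows Crypto-PAn's construction, where output bit i is input bit i XORed with a keyed pseudo-random function of the first i input bits, but uses HMAC-SHA256 where the real tool uses AES; with the key the mapping can be inverted, without it there is nothing to invert. OrderDependentAnonymizer is a toy prefix-preserving scheme that assigns each prefix-tree node its flip bit from a running counter on first visit, which reproduces the order dependence the slides describe for TCPdpriv without being TCPdpriv's algorithm. The key and addresses are constructed values.

```python
import hashlib
import hmac
import ipaddress


def _flip(key, depth, prefix):
    """Keyed PRF bit for the prefix-tree node at `depth` reached by original bits `prefix`.
    Crypto-PAn uses AES here; HMAC-SHA256 stands in for it in this example."""
    msg = depth.to_bytes(1, "big") + prefix.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def cryptopan_style(ip, key):
    """Prefix-preserving pseudonym: output bit i = input bit i XOR PRF(key, first i input bits).
    Two addresses sharing k leading bits get pseudonyms sharing exactly k leading bits, and the
    same key always gives the same pseudonym, whatever trace the address appears in."""
    addr = int(ipaddress.IPv4Address(ip))
    out = 0
    for i in range(32):
        bit = (addr >> (31 - i)) & 1
        out = (out << 1) | (bit ^ _flip(key, i, addr >> (32 - i)))
    return str(ipaddress.IPv4Address(out))


def cryptopan_style_invert(pseudo, key):
    """With the key, original bits are recovered one at a time; each recovered prefix is
    exactly the PRF input needed for the next bit."""
    p = int(ipaddress.IPv4Address(pseudo))
    addr = 0
    for i in range(32):
        bit = ((p >> (31 - i)) & 1) ^ _flip(key, i, addr)
        addr = (addr << 1) | bit
    return str(ipaddress.IPv4Address(addr))


class OrderDependentAnonymizer:
    """Toy scheme (not TCPdpriv) showing the order problem: a node's flip bit is taken from a
    running counter when the node is first visited, so the table depends on the order in
    which addresses appear.  It is still prefix preserving within one trace."""

    def __init__(self):
        self.flips = {}   # (depth, prefix) -> flip bit

    def anonymize(self, ip):
        addr = int(ipaddress.IPv4Address(ip))
        out = 0
        for i in range(32):
            node = (i, addr >> (32 - i))
            if node not in self.flips:
                self.flips[node] = len(self.flips) & 1
            out = (out << 1) | (((addr >> (31 - i)) & 1) ^ self.flips[node])
        return str(ipaddress.IPv4Address(out))


def common_prefix_len(a, b):
    """Number of leading bits two dotted-quad addresses share."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def demo():
    key = b"constructed-demo-key-not-a-real-secret"   # constructed, not a real key
    a, b, c = "10.0.0.1", "10.0.0.2", "192.168.1.1"  # constructed addresses
    pa, pb = cryptopan_style(a, key), cryptopan_style(b, key)
    # Same addresses, two "traces" seen in opposite order, under the order-dependent scheme
    t1, t2 = OrderDependentAnonymizer(), OrderDependentAnonymizer()
    t1_a = t1.anonymize(a)
    t1.anonymize(c)
    t2.anonymize(c)
    t2_a = t2.anonymize(a)
    return {
        "cryptopan_shared_bits": common_prefix_len(pa, pb),   # 30, same as the originals
        "cryptopan_roundtrip": cryptopan_style_invert(pa, key),
        "order_dependent_first": t1_a,    # pseudonym of a when a was seen first
        "order_dependent_second": t2_a,   # a different pseudonym for the same a, seen second
    }


if __name__ == "__main__":
    print(demo())
```

Within each trace the toy scheme keeps subnets together, but because the table is built in order of first appearance the same address gets a different pseudonym in the two traces, which is exactly what stops traces from being merged; the keyed construction has no per-trace state, so the pseudonym depends only on the key.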
Research ethics
The MonNet project was accepted by the regional research ethics committee in August 2005.
Early traces
Early traces for short periods have been taken to test all facilities and software.
On Sept 6 three 6-minute traces were taken: 10.00-10.06, 15.30-15.36 and 20.00-20.06.
Some, not very interesting, results are here:
2005-09-06