1. Field of the Invention
The present invention relates to a method for monitoring traffic in a network, wherein a monitoring activity of at least two monitoring probes of the network is coordinated by a coordinating means. Further, the present invention relates to a network wherein for monitoring traffic in the network a monitoring activity of at least two monitoring probes of the network is coordinated by a coordinating means.
2. Description of the Related Art
Monitoring is crucial both to the correct operation of a network and to the services that run on it. Operators perform monitoring for various purposes, including traffic engineering, quality of service, security and detection of faults and mis-configurations. Traffic relevant to these applications tends to flow through several points in the network, and so a distributed monitoring architecture is needed in order to track it.
Unfortunately, monitoring traffic in real-time and in a distributed way presents a range of difficult issues. The first of these is scalability: the volume of traffic to be monitored is rapidly growing, with reports stating that the annual global IP traffic volume will exceed half a zettabyte by 2012 and will nearly double every two years; this growth puts serious stress on any monitoring infrastructure. Flow-based monitoring helps to deal with this problem by operating at a coarser granularity while retaining the required resolution for fulfilling operators' needs. In addition, flow monitoring avoids the bias of packet sampling approaches against small flows, an important feature for security applications.
Monitoring such traffic requires a distributed infrastructure that allows the burden of the monitoring task to be shared among a wide set of probes scattered throughout the network. However, a coordination infrastructure for this set of probes is needed: in particular, since each traffic flow is likely to go through several probes at the same time, it is necessary to ensure that only one of these monitors and exports data about the flow. This necessity stems both from performance reasons, i.e. monitoring the same flow several times and exporting the associated reports wastes valuable resources, and accuracy reasons, i.e. accounting for the same flow several times can cause monitoring applications to arrive at wrong aggregated results.
Most of the proposed approaches for coordinating the activities of multiple probes are based on a centralized entity that, after collecting all of the necessary information about the traffic and the resources available on each probe computes an optimized configuration. One of the most representative examples of this kind of solution is Csamp, which assumes the coordination point to have the knowledge of the traffic matrix and the routing scheme, as well as the probes to be able to mark each packet with an Origin-Destination identifier. While this last assumption has been addressed by a more recent version of Csamp, this improvement comes at the cost of having to deal with a higher flow granularity and, therefore, generally yields a sub-optimal solution.
Besides the high-level of churn resulting from the updates, this centralized location presents scalability problems and a single point of failure. A refined version of Csamp has been proposed which addresses this problem but at the cost of a sub-optimal resource allocation. Csamp is described within “CSAMP: a system for network-wide flow monitoring”. Sekar, V., Reiter, M. K., Willinger, W., Zhang, H., Kompella, R. R., and Andersen, D. G. 2008. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (San Francisco, Calif., Apr. 16-18, 2008)”.
A single coordination point approach is not likely to scale up to large monitoring systems and makes the system scarcely resilient to failures. Furthermore, retrieving the traffic matrices and the routing state is not always possible, especially in the case of inter-domain monitoring, since operators are hardly willing to disclose such information to third parties. Furthermore, in order to issue a new monitoring configuration upon change of the network conditions, a centralized approach has to gather measurement data first, and then to compute a new, optimal solution; this may involve considerable latency, possibly causing inconsistent measurements.
Another solution uses probabilistic data structures to disseminate information about which probes are currently monitoring which flows. Such a solution is obtainable from “Scalable Coordination Techniques for Distributed Network Monitoring”. Sharma, M. and Byers, J. In Proceedings of the 6th Conference on Active and Passive Measurement (PAM 2005)” and basically involves using an epidemic algorithm in order to broadcast to every monitoring node a probabilistic data structure summarizing all of the flows which are currently being monitored. Such a model involves a high overhead in terms of exchanged traffic and does not scale well. Additionally, since probabilistic summaries usually allow for false positives, a certain number of flows is likely to escape monitoring. Unfortunately, the approach uses gossiping protocols, so does not scale to larger networks. In addition, a small fraction of flows may be monitored more than once, which may not be acceptable depending on the requirements of the network operator.
Further, from “Coordinated Sampling sans Origin-Destination Identifiers: Algorithms, Analysis, and Evaluation” Vyas Sekar, Anupam Gupta, Michael K Reiter, Hui Zhang Technical Report, CMU-CS-09-104 another method for monitoring traffic in a network is obtainable.