Prefix Clustering

1
Prefix Clustering

• By
• Manish Agarwal

2
Outline

• Two Papers
• D. G. Andersen, H. Balakrishna et al, Topology
  inference from BGP Routing Dynamics
• Y. Afek, O. B. Shalom and A. B. Barr, On the
  structure and application of BGP policy Atoms

3
Outline

• Two Papers
• D. G. Andersen, H. Balakrishna et al, Topology
  inference from BGP Routing Dynamics
• Y. Afek, O. B. Shalom and A. B. Barr, On the
  structure and application of BGP policy Atoms

4
AIM of the Paper 1

• Topology inference from BGP Routing Dynamics

• Proposes a method to infer logical
  relationships between network prefixes within an
  Autonomous System (AS) using only passive
  monitoring of BGP messages

5
Main Idea
Topology inference from BGP Routing Dynamics

• Clustering of Prefixes based upon similarities
  between their frequency of update

6
Clustering Mechanism

• Input Time series of routing updates
• (An update is any BGP routing message that is
  specific to a prefix announcement or
  withdrawal)
• Updates are ordered by timestamp of reception and
  contains the prefix that was affected
• Group the prefixes that are frequently updated in
  the same time window

7
Clustering Mechanism cont

• Distance Metric correlation between the two
  update streams
• Up(t) 1 if p updated during interval t
  and 0 otherwise

8
Clustering Mechanism cont

• Based on Up(t) calculate correlation between two
  prefixes as follow

9
Single-linkage clustering

• First computes the pairwise distances between
  objects (correlation) and stores them in sorted
  order
• Iterates through the prefix pair from closest to
  farthest
• When encounter new node in a pair, join it to its
  neighbor or neighbors cluster if the
  neighborhood already clustered
• If prefixes are in different clusters, merge the
  clusters

10
Single-linkage clustering cont..
11
Data Collection
Genuity
Northeast exchange
Collected 70 Million BGP announcement
12
Data Collection cont.

• Performed clustering on
• 2338 prefixes announced by AS 701 (UUNET)
• 1310 prefixes announced by AS 7018 (ATT)
• Time Window 30 secs

13
Results

• UUNET ends up with 6 clusters after 2.3 million
  comparisons
• ATT ends up with 5 clusters after 800k
  comparisons

14
Metrics to evaluate the clusters

• Are the clustered IP Addresses adjacent to each
  other ? used IP address similarity
• Are the Prefixes routed to the same destination ?
  DNS based POP comparison
• How deep into the network do the prefixes share a
  path ? Ratio of shared to unshared path length

15
Some examples for cluster evaluation

• The prefixes 200.50.192.0/19 and 196.3.153.0/24
  appear to have little to do with each other.
  Their traceroutes only stay together for 10 hops,
  to New York. An examination of whois data,
  however, reveals that both are in the Caribbean
  one in Jamaica, the other in Haiti.
• 199.230.128.0/23 and 204.154.48.0/21 are located
  about 45 miles away from each other in Illinois
  but traceroute doesnt reveal this, because the
  default route to one now goes through a different
  provider, with a backup link to UUNET. This
  relationship was only exposed by using the
  historical data of BGP updates.

16
Some examples for cluster evaluation

• 205.159.243.0/24 and 204.86.96.0/24 share only 10
  traceroute hops, but they both end up in the same
  UUNET PoP in Chicago 18 hops later, following a
  parallel load-balanced path.

17
Results
Implication Compatible with the idea that
providers allocate IP addresses in a logical
hierarchical fashion
Two adjacent netblocks have a distance of
zero. Two netblocks separated by a class C
netblock would have a distance of 28, and so on.
18
Results
The Pairwise shared/total traceroute hops
19
Results
It suggests that many BGP Updates occur for
multiple prefixes at the POP level
We see that UUNET reduces well from 2337 to
about 1200 clusters while retaining 95 POP
Level accuracy and ATT from 1310 to 900 with 97
accuracy
20
Conclusion

• Temporal structure of BGP messages can reveal
  interesting and important relationships between
  IP prefixes
• Clustering of prefixes inside UUNET can reduce
  the number of prefixes by about 50 while
  grouping 97 of the prefixes into groups that
  represent the same ISP POP

21
Outline

• Two Papers
• D. G. Andersen, H. Balakrishna et al, Topology
  inference from BGP Routing Dynamics
• Y. Afek, O. B. Shalom and A. B. Barr, On the
  structure and application of BGP policy Atoms

22
What are Policy atoms ?

• Broido and Claffys definition Groups of
  prefixes sharing a common BGP AS path at any
  internet backbone router. Prefixes missing in any
  route table were not considered in calculation
• By this paper A group of prefixes p such
  that for any index i,j, prefixes Pi, Pj belonging
  to p and for any router A that hold a full BGP
  table in the internet, BGP route from A to Pi
  equals A to Pj

23
What are policy atoms ? Cont..

• If some prefixes are missing from the view point
  of some internet router, they are put into
  different atoms from those that are seen by the
  router even if they shared a common AS path on
  all routers that saw both groups

24
Example of calculation of policy atoms
25
Example of calculation of policy atoms
26
Calculation of policy atoms

• RIPE Database for 13 peer routers was used to
  calculate policy atoms
• Two ways to calculate atoms
• Snapshot Method Uses route table information
  supplied in the RIPE snapshot. Could not capture
  changes at the time of snapshots
• Quiet Period For each snapshot, route table was
  tracked for next 4 hours for any update of that
  prefix. Thus at each 1000 second checkpoint, atom
  was calculated.

27
Results

• General statistics for ASs and atoms

28
Results

• General statistics for ASs and atoms
• Average number of atoms calculated was 25k
• The number of atoms is much closer to the number
  of ASs seen (12.5k) than to the number of
  prefixes seen (115k)

29
Results
Stability of Policy Atoms
Implication Keeping the atom membership
information accurate to within 2-3 in a
distributed environment may only take a
few Thousand updates in a few hours time window
30
Results
Correlation of atom structure to internet update
records
31
Results

• Correlation of atom structure to internet update
  records
• Number of atoms seen in their entirety in an
  update was about 70-75 of the number of updates
  seen
• 86 updates contained information for members of
  single atom only and 10 of 2 atoms only

Implication Atomicity of updates
32
Results
85 of the atoms are Created between the Source
AS and its Immediate peers Implies Policy
Atoms Are created by Policy
33
Results

• Compressing BGP update traffic
• As a result of the good correlation of atom
  structure to BGP update traffic, it is possible
  to compress the BGP update traffic by replacing
  references to all prefixes in an update with the
  ID of the atom they belong to.

34
Conclusion

• Atoms are real entities
• Atoms could be used to achieve saving in
  bandwidth in internet routing updates

35
Future Work

• Getting the knowledge of the atom structure
  proliferated to all internet routers (Ex
  Central body performing the calculation and
  distributing the results)
• Network Fault handling Network fault affect
  whole atoms. Knowing the atom structure may allow
  the better understanding of the scope of a fault
  and thus support a more efficient reaction to the
  fault