BENTO introduction

1
BENTO introduction
  • LINX43
  • London
  • November 17th 2003

2
Per Gregers Bilse
  • bilse_at_networksignature.com
  • Systems software and compiler development for
    Borland (Turbo Prolog), ports to OS/2 and UNIX.
  • Network Engineer / Architect / Manager /
    Director, EUnet, Amsterdam, The Netherlands.
  • Technical Leader, Cisco Systems, London, UK
  • Backbone Director, Metromedia / AboveNet, London,
    UK
  • Consultant and Contractor, London, UK

3
NETWORK MONITORING: WELCOME TO THE STONE AGE
  • severe lack of monitoring and management tools at
    level 3
  • existing tools work in terms of "lines" and
    "interfaces"; these are level 2 entities
  • more often than not, "network management" is
    "server management"
  • focus on server load, uptime, packet loss,
    latency, services
  • Editors' Choice award from PC Magazine
  • other efforts experimental, conceptual, off
    target, don't scale, and/or very expensive
  • more often than not, traffic analysis means
    TCP trace (next slide)

4
The world will now come to an end.

5
STONE AGE: STRATEGIC ISSUES
  • network abstraction is poorly understood outside
    the core networking community
  • Level 2 is all about MAC addresses
  • Level 3 is all about IP addresses
  • Level 4 is all about protocol and port numbers
  • Etc.
  • software developers don't embrace lateral
    abstractions such as the Autonomous System
    because it doesn't exist in the OSI model
  • there is a perceived problem of being unable to
    handle large volumes of data
  • there is no understanding of the need for real
    time or near real time tools

6
INTRODUCTION TO THE BRONZE AGE
  • Network Signature BENTO
  • BGP
  • Enabled
  • Network
  • Traffic
  • Organizer

7
WHAT EXACTLY IS IT?
  • a set of extreme performance server applications
  • receives NetFlow or packet header information,
    and BGP feed
  • maps IP addresses -> AS Paths
  • aggregates traffic information around AS Path,
    and stores data on disk
  • produces graphs and plots from aggregated
    information
  • can use any BGP attributes (but currently only
    paths)
  • works in almost real time (worst case two minutes
    behind)
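
The mapping and aggregation steps listed on this slide, as an added example (not BENTO's own code). The routing table and flow records are constructed samples, and the reading of "peer" as the first AS in the path and "home" as the last (origin) AS is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample BGP table: prefix -> AS path (documentation prefixes,
# private-use AS numbers).
RIB = {
    "198.51.100.0/24": (64500, 64510),
    "203.0.113.0/24": (64501, 64520, 64530),
    "203.0.113.128/25": (64500, 64530),  # more specific route must win
}
# Constructed sample flow records: (destination IP, bytes counted in samples).
FLOWS = [("198.51.100.7", 1500), ("203.0.113.200", 400),
         ("203.0.113.9", 600), ("192.0.2.1", 100)]  # last one has no route

def build_table(rib):
    """Parse prefixes once and order them longest-first for matching."""
    table = [(ipaddress.ip_network(p), path) for p, path in rib.items()]
    return sorted(table, key=lambda e: e[0].prefixlen, reverse=True)

def lookup(table, ip):
    """Longest-prefix match: AS path of the most specific covering route."""
    addr = ipaddress.ip_address(ip)
    for net, path in table:  # linear scan; a real table would use a trie
        if addr in net:
            return path
    return None  # destination not covered by any route

def aggregate(flows, table, sample_rate=1, mode="none"):
    """Sum estimated bytes per key.

    mode 'none' keys on the full AS path, 'peer' on the first AS and
    'home' on the last AS (assumed meanings). Sampled byte counts are
    scaled up by the sample rate to estimate real volume.
    """
    totals = defaultdict(int)
    for ip, nbytes in flows:
        path = lookup(table, ip)
        if path is None:
            key = "unrouted"
        elif mode == "peer":
            key = path[0]
        elif mode == "home":
            key = path[-1]
        else:
            key = path
        totals[key] += nbytes * sample_rate
    return dict(totals)
```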

8
The innards: From raw materials to finished product

9
Possible uses
  • network planning and optimisation (next slide)
  • real time network monitoring, detection of
    anomalous/malicious traffic (DOS)
  • can do a lot with fancy colours
  • future extensions with rule-based traffic
    evaluation
  • exchange case: what if I were to peer privately?
    Connect to another exchange?
  • the impossible dream: A Network Signature.
  • we have both routing information and
    corresponding traffic information
  • compare to historical data
  • five minutes ago
  • one hour ago
  • one week ago
  • one month ago
  • even this time last year
  • result: are we normal today?
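
The historical comparison described on this slide, as an added example (not BENTO's own code). The per-AS traffic figures are constructed, and the median baseline, the 2x ratio and the 10 Mbit/s floor are assumed values chosen for illustration.

```python
from statistics import median

# Constructed sample: bits per second per AS, now and at earlier snapshots.
CURRENT = {64510: 120_000_000, 64530: 900_000_000, 64540: 40_000_000}
HISTORY = {
    "five minutes ago": {64510: 118_000_000, 64530: 310_000_000},
    "one hour ago":     {64510: 110_000_000, 64530: 290_000_000},
    "one week ago":     {64510: 125_000_000, 64530: 300_000_000},
}

def baseline(history, asn):
    """Median of the historical values for one AS, or None if never seen."""
    vals = [snap[asn] for snap in history.values() if asn in snap]
    return median(vals) if vals else None

def compare(current, history, ratio=2.0, floor=10_000_000):
    """Answer "are we normal today?" per AS.

    Returns {asn: finding} where finding is 'surge' (traffic above
    ratio x baseline), 'drop' (below baseline / ratio) or 'new'
    (no history at all). ASs below `floor` on both sides are ignored
    so that small flows do not raise noise.
    """
    findings = {}
    seen = set(current)
    for snap in history.values():
        seen |= set(snap)
    for asn in sorted(seen):
        now = current.get(asn, 0)   # an AS missing today counts as zero
        base = baseline(history, asn)
        if base is None:
            if now >= floor:
                findings[asn] = "new"
        elif max(now, base) < floor:
            continue
        elif now > base * ratio:
            findings[asn] = "surge"
        elif now * ratio < base:
            findings[asn] = "drop"
    return findings
```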

10
The big question

11
BENTO at the LINX
  • What happens on the other side of the ethernet?
  • What if ?
  • Where does ?
  • How come ?
  • Dual 2G CPU AMD760MPX-based server, raid 1
  • Supports one router per AS number (technical
    limitation)
  • Connected to both fabrics, heavily filtered, no
    forwarding
  • Separate access interface
  • Users can only access their own information

12
BENTO at the LINX: How-To
  • register on bento.linx.net
  • AS number
  • IP address (exchange fabric, source of NetFlow)
  • optional list of SNMP interface numbers
  • sample rate
  • set up BGP session (tested with Cisco,
    Juniper/gated, Zebra/Quagga, Extreme)
  • configure NetFlow export (works with most
    anything, formats are highly compatible)
  • configure NetFlow accounting on relevant
    interfaces
  • Log in on bento.linx.net to view graphs

13
General Cisco configuration
    interface fe0/0/0
     ip route-cache flow
    ip flow-export version 5
    ip flow-export destination 1.2.3.4 12345
    ip flow-cache timeout active 1

14
General Juniper configuration, 1 of 3
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        input SampleAll;
                    }
                }
            }
        }
    }

15
General Juniper configuration, 2 of 3
    firewall {
        filter SampleAll {
            term all {
                then {
                    sample;
                    accept;
                }
            }
        }
    }

16
General Juniper configuration, 3 of 3
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 100;
                }
            }
            output {
                cflowd 1.2.3.4 {
                    port 12345;
                    version 5;
                }
            }
        }
    }

17
General appearance

18

Time
  • Thumbwheel controls
  • Offset moves back in time
  • Span selects size of chunk
  • Clock indicates pan-activated time lock

19
Protocol and path selection
  • Measurement selects bits or packets
  • Protocol includes different protocols
  • Path allows entry of a path regular expression

21

Aggregation
  • None shows path spectrum
  • Peer identifies and aggregates over all peers
  • Home identifies and aggregates over all home ASs
  • All does the same for all ASs
  • List allows individual selection

25

Sorting
  • Sum adds up in- and outbound traffic
  • In and Out selects single traffic direction
  • ASN sorts by AS number (first AS in path if
    viewing paths)
  • List sorts and maps by list of AS numbers

27
History comparison
  • History compare performs comparison between
    current data set and identical data set at an
    earlier time
  • Direction is for decluttering

29

Scale
  • By default BENTO will autorange
  • Override by specifying scale, e.g. 200M

30

Pan
  • Spectrum can be several thousand wide
  • Pan control allows inspection of entire spectrum
  • Use buttons, slider, or type reference into
    slider
  • Time is locked until manually released

32
Future Developments
  • History module for extended data storage (weeks,
    months, years)
  • Drill-down module to view underlying flow data
    with similar interface
  • Export module for import into databases,
    spreadsheets, billing, or just to keep FA busy
  • Alarm module, for rule-based triggering of NMS
    alarms via syslog or SNMP traps
  • All depend on real customers

33

Thanks!
  • Special thanks go to
  • Management and staff at LINX, AMS-IX, and Netnod
  • Helpful beta testers
  • All the people who said it couldn't be done
  • bilse_at_networksignature.com