Network administrators are often interested in detecting TCP-level packet reordering to diagnose performance problems and neutralize attacks. However, packet reordering is expensive to measure, because each packet must be processed relative to the TCP sequence number of its predecessor in the same flow. Due to the volume of traffic, the detection of packet reordering should take place in the data plane of the network devices as the packets fly by. However, restrictions on the memory size and the number of memory accesses per packet make it impossible to design an efficient algorithm for pinpointing the flows with heavy packet reordering. In practice, packet reordering is typically a property of a network path, due to a congested or flaky link. Flows traversing the same path are correlated in their out-of-orderness, and aggregating out-of-order statistics at the IP prefix level would provide useful diagnostic information. In this paper, we present efficient algorithms for identifying IP prefixes with heavy packet reordering under memory restrictions. First, we analyze as much of the traffic as possible by going after the largest flows. Next, we sample as many flows as possible, regardless of their sizes. To achieve the best of both worlds, we also combine these two methods. In all algorithms, we resolve the challenging interplay between measuring at the flow level and aggregating at the prefix level by allocating memory using prefix information. Our simulation experiments using packet traces from a campus network show that our algorithms are effective at identifying IP prefixes with heavy packet reordering using moderate memory resources.
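A simplified illustration of the measurement problem described above, as an added example; it is not code from the paper and does not reproduce its algorithms. It keeps one last-seen sequence number per flow in a fixed-size table and aggregates out-of-order counts by source prefix. The /24 prefix length, the thresholds, the collision policy, the function names and the sample packets are assumptions made for this example.

```python
import ipaddress
import zlib
from collections import Counter

def seq_before(a, b):
    """True if 32-bit TCP sequence number a precedes b (wraparound-safe)."""
    return a != b and ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF

def prefix_of(ip, length=24):
    """Map an IPv4 address to its enclosing prefix (assumed /24 here)."""
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))

def heavy_reordering_prefixes(packets, slots=1024, min_packets=3, min_fraction=0.2):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, seq).
    Returns {prefix: (out_of_order, measured)} for prefixes over both thresholds."""
    table = [None] * slots            # fixed memory: one (flow, last_seq) per slot
    ooo, measured = Counter(), Counter()
    for src, sport, dst, dport, seq in packets:
        flow = (src, sport, dst, dport)
        idx = zlib.crc32(repr(flow).encode()) % slots
        entry = table[idx]
        if entry is None:
            table[idx] = (flow, seq)  # first packet of a newly tracked flow
            continue
        if entry[0] != flow:
            continue                  # slot held by another flow: packet goes unmeasured
        pfx = prefix_of(src)
        measured[pfx] += 1
        if seq_before(seq, entry[1]):
            ooo[pfx] += 1             # lower sequence number than its predecessor
        else:
            table[idx] = (flow, seq)
    return {p: (ooo[p], measured[p]) for p in measured
            if measured[p] >= min_packets and ooo[p] / measured[p] >= min_fraction}

# Constructed sample: flow A (198.51.100.7) has one reordered packet; flow B
# (203.0.113.9) arrives second and loses the only slot when slots=1.
SAMPLE = [
    ("198.51.100.7", 40000, "192.0.2.1", 443, 1000),
    ("203.0.113.9", 40001, "192.0.2.1", 443, 9000),
    ("198.51.100.7", 40000, "192.0.2.1", 443, 3000),
    ("198.51.100.7", 40000, "192.0.2.1", 443, 2000),   # out of order
    ("203.0.113.9", 40001, "192.0.2.1", 443, 8000),    # reordered but unmeasured
    ("198.51.100.7", 40000, "192.0.2.1", 443, 4000),
    ("198.51.100.7", 40000, "192.0.2.1", 443, 5000),
]

if __name__ == "__main__":
    print(heavy_reordering_prefixes(SAMPLE, slots=1))
```

With a single slot, the reordering in flow B is never observed, which is the memory-versus-coverage tension the abstract describes.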