Rutger Coolen, TNC 2005

Collaborative network monitoring for NREN’s

Use cases for LOBSTER

TNC 2005Rutger Coolen2

Agenda

• LOBSTER Viewpoints and Actors

• Use cases - Approach

• 2 example use cases for LOBSTER

• Your input

• Current Status

TNC 2005Rutger Coolen3

Viewpoints on LOBSTER

• Project viewpoint • LOBSTER is a “Specific Support Action” project under EU FP6

• Infrastructure viewpoint• The LOBSTER project realises a pilot infrastructure for

advanced network monitoring

• Community viewpoint• The owners and users of the LOBSTER infrastructure co-

operate in a community

TNC 2005Rutger Coolen4

Overview of the actors

• LOBSTER community• LOBSTER primarily aims at NREN’s• and secondarily at ISP’s

• Other potential users• Customers of NREN’s and ISP’s, including researchers• Government / policy-makers

TNC 2005Rutger Coolen5

• LOBSTER Viewpoints and Actors

• Use cases - Approach

• 2 example use cases for LOBSTER

• Your input & Current Status

TNC 2005Rutger Coolen6

Use Cases

• What use-cases are:• Applications of the LOBSTER infrastructure

• What use-cases are used for:• To demonstrate the benefits of LOBSTER• To derive requirements for the LOBSTER infrastructure

• What use-cases are not:• The (business) case for joining LOBSTER

TNC 2005Rutger Coolen7

Use Cases Inclusion of LOBSTER characteristics

Multiple domains Advanced

monitoring

Hig

h S

peedP

riva

cy

•Co-operation between NREN’s•Interdomain problems

•Beyond state-of-the-art monitoring capabilities•Distributed sensors

•Confidentiality reqs•Privacy legislation

•Anonymisation

•Advanced Hardware•Useful for advancedNREN & GN2 networks

Benefits for users

TNC 2005Rutger Coolen8

Use Cases Approach

Basic Use-Case Template: Structuring Use-Cases with Goals, Alistair Cockburn• http://alistair.cockburn.us

USE CASE # < the name is the goal as a short active verb phrase>

Goal in Context <a longer statement of the goal in context if needed>

Scope & Level <what system is being considered black box under design>

Preconditions <what we expect is already the state of the world>

Success End Condition <the state of the world upon successful completion>

Failed End Condition <the state of the world if goal abandoned>

Primary, Secondary Actors <a role name or description for the primary actor, and other systems relied upon to accomplish use case>

Trigger <the action upon the system that starts the use case>

DESCRIPTION Step Action

1 <put here the steps of the scenario from trigger to goal delivery,and any cleanup afte>

2 <...>

EXTENSIONS Step Branching Action

1a <condition causing branching> : <action or name of sub.use case>

SUB-VARIATIONS Branching Action

1 <list of variation s>

TNC 2005Rutger Coolen9

• LOBSTER Viewpoints and Actors

• Use cases - Approach

• 2 example use cases for LOBSTER

• Your input & Current Status

TNC 2005Rutger Coolen10

CSIRTanalysis

Use Case 1a - Collaborative Worm Detection1. On detection of a worm a signature is distributed

MP

NREN x

NREN 2NREN 1

MP MP

MP

MP

MP

MP

MPMP

MP Measurement Point, or Monitoring Sensor

TNC 2005Rutger Coolen11

Use Case 1a - Collaborative Worm Detection2. LOBSTER measurement points collect worm sources

MeasurementPoint

Worm listSource Customer10.0.0.1 Univ.110.0.2.4 R&D.210.1.1.2 Univ.2… …

copy of traffic

TNC 2005Rutger Coolen12

Use Case 1a - Collaborative Worm Detection3a. Incident Response Team takes actions

Block sources, or route to special web-site10.0.0.110.0.2.4…

Access Router forCustomers

WormSource IP’sCustomer X

MeasurementPoint

E-mail to customers

(1) (2)

TNC 2005Rutger Coolen13

Use Case 1b - Worm Impact Statistics3b. Anonymous data is combined in an overall picture

NREN 2NREN 1

MP MP

MP

MP

MP

MPAnonymousworm counts

NREN 1

Anonymous worm counts

NREN 2

TNC 2005Rutger Coolen14

Use Case 2a – Advanced Services Monitoring1. Inter- and intradomain call set-up and data-streams

NREN x

NREN 2NREN 1

Interdomain

Voice-over-IP

IntradomainVoice-over-IP

Interdomain

Video

Conferencin

g

TNC 2005Rutger Coolen15

Use Case 2a – Advanced Services Monitoring2. A user monitor’s the key parameters

NREN 2NREN 1

MP MP

Intradomain

MP

Ingress/ egress

(Partial) raw data fromother NREN

TNC 2005Rutger Coolen16

Use Case 2a – Advanced Services Monitoring3. Summary of advanced services parameters

NREN 2NREN 1

MP MP

MP

MP

MP

MP

NREN1 NRENx

NREN1 - 1024 calls/day1.12 Tb data/dayAvg. MOS = 4.12

NRENx … -

AdvancedServicesSummary

AdvancedServicesSummary

TNC 2005Rutger Coolen17

Use CasesOverview of primary actors per case

Case NREN ISP Customers Policy-makers

Security

Collaborative Worm Detection (case 1a) • • •Statistical

Worm Impact StatisticsStatistics (case 1b)

• •

Performance measurement

Advanced Services MonitoringQuality Measurement(case 2b)

• • •

Network Planning

Advanced Services MonitoringTraffic overview (case 2a)

• • •

TNC 2005Rutger Coolen18

More use cases…

• Security incident response• Spyware detection• Denial-of-Service attack: control traffic detection• Backdoor detection

• Performance measurement• Delay sensitive grid computing• On-line (educational) games

• Network traffic characterisation• Peer-to-peer applications• Services with dynamic ports

TNC 2005Rutger Coolen19

• LOBSTER Viewpoints and Actors

• Use cases - Approach

• 2 example use cases for LOBSTER

• Your input & Current Status

TNC 2005Rutger Coolen20

Your Input: questions or remarks

• Reaction on use cases

• Requirements for the infrastructure or community

TNC 2005Rutger Coolen21

Current status

• Implementation of pilot infrastructure by the LOBSTER consortium

• Initial community with Forthnet, Uninett, and Cesnet in 2005

• Establishing relation with Geant2/ JRA-1

• You are invited to join our efforts and become a pilot user!

TNC 2005Rutger Coolen22

Thank you