1 Analysis and Study on BGP Routing Information and Flow Data Yoshiaki HARADA Graduate School of Information Science and Electrical Engineering (ISEE)

1

Analysis and Study onBGP Routing Information and Flow Data

Yoshiaki HARADAGraduate School of Information

Science and Electrical Engineering (ISEE)Kyushu University

Takashi CHIYONOBU

Department of Electrical Engineering and Computer

Science (EECS)

Kyushu University

Koji OKAMURA

Computing and Communications Center

Kyushu University

2

Contents

Background AS and Internet routing

Purpose Analysis method

Method of collecting Flow Data and BGP table Method of analyzing Flow Data

Relationship of Flow Data and AS path length Ditribution of Destination ASes

Result Relationship of Flow Data and AS path length Distribution of Destination ASes

Conclusion

3

2

2

QGPOPas2523QGPOPas2523

KOREN(KR)

KOREN(KR)

CERNET(CN)

CERNET(CN)

SINET(JP)

SINET(JP)

SingAREN(SG)

SingAREN(SG)

ASIA-BB

ASIA-BB

ThaiSARN(TH)

ThaiSARN(TH)

APAN-JP

APAN-JP

ASnet(TW)

ASnet(TW)

HARNET(HK)

HARNET(HK)

AARNET(AU)

AARNET(AU)Abilene

(US)

Abilene(US)

JGN2

JGN2

TEIN2TEIN2

JP

CH

KR

AU

HK

SG

TH

TW

PHID

MY

CSTnet(CN)

CSTnet(CN)

Kyushu-u

VN

CommercialCommercial

CommercialCommercial

4

QGPOPas2523QGPOPas2523

KOREN(KR)

KOREN(KR)

CERNET(CH)

CERNET(CH)

SINET(JP)

SINET(JP)

SingAREN(SG)

SingAREN(SG)

ThaiSARN(TH)

ThaiSARN(TH)

APAN-JPAPAN-JP

ASnet(TW)

ASnet(TW)

AARNET(AU)

AARNET(AU)Abilene

(US)

Abilene(US)

JGN2

JGN2

JP

CH

KR

AU

SG

TH

TW

Oct. 2005Oct. 2005

Kyushu-u

5

QGPOPas2523QGPOPas2523

KOREN(KR)

KOREN(KR)

CERNET(CH)

CERNET(CH)

SINET(JP)

SINET(JP)

SingAREN(SG)

SingAREN(SG)

ASIA-BB

ASIA-BB

ThaiSARN(TH)

ThaiSARN(TH)

APAN-JPAPAN-JP

ASnet(TW)

ASnet(TW)

HARNET(HK)

HARNET(HK)

AARNET(AU)

AARNET(AU)Abilene

(US)

Abilene(US)

JGN2

JGN2

JP

CH

KR

AU

HK

SG

TH

TW

Nov. 2005Nov. 2005

Kyushu-u

6

QGPOPas2523QGPOPas2523

KOREN(KR)

KOREN(KR)

CERNET(CH)

CERNET(CH)

SINET(JP)

SINET(JP)

SingAREN(SG)

SingAREN(SG)

ASIA-BB

ASIA-BB

ThaiSARN(TH)

ThaiSARN(TH)

APAN-JPAPAN-JP

ASnet(TW)

ASnet(TW)

HARNET(HK)

HARNET(HK)

AARNET(AU)

AARNET(AU)Abilene

(US)

Abilene(US)

JGN2

JGN2

TEIN2TEIN2

JP

CH

KR

AU

HK

SG

TH

TW

PH

ID

MY

Jan. 2006Jan. 2006

Kyushu-u

7

Background – Autonomous system

AS(Autonomous system) Collection of IP networks and routers under the

control of one entity (or sometimes more) that presents a common routing policy to the Internet.

An Internet Service Provider (ISP) A very large organization

AS numbers are currently 16-bit integers, which allow for a maximum of 65536 assignments.

AS2508 ：　 Kyushu University AS17522 : NTT West

8

Background – Routing Protocol

Routing Routing is the technique by which data finds its way from one

host computer to another. Routing Protocol in Internet

IGP(Interior Gateway Protocol) IGP is a protocol for exchanging routing information between

gateways (hosts with routers) within an autonomous network (RIP,OSPF)

EGP(Exterior Gateway Protocol) EGP is a protocol for exchanging routing information between ASes

(BGP,EGP). EGP use AS path length (the number of AS a route has traversed)

as a guide of selecting route.

9

Background – AS path length and internet routing

ASconnectioncommunication

Kyushu Univ.AS2508

QGPOPAS2523

Korean telecom AS4766

IIJAS2497

ATT-internet4AS7018

This route is shorter than existing route

New connection

BGP select the shorter route (AS path length 3)

New ASAS????

New AS

BGP select the shotest route (AS path length 4)This route is shorter

than existing route

Communication between AS2508 and AS4766 (AS path length 5)

10

Background – Relationship of Flow Data and AS path length

In Internet, route is changing by appearance of new ASes and new connecion between existing ASes

Those analyzing result between the Flow Data and the change of AS path should be useful for constructing future Internet

We analyzed the colleration between AS path length and Flow data in Internet

11

Background – Distribution of communication target

SINETAS2907

KORENAS9270

Kyushu UniversityAS 2508

Tokyo UniveresityAS2501

Kyoto UniversityAS2504

Japanese Universities

QGPOPAS2523

commercial ISPs etc.

Asian research network

We believe that the correlation of communication target is biased

small traffic

many traffic

12

Background – Distribution of Destination ASes

A certain organization is not all of ASes existing in internet

For example: Kyushu University is frequently communicate with Kyoto Univerisity

We assume that the correlation of communication target is biased.

We analyze distribution of destination ASes from Flow Data in Internet

13

Analysis method – BGP table and Flow Data We use the collecting Flow Data exported from QGPOP and

Kyushu University, and use the BGP table exported from QGPOP Flow Data

Sampling rate is 1 / 10 QGPOP: every 4 weeks 　（ 2004/10/13 ～ 2006/01/04 ） Kyushu University : every weeks (2004/10/13 ～ 2006/01/)

KOREN

SINET

QGPOPInformation communication network dedicated to academic research

Korea Advanced Research Network

Flow Data and BGP table

IIJ

Internet Initiative Japan

Kyushu University

Univerisies

Researchinstitutes

Universities and research institutes

14

Analysis method – Detail of BGP table and Flow Data

BGP table

We calculate AS path anddestination AS from Flow

Data and BGP table

destination IP addresssorce IP address

destination (source)AS number

destination IP address

Flow Data

AS path

15

Result – Relationship of AS path length and flow data

average AS path length of flows

average AS path length of packets

Average AS path length of packets had decreased through a year

16Distribution of packets and AS path length

Result – Relationship of AS path length and flow data

80% of packets flows less than AS path length 5

17

Consideration – Relationship of Flow Data and AS path length

There are many communication which have short AS path length

Average AS path length had increasing through a year

Flow Data include illigal access, and this analysis is adversely affected

We analyzed only the traffic data of HTTP in Flow Data to cut out mal-accesses caused by such as virus

Port number 80 (Web access)

18

average AS path length of flows

average AS path length of packets

Result – Time change of average AS path length in port 80 traffic

Average AS path length of flows had decreased through a year

19

Result – Distribution of packets and AS path length in port 80 traffic

20

Consideration – Analysis of port80 traffic

Relationship of AS path length and Flow Data A pair of ASes which have short AS path length

communicate frequently Average AS path length are increasing in all flows

Relationship of Flow Data In port 80 traffic Average AS-path length that was calculated from length per one

flow had been decreased The number of flows that have shorted AS-path length was

increased AS-path length between ASes that communicates frequently had

shortened

21

Result – Detail of ASes

We analyze the detail of ASes to find the reasons of decreasing average AS path length We find two decreasing reasons of AS path length

Two Microsoft’s AS is united Frequenty communicating AS’s path was shortened

The number of communication between Ases which have short AS path had increased

Between AS18088 （ QIC) and AS2508(Kyushu Univ.) etc. AS path length 3 is shorter than average AS path in all

flows.

22

Result – Time change of the number of communication target ASes

The number of ASes existing in Internet is about 20,000

Kyushu University communicated with about a half of ASes in Intenret ?

around 9,000 ASes

23

Result – Distribution of percentage of packets

2004/10/20SINET

2005/8/31Kyoto University

100 ASes (0.5% of ASes existing in Internet) accounts

for around 70% of traffic

24

Consideration – Distribution of destination ASes

Time change of communication target We analyzed Flow data from 2004/10 to 2006/01 Kyushu University communicate up to 9000 ASes.

Bias of communication A small propotion of ASes account for almost of traffic

It is not expected that a half of ASes existing in Internet communicated with Kyushu Univerisity

We analyze the Flow Data in port 80 traffic to cut off illegal accesses

25

Result – Time change of the number of target ASes in port 80

Kyushu University communicated between around 2000 and 2500 ASes

Communication target is biased

2000 ASes are around 10% of ASes existing in Internet

26

Result – Distribution of percentage of packets in port 80

2005/8/31Kyoto University20 ASes (0.1% of ASes existing in

Internet) accounts for 50 % of traffic

80 ASes (0.4% of ASes existing in Internet) accounts for 80% of traffic

27

Consideration – Distribution of Destination in port 80

Time change of communication target in port 80 We analyzed Flow data from 2004/10 to 2006/01 Kyushu University communicated from 2200 to 2400

ASes.

Bias of communication A small propotion of ASes account for almost of traffic

as in the analysis of all flows 20 (0.1%) ASes accounts for 50 % of traffic 80 (0.4%) ASes accounts for 80% of traffic

28

Result – Time change of communication targaet and traffic

We analyze Flow Data by comparing between 2005/11/09 with 2004/11/10

A half of communicating ASes are changed for a year, but there are few

change in traffic

ASes existing through a year account for almost traffic

1365921 1232

2004 : 95%2005 : 91%

The numer of ASes

The percentage of packets

2004/11/10 : 22562005/11/09 : 2286

29

Result – Detail of communicating ASes

ASes which have a lot of traffic through a year Japanese major ISPs , for example AS23816 （ Yahoo! Japan ） and

AS4713 （ OCN ） , are high on the list on traffic, and communication bias is not change

Kyoto Univerisity’s traffic had increasing

ASes which have communication on only 2004/11 ASes are integreted into other AS, for example AS7072 (Microsoft)

and

ASes which have communication on only 2005/11 AS 5572 (BOTIC AS) and AS 30968 (Info Box),which are Russian AS ,

and have a lot of traffic in 2005/11

30

Conclusion

Relationship of Flow data and AS path length Average AS path length had been increased during one year Average AS-path length that was calculated from length per one

flow for HTTP had been decreased The number of flows that have shorted AS-path length was

increased AS-path length between ASes that communicates frequently had

shortened Distribution of destination ASes

Kyushu university had been communicated with half of ASes that exist on the Internet in one year

80% of flows belong to only 0.7% of AS in the whole Internet In port 80 traffic, Kyushu University were communicating with

from 2200 to 2500 ASes 50% of packets is transmitted by the 20 ASes that are most

frequently communicating with Kyushu University

31

Conclusion – Future work

We could find the relationship of AS path length and flows, but could not find the relationship of AS path length and packets in port 80 traffic We should decrease the time of data collecting to

find the relationship of AS path length and packets

If we organize the communication target in country and region, we will be able to find new correlation

32

Thank You!