Browse > Article
http://dx.doi.org/10.3837/tiis.2014.04.009

Exploring Flow Characteristics in IPv6: A Comparative Measurement Study with IPv4 for Traffic Monitoring  

Li, Qiang (Tsinghua National Laboratory for Information Science and Technology, Tsinghua University)
Qin, Tao (MOE Key Lab for Intelligent Networks and Network Security, Xi'an Jiaotong University)
Guan, Xiaohong (Tsinghua National Laboratory for Information Science and Technology, Tsinghua University)
Zheng, Qinghua (MOE Key Lab for Intelligent Networks and Network Security, Xi'an Jiaotong University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.8, no.4, 2014 , pp. 1307-1323 More about this Journal
Abstract
With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.
Keywords
Traffic management; Comparative Measurement; Network Monitoring; IPv4; IPv6;
Citations & Related Records
연도 인용수 순위
  • Reference
1 N. Muraleedharan, "Analysis of TCP flow data for traffic anomaly and scan detection," in Proc. of 16th IEEE International Conference on Networks (ICON'08), pp. 1-4, 2008.
2 T. Qin, X. Guan, W. Li, P.Wang, M. Zhu, "A new connection degree calculation and measurement method for large scale network monitoring," Journal of Network and Computer Applications, 2013.
3 Q. Li, T. Qin, X. Guan, Q. Zheng, "Empirical Analysis and Comparison of IPv4-IPv6 Traffic: A Case Study on the Campus Network," in Proc. of Proceedings of 18th IEEE International Conference on Networks (ICON'12), Singapore, pp. 395-399, 2012.
4 B. Li, J. Springer, G. Bebis, M. Hadi Gunes, "A survey of network flow applications, Journal of Network and Computer Applications," 36 (2013) 567-581.   DOI   ScienceOn
5 A. Lakhina, M. Crovella, C. Diot, "Mining anomalies using traffic feature distributions," in Proc. of Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, ACM, Philadelphia, Pennsylvania, USA, pp. 217-228, 2005.
6 P. Casas, S. Vaton, L. Fillatre, I. Nikiforov, "Optimal volume anomaly detection and isolation in large-scale IP networks using coarse-grained measurements," Computer Networks, 54 (2010) 1750-1766.   DOI   ScienceOn
7 H. Jiang, Z. Ge, S. Jin, J. Wang, "Network prefix-level traffic profiling: Characterizing, modeling, and evaluation," Computer Networks, 54 (2010) 3327-3340.   DOI   ScienceOn
8 E.F. Harrington, "Measuring Network Change: Renyi cross entropy and the second order degree distribution," in Proc. of Proceedings of passive and active measurement conference, 2006.
9 N. Ye, S. Vilbert, Q. Chen, "Computer intrusion detection through EWMA for autocorrelated and uncorrelated data," IEEE Transactions on Reliability, 52 (2003) 75-82.   DOI   ScienceOn
10 G. Nychis, V. Sekar, D.G. Andersen, H. Kim, H. Zhang, "An empirical evaluation of entropy-based traffic anomaly detection," in Proc. of Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, ACM, pp. 151-156, 2008.
11 P. Haag, "Watch your Flows with NfSen and NFDUMP," in Proc. of 50th RIPE Meeting, 2005.
12 C. Estan, G. Varghese, "New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice," ACM Trans. Comput. Syst., 21 (2003) 270-313.   DOI   ScienceOn
13 T. Liu, X. Guan, Q. Zheng, Y. Qu, "A new worm exploiting IPv6 and IPv4-IPv6 dual-stack networks: experiment, modeling, simulation, and defense," IEEE Network, 23 (2009) 22-29.
14 C. Ciflikli, A. Gezer, A. Tuncay Ozsahin, O. Ozkasap, "BitTorrent packet traffic features over IPv6 and IPv4," Simulation Modelling Practice and Theory, 18 (2010) 1214-1224.   DOI   ScienceOn
15 C. Ciflikli, A. Gezer, A.T. Ozsahin, "Packet traffic features of IPv6 and IPv4 protocol traffic," Turkish Journal of Electrical Engineering & Computer Sciences, 20 (2012) 727-749.
16 F. Li, C. An, J. Yang, J. Wu, H. Zhang, "A study of traffic from the perspective of a large pure IPv6 ISP," Computer Communications, 2013.
17 R. Pang, V. Yegneswaran, P. Barford, V. Paxson, L. Peterson, "Characteristics of internet background radiation," in Proc. of Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, ACM, Taormina, Sicily, Italy, pp. 27-40, 2004.
18 Q. Wang, Z. Chen, C. Chen, "Darknet-Based Inference of Internet Worm Temporal Characteristics," IEEE Transactions on Information Forensics and Security, 6 (2011) 1382-1393.   DOI   ScienceOn
19 N. Brownlee, "One-Way Traffic Monitoring with iatmon," in Proc. of Passive and Active Measurement, Springer Berlin Heidelberg, pp. 179-188, 2012.
20 E. Glatz, X. Dimitropoulos, "Classifying Internet One-way Traffic," Perform. Eval. Rev., 40 (2012) 417-418.   DOI
21 M. Ford, J. Stevens, J. Ronan, "Initial Results from an IPv6 Darknet," in Proc. of International Conference on Internet Surveillance and Protection (ICISP'06), pp. 13-13, 2006.
22 E. Kohler, J. Li, V. Paxson, S. Shenker, "Observed Structure of Addresses in IP Traffic," IEEE/ACM Transactions on Networking, 14 (2006) 1207-1218.   DOI   ScienceOn
23 A. Lakhina, K. Papagiannaki, M. Crovella, C. Diot, E.D. Kolaczyk, N. Taft, "Structural analysis of network traffic flows," in Proc. of Proceedings of the joint international conference on Measurement and modeling of computer systems, ACM, New York, NY, USA, pp. 61-72, 2004.
24 X. Guan, T. Qin, W. Li, P. Wang, "Dynamic feature analysis and measurement for large-scale network traffic monitoring," Trans. Info. For. Sec., 5 (2010) 905-919.
25 L. Yuk-Nam, L. Man-Chiu, T. Wee Lum, L. Wing Cheong, "Empirical Performance of IPv6 vs. IPv4 under a Dual-Stack Environment," in Proc. of IEEE International Conference on Communications (ICC'08), pp. 5924-5929, 2008.
26 F. Huici, A.d. Pietro, B. Trammell, J.M.G. Hidalgo, D.M. Ruiz, N. d'Heureuse, "Blockmon: a high-performance composable network traffic measurement system," in Proc. of Proceedings of the ACM SIGCOMM 2012 conference on Applications, technologies, architectures, and protocols for computer communication, ACM, Helsinki, Finland, pp. 79-80, 2012.
27 E. Damergi, E. Mohamed, B. Ammar, "Network performance evaluation using traffic measurements," in Proc. of First International Symposium on Control, Communications and Signal Processing, pp. 523-526, 2004.
28 M. Thottan, C. Ji, "Anomaly detection in IP networks," IEEE Transactions on Signal Processing, 51 (2003) 2191-2204.   DOI   ScienceOn
29 K. Cho, K. Fukuda, H. Esaki, A. Kato, "The impact and implications of the growth in residential user-to-user traffic," SIGCOMM Comput. Commun. Rev., 36 (2006) 207-218.   DOI
30 A. Dhamdhere, M. Luckie, B. Huffaker, k. claffy, A. Elmokashfi, E. Aben, "Measuring the deployment of IPv6: topology, routing and performance," in Proc. of Proceedings of the 2012 ACM conference on Internet measurement conference, ACM, Boston, Massachusetts, USA, pp. 537-550, 2012.
31 J. Wu, J.H. Wang, J. Yang, "CNGI-CERNET2: an IPv6 deployment in China," SIGCOMM Comput. Commun. Rev., 41 (2011) 48-52.   DOI
32 Y. Wang, S. Ye, X. Li, "Understanding current IPv6 performance: a measurement study," in Proc. of 10th IEEE Symposium on Computers and Communications (ISCC 2005), pp. 71-76, 2005.
33 L. Zhang, H. Wang, S. Zhong, "A measurement study on BitTorrent traffic behaviors over IPv6," in Proc. of 2012 IEEE International Conference on Computer Science and Automation Engineering (CSAE), pp. 354-357, 2012.
34 W. Shen, Y. Chen, Q. Zhang, Y. Chen, B. Deng, X. Li, G. Lv, "Observations of IPv6 traffic, in: ISECS International Colloquium on Computing, Communication."Control, and Management (CCCM 2009), pp. 278-282, 2009.
35 N. Ao, C. Chen, "Understanding IPv6 user performance on private BT system," in Proc. of 4th IET International Conference on Wireless, Mobile & Multimedia Networks (ICWMMN 2011), IET, pp. 288-293, 2011.
36 W.-L. Shiau, Y.-F. Li, H.-C. Chao, P.-Y. Hsu, "Evaluating IPv6 on a large-scale network," Computer Communications, 29 (2006) 3113-3121.   DOI   ScienceOn
37 T.M. Raste, D.B. Kulkarni, "Design and implementation scheme for deploying IPv4 over IPv6 tunnel," Journal of Network and Computer Applications, 31 (2008) 66-72.   DOI   ScienceOn
38 E. Gamess, R. Suros, "An upper bound model for TCP and UDP throughput in IPv4 and IPv6," Journal of Network and Computer Applications, 31 (2008) 585-602. Article (CrossRef Link).   DOI   ScienceOn