Leadership Laboratory
Applied Intelligence Analysis of Networks
June 16th, 2008
By Richard Porter
1. Traffic Analysis Concept
1.1 Observe Orient Decide Act
Concepts of operation can become problematic when technologists get caught up in the technology. Here we examine an Information Operations concept that provides an action model.
This model was crafted by one of the finest fighter pilots in the world who remained undefeated in aerial combat.
"Col. John Boyd, U.S. Air Force fighter pilot ace, developed the concept of the OODA Loop to describe the process needed to win at war. This model matured as he won aerial dogfights in Korea and Viet Nam and later used it to describe how to gain a competitive advantage in any situation. Recently, the OODA loop has begun to be applied to business and product development as a way to describe their decision-making cycles. In these situations, the loop often gets stuck at the D and the team is reduced to making a sound like OO-OO-OO. The OODA loop is a succinct representation of the natural decision cycle seen in every context: war, business, product development, or life."
[Figure 1.1]
This concept brings forth a mindset that applies to any situation. In this case we examine traffic control and the "Act" capabilities that provide better Quality of Service to traffic.
1.1.1 OODA: Observe
In order to understand which "Act" actions need to be taken, it is important to understand the observation capabilities available.
Several methods of observation are at our disposal. The Simple Network Management Protocol (SNMP) is used in many tools associated with observation. Using SNMP traps together with a common logging system (syslog) increases visibility into the network. For this conceptual examination we will stay within those two observation tools and protocols.
SNMP provides trap capabilities that report to central logging systems. A trap is an unsolicited notification the device sends when a condition occurs, such as an interface changing state, so traps cover only what the device chooses to report, and because they travel over UDP without acknowledgement they can be lost. Periodic polling of interface counters fills in utilization between events. SNMPv1 and v2c traps carry no authentication beyond a community string; SNMPv3 adds authentication. With this information you are given some level of visibility into network activity, enough to move to the next phase of the loop.
Syslog provides system-level logging and some network activity information. Standard syslog over UDP is likewise unauthenticated, so a message's origin cannot be trusted on its own. This information also helps in moving to the next phase.
With these two tools it is, with some research, possible to observe certain "Act" conditions automatically. Using the OODA model it would be possible to automate the loop with reporting to administrators. This reporting allows operators to interrupt the loop when needed.
1.1.2 OODA: Orient
As applied to network traffic management, this phase is analysis of the information provided by the observation phase. Using our two example observation methods, SNMP and syslog, we orient ourselves as to what behavior is occurring.
Is the behavior normal? Has something occurred that is not normal? In this case we use Quality of Service as the primary driver for the model. Our orientation, in this example, is that a customer is regularly bursting beyond their negotiated bandwidth. The customer may not be aware of the change in network behavior and will likely report an outage as packets begin to drop.
Plugging this into the OODA loop model, with automated tools, makes it possible to move into the Decide and Act phases.
1.1.3 OODA: Decide
The model below takes Col. Boyd's loop and applies it to business. In the diagram the Decide block includes "Managing Deliberation" and "Fusing Information" (Ullman 2007). Above it, "Observe" draws on the flow of "Implicit Guidance and Control" (Ullman 2007). In the world of network management this would be customer service policies or service level agreements.
[Figure 1.1.3]
Taking the information received through the different phases, a decision can be made. In the case of a bursting customer, several actions can be taken proactively.
1.1.4 OODA: Act
At the completion of the first loop we "Act". In the case of our bursting customer, this can be one of several actions.
With automated systems in place it is possible to notify the customer proactively. Actions could also include notifying an operator for manual intervention in the loop. If service level agreements are in place, it may also be possible to increase bandwidth to the customer automatically and temporarily. Any automatic change should stay within the bounds the agreement sets and should be driven by observations the system can trust, such as polled counters, rather than by a single unauthenticated trap or syslog message, which a third party could spoof.
Continuing through the loop, this temporary increase can be trended and acted upon repeatedly. If the customer is continually using more bandwidth, this can feed into your business model by offering the customer a different service level agreement.
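The four phases above, as one added example that is not part of the original paper: a Python script that runs a single pass of the loop over constructed observations. It parses RFC 3164 syslog lines, turns 64-bit interface octet counters (ifHCInOctets) into bit rates, classifies the port as bursting only after several consecutive polls above the committed rate, and maps that orientation onto the actions the agreement allows. The counter samples, syslog lines, the customer name cust-42, the interface name, the shaper message text and the SLA figures are all assumptions made for this example; only the syslog layout and the Counter64 wrap behaviour are standard.

```python
"""One pass of the OODA loop over constructed SNMP counter polls and syslog
lines. Observe -> bit rates, Orient -> normal/bursting, Decide -> SLA actions,
Act -> the actions are returned (a real system would drive the NMS/shaper)."""
import re

COUNTER64_WRAP = 2 ** 64  # ifHCInOctets is a Counter64 object

# Constructed SLA for a hypothetical customer port (all values are assumptions).
SLA = {
    "customer": "cust-42",
    "interface": "GigabitEthernet0/1",
    "cir_bps": 10_000_000,      # 10 Mbit/s committed information rate
    "burst_samples": 3,         # consecutive over-CIR polls before we act
    "temp_increase_pct": 25,    # the SLA permits a temporary 25% uplift
}

# Constructed 60 s counter polls: (unix_time, ifHCInOctets) for that port.
COUNTER_SAMPLES = [
    (1213600000, 1_000_000_000),
    (1213600060, 1_060_000_000),  #  60 MB / 60 s =  8.0 Mbit/s (within CIR)
    (1213600120, 1_165_000_000),  # 105 MB / 60 s = 14.0 Mbit/s (over CIR)
    (1213600180, 1_275_000_000),  # 110 MB / 60 s = 14.7 Mbit/s
    (1213600240, 1_390_000_000),  # 115 MB / 60 s = 15.3 Mbit/s
]

# Constructed RFC 3164 lines: <PRI>TIMESTAMP HOST MESSAGE. The shaper message
# format is invented; PRI 189 = facility 23 (local7) * 8 + severity 5 (notice).
SYSLOG_LINES = [
    "<189>Jun 16 10:03:03 edge-rtr-1 shaper: policy cust-42 GigabitEthernet0/1 drops 1823",
    "<189>Jun 16 10:04:03 edge-rtr-1 shaper: policy cust-42 GigabitEthernet0/1 drops 2210",
    "this line is not syslog and must be ignored",
]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
DROPS_RE = re.compile(r"policy (\S+) (\S+) drops (\d+)")


def parse_syslog(line):
    """Split an RFC 3164 line into facility, severity, timestamp, host and msg.
    Returns None for lines that do not match (receivers see plenty of those)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}


def bit_rates(samples):
    """Observe: bits per second between consecutive counter polls. The modulo
    handles a Counter64 wrap; a device reboot (counter reset) looks the same,
    so production code should also check sysUpTime between polls."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be in increasing time order")
        delta = (c1 - c0) % COUNTER64_WRAP
        rates.append(delta * 8 / (t1 - t0))
    return rates


def shaper_drops(lines, sla):
    """Sum the drop counts syslog reports for this customer's policy and port."""
    total = 0
    for line in lines:
        rec = parse_syslog(line)
        m = DROPS_RE.search(rec["msg"]) if rec else None
        if m and m.group(1) == sla["customer"] and m.group(2) == sla["interface"]:
            total += int(m.group(3))
    return total


def orient(rates, sla):
    """Orient: 'bursting' once the rate exceeds the CIR for burst_samples polls
    in a row; a single spike stays 'normal' so one noisy poll cannot trigger."""
    over = 0
    for r in rates:
        over = over + 1 if r > sla["cir_bps"] else 0
        if over >= sla["burst_samples"]:
            return "bursting"
    return "normal"


def decide(state, drops, sla):
    """Decide: map the orientation onto the actions the SLA permits."""
    if state != "bursting":
        return []
    actions = ["notify customer %s: sustained traffic above %d bit/s"
               % (sla["customer"], sla["cir_bps"])]
    if drops > 0:
        actions.append("notify operator: %d shaper drops on %s"
                       % (drops, sla["interface"]))
    if sla["temp_increase_pct"] > 0:
        new_rate = sla["cir_bps"] * (100 + sla["temp_increase_pct"]) // 100
        actions.append("temporarily raise shaper on %s to %d bit/s"
                       % (sla["interface"], new_rate))
    return actions


def run_loop(samples, lines, sla):
    """Observe, Orient, Decide and Act for one pass; Act here only reports."""
    rates = bit_rates(samples)
    state = orient(rates, sla)
    drops = shaper_drops(lines, sla)
    actions = decide(state, drops, sla)
    return {"rates": rates, "state": state, "drops": drops, "actions": actions}


if __name__ == "__main__":
    for action in run_loop(COUNTER_SAMPLES, SYSLOG_LINES, SLA)["actions"]:
        print(action)
```

The consecutive-sample threshold in `orient` is what keeps the loop from acting on one spurious poll, and `bit_rates` refuses out-of-order samples rather than silently producing a negative interval; both are the kind of guard a loop that is allowed to change a shaper automatically needs before it runs unattended.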
2. References
Ullman, D. G. (2007). "OO-OO-OO!" The Sound of a Broken OODA Loop. CrossTalk: The Journal of Defense Software Engineering. Retrieved 24 Feb 2008 from http://www.stsc.hill.af.mil/CrossTalk/2007/04/0704Ullman.html
Stevens, W. R. (2005). TCP/IP Illustrated, Volume 1, pp. 2-4. Addison Wesley.
Comer, D. E. (2006). Internetworking With TCP/IP, Volume I, Fifth Edition, p. 363. Pearson Prentice Hall.
======
Submitted by Richard Porter, rwporter@gmail.com