Use Case

Fundamental Peering Analysis



Use Case Background

The core purpose of all service providers is to provide connectivity, and for many, it is connectivity to the internet. The network reaches the internet by a combination of transit and peering connections. Transit allows traffic from another network to cross or “transit” a provider’s network to the rest of the internet. Peering means that neither party pays the other for the exchange or transit of traffic.

Transit connectivity is often a major cost center leading to the desire to move as much traffic as possible to free peering. Although it remains impractical to peer with every potential partner network, reducing the percentage of traffic exchanged over transit can be a good cost-control strategy.


To identify potential peering opportunities, network operators need to be able to measure the volume of traffic to get a sense of scale and proportional impact of various candidates but also be able to correlate that volume with globally identifiable sources or destinations both from an addressing perspective but also from a routing topology perspective. Unfortunately, interacting with router-configuration tools or even using basic infrastructure-monitoring systems cannot say much about the traffic traversing the network let alone its origin or destination across the internet.


For many service providers, basic internet connectivity has become a commodity, largely indistinguishable among providers, leading to differentiation based on price and lower margins. In such an environment, cost control becomes the primary strategic objective, and the largest costs get the most scrutiny, including transit. Over time, the split of traffic volume between transit and peering has been pushed ever more towards peering with goals minimizing transit to less than 50%, 40%, 35%, and so on. Clearly, providers that can achieve the lowest transit volumes, and hence costs, will have the greatest advantage to both keep customers and preserve the most profit.


Proper peering analysis starts with pervasive volume measurement collected across the entire border in order to get the sense of the totality of the traffic volume. But it is also important to see the individual forwarding transactions and the attributes they contain to be able to distinguish among the users and applications sharing the network. And finally, it is essential to include routing topology as that is key to how to control what traffic is exchanged at both peering and transit connections as well as helps understand the potential paths across the internet. By bringing all these components together, it should be possible to see the top sources and destinations exchanged with the internet as well as see what routing paths and connection points those top patterns use at the border of the network. Having identified those origins as distinct from our transit and existing peering connections, they can be approached about formally establishing new peering relationships.

The best source of detailed volume data is NetFlow, the forwarding digests exported by most routers. NetFlow’s primary metric is volume, both bits-per-second and packets-per-second. Summed together across all traffic at all interfaces and all border routers gives us the total traffic volume exchanged between the network and the internet. But NetFlow goes beyond by also providing a range of transactional attributes, including IP addresses, protocol, and ports, to help distinguish traffic and provide powerful correlations of meaning with volume.

Arbor Sightline is the premier NetFlow collection and analysis platform designed from the start not only for complete DDoS attack detection and defense but also for comprehensive network visibility and traffic analysis. Sightline’s NetFlow processing pipeline scales to the largest intercontinental networks as well as provides a thorough break-down of all the primary traffic attributes allowing for a variety of correlations bringing immediate and practical meaning to volume-based analysis.

Sightline also directly connects with routers via BGP allowing Sightline to see and understand the forwarding paths as the routers see them and how traffic will follow those paths not only when exchanging with adjacent networks but also across the internet. Utilizing these key traffic and data inputs, Sightline presents actionable peering analysis clearly identifying all adjacent networks and the discrete traffic exchanged with them. The top origins traversing transit connections immediately pop-out being top candidates for pursuing formal private peering.

figure 1
Figure 1: Here we can see this peer is a transit operator yet some of the top origins for traffic are two prominent CDNs. Getting those CDNs on private peering connections, or even better, placing cache cluster in the local network, gets that high-volume traffic off the expensive transit and potentially even improving performance.


Arbor Sightline takes the legwork out of collecting and analyzing traffic and routing data plus takes the guesswork out of identifying top traffic sources or destinations for pursuing private peering, helping to save the network money as well as putting the service provider in the best position to excel and succeed.