RE: [ipfix] bytes and packet counters, tstamp of last report
"MEYER,JEFFREY D (HP-Cupertino,ex1)" <jeff.meyer2@hp.com> Fri, 10 October 2003 18:45 UTC
Received: from mil.doit.wisc.edu (mil.doit.wisc.edu [128.104.31.31]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA11651 for <ipfix-archive@lists.ietf.org>; Fri, 10 Oct 2003 14:45:14 -0400 (EDT)
Received: from majordomo by mil.doit.wisc.edu with local (Exim 3.13 #1) id 1A827e-0004GD-00 for ipfix-list@mil.doit.wisc.edu; Fri, 10 Oct 2003 13:36:18 -0500
Received: from atlrel7.hp.com ([156.153.255.213]) by mil.doit.wisc.edu with esmtp (Exim 3.13 #1) id 1A827c-0004G7-00 for ipfix@net.doit.wisc.edu; Fri, 10 Oct 2003 13:36:16 -0500
Received: from xatlrelay1.atl.hp.com (xatlrelay1.atl.hp.com [15.45.89.190]) by atlrel7.hp.com (Postfix) with ESMTP id DB7011C026D0; Fri, 10 Oct 2003 14:36:15 -0400 (EDT)
Received: from xatlbh1.atl.hp.com (xatlbh1.atl.hp.com [15.45.89.186]) by xatlrelay1.atl.hp.com (Postfix) with ESMTP id CF5C41C0008D; Fri, 10 Oct 2003 14:36:15 -0400 (EDT)
Received: by xatlbh1.atl.hp.com with Internet Mail Service (5.5.2655.55) id <4S0G82RF>; Fri, 10 Oct 2003 14:36:15 -0400
Message-ID: <1D3D2C371FCBD947A7897FABBD3533A502960391@xsun01.ptp.hp.com>
From: "MEYER,JEFFREY D (HP-Cupertino,ex1)" <jeff.meyer2@hp.com>
To: "MEYER,JEFFREY D (HP-Cupertino,ex1)" <jeff.meyer2@hp.com>, 'Benoit Claise' <bclaise@cisco.com>
Cc: 'Tal Givoly' <givoly@xacct.com>, "'stbryant@cisco.com'" <stbryant@cisco.com>, 'Maurizio Molina' <molina@ccrle.nec.de>, "'ipfix@net.doit.wisc.edu'" <ipfix@net.doit.wisc.edu>
Subject: RE: [ipfix] bytes and packet counters, tstamp of last report
Date: Fri, 10 Oct 2003 14:36:10 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2655.55)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C38F5D.604647D8"
Precedence: bulk
Sender: majordomo listserver <majordomo@mil.doit.wisc.edu>
Benoit, One other point on your e-mail. In your discussion of "Long lived flows", are you saying that if an observed connection lasts say 5 minutes, and through configuration the system will export a long lived flow after 3 minutes of activity, that the second flow record's numbytes is measured from the beginning of the flow (e..g it represents period t,t+5m vs. t+3m,t+5m, where t is the actual start time of the long lived flow). I would have thought that the second record would indicate flow properties SINCE any previous flow record. That was the revised wording I had suggested based on Maurizio's observation of ambiguity. If you are saying that the second exported flow for a long lived connection is cumulative, then you've created a rather dicey problem. Especially if a collection system is doing aggregation of these flows. Because instead of a flow being a discrete self-contained piece of information, one must now determine if it actually represents additional counts added to flows previously reported. If so this sets you up to have to search an ENORMOUS space of old flows to do delta calculations. My impression of traditional NFvX behavior is that exporting a flow effectively pops it out of the flow table. Any subsequent traffic for the same flow would first create a new flow entry and the counters effectively reset each time a flow is exported. Here is the current Cisco documentation: http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuratio n_guide_chapter09186a008019d0da.html <http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configurati on_guide_chapter09186a008019d0da.html> Configuring Netflow Aging Parameters You can control when flows are purged from the software flow cache (and, if configured, reported through NDE) with the configuration aging parameters, Active and Inactive, of the ip flow-cache timeout command. wp1011379Active Aging specifies the period of time in which a flow should be removed from the software flow cache after the flow is created. Generally, this parameter is used to periodically notify external collection devices about active flows. This parameter operates independently of existing traffic on the flow. Active timeout settings tend to be on the order of minutes (default is 30min). My reading here is that exporting and purging are one in the same. I.e. I never get a flow which may reflect counts which were already reported in a previous flow. Are you proposing changing this behavior? If so, this has significant deliterious impact on collection. I would not recommend changing. Regards, Jeff Meyer -----Original Message----- From: MEYER,JEFFREY D (HP-Cupertino,ex1) Sent: Friday, October 10, 2003 11:05 AM To: 'Benoit Claise'; MEYER,JEFFREY D (HP-Cupertino,ex1) Cc: 'Tal Givoly'; stbryant@cisco.com; Maurizio Molina; ipfix@net.doit.wisc.edu Subject: RE: [ipfix] bytes and packet counters, tstamp of last report Benoit, Adding these three information items to the Info Model sounds fine. What is the rollover and reset behavior of these counters? E.g. when an observer is started due to reboot or other administrative action the counters are set to zero. Is there a way to distinguish between a counter reset and rollover? Presumably these should be long's in the information model. Is there a practical lower bound on an implementation in terms of size, e.g. 32-bits? Also what are the triggers for these to be exported? Some timer, threshold, or unspecified operation? In any of these cases, is there a guarantee that there will not be > 1 rollover between exports? I would think most of these aspects should be captured in the information model. Hopefully they also illustrate some of the problematic behavior of dealing with counters, not insurmountable, but certainly irritating. Regards, Jeff Meyer -----Original Message----- From: Benoit Claise [mailto:bclaise@cisco.com] Sent: Friday, October 10, 2003 4:11 AM To: MEYER,JEFFREY D (HP-Cupertino,ex1) Cc: 'Tal Givoly'; stbryant@cisco.com; Maurizio Molina; ipfix@net.doit.wisc.edu Subject: Re: [ipfix] bytes and packet counters, tstamp of last report Hi, Hi, In some use cases counters may have desirable properties as Tal has described. But like many things, counters also have their limitations and downsides. In the basic Flow Export scenario which is exemplified by existing Netflow implementations, a flow record indicates a summary of observed behavior. Consider two flow events: sourceAddress=1.2.3.4 destinationAddress=1.2.3.5 packetCount=1000 byteCount=100000 flowCreationTime=2003-10-08T10:00:00Z flowEndTime=2003-10-08T10:00:05Z TcpControlBits=0x13 sourceAddress=1.2.3.4 destinationAddress=1.2.3.6 packetCount=1000 byteCount=200000 flowCreationTime=2003-10-08T10:00:02Z flowEndTime=2003-10-08T10:00:06Z TcpControlBits=0x13 Each of these completely describes a conversation, as it includes both the fin and syn TCP flags. Start time, end time and absolute counts. Given the large percentage of flows which when exported, describe a complete conversation, I don't see the advantage of using counters. I'm not even sure how one would propose the use of counters as an alternative. Would you require two records be sent for each flow (one with byteCounter and packetCounter=0 and another with the final value?) Since most flows can be represented by a single record, doubling the number of records to accomodate counters seems a bit odd. Counters also require the holding of state, which produces a much greater burden on the collector. Since the necessary state must be held by the observer, why double the workload? I.e. a single counter is pretty useless. I need to delta it against a previously observed matching counter to arrive at a quantity. For information models such as PSAMP, there may be a compelling use case. So I imagine adding an explicit annotation in the information model for counters would be worthwile. However, I think that counter behavior such as when it is zeroed out and its rollover behavior need to be appropriately documented and thought out. (e.g. on restart, the counters presumably reset to zero, so here is additional state a collector may need to monitor to reconcile (if possible) existing observations). For IPFIX's base information model, I would strongly discourage "fixing" something which isn't broken. I fully agree with Jeff here regarding the flow records but there are actually 2 aspects to this problem. 1. The flow record. There is an expiration process for the flow records. http://www.ietf.org/internet-drafts/draft-ietf-ipfix-protocol-00.txt <http://www.ietf.org/internet-drafts/draft-ietf-ipfix-protocol-00.txt> 4.1 Flow Expiration A Flow is considered to be inactive if no packets belonging to the Flow have been observed at the Observation Point for a given timeout interval otherwise it is considered as an active flow. A Flow can be exported under the following conditions: 1. If the Metering Process can detect the end of a Flow, it SHOULD export the Flow Records at the end of the Flow. For example, a Flow generated by TCP [3] type of traffic where the FIN or RST bits indicate the end of the Flow. 2. If the Flow has been inactive for a certain period of time. This inactivity timeout SHOULD be configurable, with a minimum value of 0 for an immediate expiration. For example, a Flow generated by UDP [2] type of traffic. 3. For long-lasting Flows, the Metering Process SHOULD export the Flow Records on a regular basis. This periodicity SHOULD be configurable. 4. If the Metering Process experiences internal constraints, a Flow MAY be forced to expire prematurely (for example, counters wrapping or low memory). What the IPFIX information model tries to say is that: a flow expires and we send the packet/byte count for the flow duration. So this is actually a running counter for the flow duration. Note: a long last flow is actually composed a several flows (see condition 3 before). Ok, I understand that this could be better explained in the IPFIX information model draft: The packet count can be a running counter and is the count from the beginning of the flow establishment. The packet count can be a delta counter and is the count since the last report for this flow. http://www.ietf.org/internet-drafts/draft-claise-netflow-9-05.txt <http://www.ietf.org/internet-drafts/draft-claise-netflow-9-05.txt> speaks of: Incoming counter with IN_BYTES 1 N length N x 8 bits for bytes associated with an IP Flow Incoming counter with IN_PKTS 2 N length N x 8 bits for packets associated with an IP Flow 2. The second aspect is actually total counters. Something that needs to added to the IPFIX protocol draft is described in its "open issues" section: - The proposal on the table is to send a IPFIX Sync (this would be an Options Data Records) message periodically (periodicity is configurable), with the following information (aside the standard IPFix header) * Number of flow records sent (for each template?) * Packets and bytes sent (for each template?) So we need to keep a few running counters. In http://www.ietf.org/internet-drafts/draft-claise-netflow-9-05.txt <http://www.ietf.org/internet-drafts/draft-claise-netflow-9-05.txt> , there are explicitely described: Counter with length N x 8 bits for bytes TOTAL_BYTES_EXP 40 N for the number of bytes exported by the Observation Domain Counter with length N x 8 bits for bytes TOTAL_EXP_PKTS_SENT 41 N for the number of packets exported by the Observation Domain Counter with length N x 8 bits for bytes TOTAL_FLOWS_EXP 42 N for the number of Flows exported by the Observation Domain I propose to also explicitely described them in the IPFIX information model draft. Regards, Benoit. Regards, Jeff Meyer _________________________________________________________________ Get MSN 8 Dial-up Internet Service FREE for one month. Limited time offer-- sign up now! http://join.msn.com/?page=dept/dialup <http://join.msn.com/?page=dept/dialup> -----Original Message----- From: majordomo listserver [ mailto:majordomo@mil.doit.wisc.edu <mailto:majordomo@mil.doit.wisc.edu> ]On Behalf Of Tal Givoly Sent: Wednesday, October 08, 2003 9:14 AM To: stbryant@cisco.com <mailto:stbryant@cisco.com> ; Maurizio Molina Cc: ipfix@net.doit.wisc.edu <mailto:ipfix@net.doit.wisc.edu> Subject: RE: [ipfix] bytes and packet counters, tstamp of last report Both counters have value (running and delta). Obviously, they must be kept discrete from an information model perspective as they represent different information. Devices sometimes maintain one, sometimes the other, and sometimes both. Just as an example, as far as I recall, NetFlow v5-8 doesn't maintain running counters (counter to your suggestion) EVEN THOUGH it operates over a non-reliable and non-congestion-aware transport. Our probe product emits both for various different purposes. Tal -----Original Message----- From: majordomo listserver [ mailto:majordomo@mil.doit.wisc.edu <mailto:majordomo@mil.doit.wisc.edu> ]On Behalf Of Stewart Bryant Sent: Wednesday, October 08, 2003 8:09 AM To: Maurizio Molina Cc: ' ipfix@net.doit.wisc.edu <mailto:ipfix@net.doit.wisc.edu> ' Subject: Re: [ipfix] bytes and packet counters, tstamp of last report Maurizio Molina wrote: Hi, the IPFIX info model states (sec. 6.10) that The packet count can be a running counter and is the count from the beginning of the flow establishment. The packet count can be a delta counter and is the count since the last report for this flow. I would prefer that we only supported running counters because: a) Supporting two types is more scope for non-interworking, and you can always convert from one to the other at the collector. b) Running counters also work over an unreliable transport whereas delta counters mandate the use of a reliable transport. c) Running counters are most likely what the hardware is keeping anyway, therefore delta counters are more work and more storage at the exporter. If we decide that we need both then we have to represent them as two different information elements because the info model does not support sub-typing. Stewart (There's the same statement for byte counts in 6.11). To me, this doesn't clarify wheter it is both...and (2 counters) or either .... or (1 counter). Moreover, there is currently no room for a field containing the timestamp of the last report of a flow. I think that keeping this timestamp is helpful for many applications and the info model should support it. Regards, Maurizio -- Help mailto:majordomo@net.doit.wisc.edu <mailto:majordomo@net.doit.wisc.edu> and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu <mailto:majordomo@net.doit.wisc.edu> and say "unsubscribe ipfix" in message body Archive http://ipfix.doit.wisc.edu/archive/ <http://ipfix.doit.wisc.edu/archive/> -- Help mailto:majordomo@net.doit.wisc.edu <mailto:majordomo@net.doit.wisc.edu> and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu <mailto:majordomo@net.doit.wisc.edu> and say "unsubscribe ipfix" in message body Archive http://ipfix.doit.wisc.edu/archive/ <http://ipfix.doit.wisc.edu/archive/> -- Help mailto:majordomo@net.doit.wisc.edu <mailto:majordomo@net.doit.wisc.edu> and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu <mailto:majordomo@net.doit.wisc.edu> and say "unsubscribe ipfix" in message body Archive http://ipfix.doit.wisc.edu/archive/ <http://ipfix.doit.wisc.edu/archive/> -- Help mailto:majordomo@net.doit.wisc.edu <mailto:majordomo@net.doit.wisc.edu> and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu <mailto:majordomo@net.doit.wisc.edu> and say "unsubscribe ipfix" in message body Archive http://ipfix.doit.wisc.edu/archive/ <http://ipfix.doit.wisc.edu/archive/>
- [ipfix] bytes and packet counters, tstamp of last… Maurizio Molina
- Re: [ipfix] bytes and packet counters, tstamp of … Stewart Bryant
- RE: [ipfix] bytes and packet counters, tstamp of … Tal Givoly
- RE: [ipfix] bytes and packet counters, tstamp of … MEYER,JEFFREY D (HP-Cupertino,ex1)
- Re: [ipfix] bytes and packet counters, tstamp of … Maurizio Molina
- RE: [ipfix] bytes and packet counters, tstamp of … MEYER,JEFFREY D (HP-Cupertino,ex1)
- Re: [ipfix] bytes and packet counters, tstamp of … Ganesh Sadasivan
- Re: [ipfix] bytes and packet counters, tstamp of … Benoit Claise
- RE: [ipfix] bytes and packet counters, tstamp of … MEYER,JEFFREY D (HP-Cupertino,ex1)
- RE: [ipfix] bytes and packet counters, tstamp of … MEYER,JEFFREY D (HP-Cupertino,ex1)
- Re: [ipfix] bytes and packet counters, tstamp of … Benoit Claise