[IPFIX] Export of long lived flow information

John Court <johnwcrt@au1.ibm.com> Tue, 23 October 2012 01:02 UTC

Hi,

I have been a subscriber to the list for a little over a year, and an 
implementer of IPFIX export for at least one product.  This WG has done 
great work overall!

One area that still has me a little confused even after researching as 
many of the RFCs as possible including RFC5472 is how to treat export of 
long lived flows.

At the moment I use "DeltaCount" information elements for everything and 
at specific intervals export long lived flows with the flowEndReason of 
"flowActiveTimeout".  This of course results in multiple flow records for 
long lived connections over time.  Since this situation doesn't seem to be 
covered explicitly I was hoping someone on the list would point me in the 
right direction or confirm my assumptions.  One thing that is particularly 
unclear is what to do about flowStart/flowEnd times when sending this type 
of record.

Thanks

John Court
Senior Software Engineer
IBM Security Systems Division
IBM Australia Development Laboratory
Office:  +61 7 5552 4014
Mobile: +61 430 841328
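
Added example, not part of the original message and not the poster's or the WG's code: a collector-side sketch of how the multiple delta-count records described above can be stitched back into one entry per long-lived flow. The record layout, the `stitch` and `sample` names and the sample values are assumptions made for illustration; timestamps are merged with min/max so the result does not depend on which flowStart convention the exporter uses.

```python
# flowEndReason values from the IANA IPFIX registry
IDLE_TIMEOUT, ACTIVE_TIMEOUT, END_OF_FLOW = 0x01, 0x02, 0x03

def stitch(records):
    """Merge partial flow records (delta counters) into one entry per flow.

    A record with flowEndReason ACTIVE_TIMEOUT is an interim report; any
    other reason closes the flow. Returns (closed_flows, still_open_flows).
    """
    open_flows, closed = {}, []
    for r in sorted(records, key=lambda r: r["flowEndMilliseconds"]):
        f = open_flows.setdefault(r["key"], {
            "key": r["key"], "octets": 0, "packets": 0, "parts": 0,
            "start": r["flowStartMilliseconds"],
            "end": r["flowEndMilliseconds"]})
        f["octets"] += r["octetDeltaCount"]    # deltas add up to the total
        f["packets"] += r["packetDeltaCount"]
        f["parts"] += 1
        f["start"] = min(f["start"], r["flowStartMilliseconds"])
        f["end"] = max(f["end"], r["flowEndMilliseconds"])
        if r["flowEndReason"] != ACTIVE_TIMEOUT:
            f["endReason"] = r["flowEndReason"]
            closed.append(open_flows.pop(r["key"]))
    return closed, list(open_flows.values())

def sample(restart_start):
    """Constructed records: flow a ends after three exports, flow b is still open.

    restart_start=True: flowStart is the start of each export interval.
    restart_start=False: flowStart repeats the time the flow was first seen.
    """
    a = ("192.0.2.1", "198.51.100.7", 6, 40000, 443)
    b = ("192.0.2.9", "198.51.100.7", 6, 40001, 22)
    rows = [  # key, interval start (ms), interval end (ms), octets, packets, reason
        (a, 0, 60000, 1000, 10, ACTIVE_TIMEOUT),
        (a, 60000, 120000, 2000, 20, ACTIVE_TIMEOUT),
        (a, 120000, 150000, 500, 5, END_OF_FLOW),
        (b, 30000, 90000, 700, 7, ACTIVE_TIMEOUT),
    ]
    first_seen = {a: 0, b: 30000}
    return [{"key": k, "flowEndReason": why,
             "flowStartMilliseconds": s if restart_start else first_seen[k],
             "flowEndMilliseconds": e,
             "octetDeltaCount": o, "packetDeltaCount": p}
            for k, s, e, o, p, why in rows]

if __name__ == "__main__":
    for restart in (False, True):
        print(restart, *stitch(sample(restart)), sep="\n  ")
```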