IETF Logo Mail Archive

Re: [IPFIX] Export of long lived flow information

Andrew Feren <andrewf@plixer.com> Tue, 23 October 2012 13:19 UTC

Return-Path: <andrewf@plixer.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D306121F849A for <ipfix@ietfa.amsl.com>; Tue, 23 Oct 2012 06:19:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.149
X-Spam-Level:
X-Spam-Status: No, score=-2.149 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, J_CHICKENPOX_64=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BiasCmOrvJ9n for <ipfix@ietfa.amsl.com>; Tue, 23 Oct 2012 06:19:21 -0700 (PDT)
Received: from smtp.plixer.com (smtp.plixer.com [66.186.184.193]) by ietfa.amsl.com (Postfix) with ESMTP id EC71621F8464 for <ipfix@ietf.org>; Tue, 23 Oct 2012 06:19:20 -0700 (PDT)
Received: from [10.100.1.132] ([10.100.1.132]) by smtp.plixer.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 23 Oct 2012 09:19:20 -0400
Message-ID: <50869957.1020906@plixer.com>
Date: Tue, 23 Oct 2012 09:19:19 -0400
From: Andrew Feren <andrewf@plixer.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/19.0 Thunderbird/19.0a1
MIME-Version: 1.0
To: ipfix@ietf.org
References: <OFBEE7B680.CE11B7E3-ONCA257AA0.0001FAB7-4A257AA0.0005B27D@au1.ibm.com> <C9BF46B8-129C-4D96-8A35-F5F5DE2390F0@tik.ee.ethz.ch> <8F849333-9503-4177-BB21-70426C600E93@cisco.com>
In-Reply-To: <8F849333-9503-4177-BB21-70426C600E93@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 23 Oct 2012 13:19:20.0035 (UTC) FILETIME=[02AA1330:01CDB121]
Subject: Re: [IPFIX] Export of long lived flow information
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2012 13:19:21 -0000

Hi Andrew,

I'm not sure I understand your question.

How is a delta different than an update?

Specific to flowEndReason rather than sending 0 each update should 
include the reason (e.g. 0x02 active timeout).  Do you have some 
situation in mind where a flow is being exported for an unknown reason?  
Or is the reason known,  but it doesn't fit one of the 5 currently defined?

-Andrew

On 10/23/2012 04:42 AM, Andrew Johnson wrote:
> Hi folks
>
> I've been thinking for a while now that we should be able to send a mixture of delta and update records for the same flow, but I haven't really figured out how to make the semantics obvious to the collector.
>
> i.e.:    Delta (new record), update, update, update(ends the flow)
>
>
> Perhaps we could use the flow end reason to make things more explicit.  For example, all but the last packet have a flowEndReason of 0 and then the last one updates the reason.
>
> Would this sort of thing be useful?  Would collectors be able to work with it?
>
>
> Cheers, Andrew
>
>
>
> On 23 Oct 2012, at 08:43, Brian Trammell wrote:
>> Hi, John,
>>
>> Your assumptions are basically correct. The IPFIX model of a Metering Process (MP) makes an implicit assumption that it will be configured or configurable to export information about long-lived flows every n minutes through active timeout. From the MP side, this allows periodic complete flushing of the flow cache.
>>
>> More importantly (IMO), on the Collecting Process (CP) side, it provides a guarantee that every packet observed and selected for export will be accounted for within Ta + Tde + Tdc, where Ta is the active timeout, Tde is the MP to EP delay (how long it takes for an exported flow to make it from the MP cache, through the Exporting Process (EP), into an IPFIX Message, which is implementation dependent but typically short) and Tde is the export delay (OWD from EP to CP). This is important for streaming process applications, as after this time, the CP and downstream processes can assume that no further information about the past will become available.
>>
>> The tradeoff here is that shorter Ta causes more records to be exported about long flows, and a longer Ta causes a longer delay, which some streaming applications can't tolerate.
>>
>> In any case, the assumption is that the flow is no longer in the cache after active timeout, so you don't know when the flow really started. Since the flowStartTime is the timestamp of the first observed packet within the record, and flowEndTime is the timestamp of the last observed packet within the record, the timestamps would then be record-local.... i.e. a flow less than twice the active timeout (with at least one packet per idle timeout) would result in two flow records. The first would have a timestamp range between the first packet of the flow and the last packet observed before the active timeout; the second between the first packet observed after the active timeout and the last packet of the flow.
>>
>> This does, admittedly, make it rather difficult to stitch records for long flows together -- you can't match timestamps, and essentially need to simulate the flow cache with a longer active timeout. For applications requiring a single record per flow, active timeouts can be set to be practically infinite, with the tradeoff that you never know at the CP when you'll get a flow with a start time far in the past.
>>
>> Best regards,
>>
>> Brian
>>
>>
>> On Oct 23, 2012, at 3:01 AM, John Court wrote:
>>
>>> Hi,
>>>
>>> I have been a subscriber to the list for a little over a year, and an implementer of IPFIX export for at least one product.  This WG has done great work overall !
>>>
>>> One area that still has me a little confused even after researching as many of the RFCs as possible including RFC5472 is how to treat export of long lived flows.
>>>
>>> At the moment I use "DeltaCount" information elements for everything and at specific intervals export long lived flows with the flowEndReason of "flowActiveTimeout".  This of course results in multiple flow records for long lived connections over time.  Since this situation doesn't seem to be covered explicitly I was hoping someone on the list would point me in the right direction or confirm my assumptions.  On thing that is particularly unclear is what to do about flowStart/flowEnd times when sending this type of record.
>>>
>>> Thanks
>>>
>>> John Court
>>> Senior Software Engineer
>>> IBM Security Systems Division
>>> IBM Australia Development Laboratory
>>> Office:  +61 7 5552 4014
>>> Mobile: +61 430 841328
>>>
>>> _______________________________________________
>>> IPFIX mailing list
>>> IPFIX@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipfix
>> _______________________________________________
>> IPFIX mailing list
>> IPFIX@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipfix
> _______________________________________________
> IPFIX mailing list
> IPFIX@ietf.org
> https://www.ietf.org/mailman/listinfo/ipfix

v2.23.0 | Report a Bug | By Email