Re: [IPFIX] Export of long lived flow information

Paul Aitken <paitken@cisco.com> Mon, 29 October 2012 12:17 UTC


John,

> Paul,
>
> *Definitely. If it's a permanent flow and you're exporting totalCount
> fields - which are measured "since the Metering Process
> (re-)initialization for this Observation Point" - then the flowStartTime
> must surely be the time the first ever packet was observed.*
>
> If you take that literally shouldn't that be interpreted to mean that
> the totalCount continues into the next time a connection is up between
> the same flow key?

Yes, that's what it says.


> Even if a flowEndReason of :
>
>  0x03: end of Flow detected
> The Flow was terminated because the Metering Process
> detected signals indicating the end of the Flow, for
> example, the TCP FIN flag.

The definitions of *totalCount are independent of flowEndReason.


> That clearly wouldn't be of much use IMO and makes it difficult to see
> what the flowEndReason field semantics mean in that context.  Just
> pointing out that taking that definition literally doesn't give a
> useful answer on its own either :-).  Although maybe that does make
> sense in a router context?  Can you clarify this some more, perhaps
> you never intend using the flowEndReason IE in your case?

We do use flowEndReason. However, flowEndReason doesn't logically apply 
to permanent flows: they're permanent, therefore, they don't end.

P.
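
The totalCount semantics discussed in this message, seen from the collector side, as an added example that is not part of the original message or of any IPFIX implementation: per-export byte deltas are recovered from octetTotalCount while the baseline for a flow key is kept across flowEndReason 0x03. The `Record` layout, the `mp_init` field (standing in for the Metering Process (re-)initialization time) and the rule that a decreasing counter means a restart are assumptions made for the example; the sample records are constructed.

```python
from collections import namedtuple

# Hypothetical decoded-record layout; only octetTotalCount and flowEndReason
# are IPFIX Information Element names.
Record = namedtuple("Record", "flow_key mp_init octetTotalCount flowEndReason")

ACTIVE_TIMEOUT = 0x02  # flowEndReason: active timeout
END_OF_FLOW = 0x03     # flowEndReason: "end of Flow detected" (quoted above)


def deltas_from_totals(records):
    """Return (flow_key, delta_octets, flowEndReason) for each record.

    The baseline for a flow key survives any flowEndReason, because
    octetTotalCount is measured since Metering Process (re-)initialization,
    not since the start of the current connection.
    """
    baseline = {}  # flow_key -> (mp_init, last octetTotalCount seen)
    out = []
    for r in records:
        prev = baseline.get(r.flow_key)
        if prev is None or prev[0] != r.mp_init or r.octetTotalCount < prev[1]:
            # First record for this key, or the Metering Process restarted
            # (assumed rule): the counter began again from zero.
            delta = r.octetTotalCount
        else:
            delta = r.octetTotalCount - prev[1]
        baseline[r.flow_key] = (r.mp_init, r.octetTotalCount)
        out.append((r.flow_key, delta, r.flowEndReason))
    return out


# Constructed sample: one flow key, two TCP connections, then a restart.
KEY = ("192.0.2.1", "192.0.2.2", 6, 40000, 443)
SAMPLE = [
    Record(KEY, 1000, 500, ACTIVE_TIMEOUT),  # connection still running
    Record(KEY, 1000, 800, END_OF_FLOW),     # first connection closes
    Record(KEY, 1000, 950, END_OF_FLOW),     # second connection: total continues
    Record(KEY, 2000, 120, END_OF_FLOW),     # after (re-)initialization
]

if __name__ == "__main__":
    for key, delta, reason in deltas_from_totals(SAMPLE):
        print(key, delta, hex(reason))
```

A collector that reset its baseline on every flowEndReason 0x03 would report 950 octets for the third record instead of 150, overstating traffic in any volume-based accounting or alerting built on these counters.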