IETF Logo Mail Archive

Re: [IPFIX] Export of long lived flow information

Andrew Johnson <andrjohn@cisco.com> Tue, 23 October 2012 08:42 UTC

Return-Path: <andrjohn@cisco.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC10721F86C7 for <ipfix@ietfa.amsl.com>; Tue, 23 Oct 2012 01:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.999
X-Spam-Level:
X-Spam-Status: No, score=-9.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8r45rxgE0Ltm for <ipfix@ietfa.amsl.com>; Tue, 23 Oct 2012 01:42:44 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id 007ED21F86CA for <ipfix@ietf.org>; Tue, 23 Oct 2012 01:42:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4618; q=dns/txt; s=iport; t=1350981764; x=1352191364; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=YcZAPOANQOZohFCfye2StQwo96LfdvQOBrDBnHQAduA=; b=cg/sDTPKyg/eog36aeX3hkID34ncssJCCYnNB4LpiBtOylH4q8uoJEOC vXesPJrhLBZ5VtFtBOafqloMs1LP8FYTvufiDgw/qnPZBCzn/QIP8lwhE BODuNLe9Ssb6N0j9A25BK8IX31RqdQM61KS+YuAaMSL/4gKgl7jnOybgM g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAC1YhlCQ/khN/2dsb2JhbABEwWOBCIIeAQEBBAEBAQ8BJzQLDgILGC4WETAGARIih2ILnE6PXJBHBASLW4V+YAOVcY5OgWuCcA
X-IronPort-AV: E=Sophos;i="4.80,634,1344211200"; d="scan'208";a="77677114"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-2.cisco.com with ESMTP; 23 Oct 2012 08:42:30 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q9N8gT1p030553 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 23 Oct 2012 08:42:29 GMT
Received: from dhcp-10-147-1-70.cisco.com (dhcp-10-147-1-70.cisco.com [10.147.1.70]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id q9N8gQSZ027938; Tue, 23 Oct 2012 09:42:28 +0100 (BST)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Andrew Johnson <andrjohn@cisco.com>
In-Reply-To: <C9BF46B8-129C-4D96-8A35-F5F5DE2390F0@tik.ee.ethz.ch>
Date: Tue, 23 Oct 2012 09:42:21 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <8F849333-9503-4177-BB21-70426C600E93@cisco.com>
References: <OFBEE7B680.CE11B7E3-ONCA257AA0.0001FAB7-4A257AA0.0005B27D@au1.ibm.com> <C9BF46B8-129C-4D96-8A35-F5F5DE2390F0@tik.ee.ethz.ch>
To: Brian Trammell <trammell@tik.ee.ethz.ch>, John Court <johnwcrt@au1.ibm.com>
X-Mailer: Apple Mail (2.1278)
Cc: IETF IPFIX Working Group <ipfix@ietf.org>
Subject: Re: [IPFIX] Export of long lived flow information
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2012 08:42:45 -0000

Hi folks

I've been thinking for a while now that we should be able to send a mixture of delta and update records for the same flow, but I haven't really figured out how to make the semantics obvious to the collector.

i.e.:    Delta (new record), update, update, update(ends the flow)


Perhaps we could use the flow end reason to make things more explicit.  For example, all but the last packet have a flowEndReason of 0 and then the last one updates the reason.

Would this sort of thing be useful?  Would collectors be able to work with it?


Cheers, Andrew



On 23 Oct 2012, at 08:43, Brian Trammell wrote:
> Hi, John,
> 
> Your assumptions are basically correct. The IPFIX model of a Metering Process (MP) makes an implicit assumption that it will be configured or configurable to export information about long-lived flows every n minutes through active timeout. From the MP side, this allows periodic complete flushing of the flow cache. 
> 
> More importantly (IMO), on the Collecting Process (CP) side, it provides a guarantee that every packet observed and selected for export will be accounted for within Ta + Tde + Tdc, where Ta is the active timeout, Tde is the MP to EP delay (how long it takes for an exported flow to make it from the MP cache, through the Exporting Process (EP), into an IPFIX Message, which is implementation dependent but typically short) and Tde is the export delay (OWD from EP to CP). This is important for streaming process applications, as after this time, the CP and downstream processes can assume that no further information about the past will become available.
> 
> The tradeoff here is that shorter Ta causes more records to be exported about long flows, and a longer Ta causes a longer delay, which some streaming applications can't tolerate.
> 
> In any case, the assumption is that the flow is no longer in the cache after active timeout, so you don't know when the flow really started. Since the flowStartTime is the timestamp of the first observed packet within the record, and flowEndTime is the timestamp of the last observed packet within the record, the timestamps would then be record-local.... i.e. a flow less than twice the active timeout (with at least one packet per idle timeout) would result in two flow records. The first would have a timestamp range between the first packet of the flow and the last packet observed before the active timeout; the second between the first packet observed after the active timeout and the last packet of the flow.
> 
> This does, admittedly, make it rather difficult to stitch records for long flows together -- you can't match timestamps, and essentially need to simulate the flow cache with a longer active timeout. For applications requiring a single record per flow, active timeouts can be set to be practically infinite, with the tradeoff that you never know at the CP when you'll get a flow with a start time far in the past.
> 
> Best regards,
> 
> Brian
> 
> 
> On Oct 23, 2012, at 3:01 AM, John Court wrote:
> 
>> Hi, 
>> 
>> I have been a subscriber to the list for a little over a year, and an implementer of IPFIX export for at least one product.  This WG has done great work overall ! 
>> 
>> One area that still has me a little confused even after researching as many of the RFCs as possible including RFC5472 is how to treat export of long lived flows. 
>> 
>> At the moment I use "DeltaCount" information elements for everything and at specific intervals export long lived flows with the flowEndReason of "flowActiveTimeout".  This of course results in multiple flow records for long lived connections over time.  Since this situation doesn't seem to be covered explicitly I was hoping someone on the list would point me in the right direction or confirm my assumptions.  On thing that is particularly unclear is what to do about flowStart/flowEnd times when sending this type of record. 
>> 
>> Thanks 
>> 
>> John Court
>> Senior Software Engineer
>> IBM Security Systems Division
>> IBM Australia Development Laboratory
>> Office:  +61 7 5552 4014
>> Mobile: +61 430 841328
>> 
>> _______________________________________________
>> IPFIX mailing list
>> IPFIX@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipfix
> 
> _______________________________________________
> IPFIX mailing list
> IPFIX@ietf.org
> https://www.ietf.org/mailman/listinfo/ipfix

v2.23.0 | Report a Bug | By Email