[ipfix-info] Re: draft-boschi-ipfix-biflow and software implementation
Brian Trammell <bht@cert.org> Tue, 07 February 2006 16:09 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F6VPd-0001NL-Lf for ipfix-archive@megatron.ietf.org; Tue, 07 Feb 2006 11:09:54 -0500
Received: from mil.doit.wisc.edu (mil.doit.wisc.edu [128.104.31.31]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA07007 for <ipfix-archive@lists.ietf.org>; Tue, 7 Feb 2006 11:08:10 -0500 (EST)
Received: from majordomo by mil.doit.wisc.edu with local (Exim 3.13 #1) id 1F6V4d-0007FN-00 for ipfix-list@mil.doit.wisc.edu; Tue, 07 Feb 2006 09:48:11 -0600
Received: from beniaminus.red.cert.org ([192.88.209.10]) by mil.doit.wisc.edu with esmtp (Exim 3.13 #1) id 1F6V4b-0007EY-00 for ipfix-info@net.doit.wisc.edu; Tue, 07 Feb 2006 09:48:09 -0600
Received: from beniaminus.red.cert.org (localhost [127.0.0.1]) by beniaminus.red.cert.org (8.13.1/8.13.1/2.16) with ESMTP id k17Fm521016405 for <ipfix-info@net.doit.wisc.edu>; Tue, 7 Feb 2006 10:48:07 -0500
Received: (from defang@localhost) by beniaminus.red.cert.org (8.13.1/8.13.1/Submit/1.1) id k17FlJnp016351 for <ipfix-info@net.doit.wisc.edu>; Tue, 7 Feb 2006 10:47:19 -0500
Received: from villemus.indigo.cert.org (villemus.indigo.cert.org [10.60.10.5]) by beniaminus.red.cert.org (envelope-sender <bht@cert.org>) (MIMEDefang) with ESMTP id k17FlI1v016349; Tue, 07 Feb 2006 10:47:19 -0500 (EST)
Received: from [128.237.249.38] (vpn-10-25-4-12.remote.cert.org [10.25.4.12]) by villemus.indigo.cert.org (8.12.11/8.12.11/2.53) with ESMTP id k17FlIAW013343; Tue, 7 Feb 2006 10:47:18 -0500
In-Reply-To: <20060207151142.GA18424@localhost.localdomain>
References: <43E75136.9060509@fokus.fraunhofer.de> <85F86ADC-BB27-4617-A848-43CCC210945C@cert.org> <20060207151142.GA18424@localhost.localdomain>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Apple-Mail-2--41239908"
Message-Id: <F4E70CFB-42C3-4426-BACB-9958DE4944B8@cert.org>
Cc: Elisa Boschi <boschi@fokus.fraunhofer.de>, Lutz Mark <mark@fokus.fraunhofer.de>, Elisa Boschi <elisa.boschi@hitachi-eu.com>, yann@bashibuzuk.net
Content-Transfer-Encoding: 7bit
From: Brian Trammell <bht@cert.org>
Subject: [ipfix-info] Re: draft-boschi-ipfix-biflow and software implementation
Date: Tue, 07 Feb 2006 10:47:13 -0500
To: Alexandre Dulaunoy <adulau@uucp.foo.be>, ipfix-info@net.doit.wisc.edu
X-Pgp-Agent: GPGMail 1.1.1 (Tiger)
X-Mailer: Apple Mail (2.746.2)
X-Spam-Status: No, hits=0 required=5 checker=SpamAssassin version=3.000004
X-Scanned-By: MIMEDefang 2.54 on 192.88.209.10
Precedence: bulk
Sender: majordomo listserver <majordomo@mil.doit.wisc.edu>
Alexandre,
On Feb 7, 2006, at 10:11 AM, Alexandre Dulaunoy wrote:
> I'll try to "over" summarize back what I understand with the
> information you gave me and the draft
> (draft-boschi-export-perpktinfo-01.txt) :
>
> The FlowID is a 32bit id unique across one observation point and is
> (always?) generated by the exporter.
>
> We (at SES ASTRA and CSRRT-LU) are trying to generate a
> "unique/calculable" FlowID among a specify dataset of records. Why ?
> We have a bunch of "exporters" (routers, devices) with various
> versions of Netflow and we have to live with that for the time
> being. What we are doing currently ? we use a simple hash function to
> generate a "unique" FlowID per data set based on source/destination
> IP, source/destination PORT and (protocol). We use the lowest
> source/destination (IP/PORT) to generate a unified hash id per biflow.
>
> So it seems that I was mixing our and your definition of FlowID but
> what do you think ? Can we call that a FlowID or something else ?
> Have you think of a 'possible' function to generate a FlowID based on
> records ? Like that, we can rebuild biflow(s) from uniflow(s) ? Does
> it make sense ?
flowId, as defined in -info-11, does not presently appear flexible
enough to cover this use case; its "unique within Observation Domain"
constraint appears to make multiple Flow Records sharing the same
flowId impossible. Thinking about it for a moment, I think this is a
fault in the information model. To increase the flexibility of this
IE, I'd propose changing its definition to the following:
5.1.7. flowId
Description:
An identifier of a Flow that is unique within an Observation
Domain. This Information Element can be used to distinguish
between different Flows if Flow Keys such as IP addresses and
port
numbers are not reported or reported in separate records.
Multiple
Flow Records observed within the same Observation Domain may
share
the same flowId if they describe the same Flow as determined
by the
Metering Processes within that Domain.
Abstract Data Type: unsigned32
Data Type Semantics: identifier
ElementId: 148
Status: current
(Elisa - this also expands flowId as required for -biflow-02 section
3.2)
> Brian : A site note, looking into naf source code (the pcap exporter),
> I can't find the part of generating the FlowID. Can you point me to
> the correct part ?
We don't actually use the flowId anywhere (hence the cheating) - we
do single-record biflow export per draft-boschi-ipfix-biflow section
3.4 (section 4 in the forthcoming -02 draft), with CERT-private IEs
standing in for IANA-assigned IEs pending completion of that draft.
The relevant code is in nafcore.c. NAF unifies uniflows (from pcap or
SiLK) into biflows the hard way; SiLK asymmetric unidirectional data
is collected using the SiLK tools' proprietary protocol into a single
database, relevant records are selected out of that database and
sorted by time, mingling incoming and outgoing records and re-
matching them before aggregation.
YAF also cheats; it's designed solely for deployment at symmetric
routing points, or for use on packet capture data that can be
prearranged to appear to have come from a symmetric routing point.
Regards,
Brian
- [ipfix-info] Re: draft-boschi-ipfix-biflow and so… Brian Trammell
- [ipfix-info] Re: draft-boschi-ipfix-biflow and so… Alexandre Dulaunoy