IETF Logo Mail Archive

Re: [IPFIX] Export of long lived flow information

Andrew Johnson <andrjohn@cisco.com> Wed, 24 October 2012 21:45 UTC

Return-Path: <andrjohn@cisco.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5231321F8C2A for <ipfix@ietfa.amsl.com>; Wed, 24 Oct 2012 14:45:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.299
X-Spam-Level:
X-Spam-Status: No, score=-10.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nhlt0w+qizOz for <ipfix@ietfa.amsl.com>; Wed, 24 Oct 2012 14:45:56 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id EEFC721F8C13 for <ipfix@ietf.org>; Wed, 24 Oct 2012 14:45:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4981; q=dns/txt; s=iport; t=1351115156; x=1352324756; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=1mIhMqI9TM8iobd0r7r6apfUOWiC/TA2nrPx5KOA9rg=; b=ZdOijTe/m09VHT7LRwVwT6AdRflDO3RskKvPvK+8zMzYefV0JlkPP462 AuIKBywIDAqacBfNo5z1Pd6hG1+7ancJiDJbisRLQBOSeIV4flXUh0D+l pyex6UrnKmmTgw33PAjDSA0CNF+VR86UBlLNpF5ckg8t8zqjxEgX2Mm37 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAE1giFCQ/khM/2dsb2JhbABEwX+BCIIeAQEBBAEBAQ8BJzQLDgILDgMDAQIBLhYRKAgGEyKHYgucZaALBASLXYYMYQOVc45OgWuCcA
X-IronPort-AV: E=Sophos;i="4.80,642,1344211200"; d="scan'208";a="77729684"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-2.cisco.com with ESMTP; 24 Oct 2012 21:45:52 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q9OLjqaP007577 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 24 Oct 2012 21:45:52 GMT
Received: from ams-andrjohn-8718.cisco.com (ams-andrjohn-8718.cisco.com [10.55.163.41]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id q9OLjmKP001550; Wed, 24 Oct 2012 22:45:48 +0100 (BST)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Andrew Johnson <andrjohn@cisco.com>
In-Reply-To: <50885B49.6050603@cisco.com>
Date: Wed, 24 Oct 2012 22:45:42 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <DE1ABD89-26A9-485E-893A-3160C6F671A6@cisco.com>
References: <OF96D061AA.F7F6CDD4-ONCA257AA0.00772818-4A257AA0.0078DF60@au1.ibm.com> <D50FAC55-C109-4A96-A471-538F27F9C2D9@tik.ee.ethz.ch> <OF30095AE1.689CF5C8-ONCA257AA1.001FB2C7-4A257AA1.00211D2B@au1.ibm.com> <5087B96B.7020500@cisco.com> <OFE375B6D9.49AD261E-ONCA257AA1.00703303-4A257AA1.00708F09@au1.ibm.com> <508850F7.2080801@net.in.tum.de> <50885B49.6050603@cisco.com>
To: Paul Aitken <paitken@cisco.com>
X-Mailer: Apple Mail (2.1278)
Cc: John Court <johnwcrt@au1.ibm.com>, ipfix@ietf.org
Subject: Re: [IPFIX] Export of long lived flow information
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2012 21:45:57 -0000

Hi all

Paul, thanks for the terminology correction, I did mean "total" counters and was confusing people with "updates".

I was thinking that a mechanism that allowed a non-permanent flow to be exported multiple time would be useful.  For example, security applications generally want to know about a new flow ASAP, so they can act on the information, but a short active timeout values lead to using more export bandwidth.  I was thinking we could do something like export a report of the flow after the first packet, and then export the final version of the flow once the normal timeouts had decided it was over.

I had in mind something like using a delta count, followed by a total count.  Reading the below definition of Total counts though, I'm not sure that will work, but I think it depends on how we interpret the definition of "Flow".  If two records have matching key fields but different starting timestamps, are they the same Flow?

I would argue that a single Flow can't have two flowStartTimes, so maybe not.  This would mean that we shouldn't reset the flowStartTimes between sending reports for the same permanent Flow.


Cheers, Andrew


On 24 Oct 2012, at 22:19, Paul Aitken wrote:
> John, Gerhard,
> 
> Looking at the definitions:
> 
> octetTotalCount:
> 
>         The total number of octets in incoming packets
>         for this Flow at the Observation Point since the Metering
>         Process (re-)initialization for this Observation Point.
> 
> packetTotalCount:
> 
>         The total number of incoming packets for this Flow
>         at the Observation Point since the Metering Process
>         (re-)initialization for this Observation Point.
> 
> 
> So even if there's a long gap in the traffic, the intention is that a MP which is reporting totalCount fields remembers that it saw the flow before.
> 
> So +1 to what Gerhard says: "flowStartTime is the time of the very first packet ever observed for this flow." (ie, the "original" first packet).
> 
> 
> Whereas when reporting deltaCount fields, the MP may "forget" about the flow (by purging the cache entry) - so after the traffic gap the flow must start over as if it's entirely new, since the MP retains no history. Therefore the flowStartTime must be the first packet in the new delta - though, the collector might choose to aggregate this with previous deltas, setting the flowStartTime to the earliest reported and the flowEndTime to the latest.
> 
> This is undoubtedly something that we should capture in one of our updated docs.
> 
> Thanks for the great question John!
> 
> P.
> 
> 
> On 24/10/12 21:35, Gerhard Muenz wrote:
>> 
>> Hi,
>> 
>> flowStartTime is the time of the first packet you are reporting on in the given record. So, including totalCount fields implicitly means that flowStartTime is the time of the very first packet ever observed for this flow.
>> 
>> Now, you can continue discussing what happens if both totalCounts and deltaCounts are included in the same record :)
>> 
>> Regards,
>> Gerhard
>> 
>> 
>> On 24.10.2012 22:28, John Court wrote:
>>> Just to be crystal clear on this point of persistent caches.  Even when
>>> sending "totalCount" fields, the flowStartTime is still relative to the
>>> current flow record, it doesn't represent the "original" first packet
>>> ever seen for the flow key in the cache ?  I just want to make sure of
>>> the semantics of flowStartTime in all cases.
>>> 
>>> Thanks again for the comments and clarifications
>>> 
>>> John Court
>>> Software Engineer
>>> IBM Security Systems Division
>>> IBM Australia Development Laboratory
>>> Office:  +61 7 5552 4014
>>> Mobile: +61 430 841328
>>> 
>>> 
>>> 
>>> 
>>> 
>>> From: Paul Aitken <paitken@cisco.com>
>>> To: John Court/Australia/IBM@IBMAU,
>>> Cc: Brian Trammell <trammell@tik.ee.ethz.ch>, ipfix@ietf.org
>>> Date: 24/10/2012 19:49
>>> Subject: Re: [IPFIX] Export of long lived flow information
>>> ------------------------------------------------------------------------
>>> 
>>> 
>>> 
>>> John,
>>> 
>>> I suspect I have been mis-interpreting your concept of "persistent caches".
>>> 
>>> In a normal cache, the entries are eventually removed - because they've
>>> ended, or they've not seen traffic for an amount of time, or they're
>>> just too old, or there's simply not enough room in the cache.
>>> 
>>> Whereas in a permanent cache, the entries are never removed.
>>> 
>>> P.
>>> 
>>> 
>>> _______________________________________________
>>> IPFIX mailing list
>>> IPFIX@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipfix
>>> 
> 
> _______________________________________________
> IPFIX mailing list
> IPFIX@ietf.org
> https://www.ietf.org/mailman/listinfo/ipfix

v2.23.0 | Report a Bug | By Email