IETF Logo Mail Archive

Re: [IPFIX] [Fwd: questions regarding rfc 5101 implementation]

Gerhard Muenz <muenz@net.in.tum.de> Wed, 20 January 2010 12:48 UTC

Return-Path: <muenz@net.in.tum.de>
X-Original-To: ipfix@core3.amsl.com
Delivered-To: ipfix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD9263A68F4 for <ipfix@core3.amsl.com>; Wed, 20 Jan 2010 04:48:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.482
X-Spam-Level:
X-Spam-Status: No, score=-2.482 tagged_above=-999 required=5 tests=[AWL=-0.233, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THMNaITY6DsF for <ipfix@core3.amsl.com>; Wed, 20 Jan 2010 04:48:09 -0800 (PST)
Received: from mail-out1.informatik.tu-muenchen.de (mail-out1.informatik.tu-muenchen.de [131.159.0.8]) by core3.amsl.com (Postfix) with ESMTP id 630B13A6774 for <ipfix@ietf.org>; Wed, 20 Jan 2010 04:48:09 -0800 (PST)
Received: from [131.159.20.108] (repulse.net.in.tum.de [131.159.20.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by phoenix.net.informatik.tu-muenchen.de (Postfix) with ESMTP id BEA622E15; Wed, 20 Jan 2010 13:48:03 +0100 (CET)
Message-ID: <4B56FC16.5050901@net.in.tum.de>
Date: Wed, 20 Jan 2010 13:50:30 +0100
From: Gerhard Muenz <muenz@net.in.tum.de>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Brian Trammell <trammell@tik.ee.ethz.ch>
References: <4B562D49.8030205@auckland.ac.nz> <4B56BFE2.7020704@net.in.tum.de> <4B56E6AA.1060904@cisco.com> <79847F50-3F42-4F5D-861B-93EBC3F6C6EA@tik.ee.ethz.ch>
In-Reply-To: <79847F50-3F42-4F5D-861B-93EBC3F6C6EA@tik.ee.ethz.ch>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms020509060407090005040309"
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: ipfix@ietf.org
Subject: Re: [IPFIX] [Fwd: questions regarding rfc 5101 implementation]
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2010 12:48:11 -0000

Brian,

Brian Trammell wrote:
> On Jan 20, 2010, at 12:19 PM, Paul Aitken wrote:
> 
>> Gerhard, Allwyn,
>> 
>>>> So, the first question is regarding the use of templates. Is an
>>>>  implementation supposed to maintain multiple templates for the
>>>>  different types of traffic? Or, is it supposed to have a
>>>> single template and to use "dummy" values when a field is not
>>>> applicable? I realize this could be implementation specific,
>>>> but is there a guideline?
>>> That is not specified in the standard, so it is implementation 
>>> specific. There is no guideline.
>>> 
>>> Cisco uses dummy values in NetFlow.V9 (e.g. zero port-numbers for
>>>  ICMP flows).
>>> 
>>> The problem is that you may have a large number of templates,
>>> which can be inefficient. On the other hand, such invalid dummy
>>> values do not exist for all IEs.
>>> 
>>> If we use a single template, the solution will be to have a new
>>> IE which defines a bitvector, and 1s in the bit vector indicate
>>> "valid" fields in the record, 0s "invalid" fields (similar to 
>>> flowKeyIndicator).
>>> 
>>> The idea with this new IE is not mine, Paul Aitken mentioned it
>>> to me some time ago.
>> I'm planning to write a new draft to express this idea. We may use 
>> structured data rather than a bitfield to express the invalid 
>> (unobserved) fields, since there would be issues with mediators
>> that don't understand the bitfield. The idea is not mine; Andrew
>> Johnson mentioned it to me some time ago.
> 
> I remember a conversation with Andrew, too, maybe in San Diego?
> 
> Basically, "yes" to this thread, "but".
> 
> I'll note that template flexibility is one of the big advantages of
> IPFIX, and that I don't really buy the multiple template inefficiency
> argument. In the worst case export, with multiple templates
> representing the same underlying data model but omitting nulls or
> substituting reduced- for full-length encoding IEs, the template
> switch overhead is 4 octets per record (plus, unless you're using UDP
> (which you shouldn't be) with a ridiculous template refresh time,
> epsilon octets per record for additional template export). This worst
> case represents each record in its own data set, and the average case
> is probably somewhat better than that, especially depending on
> implementation and deployment specifics such as maximum buffer delay
> time (which leads to messages being exported without being
> MTU-sized), path MTU, and per-template buffering.

I think the argument against using many templates is that the exporting 
process implementation becomes more complex.
With "invalid" fields, it can use a single template per cache/metering 
process. Without, it has to decide among multiple templates.

Note that in general, I'm also not in favor of invalid fields in data 
records.

Regards,
Gerhard


> A null bitfield introduces for all but the most trivial templates a
> 2- to 4-octet overhead, and only allows null omission, not concurrent
> export of full- and reduced-length encoded IEs. There are advantages
> to the FLE/RLE switch: for a common example, consider octet and
> packet count IEs, which are by default 8 octets, but in almost all
> flows (by flow count, not by octet volume) can be represented with 2
> or 4. This saves 8 octets per record (16 per biflow) when allowing 4-
> and 8- octets encodings, which saves 4 (12) net octets even in the
> pathological case, where every other record in the stream is RLE. Of
> course, once you're using this multiple-template export trick for
> RLS, you can apply the same for null omission, with no implementation
> pain.
> 
> In any case, in general we do need something better than simple dummy
> values. They're okay for counters (where a 0 and a "dummy" value have
> exactly the same semantics) and identifiers where the number space
> has an explicit null value, probably okay in cases (such as ports)
> where additional information (such as a protocolIdentifier value set
> to a portless transport) allows disambiguation, and only maybe okay
> in cases where protocol-specific values (think 0.0.0.0 address for
> DHCP) or nonsensical ones (e.g. 0 UTC 1 January 1970) can be
> disambiguated with special-casing or human intervention. Unless and
> until null bitfields are available, multiple-template export is what
> we have.
> 
> Cheers,
> 
> Brian _______________________________________________ IPFIX mailing
> list IPFIX@ietf.org https://www.ietf.org/mailman/listinfo/ipfix

v2.23.0 | Report a Bug | By Email