Re: [IPFIX] [Fwd: questions regarding rfc 5101 implementation]
Gerhard Muenz <muenz@net.in.tum.de> Wed, 20 January 2010 12:48 UTC
Return-Path: <muenz@net.in.tum.de>
X-Original-To: ipfix@core3.amsl.com
Delivered-To: ipfix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD9263A68F4 for <ipfix@core3.amsl.com>; Wed, 20 Jan 2010 04:48:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.482
X-Spam-Level:
X-Spam-Status: No, score=-2.482 tagged_above=-999 required=5 tests=[AWL=-0.233, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THMNaITY6DsF for <ipfix@core3.amsl.com>; Wed, 20 Jan 2010 04:48:09 -0800 (PST)
Received: from mail-out1.informatik.tu-muenchen.de (mail-out1.informatik.tu-muenchen.de [131.159.0.8]) by core3.amsl.com (Postfix) with ESMTP id 630B13A6774 for <ipfix@ietf.org>; Wed, 20 Jan 2010 04:48:09 -0800 (PST)
Received: from [131.159.20.108] (repulse.net.in.tum.de [131.159.20.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by phoenix.net.informatik.tu-muenchen.de (Postfix) with ESMTP id BEA622E15; Wed, 20 Jan 2010 13:48:03 +0100 (CET)
Message-ID: <4B56FC16.5050901@net.in.tum.de>
Date: Wed, 20 Jan 2010 13:50:30 +0100
From: Gerhard Muenz <muenz@net.in.tum.de>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Brian Trammell <trammell@tik.ee.ethz.ch>
References: <4B562D49.8030205@auckland.ac.nz> <4B56BFE2.7020704@net.in.tum.de> <4B56E6AA.1060904@cisco.com> <79847F50-3F42-4F5D-861B-93EBC3F6C6EA@tik.ee.ethz.ch>
In-Reply-To: <79847F50-3F42-4F5D-861B-93EBC3F6C6EA@tik.ee.ethz.ch>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms020509060407090005040309"
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: ipfix@ietf.org
Subject: Re: [IPFIX] [Fwd: questions regarding rfc 5101 implementation]
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2010 12:48:11 -0000
Brian, Brian Trammell wrote: > On Jan 20, 2010, at 12:19 PM, Paul Aitken wrote: > >> Gerhard, Allwyn, >> >>>> So, the first question is regarding the use of templates. Is an >>>> implementation supposed to maintain multiple templates for the >>>> different types of traffic? Or, is it supposed to have a >>>> single template and to use "dummy" values when a field is not >>>> applicable? I realize this could be implementation specific, >>>> but is there a guideline? >>> That is not specified in the standard, so it is implementation >>> specific. There is no guideline. >>> >>> Cisco uses dummy values in NetFlow.V9 (e.g. zero port-numbers for >>> ICMP flows). >>> >>> The problem is that you may have a large number of templates, >>> which can be inefficient. On the other hand, such invalid dummy >>> values do not exist for all IEs. >>> >>> If we use a single template, the solution will be to have a new >>> IE which defines a bitvector, and 1s in the bit vector indicate >>> "valid" fields in the record, 0s "invalid" fields (similar to >>> flowKeyIndicator). >>> >>> The idea with this new IE is not mine, Paul Aitken mentioned it >>> to me some time ago. >> I'm planning to write a new draft to express this idea. We may use >> structured data rather than a bitfield to express the invalid >> (unobserved) fields, since there would be issues with mediators >> that don't understand the bitfield. The idea is not mine; Andrew >> Johnson mentioned it to me some time ago. > > I remember a conversation with Andrew, too, maybe in San Diego? > > Basically, "yes" to this thread, "but". > > I'll note that template flexibility is one of the big advantages of > IPFIX, and that I don't really buy the multiple template inefficiency > argument. In the worst case export, with multiple templates > representing the same underlying data model but omitting nulls or > substituting reduced- for full-length encoding IEs, the template > switch overhead is 4 octets per record (plus, unless you're using UDP > (which you shouldn't be) with a ridiculous template refresh time, > epsilon octets per record for additional template export). This worst > case represents each record in its own data set, and the average case > is probably somewhat better than that, especially depending on > implementation and deployment specifics such as maximum buffer delay > time (which leads to messages being exported without being > MTU-sized), path MTU, and per-template buffering. I think the argument against using many templates is that the exporting process implementation becomes more complex. With "invalid" fields, it can use a single template per cache/metering process. Without, it has to decide among multiple templates. Note that in general, I'm also not in favor of invalid fields in data records. Regards, Gerhard > A null bitfield introduces for all but the most trivial templates a > 2- to 4-octet overhead, and only allows null omission, not concurrent > export of full- and reduced-length encoded IEs. There are advantages > to the FLE/RLE switch: for a common example, consider octet and > packet count IEs, which are by default 8 octets, but in almost all > flows (by flow count, not by octet volume) can be represented with 2 > or 4. This saves 8 octets per record (16 per biflow) when allowing 4- > and 8- octets encodings, which saves 4 (12) net octets even in the > pathological case, where every other record in the stream is RLE. Of > course, once you're using this multiple-template export trick for > RLS, you can apply the same for null omission, with no implementation > pain. > > In any case, in general we do need something better than simple dummy > values. They're okay for counters (where a 0 and a "dummy" value have > exactly the same semantics) and identifiers where the number space > has an explicit null value, probably okay in cases (such as ports) > where additional information (such as a protocolIdentifier value set > to a portless transport) allows disambiguation, and only maybe okay > in cases where protocol-specific values (think 0.0.0.0 address for > DHCP) or nonsensical ones (e.g. 0 UTC 1 January 1970) can be > disambiguated with special-casing or human intervention. Unless and > until null bitfields are available, multiple-template export is what > we have. > > Cheers, > > Brian _______________________________________________ IPFIX mailing > list IPFIX@ietf.org https://www.ietf.org/mailman/listinfo/ipfix
- [IPFIX] [Fwd: questions regarding rfc 5101 implem… Nevil Brownlee
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Gerhard Muenz
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Paul Aitken
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Andrew Johnson
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Brian Trammell
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Gerhard Muenz
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Gerhard Muenz
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Brian Trammell
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Andrew Johnson
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Atsushi Kobayashi
- Re: [IPFIX] [Fwd: questions regarding rfc 5101 im… Atsushi Kobayashi