IETF Logo Mail Archive

Re: [IPFIX] Export of long lived flow information

Brian Trammell <trammell@tik.ee.ethz.ch> Thu, 01 November 2012 06:22 UTC

Return-Path: <trammell@tik.ee.ethz.ch>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E39021F8448 for <ipfix@ietfa.amsl.com>; Wed, 31 Oct 2012 23:22:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.153
X-Spam-Level:
X-Spam-Status: No, score=-6.153 tagged_above=-999 required=5 tests=[AWL=-0.154, BAYES_00=-2.599, J_CHICKENPOX_54=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QZSykebs7Orm for <ipfix@ietfa.amsl.com>; Wed, 31 Oct 2012 23:22:41 -0700 (PDT)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) by ietfa.amsl.com (Postfix) with ESMTP id 5451C21F848B for <ipfix@ietf.org>; Wed, 31 Oct 2012 23:22:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id 878BFD930A; Thu, 1 Nov 2012 07:22:38 +0100 (MET)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id CE1csphyq5Nv; Thu, 1 Nov 2012 07:22:38 +0100 (MET)
Received: from [10.0.27.100] (cust-integra-122-165.antanet.ch [80.75.122.165]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: briant) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id 29037D9305; Thu, 1 Nov 2012 07:22:38 +0100 (MET)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="us-ascii"
From: Brian Trammell <trammell@tik.ee.ethz.ch>
In-Reply-To: <OF55562F5E.2B7AD32B-ONCA257AA8.00789598-4A257AA8.007909AD@au1.ibm.com>
Date: Thu, 01 Nov 2012 07:22:37 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <2B2D0366-B036-4830-A2D9-47940CDC6E79@tik.ee.ethz.ch>
References: <OF55562F5E.2B7AD32B-ONCA257AA8.00789598-4A257AA8.007909AD@au1.ibm.com>
To: John Court <johnwcrt@au1.ibm.com>
X-Mailer: Apple Mail (2.1283)
Cc: ipfix@ietf.org
Subject: Re: [IPFIX] Export of long lived flow information
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 06:22:42 -0000

Hi, John,

Thanks, but neither of these work, really. The former must make reference to both timestamps, and the latter doesn't account for the possibility that an MP may either fail to observe a packet, decide not to include a packet for its own reasons, or be dealing with observations that aren't really packets at all.

Cheers,

Brian


On Oct 31, 2012, at 11:01 PM, John Court wrote:

> Damn, 
> 
> Sorry about the previous message, when I re-read it the third time I realised that the positive allows the confusion of failing to clearly indicate what "isn't" included. 
> 
> I am not sure if this is better but what about : 
> 
> If this Information Element is present in a Flow Record, Flow properties in this Flow Record MUST account for ALL packets observed after/before this timestamp. 
> 
> 
> John Court
> 
> 
> ----- Forwarded by John Court/Australia/IBM on 01/11/2012 07:56 ----- 
> 
> From:        John Court/Australia/IBM 
> To:        Brian Trammell <trammell@tik.ee.ethz.ch>, 
> Cc:        ipfix@ietf.org, Gerhard Muenz <muenz@net.in.tum.de>, Paul Aitken <paitken@cisco.com> 
> Date:        01/11/2012 07:37 
> Subject:        Re: [IPFIX] Export of long lived flow information 
> 
> 
> Personally I always find negative logic requires a double read to make sure I understand it.  Whats wrong with the positive logic equivalent ? 
> 
> >>If this Information Element is present in a Flow Record, Flow properties in this Flow Record do not refer to packets observed before/after this >>timestamp. 
> 
> Becomes : 
> 
> If this Information Element is present in a Flow Record, Flow properties in this Flow Record ONLY refer to packets observed after/before this timestamp. 
> 
> Thanks 
> 
> 
> John Court
> 
> 
> 
> 
> 
> From:        Brian Trammell <trammell@tik.ee.ethz.ch> 
> To:        Gerhard Muenz <muenz@net.in.tum.de>, 
> Cc:        Paul Aitken <paitken@cisco.com>, John Court/Australia/IBM@IBMAU, <ipfix@ietf.org> 
> Date:        31/10/2012 18:17 
> Subject:        Re: [IPFIX] Export of long lived flow information 
> 
> 
> 
> Hi, Gerhard, all,
> 
> Thought about this a bit too, and I can't come up anything better than the negative clarification. I might consider changing "preceding" and "succeeding" to "before" and "after" to simplify the language for non-native speakers, and stick an "observed" in there to make clear we're talking about observation time:
> 
> If this Information Element is present in a Flow Record, Flow properties in this Flow Record do not refer to packets observed before/after this timestamp.
> 
> It either case, it does make things a lot more explicitly clear, so I'd definitely add it to the timestamp/duration IEs.
> 
> Thanks, cheers,
> 
> Brian
> 
> On Oct 31, 2012, at 8:52 AM, Gerhard Muenz wrote:
> 
> > 
> > Hi all,
> > 
> > I scanned through the IANA registry and briefly checked occurrences of "this Flow". I do not think that we need change them in general, except for those IEs which define a measurement interval.
> > 
> > So, we have:
> > - flowStart* (including flowStartDeltaMicroseconds)
> > - flowEnd* (including flowEndDeltaMicroseconds)
> > - flowDuration*
> > 
> > My first shot was the following change for absolute flowStart*/flowEnd* timestamps:
> > 
> > OLD:
> > The absolute timestamp of the first|last packet of this Flow.
> > NEW:
> > The absolute timestamp of the first|last packet accounted in this Flow Record.
> > 
> > We could add a sentence clarifying that the Flow properties reported in this Flow Record refer to the given measurement interval.
> > At the moment, I only find a good "negative" way to describe this:
> > "If this Information Element is present in a Flow Record, Flow properties in this Flow Record do not refer to packets preceding|succeeding this timestamp."
> > 
> > Do you have better suggestions?
> > Or do you think that this clarification is not necessary?
> > 
> > Regards,
> > Gerhard
> > 
> > 
> > On 30.10.2012 13:38, Brian Trammell wrote:
> >> Hi, Paul, all,
> >> 
> >> If someone throws together a quick summary of the position for me I'd
> >> be happy make a couple of slides and do the presentation in person in
> >> Atlanta.
> >> 
> >> From where I sit, it looks like we just go ask IANA to make the
> >> registry change. Wearing my IE-Doctors-author hat (I can't wear an IE
> >> Doctor hat, there aren't any yet. :) ), I'd say this revision would be
> >> covered (and permissible) under point 2 in section 5.2 of ie-doctors.
> >> 
> >> Best regards,
> >> 
> >> Brian
> >> 
> >> 
> >> On 30 Oct 2012, at 13:21 , Paul Aitken wrote:
> >> 
> >>> Gerhard,
> >>> 
> >>> I agree with your definitions. Thanks for clarifying.
> >>> 
> >>> So what's the next step?
> >>> 
> >>>   * Update the IANA definitions?
> >>>   * Add clarifications to the WG documents?
> >>> 
> >>> 
> >>> Do we need a short presentation at the upcoming WG meeting?
> >>> 
> >>> P.
> >>> 
> >>> 
> >>> On 30/10/12 11:51, Gerhard Muenz wrote:
> >>>> Paul,
> >>>> 
> >>>> On 26.10.2012 20:20, Paul Aitken wrote:
> >>>>> Andrew, Gerhard,
> >>>>> 
> >>>>>>> My understanding is that both, deltaCounts and totalCounts contain the number of packets or octets observed in the indicated time interval. So, for identical flowStart* and flowEnd* timestamps, the values are the same.
> >>>>>> This is my understanding as well.
> >>>>> 
> >>>>> There has to be a difference between delta and total counts, else we
> >>>>> wouldn't have both of them!
> >>>>> 
> >>>>> Suppose we have a permanent cache, so the cache entries never expire.
> >>>>> 
> >>>>> For a new flow starting at t0 with a first export at t1, the
> >>>>> timestamps, delta, and total counts are the same.
> >>>>> 
> >>>>> However with the second export at t2, the total and delta counts are
> >>>>> different although their timestamps match (they'll both say, "t0 to
> >>>>> t2").
> >>>> 
> >>>> No, this would contradict the new definition of flowStart* we are just discussing.
> >>>> If delta counts are exported for the interval (t1,t2), then flowStart* is t1.
> >>>> If delta counts are exported for the interval (t0,t2), then flowStart* is t0.
> >>>> If total counts are exported, flowStart is always t0.
> >>>> These statements hold regardless of which type of cache is used by the Metering Process. In general, the information model does not care about how the cache is implemented. The exported information just must follow the IE definition.
> >>>> 
> >>>>> 
> >>>>> With the traditional (non-permanent) cache, the entry would probably
> >>>>> have been removed at t1 and re-created on a subsequent packet, so at
> >>>>> t2 the delta and total counts would both be equal. However it'd be
> >>>>> incorrect to report the total count, because that's defined as the
> >>>>> total number of packets or bytes ..."since the Metering Process
> >>>>> (re-)initialization for this Observation Point".
> >>>> 
> >>>> You must not export total counters in this case because you reset counters before re-initialization of the Metering Process.
> >>>> 
> >>>> Thanks,
> >>>> Gerhard
> >>>> 
> >>>>> 
> >>>>> 
> >>>>>>> However, the description of totalCounts says that you report the number of packets or octets observed for this Flow since re-initialization. So, you must never reset the counter for this Flow, even after observing a FIN or RST.
> >>>>>>> If you reset flow counters, or if you remove Flows from your Cache, you cannot use totalCounts any more unless you re-initialize the Metering Process (e.g. after flushing the entire permanent Cache).
> >>>>>> 
> >>>>>> I can try some tests later, but from what I have seen (and been told) many totals being exported are in fact just a delta sent once at the end of the flow.  If a later flow had the same IPs, protocol, and ports as an earlier flow I'm pretty sure a new start time will be sent rather than the the first time that flow was seen since reinitializing the metering process.
> >>>>> 
> >>>>> So the MP uses a traditional (non-permanent) cache. In RFC 6728
> >>>>> terms, a TimeoutCache or NaturalCache rather than a PermanentCache.
> >>>>> 
> >>>>> 
> >>>>>> Or to put it an other way I think deltas are being sent, but called totals by the implementation because it seemed like the right thing to do for a value being sent once at the end of the flow.
> >>>>> 
> >>>>> The collector could be aggregating deltas to keep running totals.
> >>>>> 
> >>>>> 
> >>>>>> I suspect that totals reporting on the export process (eg exportedOctetTotalCount, exportedMessageTotalCount) are, however, reported with a start time that is only reset on reinitialization.
> >>>>> 
> >>>>> Definitely, because these are defined as "The total number of X that
> >>>>> the Exporting Process has sent since the Exporting Process
> >>>>> (re-)initialization ...".
> >>>>> 
> >>>>> P.
> >>> 
> >>> _______________________________________________
> >>> IPFIX mailing list
> >>> IPFIX@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/ipfix
> 
>

v2.23.0 | Report a Bug | By Email