IETF Logo Mail Archive

Re: [IPFIX] Export of long lived flow information

John Court <johnwcrt@au1.ibm.com> Wed, 24 October 2012 20:29 UTC

Return-Path: <johnwcrt@au1.ibm.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABE3621F8A17 for <ipfix@ietfa.amsl.com>; Wed, 24 Oct 2012 13:29:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.098
X-Spam-Level:
X-Spam-Status: No, score=-9.098 tagged_above=-999 required=5 tests=[AWL=1.500, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rG5tYiY1U0Wx for <ipfix@ietfa.amsl.com>; Wed, 24 Oct 2012 13:29:52 -0700 (PDT)
Received: from e23smtp08.au.ibm.com (e23smtp08.au.ibm.com [202.81.31.141]) by ietfa.amsl.com (Postfix) with ESMTP id 7941021F8964 for <ipfix@ietf.org>; Wed, 24 Oct 2012 13:29:49 -0700 (PDT)
Received: from /spool/local by e23smtp08.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <ipfix@ietf.org> from <johnwcrt@au1.ibm.com>; Thu, 25 Oct 2012 06:28:50 +1000
Received: from d23relay04.au.ibm.com (202.81.31.246) by e23smtp08.au.ibm.com (202.81.31.205) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 25 Oct 2012 06:28:47 +1000
Received: from d23av03.au.ibm.com (d23av03.au.ibm.com [9.190.234.97]) by d23relay04.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q9OKJZ5X41812034 for <ipfix@ietf.org>; Thu, 25 Oct 2012 07:19:38 +1100
Received: from d23av03.au.ibm.com (loopback [127.0.0.1]) by d23av03.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q9OKTX2p013786 for <ipfix@ietf.org>; Thu, 25 Oct 2012 07:29:34 +1100
Received: from d23mlc03.au.ibm.com (d23mlc03.au.ibm.com [9.190.26.210]) by d23av03.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id q9OKTXEW013783; Thu, 25 Oct 2012 07:29:33 +1100
In-Reply-To: <5087B96B.7020500@cisco.com>
References: <OF96D061AA.F7F6CDD4-ONCA257AA0.00772818-4A257AA0.0078DF60@au1.ibm.com> <D50FAC55-C109-4A96-A471-538F27F9C2D9@tik.ee.ethz.ch> <OF30095AE1.689CF5C8-ONCA257AA1.001FB2C7-4A257AA1.00211D2B@au1.ibm.com> <5087B96B.7020500@cisco.com>
To: Paul Aitken <paitken@cisco.com>
MIME-Version: 1.0
X-KeepSent: E375B6D9:49AD261E-CA257AA1:00703303; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3 September 15, 2011
Message-ID: <OFE375B6D9.49AD261E-ONCA257AA1.00703303-4A257AA1.00708F09@au1.ibm.com>
From: John Court <johnwcrt@au1.ibm.com>
Date: Thu, 25 Oct 2012 06:28:43 +1000
X-MIMETrack: Serialize by Router on d23mlc03/23/M/IBM(Release 8.5.3FP2HF29 | July 24, 2012) at 25/10/2012 07:28:50, Serialize complete at 25/10/2012 07:28:50
Content-Type: multipart/alternative; boundary="=_alternative 00708F074A257AA1_="
x-cbid: 12102420-5140-0000-0000-0000023F3E44
Cc: ipfix@ietf.org
Subject: Re: [IPFIX] Export of long lived flow information
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2012 20:29:52 -0000

Just to be crystal clear on this point of persistent caches.  Even when 
sending "totalCount" fields, the flowStartTime is still relative to the 
current flow record, it doesn't represent the "original" first packet ever 
seen for the flow key in the cache ?  I just want to make sure of the 
semantics of flowStartTime in all cases.

Thanks again for the comments and clarifications
 
John Court
Software Engineer
IBM Security Systems Division
IBM Australia Development Laboratory
Office:  +61 7 5552 4014
Mobile: +61 430 841328





From:   Paul Aitken <paitken@cisco.com>
To:     John Court/Australia/IBM@IBMAU, 
Cc:     Brian Trammell <trammell@tik.ee.ethz.ch>, ipfix@ietf.org
Date:   24/10/2012 19:49
Subject:        Re: [IPFIX] Export of long lived flow information



John,

I suspect I have been mis-interpreting your concept of "persistent 
caches".

In a normal cache, the entries are eventually removed - because they've 
ended, or they've not seen traffic for an amount of time, or they're just 
too old, or there's simply not enough room in the cache.

Whereas in a permanent cache, the entries are never removed.

P.

v2.23.0 | Report a Bug | By Email