Re: [IPFIX] Export of long lived flow information

[Paul Aitken <paitken@cisco.com>]

Andrew, Gerhard,

>> My understanding is that both, deltaCounts and totalCounts contain 
>> the number of packets or octets observed in the indicated time 
>> interval. So, for identical flowStart* and flowEnd* timestamps, the 
>> values are the same.
> This is my understanding as well.

There has to be a difference between delta and total counts, else we 
wouldn't have both of them!

Suppose we have a permanent cache, so the cache entries never expire.

For a new flow starting at t0 with a first export at t1, the timestamps, 
delta, and total counts are the same.

However with the second export at t2, the total and delta counts are 
different although their timestamps match (they'll both say, "t0 to t2").

With the traditional (non-permanent) cache, the entry would probably 
have been removed at t1 and re-created on a subsequent packet, so at t2 
the delta and total counts would both be equal. However it'd be 
incorrect to report the total count, because that's defined as the total 
number of packets or bytes ..."since the Metering Process 
(re-)initialization for this Observation Point".


>> However, the description of totalCounts says that you report the 
>> number of packets or octets observed for this Flow since 
>> re-initialization. So, you must never reset the counter for this 
>> Flow, even after observing a FIN or RST.
>> If you reset flow counters, or if you remove Flows from your Cache, 
>> you cannot use totalCounts any more unless you re-initialize the 
>> Metering Process (e.g. after flushing the entire permanent Cache).
>
> I can try some tests later, but from what I have seen (and been told) 
> many totals being exported are in fact just a delta sent once at the 
> end of the flow.  If a later flow had the same IPs, protocol, and 
> ports as an earlier flow I'm pretty sure a new start time will be sent 
> rather than the the first time that flow was seen since reinitializing 
> the metering process.

So the MP uses a traditional (non-permanent) cache. In RFC 6728 terms, a 
TimeoutCache or NaturalCache rather than a PermanentCache.


> Or to put it an other way I think deltas are being sent, but called 
> totals by the implementation because it seemed like the right thing to 
> do for a value being sent once at the end of the flow.

The collector could be aggregating deltas to keep running totals.


> I suspect that totals reporting on the export process (eg 
> exportedOctetTotalCount, exportedMessageTotalCount) are, however, 
> reported with a start time that is only reset on reinitialization.

Definitely, because these are defined as "The total number of X that the 
Exporting Process has sent since the Exporting Process 
(re-)initialization ...".

P.