PPT Version

Download Report

Transcript PPT Version 

Flow sampling in IPFIX:
Status and suggestion for its
support
Maurizio Molina, <[email protected]>
Packet sampling
• Packet sampling selects packets within flows
– Several possible algorithms (1 out of N, random,…)
– Done to reduce meter load
– Most likely same algorithm is applied to all flows of
an observation point
• Information to be exported: sampling algorithm
and parameters (all drafts say so….)
• PROTO draft: “The Options Template Record….is used to supply
information about the Metering process configuration….rather than
supplying info about IP flows….for example the sample rate of an
interface”
• INFO draft:
– SamplingAlgorithm
– SamplingInterval
© NEC Europe Ltd., 2002
Network Laboratories, Heidelberg
2
Flow sampling
• Flow sampling selects entire flows
– ARCH draft: “Selecting Flows for export” is a MAY funct.
in the exporting process.
• In this way, it can reduce export/collector load
• Example: collect all, export the elephants:
– http://www.research.att.com/~duffield/pubs/DLT02-optimal.pdf
– BUT it would be also beneficial to allow this functionality
in the meter, to deal with limited resources (e.g memory
for the flow cache)
• Example: keep flow records for the elephants only:
– C. Estan, and G. Varghese: “New directions in traffic
measurement and accouning”, SIGCOMM 2002
• F.S. can co-exist with pk sampling, even if pk sampling
introduces a “natural” flow sampling (small flows out)
• What info can/ needs to be exported? How?
© NEC Europe Ltd., 2002
Network Laboratories, Heidelberg
3
Exporting flow sampling Info
• It is Metering/exporting process Info, not single flows Info
– As for packet sampling, use Option records: flow records
contain an options record ID where this info is contained.
“Scope” can be the interface, the cache, etc.
• Info that can be known:
– Flow sampling type and parameters
• E.g. threshold based exporting, 1 out of N exporting? Elephant
detection?
– Unreported traffic because of flow sampling (packets, bytes)
– Unreported flows (only if flow sampling is done in the
exporter, if it’s in the meter we don’t know it…)
• What is this info useful for?
– Re-normalization (like for pk sampling)
– Trust/re-adjustement of the metering process (e.g. “reported
flows only account for 10% of the traffic….”)
© NEC Europe Ltd., 2002
Network Laboratories, Heidelberg
4
Flow Sampling in IPFIX - Conclusions
• Flow sampling in the exporter process is already considered (as
a MAY) in IPFIX drafts. What information to export hasn’t been
defined yet
• Flow sampling in the meter is not explicitly considered, but may
be a need if meter’s memory is limited
• How to Export flow sampling info: it would be possible with
Option records, like for pk sampling
Suggested next steps:
• Internet draft describing the flow sampling issue, what
specific info to export and how. As a target, add these info
in IPFIX information model
• Comments? Questions?
© NEC Europe Ltd., 2002
Network Laboratories, Heidelberg
5