1 / 11

IPFIX Aggregation

IPFIX Aggregation. draft-dressler-ipfix-aggregation-01.txt. Motivation. Reduction of monitoring data Bandwidth savings and performance savings at the collector Speed-up of flow accounting Reduction of concurrent active streams in a monitor Concentrating multiple IPFIX streams

bmckinley
Download Presentation

IPFIX Aggregation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IPFIX Aggregation draft-dressler-ipfix-aggregation-01.txt

  2. Motivation • Reduction of monitoring data • Bandwidth savings and performance savings at the collector • Speed-up of flow accounting • Reduction of concurrent active streams in a monitor • Concentrating multiple IPFIX streams • Definition of concentrator functionality • Transport of information about the aggregation rules • For improved processing of IPFIX data 63rd IETF Meeting, Paris, 2005

  3. Architecture exported monitoring data (IPFIX Protocol) exported monitoring data (IPFIX Protocol) EP EP EP AP AP CP CP MP MP MP exported monitoring data (IPFIX Protocol) EP: Exporting Process AP: Aggregation Process MP: Metering Process 63rd IETF Meeting, Paris, 2005

  4. Aggregation Rules • Specify • which flow records to aggregate into a meta-flow record • how the meta-flow record and the corresponding data template looks like • Comprise aggregation instructions containing • IPFIX field ID • mandatory field for incoming records • included in meta-flow record or data template depending on field modifier • pattern (optional) • restricts aggregated flow records to those that match this pattern • field modifier (discard, keep, mask/n, or aggregate) • specifies how this field is treated • implicitly defines if the field appears in meta-flow or data template 63rd IETF Meeting, Paris, 2005

  5. Field Modifiers 63rd IETF Meeting, Paris, 2005

  6. Field Modifier – cont’d • Special field modifier aggregate for counters, timestamps etc. • Result depends on field: • minimum in case of • minimumPacketLength, minimumTtl, flowStartSeconds, flowStartMilliSeconds • maximum in case of • maximumPacketLenth, maximumTtl, flowEndSeconds, flowEndMilliSeconds • binary OR (as suggested by IPFIX-INFO) in case of • ipv6OptionHeaders, tcpControlBits • sum in case of • octetDeltaCount, packetDeltaCount 63rd IETF Meeting, Paris, 2005

  7. Example • Goal: • monitor flows to web servers (http/https) in 10.10.0.0/16 • aggregate sources addresses into /24 network addresses • Aggregation Rule: discard protocolIdentifier discard sourceTransportPort mask/24 sourceIpv4Address discard destinationTransportPort in 80,443 keep destinationIpv4Address in 10.10.0.0/16 aggregate packetDeltaCount aggregate octetDeltaCount aggregate flowStartMilliSeconds aggregate flowEndMilliSeconds 63rd IETF Meeting, Paris, 2005

  8. Example – cont’d • Data Template: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Template ID | Field Count = 6 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data Count = 2 | Preceding Rule | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field 1 Type = sourceIpv4SourceNetwork | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field 2 Type = destinationIpv4Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field 3 Type = packetDeltaCount | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field 4 Type = octetDeltaCount | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field 5 Type = flowStartMilliSeconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Field 6 Type = flowEndMilliSecondsess | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data 1 Type = destinationTransportPort | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data 1 Value = 80,443 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data 2 Type = destinationIpv4Network | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Data 2 Value = 10.10.0.0/16 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 63rd IETF Meeting, Paris, 2005

  9. Example – cont’d pattern in data template • Incoming flows: • Resulting meta-flow: discarded fixed-value in data template 63rd IETF Meeting, Paris, 2005

  10. Cascading Aggregation Rules • Goal: • Allows other semantics than “match-any”, i.e. may be used to avoid that an incoming flow contributes to more than one meta-flow • Cascading aggregation rules: • Use preceding rule field in data template header Get incoming flow preceding rule Apply rule 1? no preceding rule Apply rule 2? no yes Aggregate … yes Aggregate 63rd IETF Meeting, Paris, 2005

  11. Conclusions • IPFIX Aggregation -00 received only positive feedback • -01 has reached a good state • Already two implementations supporting aggregation • IBM • Erlangen University / Tuebingen University • Next steps • To be continued as an individual I-D? • To be added to the IPFIX charter? 63rd IETF Meeting, Paris, 2005

More Related