IPFIX Aggregation

1
IPFIX Aggregation

• draft-dressler-ipfix-aggregation-02.txt

2
Key Contributions in brief

• Rule-based Description Language for complex
  Metering Processes
• Flexible definition of Flow Keys beyond the
  typical IP-5-tuple
• Specification of exported IEs (Flow Key or
  non-Flow Key)
• implicit aggregation of non-Flow Key IEs
• implicit definition of Templates
• Filtering on IE values
• Rule chaining
• IPFIX Extensions
• New template type Data Template
• contains fixed value fields ( common properties)
• necessary to report filters and rule chaining to
  the collector
• New abstract data types
• ipv4Network, portRanges
• How these can be used for Flow Aggregation
• Reduction of monitoring data ? bandwidth savings
  and performance savings at the collector
• Speed-up of flow accounting by reducing
  concurrent streams in a monitor
• Aggregation of multiple IPFIX streams ?
  concentrator functionality

Focus of thispresentation
3
Description Language for Metering Processes

• Each rule specifies
• Flow Key IEs
• reported non-Flow Key IEs
• Optional filters
• Rule syntax
• field modifier keep mask/n discard
  aggregate
• specifies how this IE is treated
• defines if IE is reported in outgoing records or
  not
• IE
• mandatory field for incoming records
• pattern (optional)
• restricts rule to flow records that match this
  pattern

? implicit Template definition
4
Field Modifiers

• keep
• Specifies IE to be Flow Key in outgoing records
• IE also has to be Flow Key in incoming records
• Optional filtering on this IE using a pattern
• mask/n
• Modifies IP address information
• Otherwise just like keep
• discard
• IE is removed from outgoing records
• IE may not be Flow Key
• Optional filtering on this IE using a pattern
• aggregate
• Specifies IE to be non-Flow Key in outgoing
  records
• values are aggregated (how this is done depends
  on IE)

5
Example

• Goal
• Meter flows to web servers (http/https) in
  10.10.0.0/16
• Aggregate sources addresses into /24 network
  addresses
• Rule

discard protocolIdentifier discard
sourceTransportPort mask/24 sourceIpv4Address d
iscard destinationTransportPort in
80,443 keep destinationIpv4Address in
10.10.0.0/16 aggregate packetDeltaCount aggregate
octetDeltaCount aggregate flowStartMilliSeconds
aggregate flowEndMilliSeconds
6
Example contd
discard protocolIdentifier discard
sourceTransportPort mask/24 sourceIpv4Address d
iscard destinationTransportPort in
80,443 keep destinationIpv4Address in
10.10.0.0/16 aggregate packetDeltaCount aggregate
octetDeltaCount aggregate flowStartMilliSeconds
aggregate flowEndMilliSeconds

• Incoming records
• Outgoing records

Flow Key
Prot Src Port Src Addr Dst Port Dst Addr Pkt Oct Start End
TCP 64235 10.0.1.1 80 10.10.0.10 4 144 1055 1090
TCP 64236 10.0.1.2 80 10.10.0.10 3 56 1071 1103
TCP 6889 10.0.1.3 22 10.10.0.10 2 34 1083 1100
TCP 5555 10.0.2.1 80 10.10.0.10 6 155 1090 1201
TCP 6666 10.0.2.1 80 10.10.0.11 3 77 1095 1199
discarded
discarded
pattern mismatch
masked
aggregated
Src Net Dst Addr Pkt Oct Start End
10.0.1.0/24 10.10.0.10 9 200 1055 1103
10.0.2.0/24 10.10.0.10 6 155 1090 1201
10.0.2.0/24 10.10.0.11 3 77 1095 1199
7
Conclusion

• Flexible Flow Key definition ? enables flow
  aggregation
• Filtering ? enables adaptive metering
• Implicit Template definition

Field modifier IE is reported IE is Flow Key IE may be used for filtering
keep yes yes yes
mask/n yes, masked yes, masked yes
discard no no yes
aggregate yes no no (does not seem to be useful)