Flow Aggregation for the IP Flow Information Export (IPFIX) Protocol
RFC 7015
| Document | Type |
RFC
- Proposed Standard
(September 2013)
Was
draft-ietf-ipfix-a9n
(ipfix WG)
|
|
|---|---|---|---|
| Authors | Brian Trammell , Arno Wagner , Benoît Claise | ||
| Last updated | 2015-10-14 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Additional resources | Mailing list discussion | ||
| IESG | Responsible AD | Joel Jaeggli | |
| Send notices to | (None) |
RFC 7015
#x27;.
start time |end time |source ip4 |port |dest ip4 |port|pt| oct
9:00:00.138 9:00:00.138 192.0.2.2 47113 192.0.2.131 53 17 119
9:00:03.246 9:00:03.246 192.0.2.2 22153 192.0.2.131 53 17 83
9:00:00.478 9:00:03.486 192.0.2.2 52420 198.51.100.2 443 6 1637
9:00:07.172 9:00:07.172 192.0.2.3 56047 192.0.2.131 53 17 111
9:00:07.309 9:00:14.861 192.0.2.3 41183 198.51.100.67 80 6 16838
9:00:03.556 9:00:19.876 192.0.2.2 17606 198.51.100.68 80 6 11538
9:00:25.210 9:00:25.210 192.0.2.3 47113 192.0.2.131 53 17 119
9:00:26.358 9:00:30.198 192.0.2.3 48458 198.51.100.133 80 6 2973
9:00:29.213 9:01:00.061 192.0.2.4 61295 198.51.100.2 443 6 8350
9:04:00.207 9:04:04.431 203.0.113.3 41256 198.51.100.133 80 6 778
9:03:59.624 9:04:06.984 203.0.113.3 51662 198.51.100.3 80 6 883
9:00:30.532 9:06:15.402 192.0.2.2 37581 198.51.100.2 80 6 15420
9:06:56.813 9:06:59.821 203.0.113.3 52572 198.51.100.2 443 6 1637
9:06:30.565 9:07:00.261 203.0.113.3 49914 198.51.100.133 80 6 561
9:06:55.160 9:07:05.208 192.0.2.2 50824 198.51.100.2 443 6 1899
9:06:49.322 9:07:05.322 192.0.2.3 34597 198.51.100.3 80 6 1284
9:07:05.849 9:07:09.625 203.0.113.3 58907 198.51.100.4 80 6 2670
9:10:45.161 9:10:45.161 192.0.2.4 22478 192.0.2.131 53 17 75
9:10:45.209 9:11:01.465 192.0.2.4 49513 198.51.100.68 80 6 3374
9:10:57.094 9:11:00.614 192.0.2.4 64832 198.51.100.67 80 6 138
9:10:59.770 9:11:02.842 192.0.2.3 60833 198.51.100.69 443 6 2325
9:02:18.390 9:13:46.598 203.0.113.3 39586 198.51.100.17 80 6 11200
9:13:53.933 9:14:06.605 192.0.2.2 19638 198.51.100.3 80 6 2869
9:13:02.864 9:14:08.720 192.0.2.3 40429 198.51.100.4 80 6 18289
Figure 10: Input Data for Examples
8.1. Traffic Time Series per Source
Aggregating Flows by source IP address in time series (i.e., with a
regular interval) can be used in subsequent heavy-hitter analysis and
as a source parameter for statistical anomaly detection techniques.
Here, the Intermediate Aggregation Process imposes an interval,
aggregates the key to remove all key fields other than the source IP
address, then combines the result into a stream of Aggregated Flows.
The imposed interval of five minutes is longer than the majority of
Flows; for those Flows crossing interval boundaries, the entire Flow
is accounted to the interval containing the start time of the Flow.
Trammell, et al. Standards Track [Page 32]
RFC 7015 IPFIX Aggregation September 2013
In this example, the Partially Aggregated Flows after each conceptual
operation in the Intermediate Aggregation Process are shown. These
are meant to be illustrative of the conceptual operations only, and
not to suggest an implementation (indeed, the example shown here
would not necessarily be the most efficient method for performing
these operations). Subsequent examples will omit the Partially
Aggregated Flows for brevity.
The input to this process could be any Flow Record containing a
source IP address and octet counter; consider for this example the
Template and data from the introduction. The Intermediate
Aggregation Process would then output records containing just
timestamps, source IP, and octetDeltaCount, as in Figure 11.
flowStartMilliseconds(152)[8]
flowEndMilliseconds(153)[8]
sourceIPv4Address(8)[4]
octetDeltaCount(1)[8]
Figure 11: Output Template for Time Series per Source
Trammell, et al. Standards Track [Page 33]
RFC 7015 IPFIX Aggregation September 2013
Assume the goal is to get 5-minute (300 s) time series of octet
counts per source IP address. The aggregation operations would then
be arranged as in Figure 12.
Original Flows
|
V
+-----------------------+
| interval distribution |
| * impose uniform |
| 300s time interval |
+-----------------------+
|
| Partially Aggregated Flows
V
+------------------------+
| key aggregation |
| * reduce key to only |
| sourceIPv4Address |
+------------------------+
|
| Partially Aggregated Flows
V
+-------------------------+
| aggregate combination |
| * sum octetDeltaCount |
+-------------------------+
|
V
Aggregated Flows
Figure 12: Aggregation Operations for Time Series per Source
After applying the interval distribution step to the source data in
Figure 10, only the time intervals have changed; the Partially
Aggregated Flows are shown in Figure 13. Note that interval
distribution follows the default Start Interval policy; that is, the
entire Flow is accounted to the interval containing the Flow's start
time.
Trammell, et al. Standards Track [Page 34]
RFC 7015 IPFIX Aggregation September 2013
start time |end time |source ip4 |port |dest ip4 |port|pt| oct
9:00:00.000 9:05:00.000 192.0.2.2 47113 192.0.2.131 53 17 119
9:00:00.000 9:05:00.000 192.0.2.2 22153 192.0.2.131 53 17 83
9:00:00.000 9:05:00.000 192.0.2.2 52420 198.51.100.2 443 6 1637
9:00:00.000 9:05:00.000 192.0.2.3 56047 192.0.2.131 53 17 111
9:00:00.000 9:05:00.000 192.0.2.3 41183 198.51.100.67 80 6 16838
9:00:00.000 9:05:00.000 192.0.2.2 17606 198.51.100.68 80 6 11538
9:00:00.000 9:05:00.000 192.0.2.3 47113 192.0.2.131 53 17 119
9:00:00.000 9:05:00.000 192.0.2.3 48458 198.51.100.133 80 6 2973
9:00:00.000 9:05:00.000 192.0.2.4 61295 198.51.100.2 443 6 8350
9:00:00.000 9:05:00.000 203.0.113.3 41256 198.51.100.133 80 6 778
9:00:00.000 9:05:00.000 203.0.113.3 51662 198.51.100.3 80 6 883
9:00:00.000 9:05:00.000 192.0.2.2 37581 198.51.100.2 80 6 15420
9:00:00.000 9:05:00.000 203.0.113.3 39586 198.51.100.17 80 6 11200
9:05:00.000 9:10:00.000 203.0.113.3 52572 198.51.100.2 443 6 1637
9:05:00.000 9:10:00.000 203.0.113.3 49914 197.51.100.133 80 6 561
9:05:00.000 9:10:00.000 192.0.2.2 50824 198.51.100.2 443 6 1899
9:05:00.000 9:10:00.000 192.0.2.3 34597 198.51.100.3 80 6 1284
9:05:00.000 9:10:00.000 203.0.113.3 58907 198.51.100.4 80 6 2670
9:10:00.000 9:15:00.000 192.0.2.4 22478 192.0.2.131 53 17 75
9:10:00.000 9:15:00.000 192.0.2.4 49513 198.51.100.68 80 6 3374
9:10:00.000 9:15:00.000 192.0.2.4 64832 198.51.100.67 80 6 138
9:10:00.000 9:15:00.000 192.0.2.3 60833 198.51.100.69 443 6 2325
9:10:00.000 9:15:00.000 192.0.2.2 19638 198.51.100.3 80 6 2869
9:10:00.000 9:15:00.000 192.0.2.3 40429 198.51.100.4 80 6 18289
Figure 13: Interval Imposition for Time Series per Source
After the key aggregation step, all Flow Keys except the source IP
address have been discarded, as shown in Figure 14. This leaves
duplicate Partially Aggregated Flows to be combined in the final
operation.
Trammell, et al. Standards Track [Page 35]
RFC 7015 IPFIX Aggregation September 2013
start time |end time |source ip4 |octets
9:00:00.000 9:05:00.000 192.0.2.2 119
9:00:00.000 9:05:00.000 192.0.2.2 83
9:00:00.000 9:05:00.000 192.0.2.2 1637
9:00:00.000 9:05:00.000 192.0.2.3 111
9:00:00.000 9:05:00.000 192.0.2.3 16838
9:00:00.000 9:05:00.000 192.0.2.2 11538
9:00:00.000 9:05:00.000 192.0.2.3 119
9:00:00.000 9:05:00.000 192.0.2.3 2973
9:00:00.000 9:05:00.000 192.0.2.4 8350
9:00:00.000 9:05:00.000 203.0.113.3 778
9:00:00.000 9:05:00.000 203.0.113.3 883
9:00:00.000 9:05:00.000 192.0.2.2 15420
9:00:00.000 9:05:00.000 203.0.113.3 11200
9:05:00.000 9:10:00.000 203.0.113.3 1637
9:05:00.000 9:10:00.000 203.0.113.3 561
9:05:00.000 9:10:00.000 192.0.2.2 1899
9:05:00.000 9:10:00.000 192.0.2.3 1284
9:05:00.000 9:10:00.000 203.0.113.3 2670
9:10:00.000 9:15:00.000 192.0.2.4 75
9:10:00.000 9:15:00.000 192.0.2.4 3374
9:10:00.000 9:15:00.000 192.0.2.4 138
9:10:00.000 9:15:00.000 192.0.2.3 2325
9:10:00.000 9:15:00.000 192.0.2.2 2869
9:10:00.000 9:15:00.000 192.0.2.3 18289
Figure 14: Key Aggregation for Time Series per Source
Aggregate combination sums the counters per key and interval; the
summations of the first two keys and intervals are shown in detail in
Figure 15.
Trammell, et al. Standards Track [Page 36]
RFC 7015 IPFIX Aggregation September 2013
start time |end time |source ip4 |octets
9:00:00.000 9:05:00.000 192.0.2.2 119
9:00:00.000 9:05:00.000 192.0.2.2 83
9:00:00.000 9:05:00.000 192.0.2.2 1637
9:00:00.000 9:05:00.000 192.0.2.2 11538
+ 9:00:00.000 9:05:00.000 192.0.2.2 15420
-----
= 9:00:00.000 9:05:00.000 192.0.2.2 28797
9:00:00.000 9:05:00.000 192.0.2.3 111
9:00:00.000 9:05:00.000 192.0.2.3 16838
9:00:00.000 9:05:00.000 192.0.2.3 119
+ 9:00:00.000 9:05:00.000 192.0.2.3 2973
-----
= 9:00:00.000 9:05:00.000 192.0.2.3 20041
Figure 15: Summation during Aggregate Combination
This can be applied to each set of Partially Aggregated Flows to
produce the final Aggregated Flows that are shown in Figure 16, as
exported by the Template in Figure 11.
start time |end time |source ip4 |octets
9:00:00.000 9:05:00.000 192.0.2.2 28797
9:00:00.000 9:05:00.000 192.0.2.3 20041
9:00:00.000 9:05:00.000 192.0.2.4 8350
9:00:00.000 9:05:00.000 203.0.113.3 12861
9:05:00.000 9:10:00.000 192.0.2.2 1899
9:05:00.000 9:10:00.000 192.0.2.3 1284
9:05:00.000 9:10:00.000 203.0.113.3 4868
9:10:00.000 9:15:00.000 192.0.2.2 2869
9:10:00.000 9:15:00.000 192.0.2.3 20614
9:10:00.000 9:15:00.000 192.0.2.4 3587
Figure 16: Aggregated Flows for Time Series per Source
8.2. Core Traffic Matrix
Aggregating Flows by source and destination ASN in time series is
used to generate core traffic matrices. The core traffic matrix
provides a view of the state of the routes within a network, and it
can be used for long-term planning of changes to network design based
on traffic demand. Here, imposed time intervals are generally much
longer than active Flow timeouts. The traffic matrix is reported in
terms of octets, packets, and flows, as each of these values may have
a subtly different effect on capacity planning.
Trammell, et al. Standards Track [Page 37]
RFC 7015 IPFIX Aggregation September 2013
This example demonstrates key aggregation using derived keys and
Original Flow counting. While some Original Flows may be generated
by Exporting Processes on forwarding devices, and therefore contain
the bgpSourceAsNumber and bgpDestinationAsNumber Information
Elements, Original Flows from Exporting Processes on dedicated
measurement devices without routing data contain only a
destinationIPv[46]Address. For these Flows, the Mediator must look
up a next-hop AS from an IP-to-AS table, replacing source and
destination addresses with ASNs. The table used in this example is
shown in Figure 17. (Note that due to limited example address space,
in this example we ignore the common practice of routing only blocks
of /24 or larger.)
prefix |ASN
192.0.2.0/25 64496
192.0.2.128/25 64497
198.51.100/24 64498
203.0.113.0/24 64499
Figure 17: Example ASN Map
The Template for Aggregated Flows produced by this example is shown
in Figure 18.
flowStartMilliseconds(152)[8]
flowEndMilliseconds(153)[8]
bgpSourceAsNumber(16)[4]
bgpDestinationAsNumber(17)[4]
octetDeltaCount(1)[8]
Figure 18: Output Template for Traffic Matrix
Assume the goal is to get 60-minute time series of octet counts per
source/destination ASN pair. The aggregation operations would then
be arranged as in Figure 19.
Trammell, et al. Standards Track [Page 38]
RFC 7015 IPFIX Aggregation September 2013
Original Flows
|
V
+-----------------------+
| interval distribution |
| * impose uniform |
| 3600s time interval|
+-----------------------+
|
| Partially Aggregated Flows
V
+------------------------+
| key aggregation |
| * reduce key to only |
| sourceIPv4Address + |
| destIPv4Address |
+------------------------+
|
V
+------------------------+
| key aggregation |
| * replace addresses |
| with ASN from map |
+------------------------+
|
| Partially Aggregated Flows
V
+-------------------------+
| aggregate combination |
| * sum octetDeltaCount |
+-------------------------+
|
V
Aggregated Flows
Figure 19: Aggregation Operations for Traffic Matrix
After applying the interval distribution step to the source data in
Figure 10, the Partially Aggregated Flows are shown in Figure 20.
Note that the Flows are identical to those in the interval
distribution step in the previous example, except the chosen interval
(1 hour, 3600 seconds) is different; therefore, all the Flows fit
into a single interval.
Trammell, et al. Standards Track [Page 39]
RFC 7015 IPFIX Aggregation September 2013
start time |end time |source ip4 |port |dest ip4 |port|pt| oct
9:00:00 10:00:00 192.0.2.2 47113 192.0.2.131 53 17 119
9:00:00 10:00:00 192.0.2.2 22153 192.0.2.131 53 17 83
9:00:00 10:00:00 192.0.2.2 52420 198.51.100.2 443 6 1637
9:00:00 10:00:00 192.0.2.3 56047 192.0.2.131 53 17 111
9:00:00 10:00:00 192.0.2.3 41183 198.51.100.67 80 6 16838
9:00:00 10:00:00 192.0.2.2 17606 198.51.100.68 80 6 11538
9:00:00 10:00:00 192.0.2.3 47113 192.0.2.131 53 17 119
9:00:00 10:00:00 192.0.2.3 48458 198.51.100.133 80 6 2973
9:00:00 10:00:00 192.0.2.4 61295 198.51.100.2 443 6 8350
9:00:00 10:00:00 203.0.113.3 41256 198.51.100.133 80 6 778
9:00:00 10:00:00 203.0.113.3 51662 198.51.100.3 80 6 883
9:00:00 10:00:00 192.0.2.2 37581 198.51.100.2 80 6 15420
9:00:00 10:00:00 203.0.113.3 52572 198.51.100.2 443 6 1637
9:00:00 10:00:00 203.0.113.3 49914 197.51.100.133 80 6 561
9:00:00 10:00:00 192.0.2.2 50824 198.51.100.2 443 6 1899
9:00:00 10:00:00 192.0.2.3 34597 198.51.100.3 80 6 1284
9:00:00 10:00:00 203.0.113.3 58907 198.51.100.4 80 6 2670
9:00:00 10:00:00 192.0.2.4 22478 192.0.2.131 53 17 75
9:00:00 10:00:00 192.0.2.4 49513 198.51.100.68 80 6 3374
9:00:00 10:00:00 192.0.2.4 64832 198.51.100.67 80 6 138
9:00:00 10:00:00 192.0.2.3 60833 198.51.100.69 443 6 2325
9:00:00 10:00:00 203.0.113.3 39586 198.51.100.17 80 6 11200
9:00:00 10:00:00 192.0.2.2 19638 198.51.100.3 80 6 2869
9:00:00 10:00:00 192.0.2.3 40429 198.51.100.4 80 6 18289
Figure 20: Interval Imposition for Traffic Matrix
The next steps are to discard irrelevant key fields and to replace
the source and destination addresses with source and destination ASNs
in the map; the results of these key aggregation steps are shown in
Figure 21.
Trammell, et al. Standards Track [Page 40]
RFC 7015 IPFIX Aggregation September 2013
start time |end time |source ASN |dest ASN |octets
9:00:00 10:00:00 AS64496 AS64497 119
9:00:00 10:00:00 AS64496 AS64497 83
9:00:00 10:00:00 AS64496 AS64498 1637
9:00:00 10:00:00 AS64496 AS64497 111
9:00:00 10:00:00 AS64496 AS64498 16838
9:00:00 10:00:00 AS64496 AS64498 11538
9:00:00 10:00:00 AS64496 AS64497 119
9:00:00 10:00:00 AS64496 AS64498 2973
9:00:00 10:00:00 AS64496 AS64498 8350
9:00:00 10:00:00 AS64499 AS64498 778
9:00:00 10:00:00 AS64499 AS64498 883
9:00:00 10:00:00 AS64496 AS64498 15420
9:00:00 10:00:00 AS64499 AS64498 1637
9:00:00 10:00:00 AS64499 AS64498 561
9:00:00 10:00:00 AS64496 AS64498 1899
9:00:00 10:00:00 AS64496 AS64498 1284
9:00:00 10:00:00 AS64499 AS64498 2670
9:00:00 10:00:00 AS64496 AS64497 75
9:00:00 10:00:00 AS64496 AS64498 3374
9:00:00 10:00:00 AS64496 AS64498 138
9:00:00 10:00:00 AS64496 AS64498 2325
9:00:00 10:00:00 AS64499 AS64498 11200
9:00:00 10:00:00 AS64496 AS64498 2869
9:00:00 10:00:00 AS64496 AS64498 18289
Figure 21: Key Aggregation for Traffic Matrix:
Reduction and Replacement
Finally, aggregate combination sums the counters per key and
interval. The resulting Aggregated Flows containing the traffic
matrix, shown in Figure 22, are then exported using the Template in
Figure 18. Note that these Aggregated Flows represent a sparse
matrix: AS pairs for which no traffic was received have no
corresponding record in the output.
start time end time source ASN dest ASN octets
9:00:00 10:00:00 AS64496 AS64497 507
9:00:00 10:00:00 AS64496 AS64498 86934
9:00:00 10:00:00 AS64499 AS64498 17729
Figure 22: Aggregated Flows for Traffic Matrix
The output of this operation is suitable for re-aggregation: that is,
traffic matrices from single links or Observation Points can be
aggregated through the same interval imposition and aggregate
combination steps in order to build a traffic matrix for an entire
network.
Trammell, et al. Standards Track [Page 41]
RFC 7015 IPFIX Aggregation September 2013
8.3. Distinct Source Count per Destination Endpoint
Aggregating Flows by destination address and port, and counting
distinct sources aggregated away, can be used as part of passive
service inventory and host characterization. This example shows
aggregation as an analysis technique, performed on source data stored
in an IPFIX File. As the Transport Session in this File is bounded,
removal of all timestamp information allows summarization of the
entire time interval contained within the interval. Removal of
timing information during interval imposition is equivalent to an
infinitely long imposed time interval. This demonstrates both how
infinite intervals work, and how unique counters work. The
aggregation operations are summarized in Figure 23.
Trammell, et al. Standards Track [Page 42]
RFC 7015 IPFIX Aggregation September 2013
Original Flows
|
V
+-----------------------+
| interval distribution |
| * discard timestamps |
+-----------------------+
|
| Partially Aggregated Flows
V
+----------------------------+
| value aggregation |
| * discard octetDeltaCount |
+----------------------------+
|
| Partially Aggregated Flows
V
+----------------------------+
| key aggregation |
| * reduce key to only |
| destIPv4Address + |
| destTransportPort, |
| * count distinct sources |
+----------------------------+
|
| Partially Aggregated Flows
V
+----------------------------------------------+
| aggregate combination |
| * no-op (distinct sources already counted) |
+----------------------------------------------+
|
V
Aggregated Flows
Figure 23: Aggregation Operations for Source Count
The Template for Aggregated Flows produced by this example is shown
in Figure 24.
destinationIPv4Address(12)[4]
destinationTransportPort(11)[2]
distinctCountOfSourceIPAddress(378)[8]
Figure 24: Output Template for Source Count
Trammell, et al. Standards Track [Page 43]
RFC 7015 IPFIX Aggregation September 2013
Interval distribution, in this case, merely discards the timestamp
information from the Original Flows in Figure 10, and as such is not
shown. Likewise, the value aggregation step simply discards the
octetDeltaCount value field. The key aggregation step reduces the
key to the destinationIPv4Address and destinationTransportPort,
counting the distinct source addresses. Since this is essentially
the output of this aggregation function, the aggregate combination
operation is a no-op; the resulting Aggregated Flows are shown in
Figure 25.
dest ip4 |port |dist src
192.0.2.131 53 3
198.51.100.2 80 1
198.51.100.2 443 3
198.51.100.67 80 2
198.51.100.68 80 2
198.51.100.133 80 2
198.51.100.3 80 3
198.51.100.4 80 2
198.51.100.17 80 1
198.51.100.69 443 1
Figure 25: Aggregated Flows for Source Count
8.4. Traffic Time Series per Source with Counter Distribution
Returning to the example in Section 8.1, note that our source data
contains some Flows with durations longer than the imposed interval
of five minutes. The default method for dealing with such Flows is
to account them to the interval containing the Flow's start time.
In this example, the same data is aggregated using the same
arrangement of operations and the same output Template as in
Section 8.1, but using a different counter distribution policy,
Simple Uniform Distribution, as described in Section 5.1.1. In order
to do this, the Exporting Process first exports the Aggregate Counter
Distribution Options Template, as in Figure 26.
templateId(12)[2]{scope}
valueDistributionMethod(384)[1]
Figure 26: Aggregate Counter Distribution Options Template
This Template is followed by an Aggregate Counter Distribution Record
described by this Template; assuming the output Template in Figure 11
has ID 257, this record would appear as in Figure 27.
Trammell, et al. Standards Track [Page 44]
RFC 7015 IPFIX Aggregation September 2013
template ID | value distribution method
257 4 (simple uniform)
Figure 27: Aggregate Counter Distribution Record
Following metadata export, the aggregation steps follow as before.
However, two long Flows are distributed across multiple intervals in
the interval imposition step, as indicated with "*" in Figure 28.
Note the uneven distribution of the three-interval, 11200-octet Flow
into three Partially Aggregated Flows of 3733, 3733, and 3734 octets;
this ensures no cumulative error is injected by the interval
distribution step.
start time |end time |source ip4 |port |dest ip4 |port|pt| oct
9:00:00.000 9:05:00.000 192.0.2.2 47113 192.0.2.131 53 17 119
9:00:00.000 9:05:00.000 192.0.2.2 22153 192.0.2.131 53 17 83
9:00:00.000 9:05:00.000 192.0.2.2 52420 198.51.100.2 443 6 1637
9:00:00.000 9:05:00.000 192.0.2.3 56047 192.0.2.131 53 17 111
9:00:00.000 9:05:00.000 192.0.2.3 41183 198.51.100.67 80 6 16838
9:00:00.000 9:05:00.000 192.0.2.2 17606 198.51.100.68 80 6 11538
9:00:00.000 9:05:00.000 192.0.2.3 47113 192.0.2.131 53 17 119
9:00:00.000 9:05:00.000 192.0.2.3 48458 198.51.100.133 80 6 2973
9:00:00.000 9:05:00.000 192.0.2.4 61295 198.51.100.2 443 6 8350
9:00:00.000 9:05:00.000 203.0.113.3 41256 198.51.100.133 80 6 778
9:00:00.000 9:05:00.000 203.0.113.3 51662 198.51.100.3 80 6 883
9:00:00.000 9:05:00.000 192.0.2.2 37581 198.51.100.2 80 6 7710*
9:00:00.000 9:05:00.000 203.0.113.3 39586 198.51.100.17 80 6 3733*
9:05:00.000 9:10:00.000 203.0.113.3 52572 198.51.100.2 443 6 1637
9:05:00.000 9:10:00.000 203.0.113.3 49914 197.51.100.133 80 6 561
9:05:00.000 9:10:00.000 192.0.2.2 50824 198.51.100.2 443 6 1899
9:05:00.000 9:10:00.000 192.0.2.3 34597 198.51.100.3 80 6 1284
9:05:00.000 9:10:00.000 203.0.113.3 58907 198.51.100.4 80 6 2670
9:05:00.000 9:10:00.000 192.0.2.2 37581 198.51.100.2 80 6 7710*
9:05:00.000 9:10:00.000 203.0.113.3 39586 198.51.100.17 80 6 3733*
9:10:00.000 9:15:00.000 192.0.2.4 22478 192.0.2.131 53 17 75
9:10:00.000 9:15:00.000 192.0.2.4 49513 198.51.100.68 80 6 3374
9:10:00.000 9:15:00.000 192.0.2.4 64832 198.51.100.67 80 6 138
9:10:00.000 9:15:00.000 192.0.2.3 60833 198.51.100.69 443 6 2325
9:10:00.000 9:15:00.000 192.0.2.2 19638 198.51.100.3 80 6 2869
9:10:00.000 9:15:00.000 192.0.2.3 40429 198.51.100.4 80 6 18289
9:10:00.000 9:15:00.000 203.0.113.3 39586 198.51.100.17 80 6 3734*
Figure 28: Distributed Interval Imposition for Time Series per Source
Subsequent steps are as in Section 8.1; the results, to be exported
using the Template shown in Figure 11, are shown in Figure 29, with
Aggregated Flows differing from the example in Section 8.1 indicated
by "*".
Trammell, et al. Standards Track [Page 45]
RFC 7015 IPFIX Aggregation September 2013
start time |end time |source ip4 |octets
9:00:00.000 9:05:00.000 192.0.2.2 21087*
9:00:00.000 9:05:00.000 192.0.2.3 20041
9:00:00.000 9:05:00.000 192.0.2.4 8350
9:00:00.000 9:05:00.000 203.0.113.3 5394*
9:05:00.000 9:10:00.000 192.0.2.2 9609*
9:05:00.000 9:10:00.000 192.0.2.3 1284
9:05:00.000 9:10:00.000 203.0.113.3 8601*
9:10:00.000 9:15:00.000 192.0.2.2 2869
9:10:00.000 9:15:00.000 192.0.2.3 20614
9:10:00.000 9:15:00.000 192.0.2.4 3587
9:10:00.000 9:15:00.000 203.0.113.3 3734*
Figure 29: Aggregated Flows for Time Series per Source
with Counter Distribution
9. Security Considerations
This document specifies the operation of an Intermediate Aggregation
Process with the IPFIX protocol; the Security Considerations for the
protocol itself in Section 11 of [RFC7011] therefore apply. In the
common case that aggregation is performed on a Mediator, the Security
Considerations for Mediators in Section 9 of [RFC6183] apply as well.
As mentioned in Section 3, certain aggregation operations may tend to
have an anonymizing effect on Flow data by obliterating sensitive
identifiers. Aggregation may also be combined with anonymization
within a Mediator, or as part of a chain of Mediators, to further
leverage this effect. In any case in which an Intermediate
Aggregation Process is applied as part of a data anonymization or
protection scheme, or is used together with anonymization as
described in [RFC6235], the Security Considerations in Section 9 of
[RFC6235] apply.
10. IANA Considerations
This document specifies the creation of new IPFIX Information
Elements in the IPFIX Information Element registry [IANA-IPFIX], as
defined in Section 7 above. IANA has assigned Information Element
numbers to these Information Elements, and entered them into the
registry.
11. Acknowledgments
Special thanks to Elisa Boschi for early work on the concepts laid
out in this document. Thanks to Lothar Braun, Christian Henke, and
Rahul Patel for their reviews and valuable feedback, with special
Trammell, et al. Standards Track [Page 46]
RFC 7015 IPFIX Aggregation September 2013
thanks to Paul Aitken for his multiple detailed reviews. This work
is materially supported by the European Union Seventh Framework
Programme under grant agreement 257315 (DEMONS).
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
"Specification of the IP Flow Information Export (IPFIX)
Protocol for the Exchange of Flow Information", STD 77,
RFC 7011, September 2013.
12.2. Informative References
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander,
"Requirements for IP Flow Information Export (IPFIX)", RFC
3917, October 2004.
[RFC5470] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
"Architecture for IP Flow Information Export", RFC 5470,
March 2009.
[RFC5472] Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IP
Flow Information Export (IPFIX) Applicability", RFC 5472,
March 2009.
[RFC5476] Claise, B., Johnson, A., and J. Quittek, "Packet Sampling
(PSAMP) Protocol Specifications", RFC 5476, March 2009.
[RFC5655] Trammell, B., Boschi, E., Mark, L., Zseby, T., and A.
Wagner, "Specification of the IP Flow Information Export
(IPFIX) File Format", RFC 5655, October 2009.
[RFC5982] Kobayashi, A. and B. Claise, "IP Flow Information Export
(IPFIX) Mediation: Problem Statement", RFC 5982, August
2010.
[RFC6183] Kobayashi, A., Claise, B., Muenz, G., and K. Ishibashi,
"IP Flow Information Export (IPFIX) Mediation: Framework",
RFC 6183, April 2011.
Trammell, et al. Standards Track [Page 47]
RFC 7015 IPFIX Aggregation September 2013
[RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
Support", RFC 6235, May 2011.
[RFC6728] Muenz, G., Claise, B., and P. Aitken, "Configuration Data
Model for the IP Flow Information Export (IPFIX) and
Packet Sampling (PSAMP) Protocols", RFC 6728, October
2012.
[RFC7012] Claise, B., Ed. and B. Trammell, Ed., "Information Model
for IP Flow Information Export (IPFIX)", RFC 7012,
September 2013.
[RFC7013] Trammell, B. and B. Claise, "Guidelines for Authors and
Reviewers of IP Flow Information Export (IPFIX)
Information Elements", BCP 184, RFC 7013, September 2013.
[RFC7014] D'Antonio, S., Zseby, T., Henke, C., and L. Peluso, "Flow
Selection Techniques", RFC 7014, September 2013.
[IANA-IPFIX]
IANA, "IP Flow Information Export (IPFIX) Entities",
<http://www.iana.org/assignments/ipfix>.
[IPFIX-MED-PROTO]
Claise, B., Kobayashi, A., and B. Trammell, "Operation of
the IP Flow Information Export (IPFIX) Protocol on IPFIX
Mediators", Work in Progress, July 2013.
Trammell, et al. Standards Track [Page 48]
RFC 7015 IPFIX Aggregation September 2013
Authors' Addresses
Brian Trammell
Swiss Federal Institute of Technology Zurich
Gloriastrasse 35
8092 Zurich
Switzerland
Phone: +41 44 632 70 13
EMail: trammell@tik.ee.ethz.ch
Arno Wagner
Consecom AG
Bleicherweg 64a
8002 Zurich
Switzerland
EMail: arno@wagner.name
Benoit Claise
Cisco Systems, Inc.
De Kleetlaan 6a b1
1831 Diegem
Belgium
Phone: +32 2 704 5622
EMail: bclaise@cisco.com
Trammell, et al. Standards Track [Page 49]