Traffic Flow Measurement: Architecture
RFC 2063
| Document | Type |
RFC - Experimental
(January 1997; No errata)
Obsoleted by RFC 2722
|
|
|---|---|---|---|
| Authors | Nevil Brownlee , Cynthia Mills , Greg Ruth | ||
| Last updated | 2013-03-02 | ||
| Stream | Internet Engineering Task Force (IETF) | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 2063 (Experimental) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group N. Brownlee
Request for Comments: 2063 The University of Auckland
Category: Experimental C. Mills
BBN Systems and Technologies
G. Ruth
GTE Laboratories, Inc.
January 1997
Traffic Flow Measurement: Architecture
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. This memo does not specify an Internet standard of any
kind. Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Abstract
This document describes an architecture for the measurement and
reporting of network traffic flows, discusses how this relates to an
overall network traffic flow architecture, and describes how it can
be used within the Internet. It is intended to provide a starting
point for the Realtime Traffic Flow Measurement Working Group.
Table of Contents
1 Statement of Purpose and Scope 2
2 Traffic Flow Measurement Architecture 4
2.1 Meters and Traffic Flows . . . . . . . . . . . . . . . . . . 4
2.2 Interaction Between METER and METER READER . . . . . . . . . 6
2.3 Interaction Between MANAGER and METER . . . . . . . . . . . 6
2.4 Interaction Between MANAGER and METER READER . . . . . . . . 7
2.5 Multiple METERs or METER READERs . . . . . . . . . . . . . . 7
2.6 Interaction Between MANAGERs (MANAGER - MANAGER) . . . . . . 8
2.7 METER READERs and APPLICATIONs . . . . . . . . . . . . . . . 8
3 Traffic Flows and Reporting Granularity 9
3.1 Flows and their Attributes . . . . . . . . . . . . . . . . . 9
3.2 Granularity of Flow Measurements . . . . . . . . . . . . . . 11
3.3 Rolling Counters, Timestamps, Report-in-One-Bucket-Only . . 13
4 Meters 15
4.1 Meter Structure . . . . . . . . . . . . . . . . . . . . . . 15
4.2 Flow Table . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3 Packet Handling, Packet Matching . . . . . . . . . . . . . . 17
4.4 Rules and Rule Sets . . . . . . . . . . . . . . . . . . . . 21
4.5 Maintaining the Flow Table . . . . . . . . . . . . . . . . . 24
4.6 Handling Increasing Traffic Levels . . . . . . . . . . . . . 25
Brownlee, et. al. Experimental [Page 1]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
5 Meter Readers 26
5.1 Identifying Flows in Flow Records . . . . . . . . . . . . . 26
5.2 Usage Records, Flow Data Files . . . . . . . . . . . . . . . 27
5.3 Meter to Meter Reader: Usage Record Transmission. . . . . . 27
6 Managers 28
6.1 Between Manager and Meter: Control Functions . . . . . . . 28
6.2 Between Manager and Meter Reader: Control Functions . . . 29
6.3 Exception Conditions . . . . . . . . . . . . . . . . . . . . 31
6.4 Standard Rule Sets . . . . . . . . . . . . . . . . . . . . 32
7 APPENDICES 33
7.1 Appendix A: Network Characterisation . . . . . . . . . . . . 33
7.2 Appendix B: Recommended Traffic Flow Measurement Capabilities 34
7.3 Appendix C: List of Defined Flow Attributes . . . . . . . . 35
7.4 Appendix D: List of Meter Control Variables . . . . . . . . 36
8 Acknowledgments 36
9 References 37
10 Security Considerations 37
11 Authors' Addresses 37
1 Statement of Purpose and Scope
This document describes an architecture for traffic flow measurement
and reporting for data networks which has the following
characteristics:
- The traffic flow model can be consistently applied to any
protocol/application at any network layer (e.g. network,
transport, application layers).
- Traffic flow attributes are defined in such a way that they are
valid for multiple networking protocol stacks, and that traffic
flow measurement implementations are useful in MULTI-PROTOCOL
environments.
- Users may specify their traffic flow measurement requirements
in a simple manner, allowing them to collect the flow data they
need while ignoring other traffic.
- The data reduction effort to produce requested traffic flow
information is placed as near as possible to the network
measurement point. This reduces the volume of data to be
obtained (and transmitted across the network for storage),
and minimises the amount of processing required in traffic
flow analysis applications.
Brownlee, et. al. Experimental [Page 2]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
The architecture specifies common metrics for measuring traffic
flows. By using the same metrics, traffic flow data can be exchanged
and compared across multiple platforms. Such data is useful for:
- Understanding the behaviour of existing networks,
- Planning for network development and expansion,
- Quantification of network performance,
- Verifying the quality of network service, and
- Attribution of network usage to users.
The traffic flow measurement architecture is deliberately structured
so that specific protocol implementations may extend coverage to
multi-protocol environments and to other protocol layers, such as
usage measurement for application-level services. Use of the same
model for both network- and application-level measurement may
simplify the development of generic analysis applications which
process and/or correlate any or all levels of traffic and usage
information. Within this docuemt the term 'usage data' is used as a
generic term for the data obtained using the traffic flow measurement
architecture.
This document is not a protocol specification. It specifies and
structures the information that a traffic flow measurement system
needs to collect, describes requirements that such a system must
meet, and outlines tradeoffs which may be made by an implementor.
For performance reasons, it may be desirable to use traffic
information gathered through traffic flow measurement in lieu of
network statistics obtained in other ways. Although the
quantification of network performance is not the primary purpose of
this architecture, the measured traffic flow data may be used as an
indication of network performance.
A cost recovery structure decides "who pays for what." The major
issue here is how to construct a tariff (who gets billed, how much,
for which things, based on what information, etc). Tariff issues
include fairness, predictability (how well can subscribers forecast
their network charges), practicality (of gathering the data and
administering the tariff), incentives (e.g. encouraging off-peak
use), and cost recovery goals (100% recovery, subsidisation, profit
making). Issues such as these are not covered here.
Background information explaining why this approach was selected is
provided by 'Traffic Flow Measurement: Background' RFC [1].
Brownlee, et. al. Experimental [Page 3]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
2 Traffic Flow Measurement Architecture
A traffic flow measurement system is used by network Operations
personnel for managing and developing a network. It provides a tool
for measuring and understanding the network's traffic flows. This
information is useful for many purposes, as mentioned in section 1
(above).
The following sections outline a model for traffic flow measurement,
which draws from working drafts of the OSI accounting model [2].
Future extensions are anticipated as the model is refined to address
additional protocol layers.
2.1 Meters and Traffic Flows
At the heart of the traffic measurement model are network entities
called traffic METERS. Meters count certain attributes (such as
numbers of packets and bytes) and classify them as belonging to
ACCOUNTABLE ENTITIES using other attributes (such as source and
destination addresses). An accountable entity is someone who (or
something which) is responsible for some activitiy on the network.
It may be a user, a host system, a network, a group of networks, etc,
depending on the granularity specified by the meter's configuration.
We assume that routers or traffic monitors throughout a network are
instrumented with meters to measure traffic. Issues surrounding the
choice of meter placement are discussed in the 'Traffic Flow
Measurement: Background' RFC [1]. An important aspect of meters is
that they provide a way of succinctly aggregating entity usage
information.
For the purpose of traffic flow measurement we define the concept of
a TRAFFIC FLOW, which is an artificial logical equivalent to a call
or connection. A flow is a portion of traffic, delimited by a start
and stop time, that was generated by a particular accountable entity.
Attribute values (source/destination addresses, packet counts, byte
counts, etc.) associated with a flow are aggregate quantities
reflecting events which take place in the DURATION between the start
and stop times. The start time of a flow is fixed for a given flow;
the end time may increase with the age of the flow.
For connectionless network protocols such as IP there is by
definition no way to tell whether a packet with a particular
source/destination combination is part of a stream of packets or not
- each packet is completely independent. A traffic meter has, as
part of its configuration, a set of 'rules' which specify the flows
of interest, in terms of the values of their attributes. It derives
attribute values from each observed packet, and uses these to decide
Brownlee, et. al. Experimental [Page 4]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
which flow they belong to. Classifying packets into 'flows' in this
way provides an economical and practical way to measure network
traffic and ascribe it to accountable entities.
Usage information which is not deriveable from traffic flows may also
be of interest. For example, an application may wish to record
accesses to various different information resources or a host may
wish to record the username (subscriber id) for a particular network
session. Provision is made in the traffic flow architecture to do
this. In the future the measurement model will be extended to gather
such information from applications and hosts so as to provide values
for higher-layer flow attributes.
As well as FLOWS and METERS, the traffic flow measurement model
includes MANAGERS, METER READERS and ANALYSIS APPLICAIONS, which are
explained in following sections. The relationships between them are
shown by the diagram below. Numbers on the diagram refer to sections
in this document.
MANAGER
/ \
2.3 / \ 2.4
/ \
/ \ ANALYSIS
METER <-----> METER READER <-----> APPLICATION
2.2 2.7
- MANAGER: A traffic measurement manager is an application which
configures 'meter' entities and controls 'meter reader' entities.
It uses the data requirements of analysis applications to determine
the appropriate configurations for each meter, and the proper
operation of each meter reader. It may well be convenient to
combine the functions of meter reader and manager within a single
network entity.
- METER: Meters are placed at measurement points determined by
network Operations personnel. Each meter selectively records
network activity as directed by its configuration settings. It can
also aggregate, transform and further process the recorded activity
before the data is stored. The processed and stored results are
called the 'usage data.'
- METER READER: A meter reader reliably transports usage data from
meters so that it is available to analysis applications.
Brownlee, et. al. Experimental [Page 5]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
- ANALYSIS APPLICATION: An analysis application processes the usage
data so as to provide information and reports which are useful for
network engineering and management purposes. Examples include:
- TRAFFIC FLOW MATRICES, showing the total flow rates for
many of the possible paths within an internet.
- FLOW RATE FREQUENCY DISTRIBUTIONS, indicating how flow
rates vary with time.
- USAGE DATA showing the total traffic volumes sent and
received by particular hosts.
The operation of the traffic measurement system as a whole is best
understood by considering the interactions between its components.
These are described in the following sections.
2.2 Interaction Between METER and METER READER
The information which travels along this path is the usage data
itself. A meter holds usage data in an array of flow data records
known as the FLOW TABLE. A meter reader may collect the data in any
suitable manner. For example it might upload a copy of the whole
flow table using a file transfer protocol, or read the records in the
current flow set one at a time using a suitable data transfer
protocol. Note that the meter reader need not read complete flow
data records, a subset of their attribute values may well be
sufficient.
A meter reader may collect usage data from one or more meters. Data
may be collected from the meters at any time. There is no
requirement for collections to be synchronized in any way.
2.3 Interaction Between MANAGER and METER
A manager is responsible for configuring and controlling one or more
meters. At the time of writing a meter can only be controlled by a
single manager; in the future this restriction may be relaxed. Each
meter's configuration includes information such as:
- Flow specifications, e.g. which traffic flows are to be measured,
how they are to be aggregated, and any data the meter is required
to compute for each flow being measured.
- Meter control parameters, e.g. the maximum size of its flow table,
the 'inactivity' time for flows (if no packets belonging to a flow
are seen for this time the flow is considered to have ended, i.e.
to have become idle).
Brownlee, et. al. Experimental [Page 6]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
- Sampling rate. Normally every packet will be observed. It may
sometimes be necessary to use sampling techniques to observe only
some of the packets. (Sampling algorithms are not prescribed by
the architecture; it should be noted that before using sampling one
should verify the statistical validity of the algorithm used).
Current experience with the measurement architecture shows that a
carefully-designed and implemented meter compresses the data such
that in normal LANs and WANs of today sampling is really not
needed.
2.4 Interaction Between MANAGER and METER READER
A manager is responsible for configuring and controlling one or more
meter readers. A meter reader may only be controlled by a single
manager. A meter reader needs to know at least the following for
every meter is is collecting usage data from:
- The meter's unique identity, i.e. its network name or address.
- How often usage data is to be collected from the meter.
- Which flow records are to be collected (e.g. all active flows, the
whole flow table, flows seen since a given time, etc.).
- Which attribute values are to be collected for the required flow
records (e.g. all attributes, or a small subset of them)
Since redundant reporting may be used in order to increase the
reliability of usage data, exchanges among multiple entities must be
considered as well. These are discussed below.
2.5 Multiple METERs or METER READERs
-- METER READER A --
/ | \
/ | \
=====METER 1 METER 2=====METER 3 METER 4=====
\ | /
\ | /
-- METER READER B --
Several uniquely identified meters may report to one or more meter
readers. The diagram above gives an example of how multiple meters
and meter readers could be used.
Brownlee, et. al. Experimental [Page 7]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
In the diagram above meter 1 is read by meter reader A, and meter 4
is read by meter reader B. Meters 1 and 4 have no redundancy; if
either fails, usage data for their network segments will be lost.
Meters 2 and 3, however, measure traffic on the same network segment.
One of them may fail leaving the other collecting the segment's usage
data. Meters 2 and 3 are read by meter reader A and by meter reader
B. If one meter reader fails, the other will continue collecting
usage data.
The architecture does not require multiple meter readers to be
synchronized. In the situation above meter readers A and B could
both collect usage data at the same intervals, but not neccesarily at
the same times. Note that because collections are asynchronous it is
unlikely that usage records from two different meter readers will
agree exactly.
If precisely synchronized collections are required this can be
achieved by having one manager request each meter to begin collecting
a new set of flows, then allowing all meter readers to collect the
usage data from the old sets of flows.
If there is only one meter reader and it fails, the meters continue
to run. When the meter reader is restarted it can collect all of the
accumulated flow data. Should this happen, time resolution will be
lost (because of the missed collections) but overall traffic flow
information will not. The only exception to this would occur if the
traffic volume was sufficient to 'roll over' counters for some flows
during the failure; this is addressed in the section on 'Rolling
Counters.'
2.6 Interaction Between MANAGERs (MANAGER - MANAGER)
Synchronization between multiple management systems is the province
of network management protocols. This traffic flow measurement
architecture specifies only the network management controls necessary
to perform the traffic flow measurement function and does not address
the more global issues of simultaneous or interleaved (possibly
conflicting) commands from multiple network management stations or
the process of transferring control from one network management
station to another.
2.7 METER READERs and APPLICATIONs
Once a collection of usage data has been assembled by a meter reader
it can be processed by an analysis application. Details of analysis
applications - such as the reports they produce and the data they
require - are outside the scope of this architecture.
Brownlee, et. al. Experimental [Page 8]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
It should be noted, however, that analysis applications will often
require considerable amounts of input data. An important part of
running a traffic flow measurement system is the storage and regular
reduction of flow data so as to produce daily, weekly or monthly
summary files for further analysis. Again, details of such data
handling are outside the scope of this architecture.
3 Traffic Flows and Reporting Granularity
A flow was defined in section 2.1 above in abstract terms as follows:
"A TRAFFIC FLOW is an artifical logical equivalent to a call or
connection, belonging to an ACCOUNTABLE ENTITY."
In practical terms, a flow is a stream of packets passing across a
network between two end points (or being sent from a single end
point), which have been summarized by a traffic meter for analysis
purposes.
3.1 Flows and their Attributes
Every traffic meter maintains a table of 'flow records' for flows
seen by the meter. A flow record holds the values of the ATTRIBUTES
of interest for its flow. These attributes might include:
- ADDRESSES for the flow's source and destination. These comprise
the protocol type, the source and destination addresses at various
network layers (extracted from the packet), and the number of the
interface on which the packet was observed.
- First and last TIMES when packets were seen for this flow, i.e.
the 'creation' and 'last activity' times for the flow.
- COUNTS for 'forward' (source to destination) and 'backward'
(destination to source) components (e.g. packets and bytes) of the
flow's traffic. The specifying of 'source' and 'destination' for
flows is discussed in the section on packet matching below.
- OTHER attributes, e.g. information computed by the meter.
A flow's ACCOUNTABLE ENTITY is specified by the values of its ADDRESS
attributes. For example, if a flow's address attributes specified
only that "source address = IP address 10.1.0.1," then all IP packets
from and to that address would be counted in that flow. If a flow's
address list were specified as "source address = IP address 10.1.0.1,
destination address = IP address 26.1.0.1" then only IP packets
between 10.1.0.1 and 26.1.0.1 would be counted in that flow.
Brownlee, et. al. Experimental [Page 9]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
The addresses specifying a flow's address attributes may include one
or more of the following types:
- The INTERFACE NUMBER for the flow, i.e. the interface on which the
meter measured the traffic. Together with a unique address for the
meter this uniquely identifies a particular physical-level port.
- The ADJACENT ADDRESS, i.e. the [n-1] layer address of the
immediate source or destination on the path of the packet. For
example, if flow measurement is being performed at the IP layer on
an Ethernet LAN [3], an adjacent address is a six-octet Media
Access Control (MAC) address. For a host connected to the same LAN
segment as the meter the adjacent address will be the MAC address
of that host. For hosts on other LAN segments it will be the MAC
address of the adjacent (upstream or downstream) router carrying
the traffic flow.
- The PEER ADDRESS, which identifies the source or destination of the
PEER-LEVEL packet. The form of a peer address will depend on the
network-layer protocol in use, and the network layer [n] at which
traffic measurement is being performed.
- The TRANSPORT ADDRESS, which identifies the source or destination
port for the packet, i.e. its [n+1] layer address. For example,
if flow measurement is being performed at the IP layer a transport
address is a two-octet UDP or TCP port number.
The four definitions above specify addresses for each of the four
lowest layers of the OSI reference model, i.e. Physical layer, Link
layer, Network layer and Transport layer. A FLOW RECORD stores both
the VALUE for each of its addresses (as described above) and a MASK
specifying which bits of the address value are being used and which
are ignored. Note that if address bits are being ignored the meter
will set them to zero, however their actual values are undefined.
One of the key features of the traffic measurement architecture is
that attributes have essentially the same meaning for different
protocols, so that analysis applications can use the same reporting
formats for all protocols. This is straightforward for peer
addresses; although the form of addresses differs for the various
protocols, the meaning of a 'peer address' remains the same. It
becomes harder to maintain this correspondence at higher layers - for
example, at the Network layer IP, Novell IPX and AppleTalk all use
port numbers as a 'transport address,' but CLNP and DECnet have no
notion of ports. Further work is needed here, particularly in
selecting attributes which will be suitable for the higher layers of
the OSI reference model.
Brownlee, et. al. Experimental [Page 10]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
Reporting by adjacent intermediate sources and destinations or simply
by meter interface (most useful when the meter is embedded in a
router) supports hierarchical Internet reporting schemes as described
in the 'Traffic Flow Measurement: Background' RFC [1]. That is, it
allows backbone and regional networks to measure usage to just the
next lower level of granularity (i.e. to the regional and
stub/enterprise levels, respectively), with the final breakdown
according to end user (e.g. to source IP address) performed by the
stub/enterprise networks.
In cases where network addresses are dynamically allocated (e.g.
mobile subscribers), further subscriber identification will be
necessary if flows are to ascribed to individual users. Provision is
made to further specify the accountable entity through the use of an
optional SUBSCRIBER ID as part of the flow id. A subscriber ID may
be associated with a particular flow either through the current rule
set or by proprietary means within a meter, for example via protocol
exchanges with one or more (multi-user) hosts. At this time a
subscriber ID is an arbitrary text string; later versions of the
architecture may specify its contents on more detail.
3.2 Granularity of Flow Measurements
GRANULARITY is the 'control knob' by which an application and/or the
meter can trade off the overhead associated with performing usage
reporting against the level of detail supplied. A coarser
granularity means a greater level of aggregation; finer granularity
means a greater level of detail. Thus, the number of flows measured
(and stored) at a meter can be regulated by changing the granularity
of the accountable entity, the attributes, or the time intervals.
Flows are like an adjustable pipe - many fine-granularity streams can
carry the data with each stream measured individually, or data can be
bundled in one coarse-granularity pipe.
Flow granularity is controlled by adjusting the level of detail at
which the following are reported:
- The accountable entity (address attributes, discussed above).
- The categorisation of packets (other attributes, discussed below).
- The lifetime/duration of flows (the reporting interval needs to be
short enough to measure them with sufficient precision).
Brownlee, et. al. Experimental [Page 11]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
The set of rules controlling the determination of each packet's
accountable entity is known as the meter's CURRENT RULE SET. As will
be shown, the meter's current rule set forms an integral part of the
reported information, i.e. the recorded usage information cannot be
properly interpreted without a definition of the rules used to
collect that information.
Settings for these granularity factors may vary from meter to meter.
They are determined by the meter's current rule set, so they will
change if network Operations personnel reconfigure the meter to use a
new rule set. It is expected that the collection rules will change
rather infrequently; nonetheless, the rule set in effect at any time
must be identifiable via a RULE SET ID. Granularity of accountable
entities is further specified by additional ATTRIBUTES. These
attributes include:
- Meter variables such as the index of the flow's record in the flow
table and the rule set id for the rules which the meter was running
while the flow was observed. The values of these attributes
provide a way of distinguishing flows observed by a meter at
different times.
- Attributes which record information derived from other attribute
values. Six of these are defined (SourceClass, DestClass,
FlowClass, SourceKind, DestKind, FlowKind), and their meaning is
determined by the meter's rule set. For example, one could have a
subroutine in the rule set which determined whether a source or
destination peer address was a member of an arbitrary list of
networks, and set SourceClass/DestClass to one if the source/dest
peer address was in the list or to zero otherwise.
- Administratively specified attributes such as Quality Of Service
and Priority, etc. These are not defined at this time.
- Higher-layer (especially application-level) attributes. These are
not defined at this time.
Settings for these granularity factors may vary from meter to meter.
They are determined by the meter's current rule set, so they will
change if network Operations personnel reconfigure the meter to use a
new rule set.
The LIFETIME of a flow is the time interval which began when the
meter observed the first packet belonging to the flow and ended when
it saw the last packet. Flow lifetimes are very variable, but many -
if not most - are rather short. A meter cannot measure lifetimes
directly; instead a meter reader collects usage data for flows which
have been active since the last collection, and an analysis
Brownlee, et. al. Experimental [Page 12]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
application may compare the data from each collection so as to
determine when each flow actually stopped.
The meter does, however, need to reclaim memory (i.e. records in the
flow table) being held by idle flows. The meter configuration
includes a variable called InactivityTimeout, which specifies the
minimum time a meter must wait before recovering the flow's record.
In addition, before recovering a flow record the meter must be sure
that the flow's data has been collected by at least one meter reader.
These 'lifetime' issues are considered further in the section on
meter readers (below). A complete list of the attributes currently
defined is given in Appendix C later in this document.
3.3 Rolling Counters, Timestamps, Report-in-One-Bucket-Only
Once an usage record is sent, the decision needs to be made whether
to clear any existing flow records or to maintain them and add to
their counts when recording subsequent traffic on the same flow. The
second method, called rolling counters, is recommended and has
several advantages. Its primary advantage is that it provides
greater reliability - the system can now often survive the loss of
some usage records, such as might occur if a meter reader failed and
later restarted. The next usage record will very often contain yet
another reading of many of the same flow buckets which were in the
lost usage record. The 'continuity' of data provided by rolling
counters can also supply information used for "sanity" checks on the
data itself, to guard against errors in calculations.
The use of rolling counters does introduce a new problem: how to
distinguish a follow-on flow record from a new flow record. Consider
the following example.
CONTINUING FLOW OLD FLOW, then NEW FLOW
start time = 1 start time = 1
Usage record N: flow count = 2000 flow count = 2000 (done)
start time = 1 start time = 5
Usage record N+1: flow count = 3000 new flow count = 1000
Total count: 3000 3000
In the continuing flow case, the same flow was reported when its
count was 2000, and again at 3000: the total count to date is 3000.
In the OLD/NEW case, the old flow had a count of 2000. Its record
Brownlee, et. al. Experimental [Page 13]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
was then stopped (perhaps because of temporary idleness, or MAX
LIFETIME policy), but then more traffic with the same characteristics
arrived so a new flow record was started and it quickly reached a
count of 1000. The total flow count from both the old and new
records is 3000.
The flow START TIMESTAMP attribute is sufficient to resolve this. In
the example above, the CONTINUING FLOW flow record in the second
usage record has an old FLOW START timestamp, while the NEW FLOW
contains a recent FLOW START timestamp.
Each packet is counted in one and only one flow, so as to avoid
multiple counting of a single packet. The record of a single flow is
informally called a "bucket." If multiple, sometimes overlapping,
records of usage information are required (aggregate, individual,
etc), the network manager should collect the counts in sufficiently
detailed granularity so that aggregate and combination counts can be
reconstructed in post-processing of the raw usage data.
For example, consider a meter from which it is required to record
both 'total packets coming in interface #1' and 'total packets
arriving from any interface sourced by IP address = a.b.c.d.'
Although a bucket can be declared for each case, it is not clear how
to handle a packet which satisfies both criteria. It must only be
counted once. By default it will be counted in the first bucket for
which it qualifies, and not in the other bucket. Further, it is not
possible to reconstruct this information by post-processing. The
solution in this case is to define not two, but THREE buckets, each
one collecting a unique combination of the two criteria:
Bucket 1: Packets which came in interface 1,
AND were sourced by IP address a.b.c.d
Bucket 2: Packets which came in interface 1,
AND were NOT sourced by IP address a.b.c.d
Bucket 3: Packets which did NOT come in interface 1,
AND were sourced by IP address a.b.c.d
(Bucket 4: Packets which did NOT come in interface 1,
AND NOT sourced by IP address a.b.c.d)
The desired information can now be reconstructed by post-processing.
"Total packets coming in interface 1" can be found by adding buckets
1 & 2, and "Total packets sourced by IP address a.b.c.d" can be found
by adding buckets 1 & 3. Note that in this case bucket 4 is not
explicitly required since its information is not of interest, but it
is supplied here in parentheses for completeness.
Brownlee, et. al. Experimental [Page 14]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
4 Meters
A traffic flow meter is a device for collecting data about traffic
flows at a given point within a network; we will call this the
METERING POINT. The header of every packet passing the network
metering point is offered to the traffic meter program.
A meter could be implemented in various ways, including:
- A dedicated small host, connected to a LAN (so that it can see all
packets as they pass by) and running a 'traffic meter' program.
The metering point is the LAN segment to which the meter is
attached.
- A multiprocessing system with one or more network interfaces, with
drivers enabling a traffic meter program to see packets. In this
case the system provides multiple metering points - traffic flows
on any subset of its network interfaces can be measured.
- A packet-forwarding device such as a router or switch. This is
similar to (b) except that every received packet should also be
forwarded, usually on a different interface.
The discussion in the following sections assumes that a meter may
only run a single rule set. It is, however, possible for a meter to
run several rule sets concurrently, matching each packet against
every active rule set and producing a single flow table with flows
from all the active rule sets. The overall effect of doing this
would be similar to running several independent meters, one for each
rule set.
4.1 Meter Structure
An outline of the meter's structure is given in the following
diagram.
Briefly, the meter works as follows:
- Incoming packet headers arrive at the top left of the diagram and
are passed to the PACKET PROCESSOR.
- The packet processor passes them to the Packet Matching Engine
(PME) where they are classified.
- The PME is a Virtual Machine running a pattern matching program
contained in the CURRENT RULE SET. It is invoked by the Packet
Processor, and returns instructions on what to do with the packet.
Brownlee, et. al. Experimental [Page 15]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
- Some packets are classified as 'to be ignored.' They are discarded
by the Packet Processor.
- Other packets are matched by the PME, which returns a FLOW KEY
describing the flow to which the packet belongs.
- The flow key is used to locate the flow's entry in the FLOW TABLE;
a new entry is created when a flow is first seen. The entry's
packet and byte counters are updated.
- A meter reader may collect data from the flow table at any time.
It may use the 'collect' index to locate the flows to be collected
within the flow table.
packet +------------------+
header | Current Rule Set |
| +--------+---------+
| |
+--------*---------+ +----------*-------------+
| Packet Processor |<----->| Packet Matching Engine |
+--+------------+--+ +------------------------+
| |
Ignore * | Count via flow key
|
+--*--------------+
| 'Search' index |
+--------+--------+
|
+--------*--------+
| |
| Flow Table |
| |
+--------+--------+
|
+--------*--------+
| 'Collect' index |
+--------+--------+
|
*
Meter Reader
Brownlee, et. al. Experimental [Page 16]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
4.2 Flow Table
Every traffic meter maintains a table of TRAFFIC FLOW RECORDS for
flows seen by the meter. A flow record contains attribute values for
its flow, including:
- Addresses for the flow's source and destination. These include
addresses and masks for various network layers (extracted from the
packet), and the number of the interface on which the packet was
observed.
- First and last times when packets were seen for this flow.
- Counts for 'forward' (source to destination) and 'backward'
(destination to source) components of the flow's traffic.
- Other attributes, e.g. state of the flow record (discussed below).
The state of a flow record may be:
- INACTIVE: The flow record is not being used by the meter.
- CURRENT: The record is in use and describes a flow which belongs to
the 'current flow set,' i.e. the set of flows recently seen by the
meter.
- IDLE: The record is in use and the flow which it describes is part
of the current flow set. In addition, no packets belonging to this
flow have been seen for a period specified by the meter's
InactivityTime variable.
4.3 Packet Handling, Packet Matching
Each packet header received by the traffic meter program is processed
as follows:
- Extract attribute values from the packet header and use them to
create a MATCH KEY for the packet.
- Match the packet's key against the current rule set, as explained
in detail below.
The rule set specifies whether the packet is to be counted or
ignored. If it is to be counted the matching process produces a FLOW
KEY for the flow to which the packet belongs. This flow key is used
to find the flow's record in the flow table; if a record does not yet
exist for this flow, a new flow record may be created. The counts
for the matching flow record can then be incremented.
Brownlee, et. al. Experimental [Page 17]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
For example, the rule set could specify that packets to or from any
host in IP network 130.216 are to be counted. It could also specify
that flow records are to be created for every pair of 24-bit (Class
C) subnets within network 130.216.
Each packet's match key is passed to the meter's PATTERN MATCHING
ENGINE (PME) for matching. The PME is a Virtual Machine which uses a
set of instructions called RULES, i.e. a RULE SET is a program for
the PME. A packet's match key contains an interface number, source
address (S) and destination address (D) values. It does not,
however, contain any attribute masks for its attributes, only their
values.
If measured flows were unidirectional, i.e. only counted packets
travelling in one direction, the matching process would be simple.
The PME would be called once to match the packet. Any flow key
produced by a successful match would be used to find the flow's
record in the flow table, and that flow's counters would be updated.
Flows are, however, bidirectional, reflecting the forward and reverse
packets of a protocol interchange or 'session.' Maintaining two sets
of counters in the meter's flow record makes the resulting flow data
much simpler to handle, since analysis programs do not have to gather
together the 'forward' and 'reverse' components of sessions.
Implementing bi-directional flows is, of course, more difficult for
the meter, since it must decide whether a packet is a 'forward'
packet or a 'reverse' one. To make this decision the meter will
often need to invoke the PME twice, once for each possible packet
direction.
The diagram below describes the algorithm used by the traffic meter
to process each packet. Flow through the diagram is from left to
right and top to bottom, i.e. from the top left corner to the bottom
right corner. S indicates the flow's source address (i.e. its set
of source address attribute values) from the packet, and D indicates
its destination address.
There are several cases to consider. These are:
- The packet is recognised as one which is TO BE IGNORED.
- The packet MATCHES IN BOTH DIRECTIONS. One situation in which this
could happen would be a rule set which matches flows within network
X (Source = X, Dest = X) but specifies that flows are to be created
for each subnet within network X, say subnets y and z. If, for
example a packet is seen for y->z, the meter must check that flow
z->y is not already current before creating y->z.
Brownlee, et. al. Experimental [Page 18]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
- The packet MATCHES IN ONE DIRECTION ONLY. If its flow is already
current, its forward or reverse counters are incremented.
Otherwise it is added to the flow table and then counted.
The algorithm uses four functions, as follows:
match(A->B) implements the PME. It uses the meter's current rule set
to match the attribute values in the packet's match key. A->B means
that the assumed source address is A and destination address B, i.e.
that the packet was travelling from A to B. match() returns one of
three results:
'Ignore' means that the packet was matched but this flow is not
to be counted.
'Fail' means that the packet did not match. It might, however
match with its direction reversed, i.e. from B to A.
'Suc' means that the packet did match, i.e. it belongs to a flow
which is to be counted.
current(A->B) succeeds if the flow A-to-B is current - i.e. has
a record in the flow table whose state is Current - and fails
otherwise.
create(A->B) adds the flow A-to-B to the flow table, setting the
value for attributes - such as addresses - which remain constant,
and zeroing the flow's counters.
count(A->B,f) increments the 'forward' counters for flow A-to-B.
count(A->B,r) increments the 'reverse' counters for flow A-to-B.
'Forward' here means the counters for packets travelling from
A to B. Note that count(A->B,f) is identical to count(B->A,r).
Brownlee, et. al. Experimental [Page 19]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
Ignore
--- match(S->D) -------------------------------------------------+
| Suc | Fail |
| | Ignore |
| match(D->S) -----------------------------------------+
| | Suc | Fail |
| | | |
| | +-------------------------------------------+
| | |
| | Suc |
| current(D->S) ---------- count(D->S,r) --------------+
| | Fail |
| | |
| create(D->S) ----------- count(D->S,r) --------------+
| |
| Suc |
current(S->D) ------------------ count(S->D,f) --------------+
| Fail |
| Suc |
current(D->S) ------------------ count(D->S,r) --------------+
| Fail |
| |
create(S->D) ------------------- count(S->D,f) --------------+
|
*
When writing rule sets one must remember that the meter will normally
try to match each packet in both directions. It is particularly
important that the rule set does not contain inconsistencies which
will upset this process.
Consider, for example, a rule set which counts packets from source
network A to destination network B, but which ignores packets from
source network B. This is an obvious example of an inconsistent rule
set, since packets from network B should be counted as reverse
packets for the A-to-B flow.
This problem could be avoided by devising a language for specifying
rule files and writing a compiler for it, thus making it much easier
to produce correct rule sets. Another approach would be to write a
'rule set consistency checker' program, which could detect problems
in hand-written rule sets.
In the short term the best way to avoid these problems is to write
rule sets which only clasify flows in the forward direction, and rely
on the meter to handle reverse-travelling packets.
Brownlee, et. al. Experimental [Page 20]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
4.4 Rules and Rule Sets
A rule set is an array of rules. Rule sets are held within a meter
as entries in an array of rule sets. One member of this array is the
CURRENT RULE SET, in that it is the one which is currently being used
by the meter to classify incoming packets.
Rule set 1 is built in to the meter and cannot be changed. It is run
when the meter is started up, and provides a very coarse reporting
granularity; it is mainly useful for verifying that the meter is
running, before a 'useful' rule set is downloaded to it.
If the meter is instructed to use rule set 0, it will cease
measuring; all packets will be ignored until another (non-zero) rule
set is made current.
Each rule in a rule set is structured as follows:
+-------- test ---------+ +---- action -----+
attribute & mask = value: opcode, parameter;
Opcodes contain two flags: 'goto' and 'test.' The PME maintains a
Boolean indicator called the 'test indicator,' which is initially set
(on). Execution begins with rule 1, the first in the rule set. It
proceeds as follows:
If the test indicator is on:
Perform the test, i.e. AND the attribute value with the
mask and compare it with the value.
If these are equal the test has succeeded; perform the
rule's action (below).
If the test fails execute the next rule in the rule set.
If there are no more rules in the rule set, return from the
match() function indicating failure.
If the test indicator is off, or the test (above) succeeded:
Set the test indicator to this rule's test flag value.
Determine the next rule to execute.
If the opcode has its goto flag set, its parameter value
specifies the number of the next rule.
Opcodes which don't have their goto flags set either
determine the next rule in special ways (Return),
or they terminate execution (Ignore, Fail, Count,
CountPkt).
Perform the action.
Brownlee, et. al. Experimental [Page 21]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
The PME maintains two 'history' data structures. The first, the
'return' stack, simply records the index (i.e. 1-origin rule number)
of each Gosub rule as it is executed; Return rules pop their Gosub
rule index. The second, the 'pattern' queue, is used to save
information for later use in building a flow key. A flow key is
built by zeroing all its attribute values, then copying attribute and
mask information from the pattern stack in the order it was enqueued.
The opcodes are:
opcode goto test
1 Ignore 0 -
2 Fail 0 -
3 Count 0 -
4 CountPkt 0 -
5 Return 0 0
6 Gosub 1 1
7 GosubAct 1 0
8 Assign 1 1
9 AssignAct 1 0
10 Goto 1 1
11 GotoAct 1 0
12 PushRuleTo 1 1
13 PushRuleToAct 1 0
14 PushPktTo 1 1
15 PushPktToAct 1 0
The actions they perform are:
Ignore: Stop matching, return from the match() function
indicating that the packet is to be ignored.
Fail: Stop matching, return from the match() function
indicating failure.
Count: Stop matching. Save this rule's attribute name,
mask and value in the PME's pattern queue, then
construct a flow key for the flow to which this
this packet belongs. Return from the match()
function indicating success. The meter will use
the flow key to locate the flow record for this
packet's flow.
CountPkt: As for Count, except that the masked value from
the packet is saved in the PME's pattern queue
instead of the rule's value.
Brownlee, et. al. Experimental [Page 22]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
Gosub: Call a rule-matching subroutine. Push the current
rule number on the PME's return stack, set the
test indicator then goto the specified rule.
GosubAct: Same as Gosub, except that the test indicator is
cleared before going to the specified rule.
Return: Return from a rule-matching subroutine. Pop the
number of the calling gosub rule from the PME's
'return' stack and add this rule's parameter value
to it to determine the 'target' rule. Clear the
test indicator then goto the target rule.
A subroutine call appears in a rule set as a Gosub
rule followed by a small group of following rules.
Since a Return action clears the test flag, the
action of one of these 'following' rules will be
executed; this allows the subroutine to return a
result (in addition to any information it may save
in the PME's pattern queue).
Assign: Set the attribute specified in this rule to the
value specified in this rule. Set the test
indicator then goto the specified rule.
AssignAct: Same as Assign, except that the test indicator
is cleared before going to the specified rule.
Goto: Set the test indicator then goto the
specified rule.
GotoAct: Clear the test indicator then goto the specified
rule.
PushRuleTo: Save this rule's attribute name, mask and value
in the PME's pattern queue. Set the test
indicator then goto the specified rule.
PushRuleToAct: Same as PushRuleTo, except that the test indicator
is cleared before going to the specified rule.
PushRuleTo actions may be used to save the value
and mask used in a test, or (if the test is not
performed) to save an arbitrary value and mask.
Brownlee, et. al. Experimental [Page 23]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
PushPktTo: Save this rule's attribute name, mask, together
with the masked value from the packet, in the
PME's pattern queue. SET the test indicator then
goto the specified rule.
PushPktToAct: Same as PushPktTo, except that the test indicator
is cleared before going to the specified rule.
PushPktTo actions may be used to save a value from
the packet using a specified mask. The test in
PushPktTo rules will almost never be executed.
As well as the attributes applying directly to packets (such as
SourcePeerAddress, DestTransAddress, etc.) the PME implements
several further attribtes. These are:
Null: Tests performed on the Null attribute always succeed.
v1 .. v5: v1, v2, v3, v4 and v5 are 'meter variables.' They
provide a way to pass parameters into rule-matching
subroutines. Each may hold the name of a normal
attribute; its value is set by an Assign action.
When a meter variable appears as the attribute of a
rule, its value specifies the actual attribute to be
tested. For example, if v1 had been assigned
SourcePeerAddress as its value, a rule with v1 as its
attribute would actually test SourcePeerAddress.
SourceClass, DestClass, FlowClass,
SourceKind, DestKind, FlowKind:
These six attributes may be set by executing PushRuleto
actions. They allow the PME to save (in flow records)
information which has been built up during matching.
Since their values are only defined when matching is
complete (and the flow key is built) their values may
not be tested in rules.
4.5 Maintaining the Flow Table
The flow table may be thought of as a 1-origin array of flow records.
(A particular implementation may, of course, use whatever data
structure is most suitable). When the meter starts up there are no
known flows; all the flow records are in the 'inactive' state.
Each time a packet is seen for a flow which is not in the current
flow set a flow record is set up for it; the state of such a record
is 'current.' When selecting a record for the new flow the meter
searches the flow table for a 'inactive' record - there is no
Brownlee, et. al. Experimental [Page 24]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
particular significance in the ordering of records within the table.
Flow data may be collected by a 'meter reader' at any time. There is
no requirement for collections to be synchronized. The reader may
collect the data in any suitable manner, for example it could upload
a copy of the whole flow table using a file transfer protocol, or it
could read the records in the current flow set row by row using a
suitable data transfer protocol.
The meter keeps information about collections, in particular it
maintains a LastCollectTime variable which remembers the time the
last collection was made. A second variable, InactivityTime,
specifies the minimum time the meter will wait before considering
that a flow is idle.
The meter must recover records used for idle flows, if only to
prevent it running out of flow records. Recovered flow records are
returned to the 'inactive' state. A variety of recovery strategies
are possible, including the following:
One possible recovery strategy is to recover idle flow records as
soon as possible after their data has been collected. To implement
this the meter could run a background process which scans the flow
table looking for 'current' flows whose 'last packet' time is earlier
than the meter's LastCollectTime. This would be suitable for use
when one was interested in measuring flow lifetimes.
Another recovery strategy is to leave idle flows alone as long as
possible, which would be suitable if one was only interested in
measuring total traffic volumes. It could be implemented by having
the meter search for collected idle flows only when it ran out of
'inactive' flow records.
One further factor a meter should consider before recovering a flow
is the number of meter readers which have collected the flow's data.
If there are multiple meter readers operating, network Operations
personnel should be able to specify the minimum number of meters - or
perhaps a specific list of meters - which should collect a flow's
data before its memory can be recovered. This issue will be further
developed in the future.
4.6 Handling Increasing Traffic Levels
Under normal conditions the meter reader specifies which set of usage
records it wants to collect, and the meter provides them.
If memory usage rises above the high-water mark the meter should
switch to a STANDBY RULE SET so as to increase the granularity of
Brownlee, et. al. Experimental [Page 25]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
flow collection and decrease the rate at which new flows are created.
When the manager, usually as part of a regular poll, becomes aware
that the meter is using its standby rule set, it could decrease the
interval between collections. The meter should also increase its
efforts to recover flow memory so as to reduce the number of idle
flows in memory. When the situation returns to normal, the manager
may request the meter to switch back to its normal rule set.
5 Meter Readers
Usage data is accumulated by a meter (e.g. in a router) as memory
permits. It is collected at regular reporting intervals by meter
readers, as specified by a manager. The collected data is recorded
in a disk file called a FLOW DATA FILE, as a sequence of USAGE
RECORDS.
The following sections describe the contents of usage records and
flow data files. Note, however, that at this stage the details of
such records and files is not specified in the architecture.
Specifying a common format for them would be a worthwhile future
development.
5.1 Identifying Flows in Flow Records
Once a packet has been classified and is ready to be counted, an
appropriate flow data record must already exist in the flow table;
otherwise one must be created. The flow record has a flexible format
where unnecessary identification attributes may be omitted. The
determination of which attributes of the flow record to use, and of
what values to put in them, is specified by the current rule set.
Note that the combination of start time, rule set id and subscript
(row number in the flow table) provide a unique flow identifier,
regardless of the values of its other attributes.
The current rule set may specify additional information, e.g. a
computed attribute value such as FlowKind, which is to be placed in
the attribute section of the usage record. That is, if a particular
flow is matched by the rule set, then the corresponding flow record
should be marked not only with the qualifying identification
attributes, but also with the additional information. Using this
feature, several flows may each carry the same FlowKind value, so
that the resulting usage records can be used in post-processing or
between meter reader and meter as a criterion for collection.
Brownlee, et. al. Experimental [Page 26]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
5.2 Usage Records, Flow Data Files
The collected usage data will be stored in flow data files on the
meter reader, one file for each meter. As well as containing the
measured usage data, flow data files must contain information
uniquely identifiying the meter from which it was collected.
A USAGE RECORD contains the descriptions of and values for one or
more flows. Quantities are counted in terms of number of packets and
number of bytes per flow. Each usage record contains the entity
identifier of the meter (a network address), a time stamp and a list
of reported flows (FLOW DATA RECORDS). A meter reader will build up a
file of usage records by regularly collecting flow data from a meter,
using this data to build usage records and concatenating them to the
tail of a file. Such a file is called a FLOW DATA FILE.
A usage record contains the following information in some form:
+-------------------------------------------------------------------+
| RECORD IDENTIFIERS: |
| Meter Id (& digital signature if required) |
| Timestamp |
| Collection Rules ID |
+-------------------------------------------------------------------+
| FLOW IDENTIFIERS: | COUNTERS |
| Address List | Packet Count |
| Subscriber ID (Optional) | Byte Count |
| Attributes (Optional) | Flow Start/Stop Time |
+-------------------------------------------------------------------+
5.3 Meter to Meter Reader: Usage Record Transmission
The usage record contents are the raison d'etre of the system. The
accuracy, reliability, and security of transmission are the primary
concerns of the meter/meter reader exchange. Since errors may occur
on networks, and Internet packets may be dropped, some mechanism for
ensuring that the usage information is transmitted intact is needed.
Flow data is moved from meter to meter reader via a series of
protocol exchanges between them. This may be carried out in various
ways, moving individual attribute values, complete flows, or the
entire flow table (i.e. all the active flows). One possible method
of achieving this transfer is to use SNMP; the 'Traffic Flow
Measurement: Meter MIB' document [4] gives details. Note that this
is simply one example; the transfer of flow data from meter to meter
reader is not specified in this document.
Brownlee, et. al. Experimental [Page 27]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
The reliability of the data transfer method under light, normal, and
extreme network loads should be understood before selecting among
collection methods.
In normal operation the meter will be running a rule file which
provides the required degree of flow reporting granularity, and the
meter reader(s) will collect the flow data often enough to allow the
meter's garbage collection mechanism to maintain a stable level of
memory usage.
In the worst case traffic may increase to the point where the meter
is in danger of running completely out of flow memory. The meter
implementor must decide how to handle this, for example by switching
to a default (extremely coarse granularity) rule set, by sending a
trap to the manager, or by attempting to dump flow data to the meter
reader.
Users of the Traffic Flow Measurement system should analyse their
requirements carefully and assess for themselves whether it is more
important to attempt to collect flow data at normal granularity
(increasing the collection frequency as needed to keep up with
traffic volumes), or to accept flow data with a coarser granularity.
Similarly, it may be acceptable to lose flow data for a short time in
return for being sure that the meter keeps running properly, i.e. is
not overwhelmed by rising traffic levels.
6 Managers
A manager configures meters and controls meter readers. It does this
via the interactions described below.
6.1 Between Manager and Meter: Control Functions
- DOWNLOAD RULE SET: A meter may hold an array of rule sets. One of
these, the 'default' rule set, is built in to the meter and cannot
be changed; the others must be downloaded by the manager. A
manager may use any suitable protocol exchange to achieve this, for
example an FTP file transfer or a series of SNMP SETs, one for each
row of the rule set.
- SWITCH TO SPECIFIED RULE SET: Once the rule sets have been
downloaded, the manager must instruct the meter which rule set it
is to actually run (i.e. which is to be the current rule set), and
which is to be the standby rule set.
- SET HIGH WATER MARK: A percentage value interpreted by the meter
which tells the meter when to switch to its standby rule set, so as
to increase the granularity of the flows and conserve the meter's
Brownlee, et. al. Experimental [Page 28]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
flow memory. Once this has happened, the manager may also change
the polling frequency or the meter's control parameters (so as to
increase the rate at which the meter can recover memory from idle
flows).
If the high traffic levels persist, the meter's normal rule set may
have to be rewritten to permanently reduce the reporting
granularity.
- SET FLOW TERMINATION PARAMETERS: The meter should have the good
sense in situations where lack of resources may cause data loss to
purge flow records from its tables. Such records may include:
- Flows that have already been reported to at least one meter
reader, and show no activity since the last report,
- Oldest flows, or
- Flows with the smallest number of unreported packets.
- SET INACTIVITY TIMEOUT: This is a time in seconds since the last
packet was seen for a flow. Flow records may be reclaimed if they
have been idle for at least this amount of time, and have been
collected in accordance with the current collection criteria.
6.2 Between Manager and Meter Reader: Control Functions
Because there are a number of parameters that must be set for traffic
flow measurement to function properly, and viable settings may change
as a result of network traffic characteristics, it is desirable to
have dynamic network management as opposed to static meter
configurations. Many of these operations have to do with space
tradeoffs - if memory at the meter is exhausted, either the reporting
interval must be decreased or a coarser granularity of aggregation
must be used so that more data fits into less space.
Increasing the reporting interval effectively stores data in the
meter; usage data in transit is limited by the effective bandwidth of
the virtual link between the meter and the meter reader, and since
these limited network resources are usually also used to carry user
data (the purpose of the network), the level of traffic flow
measurement traffic should be kept to an affordable fraction of the
bandwidth. ("Affordable" is a policy decision made by the network
Operations personnel). At any rate, it must be understood that the
operations below do not represent the setting of independent
variables; on the contrary, each of the values set has a direct and
measurable effect on the behaviour of the other variables.
Brownlee, et. al. Experimental [Page 29]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
Network management operations follow:
- MANAGER and METER READER IDENTIFICATION: The manager should ensure
that meters report to the correct set of collection stations, and
take steps to prevent unauthorised access to usage information.
The collection stations so identified should be prepared to poll if
necessary and accept data from the appropriate meters. Alternate
collection stations may be identified in case both the primary
manager and the primary collection station are unavailable.
Similarly, alternate managers may be identified.
- REPORTING INTERVAL CONTROL: The usual reporting interval should be
selected to cope with normal traffic patterns. However, it may be
possible for a meter to exhaust its memory during traffic spikes
even with a correctly set reporting interval. Some mechanism must
be available for the meter to tell the manager that it is in danger
of exhausting its memory (by declaring a 'high water' condition),
and for the manager to arbitrate (by decreasing the polling
interval, letting nature take its course, or by telling the meter
to ask for help sooner next time).
- GRANULARITY CONTROL: Granularity control is a catch-all for all the
parameters that can be tuned and traded to optimise the system's
ability to reliably measure and store information on all the
traffic (or as close to all the traffic as an administration
requires). Granularity
- Controls flow-id granularities for each interface, and
- Determines the number of buckets into which user traffic will
be lumped together.
Since granularity is controlled by the meter's current rule set,
the manager can only change it by requesting the meter to switch to
a different rule set. The new rule set could be downloaded when
required, or it could have been downloaded as part of the meter's
initial configuration.
- FLOW LIFETIME CONTROL: Flow termination parameters include timeout
parameters for obsoleting inactive flows and removing them from
tables and maximum flow lifetimes. This is intertwined with
reporting interval and granularity, and must be set in accordance
with the other parameters.
Brownlee, et. al. Experimental [Page 30]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
6.3 Exception Conditions
Exception conditions must be handled, particularly occasions when the
meter runs out of buffer space. Since, to prevent counting any
packet twice, packets can only be counted in a single flow at any
given time, discarding records will result in the loss of
information. The mechanisms to deal with this are as follows:
- METER OUTAGES: In case of impending meter outages (controlled
crashes, etc.) the meter could send a trap to the manager. The
manager could then request one or more meter readers to pick up the
usage record from the meter.
Following an uncontrolled meter outage such as a power failure, the
meter could send a trap to the manager indicating that it has
restarted. The manager could then download the meter's correct
rule set and advise the meter reader(s) that the meter is running
again. Alternatively, the meter reader may discover from its
regular poll that a meter has failed and restarted. It could then
advise the manager of this, instead of relying on a trap from the
meter.
- METER READER OUTAGES: If the collection system is down or isolated,
the meter should try to inform the manager of its failure to
communicate with the collection system. Usage data is maintained
in the flows' rolling counters, and can be recovered when the meter
reader is restarted.
- MANAGER OUTAGES: If the manager fails for any reason, the meter
should continue measuring and the meter reader(s) should keep
gathering usage records.
- BUFFER PROBLEMS: The network manager may realise that there is a
'low memory' condition in the meter. This can usually be
attributed to the interaction between the following controls:
- The reporting interval is too infrequent,
- The reporting granularity is too fine, or
- The throughput/bandwidth of circuits carrying the usage
data is too low.
The manager may change any of these parameters in response to the
meter (or meter reader's) plea for help.
Brownlee, et. al. Experimental [Page 31]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
6.4 Standard Rule Sets
Although the rule table is a flexible tool, it can also become very
complex. It may be helpful to develop some rule sets for common
applications:
- PROTOCOL TYPE: The meter records packets by protocol type. This
will be the default rule table for Traffic Flow Meters.
- ADJACENT SYSTEMS: The meter records packets by the MAC address of
the Adjacent Systems (neighbouring originator or next-hop).
(Variants on this table are "report source" or "report sink" only.)
This strategy might be used by a regional or backbone network which
wants to know how much aggregate traffic flows to or from its
subscriber networks.
- END SYSTEMS: The meter records packets by the IP address pair
contained in the packet. (Variants on this table are "report
source" or "report sink" only.) This strategy might be used by an
End System network to get detailed host traffic matrix usage data.
- TRANSPORT TYPE: The meter records packets by transport address; for
IP packets this provides usage information for the various IP
services.
- HYBRID SYSTEMS: Combinations of the above, e.g. for one interface
report End Systems, for another interface report Adjacent Systems.
This strategy might be used by an enterprise network to learn
detail about local usage and use an aggregate count for the shared
regional network.
Brownlee, et. al. Experimental [Page 32]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
7 APPENDICES
7.1 Appendix A: Network Characterisation
Internet users have extraordinarily diverse requirements. Networks
differ in size, speed, throughput, and processing power, among other
factors. There is a range of traffic flow measurement capabilities
and requirements. For traffic flow measurement purposes, the
Internet may be viewed as a continuum which changes in character as
traffic passes through the following representative levels:
International |
Backbones/National ---------------
/ \
Regional/MidLevel ---------- ----------
/ \ \ / / \
Stub/Enterprise --- --- --- ---- ----
||| ||| ||| |||| ||||
End-Systems/Hosts xxx xxx xxx xxxx xxxx
Note that mesh architectures can also be built out of these
components, and that these are merely descriptive terms. The nature
of a single network may encompass any or all of the descriptions
below, although some networks can be clearly identified as a single
type.
BACKBONE networks are typically bulk carriers that connect other
networks. Individual hosts (with the exception of network management
devices and backbone service hosts) typically are not directly
connected to backbones.
REGIONAL networks are closely related to backbones, and differ only
in size, the number of networks connected via each port, and
geographical coverage. Regionals may have directly connected hosts,
acting as hybrid backbone/stub networks. A regional network is a
SUBSCRIBER to the backbone.
STUB/ENTERPRISE networks connect hosts and local area networks.
STUB/ENTERPRISE networks are SUBSCRIBERS to regional and backbone
networks.
END SYSTEMS, colloquially HOSTS, are SUBSCRIBERS to any of the above
networks.
Providing a uniform identification of the SUBSCRIBER in finer
granularity than that of end-system, (e.g. user/account), is beyond
the scope of the current architecture, although an optional attribute
Brownlee, et. al. Experimental [Page 33]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
in the traffic flow measurement record may carry system-specific
"accountable (billable) party" labels so that meters can implement
proprietary or non-standard schemes for the attribution of network
traffic to responsible parties.
7.2 Appendix B: Recommended Traffic Flow Measurement Capabilities
Initial recommended traffic flow measurement conventions are outlined
here according to the following Internet building blocks. It is
important to understand what complexity reporting introduces at each
network level. Whereas the hierarchy is described top-down in the
previous section, reporting requirements are more easily addressed
bottom-up.
End-Systems
Stub Networks
Enterprise Networks
Regional Networks
Backbone Networks
END-SYSTEMS are currently responsible for allocating network usage to
end-users, if this capability is desired. From the Internet Protocol
perspective, end-systems are the finest granularity that can be
identified without protocol modifications. Even if a meter violated
protocol boundaries and tracked higher-level protocols, not all
packets could be correctly allocated by user, and the definition of
user itself varies too widely from operating system to operating
system (e.g. how to trace network usage back to users from shared
processes).
STUB and ENTERPRISE networks will usually collect traffic data either
by end- system network address or network address pair if detailed
reporting is required in the local area network. If no local
reporting is required, they may record usage information in the exit
router to track external traffic only. (These are the only networks
which routinely use attributes to perform reporting at granularities
finer than end-system or intermediate-system network address.)
REGIONAL networks are intermediate networks. In some cases,
subscribers will be enterprise networks, in which case the
intermediate system network address is sufficient to identify the
regional's immediate subscriber. In other cases, individual hosts or
a disjoint group of hosts may constitute a subscriber. Then end-
system network address pairs need to be tracked for those
subscribers. When the source may be an aggregate entity (such as a
network, or adjacent router representing traffic from a world of
hosts beyond) and the destination is a singular entity (or vice
versa), the meter is said to be operating as a HYBRID system.
Brownlee, et. al. Experimental [Page 34]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
At the regional level, if the overhead is tolerable it may be
advantageous to report usage both by intermediate system network
address (e.g. adjacent router address) and by end-system network
address or end-system network address pair.
BACKBONE networks are the highest level networks operating at higher
link speeds and traffic levels. The high volume of traffic will in
most cases preclude detailed traffic flow measurement. Backbone
networks will usually account for traffic by adjacent routers'
network addresses.
7.3 Appendix C: List of Defined Flow Attributes
This Appendix provides a checklist of the attributes defined to date;
others will be added later as the Traffic Measurement Architecture is
further developed.
0 Null
1 Flow Subscript Integer Flow table info
2 Flow Status Integer
4 Source Interface Integer Source Address
5 Source Adjacent Type Integer
6 Source Adjacent Address String
7 Source Adjacent Mask String
8 Source Peer Type Integer
9 Source Peer Address String
10 Source Peer Mask String
11 Source Trans Type Integer
12 Source Trans Address String
13 Source Trans Mask String
14 Destination Interface Integer Destination Address
15 Destination Adjacent Type Integer
16 Destination Adjacent Address String
17 Destination AdjacentMask String
18 Destination PeerType Integer
19 Destination PeerAddress String
20 Destination PeerMask String
21 Destination TransType Integer
22 Destination TransAddress String
23 Destination TransMask String
24 Packet Scale Factor Integer 'Other' attributes
25 Byte Scale Factor Integer
26 Rule Set Number Integer
27 Forward Bytes Counter Source-to-Dest counters
28 Forward Packets Counter
Brownlee, et. al. Experimental [Page 35]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
29 Reverse Bytes Counter Dest-to-Source counters
30 Reverse Packets Counter
31 First Time TimeTicks Activity times
32 Last Active Time TimeTicks
33 Source Subscriber ID String Session attributes
34 Destination Subscriber ID String
35 Session ID String
36 Source Class Integer 'Computed' attributes
37 Destination Class Integer
38 Flow Class Integer
39 Source Kind Integer
40 Destination Kind Integer
41 Flow Kind Integer
51 V1 Integer Meter variables
52 V2 Integer
53 V3 Integer
54 V4 Integer
55 V5 Integer
7.4 Appendix D: List of Meter Control Variables
Current Rule Set Number Integer
Standby Rule Set Number Integer
High Water Mark Percentage
Flood Mark Percentage
Inactivity Timeout (seconds) Integer
Last Collect Time TimeTicks
8 Acknowledgments
This document was initially produced under the auspices of the IETF's
Internet Accounting Working Group with assistance from SNMP, RMON and
SAAG working groups. This version documents the implementation work
done by the Internet Accounting Working Group, and is intended to
provide a starting point for the Realtime Traffic Flow Measurement
Working Group. Particular thanks are due to Stephen Stibler (IBM
Research) for his patient and careful comments during the preparation
of this memo.
Brownlee, et. al. Experimental [Page 36]
RFC 2063 Traffic Flow Measurement: Architecture January 1997
9 References
[1] Mills, C., Hirsch, G. and G. Ruth, "Internet Accounting
Background", RFC 1272, Bolt Beranek and Newman Inc., Meridian
Technology Corporation, November 1991.
[2] International Standards Organisation (ISO), "Management
Framework," Part 4 of Information Processing Systems Open
Systems Interconnection Basic Reference Model, ISO 7498-4,
1994.
[3] IEEE 802.3/ISO 8802-3 Information Processing Systems -
Local Area Networks - Part 3: Carrier sense multiple access
with collision detection (CSMA/CD) access method and physical
layer specifications, 2nd edition, September 21, 1990.
[4] Brownlee, N., "Traffic Flow Measurement: Meter MIB",
RFC 2064, The University of Auckland, January 1997.
10 Security Considerations
Security issues are not discussed in detail in this document. The
meter's management and collection protocols are responsible for
providing sufficient data integrity and confidentiality.
11 Authors' Addresses
Nevil Brownlee
Information Technology Systems & Services
The University of Auckland
Phone: +64 9 373 7599 x8941
EMail: n.brownlee @auckland.ac.nz
Cyndi Mills
BBN Systems and Technologies
Phone: +1 617 873 4143
EMail: cmills@bbn.com
Greg Ruth
GTE Laboratories, Inc
Phone: +1 617 466 2448
EMail: gruth@gte.com
Brownlee, et. al. Experimental [Page 37]