< draft-ietf-rtfm-architecture-07.txt   draft-ietf-rtfm-architecture-08.txt >
Internet Engineering Task Force Nevil Brownlee Internet Engineering Task Force Nevil Brownlee
INTERNET-DRAFT The University of Auckland INTERNET-DRAFT The University of Auckland
Cyndi Mills Cyndi Mills
GTE Laboratories, Inc GTE Laboratories, Inc
Greg Ruth Greg Ruth
GTE Laboratories, Inc GTE Internteworking
June 99 August 1999
Expires December 99 Expires February 2000
Traffic Flow Measurement: Architecture Traffic Flow Measurement: Architecture
<draft-ietf-rtfm-architecture-07.txt> <draft-ietf-rtfm-architecture-08.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with all This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026. provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts. may also distribute working documents as Internet-Drafts.
skipping to change at page 2, line ? skipping to change at page 2, line ?
This Internet Draft is a product of the Realtime Traffic Flow This Internet Draft is a product of the Realtime Traffic Flow
Measurement Working Group of the IETF. Measurement Working Group of the IETF.
Abstract Abstract
This document provides a general framework for describing network This document provides a general framework for describing network
traffic flows, presents an architecture for traffic flow measurement and traffic flows, presents an architecture for traffic flow measurement and
reporting, discusses how this relates to an overall network traffic flow reporting, discusses how this relates to an overall network traffic flow
architecture and indicates how it can be used within the Internet. architecture and indicates how it can be used within the Internet.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
Contents Contents
1 Statement of Purpose and Scope 2 1 Statement of Purpose and Scope 3
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1 Introduction . . . .. . . . . . . . . . . . . . . . . . . . . 3
2 Traffic Flow Measurement Architecture 4 2 Traffic Flow Measurement Architecture 5
2.1 Meters and Traffic Flows . . . . . . . . . . . . . . . . . . . 4 2.1 Meters and Traffic Flows .. . . . . . . . . . . . . . . . . 5
2.2 Interaction Between METER and METER READER . . . . . . . . . . 6 2.2 Interaction Between METER and METER READER . . . . . . . . . 7
2.3 Interaction Between MANAGER and METER . . . . . . . . . . . . 6 2.3 Interaction Between MANAGER and METER . . . . . . . . . . . . 7
2.4 Interaction Between MANAGER and METER READER . . . . . . . . . 7 2.4 Interaction Between MANAGER and METER READER . . . . . . . . 8
2.5 Multiple METERs or METER READERs . . . . . . . . . . . . . . . 8 2.5 Multiple METERs or METER READERs . . . . . . . . . . . . . . 9
2.6 Interaction Between MANAGERs (MANAGER - MANAGER) . . . . . . . 9 2.6 Interaction Between MANAGERs (MANAGER - MANAGER) . . . . . . 10
2.7 METER READERs and APPLICATIONs . . . . . . . . . . . . . . . . 9 2.7 METER READERs and APPLICATIONs . . . . . . . . . . . . . . . 10
3 Traffic Flows and Reporting Granularity 9 3 Traffic Flows and Reporting Granularity 10
3.1 Flows and their Attributes . . . . . . . . . . . . . . . . . . 10 3.1 Flows and their Attributes . . . . . . . . . . . . . . . . . 10
3.2 Granularity of Flow Measurements . . . . . . . . . . . . . . . 12 3.2 Granularity of Flow Measurements . . . . . . . . . . . . . . 13
3.3 Rolling Counters, Timestamps, Report-in-One-Bucket-Only . . . 14 3.3 Rolling Counters, Timestamps, Report-in-One-Bucket-Only . . . 14
4 Meters 16 4 Meters 16
4.1 Meter Structure . . . . . . . . . . . . . . . . . . . . . . . 16 4.1 Meter Structure . . . . . .. . . . . . . . . . . . . . . . . 17
4.2 Flow Table . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4.2 Flow Table . . . .. . . . . . . . . . . . . . . . . . . . . . 19
4.3 Packet Handling, Packet Matching . . . . . . . . . . . . . . . 18 4.3 Packet Handling, Packet Matching . . . . . . . . . . . . . . 19
4.4 Rules and Rule Sets . . . . . . . . . . . . . . . . . . . . . 22 4.4 Rules and Rule Sets . . . .. . . . . . . . . . . . . . . . . 23
4.5 Maintaining the Flow Table . . . . . . . . . . . . . . . . . . 27 4.5 Maintaining the Flow Table . . . . . . . . . . . . . . . . . 28
4.6 Handling Increasing Traffic Levels . . . . . . . . . . . . . . 28 4.6 Handling Increasing Traffic Levels . . . . . . . . . . . . . 29
5 Meter Readers 28 5 Meter Readers 29
5.1 Identifying Flows in Flow Records . . . . . . . . . . . . . . 29 5.1 Identifying Flows in Flow Records . . . . . . . . . . . . . . 30
5.2 Usage Records, Flow Data Files . . . . . . . . . . . . . . . . 29 5.2 Usage Records, Flow Data Files . . . . . . . . . . . . . . . 30
5.3 Meter to Meter Reader: Usage Record Transmission . . . . . . . 30 5.3 Meter to Meter Reader: Usage Record Transmission . . . . . . 31
6 Managers 31 6 Managers 32
6.1 Between Manager and Meter: Control Functions . . . . . . . . . 31 6.1 Between Manager and Meter: Control Functions . . . . . . . . 32
6.2 Between Manager and Meter Reader: Control Functions . . . . . 32 6.2 Between Manager and Meter Reader: Control Functions . . . . 33
6.3 Exception Conditions . . . . . . . . . . . . . . . . . . . . . 33 6.3 Exception Conditions . . . .. . . . . . . . . . . . . . . . . 34
6.4 Standard Rule Sets . . . . . . . . . . . . . . . . . . . . . . 34 6.4 Standard Rule Sets . . . .. . . . . . . . . . . . . . . . . . 35
7 Security Considerations 35 7 Security Considerations 36
7.1 Threat Analysis . . . . . . . . . . . . . . . . . . . . . . . 35 7.1 Threat Analysis . . . . . .. . . . . . . . . . . . . . . . . 36
7.2 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 36 7.2 Countermeasures . . . . . .. . . . . . . . . . . . . . . . . 37
8 IANA Considerations 38 8 IANA Considerations 38
8.1 PME Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . 38 8.1 PME Opcodes . . . . . . . .. . . . . . . . . . . . . . . . . 38
8.2 RTFM Attributes . . . . . . . . . . . . . . . . . . . . . . . 38 8.2 RTFM Attributes . . . . . .. . . . . . . . . . . . . . . . . 39
9 APPENDICES 39 9 APPENDICES 40
9.1 Appendix A: Network Characterisation . . . . . . . . . . . . 39 9.1 Appendix A: Network Characterisation . . . . . . . . . . . . 40
9.2 Appendix B: Recommended Traffic Flow Measurement Capabilities 40 9.2 Appendix B: Recommended Traffic Flow Measurement Capabilities 41
9.3 Appendix C: List of Defined Flow Attributes . . . . . . . . . 41 9.3 Appendix C: List of Defined Flow Attributes . . . . . . . . . 42
9.4 Appendix D: List of Meter Control Variables . . . . . . . . . 42
9.5 Appendix E: Changes Introduced Since RFC 2063 . . . . . . . . 43
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
10 Acknowledgments 43 9.4 Appendix D: List of Meter Control Variables . . . . . . . . . 43
9.5 Appendix E: Changes Introduced Since RFC 2063 . . . . . . . . 44
10 Acknowledgments 44
11 References 44 11 References 44
12 Author's Addresses 44 12 Author's Addresses 45
1 Statement of Purpose and Scope 1 Statement of Purpose and Scope
1.1 Introduction 1.1 Introduction
This document describes an architecture for traffic flow measurement and This document describes an architecture for traffic flow measurement and
reporting for data networks which has the following characteristics: reporting for data networks which has the following characteristics:
- The traffic flow model can be consistently applied to any protocol, - The traffic flow model can be consistently applied to any protocol,
using address attributes in any combination at the 'adjacent' (see using address attributes in any combination at the 'adjacent' (see
below), network and transport layers of the networking stack. below), network and transport layers of the networking stack.
- Traffic flow attributes are defined in such a way that they are - Traffic flow attributes are defined in such a way that they are
valid for multiple networking protocol stacks, and that traffic valid for multiple networking protocol stacks, and that traffic
skipping to change at page 4, line 5 skipping to change at page 4, line 5
'Adjacent' (as used above) is a layer-neutral term for the next layer 'Adjacent' (as used above) is a layer-neutral term for the next layer
down in a particular instantiation of protocol layering. Although down in a particular instantiation of protocol layering. Although
'adjacent' will usually imply the link layer (MAC addresses), it does 'adjacent' will usually imply the link layer (MAC addresses), it does
not implicitly advocate or dismiss any particular form of tunnelling or not implicitly advocate or dismiss any particular form of tunnelling or
layering. layering.
The architecture specifies common metrics for measuring traffic flows. The architecture specifies common metrics for measuring traffic flows.
By using the same metrics, traffic flow data can be exchanged and By using the same metrics, traffic flow data can be exchanged and
compared across multiple platforms. Such data is useful for: compared across multiple platforms. Such data is useful for:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- Understanding the behaviour of existing networks, - Understanding the behaviour of existing networks,
- Planning for network development and expansion, - Planning for network development and expansion,
- Quantification of network performance, - Quantification of network performance,
- Verifying the quality of network service, and - Verifying the quality of network service, and
- Attribution of network usage to users. - Attribution of network usage to users.
skipping to change at page 4, line 34 skipping to change at page 4, line 34
In principle one might define address attributes for higher layers, but In principle one might define address attributes for higher layers, but
it would be very difficult to do this in a general way. However, if an it would be very difficult to do this in a general way. However, if an
RTFM traffic meter were implemented within an application server (where RTFM traffic meter were implemented within an application server (where
it had direct access to application-specific usage information), it it had direct access to application-specific usage information), it
would be possible to use the rest of the rtfm architecture to collect would be possible to use the rest of the rtfm architecture to collect
application-specific information. Use of the same model for both application-specific information. Use of the same model for both
network- and application-level measurement in this way could simplify network- and application-level measurement in this way could simplify
the development of generic analysis applications which process and/or the development of generic analysis applications which process and/or
correlate both traffic and usage information. Experimental work in this correlate both traffic and usage information. Experimental work in this
area is described in the RTFM 'New Attributes' document [1]. area is described in the RTFM 'New Attributes' document [RTFM-NEW].
This document is not a protocol specification. It specifies and This document is not a protocol specification. It specifies and
structures the information that a traffic flow measurement system needs structures the information that a traffic flow measurement system needs
to collect, describes requirements that such a system must meet, and to collect, describes requirements that such a system must meet, and
outlines tradeoffs which may be made by an implementor. outlines tradeoffs which may be made by an implementor.
For performance reasons, it may be desirable to use traffic information For performance reasons, it may be desirable to use traffic information
gathered through traffic flow measurement in lieu of network statistics gathered through traffic flow measurement in lieu of network statistics
obtained in other ways. Although the quantification of network obtained in other ways. Although the quantification of network
performance is not the primary purpose of this architecture, the performance is not the primary purpose of this architecture, the
skipping to change at page 5, line 5 skipping to change at page 5, line 5
A cost recovery structure decides "who pays for what." The major issue A cost recovery structure decides "who pays for what." The major issue
here is how to construct a tariff (who gets billed, how much, for which here is how to construct a tariff (who gets billed, how much, for which
things, based on what information, etc). Tariff issues include things, based on what information, etc). Tariff issues include
fairness, predictability (how well can subscribers forecast their fairness, predictability (how well can subscribers forecast their
network charges), practicality (of gathering the data and administering network charges), practicality (of gathering the data and administering
the tariff), incentives (e.g. encouraging off-peak use), and cost the tariff), incentives (e.g. encouraging off-peak use), and cost
recovery goals (100% recovery, subsidisation, profit making). Issues recovery goals (100% recovery, subsidisation, profit making). Issues
such as these are not covered here. such as these are not covered here.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
Background information explaining why this approach was selected is Background information explaining why this approach was selected is
provided by the 'Internet Accounting Background' RFC [2]. provided by the 'Internet Accounting Background' RFC [ACT-BKG].
2 Traffic Flow Measurement Architecture 2 Traffic Flow Measurement Architecture
A traffic flow measurement system is used by Network Operations A traffic flow measurement system is used by Network Operations
personnel to aid in managing and developing a network. It provides a personnel to aid in managing and developing a network. It provides a
tool for measuring and understanding the network's traffic flows. This tool for measuring and understanding the network's traffic flows. This
information is useful for many purposes, as mentioned in section 1 information is useful for many purposes, as mentioned in section 1
(above). (above).
The following sections outline a model for traffic flow measurement, The following sections outline a model for traffic flow measurement,
which draws from working drafts of the OSI accounting model [3]. which draws from working drafts of the OSI accounting model [OSI-ACT].
2.1 Meters and Traffic Flows 2.1 Meters and Traffic Flows
At the heart of the traffic measurement model are network entities At the heart of the traffic measurement model are network entities
called traffic METERS. Meters observe packets as they pass by a single called traffic METERS. Meters observe packets as they pass by a single
point on their way through the network and classify them into certain point on their way through the network and classify them into certain
groups. For each such group a meter will accumulate certain attributes, groups. For each such group a meter will accumulate certain attributes,
for example the numbers of packets and bytes observed for the group. for example the numbers of packets and bytes observed for the group.
These METERED TRAFFIC GROUPS may correspond to a user, a host system, a These METERED TRAFFIC GROUPS may correspond to a user, a host system, a
network, a group of networks, a particular transport address (e.g. an network, a group of networks, a particular transport address (e.g. an IP
IP port number), any combination of the above, etc, depending on the port number), any combination of the above, etc, depending on the
meter's configuration. meter's configuration.
We assume that routers or traffic monitors throughout a network are We assume that routers or traffic monitors throughout a network are
instrumented with meters to measure traffic. Issues surrounding the instrumented with meters to measure traffic. Issues surrounding the
choice of meter placement are discussed in the 'Internet Accounting choice of meter placement are discussed in the 'Internet Accounting
Background' RFC [2]. An important aspect of meters is that they provide Background' RFC [ACT-BKG]. An important aspect of meters is that they
a way of succinctly aggregating traffic information. provide a way of succinctly aggregating traffic information.
For the purpose of traffic flow measurement we define the concept of a For the purpose of traffic flow measurement we define the concept of a
TRAFFIC FLOW, which is like an artificial logical equivalent to a call TRAFFIC FLOW, which is like an artificial logical equivalent to a call
or connection. A flow is a portion of traffic, delimited by a start and or connection. A flow is a portion of traffic, delimited by a start and
stop time, that belongs to one of the metered traffic groups mentioned stop time, that belongs to one of the metered traffic groups mentioned
above. Attribute values (source/destination addresses, packet counts, above. Attribute values (source/destination addresses, packet counts,
byte counts, etc.) associated with a flow are aggregate quantities byte counts, etc.) associated with a flow are aggregate quantities
reflecting events which take place in the DURATION between the start and reflecting events which take place in the DURATION between the start and
stop times. The start time of a flow is fixed for a given flow; the stop times. The start time of a flow is fixed for a given flow; the
stop time may increase with the age of the flow. stop time may increase with the age of the flow.
For connectionless network protocols such as IP there is by definition For connectionless network protocols such as IP there is by definition
no way to tell whether a packet with a particular source/destination no way to tell whether a packet with a particular source/destination
combination is part of a stream of packets or not - each packet is combination is part of a stream of packets or not - each packet is
completely independent. A traffic meter has, as part of its completely independent. A traffic meter has, as part of its
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
configuration, a set of 'rules' which specify the flows of interest, in configuration, a set of 'rules' which specify the flows of interest, in
terms of the values of their attributes. It derives attribute values terms of the values of their attributes. It derives attribute values
from each observed packet, and uses these to decide which flow they from each observed packet, and uses these to decide which flow they
belong to. Classifying packets into 'flows' in this way provides an belong to. Classifying packets into 'flows' in this way provides an
economical and practical way to measure network traffic and subdivide it economical and practical way to measure network traffic and subdivide it
into well-defined groups. into well-defined groups.
Usage information which is not derivable from traffic flows may also be Usage information which is not derivable from traffic flows may also be
of interest. For example, an application may wish to record accesses to of interest. For example, an application may wish to record accesses to
skipping to change at page 7, line 5 skipping to change at page 7, line 5
- METER: Meters are placed at measurement points determined by - METER: Meters are placed at measurement points determined by
Network Operations personnel. Each meter selectively records Network Operations personnel. Each meter selectively records
network activity as directed by its configuration settings. It can network activity as directed by its configuration settings. It can
also aggregate, transform and further process the recorded activity also aggregate, transform and further process the recorded activity
before the data is stored. The processed and stored results are before the data is stored. The processed and stored results are
called the 'usage data.' called the 'usage data.'
- METER READER: A meter reader transports usage data from meters so - METER READER: A meter reader transports usage data from meters so
that it is available to analysis applications. that it is available to analysis applications.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- ANALYSIS APPLICATION: An analysis application processes the usage - ANALYSIS APPLICATION: An analysis application processes the usage
data so as to provide information and reports which are useful for data so as to provide information and reports which are useful for
network engineering and management purposes. Examples include: network engineering and management purposes. Examples include:
- TRAFFIC FLOW MATRICES, showing the total flow rates for many of -TRAFFIC FLOW MATRICES, showing the total flow rates for many of
the possible paths within an internet. the possible paths within an internet.
- FLOW RATE FREQUENCY DISTRIBUTIONS, summarizing flow rates over -FLOW RATE FREQUENCY DISTRIBUTIONS, summarizing flow rates over
a period of time. a period of time.
- USAGE DATA showing the total traffic volumes sent and received -USAGE DATA showing the total traffic volumes sent and received
by particular hosts. by particular hosts.
The operation of the traffic measurement system as a whole is best The operation of the traffic measurement system as a whole is best
understood by considering the interactions between its components. understood by considering the interactions between its components.
These are described in the following sections. These are described in the following sections.
2.2 Interaction Between METER and METER READER 2.2 Interaction Between METER and METER READER
The information which travels along this path is the usage data itself. The information which travels along this path is the usage data itself.
A meter holds usage data in an array of flow data records known as the A meter holds usage data in an array of flow data records known as the
FLOW TABLE. A meter reader may collect the data in any suitable manner. FLOW TABLE. A meter reader may collect the data in any suitable manner.
For example it might upload a copy of the whole flow table using a file For example it might upload a copy of the whole flow table using a file
transfer protocol, or read the records in the current flow set one at a transfer protocol, or read the records in the current flow set one at a
time using a suitable data transfer protocol. Note that the meter time using a suitable data transfer protocol. Note that the meter
reader need not read complete flow data records, a subset of their reader need not read complete flow data records, a subset of their
attribute values may well be sufficient. attribute values may well be sufficient.
A meter reader may collect usage data from one or more meters. Data may A meter reader may collect usage data from one or more meters. Data may
be collected from the meters at any time. There is no requirement for be collected from the meters at any time. There is no requirement for
collections to be synchronized in any way. collections to be synchronized in any way.
2.3 Interaction Between MANAGER and METER 2.3 Interaction Between MANAGER and METER
A manager is responsible for configuring and controlling one or more A manager is responsible for configuring and controlling one or more
meters. Each meter's configuration includes information such as: meters. Each meter's configuration includes information such as:
- Flow specifications, e.g. which traffic flows are to be measured, - Flow specifications, e.g. which traffic flows are to be measured,
how they are to be aggregated, and any data the meter is required how they are to be aggregated, and any data the meter is required
to compute for each flow being measured. to compute for each flow being measured.
- Meter control parameters, e.g. the 'inactivity' time for flows (if - Meter control parameters, e.g. the 'inactivity' time for flows (if
no packets belonging to a flow are seen for this time the flow is no packets belonging to a flow are seen for this time the flow is
considered to have ended, i.e. to have become idle). considered to have ended, i.e. to have become idle).
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- Sampling behaviour. Normally every packet will be observed. It - Sampling behaviour. Normally every packet will be observed. It
may sometimes be necessary to use sampling techniques so as to may sometimes be necessary to use sampling techniques so as to
observe only some of the packets (see following note). observe only some of the packets (see following note).
A note about sampling: Current experience with the measurement A note about sampling: Current experience with the measurement
architecture shows that a carefully-designed and implemented meter architecture shows that a carefully-designed and implemented meter
compresses the data sufficiently well that in normal LANs and WANs of compresses the data sufficiently well that in normal LANs and WANs of
today sampling is seldom, if ever, needed. For this reason sampling today sampling is seldom, if ever, needed. For this reason sampling
algorithms are not prescribed by the architecture. If sampling is algorithms are not prescribed by the architecture. If sampling is
needed, e.g. for metering a very-high-speed network with fine-grained needed, e.g. for metering a very-high-speed network with fine-grained
flows, the sampling technique should be carefully chosen so as not to flows, the sampling technique should be carefully chosen so as not to
bias the results. For a good introduction to this topic see the IPPM bias the results. For a good introduction to this topic see the IPPM
Working Group's RFC "Framework for IP Performance Metrics" [4]. Working Group's RFC "Framework for IP Performance Metrics" [IPPM-FRM].
A meter may run several rule sets concurrently on behalf of one or more A meter may run several rule sets concurrently on behalf of one or more
managers, and any manager may download a set of flow specifications managers, and any manager may download a set of flow specifications
(i.e. a 'rule set') to a meter. Control parameters which apply to an (i.e. a 'rule set') to a meter. Control parameters which apply to an
individual rule set should be set by the manager after it downloads that individual rule set should be set by the manager after it downloads that
rule set. rule set.
One manager should be designated as the 'master' for a meter. One manager should be designated as the 'master' for a meter.
Parameters such as sampling behaviour, which affect the overall Parameters such as sampling behaviour, which affect the overall
operation of the meter, should only be set by the master manager. operation of the meter, should only be set by the master manager.
2.4 Interaction Between MANAGER and METER READER 2.4 Interaction Between MANAGER and METER READER
A manager is responsible for configuring and controlling one or more A manager is responsible for configuring and controlling one or more
meter readers. A meter reader may only be controlled by a single meter readers. A meter reader may only be controlled by a single
manager. A meter reader needs to know at least the following for every manager. A meter reader needs to know at least the following for every
meter it is collecting usage data from: meter it is collecting usage data from:
- The meter's unique identity, i.e. its network name or address. - The meter's unique identity, i.e. its network name or address.
- How often usage data is to be collected from the meter. - How often usage data is to be collected from the meter.
- Which flow records are to be collected (e.g. all flows, flows for - Which flow records are to be collected (e.g. all flows, flows for a
a particular rule set, flows which have been active since a given particular rule set, flows which have been active since a given
time, etc.). time, etc.).
- Which attribute values are to be collected for the required flow - Which attribute values are to be collected for the required flow
records (e.g. all attributes, or a small subset of them) records (e.g. all attributes, or a small subset of them)
Since redundant reporting may be used in order to increase the Since redundant reporting may be used in order to increase the
reliability of usage data, exchanges among multiple entities must be reliability of usage data, exchanges among multiple entities must be
considered as well. These are discussed below. considered as well. These are discussed below.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
2.5 Multiple METERs or METER READERs 2.5 Multiple METERs or METER READERs
-- METER READER A -- -- METER READER A --
/ | \ / | \
/ | \ / | \
=====METER 1 METER 2=====METER 3 METER 4===== =====METER 1 METER 2=====METER 3 METER 4=====
\ | / \ | /
\ | / \ | /
-- METER READER B -- -- METER READER B --
Several uniquely identified meters may report to one or more meter Several uniquely identified meters may report to one or more meter
skipping to change at page 10, line 5 skipping to change at page 10, line 5
manager to switch rulesets in more than one meter at the same time. manager to switch rulesets in more than one meter at the same time.
If there is only one meter reader and it fails, the meters continue to If there is only one meter reader and it fails, the meters continue to
run. When the meter reader is restarted it can collect all of the run. When the meter reader is restarted it can collect all of the
accumulated flow data. Should this happen, time resolution will be lost accumulated flow data. Should this happen, time resolution will be lost
(because of the missed collections) but overall traffic flow information (because of the missed collections) but overall traffic flow information
will not. The only exception to this would occur if the traffic volume will not. The only exception to this would occur if the traffic volume
was sufficient to 'roll over' counters for some flows during the was sufficient to 'roll over' counters for some flows during the
failure; this is addressed in the section on 'Rolling Counters.' failure; this is addressed in the section on 'Rolling Counters.'
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
2.6 Interaction Between MANAGERs (MANAGER - MANAGER) 2.6 Interaction Between MANAGERs (MANAGER - MANAGER)
Synchronization between multiple management systems is the province of Synchronization between multiple management systems is the province of
network management protocols. This traffic flow measurement network management protocols. This traffic flow measurement
architecture specifies only the network management controls necessary to architecture specifies only the network management controls necessary to
perform the traffic flow measurement function and does not address the perform the traffic flow measurement function and does not address the
more global issues of simultaneous or interleaved (possibly conflicting) more global issues of simultaneous or interleaved (possibly conflicting)
commands from multiple network management stations or the process of commands from multiple network management stations or the process of
transferring control from one network management station to another. transferring control from one network management station to another.
2.7 METER READERs and APPLICATIONs 2.7 METER READERs and APPLICATIONs
Once a collection of usage data has been assembled by a meter reader it Once a collection of usage data has been assembled by a meter reader it
can be processed by an analysis application. Details of analysis can be processed by an analysis application. Details of analysis
applications - such as the reports they produce and the data they applications - such as the reports they produce and the data they
require - are outside the scope of this architecture. require - are outside the scope of this architecture.
It should be noted, however, that analysis applications will often It should be noted, however, that analysis applications will often
require considerable amounts of input data. An important part of require considerable amounts of input data. An important part of
running a traffic flow measurement system is the storage and regular running a traffic flow measurement system is the storage and regular
reduction of flow data so as to produce daily, weekly or monthly summary reduction of flow data so as to produce daily, weekly or monthly summary
files for further analysis. Again, details of such data handling are files for further analysis. Again, details of such data handling are
outside the scope of this architecture. outside the scope of this architecture.
3 Traffic Flows and Reporting Granularity 3 Traffic Flows and Reporting Granularity
A flow was defined in section 2.1 above in abstract terms as follows: A flow was defined in section 2.1 above in abstract terms as follows:
"A TRAFFIC FLOW is an artifical logical equivalent to a call or "A TRAFFIC FLOW is an artifical logical equivalent to a call or
connection, belonging to a (user-specieied) METERED TRAFFIC connection, belonging to a (user-specieied) METERED TRAFFIC
GROUP." GROUP."
In practical terms, a flow is a stream of packets observed by the meter In practical terms, a flow is a stream of packets observed by the meter
as they pass across a network between two end points (or from a single as they pass across a network between two end points (or from a single
end point), which have been summarized by a traffic meter for analysis end point), which have been summarized by a traffic meter for analysis
purposes. purposes.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 3.1 Flows and their Attributes
3.1 Flows and their Attributes
Every traffic meter maintains a table of 'flow records' for flows seen Every traffic meter maintains a table of 'flow records' for flows seen
by the meter. A flow record holds the values of the ATTRIBUTES of by the meter. A flow record holds the values of the ATTRIBUTES of
interest for its flow. These attributes might include: interest for its flow. These attributes might include:
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- ADDRESSES for the flow's source and destination. These comprise - ADDRESSES for the flow's source and destination. These comprise
the protocol type, the source and destination addresses at various the protocol type, the source and destination addresses at various
network layers (extracted from the packet header), and the number network layers (extracted from the packet header), and the number
of the interface on which the packet was observed. of the interface on which the packet was observed.
- First and last TIMES when packets were seen for this flow, i.e. - First and last TIMES when packets were seen for this flow, i.e. the
the 'creation' and 'last activity' times for the flow. 'creation' and 'last activity' times for the flow.
- COUNTS for 'forward' (source to destination) and 'backward' - COUNTS for 'forward' (source to destination) and 'backward'
(destination to source) components (e.g. packets and bytes) of the (destination to source) components (e.g. packets and bytes) of the
flow's traffic. The specifying of 'source' and 'destination' for flow's traffic. The specifying of 'source' and 'destination' for
flows is discussed in the section on packet matching below. flows is discussed in the section on packet matching below.
- OTHER attributes, e.g. the index of the flow's record in the flow - OTHER attributes, e.g. the index of the flow's record in the flow
table and the rule set number for the rules which the meter was table and the rule set number for the rules which the meter was
running while the flow was observed. The values of these running while the flow was observed. The values of these
attributes provide a way of distinguishing flows observed by a attributes provide a way of distinguishing flows observed by a
skipping to change at page 12, line 4 skipping to change at page 11, line 48
The addresses specifying a flow's address attributes may include one or The addresses specifying a flow's address attributes may include one or
more of the following types: more of the following types:
- The INTERFACE NUMBER for the flow, i.e. the interface on which the - The INTERFACE NUMBER for the flow, i.e. the interface on which the
meter measured the traffic. Together with a unique address for the meter measured the traffic. Together with a unique address for the
meter this uniquely identifies a particular physical-level port. meter this uniquely identifies a particular physical-level port.
- The ADJACENT ADDRESS, i.e. the address in the the next layer down - The ADJACENT ADDRESS, i.e. the address in the the next layer down
from the peer address in a particular instantiation of protocol from the peer address in a particular instantiation of protocol
layering. Although 'adjacent' will usually imply the link layer, layering. Although 'adjacent' will usually imply the link layer,
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
it does not implicitly advocate or dismiss any particular form of it does not implicitly advocate or dismiss any particular form of
tunnelling or layering. tunnelling or layering.
For example, if flow measurement is being performed using IP as the For example, if flow measurement is being performed using IP as the
network layer on an Ethernet LAN [5], an adjacent address will network layer on an Ethernet LAN [802-3], an adjacent address will
normally be a six-octet Media Access Control (MAC) address. For a normally be a six-octet Media Access Control (MAC) address. For a
host connected to the same LAN segment as the meter the adjacent host connected to the same LAN segment as the meter the adjacent
address will be the MAC address of that host. For hosts on other address will be the MAC address of that host. For hosts on other
LAN segments it will be the MAC address of the adjacent (upstream LAN segments it will be the MAC address of the adjacent (upstream
or downstream) router carrying the traffic flow. or downstream) router carrying the traffic flow.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- The PEER ADDRESS, which identifies the source or destination of the - The PEER ADDRESS, which identifies the source or destination of the
packet for the network layer (n) at which traffic measurement is packet for the network layer (n) at which traffic measurement is
being performed. The form of a peer address will depend on the being performed. The form of a peer address will depend on the
network-layer protocol in use, and the measurement network layer network-layer protocol in use, and the measurement network layer
(n). (n).
- The TRANSPORT ADDRESS, which identifies the source or destination - The TRANSPORT ADDRESS, which identifies the source or destination
port for the packet, i.e. its (n+1) layer address. For example, port for the packet, i.e. its (n+1) layer address. For example, if
if flow measurement is being performed at the IP layer a transport flow measurement is being performed at the IP layer a transport
address is a two-octet UDP or TCP port number. address is a two-octet UDP or TCP port number.
The four definitions above specify addresses for each of the four lowest The four definitions above specify addresses for each of the four lowest
layers of the OSI reference model, i.e. Physical layer, Link layer, layers of the OSI reference model, i.e. Physical layer, Link layer,
Network layer and Transport layer. A FLOW RECORD stores both the VALUE Network layer and Transport layer. A FLOW RECORD stores both the VALUE
for each of its addresses (as described above) and a MASK specifying for each of its addresses (as described above) and a MASK specifying
which bits of the address value are being used and which are ignored. which bits of the address value are being used and which are ignored.
Note that if address bits are being ignored the meter will set them to Note that if address bits are being ignored the meter will set them to
zero, however their actual values are undefined. zero, however their actual values are undefined.
skipping to change at page 12, line 50 skipping to change at page 12, line 39
protocols. This is straightforward for peer addresses; although the protocols. This is straightforward for peer addresses; although the
form of addresses differs for the various protocols, the meaning of a form of addresses differs for the various protocols, the meaning of a
'peer address' remains the same. It becomes harder to maintain this 'peer address' remains the same. It becomes harder to maintain this
correspondence at higher layers - for example, at the Network layer IP, correspondence at higher layers - for example, at the Network layer IP,
Novell IPX and AppleTalk all use port numbers as a 'transport address,' Novell IPX and AppleTalk all use port numbers as a 'transport address,'
but CLNP and DECnet have no notion of ports. but CLNP and DECnet have no notion of ports.
Reporting by adjacent intermediate sources and destinations or simply by Reporting by adjacent intermediate sources and destinations or simply by
meter interface (most useful when the meter is embedded in a router) meter interface (most useful when the meter is embedded in a router)
supports hierarchical Internet reporting schemes as described in the supports hierarchical Internet reporting schemes as described in the
'Internet Accounting Background' RFC [2]. That is, it allows backbone 'Internet Accounting Background' RFC [ACT-BKG]. That is, it allows
and regional networks to measure usage to just the next lower level of backbone and regional networks to measure usage to just the next lower
granularity (i.e. to the regional and stub/enterprise levels, level of granularity (i.e. to the regional and stub/enterprise levels,
respectively), with the final breakdown according to end user (e.g. to respectively), with the final breakdown according to end user (e.g. to
source IP address) performed by the stub/enterprise networks. source IP address) performed by the stub/enterprise networks.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 In cases where network addresses are dynamically allocated (e.g. dial-in
subscribers), further subscriber identification will be necessary if
In cases where network addresses are dynamically allocated (e.g. flows are to ascribed to individual users. Provision is made to further
dial-in subscribers), further subscriber identification will be specify the metered traffic group through the use of an optional
necessary if flows are to ascribed to individual users. Provision is SUBSCRIBER ID as part of the flow id. A subscriber ID may be associated
made to further specify the metered traffic group through the use of an with a particular flow either through the current rule set or by
optional SUBSCRIBER ID as part of the flow id. A subscriber ID may be unspecified means within a meter. At this time a subscriber ID is an
associated with a particular flow either through the current rule set or
by unspecified means within a meter. At this time a subscriber ID is an
arbitrary text string; later versions of the architecture may specify arbitrary text string; later versions of the architecture may specify
details of its contents. details of its contents.
3.2 Granularity of Flow Measurements INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
3.2 Granularity of Flow Measurements
GRANULARITY is the 'control knob' by which an application and/or the GRANULARITY is the 'control knob' by which an application and/or the
meter can trade off the overhead associated with performing usage meter can trade off the overhead associated with performing usage
reporting against its level of detail. A coarser granularity means a reporting against its level of detail. A coarser granularity means a
greater level of aggregation; finer granularity means a greater level of greater level of aggregation; finer granularity means a greater level of
detail. Thus, the number of flows measured (and stored) at a meter can detail. Thus, the number of flows measured (and stored) at a meter can
be regulated by changing the granularity of their attributes. Flows are be regulated by changing the granularity of their attributes. Flows are
like an adjustable pipe - many fine-granularity streams can carry the like an adjustable pipe - many fine-granularity streams can carry the
data with each stream measured individually, or data can be bundled in data with each stream measured individually, or data can be bundled in
one coarse-granularity pipe. Time granularity may be controlled by one coarse-granularity pipe. Time granularity may be controlled by
skipping to change at page 14, line 4 skipping to change at page 13, line 43
reported information, i.e. the recorded usage information cannot be reported information, i.e. the recorded usage information cannot be
properly interpreted without a definition of the rules used to collect properly interpreted without a definition of the rules used to collect
that information. that information.
Settings for these granularity factors may vary from meter to meter. Settings for these granularity factors may vary from meter to meter.
They are determined by the meter's current rule set, so they will change They are determined by the meter's current rule set, so they will change
if network Operations personnel reconfigure the meter to use a new rule if network Operations personnel reconfigure the meter to use a new rule
set. It is expected that the collection rules will change rather set. It is expected that the collection rules will change rather
infrequently; nonetheless, the rule set in effect at any time must be infrequently; nonetheless, the rule set in effect at any time must be
identifiable via a RULE SET NUMBER. Granularity of metered traffic identifiable via a RULE SET NUMBER. Granularity of metered traffic
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
groups is further specified by additional ATTRIBUTES. These attributes groups is further specified by additional ATTRIBUTES. These attributes
include: include:
- Attributes which record information derived from other attribute - Attributes which record information derived from other attribute
values. Six of these are defined (SourceClass, DestClass, values. Six of these are defined (SourceClass, DestClass,
FlowClass, SourceKind, DestKind, FlowKind), and their meaning is FlowClass, SourceKind, DestKind, FlowKind), and their meaning is
determined by the meter's rule set. For example, one could have a determined by the meter's rule set. For example, one could have a
subroutine in the rule set which determined whether a source or subroutine in the rule set which determined whether a source or
destination peer address was a member of an arbitrary list of destination peer address was a member of an arbitrary list of
networks, and set SourceClass/DestClass to one if the source/dest networks, and set SourceClass/DestClass to one if the source/dest
peer address was in the list or to zero otherwise. peer address was in the list or to zero otherwise.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- Administratively specified attributes such as Quality of Service - Administratively specified attributes such as Quality of Service
and Priority, etc. These are not defined at this time. and Priority, etc. These are not defined at this time.
Settings for these granularity factors may vary from meter to meter. Settings for these granularity factors may vary from meter to meter.
They are determined by the meter's current rule set, so they will change They are determined by the meter's current rule set, so they will change
if Network Operations personnel reconfigure the meter to use a new rule if Network Operations personnel reconfigure the meter to use a new rule
set. set.
A rule set can aggregate groups of addresses in two ways. The simplest A rule set can aggregate groups of addresses in two ways. The simplest
is to use a mask in a single rule to test for an address within a masked is to use a mask in a single rule to test for an address within a masked
group. The other way is to use a sequence of rules to test for an group. The other way is to use a sequence of rules to test for an
arbitrary group of (masked) address values, then use a PushRuleTo rule arbitrary group of (masked) address values, then use a PushRuleTo rule
to set a derived attribute (e.g. FlowKind) to indicate the flow's to set a derived attribute (e.g. FlowKind) to indicate the flow's group.
group.
The LIFETIME of a flow is the time interval which began when the meter The LIFETIME of a flow is the time interval which began when the meter
observed the first packet belonging to the flow and ended when it saw observed the first packet belonging to the flow and ended when it saw
the last packet. Flow lifetimes are very variable, but many - if not the last packet. Flow lifetimes are very variable, but many - if not
most - are rather short. A meter cannot measure lifetimes directly; most - are rather short. A meter cannot measure lifetimes directly;
instead a meter reader collects usage data for flows which have been instead a meter reader collects usage data for flows which have been
active since the last collection, and an analysis application may active since the last collection, and an analysis application may
compare the data from each collection so as to determine when each flow compare the data from each collection so as to determine when each flow
actually stopped. actually stopped.
skipping to change at page 15, line 5 skipping to change at page 14, line 44
before recovering a flow record the meter should be sure that the flow's before recovering a flow record the meter should be sure that the flow's
data has been collected by all meter readers which registered to collect data has been collected by all meter readers which registered to collect
it. These two wait conditions are desired goals for the meter; they are it. These two wait conditions are desired goals for the meter; they are
not difficult to achieve in normal usage, however the meter cannot not difficult to achieve in normal usage, however the meter cannot
guarantee to fulfil them absolutely. guarantee to fulfil them absolutely.
These 'lifetime' issues are considered further in the section on meter These 'lifetime' issues are considered further in the section on meter
readers (below). A complete list of the attributes currently defined is readers (below). A complete list of the attributes currently defined is
given in Appendix C later in this document. given in Appendix C later in this document.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 3.3 Rolling Counters, Timestamps, Report-in-One-Bucket-Only
3.3 Rolling Counters, Timestamps, Report-in-One-Bucket-Only
Once a usage record is sent, the decision needs to be made whether to Once a usage record is sent, the decision needs to be made whether to
clear any existing flow records or to maintain them and add to their clear any existing flow records or to maintain them and add to their
counts when recording subsequent traffic on the same flow. The second counts when recording subsequent traffic on the same flow. The second
method, called rolling counters, is recommended and has several method, called rolling counters, is recommended and has several
advantages. Its primary advantage is that it provides greater advantages. Its primary advantage is that it provides greater
reliability - the system can now often survive the loss of some usage reliability - the system can now often survive the loss of some usage
records, such as might occur if a meter reader failed and later records, such as might occur if a meter reader failed and later
restarted. The next usage record will very often contain yet another restarted. The next usage record will very often contain yet another
reading of many of the same flow buckets which were in the lost usage reading of many of the same flow buckets which were in the lost usage
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
record. The 'continuity' of data provided by rolling counters can also record. The 'continuity' of data provided by rolling counters can also
supply information used for "sanity" checks on the data itself, to guard supply information used for "sanity" checks on the data itself, to guard
against errors in calculations. against errors in calculations.
The use of rolling counters does introduce a new problem: how to The use of rolling counters does introduce a new problem: how to
distinguish a follow-on flow record from a new flow record. Consider distinguish a follow-on flow record from a new flow record. Consider
the following example. the following example.
CONTINUING FLOW OLD FLOW, then NEW FLOW CONTINUING FLOW OLD FLOW, then NEW FLOW
skipping to change at page 16, line 4 skipping to change at page 15, line 44
the example above, the CONTINUING FLOW flow record in the second usage the example above, the CONTINUING FLOW flow record in the second usage
record has an old FLOW START timestamp, while the NEW FLOW contains a record has an old FLOW START timestamp, while the NEW FLOW contains a
recent FLOW START timestamp. A flow which has sporadic bursts of recent FLOW START timestamp. A flow which has sporadic bursts of
activity interspersed with long periods of inactivity will produce a activity interspersed with long periods of inactivity will produce a
sequence of flow activity records, each with the same set of address sequence of flow activity records, each with the same set of address
attributes, but with increasing FLOW START times. attributes, but with increasing FLOW START times.
Each packet is counted in at most one flow for each running ruleset, so Each packet is counted in at most one flow for each running ruleset, so
as to avoid multiple counting of a single packet. The record of a as to avoid multiple counting of a single packet. The record of a
single flow is informally called a "bucket." If multiple, sometimes single flow is informally called a "bucket." If multiple, sometimes
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
overlapping, records of usage information are required (aggregate, overlapping, records of usage information are required (aggregate,
individual, etc), the network manager should collect the counts in individual, etc), the network manager should collect the counts in
sufficiently detailed granularity so that aggregate and combination sufficiently detailed granularity so that aggregate and combination
counts can be reconstructed in post-processing of the raw usage data. counts can be reconstructed in post-processing of the raw usage data.
Alternatively, multiple rulesets could be used to collect data at Alternatively, multiple rulesets could be used to collect data at
different granularities. different granularities.
For example, consider a meter from which it is required to record both For example, consider a meter from which it is required to record both
'total packets coming in interface #1' and 'total packets arriving from 'total packets coming in interface #1' and 'total packets arriving from
any interface sourced by IP address = a.b.c.d,' using a single rule set. any interface sourced by IP address = a.b.c.d,' using a single rule set.
Although a bucket can be declared for each case, it is not clear how to Although a bucket can be declared for each case, it is not clear how to
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
handle a packet which satisfies both criteria. It must only be counted handle a packet which satisfies both criteria. It must only be counted
once. By default it will be counted in the first bucket for which it once. By default it will be counted in the first bucket for which it
qualifies, and not in the other bucket. Further, it is not possible to qualifies, and not in the other bucket. Further, it is not possible to
reconstruct this information by post-processing. The solution in this reconstruct this information by post-processing. The solution in this
case is to define not two, but THREE buckets, each one collecting a case is to define not two, but THREE buckets, each one collecting a
unique combination of the two criteria: unique combination of the two criteria:
Bucket 1: Packets which came in interface 1, Bucket 1: Packets which came in interface 1,
AND were sourced by IP address a.b.c.d AND were sourced by IP address a.b.c.d
skipping to change at page 17, line 5 skipping to change at page 16, line 42
Alternatively, the above could be achieved by running two rule sets (A Alternatively, the above could be achieved by running two rule sets (A
and B), as follows: and B), as follows:
Bucket 1: Packets which came in interface 1; Bucket 1: Packets which came in interface 1;
counted by rule set A. counted by rule set A.
Bucket 2: Packets which were sourced by IP address a.b.c.d; Bucket 2: Packets which were sourced by IP address a.b.c.d;
counted by rule set B. counted by rule set B.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 4 Meters
4 Meters
A traffic flow meter is a device for collecting data about traffic flows A traffic flow meter is a device for collecting data about traffic flows
at a given point within a network; we will call this the METERING POINT. at a given point within a network; we will call this the METERING POINT.
The header of every packet passing the network metering point is offered The header of every packet passing the network metering point is offered
to the traffic meter program. to the traffic meter program.
A meter could be implemented in various ways, including: A meter could be implemented in various ways, including:
- A dedicated small host, connected to a broadcast LAN (so that it - A dedicated small host, connected to a broadcast LAN (so that it
can see all packets as they pass by) and running a traffic meter can see all packets as they pass by) and running a traffic meter
program. The metering point is the LAN segment to which the meter program. The metering point is the LAN segment to which the meter
is attached. is attached.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- A multiprocessing system with one or more network interfaces, with - A multiprocessing system with one or more network interfaces, with
drivers enabling a traffic meter program to see packets. In this drivers enabling a traffic meter program to see packets. In this
case the system provides multiple metering points - traffic flows case the system provides multiple metering points - traffic flows
on any subset of its network interfaces can be measured. on any subset of its network interfaces can be measured.
- A packet-forwarding device such as a router or switch. This is - A packet-forwarding device such as a router or switch. This is
similar to (b) except that every received packet should also be similar to (b) except that every received packet should also be
forwarded, usually on a different interface. forwarded, usually on a different interface.
4.1 Meter Structure 4.1 Meter Structure
An outline of the meter's structure is given in the following diagram: An outline of the meter's structure is given in the following diagram:
Briefly, the meter works as follows: Briefly, the meter works as follows:
- Incoming packet headers arrive at the top left of the diagram and - Incoming packet headers arrive at the top left of the diagram and
are passed to the PACKET PROCESSOR. are passed to the PACKET PROCESSOR.
- The packet processor passes them to the Packet Matching Engine - The packet processor passes them to the Packet Matching Engine
(PME) where they are classified. (PME) where they are classified.
skipping to change at page 18, line 5 skipping to change at page 17, line 40
Processor, executes the rules in the current rule set as described Processor, executes the rules in the current rule set as described
in section 4.3 below, and returns instructions on what to do with in section 4.3 below, and returns instructions on what to do with
the packet. the packet.
- Some packets are classified as 'to be ignored.' They are discarded - Some packets are classified as 'to be ignored.' They are discarded
by the Packet Processor. by the Packet Processor.
- Other packets are matched by the PME, which returns a FLOW KEY - Other packets are matched by the PME, which returns a FLOW KEY
describing the flow to which the packet belongs. describing the flow to which the packet belongs.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
- The flow key is used to locate the flow's entry in the FLOW TABLE; - The flow key is used to locate the flow's entry in the FLOW TABLE;
a new entry is created when a flow is first seen. The entry's data a new entry is created when a flow is first seen. The entry's data
fields (e.g. packet and byte counters) are updated. fields (e.g. packet and byte counters) are updated.
- A meter reader may collect data from the flow table at any time. - A meter reader may collect data from the flow table at any time.
It may use the 'collect' index to locate the flows to be collected It may use the 'collect' index to locate the flows to be collected
within the flow table. within the flow table.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
packet +------------------+ packet +------------------+
header | Current Rule Set | header | Current Rule Set |
| +--------+---------+ | +--------+---------+
| | | |
| | | |
+-------*--------+ 'match key' +------*-------+ +-------*--------+ 'match key' +------*-------+
| Packet |---------------->| Packet | | Packet |---------------->| Packet |
| Processor | | Matching | | Processor | | Matching |
| |<----------------| Engine | | |<----------------| Engine |
+--+----------+--+ 'flow key' +--------------+ +--+----------+--+ 'flow key' +--------------+
skipping to change at page 19, line 5 skipping to change at page 18, line 46
Meter Reader Meter Reader
The discussion above assumes that a meter will only be running a single The discussion above assumes that a meter will only be running a single
rule set. A meter may, however, run several rule sets concurrently. To rule set. A meter may, however, run several rule sets concurrently. To
do this the meter maintains a table of current rulesets. The packet do this the meter maintains a table of current rulesets. The packet
processor matches each packet against every current ruleset, producing a processor matches each packet against every current ruleset, producing a
single flow table containing flows from all the rule sets. One way to single flow table containing flows from all the rule sets. One way to
implement this is to use the Rule Set Number attribute in each flow as implement this is to use the Rule Set Number attribute in each flow as
part of the flow key. part of the flow key.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
A packet may only be counted once in a rule set (as explained in section A packet may only be counted once in a rule set (as explained in section
3.3 above), but it may be counted in any of the current rulesets. The 3.3 above), but it may be counted in any of the current rulesets. The
overall effect of doing this is somewhat similar to running several overall effect of doing this is somewhat similar to running several
independent meters, one for each rule set. independent meters, one for each rule set.
4.2 Flow Table INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
Every traffic meter maintains 'flow table,' i.e. a table of TRAFFIC 4.2 Flow Table
FLOW RECORDS for flows seen by the meter. Details of how the flow table
is maintained are given in section 4.5 below. A flow record contains Every traffic meter maintains 'flow table,' i.e. a table of TRAFFIC FLOW
RECORDS for flows seen by the meter. Details of how the flow table is
maintained are given in section 4.5 below. A flow record contains
attribute values for its flow, including: attribute values for its flow, including:
- Addresses for the flow's source and destination. These include - Addresses for the flow's source and destination. These include
addresses and masks for various network layers (extracted from the addresses and masks for various network layers (extracted from the
packet header), and the identity of the interface on which the packet header), and the identity of the interface on which the
packet was observed. packet was observed.
- First and last times when packets were seen for this flow. - First and last times when packets were seen for this flow.
- Counts for 'forward' (source to destination) and 'backward' - Counts for 'forward' (source to destination) and 'backward'
skipping to change at page 19, line 44 skipping to change at page 19, line 39
- CURRENT: The record is in use and describes a flow which belongs to - CURRENT: The record is in use and describes a flow which belongs to
the 'current flow set,' i.e. the set of flows recently seen by the the 'current flow set,' i.e. the set of flows recently seen by the
meter. meter.
- IDLE: The record is in use and the flow which it describes is part - IDLE: The record is in use and the flow which it describes is part
of the current flow set. In addition, no packets belonging to this of the current flow set. In addition, no packets belonging to this
flow have been seen for a period specified by the meter's flow have been seen for a period specified by the meter's
InactivityTime variable. InactivityTime variable.
4.3 Packet Handling, Packet Matching 4.3 Packet Handling, Packet Matching
Each packet header received by the traffic meter program is processed as Each packet header received by the traffic meter program is processed as
follows: follows:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
- Extract attribute values from the packet header and use them to - Extract attribute values from the packet header and use them to
create a MATCH KEY for the packet. create a MATCH KEY for the packet.
- Match the packet's key against the current rule set, as explained - Match the packet's key against the current rule set, as explained
in detail below. in detail below.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
The rule set specifies whether the packet is to be counted or ignored. The rule set specifies whether the packet is to be counted or ignored.
If it is to be counted the matching process produces a FLOW KEY for the If it is to be counted the matching process produces a FLOW KEY for the
flow to which the packet belongs. This flow key is used to find the flow to which the packet belongs. This flow key is used to find the
flow's record in the flow table; if a record does not yet exist for this flow's record in the flow table; if a record does not yet exist for this
flow, a new flow record may be created. The data for the matching flow flow, a new flow record may be created. The data for the matching flow
record can then be updated. record can then be updated.
For example, the rule set could specify that packets to or from any host For example, the rule set could specify that packets to or from any host
in IP network 130.216 are to be counted. It could also specify that in IP network 130.216 are to be counted. It could also specify that
flow records are to be created for every pair of 24-bit (Class C) flow records are to be created for every pair of 24-bit (Class C)
skipping to change at page 20, line 49 skipping to change at page 20, line 43
counters in the meter's flow record makes the resulting flow data much counters in the meter's flow record makes the resulting flow data much
simpler to handle, since analysis programs do not have to gather simpler to handle, since analysis programs do not have to gather
together the 'forward' and 'reverse' components of sessions. together the 'forward' and 'reverse' components of sessions.
Implementing bi-directional flows is, of course, more difficult for the Implementing bi-directional flows is, of course, more difficult for the
meter, since it must decide whether a packet is a 'forward' packet or a meter, since it must decide whether a packet is a 'forward' packet or a
'reverse' one. To make this decision the meter will often need to 'reverse' one. To make this decision the meter will often need to
invoke the PME twice, once for each possible packet direction. invoke the PME twice, once for each possible packet direction.
The diagram below describes the algorithm used by the traffic meter to The diagram below describes the algorithm used by the traffic meter to
process each packet. Flow through the diagram is from left to right and process each packet. Flow through the diagram is from left to right and
top to bottom, i.e. from the top left corner to the bottom right top to bottom, i.e. from the top left corner to the bottom right corner.
corner. S indicates the flow's source address (i.e. its set of source S indicates the flow's source address (i.e. its set of source address
address attribute values) from the packet header, and D indicates its attribute values) from the packet header, and D indicates its
destination address. destination address.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
There are several cases to consider. These are: There are several cases to consider. These are:
- The packet is recognised as one which is TO BE IGNORED. - The packet is recognised as one which is TO BE IGNORED.
- The packet would MATCH IN EITHER DIRECTION. One situation in which - The packet would MATCH IN EITHER DIRECTION. One situation in which
this could happen would be a rule set which matches flows within this could happen would be a rule set which matches flows within
network X (Source = X, Dest = X) but specifies that flows are to be network X (Source = X, Dest = X) but specifies that flows are to be
created for each subnet within network X, say subnets y and z. If, created for each subnet within network X, say subnets y and z. If,
for example a packet is seen for y->z, the meter must check that for example a packet is seen for y->z, the meter must check that
flow z->y is not already current before creating y->z. flow z->y is not already current before creating y->z.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- The packet MATCHES IN ONE DIRECTION ONLY. If its flow is already - The packet MATCHES IN ONE DIRECTION ONLY. If its flow is already
current, its forward or reverse counters are incremented. current, its forward or reverse counters are incremented.
Otherwise it is added to the flow table and then counted. Otherwise it is added to the flow table and then counted.
Ignore Ignore
--- match(S->D) -------------------------------------------------+ --- match(S->D) -------------------------------------------------+
| Suc | NoMatch | | Suc | NoMatch |
| | Ignore | | | Ignore |
| match(D->S) -----------------------------------------+ | match(D->S) -----------------------------------------+
| | Suc | NoMatch | | | Suc | NoMatch |
skipping to change at page 22, line 5 skipping to change at page 21, line 45
* *
The algorithm uses four functions, as follows: The algorithm uses four functions, as follows:
match(A->B) implements the PME. It uses the meter's current rule set match(A->B) implements the PME. It uses the meter's current rule set
to match the attribute values in the packet's match key. A->B means to match the attribute values in the packet's match key. A->B means
that the assumed source address is A and destination address B, i.e. that the assumed source address is A and destination address B, i.e.
that the packet was travelling from A to B. match() returns one of that the packet was travelling from A to B. match() returns one of
three results: three results:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
'Ignore' means that the packet was matched but this flow is not 'Ignore' means that the packet was matched but this flow is not
to be counted. to be counted.
'NoMatch' means that the packet did not match. It might, however 'NoMatch' means that the packet did not match. It might, however
match with its direction reversed, i.e. from B to A. match with its direction reversed, i.e. from B to A.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
'Suc' means that the packet did match, i.e. it belongs to a flow 'Suc' means that the packet did match, i.e. it belongs to a flow
which is to be counted. which is to be counted.
current(A->B) succeeds if the flow A-to-B is current - i.e. has current(A->B) succeeds if the flow A-to-B is current - i.e. has
a record in the flow table whose state is Current - and fails a record in the flow table whose state is Current - and fails
otherwise. otherwise.
create(A->B) adds the flow A-to-B to the flow table, setting the create(A->B) adds the flow A-to-B to the flow table, setting the
value for attributes - such as addresses - which remain constant, value for attributes - such as addresses - which remain constant,
and zeroing the flow's counters. and zeroing the flow's counters.
skipping to change at page 22, line 43 skipping to change at page 22, line 37
Consider, for example, a rule set which counts packets from source Consider, for example, a rule set which counts packets from source
network A to destination network B, but which ignores packets from network A to destination network B, but which ignores packets from
source network B. This is an obvious example of an inconsistent rule source network B. This is an obvious example of an inconsistent rule
set, since packets from network B should be counted as reverse packets set, since packets from network B should be counted as reverse packets
for the A-to-B flow. for the A-to-B flow.
This problem could be avoided by devising a language for specifying rule This problem could be avoided by devising a language for specifying rule
files and writing a compiler for it, thus making it much easier to files and writing a compiler for it, thus making it much easier to
produce correct rule sets. An example of such a language is described produce correct rule sets. An example of such a language is described
in the 'SRL' document [6]. Another approach would be to write a 'rule in the 'SRL' document [RTFM-SRL]. Another approach would be to write a
set consistency checker' program, which could detect problems in 'rule set consistency checker' program, which could detect problems in
hand-written rule sets. hand-written rule sets.
Normally, the best way to avoid these problems is to write rule sets Normally, the best way to avoid these problems is to write rule sets
which only classify flows in the forward direction, and rely on the which only classify flows in the forward direction, and rely on the
meter to handle reverse-travelling packets. meter to handle reverse-travelling packets.
Occasionally there can be situations when a rule set needs to know the Occasionally there can be situations when a rule set needs to know the
direction in which a packet is being matched. Consider, for example, a direction in which a packet is being matched. Consider, for example, a
rule set which wants to save some attribute values (source and rule set which wants to save some attribute values (source and
destination addresses perhaps) for any 'unusual' packets. The rule set destination addresses perhaps) for any 'unusual' packets. The rule set
will contain a sequence of tests for all the 'usual' source addresses, will contain a sequence of tests for all the 'usual' source addresses,
follwed by a rule which will execute a 'NoMatch' action. If the match follwed by a rule which will execute a 'NoMatch' action. If the match
fails in the S->D direction, the NoMatch action will cause it to be fails in the S->D direction, the NoMatch action will cause it to be
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
retried. If it fails in the D->S direction, the packet can be counted retried. If it fails in the D->S direction, the packet can be counted
as an 'unusual' packet. as an 'unusual' packet.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
To count such an 'unusual' packet we need to know the matching To count such an 'unusual' packet we need to know the matching
direction: the MatchingStoD attribute provides this. To use it, one direction: the MatchingStoD attribute provides this. To use it, one
follows the source address tests with a rule which tests whether the follows the source address tests with a rule which tests whether the
matching direction is S->D (MatchingStoD value is 1). If so, a matching direction is S->D (MatchingStoD value is 1). If so, a
'NoMatch' action is executed. Otherwise, the packet has failed to match 'NoMatch' action is executed. Otherwise, the packet has failed to match
in both directions; we can save whatever attribute values are of in both directions; we can save whatever attribute values are of
interest and count the 'unusual' packet. interest and count the 'unusual' packet.
4.4 Rules and Rule Sets 4.4 Rules and Rule Sets
A rule set is an array of rules. Rule sets are held within a meter as A rule set is an array of rules. Rule sets are held within a meter as
entries in an array of rule sets. entries in an array of rule sets.
Rule set 1 (the first entry in the rule set table) is built-in to the Rule set 1 (the first entry in the rule set table) is built-in to the
meter and cannot be changed. It is run when the meter is started up, meter and cannot be changed. It is run when the meter is started up,
and provides a very coarse reporting granularity; it is mainly useful and provides a very coarse reporting granularity; it is mainly useful
for verifying that the meter is running, before a 'useful' rule set is for verifying that the meter is running, before a 'useful' rule set is
downloaded to it. downloaded to it.
skipping to change at page 24, line 5 skipping to change at page 23, line 51
The test group allows PME to test the value of an attribute. This is The test group allows PME to test the value of an attribute. This is
done by ANDing the attribute value with the mask and comparing the done by ANDing the attribute value with the mask and comparing the
result with the value field. Note that there is no explicit provision result with the value field. Note that there is no explicit provision
to test a range, although this can be done where the range can be to test a range, although this can be done where the range can be
covered by a mask, e.g. attribute value less than 2048. covered by a mask, e.g. attribute value less than 2048.
The PME maintains a Boolean indicator called the 'test indicator,' which The PME maintains a Boolean indicator called the 'test indicator,' which
determines whether or not a rule's test is performed. The test determines whether or not a rule's test is performed. The test
indicator is initially set (true). indicator is initially set (true).
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
The opcode group specifies what action may be performed when the rule is The opcode group specifies what action may be performed when the rule is
executed. Opcodes contain two flags: 'goto' and 'test,' as detailed in executed. Opcodes contain two flags: 'goto' and 'test,' as detailed in
the table below. Execution begins with rule 1, the first in the rule the table below. Execution begins with rule 1, the first in the rule
set. It proceeds as follows: set. It proceeds as follows:
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
If the test indicator is true: If the test indicator is true:
Perform the test, i.e. AND the attribute value with the Perform the test, i.e. AND the attribute value with the
mask and compare it with the value. mask and compare it with the value.
If these are equal the test has succeeded; perform the If these are equal the test has succeeded; perform the
rule's action (below). rule's action (below).
If the test fails execute the next rule in the rule set. If the test fails execute the next rule in the rule set.
If there are no more rules in the rule set, return from the If there are no more rules in the rule set, return from the
match() function indicating NoMatch. match() function indicating NoMatch.
If the test indicator is false, or the test (above) succeeded: If the test indicator is false, or the test (above) succeeded:
skipping to change at page 24, line 52 skipping to change at page 25, line 5
and value information from the pattern queue in the order it was and value information from the pattern queue in the order it was
enqueued. enqueued.
An attribute number identifies the attribute actually used in a test. An attribute number identifies the attribute actually used in a test.
It will usually be the rule's attribute field, unless the attribute is a It will usually be the rule's attribute field, unless the attribute is a
'meter variable.' Details of meter variables are given after the table 'meter variable.' Details of meter variables are given after the table
of opcode actions below. of opcode actions below.
The opcodes are: The opcodes are:
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
opcode goto test opcode goto test
1 Ignore 0 - 1 Ignore 0 -
2 NoMatch 0 - 2 NoMatch 0 -
3 Count 0 - 3 Count 0 -
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
4 CountPkt 0 - 4 CountPkt 0 -
5 Return 0 0 5 Return 0 0
6 Gosub 1 1 6 Gosub 1 1
7 GosubAct 1 0 7 GosubAct 1 0
8 Assign 1 1 8 Assign 1 1
9 AssignAct 1 0 9 AssignAct 1 0
10 Goto 1 1 10 Goto 1 1
11 GotoAct 1 0 11 GotoAct 1 0
12 PushRuleTo 1 1 12 PushRuleTo 1 1
13 PushRuleToAct 1 0 13 PushRuleToAct 1 0
skipping to change at page 25, line 50 skipping to change at page 26, line 5
the rule's test) is saved in the PME's pattern the rule's test) is saved in the PME's pattern
queue instead of the rule's value. queue instead of the rule's value.
Gosub: Call a rule-matching subroutine. Push the current Gosub: Call a rule-matching subroutine. Push the current
rule number on the PME's return stack, set the rule number on the PME's return stack, set the
test indicator then goto the specified rule. test indicator then goto the specified rule.
GosubAct: Same as Gosub, except that the test indicator is GosubAct: Same as Gosub, except that the test indicator is
cleared before going to the specified rule. cleared before going to the specified rule.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
Return: Return from a rule-matching subroutine. Pop the Return: Return from a rule-matching subroutine. Pop the
number of the calling gosub rule from the PME's number of the calling gosub rule from the PME's
'return' stack and add this rule's parameter value 'return' stack and add this rule's parameter value
to it to determine the 'target' rule. Clear the to it to determine the 'target' rule. Clear the
test indicator then goto the target rule. test indicator then goto the target rule.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
A subroutine call appears in a rule set as a Gosub A subroutine call appears in a rule set as a Gosub
rule followed by a small group of following rules. rule followed by a small group of following rules.
Since a Return action clears the test flag, the Since a Return action clears the test flag, the
action of one of these 'following' rules will be action of one of these 'following' rules will be
executed; this allows the subroutine to return a executed; this allows the subroutine to return a
result (in addition to any information it may save result (in addition to any information it may save
in the PME's pattern queue). in the PME's pattern queue).
Assign: Set the attribute specified in this rule to the Assign: Set the attribute specified in this rule to the
parameter value specified for this rule. Set the parameter value specified for this rule. Set the
skipping to change at page 26, line 51 skipping to change at page 27, line 4
have been used in the rule's test), in the PME's have been used in the rule's test), in the PME's
pattern queue. Set the test indicator then goto pattern queue. Set the test indicator then goto
the specified rule. the specified rule.
PushPktToAct: Same as PushPktTo, except that the test indicator PushPktToAct: Same as PushPktTo, except that the test indicator
is cleared before going to the specified rule. is cleared before going to the specified rule.
PushPktTo actions may be used to save a value from PushPktTo actions may be used to save a value from
the packet header using a specified mask. The the packet header using a specified mask. The
simplest way to program this is to use a zero value simplest way to program this is to use a zero value
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
for the PushPktTo rule's value field, and to for the PushPktTo rule's value field, and to
GoToAct to the PushPktTo rule (so that it's test is GoToAct to the PushPktTo rule (so that it's test is
not executed). not executed).
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
PopTo: Delete the most recent item from the pattern PopTo: Delete the most recent item from the pattern
queue, so as to remove the information saved by queue, so as to remove the information saved by
an earlier 'push' action. Set the test indicator an earlier 'push' action. Set the test indicator
then goto the specified rule. then goto the specified rule.
PopToAct: Same as PopTo, except that the test indicator PopToAct: Same as PopTo, except that the test indicator
is cleared before going to the specified rule. is cleared before going to the specified rule.
As well as the attributes applying directly to packets (such as As well as the attributes applying directly to packets (such as
SourcePeerAddress, DestTransAddress, etc.) the PME implements several SourcePeerAddress, DestTransAddress, etc.) the PME implements several
skipping to change at page 28, line 5 skipping to change at page 28, line 5
information which has been built up during matching. information which has been built up during matching.
Their values may be tested in rules; this allows one Their values may be tested in rules; this allows one
to set them early in a rule set, and test them later. to set them early in a rule set, and test them later.
The opcodes detailed above (with their above 'goto'and 'test' values) The opcodes detailed above (with their above 'goto'and 'test' values)
form a minimum set, but one which has proved very effective in current form a minimum set, but one which has proved very effective in current
meter implementations. From time to time it may be useful to add meter implementations. From time to time it may be useful to add
further opcodes; IANA considerations for allocating these are set out in further opcodes; IANA considerations for allocating these are set out in
section 8 below. section 8 below.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
4.5 Maintaining the Flow Table 4.5 Maintaining the Flow Table
The flow table may be thought of as a 1-origin array of flow records. The flow table may be thought of as a 1-origin array of flow records.
(A particular implementation may, of course, use whatever data structure (A particular implementation may, of course, use whatever data structure
is most suitable). When the meter starts up there are no known flows; is most suitable). When the meter starts up there are no known flows;
all the flow records are in the 'inactive' state. all the flow records are in the 'inactive' state.
Each time a packet is matched for a flow which is not in a current flow Each time a packet is matched for a flow which is not in a current flow
set a flow record is created for it; the state of such a record is set a flow record is created for it; the state of such a record is
'current.' When selecting a record for the new flow the meter searches 'current.' When selecting a record for the new flow the meter searches
the flow table for an 'inactive' record. If no inactive records are the flow table for an 'inactive' record. If no inactive records are
skipping to change at page 29, line 5 skipping to change at page 29, line 5
background process which scans the flow table looking for 'current' background process which scans the flow table looking for 'current'
flows whose 'last packet' time is earlier than the meter's flows whose 'last packet' time is earlier than the meter's
LastCollectTime. LastCollectTime.
Another recovery strategy is to leave idle flows alone as long as Another recovery strategy is to leave idle flows alone as long as
possible, which would be acceptable if one was only interested in possible, which would be acceptable if one was only interested in
measuring total traffic volumes. It could be implemented by having the measuring total traffic volumes. It could be implemented by having the
meter search for collected idle flows only when it ran low on 'inactive' meter search for collected idle flows only when it ran low on 'inactive'
flow records. flow records.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
One further factor a meter should consider before recovering a flow is One further factor a meter should consider before recovering a flow is
the number of meter readers which have collected the flow's data. If the number of meter readers which have collected the flow's data. If
there are multiple meter readers operating, each reader should collect a there are multiple meter readers operating, each reader should collect a
flow's data before its memory is recovered. flow's data before its memory is recovered.
Of course a meter reader may fail, so the meter cannot wait forever for Of course a meter reader may fail, so the meter cannot wait forever for
it. Instead the meter must keep a table of active meter readers, with a it. Instead the meter must keep a table of active meter readers, with a
timeout specified for each. If a meter reader fails to collect flow timeout specified for each. If a meter reader fails to collect flow
data within its timeout interval, the meter should delete that reader data within its timeout interval, the meter should delete that reader
from the meter's active meter reader table. from the meter's active meter reader table.
4.6 Handling Increasing Traffic Levels 4.6 Handling Increasing Traffic Levels
Under normal conditions the meter reader specifies which set of usage Under normal conditions the meter reader specifies which set of usage
records it wants to collect, and the meter provides them. If, however, records it wants to collect, and the meter provides them. If, however,
memory usage rises above the high-water mark the meter should switch to memory usage rises above the high-water mark the meter should switch to
a STANDBY RULE SET so as to decrease the rate at which new flows are a STANDBY RULE SET so as to decrease the rate at which new flows are
created. created.
When the manager, usually as part of a regular poll, becomes aware that When the manager, usually as part of a regular poll, becomes aware that
the meter is using its standby rule set, it could decrease the interval the meter is using its standby rule set, it could decrease the interval
between collections. This would shorten the time that flows sit in between collections. This would shorten the time that flows sit in
memory waiting to be collected, allowing the meter to free flow memory memory waiting to be collected, allowing the meter to free flow memory
faster. faster.
The meter could also increase its efforts to recover flow memory so as The meter could also increase its efforts to recover flow memory so as
to reduce the number of idle flows in memory. When the situation to reduce the number of idle flows in memory. When the situation
returns to normal, the manager may request the meter to switch back to returns to normal, the manager may request the meter to switch back to
its normal rule set. its normal rule set.
5 Meter Readers 5 Meter Readers
Usage data is accumulated by a meter (e.g. in a router) as memory Usage data is accumulated by a meter (e.g. in a router) as memory
permits. It is collected at regular reporting intervals by meter permits. It is collected at regular reporting intervals by meter
readers, as specified by a manager. The collected data is recorded in readers, as specified by a manager. The collected data is recorded in
stable storage as a FLOW DATA FILE, as a sequence of USAGE RECORDS. stable storage as a FLOW DATA FILE, as a sequence of USAGE RECORDS.
The following sections describe the contents of usage records and flow The following sections describe the contents of usage records and flow
data files. Note, however, that at this stage the details of such data files. Note, however, that at this stage the details of such
records and files is not specified in the architecture. Specifying a records and files is not specified in the architecture. Specifying a
common format for them would be a worthwhile future development. common format for them would be a worthwhile future development.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
5.1 Identifying Flows in Flow Records 5.1 Identifying Flows in Flow Records
Once a packet has been classified and is ready to be counted, an Once a packet has been classified and is ready to be counted, an
appropriate flow data record must already exist in the flow table; appropriate flow data record must already exist in the flow table;
otherwise one must be created. The flow record has a flexible format otherwise one must be created. The flow record has a flexible format
where unnecessary identification attributes may be omitted. The where unnecessary identification attributes may be omitted. The
determination of which attributes of the flow record to use, and of what determination of which attributes of the flow record to use, and of what
values to put in them, is specified by the current rule set. values to put in them, is specified by the current rule set.
Note that the combination of start time, rule set number and flow Note that the combination of start time, rule set number and flow
subscript (row number in the flow table) provide a unique flow subscript (row number in the flow table) provide a unique flow
identifier, regardless of the values of its other attributes. identifier, regardless of the values of its other attributes.
The current rule set may specify additional information, e.g. a The current rule set may specify additional information, e.g. a computed
computed attribute value such as FlowKind, which is to be placed in the attribute value such as FlowKind, which is to be placed in the attribute
attribute section of the usage record. That is, if a particular flow is section of the usage record. That is, if a particular flow is matched
matched by the rule set, then the corresponding flow record should be by the rule set, then the corresponding flow record should be marked not
marked not only with the qualifying identification attributes, but also only with the qualifying identification attributes, but also with the
with the additional information. Using this feature, several flows may additional information. Using this feature, several flows may each
each carry the same FlowKind value, so that the resulting usage records carry the same FlowKind value, so that the resulting usage records can
can be used in post-processing or between meter reader and meter as a be used in post-processing or between meter reader and meter as a
criterion for collection. criterion for collection.
5.2 Usage Records, Flow Data Files 5.2 Usage Records, Flow Data Files
The collected usage data will be stored in flow data files on the meter The collected usage data will be stored in flow data files on the meter
reader, one file for each meter. As well as containing the measured reader, one file for each meter. As well as containing the measured
usage data, flow data files must contain information uniquely usage data, flow data files must contain information uniquely
identifiying the meter from which it was collected. identifiying the meter from which it was collected.
A USAGE RECORD contains the descriptions of and values for one or more A USAGE RECORD contains the descriptions of and values for one or more
flows. Quantities are counted in terms of number of packets and number flows. Quantities are counted in terms of number of packets and number
of bytes per flow. Other quantities, e.g. short-term flow rates, may of bytes per flow. Other quantities, e.g. short-term flow rates, may be
be added later; work on such extensions is described in the RTFM 'New added later; work on such extensions is described in the RTFM 'New
Attributes' document [1]. Attributes' document [RTFM-NEW].
Each usage record contains the metered traffic group identifier of the Each usage record contains the metered traffic group identifier of the
meter (a set of network addresses), a time stamp and a list of reported meter (a set of network addresses), a time stamp and a list of reported
flows (FLOW DATA RECORDS). A meter reader will build up a file of usage flows (FLOW DATA RECORDS). A meter reader will build up a file of usage
records by regularly collecting flow data from a meter, using this data records by regularly collecting flow data from a meter, using this data
to build usage records and concatenating them to the tail of a file. to build usage records and concatenating them to the tail of a file.
Such a file is called a FLOW DATA FILE. Such a file is called a FLOW DATA FILE.
A usage record contains the following information in some form: A usage record contains the following information in some form:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| RECORD IDENTIFIERS: | | RECORD IDENTIFIERS: |
| Meter Id (& digital signature if required) | | Meter Id (& digital signature if required) |
| Timestamp | | Timestamp |
| Collection Rules ID | | Collection Rules ID |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
| FLOW IDENTIFIERS: | COUNTERS | | FLOW IDENTIFIERS: | COUNTERS |
| Address List | Packet Count | | Address List | Packet Count |
| Subscriber ID (Optional) | Byte Count | | Subscriber ID (Optional) | Byte Count |
| Attributes (Optional) | Flow Start/Stop Time | | Attributes (Optional) | Flow Start/Stop Time |
+-------------------------------------------------------------------+ +-------------------------------------------------------------------+
5.3 Meter to Meter Reader: Usage Record Transmission 5.3 Meter to Meter Reader: Usage Record Transmission
The usage record contents are the raison d'etre of the system. The The usage record contents are the raison d'etre of the system. The
accuracy, reliability, and security of transmission are the primary accuracy, reliability, and security of transmission are the primary
concerns of the meter/meter reader exchange. Since errors may occur on concerns of the meter/meter reader exchange. Since errors may occur on
networks, and Internet packets may be dropped, some mechanism for networks, and Internet packets may be dropped, some mechanism for
ensuring that the usage information is transmitted intact is needed. ensuring that the usage information is transmitted intact is needed.
Flow data is moved from meter to meter reader via a series of protocol Flow data is moved from meter to meter reader via a series of protocol
exchanges between them. This may be carried out in various ways, moving exchanges between them. This may be carried out in various ways, moving
individual attribute values, complete flows, or the entire flow table individual attribute values, complete flows, or the entire flow table
(i.e. all the active and idle flows). One possible method of achieving (i.e. all the active and idle flows). One possible method of achieving
this transfer is to use SNMP; the 'Traffic Flow Measurement: Meter MIB' this transfer is to use SNMP; the 'Traffic Flow Measurement: Meter MIB'
RFC [7] gives details. Note that this is simply one example; the RFC [RTFM-MIB] gives details. Note that this is simply one example; the
transfer of flow data from meter to meter reader is not specified in transfer of flow data from meter to meter reader is not specified in
this document. this document.
The reliability of the data transfer method under light, normal, and The reliability of the data transfer method under light, normal, and
extreme network loads should be understood before selecting among extreme network loads should be understood before selecting among
collection methods. collection methods.
In normal operation the meter will be running a rule file which provides In normal operation the meter will be running a rule file which provides
the required degree of flow reporting granularity, and the meter the required degree of flow reporting granularity, and the meter
reader(s) will collect the flow data often enough to allow the meter's reader(s) will collect the flow data often enough to allow the meter's
skipping to change at page 31, line 55 skipping to change at page 32, line 4
In the worst case traffic may increase to the point where the meter is In the worst case traffic may increase to the point where the meter is
in danger of running completely out of flow memory. The meter in danger of running completely out of flow memory. The meter
implementor must decide how to handle this, for example by switching to implementor must decide how to handle this, for example by switching to
a default (extremely coarse granularity) rule set, by sending a trap a default (extremely coarse granularity) rule set, by sending a trap
message to the manager, or by attempting to dump flow data to the meter message to the manager, or by attempting to dump flow data to the meter
reader. reader.
Users of the Traffic Flow Measurement system should analyse their Users of the Traffic Flow Measurement system should analyse their
requirements carefully and assess for themselves whether it is more requirements carefully and assess for themselves whether it is more
important to attempt to collect flow data at normal granularity important to attempt to collect flow data at normal granularity
(increasing the collection frequency as needed to keep up with traffic
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
(increasing the collection frequency as needed to keep up with traffic
volumes), or to accept flow data with a coarser granularity. Similarly, volumes), or to accept flow data with a coarser granularity. Similarly,
it may be acceptable to lose flow data for a short time in return for it may be acceptable to lose flow data for a short time in return for
being sure that the meter keeps running properly, i.e. is not being sure that the meter keeps running properly, i.e. is not
overwhelmed by rising traffic levels. overwhelmed by rising traffic levels.
6 Managers 6 Managers
A manager configures meters and controls meter readers. It does this A manager configures meters and controls meter readers. It does this
via the interactions described below. via the interactions described below.
6.1 Between Manager and Meter: Control Functions 6.1 Between Manager and Meter: Control Functions
- DOWNLOAD RULE SET: A meter may hold an array of rule sets. One of - DOWNLOAD RULE SET: A meter may hold an array of rule sets. One of
these, the 'default' rule set, is built in to the meter and cannot these, the 'default' rule set, is built in to the meter and cannot
be changed; this is a diagnostic feature, ensuring that when a be changed; this is a diagnostic feature, ensuring that when a
meter starts up it will be running a known ruleset. meter starts up it will be running a known ruleset.
All other rule sets must be downloaded by the manager. A manager All other rule sets must be downloaded by the manager. A manager
may use any suitable protocol exchange to achieve this, for example may use any suitable protocol exchange to achieve this, for example
an FTP file transfer or a series of SNMP SETs, one for each row of an FTP file transfer or a series of SNMP SETs, one for each row of
the rule set. the rule set.
skipping to change at page 33, line 5 skipping to change at page 32, line 51
each task it is currently running. each task it is currently running.
If the high traffic levels persist, the meter's normal rule set may If the high traffic levels persist, the meter's normal rule set may
have to be rewritten to permanently reduce the reporting have to be rewritten to permanently reduce the reporting
granularity. granularity.
- SET FLOW TERMINATION PARAMETERS: The meter should have the good - SET FLOW TERMINATION PARAMETERS: The meter should have the good
sense in situations where lack of resources may cause data loss to sense in situations where lack of resources may cause data loss to
purge flow records from its tables. Such records may include: purge flow records from its tables. Such records may include:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 - Flows that have already been reported to all registered meter
- Flows that have already been reported to all registered meter
readers, and show no activity since the last report, readers, and show no activity since the last report,
- Oldest flows, or
- Flows with the smallest number of observed packets.
- Oldest flows, or INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- Flows with the smallest number of observed packets.
- SET INACTIVITY TIMEOUT: This is a time in seconds since the last - SET INACTIVITY TIMEOUT: This is a time in seconds since the last
packet was seen for a flow. Flow records may be reclaimed if they packet was seen for a flow. Flow records may be reclaimed if they
have been idle for at least this amount of time, and have been have been idle for at least this amount of time, and have been
collected in accordance with the current collection criteria. collected in accordance with the current collection criteria.
It might be useful if a manager could set the FLOW TERMINATION It might be useful if a manager could set the FLOW TERMINATION
PARAMETERS to different values for different tasks. Current meter PARAMETERS to different values for different tasks. Current meter
implementations have only single ('whole meter') values for these implementations have only single ('whole meter') values for these
parameters, and experience to date suggests that this provides an parameters, and experience to date suggests that this provides an
adequate degree of control for the tasks. adequate degree of control for the tasks.
6.2 Between Manager and Meter Reader: Control Functions 6.2 Between Manager and Meter Reader: Control Functions
Because there are a number of parameters that must be set for traffic Because there are a number of parameters that must be set for traffic
flow measurement to function properly, and viable settings may change as flow measurement to function properly, and viable settings may change as
a result of network traffic characteristics, it is desirable to have a result of network traffic characteristics, it is desirable to have
dynamic network management as opposed to static meter configurations. dynamic network management as opposed to static meter configurations.
Many of these operations have to do with space tradeoffs - if memory at Many of these operations have to do with space tradeoffs - if memory at
the meter is exhausted, either the collection interval must be decreased the meter is exhausted, either the collection interval must be decreased
or a coarser granularity of aggregation must be used to reduce the or a coarser granularity of aggregation must be used to reduce the
number of active flows. number of active flows.
skipping to change at page 34, line 5 skipping to change at page 33, line 43
purpose of the network), the level of traffic flow measurement traffic purpose of the network), the level of traffic flow measurement traffic
should be kept to an affordable fraction of the bandwidth. should be kept to an affordable fraction of the bandwidth.
("Affordable" is a policy decision made by the Network Operations ("Affordable" is a policy decision made by the Network Operations
personnel). At any rate, it must be understood that the operations personnel). At any rate, it must be understood that the operations
below do not represent the setting of independent variables; on the below do not represent the setting of independent variables; on the
contrary, each of the values set has a direct and measurable effect on contrary, each of the values set has a direct and measurable effect on
the behaviour of the other variables. the behaviour of the other variables.
Network management operations follow: Network management operations follow:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
- MANAGER and METER READER IDENTIFICATION: The manager should ensure - MANAGER and METER READER IDENTIFICATION: The manager should ensure
that meters are read by the correct set of meter readers, and take that meters are read by the correct set of meter readers, and take
steps to prevent unauthorised access to usage information. The steps to prevent unauthorised access to usage information. The
meter readers so identified should be prepared to poll if necessary meter readers so identified should be prepared to poll if necessary
and accept data from the appropriate meters. Alternate meter and accept data from the appropriate meters. Alternate meter
readers may be identified in case both the primary manager and the readers may be identified in case both the primary manager and the
primary meter reader are unavailable. Similarly, alternate primary meter reader are unavailable. Similarly, alternate
managers may be identified. managers may be identified.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- REPORTING INTERVAL CONTROL: The usual reporting interval should be - REPORTING INTERVAL CONTROL: The usual reporting interval should be
selected to cope with normal traffic patterns. However, it may be selected to cope with normal traffic patterns. However, it may be
possible for a meter to exhaust its memory during traffic spikes possible for a meter to exhaust its memory during traffic spikes
even with a correctly set reporting interval. Some mechanism even with a correctly set reporting interval. Some mechanism
should be available for the meter to tell the manager that it is in should be available for the meter to tell the manager that it is in
danger of exhausting its memory (by declaring a 'high water' danger of exhausting its memory (by declaring a 'high water'
condition), and for the manager to arbitrate (by decreasing the condition), and for the manager to arbitrate (by decreasing the
polling interval, letting nature take its course, or by telling the polling interval, letting nature take its course, or by telling the
meter to ask for help sooner next time). meter to ask for help sooner next time).
- GRANULARITY CONTROL: Granularity control is a catch-all for all the - GRANULARITY CONTROL: Granularity control is a catch-all for all the
parameters that can be tuned and traded to optimise the system's parameters that can be tuned and traded to optimise the system's
ability to reliably measure and store information on all the ability to reliably measure and store information on all the
traffic (or as close to all the traffic as an administration traffic (or as close to all the traffic as an administration
requires). Granularity: requires). Granularity:
- Controls the amount of address information identifying each - Controls the amount of address information identifying each
flow, and flow, and
- Determines the number of buckets into which user traffic will
- Determines the number of buckets into which user traffic will
be lumped together. be lumped together.
Since granularity is controlled by the meter's current rule set, Since granularity is controlled by the meter's current rule set,
the manager can only change it by requesting the meter to switch to the manager can only change it by requesting the meter to switch to
a different rule set. The new rule set could be downloaded when a different rule set. The new rule set could be downloaded when
required, or it could have been downloaded as part of the meter's required, or it could have been downloaded as part of the meter's
initial configuration. initial configuration.
- FLOW LIFETIME CONTROL: Flow termination parameters include timeout - FLOW LIFETIME CONTROL: Flow termination parameters include timeout
parameters for obsoleting inactive flows and removing them from parameters for obsoleting inactive flows and removing them from
tables, and maximum flow lifetimes. This is intertwined with tables, and maximum flow lifetimes. This is intertwined with
reporting interval and granularity, and must be set in accordance reporting interval and granularity, and must be set in accordance
with the other parameters. with the other parameters.
6.3 Exception Conditions 6.3 Exception Conditions
Exception conditions must be handled, particularly occasions when the Exception conditions must be handled, particularly occasions when the
meter runs out of space for flow data. Since - to prevent an active meter runs out of space for flow data. Since - to prevent an active
task from counting any packet twice - packets can only be counted in a task from counting any packet twice - packets can only be counted in a
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
single flow, discarding records will result in the loss of information. single flow, discarding records will result in the loss of information.
The mechanisms to deal with this are as follows: The mechanisms to deal with this are as follows:
- METER OUTAGES: In case of impending meter outages (controlled - METER OUTAGES: In case of impending meter outages (controlled
restarts, etc.) the meter could send a trap to the manager. The restarts, etc.) the meter could send a trap to the manager. The
manager could then request one or more meter readers to pick up the manager could then request one or more meter readers to pick up the
data from the meter. data from the meter.
Following an uncontrolled meter outage such as a power failure, the Following an uncontrolled meter outage such as a power failure, the
meter could send a trap to the manager indicating that it has meter could send a trap to the manager indicating that it has
restarted. The manager could then download the meter's correct restarted. The manager could then download the meter's correct
rule set and advise the meter reader(s) that the meter is running rule set and advise the meter reader(s) that the meter is running
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
again. Alternatively, the meter reader may discover from its again. Alternatively, the meter reader may discover from its
regular poll that a meter has failed and restarted. It could then regular poll that a meter has failed and restarted. It could then
advise the manager of this, instead of relying on a trap from the advise the manager of this, instead of relying on a trap from the
meter. meter.
- METER READER OUTAGES: If the collection system is down or isolated, - METER READER OUTAGES: If the collection system is down or isolated,
the meter should try to inform the manager of its failure to the meter should try to inform the manager of its failure to
communicate with the collection system. Usage data is maintained communicate with the collection system. Usage data is maintained
in the flows' rolling counters, and can be recovered when the meter in the flows' rolling counters, and can be recovered when the meter
reader is restarted. reader is restarted.
- MANAGER OUTAGES: If the manager fails for any reason, the meter - MANAGER OUTAGES: If the manager fails for any reason, the meter
should continue measuring and the meter reader(s) should keep should continue measuring and the meter reader(s) should keep
gathering usage records. gathering usage records.
- BUFFER PROBLEMS: The network manager may realise that there is a - BUFFER PROBLEMS: The network manager may realise that there is a
'low memory' condition in the meter. This can usually be 'low memory' condition in the meter. This can usually be
attributed to the interaction between the following controls: attributed to the interaction between the following controls:
- The reporting interval is too infrequent, or - The reporting interval is too infrequent, or
- The reporting granularity is too fine.
- The reporting granularity is too fine.
Either of these may be exacerbated by low throughput or bandwidth Either of these may be exacerbated by low throughput or bandwidth
of circuits carrying the usage data. The manager may change any of of circuits carrying the usage data. The manager may change any of
these parameters in response to the meter (or meter reader's) plea these parameters in response to the meter (or meter reader's) plea
for help. for help.
6.4 Standard Rule Sets 6.4 Standard Rule Sets
Although the rule table is a flexible tool, it can also become very Although the rule table is a flexible tool, it can also become very
complex. It may be helpful to develop some rule sets for common complex. It may be helpful to develop some rule sets for common
applications: applications:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
- PROTOCOL TYPE: The meter records packets by protocol type. This - PROTOCOL TYPE: The meter records packets by protocol type. This
will be the default rule table for Traffic Flow Meters. will be the default rule table for Traffic Flow Meters.
- ADJACENT SYSTEMS: The meter records packets by the MAC address of - ADJACENT SYSTEMS: The meter records packets by the MAC address of
the Adjacent Systems (neighbouring originator or next-hop). the Adjacent Systems (neighbouring originator or next-hop).
(Variants on this table are "report source" or "report sink" only.) (Variants on this table are "report source" or "report sink" only.)
This strategy might be used by a regional or backbone network which This strategy might be used by a regional or backbone network which
wants to know how much aggregate traffic flows to or from its wants to know how much aggregate traffic flows to or from its
subscriber networks. subscriber networks.
- END SYSTEMS: The meter records packets by the IP address pair - END SYSTEMS: The meter records packets by the IP address pair
contained in the packet. (Variants on this table are "report contained in the packet. (Variants on this table are "report
source" or "report sink" only.) This strategy might be used by an source" or "report sink" only.) This strategy might be used by an
End System network to get detailed host traffic matrix usage data. End System network to get detailed host traffic matrix usage data.
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
- TRANSPORT TYPE: The meter records packets by transport address; for - TRANSPORT TYPE: The meter records packets by transport address; for
IP packets this provides usage information for the various IP IP packets this provides usage information for the various IP
services. services.
- HYBRID SYSTEMS: Combinations of the above, e.g. for one interface - HYBRID SYSTEMS: Combinations of the above, e.g. for one interface
report End Systems, for another interface report Adjacent Systems. report End Systems, for another interface report Adjacent Systems.
This strategy might be used by an enterprise network to learn This strategy might be used by an enterprise network to learn
detail about local usage and use an aggregate count for the shared detail about local usage and use an aggregate count for the shared
regional network. regional network.
7 Security Considerations 7 Security Considerations
7.1 Threat Analysis 7.1 Threat Analysis
A traffic flow measurement system may be subject to the following kinds A traffic flow measurement system may be subject to the following kinds
of attacks: of attacks:
- ATTEMPTS TO DISABLE A TRAFFIC METER: An attacker may attempt to - ATTEMPTS TO DISABLE A TRAFFIC METER: An attacker may attempt to
disrupt traffic measurement so as to prevent users being charged disrupt traffic measurement so as to prevent users being charged
for network usage. For example, a network probe sending packets to for network usage. For example, a network probe sending packets to
a large number of destination and transport addresses could produce a large number of destination and transport addresses could produce
a sudden rise in the number of flows in a meter's flow table, thus a sudden rise in the number of flows in a meter's flow table, thus
forcing it to use its coarser standby rule set. forcing it to use its coarser standby rule set.
- UNAUTHORIZED USE OF SYSTEM RESOURCES: An attacker may wish to gain - UNAUTHORIZED USE OF SYSTEM RESOURCES: An attacker may wish to gain
advantage or cause mischief (e.g. denial of service) by subverting dadvantage or cause mischief (e.g. denial of service) by subverting
any of the system elements - meters, meter readers or managers. any of the system elements - meters, meter readers or managers.
- UNAUTHORIZED DISCLOSURE OF DATA: Any data that is sensitive to - UNAUTHORIZED DISCLOSURE OF DATA: Any data that is sensitive to
disclosure can be read through active or passive attacks unless it disclosure can be read through active or passive attacks unless it
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
is suitably protected. Usage data may or may not be of this type. is suitably protected. Usage data may or may not be of this type.
Control messages, traps, etc. are not likely to be considered Control messages, traps, etc. are not likely to be considered
sensitive to disclosure. sensitive to disclosure.
- UNAUTHORIZED ALTERATION, REPLACEMENT OR DESTRUCTION OF DATA: - UNAUTHORIZED ALTERATION, REPLACEMENT OR DESTRUCTION OF DATA:
Similarly, any data whose integrity is sensitive can be altered, Similarly, any data whose integrity is sensitive can be altered,
replaced/injected or deleted through active or passive attacks replaced/injected or deleted through active or passive attacks
unless it is suitably protected. Attackers may modify message unless it is suitably protected. Attackers may modify message
streams to falsify usage data or interfere with the proper streams to falsify usage data or interfere with the proper
operation of the traffic flow measurement system. Therefore, all operation of the traffic flow measurement system. Therefore, all
messages, both those containing usage data and those containing messages, both those containing usage data and those containing
control data, should be considered vulnerable to such attacks. control data, should be considered vulnerable to such attacks.
7.2 Countermeasures INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
7.2 Countermeasures
The following countermeasures are recommended to address the possible The following countermeasures are recommended to address the possible
threats enumerated above: threats enumerated above:
- ATTEMPTS TO DISABLE A TRAFFIC METER can't be completely countered. - ATTEMPTS TO DISABLE A TRAFFIC METER can't be completely countered.
In practice, flow data records from network security attacks have In practice, flow data records from network security attacks have
proved very useful in determining what happened. The most proved very useful in determining what happened. The most
effective approach is first to configure the meter so that it has effective approach is first to configure the meter so that it has
three or more times as much flow memory as it needs in normal three or more times as much flow memory as it needs in normal
operation, and second to collect the flow data fairly frequently so operation, and second to collect the flow data fairly frequently so
skipping to change at page 38, line 5 skipping to change at page 37, line 41
a high degree of protection is required, the use of strong cryptographic a high degree of protection is required, the use of strong cryptographic
methodologies is recommended. The security requirements for methodologies is recommended. The security requirements for
communication between pairs of traffic measurmement system elements are communication between pairs of traffic measurmement system elements are
summarized in the table below. It is assumed that meters do not summarized in the table below. It is assumed that meters do not
communicate with other meters, and that meter readers do not communicate communicate with other meters, and that meter readers do not communicate
directly with other meter readers (if synchronization is required, it is directly with other meter readers (if synchronization is required, it is
handled by the manager, see Section 2.5). Each entry in the table handled by the manager, see Section 2.5). Each entry in the table
indicates which kinds of security services are required. Basically, the indicates which kinds of security services are required. Basically, the
requirements are as follows: requirements are as follows:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
Security Service Requirements for RTFM elements Security Service Requirements for RTFM elements
+------------------------------------------------------------------+ +------------------------------------------------------------------+
| from\to | meter | meter reader | application | manager | | from\to | meter | meter reader | application | manager |
|---------+--------------+--------------+-------------+------------| |---------+--------------+--------------+-------------+------------|
| meter | N/A | authent | N/A | authent | | meter | N/A | authent | N/A | authent |
| | | acc ctrl | | acc ctrl | | | | acc ctrl | | acc ctrl |
| | | integrity | | | | | | integrity | | |
| | | confid ** | | | | | | confid ** | | |
|---------+--------------+--------------+-------------+------------| |---------+--------------+--------------+-------------+------------|
| meter | authent | N/A | authent | authent | | meter | authent | N/A | authent | authent |
| reader | acc ctrl | | acc ctrl | acc ctrl | | reader | acc ctrl | | acc ctrl | acc ctrl |
| | | | integrity | | | | | | integrity | |
| | | | confid ** | | | | | | confid ** | |
|---------+--------------+--------------+-------------+------------| |---------+--------------+--------------+-------------+------------|
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
|---------+--------------+--------------+-------------+------------|
| appl | N/A | authent | | | | appl | N/A | authent | | |
| | | acc ctrl | ## | ## | | | | acc ctrl | ## | ## |
|---------+--------------+--------------+-------------+------------| |---------+--------------+--------------+-------------+------------|
| manager | authent | authent | ## | authent | | manager | authent | authent | ## | authent |
| | acc ctrl | acc ctrl | | acc ctrl | | | acc ctrl | acc ctrl | | acc ctrl |
| | integrity | integrity | | integrity | | | integrity | integrity | | integrity |
+------------------------------------------------------------------+ +------------------------------------------------------------------+
N/A = Not Applicable ** = optional ## = outside RTFM scope N/A = Not Applicable ** = optional ## = outside RTFM scope
skipping to change at page 39, line 5 skipping to change at page 38, line 36
- Whenever there is a transfer of usage data it should be possible to - Whenever there is a transfer of usage data it should be possible to
ensure its confidentiality if it is deemed sensitive to disclosure. ensure its confidentiality if it is deemed sensitive to disclosure.
This is indicated by 'confid' in the table. This is indicated by 'confid' in the table.
Security protocols are not specified in this document. The system Security protocols are not specified in this document. The system
elements' management and collection protocols are responsible for elements' management and collection protocols are responsible for
providing sufficient data integrity, confidentiality, authentication and providing sufficient data integrity, confidentiality, authentication and
access control services. access control services.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 8 IANA Considerations
8 IANA Considerations
The RTFM Architecture, as set out in this document, has two sets of The RTFM Architecture, as set out in this document, has two sets of
assigned numbers. Considerations for assigning them are discussed in assigned numbers. Considerations for assigning them are discussed in
this section, using the example policies as set out in the "Guidelines this section, using the example policies as set out in the "Guidelines
for IANA Considerations" document [8]. for IANA Considerations" document [IANA-RFC].
8.1 PME Opcodes 8.1 PME Opcodes
The Pattern Matching Engine (PME) is a virtual machine, executing RTFM The Pattern Matching Engine (PME) is a virtual machine, executing RTFM
rules as its instructions. The PME opcodes appear in the 'action' field rules as its instructions. The PME opcodes appear in the 'action' field
of an RTFM rule. The current list of opcodes, and their values for the of an RTFM rule. The current list of opcodes, and their values for the
PME's 'goto' and 'test' flags, are set out in section 4.4 above ("Rules PME's 'goto' and 'test' flags, are set out in section 4.4 above ("Rules
and Rulesets). and Rulesets).
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
The PME opcodes are pivotal to the RTFM architecture, since they must be The PME opcodes are pivotal to the RTFM architecture, since they must be
implemented in every RTFM meter. Any new opcodes must therefore be implemented in every RTFM meter. Any new opcodes must therefore be
allocated through an IETF Consensus action [8]. allocated through an IETF Consensus action [IANA-RFC].
Opcodes are simply non-negative integers, but new opcodes should be Opcodes are simply non-negative integers, but new opcodes should be
allocated sequentially so as to keep the total opcode range as small as allocated sequentially so as to keep the total opcode range as small as
possible. possible.
8.2 RTFM Attributes 8.2 RTFM Attributes
Attribute numbers in the range of 0-511 are globally unique and are Attribute numbers in the range of 0-511 are globally unique and are
allocated according to an IETF Consensus action [8]. Appendix C of this allocated according to an IETF Consensus action [IANA-RFC]. Appendix C
document allocates a basic (i.e. useful minimum) set of attribtes; they of this document allocates a basic (i.e. useful minimum) set of
are assigned numbers in the range 0 to 63. The RTFM working group is attribtes; they are assigned numbers in the range 0 to 63. The RTFM
working on an extended set of attributes, which will have numbers in the working group is working on an extended set of attributes, which will
range 64 to 127. have numbers in the range 64 to 127.
Vendor-specific attribute numbers are in the range 512-1023, and will be Vendor-specific attribute numbers are in the range 512-1023, and will be
allocated using the First Come FIrst Served policy [8]. Vendors allocated using the First Come FIrst Served policy [IANA-RFC]. Vendors
requiring attribute numbers should submit a request to IANA giving the requiring attribute numbers should submit a request to IANA giving the
attribute names: IANA will allocate them the next available numbers. attribute names: IANA will allocate them the next available numbers.
Attribute numbers 1024 and higher are Reserved for Private Use [8]. Attribute numbers 1024 and higher are Reserved for Private Use
Implementors wishing to experiment with further new attributes should [IANA-RFC]. Implementors wishing to experiment with further new
use attribute numbers in this range. attributes should use attribute numbers in this range.
Attribute numbers are simply non-negative integers. When writing Attribute numbers are simply non-negative integers. When writing
specifications for attributes, implementors must give sufficient detail specifications for attributes, implementors must give sufficient detail
for the new attributes to be easily added to the RTFM Meter MIB [7]. for the new attributes to be easily added to the RTFM Meter MIB
In particular, they must indicate whether the new attributes may be: [RTFM-MIB]. In particular, they must indicate whether the new attributes
may be:
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
- tested in an IF statement - tested in an IF statement
- saved by a SAVE statement or set by a STORE statement - saved by a SAVE statement or set by a STORE statement
- read from an RTFM meter - read from an RTFM meter
(IF, SAVE and STORE are statements in the SRL Ruleset Language [6]). (IF, SAVE and STORE are statements in the SRL Ruleset Language
[RTFM-SRL]).
9 APPENDICES INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
9.1 Appendix A: Network Characterisation 9 APPENDICES
9.1 Appendix A: Network Characterisation
Internet users have extraordinarily diverse requirements. Networks Internet users have extraordinarily diverse requirements. Networks
differ in size, speed, throughput, and processing power, among other differ in size, speed, throughput, and processing power, among other
factors. There is a range of traffic flow measurement capabilities and factors. There is a range of traffic flow measurement capabilities and
requirements. For traffic flow measurement purposes, the Internet may requirements. For traffic flow measurement purposes, the Internet may
be viewed as a continuum which changes in character as traffic passes be viewed as a continuum which changes in character as traffic passes
through the following representative levels: through the following representative levels:
International | International |
Backbones/National --------------- Backbones/National ---------------
skipping to change at page 41, line 5 skipping to change at page 40, line 43
networks. Individual hosts (with the exception of network management networks. Individual hosts (with the exception of network management
devices and backbone service hosts) typically are not directly connected devices and backbone service hosts) typically are not directly connected
to backbones. to backbones.
REGIONAL networks are closely related to backbones, and differ only in REGIONAL networks are closely related to backbones, and differ only in
size, the number of networks connected via each port, and geographical size, the number of networks connected via each port, and geographical
coverage. Regionals may have directly connected hosts, acting as hybrid coverage. Regionals may have directly connected hosts, acting as hybrid
backbone/stub networks. A regional network is a SUBSCRIBER to the backbone/stub networks. A regional network is a SUBSCRIBER to the
backbone. backbone.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 STUB/ENTERPRISE networks connect hosts and local area networks.
STUB/ENTERPRISE networks are SUBSCRIBERS to regional and backbone
STUB/ENTERPRISE networks connect hosts and local area networks. STUB/ networks.
ENTERPRISE networks are SUBSCRIBERS to regional and backbone networks.
END SYSTEMS, colloquially HOSTS, are SUBSCRIBERS to any of the above END SYSTEMS, colloquially HOSTS, are SUBSCRIBERS to any of the above
networks. networks.
Providing a uniform identification of the SUBSCRIBER in finer Providing a uniform identification of the SUBSCRIBER in finer
granularity than that of end-system, (e.g. user/account), is beyond the granularity than that of end-system, (e.g. user/account), is beyond the
scope of the current architecture, although an optional attribute in the scope of the current architecture, although an optional attribute in the
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
traffic flow measurement record may carry system-specific 'user traffic flow measurement record may carry system-specific 'user
identification' labels so that meters can implement proprietary or identification' labels so that meters can implement proprietary or
non-standard schemes for the attribution of network traffic to non-standard schemes for the attribution of network traffic to
responsible parties. responsible parties.
9.2 Appendix B: Recommended Traffic Flow Measurement Capabilities 9.2 Appendix B: Recommended Traffic Flow Measurement Capabilities
Initial recommended traffic flow measurement conventions are outlined Initial recommended traffic flow measurement conventions are outlined
here according to the following Internet building blocks. It is here according to the following Internet building blocks. It is
important to understand what complexity reporting introduces at each important to understand what complexity reporting introduces at each
network level. Whereas the hierarchy is described top-down in the network level. Whereas the hierarchy is described top-down in the
previous section, reporting requirements are more easily addressed previous section, reporting requirements are more easily addressed
bottom-up. bottom-up.
End-Systems End-Systems
Stub Networks Stub Networks
skipping to change at page 42, line 5 skipping to change at page 41, line 44
trace network usage back to users from shared processes). trace network usage back to users from shared processes).
STUB and ENTERPRISE networks will usually collect traffic data either by STUB and ENTERPRISE networks will usually collect traffic data either by
end-system network address or network address pair if detailed reporting end-system network address or network address pair if detailed reporting
is required in the local area network. If no local reporting is is required in the local area network. If no local reporting is
required, they may record usage information in the exit router to track required, they may record usage information in the exit router to track
external traffic only. (These are the only networks which routinely use external traffic only. (These are the only networks which routinely use
attributes to perform reporting at granularities finer than end-system attributes to perform reporting at granularities finer than end-system
or intermediate-system network address.) or intermediate-system network address.)
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
REGIONAL networks are intermediate networks. In some cases, subscribers REGIONAL networks are intermediate networks. In some cases, subscribers
will be enterprise networks, in which case the intermediate system will be enterprise networks, in which case the intermediate system
network address is sufficient to identify the regional's immediate network address is sufficient to identify the regional's immediate
subscriber. In other cases, individual hosts or a disjoint group of subscriber. In other cases, individual hosts or a disjoint group of
hosts may constitute a subscriber. Then end-system network address hosts may constitute a subscriber. Then end-system network address
pairs need to be tracked for those subscribers. When the source may be pairs need to be tracked for those subscribers. When the source may be
an aggregate entity (such as a network, or adjacent router representing an aggregate entity (such as a network, or adjacent router representing
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
traffic from a world of hosts beyond) and the destination is a singular traffic from a world of hosts beyond) and the destination is a singular
entity (or vice versa), the meter is said to be operating as a HYBRID entity (or vice versa), the meter is said to be operating as a HYBRID
system. system.
At the regional level, if the overhead is tolerable it may be At the regional level, if the overhead is tolerable it may be
advantageous to report usage both by intermediate system network address advantageous to report usage both by intermediate system network address
(e.g. adjacent router address) and by end-system network address or (e.g. adjacent router address) and by end-system network address or
end-system network address pair. end-system network address pair.
BACKBONE networks are the highest level networks operating at higher BACKBONE networks are the highest level networks operating at higher
link speeds and traffic levels. The high volume of traffic will in most link speeds and traffic levels. The high volume of traffic will in most
cases preclude detailed traffic flow measurement. Backbone networks cases preclude detailed traffic flow measurement. Backbone networks
will usually account for traffic by adjacent routers' network addresses. will usually account for traffic by adjacent routers' network addresses.
9.3 Appendix C: List of Defined Flow Attributes 9.3 Appendix C: List of Defined Flow Attributes
This Appendix provides a checklist of the attributes defined to date; This Appendix provides a checklist of the attributes defined to date;
others will be added later as the Traffic Measurement Architecture is others will be added later as the Traffic Measurement Architecture is
further developed. further developed.
Note that this table gives only a very brief summary. The Meter MIB [7] Note that this table gives only a very brief summary. The Meter MIB
provides the definitive specification of attributes and their allowed [RTFM-MIB] provides the definitive specification of attributes and their
values. The MIB variables which represent flow attributes have allowed values. The MIB variables which represent flow attributes have
'flowData' prepended to their names to indicate that they belong to the 'flowData' prepended to their names to indicate that they belong to the
MIB's flowData table. MIB's flowData table.
0 Null 0 Null
4 SourceInterface Integer Source Address 4 SourceInterface Integer Source Address
5 SourceAdjacentType Integer 5 SourceAdjacentType Integer
6 SourceAdjacentAddress String 6 SourceAdjacentAddress String
7 SourceAdjacentMask String 7 SourceAdjacentMask String
8 SourcePeerType Integer 8 SourcePeerType Integer
9 SourcePeerAddress String 9 SourcePeerAddress String
10 SourcePeerMask String 10 SourcePeerMask String
11 SourceTransType Integer 11 SourceTransType Integer
12 SourceTransAddress String 12 SourceTransAddress String
13 SourceTransMask String 13 SourceTransMask String
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
14 DestInterface Integer Destination Address 14 DestInterface Integer Destination Address
15 DestAdjacentType Integer 15 DestAdjacentType Integer
16 DestAdjacentAddress String 16 DestAdjacentAddress String
17 DestAdjacentMask String 17 DestAdjacentMask String
18 DestPeerType Integer 18 DestPeerType Integer
19 DestPeerAddress String 19 DestPeerAddress String
20 DestPeerMask String 20 DestPeerMask String
21 DestTransType Integer 21 DestTransType Integer
22 DestTransAddress String 22 DestTransAddress String
23 DestTransMask String 23 DestTransMask String
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
26 RuleSet Integer Meter attribute 26 RuleSet Integer Meter attribute
27 ToOctets Integer Source-to-Dest counters 27 ToOctets Integer Source-to-Dest counters
28 ToPDUs Integer 28 ToPDUs Integer
29 FromOctets Integer Dest-to-Source counters 29 FromOctets Integer Dest-to-Source counters
30 FromPDUs Integer 30 FromPDUs Integer
31 FirstTime Timestamp Activity times 31 FirstTime Timestamp Activity times
32 LastActiveTime Timestamp 32 LastActiveTime Timestamp
33 SourceSubscriberID String Session attributes 33 SourceSubscriberID String Session attributes
34 DestSubscriberID String 34 DestSubscriberID String
skipping to change at page 43, line 49 skipping to change at page 43, line 38
51 v1 Integer Meter Variables 51 v1 Integer Meter Variables
52 v2 Integer 52 v2 Integer
53 v3 Integer 53 v3 Integer
54 v4 Integer 54 v4 Integer
55 v5 Integer 55 v5 Integer
65 65
.. 'Extended' attributes (to be defined by the RTFM working group) .. 'Extended' attributes (to be defined by the RTFM working group)
127 127
9.4 Appendix D: List of Meter Control Variables 9.4 Appendix D: List of Meter Control Variables
Meter variables: Meter variables:
Flood Mark Percentage Flood Mark Percentage
Inactivity Timeout (seconds) Integer Inactivity Timeout (seconds) Integer
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99
'per task' variables: 'per task' variables:
Current Rule Set Number Integer Current Rule Set Number Integer
Standby Rule Set Number Integer Standby Rule Set Number Integer
High Water Mark Percentage High Water Mark Percentage
'per reader' variables: 'per reader' variables:
Reader Last Time Timestamp Reader Last Time Timestamp
9.5 Appendix E: Changes Introduced Since RFC 2063 INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
9.5 Appendix E: Changes Introduced Since RFC 2063
The first version of the Traffic Flow Measurement Architecture was The first version of the Traffic Flow Measurement Architecture was
published as RFC 2063 in January 1997. The most significant changes published as RFC 2063 in January 1997. The most significant changes
made since then are summarised below. made since then are summarised below.
- A Traffic Meter can now run multiple rule sets concurrently. This - A Traffic Meter can now run multiple rule sets concurrently. This
makes a meter much more useful, and required only minimal changes makes a meter much more useful, and required only minimal changes
to the architecture. to the architecture.
- 'NoMatch' replaces 'Fail' as an action. This name was agreed to at - 'NoMatch' replaces 'Fail' as an action. This name was agreed to at
skipping to change at page 45, line 5 skipping to change at page 44, line 40
rule set. This lifts an unneccessary earlier restriction. rule set. This lifts an unneccessary earlier restriction.
- The list of attribute numbers has been extended to define ranges - The list of attribute numbers has been extended to define ranges
for 'basic' attributes (in this document) and 'extended' attributes for 'basic' attributes (in this document) and 'extended' attributes
(currently being developed by the RTFM Working Group). (currently being developed by the RTFM Working Group).
- The 'Security Considerations' section has been completely - The 'Security Considerations' section has been completely
rewritten. It provides an evaluation of traffic measurement rewritten. It provides an evaluation of traffic measurement
security risks and their countermeasures. security risks and their countermeasures.
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 10 Acknowledgments
10 Acknowledgments
An initial draft of this document was produced under the auspices of the An initial draft of this document was produced under the auspices of the
IETF's Internet Accounting Working Group with assistance from SNMP, RMON IETF's Internet Accounting Working Group with assistance from SNMP, RMON
and SAAG working groups. Particular thanks are due to Stephen Stibler and SAAG working groups. Particular thanks are due to Stephen Stibler
(IBM Research) for his patient and careful comments during the (IBM Research) for his patient and careful comments during the
preparation of this draft. preparation of this draft.
11 References INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
[1] Handelman, S.W., Brownlee, N., Ruth, G., Stibler, S., 11 References
"New Attributes for Traffic Flow Measurment," Internet Draft,
'Working draft' to become an Experimental RFC,
IBM, The University of Auckland, BBN, IBM.
[2] Mills, C., Hirsch, G. and Ruth, G., "Internet Accounting [802-3] IEEE 802.3/ISO 8802-3 Information Processing Systems - Local
Background", RFC 1272, November 1991. Area Networks - Part 3: Carrier sense multiple access with
collision detection (CSMA/CD) access method and physical
layer specifications, 2nd edition, September 21, 1990.
[3] International Standards Organisation (ISO), "Management [ACT-BKG] Mills, C., Hirsch, G. and Ruth, G., "Internet Accounting
Framework," Part 4 of Information Processing Systems Open Background," RFC 1272, November 1991.
Systems Interconnection Basic Reference Model, ISO 7498-4,
1994.
[4] Paxson, V., Almes, G., Mahdavi, J. and Mathis, M., [IANA-RFC] Alvestrand, H. and T. Narten, "Guidelines for Writing an
"Framework for IP Performance Metrics," RFC 2330, May 1998. IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.
[5] IEEE 802.3/ISO 8802-3 Information Processing Systems - Local [IPPM-FRM] Paxson, V., Almes, G., Mahdavi, J. and Mathis, M.,
Area Networks - Part 3: Carrier sense multiple access with "Framework for IP Performance Metrics," RFC 2330, May 1998.
collision detection (CSMA/CD) access method and physical
layer specifications, 2nd edition, September 21, 1990.
[6] Brownlee, N., "SRL: A Language for Describing Traffic Flows [OSI-ACT] International Standards Organisation (ISO), "Management
and Specifying Actions for Flow Groups," Internet Draft, Framework," Part 4 of Information Processing Systems Open
'Working draft' to become an Informational RFC, Systems Interconnection Basic Reference Model,
The University of Auckland. ISO 7498-4, 1994.
[7] Brownlee, N., "Traffic Flow Measurement: Meter MIB", [RTFM-MIB] Brownlee, N., "Traffic Flow Measurement: Meter MIB",
RFC 2064, January 1997. RFC 2064, January 1997.
[8] Alvestrand, H. and T. Narten, "Guidelines for Writing an [RTFM-NEW] Handelman, S.W., Brownlee, N., Ruth, G., Stibler, S.,
IANA Considerations Section in RFCs", BCP 26, RFC 2434, "New Attributes for Traffic Flow Measurment," Internet
October 1998. Draft 'Work in progress' to become an Informational RFC
INTERNET-DRAFT Traffic Flow Measurement: Architecture June 99 [RTFM-SRL] Brownlee, N., "SRL: A Language for Describing Traffic
Flows and Specifying Actions for Flow Groups," Internet
Draft 'Work in progress' to become an Informational RFC
12 Author's Addresses 12 Author's Addresses
Nevil Brownlee Nevil Brownlee
Information Technology Systems & Services Information Technology Systems & Services
The University of Auckland The University of Auckland
Private Bag 92-019
Auckland, New Zealand
Phone: +64 9 373 7599 x8941 Phone: +64 9 373 7599 x8941
E-mail: n.brownlee@auckland.ac.nz E-mail: n.brownlee@auckland.ac.nz
INTERNET-DRAFT Traffic Flow Measurement: Architecture August 99
Cyndi Mills Cyndi Mills
GTE Laboratories, Inc GTE Laboratories, Inc
40 Sylvan Rd.
Waltham, MA 02451, U.S.A.
Phone: +1 617 466 4278 Phone: +1 781 466 4278
E-mail: cmills@gte.com E-mail: cmills@gte.com
Greg Ruth Greg Ruth
GTE Laboratories, Inc GTE Internteworking
3 Van de Graaff Drive
P.O. Box 3073
Burlington, MA 01803, U.S.A.
Phone: +1 617 466 2448 Phone: +1 781 262 4831
E-mail: gruth@gte.com E-mail: gruth@gte.com
Expires December 99 Expires February 2000
 End of changes. 176 change blocks. 
288 lines changed or deleted 294 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/