Integrating IP Traffic Flow Measurement
Juergen Quittek (1), Marcelo Pias (2), Marcus Brunner (1)
(1) NEC Europe Ltd., C&C Research Laboratories, Adenauerplatz 6, 69115 Heidelberg, Germany
(2) University College London, Department of Computer Science, Gower Street, London WC1E 6BT, UK
Traffic flow measurements are required by several applications in network and service management. For Internet measurements the IETF Realtime Traffic Flow Measurement (RTFM) working group defined an architecture (RFC2722) and an SNMP MIB module (RFC2720) called Meter MIB.
The RTFM architecture defines four components:
The architecture focusses on Meter, Reader and Manager and their interaction. The application is only briefly addressed. This paper focusses on the interaction between the application and the other components of the RTFM architecture.
Currently, freely available implementations of Meter, Manager and Reader exist in the NeTraMet distribution. They can be used to produce flow data files, which can then be analyzed by an application. This is sufficient for several pure traffic measurement applications, which operate offline and whose only function is traffic analysis.
However, this approach is rather inconvenient for network and service management applications that integrate traffic measurement into a larger system as one of its modules. The integration requires automatic generation of rule sets (specifying the measurement to be conducted), control of the Manager and Reader, and reading of the traffic flow data to be processed for the specific needs of the application.
In particular, specifying the measurements by rulesets as defined by the RTFM architecture is rather complicated and error-prone, because it is a procedural specification. Rulesets are sequences of instructions to be executed by the pattern matching engine within the meter. A flow is specified by the set of all results of the execution of this procedure for all possible packet headers passing the meter.
The paper analyzes a set of applications from different areas (accounting and charging for QoS, policy-based network management, MPLS multicast traffic control) and identifies requirements for the integration of traffic measurement including:
We matched these requirements by developing an interface between the application and Meter, Manager and Reader. The interface described in this paper models the RTFM architecture and provides a high level of abstraction. It can be implemented as an API or as a network protocol.
Traffic measurements are specified in a declarative way by a data structure containing flow attributes. Basic attributes, such as an IP source address, are already predefined in the data structure and may be wildcarded. Further attributes - as defined by the RTFM architecture - can be added in a generic way. Manager and Reader functionality is provided by the interface. The Reader can be configured to deliver traffic data in pull or in push mode.
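The declarative style described above, as an added example that is not taken from the Internet draft or the Java API: a flow is a data structure whose predefined attributes may be wildcarded and whose further attributes are added generically, and counters are read in pull fashion. `FlowSpec`, `measure`, all attribute names and the packet records are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FlowSpec:
    """Hypothetical declarative flow description; None = wildcarded attribute."""
    src_net: Optional[str] = None    # CIDR prefix of the IP source address
    dst_net: Optional[str] = None    # CIDR prefix of the IP destination address
    protocol: Optional[int] = None   # IP protocol number (6 = TCP, 17 = UDP)
    dst_port: Optional[int] = None
    extra: dict = field(default_factory=dict)  # further attributes, added generically

    def matches(self, pkt: dict) -> bool:
        # Address attributes match by prefix; a wildcard matches any address.
        for attr, net in (("src", self.src_net), ("dst", self.dst_net)):
            if net is not None and \
               ipaddress.ip_address(pkt[attr]) not in ipaddress.ip_network(net):
                return False
        # Remaining attributes, predefined or generic, match by equality.
        exact = (("protocol", self.protocol), ("dst_port", self.dst_port),
                 *self.extra.items())
        return all(want is None or pkt.get(attr) == want for attr, want in exact)

def measure(specs: dict, packets: list) -> dict:
    """Pull-mode read: {flow name: (packet count, byte count)} per FlowSpec."""
    counters = {name: [0, 0] for name in specs}
    for pkt in packets:
        for name, spec in specs.items():
            if spec.matches(pkt):
                counters[name][0] += 1
                counters[name][1] += pkt["length"]
    return {name: tuple(c) for name, c in counters.items()}

def hdr(src, dst, protocol, dst_port, dscp, length):
    return dict(src=src, dst=dst, protocol=protocol, dst_port=dst_port,
                dscp=dscp, length=length)

# Constructed packet header records (documentation address ranges).
PACKETS = [
    hdr("192.0.2.10", "198.51.100.5", 6, 443, 46, 1500),
    hdr("192.0.2.11", "198.51.100.5", 6, 80, 0, 400),
    hdr("203.0.113.7", "198.51.100.5", 17, 53, 0, 80),
    hdr("192.0.2.10", "198.51.100.9", 17, 5004, 46, 200),
]
SPECS = {
    "from-site-a": FlowSpec(src_net="192.0.2.0/24"),  # everything else wildcarded
    "https-to-server": FlowSpec(dst_net="198.51.100.5/32", protocol=6, dst_port=443),
    "marked": FlowSpec(extra={"dscp": 46}),           # generic attribute only
}
```

Each specification states which packets belong to the flow without describing the order in which header fields are tested, which is the step a procedural ruleset makes the author get right by hand.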
The interface specification has been submitted as an Internet draft to the IETF. The specification is designed in a generic way that supports the implementation as a network protocol as well as mapping it to procedural and object-oriented languages, such as C or Java, respectively. A Java API implementation has already been used successfully in two European research projects.