Network Working Group                                        N. Brownlee
Request for Comments: 2722                    The University of Auckland
Obsoletes: 2063                                                 C. Mills
Category: Informational                            GTE Laboratories, Inc
                                                                 G. Ruth
                                                     GTE Internetworking
                                                            October 1999
        

Traffic Flow Measurement: Architecture

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

This document provides a general framework for describing network traffic flows, presents an architecture for traffic flow measurement and reporting, discusses how this relates to an overall network traffic flow architecture and indicates how it can be used within the Internet.

Table of Contents

   1  Statement of Purpose and Scope
      1.1  Introduction

   2  Traffic Flow Measurement Architecture
      2.1  Meters and Traffic Flows
      2.2  Interaction Between METER and METER READER
      2.3  Interaction Between MANAGER and METER
      2.4  Interaction Between MANAGER and METER READER
      2.5  Multiple METERs or METER READERs
      2.6  Interaction Between MANAGERs (MANAGER - MANAGER)
      2.7  METER READERs and APPLICATIONs

   3  Traffic Flows and Reporting Granularity
      3.1  Flows and their Attributes
      3.2  Granularity of Flow Measurements
      3.3  Rolling Counters, Timestamps, Report-in-One-Bucket-Only

   4  Meters
      4.1  Meter Structure
      4.2  Flow Table
      4.3  Packet Handling, Packet Matching
      4.4  Rules and Rule Sets
      4.5  Maintaining the Flow Table
      4.6  Handling Increasing Traffic Levels

   5  Meter Readers
      5.1  Identifying Flows in Flow Records
      5.2  Usage Records, Flow Data Files
      5.3  Meter to Meter Reader:  Usage Record Transmission

   6  Managers
      6.1  Between Manager and Meter:  Control Functions
      6.2  Between Manager and Meter Reader:  Control Functions
      6.3  Exception Conditions
      6.4  Standard Rule Sets

   7  Security Considerations
      7.1  Threat Analysis
      7.2  Countermeasures

   8  IANA Considerations
      8.1  PME Opcodes
      8.2  RTFM Attributes

   9  APPENDICES
      Appendix A: Network Characterisation
      Appendix B: Recommended Traffic Flow Measurement Capabilities
      Appendix C: List of Defined Flow Attributes
      Appendix D: List of Meter Control Variables
      Appendix E: Changes Introduced Since RFC 2063

   10 Acknowledgments
   11 References
   12 Authors' Addresses
   13 Full Copyright Statement

1 Statement of Purpose and Scope

1.1 Introduction

This document describes an architecture for traffic flow measurement and reporting for data networks which has the following characteristics:

- The traffic flow model can be consistently applied to any protocol, using address attributes in any combination at the 'adjacent' (see below), network and transport layers of the networking stack.

- Traffic flow attributes are defined in such a way that they are valid for multiple networking protocol stacks, and that traffic flow measurement implementations are useful in multi-protocol environments.

- Users may specify their traffic flow measurement requirements by writing 'rule sets', allowing them to collect the flow data they need while ignoring other traffic.

- The data reduction effort to produce requested traffic flow information is placed as near as possible to the network measurement point. This minimises the volume of data to be obtained (and transmitted across the network for storage), and reduces the amount of processing required in traffic flow analysis applications.

'Adjacent' (as used above) is a layer-neutral term for the next layer down in a particular instantiation of protocol layering. Although 'adjacent' will usually imply the link layer (MAC addresses), it does not implicitly advocate or dismiss any particular form of tunnelling or layering.

The architecture specifies common metrics for measuring traffic flows. By using the same metrics, traffic flow data can be exchanged and compared across multiple platforms. Such data is useful for:

- Understanding the behaviour of existing networks,

- Planning for network development and expansion,

- Quantification of network performance,

- Verifying the quality of network service, and

- Attribution of network usage to users.

The traffic flow measurement architecture is deliberately structured using address attributes which are defined in a consistent way at the Adjacent, Network and Transport layers of the networking stack, allowing specific implementations of the architecture to be used effectively in multi-protocol environments. Within this document the term 'usage data' is used as a generic term for the data obtained using the traffic flow measurement architecture.

In principle one might define address attributes for higher layers, but it would be very difficult to do this in a general way. However, if an RTFM traffic meter were implemented within an application server (where it had direct access to application-specific usage information), it would be possible to use the rest of the RTFM architecture to collect application-specific information. Use of the same model for both network- and application-level measurement in this way could simplify the development of generic analysis applications which process and/or correlate both traffic and usage information. Experimental work in this area is described in the RTFM 'New Attributes' document [RTFM-NEW].

This document is not a protocol specification. It specifies and structures the information that a traffic flow measurement system needs to collect, describes requirements that such a system must meet, and outlines tradeoffs which may be made by an implementor.

For performance reasons, it may be desirable to use traffic information gathered through traffic flow measurement in lieu of network statistics obtained in other ways. Although the quantification of network performance is not the primary purpose of this architecture, the measured traffic flow data may be used as an indication of network performance.

A cost recovery structure decides "who pays for what." The major issue here is how to construct a tariff (who gets billed, how much, for which things, based on what information, etc). Tariff issues include fairness, predictability (how well can subscribers forecast their network charges), practicality (of gathering the data and administering the tariff), incentives (e.g. encouraging off-peak use), and cost recovery goals (100% recovery, subsidisation, profit making). Issues such as these are not covered here.

Background information explaining why this approach was selected is provided by the 'Internet Accounting Background' RFC [ACT-BKG].

2 Traffic Flow Measurement Architecture

A traffic flow measurement system is used by Network Operations personnel to aid in managing and developing a network. It provides a tool for measuring and understanding the network's traffic flows. This information is useful for many purposes, as mentioned in section 1 (above).

The following sections outline a model for traffic flow measurement, which draws from working drafts of the OSI accounting model [OSI-ACT].

2.1 Meters and Traffic Flows

At the heart of the traffic measurement model are network entities called traffic METERS. Meters observe packets as they pass by a single point on their way through the network and classify them into certain groups. For each such group a meter will accumulate certain attributes, for example the numbers of packets and bytes observed for the group. These METERED TRAFFIC GROUPS may correspond to a user, a host system, a network, a group of networks, a particular transport address (e.g. an IP port number), any combination of the above, etc, depending on the meter's configuration.

We assume that routers or traffic monitors throughout a network are instrumented with meters to measure traffic. Issues surrounding the choice of meter placement are discussed in the 'Internet Accounting Background' RFC [ACT-BKG]. An important aspect of meters is that they provide a way of succinctly aggregating traffic information.

For the purpose of traffic flow measurement we define the concept of a TRAFFIC FLOW, which is like an artificial logical equivalent to a call or connection. A flow is a portion of traffic, delimited by a start and stop time, that belongs to one of the metered traffic groups mentioned above. Attribute values (source/destination addresses, packet counts, byte counts, etc.) associated with a flow are aggregate quantities reflecting events which take place in the DURATION between the start and stop times. The start time of a flow is fixed for a given flow; the stop time may increase with the age of the flow.

For connectionless network protocols such as IP there is by definition no way to tell whether a packet with a particular source/destination combination is part of a stream of packets or not - each packet is completely independent. A traffic meter has, as part of its configuration, a set of 'rules' which specify the flows of interest, in terms of the values of their attributes. It derives attribute values from each observed packet, and uses these to decide which flow they belong to. Classifying packets into 'flows' in this way provides an economical and practical way to measure network traffic and subdivide it into well-defined groups.

Usage information which is not derivable from traffic flows may also be of interest. For example, an application may wish to record accesses to various different information resources or a host may wish to record the username (subscriber id) for a particular network session. Provision is made in the traffic flow architecture to do this. In the future the measurement model may be extended to gather such information from applications and hosts so as to provide values for higher-layer flow attributes.

As well as FLOWS and METERS, the traffic flow measurement model includes MANAGERS, METER READERS and ANALYSIS APPLICATIONS, which are explained in following sections. The relationships between them are shown by the diagram below. Numbers on the diagram refer to sections in this document.

                      MANAGER
                     /       \
                2.3 /         \ 2.4
                   /           \
                  /             \                      ANALYSIS
              METER  <----->  METER READER  <----->   APPLICATION
                       2.2                    2.7
        

- MANAGER: A traffic measurement manager is an application which configures 'meter' entities and controls 'meter reader' entities. It sends configuration commands to the meters, and supervises the proper operation of each meter and meter reader. It may well be convenient to combine the functions of meter reader and manager within a single network entity.

- METER: Meters are placed at measurement points determined by Network Operations personnel. Each meter selectively records network activity as directed by its configuration settings. It can also aggregate, transform and further process the recorded activity before the data is stored. The processed and stored results are called the 'usage data'.

- METER READER: A meter reader transports usage data from meters so that it is available to analysis applications.

- ANALYSIS APPLICATION: An analysis application processes the usage data so as to provide information and reports which are useful for network engineering and management purposes. Examples include:

- TRAFFIC FLOW MATRICES, showing the total flow rates for many of the possible paths within an internet.

- FLOW RATE FREQUENCY DISTRIBUTIONS, summarizing flow rates over a period of time.

- USAGE DATA showing the total traffic volumes sent and received by particular hosts.

The operation of the traffic measurement system as a whole is best understood by considering the interactions between its components. These are described in the following sections.

2.2 Interaction Between METER and METER READER

The information which travels along this path is the usage data itself. A meter holds usage data in an array of flow data records known as the FLOW TABLE. A meter reader may collect the data in any suitable manner. For example, it might upload a copy of the whole flow table using a file transfer protocol, or read the records in the current flow set one at a time using a suitable data transfer protocol. Note that the meter reader need not read complete flow data records; a subset of their attribute values may well be sufficient.

A meter reader may collect usage data from one or more meters. Data may be collected from the meters at any time. There is no requirement for collections to be synchronized in any way.

2.3 Interaction Between MANAGER and METER

A manager is responsible for configuring and controlling one or more meters. Each meter's configuration includes information such as:

- Flow specifications, e.g. which traffic flows are to be measured, how they are to be aggregated, and any data the meter is required to compute for each flow being measured.

- Meter control parameters, e.g. the 'inactivity' time for flows (if no packets belonging to a flow are seen for this time the flow is considered to have ended, i.e. to have become idle).

- Sampling behaviour. Normally every packet will be observed. It may sometimes be necessary to use sampling techniques so as to observe only some of the packets (see following note).

A note about sampling: Current experience with the measurement architecture shows that a carefully-designed and implemented meter compresses the data sufficiently well that in normal LANs and WANs of today sampling is seldom, if ever, needed. For this reason sampling algorithms are not prescribed by the architecture. If sampling is needed, e.g. for metering a very-high-speed network with fine-grained flows, the sampling technique should be carefully chosen so as not to bias the results. For a good introduction to this topic see the IPPM Working Group's RFC "Framework for IP Performance Metrics" [IPPM-FRM].

A meter may run several rule sets concurrently on behalf of one or more managers, and any manager may download a set of flow specifications (i.e. a 'rule set') to a meter. Control parameters which apply to an individual rule set should be set by the manager after it downloads that rule set.

One manager should be designated as the 'master' for a meter. Parameters such as sampling behaviour, which affect the overall operation of the meter, should only be set by the master manager.

2.4 Interaction Between MANAGER and METER READER

A manager is responsible for configuring and controlling one or more meter readers. A meter reader may only be controlled by a single manager. A meter reader needs to know at least the following for every meter it is collecting usage data from:

- The meter's unique identity, i.e. its network name or address.

- How often usage data is to be collected from the meter.

- Which flow records are to be collected (e.g. all flows, flows for a particular rule set, flows which have been active since a given time, etc.).

- Which attribute values are to be collected for the required flow records (e.g. all attributes, or a small subset of them)

Since redundant reporting may be used in order to increase the reliability of usage data, exchanges among multiple entities must be considered as well. These are discussed below.

2.5 Multiple METERs or METER READERs
                    -- METER READER A --
                   /         |          \
                  /          |           \
          =====METER 1     METER 2=====METER 3    METER 4=====
                              \          |           /
                               \         |          /
                                -- METER READER B --
        

Several uniquely identified meters may report to one or more meter readers. The diagram above gives an example of how multiple meters and meter readers could be used.

In the diagram above meter 1 is read by meter reader A, and meter 4 is read by meter reader B. Meters 1 and 4 have no redundancy; if either meter fails, usage data for their network segments will be lost.

Meters 2 and 3, however, measure traffic on the same network segment. One of them may fail leaving the other collecting the segment's usage data. Meters 2 and 3 are read by meter reader A and by meter reader B. If one meter reader fails, the other will continue collecting usage data from both meters.

The architecture does not require multiple meter readers to be synchronized. In the situation above meter readers A and B could both collect usage data at the same intervals, but not necessarily at the same times. Note that because collections are asynchronous it is unlikely that usage records from two different meter readers will agree exactly.

If identical usage records were required from a single meter, a manager could achieve this using two identical copies of a ruleset in that meter. Let's call them RS1 and RS2, and assume that RS1 is running. When a collection is to be made the manager switches the meter from RS1 to RS2, and directs the meter reader(s) to read flow data for RS1 from the meter. For the next collection the manager switches back to RS1, and so on. Note, however, that it is not possible to get identical usage records from more than one meter, since there is no way for a manager to switch rulesets in more than one meter at the same time.
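The RS1/RS2 switch described above can be contrasted with two unsynchronized reads of a running rule set. This is an added Python sketch, not code from the RFC or any RTFM implementation; the `DualRuleSetMeter` class, its method names, the flow key string and the sample traffic are assumptions made for illustration, and the sketch never resets counters.

```python
class DualRuleSetMeter:
    """Hypothetical meter holding two identical rule sets, RS1 and RS2.

    Only the current rule set counts packets; the other one is frozen.
    """

    def __init__(self):
        self.tables = {"RS1": {}, "RS2": {}}  # rule set -> {flow key: (packets, bytes)}
        self.current = "RS1"

    def observe(self, flow_key, length):
        """Count one packet against the rule set that is currently running."""
        table = self.tables[self.current]
        packets, octets = table.get(flow_key, (0, 0))
        table[flow_key] = (packets + 1, octets + length)

    def switch(self):
        """Manager action: run the other rule set; return the one now frozen."""
        frozen = self.current
        self.current = "RS2" if frozen == "RS1" else "RS1"
        return frozen

    def read(self, ruleset):
        """Meter reader action: copy the flow data of one rule set."""
        return dict(self.tables[ruleset])


# Constructed sample traffic: (flow key, packet length in bytes)
FLOW = "10.1.0.1<->26.1.0.1"
TRAFFIC_BEFORE = [(FLOW, 100), (FLOW, 1500)]
TRAFFIC_BETWEEN_READS = [(FLOW, 60)]  # arrives after reader A, before reader B


def collect_without_switch():
    """Both readers read the running rule set at different times."""
    meter = DualRuleSetMeter()
    for key, length in TRAFFIC_BEFORE:
        meter.observe(key, length)
    reader_a = meter.read(meter.current)
    for key, length in TRAFFIC_BETWEEN_READS:
        meter.observe(key, length)
    reader_b = meter.read(meter.current)
    return reader_a, reader_b


def collect_with_switch():
    """Manager switches RS1 -> RS2 first; both readers then read frozen RS1."""
    meter = DualRuleSetMeter()
    for key, length in TRAFFIC_BEFORE:
        meter.observe(key, length)
    frozen = meter.switch()
    reader_a = meter.read(frozen)
    for key, length in TRAFFIC_BETWEEN_READS:
        meter.observe(key, length)  # counted by RS2, RS1 is untouched
    reader_b = meter.read(frozen)
    return reader_a, reader_b, meter.read(meter.current)


if __name__ == "__main__":
    print("no switch:  ", collect_without_switch())
    print("with switch:", collect_with_switch())
```
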

If there is only one meter reader and it fails, the meters continue to run. When the meter reader is restarted it can collect all of the accumulated flow data. Should this happen, time resolution will be lost (because of the missed collections) but overall traffic flow information will not. The only exception to this would occur if the traffic volume was sufficient to 'roll over' counters for some flows during the failure; this is addressed in the section on 'Rolling Counters'.

2.6 Interaction Between MANAGERs (MANAGER - MANAGER)

Synchronization between multiple management systems is the province of network management protocols. This traffic flow measurement architecture specifies only the network management controls necessary to perform the traffic flow measurement function and does not address the more global issues of simultaneous or interleaved (possibly conflicting) commands from multiple network management stations or the process of transferring control from one network management station to another.

2.7 METER READERs and APPLICATIONs

Once a collection of usage data has been assembled by a meter reader it can be processed by an analysis application. Details of analysis applications - such as the reports they produce and the data they require - are outside the scope of this architecture.

It should be noted, however, that analysis applications will often require considerable amounts of input data. An important part of running a traffic flow measurement system is the storage and regular reduction of flow data so as to produce daily, weekly or monthly summary files for further analysis. Again, details of such data handling are outside the scope of this architecture.

3 Traffic Flows and Reporting Granularity

A flow was defined in section 2.1 above in abstract terms as follows:

"A TRAFFIC FLOW is an artificial logical equivalent to a call or connection, belonging to a (user-specified) METERED TRAFFIC GROUP."

In practical terms, a flow is a stream of packets observed by the meter as they pass across a network between two end points (or from a single end point), which have been summarized by a traffic meter for analysis purposes.

3.1 Flows and their Attributes

Every traffic meter maintains a table of 'flow records' for flows seen by the meter. A flow record holds the values of the ATTRIBUTES of interest for its flow. These attributes might include:

- ADDRESSES for the flow's source and destination. These comprise the protocol type, the source and destination addresses at various network layers (extracted from the packet header), and the number of the interface on which the packet was observed.

- First and last TIMES when packets were seen for this flow, i.e. the 'creation' and 'last activity' times for the flow.

- COUNTS for 'forward' (source to destination) and 'backward' (destination to source) components (e.g. packets and bytes) of the flow's traffic. The specifying of 'source' and 'destination' for flows is discussed in the section on packet matching below.

- OTHER attributes, e.g. the index of the flow's record in the flow table and the rule set number for the rules which the meter was running while the flow was observed. The values of these attributes provide a way of distinguishing flows observed by a meter at different times.

The attributes listed in this document (Appendix C) provide a basic (i.e. useful minimum) set; IANA considerations for allocating new attributes are set out in section 8 below.

A flow's METERED TRAFFIC GROUP is specified by the values of its ADDRESS attributes. For example, if a flow's address attributes were specified as "source address = IP address 10.1.0.1, destination address = IP address 26.1.0.1" then only IP packets from 10.1.0.1 to 26.1.0.1 and back would be counted in that flow. If a flow's address attributes specified only that "source address = IP address 10.1.0.1," then all IP packets from and to 10.1.0.1 would be counted in that flow.

The addresses specifying a flow's address attributes may include one or more of the following types:

- The INTERFACE NUMBER for the flow, i.e. the interface on which the meter measured the traffic. Together with a unique address for the meter this uniquely identifies a particular physical-level port.

- The ADJACENT ADDRESS, i.e. the address in the next layer down from the peer address in a particular instantiation of protocol layering. Although 'adjacent' will usually imply the link layer, it does not implicitly advocate or dismiss any particular form of tunnelling or layering.

For example, if flow measurement is being performed using IP as the network layer on an Ethernet LAN [802-3], an adjacent address will normally be a six-octet Media Access Control (MAC) address. For a host connected to the same LAN segment as the meter the adjacent address will be the MAC address of that host. For hosts on other LAN segments it will be the MAC address of the adjacent (upstream or downstream) router carrying the traffic flow.

- The PEER ADDRESS, which identifies the source or destination of the packet for the network layer (n) at which traffic measurement is being performed. The form of a peer address will depend on the network-layer protocol in use, and the measurement network layer (n).

- The TRANSPORT ADDRESS, which identifies the source or destination port for the packet, i.e. its (n+1) layer address. For example, if flow measurement is being performed at the IP layer a transport address is a two-octet UDP or TCP port number.

The four definitions above specify addresses for each of the four lowest layers of the OSI reference model, i.e. Physical layer, Link layer, Network layer and Transport layer. A FLOW RECORD stores both the VALUE for each of its addresses (as described above) and a MASK specifying which bits of the address value are being used and which are ignored. Note that if address bits are being ignored the meter will set them to zero, however their actual values are undefined.

One of the key features of the traffic measurement architecture is that attributes have essentially the same meaning for different protocols, so that analysis applications can use the same reporting formats for all protocols. This is straightforward for peer addresses; although the form of addresses differs for the various protocols, the meaning of a 'peer address' remains the same. It becomes harder to maintain this correspondence at higher layers - for example, at the Network layer IP, Novell IPX and AppleTalk all use port numbers as a 'transport address', but CLNP and DECnet have no notion of ports.

Reporting by adjacent intermediate sources and destinations or simply by meter interface (most useful when the meter is embedded in a router) supports hierarchical Internet reporting schemes as described in the 'Internet Accounting Background' RFC [ACT-BKG]. That is, it allows backbone and regional networks to measure usage to just the next lower level of granularity (i.e. to the regional and stub/enterprise levels, respectively), with the final breakdown according to end user (e.g. to source IP address) performed by the stub/enterprise networks.

In cases where network addresses are dynamically allocated (e.g. dial-in subscribers), further subscriber identification will be necessary if flows are to be ascribed to individual users. Provision is made to further specify the metered traffic group through the use of an optional SUBSCRIBER ID as part of the flow id. A subscriber ID may be associated with a particular flow either through the current rule set or by unspecified means within a meter. At this time a subscriber ID is an arbitrary text string; later versions of the architecture may specify details of its contents.

3.2 Granularity of Flow Measurements

GRANULARITY is the 'control knob' by which an application and/or the meter can trade off the overhead associated with performing usage reporting against its level of detail. A coarser granularity means a greater level of aggregation; finer granularity means a greater level of detail. Thus, the number of flows measured (and stored) at a meter can be regulated by changing the granularity of their attributes. Flows are like an adjustable pipe - many fine-granularity streams can carry the data with each stream measured individually, or data can be bundled in one coarse-granularity pipe. Time granularity may be controlled by varying the reporting interval, i.e. the time between meter readings.

Flow granularity is controlled by adjusting the level of detail for the following:

- The metered traffic group (address attributes, discussed above).

- The categorisation of packets (other attributes, discussed below).

- The lifetime/duration of flows (the reporting interval needs to be short enough to measure them with sufficient precision).

The set of rules controlling the determination of each packet's metered traffic group is known as the meter's CURRENT RULE SET. As will be shown, the meter's current rule set forms an integral part of the reported information, i.e. the recorded usage information cannot be properly interpreted without a definition of the rules used to collect that information.

Settings for these granularity factors may vary from meter to meter. They are determined by the meter's current rule set, so they will change if Network Operations personnel reconfigure the meter to use a new rule set. It is expected that the collection rules will change rather infrequently; nonetheless, the rule set in effect at any time must be identifiable via a RULE SET NUMBER.

Granularity of metered traffic groups is further specified by additional ATTRIBUTES. These attributes include:

- Attributes which record information derived from other attribute values. Six of these are defined (SourceClass, DestClass, FlowClass, SourceKind, DestKind, FlowKind), and their meaning is determined by the meter's rule set. For example, one could have a subroutine in the rule set which determined whether a source or destination peer address was a member of an arbitrary list of networks, and set SourceClass/DestClass to one if the source/dest peer address was in the list or to zero otherwise.

- Administratively specified attributes such as Quality of Service and Priority, etc. These are not defined at this time.

Settings for these granularity factors may vary from meter to meter. They are determined by the meter's current rule set, so they will change if Network Operations personnel reconfigure the meter to use a new rule set.

A rule set can aggregate groups of addresses in two ways. The simplest is to use a mask in a single rule to test for an address within a masked group. The other way is to use a sequence of rules to test for an arbitrary group of (masked) address values, then use a PushRuleTo rule to set a derived attribute (e.g. FlowKind) to indicate the flow's group.

The LIFETIME of a flow is the time interval which began when the meter observed the first packet belonging to the flow and ended when it saw the last packet. Flow lifetimes are very variable, but many - if not most - are rather short. A meter cannot measure lifetimes directly; instead a meter reader collects usage data for flows which have been active since the last collection, and an analysis application may compare the data from each collection so as to determine when each flow actually stopped.

The meter does, however, need to reclaim memory (i.e. records in the flow table) being held by idle flows. The meter configuration includes a variable called InactivityTimeout, which specifies the minimum time a meter must wait before recovering the flow's record. In addition, before recovering a flow record the meter should be sure that the flow's data has been collected by all meter readers which registered to collect it. These two wait conditions are desired goals for the meter; they are not difficult to achieve in normal usage, however the meter cannot guarantee to fulfil them absolutely.

These 'lifetime' issues are considered further in the section on meter readers (below). A complete list of the attributes currently defined is given in Appendix C later in this document.

3.3 Rolling Counters, Timestamps, Report-in-One-Bucket-Only

Once a usage record is sent, the decision needs to be made whether to clear any existing flow records or to maintain them and add to their counts when recording subsequent traffic on the same flow. The second method, called rolling counters, is recommended and has several advantages. Its primary advantage is that it provides greater reliability - the system can now often survive the loss of some usage records, such as might occur if a meter reader failed and later restarted. The next usage record will very often contain yet another reading of many of the same flow buckets which were in the lost usage record. The 'continuity' of data provided by rolling counters can also supply information used for "sanity" checks on the data itself, to guard against errors in calculations.

The use of rolling counters does introduce a new problem: how to distinguish a follow-on flow record from a new flow record. Consider the following example.

                         CONTINUING FLOW           OLD FLOW, then NEW FLOW

                         start time = 1            start time = 1
   Usage record N:       flow count = 2000         flow count = 2000 (done)

                         start time = 1            start time = 5
   Usage record N+1:     flow count = 3000         new flow count = 1000

   Total count:          3000                      3000

In the continuing flow case, the same flow was reported when its count was 2000, and again at 3000: the total count to date is 3000. In the OLD/NEW case, the old flow had a count of 2000. Its record was then stopped (perhaps because of temporary idleness), but then more traffic with the same characteristics arrived so a new flow record was started and it quickly reached a count of 1000. The total flow count from both the old and new records is 3000.

The flow START TIMESTAMP attribute is sufficient to resolve this. In the example above, the CONTINUING FLOW flow record in the second usage record has an old FLOW START timestamp, while the NEW FLOW contains a recent FLOW START timestamp. A flow which has sporadic bursts of activity interspersed with long periods of inactivity will produce a sequence of flow activity records, each with the same set of address attributes, but with increasing FLOW START times.
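
How an analysis application can apply this, as an added example that is not part of the RFC: it identifies each flow record by its key plus FLOW START time and sums the counter increases, so a lost usage record costs nothing and a counter that runs backwards is flagged. The tuple layout, the flow names and usage record N+2 are constructed for illustration.

```python
from collections import defaultdict

def accumulate(readings, use_start_time=True):
    """Total the traffic per flow key over successive rolling-counter readings.

    Each reading is a list of (flow_key, start_time, count) tuples as a meter
    reader might collect them; a lost reading is simply missing from the list.
    Returns (totals, anomalies).
    """
    last = {}                    # flow record identity -> last count seen
    totals = defaultdict(int)
    anomalies = []
    for n, reading in enumerate(readings):
        for key, start, count in reading:
            # With the start time in the identity, a restarted flow is a
            # different record from the one that was stopped earlier.
            ident = (key, start if use_start_time else None)
            delta = count - last.get(ident, 0)
            if delta < 0:
                # A rolling counter never decreases: sanity check failed.
                anomalies.append((n, key, last[ident], count))
                continue
            totals[key] += delta
            last[ident] = count
    return dict(totals), anomalies

# Constructed sample data reproducing the two columns of the table above.
CONTINUING = "continuing"
OLD_NEW = "old-then-new"
RECORD_N = [(CONTINUING, 1, 2000), (OLD_NEW, 1, 2000)]
RECORD_N1 = [(CONTINUING, 1, 3000), (OLD_NEW, 5, 1000)]
RECORD_N2 = [(CONTINUING, 1, 3500), (OLD_NEW, 5, 1800)]   # constructed follow-on

if __name__ == "__main__":
    print(accumulate([RECORD_N, RECORD_N1]))                   # both totals 3000
    print(accumulate([RECORD_N, RECORD_N1, RECORD_N2]))        # nothing lost
    print(accumulate([RECORD_N, RECORD_N2]))                   # record N+1 lost
    print(accumulate([RECORD_N, RECORD_N1], use_start_time=False))
```

Ignoring the start time makes the restarted flow look like a counter that fell from 2000 to 1000, which is exactly the ambiguity the timestamp removes.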

Each packet is counted in at most one flow for each running ruleset, so as to avoid multiple counting of a single packet. The record of a single flow is informally called a "bucket." If multiple, sometimes overlapping, records of usage information are required (aggregate, individual, etc), the network manager should collect the counts in sufficiently detailed granularity so that aggregate and combination counts can be reconstructed in post-processing of the raw usage data. Alternatively, multiple rulesets could be used to collect data at different granularities.

For example, consider a meter from which it is required to record both 'total packets coming in interface #1' and 'total packets arriving from any interface sourced by IP address = a.b.c.d', using a single rule set. Although a bucket can be declared for each case, it is not clear how to handle a packet which satisfies both criteria. It must only be counted once. By default it will be counted in the first bucket for which it qualifies, and not in the other bucket. Further, it is not possible to reconstruct this information by post-processing. The solution in this case is to define not two, but THREE buckets, each one collecting a unique combination of the two criteria:

Bucket 1: Packets which came in interface 1, AND were sourced by IP address a.b.c.d

Bucket 2: Packets which came in interface 1, AND were NOT sourced by IP address a.b.c.d

Bucket 3: Packets which did NOT come in interface 1, AND were sourced by IP address a.b.c.d

(Bucket 4: Packets which did NOT come in interface 1, AND were NOT sourced by IP address a.b.c.d)

The desired information can now be reconstructed by post-processing. "Total packets coming in interface 1" can be found by adding buckets 1 & 2, and "Total packets sourced by IP address a.b.c.d" can be found by adding buckets 1 & 3. Note that in this case bucket 4 is not explicitly required since its information is not of interest, but it is supplied here in parentheses for completeness.

Alternatively, the above could be achieved by running two rule sets (A and B), as follows:

Bucket 1: Packets which came in interface 1; counted by rule set A.

Bucket 2: Packets which were sourced by IP address a.b.c.d; counted by rule set B.
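
The bucket example above, run over a handful of packets as an added illustration (not part of the RFC): two overlapping buckets in one rule set undercount the second criterion, while three disjoint buckets or two rule sets recover both totals. The address 192.0.2.7 is a constructed stand-in for a.b.c.d, and the packet list is constructed.

```python
def first_match_count(packets, buckets):
    """Count each packet once, in the first bucket it qualifies for."""
    counts = {name: 0 for name, _ in buckets}
    for pkt in packets:
        for name, wanted in buckets:
            if wanted(pkt):
                counts[name] += 1
                break            # one rule set never counts a packet twice
    return counts

HOST = "192.0.2.7"   # constructed stand-in for the text's a.b.c.d

# Constructed packets as (arrival interface, source IP address).
PACKETS = [(1, HOST), (1, HOST), (1, "198.51.100.3"), (2, HOST),
           (2, "198.51.100.3"), (1, "198.51.100.9"), (2, HOST), (1, HOST)]

def in_if1(pkt):
    return pkt[0] == 1

def from_host(pkt):
    return pkt[1] == HOST

def overlapping():
    """One rule set, one bucket per criterion: the second bucket loses packets."""
    return first_match_count(PACKETS, [("if1", in_if1), ("host", from_host)])

def disjoint():
    """One rule set, buckets 1-3 from the text, totals rebuilt in post-processing."""
    c = first_match_count(PACKETS, [
        ("b1", lambda p: in_if1(p) and from_host(p)),
        ("b2", lambda p: in_if1(p) and not from_host(p)),
        ("b3", lambda p: not in_if1(p) and from_host(p)),
    ])
    return {"if1": c["b1"] + c["b2"], "host": c["b1"] + c["b3"]}

def two_rule_sets():
    """Rule sets A and B each see every packet, so each total is complete."""
    a = first_match_count(PACKETS, [("if1", in_if1)])
    b = first_match_count(PACKETS, [("host", from_host)])
    return {"if1": a["if1"], "host": b["host"]}

if __name__ == "__main__":
    print(overlapping(), disjoint(), two_rule_sets())
```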

4 Meters

A traffic flow meter is a device for collecting data about traffic flows at a given point within a network; we will call this the METERING POINT. The header of every packet passing the network metering point is offered to the traffic meter program.

A meter could be implemented in various ways, including:

- A dedicated small host, connected to a broadcast LAN (so that it can see all packets as they pass by) and running a traffic meter program. The metering point is the LAN segment to which the meter is attached.

- A multiprocessing system with one or more network interfaces, with drivers enabling a traffic meter program to see packets. In this case the system provides multiple metering points - traffic flows on any subset of its network interfaces can be measured.

- A packet-forwarding device such as a router or switch. This is similar to the multiprocessing system above except that every received packet should also be forwarded, usually on a different interface.

4.1 Meter Structure

An outline of the meter's structure is given in the following diagram:

Briefly, the meter works as follows:

- Incoming packet headers arrive at the top left of the diagram and are passed to the PACKET PROCESSOR.

- The packet processor passes them to the Packet Matching Engine (PME) where they are classified.

- The PME is a Virtual Machine running a pattern matching program contained in the CURRENT RULE SET. It is invoked by the Packet Processor, executes the rules in the current rule set as described in section 4.3 below, and returns instructions on what to do with the packet.

- Some packets are classified as 'to be ignored'. They are discarded by the Packet Processor.

- Other packets are matched by the PME, which returns a FLOW KEY describing the flow to which the packet belongs.

- The flow key is used to locate the flow's entry in the FLOW TABLE; a new entry is created when a flow is first seen. The entry's data fields (e.g. packet and byte counters) are updated.

- A meter reader may collect data from the flow table at any time. It may use the 'collect' index to locate the flows to be collected within the flow table.

                   packet                     +------------------+
                   header                     | Current Rule Set |
                     |                        +--------+---------+
                     |                                 |
                     |                                 |
             +-------*--------+    'match key'  +------*-------+
             |    Packet      |---------------->|    Packet    |
             |   Processor    |                 |   Matching   |
             |                |<----------------|    Engine    |
             +--+----------+--+  'flow key'     +--------------+
                |          |
                |          |
         Ignore *          | Count (via 'flow key')
                           |
                        +--*--------------+
                        | 'Search' index  |
                        +--------+--------+
                                 |
                        +--------*--------+
                        |                 |
                        |   Flow Table    |
                        |                 |
                        +--------+--------+
                                 |
                        +--------*--------+
                        | 'Collect' index |
                        +--------+--------+
                                 |
                                 *
                            Meter Reader
        

The discussion above assumes that a meter will only be running a single rule set. A meter may, however, run several rule sets concurrently. To do this the meter maintains a table of current rulesets. The packet processor matches each packet against every current ruleset, producing a single flow table containing flows from all the rule sets. One way to implement this is to use the Rule Set Number attribute in each flow as part of the flow key.

A packet may only be counted once in a rule set (as explained in section 3.3 above), but it may be counted in any of the current rulesets. The overall effect of doing this is somewhat similar to running several independent meters, one for each rule set.

4.2 Flow Table

Every traffic meter maintains a 'flow table', i.e. a table of TRAFFIC FLOW RECORDS for flows seen by the meter. Details of how the flow table is maintained are given in section 4.5 below. A flow record contains attribute values for its flow, including:

- Addresses for the flow's source and destination. These include addresses and masks for various network layers (extracted from the packet header), and the identity of the interface on which the packet was observed.

- First and last times when packets were seen for this flow.

- Counts for 'forward' (source to destination) and 'backward' (destination to source) components of the flow's traffic.

- Other attributes, e.g. state of the flow record (discussed below).

The state of a flow record may be:

- INACTIVE: The flow record is not being used by the meter.

- CURRENT: The record is in use and describes a flow which belongs to the 'current flow set', i.e. the set of flows recently seen by the meter.

- IDLE: The record is in use and the flow which it describes is part of the current flow set. In addition, no packets belonging to this flow have been seen for a period specified by the meter's InactivityTime variable.

4.3 Packet Handling, Packet Matching

Each packet header received by the traffic meter program is processed as follows:

- Extract attribute values from the packet header and use them to create a MATCH KEY for the packet.

- Match the packet's key against the current rule set, as explained in detail below.

The rule set specifies whether the packet is to be counted or ignored. If it is to be counted the matching process produces a FLOW KEY for the flow to which the packet belongs. This flow key is used to find the flow's record in the flow table; if a record does not yet exist for this flow, a new flow record may be created. The data for the matching flow record can then be updated.

For example, the rule set could specify that packets to or from any host in IP network 130.216 are to be counted. It could also specify that flow records are to be created for every pair of 24-bit (Class C) subnets within network 130.216.

Each packet's match key is passed to the meter's PATTERN MATCHING ENGINE (PME) for matching. The PME is a Virtual Machine which uses a set of instructions called RULES, i.e. a RULE SET is a program for the PME. A packet's match key contains source (S) and destination (D) interface identities, address values and masks.

If measured flows were unidirectional, i.e. only counted packets travelling in one direction, the matching process would be simple. The PME would be called once to match the packet. Any flow key produced by a successful match would be used to find the flow's record in the flow table, and that flow's counters would be updated.

Flows are, however, bidirectional, reflecting the forward and reverse packets of a protocol interchange or 'session'. Maintaining two sets of counters in the meter's flow record makes the resulting flow data much simpler to handle, since analysis programs do not have to gather together the 'forward' and 'reverse' components of sessions. Implementing bi-directional flows is, of course, more difficult for the meter, since it must decide whether a packet is a 'forward' packet or a 'reverse' one. To make this decision the meter will often need to invoke the PME twice, once for each possible packet direction.

The diagram below describes the algorithm used by the traffic meter to process each packet. Flow through the diagram is from left to right and top to bottom, i.e. from the top left corner to the bottom right corner. S indicates the flow's source address (i.e. its set of source address attribute values) from the packet header, and D indicates its destination address.

There are several cases to consider. These are:

- The packet is recognised as one which is TO BE IGNORED.

- The packet would MATCH IN EITHER DIRECTION. One situation in which this could happen would be a rule set which matches flows within network X (Source = X, Dest = X) but specifies that flows are to be created for each subnet within network X, say subnets y and z. If, for example a packet is seen for y->z, the meter must check that flow z->y is not already current before creating y->z.

- The packet MATCHES IN ONE DIRECTION ONLY. If its flow is already current, its forward or reverse counters are incremented. Otherwise it is added to the flow table and then counted.

                   Ignore
   --- match(S->D) -------------------------------------------------+
        | Suc   | NoMatch                                           |
        |       |          Ignore                                   |
        |      match(D->S) -----------------------------------------+
        |       | Suc   | NoMatch                                   |
        |       |       |                                           |
        |       |       +-------------------------------------------+
        |       |                                                   |
        |       |             Suc                                   |
        |      current(D->S) ---------- count(D->S,r) --------------+
        |       | Fail                                              |
        |       |                                                   |
        |      create(D->S) ----------- count(D->S,r) --------------+
        |                                                           |
        |             Suc                                           |
       current(S->D) ------------------ count(S->D,f) --------------+
        | Fail                                                      |
        |             Suc                                           |
       current(D->S) ------------------ count(D->S,r) --------------+
        | Fail                                                      |
        |                                                           |
       create(S->D) ------------------- count(S->D,f) --------------+
                                                                    |
                                                                    *
        

The algorithm uses four functions, as follows:

match(A->B) implements the PME. It uses the meter's current rule set to match the attribute values in the packet's match key. A->B means that the assumed source address is A and destination address B, i.e. that the packet was travelling from A to B. match() returns one of three results:

'Ignore' means that the packet was matched but this flow is not to be counted.

'NoMatch' means that the packet did not match. It might, however, match with its direction reversed, i.e. from B to A.

'Suc' means that the packet did match, i.e. it belongs to a flow which is to be counted.

current(A->B) succeeds if the flow A-to-B is current - i.e. has a record in the flow table whose state is Current - and fails otherwise.

create(A->B) adds the flow A-to-B to the flow table, setting the value for attributes - such as addresses - which remain constant, and zeroing the flow's counters.

count(A->B,f) increments the 'forward' counters for flow A-to-B. count(A->B,r) increments the 'reverse' counters for flow A-to-B. 'Forward' here means the counters for packets travelling from A to B. Note that count(A->B,f) is identical to count(B->A,r).

When writing rule sets one must remember that the meter will normally try to match each packet in the reverse direction if the forward match does not succeed. It is particularly important that the rule set does not contain inconsistencies which will upset this process.

Consider, for example, a rule set which counts packets from source network A to destination network B, but which ignores packets from source network B. This is an obvious example of an inconsistent rule set, since packets from network B should be counted as reverse packets for the A-to-B flow.

This problem could be avoided by devising a language for specifying rule files and writing a compiler for it, thus making it much easier to produce correct rule sets. An example of such a language is described in the 'SRL' document [RTFM-SRL]. Another approach would be to write a 'rule set consistency checker' program, which could detect problems in hand-written rule sets.

Normally, the best way to avoid these problems is to write rule sets which only classify flows in the forward direction, and rely on the meter to handle reverse-travelling packets.
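
The packet-processing algorithm and the rule set consistency problem described above, as an added Python example (not part of the RFC). The Meter class, the three rule-set functions, the sample-based checker reverse_losses() and the network numbers are constructed for illustration; plain Python functions stand in for match().

```python
import ipaddress

IGNORE, NOMATCH, SUC = "Ignore", "NoMatch", "Suc"
NET_X, NET_A, NET_B = "10.1.0.0/16", "172.16.0.0/16", "192.168.0.0/16"


class Meter:
    """Packet processing as in the diagram; match(src, dst) stands in for the PME."""

    def __init__(self, match):
        self.match = match   # returns (result, key); key = (source part, dest part)
        self.flows = {}      # flow table: key -> {"f": forward, "r": reverse}

    def _create(self, key):
        self.flows[key] = {"f": 0, "r": 0}

    def process(self, src, dst):
        result, key = self.match(src, dst)          # match(S->D)
        if result == IGNORE:
            return IGNORE
        if result == NOMATCH:
            result, key = self.match(dst, src)      # match(D->S)
            if result != SUC:
                return result
            if key not in self.flows:               # current(D->S) failed
                self._create(key)                   # create(D->S)
            self.flows[key]["r"] += 1               # count(D->S,r)
            return SUC
        reverse = (key[1], key[0])
        if key in self.flows:                       # current(S->D)
            self.flows[key]["f"] += 1               # count(S->D,f)
        elif reverse in self.flows:                 # current(D->S)
            self.flows[reverse]["r"] += 1           # count(D->S,r)
        else:
            self._create(key)                       # create(S->D)
            self.flows[key]["f"] += 1
        return SUC


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def subnet24(addr):
    return str(ipaddress.ip_network(addr + "/24", strict=False))


def per_subnet(src, dst):
    """Matches in either direction: flows inside X, one per pair of /24 subnets."""
    if in_net(src, NET_X) and in_net(dst, NET_X):
        return SUC, (subnet24(src), subnet24(dst))
    return NOMATCH, None


def forward_only(src, dst):
    """Classifies A->B only and leaves reverse packets to the meter."""
    if in_net(src, NET_A) and in_net(dst, NET_B):
        return SUC, ("A", "B")
    return NOMATCH, None


def inconsistent(src, dst):
    """Counts A->B but ignores every packet whose source is in B."""
    if in_net(src, NET_B):
        return IGNORE, None
    return forward_only(src, dst)


def reverse_losses(match, samples):
    """Sampled consistency check: counted packets whose replies are ignored."""
    return [(s, d) for s, d in samples
            if match(s, d)[0] == SUC and match(d, s)[0] == IGNORE]


def run(match, packets):
    """Feed (src, dst) pairs through a fresh meter and return its flow table."""
    meter = Meter(match)
    for src, dst in packets:
        meter.process(src, dst)
    return meter.flows
```

With the inconsistent rule set the reply packet never reaches the reverse match, so the A-to-B flow keeps a reverse count of zero; reverse_losses() reports the sample whose reply is lost.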

Occasionally there can be situations when a rule set needs to know the direction in which a packet is being matched. Consider, for example, a rule set which wants to save some attribute values (source and destination addresses perhaps) for any 'unusual' packets. The rule set will contain a sequence of tests for all the 'usual' source addresses, followed by a rule which will execute a 'NoMatch' action. If the match fails in the S->D direction, the NoMatch action will cause it to be retried. If it fails in the D->S direction, the packet can be counted as an 'unusual' packet.

To count such an 'unusual' packet we need to know the matching direction: the MatchingStoD attribute provides this. To use it, one follows the source address tests with a rule which tests whether the matching direction is S->D (MatchingStoD value is 1). If so, a 'NoMatch' action is executed. Otherwise, the packet has failed to match in both directions; we can save whatever attribute values are of interest and count the 'unusual' packet.

4.4 Rules and Rule Sets

A rule set is an array of rules. Rule sets are held within a meter as entries in an array of rule sets.

Rule set 1 (the first entry in the rule set table) is built-in to the meter and cannot be changed. It is run when the meter is started up, and provides a very coarse reporting granularity; it is mainly useful for verifying that the meter is running, before a 'useful' rule set is downloaded to it.

A meter also maintains an array of 'tasks', which specify what rule sets the meter is running. Each task has a 'current' rule set (the one which it normally uses), and a 'standby' rule set (which will be used when the overall traffic level is unusually high). If a task is instructed to use rule set 0, it will cease measuring; all packets will be ignored until another (non-zero) rule set is made current.

Each rule in a rule set is an instruction for the Packet Matching Engine, i.e. it is an instruction for a Virtual Machine. PME instructions have five component fields, forming two logical groups as follows:

      +-------- test ---------+    +---- action -----+
      attribute & mask = value:    opcode,  parameter;
        

The test group allows PME to test the value of an attribute. This is done by ANDing the attribute value with the mask and comparing the result with the value field. Note that there is no explicit provision to test a range, although this can be done where the range can be covered by a mask, e.g. attribute value less than 2048.

The PME maintains a Boolean indicator called the 'test indicator', which determines whether or not a rule's test is performed. The test indicator is initially set (true).

The action group specifies what action may be performed when the rule is executed. Opcodes contain two flags: 'goto' and 'test', as detailed in the table below. Execution begins with rule 1, the first in the rule set. It proceeds as follows:

If the test indicator is true: Perform the test, i.e. AND the attribute value with the mask and compare it with the value. If these are equal the test has succeeded; perform the rule's action (below). If the test fails execute the next rule in the rule set. If there are no more rules in the rule set, return from the match() function indicating NoMatch.

If the test indicator is false, or the test (above) succeeded: Set the test indicator to this opcode's test flag value. Determine the next rule to execute. If the opcode has its goto flag set, its parameter value specifies the number of the next rule. Opcodes which don't have their goto flags set either determine the next rule in special ways (Return), or they terminate execution (Ignore, NoMatch, Count, CountPkt). Perform the action.

The PME maintains two 'history' data structures. The first, the 'return' stack, simply records the index (i.e. 1-origin rule number) of each Gosub rule as it is executed; Return rules pop their Gosub rule index. Note that when the Ignore, NoMatch, Count and CountPkt actions are performed, PME execution is terminated regardless of whether the PME is executing a subroutine ('return' stack is non-empty) or not.

The second data structure, the 'pattern' queue, is used to save information for later use in building a flow key. A flow key is built by zeroing all its attribute values, then copying attribute number, mask and value information from the pattern queue in the order it was enqueued.

An attribute number identifies the attribute actually used in a test. It will usually be the rule's attribute field, unless the attribute is a 'meter variable'. Details of meter variables are given after the table of opcode actions below.

The opcodes are:

      opcode         goto    test

      1  Ignore         0       -
      2  NoMatch        0       -
      3  Count          0       -
      4  CountPkt       0       -
      5  Return         0       0
      6  Gosub          1       1
      7  GosubAct       1       0
      8  Assign         1       1
      9  AssignAct      1       0
     10  Goto           1       1
     11  GotoAct        1       0
     12  PushRuleTo     1       1
     13  PushRuleToAct  1       0
     14  PushPktTo      1       1
     15  PushPktToAct   1       0
     16  PopTo          1       1
     17  PopToAct       1       0

The actions they perform are:

Ignore: Stop matching, return from the match() function indicating that the packet is to be ignored.

NoMatch: Stop matching, return from the match() function indicating failure.

Count: Stop matching. Save this rule's attribute number, mask and value in the PME's pattern queue, then construct a flow key for the flow to which this packet belongs. Return from the match() function indicating success. The meter will use the flow key to search for the flow record for this packet's flow.

CountPkt: As for Count, except that the masked value from the packet header (as it would have been used in the rule's test) is saved in the PME's pattern queue instead of the rule's value.

Gosub: Call a rule-matching subroutine. Push the current rule number on the PME's return stack, set the test indicator then goto the specified rule.

GosubAct: Same as Gosub, except that the test indicator is cleared before going to the specified rule.

Return: Return from a rule-matching subroutine. Pop the number of the calling gosub rule from the PME's 'return' stack and add this rule's parameter value to it to determine the 'target' rule. Clear the test indicator then goto the target rule.

A subroutine call appears in a rule set as a Gosub rule followed by a small group of following rules. Since a Return action clears the test flag, the action of one of these 'following' rules will be executed; this allows the subroutine to return a result (in addition to any information it may save in the PME's pattern queue).

Assign: Set the attribute specified in this rule to the parameter value specified for this rule. Set the test indicator then goto the specified rule.

AssignAct: Same as Assign, except that the test indicator is cleared before going to the specified rule.

Goto: Set the test indicator then goto the specified rule.

GotoAct: Clear the test indicator then goto the specified rule.

PushRuleTo: Save this rule's attribute number, mask and value in the PME's pattern queue. Set the test indicator then goto the specified rule.

PushRuleToAct: Same as PushRuleTo, except that the test indicator is cleared before going to the specified rule.

PushRuleTo actions may be used to save the value and mask used in a test, or (if the test is not performed) to save an arbitrary value and mask.

PushPktTo: Save this rule's attribute number, mask, and the masked value from the packet header (as it would have been used in the rule's test), in the PME's pattern queue. Set the test indicator then goto the specified rule.

PushPktToAct: Same as PushPktTo, except that the test indicator is cleared before going to the specified rule.

PushPktTo actions may be used to save a value from the packet header using a specified mask. The simplest way to program this is to use a zero value for the PushPktTo rule's value field, and to GotoAct to the PushPktTo rule (so that its test is not executed).

PopTo: Delete the most recent item from the pattern queue, so as to remove the information saved by an earlier 'push' action. Set the test indicator then goto the specified rule.

PopToAct: Same as PopTo, except that the test indicator is cleared before going to the specified rule.

As well as the attributes applying directly to packets (such as SourcePeerAddress, DestTransAddress, etc.) the PME implements several further attributes. These are:

Null: Tests performed on the Null attribute always succeed.

MatchingStoD: Indicates whether the PME is matching the packet with its addresses in 'wire order' or with its addresses reversed. MatchingStoD's value is 1 if the addresses are in wire order (StoD), and zero otherwise.

v1 .. v5: v1, v2, v3, v4 and v5 are 'meter variables'. They provide a way to pass parameters into rule-matching subroutines. Each may hold the number of a normal attribute; its value is set by an Assign action. When a meter variable appears as the attribute of a rule, its value specifies the actual attribute to be tested. For example, if v1 had been assigned SourcePeerAddress as its value, a rule with v1 as its attribute would actually test SourcePeerAddress.

SourceClass, DestClass, FlowClass, SourceKind, DestKind, FlowKind: These six attributes may be set by executing PushRuleTo actions. They allow the PME to save (in flow records) information which has been built up during matching. Their values may be tested in rules; this allows one to set them early in a rule set, and test them later.

The opcodes detailed above (with their above 'goto' and 'test' values) form a minimum set, but one which has proved very effective in current meter implementations. From time to time it may be useful to add further opcodes; IANA considerations for allocating these are set out in section 8 below.
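
An added example, not part of the RFC or of any meter implementation: a small Python interpreter for the rule format of this section, run on a constructed rule set that uses a mask to test 'port less than 2048', a Gosub/Return subroutine, the GotoAct-to-PushPktTo idiom and MatchingStoD. Assign/AssignAct and meter variables are left out; the step budget, the RuleSetError checks and the ip() and packet() helpers are assumptions of this example.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "attr mask value opcode param")

# Test flag per opcode, from the opcode table. Ignore, NoMatch, Count and
# CountPkt end execution, so their flag ('-') is never consulted.
TEST_FLAG = {"Return": 0, "Gosub": 1, "GosubAct": 0, "Goto": 1, "GotoAct": 0,
             "PushRuleTo": 1, "PushRuleToAct": 0, "PushPktTo": 1,
             "PushPktToAct": 0, "PopTo": 1, "PopToAct": 0}


class RuleSetError(Exception):
    """A rule set that cannot be executed safely (assumed error type)."""


def ip(text):
    return int(ipaddress.ip_address(text))


def match(rules, pkt, max_steps=1000):
    """Match pkt (attribute -> int) in one direction: (result, flow key)."""
    pc, test_indicator = 1, True        # execution begins with rule 1
    return_stack, queue = [], []
    for _ in range(max_steps):          # assumption: step budget against loops
        if pc > len(rules):
            return "NoMatch", None      # no more rules in the rule set
        rule = rules[pc - 1]
        masked = pkt.get(rule.attr, 0) & rule.mask
        if test_indicator and rule.attr != "Null" and masked != rule.value:
            pc += 1                     # test failed: execute the next rule
            continue
        op = rule.opcode
        if op in ("Ignore", "NoMatch"):
            return op, None
        if op in ("Count", "CountPkt"):
            saved = rule.value if op == "Count" else masked
            queue.append((rule.attr, rule.mask, saved))
            # Flow key: start zeroed (empty), copy entries in enqueue order.
            return "Suc", {attr: (mask, value) for attr, mask, value in queue}
        if op not in TEST_FLAG:
            raise RuleSetError(f"rule {pc}: unknown opcode {op!r}")
        target = rule.param
        if op == "Return":
            if not return_stack:
                raise RuleSetError(f"rule {pc}: Return with empty return stack")
            target = return_stack.pop() + rule.param
        elif op.startswith("Gosub"):
            return_stack.append(pc)
        elif op.startswith("PushRuleTo"):
            queue.append((rule.attr, rule.mask, rule.value))
        elif op.startswith("PushPktTo"):
            queue.append((rule.attr, rule.mask, masked))
        elif op.startswith("PopTo") and queue:
            queue.pop()                 # drop the most recently saved item
        if not 1 <= target <= len(rules):
            raise RuleSetError(f"rule {pc}: target rule {target} does not exist")
        test_indicator = bool(TEST_FLAG[op])
        pc = target
    raise RuleSetError("step budget exhausted; the rule set probably loops")


# Constructed rule set (1-origin). Sources in 10.1.0.0/16 are the 'usual' ones.
RULES = [
    Rule("SourcePeerAddress", 0xFFFF0000, ip("10.1.0.0"), "GotoAct", 4),  # 1
    Rule("MatchingStoD", 1, 1, "NoMatch", 0),          # 2 still S->D: retry
    Rule("Null", 0, 0, "GotoAct", 10),                 # 3 failed both ways
    Rule("SourcePeerAddress", 0xFFFFFF00, 0, "PushPktTo", 5),  # 4 save /24
    Rule("Null", 0, 0, "Gosub", 8),                    # 5 call port test
    Rule("FlowKind", 255, 1, "Count", 0),              # 6 Return 1 lands here
    Rule("FlowKind", 255, 2, "Count", 0),              # 7 Return 2 lands here
    Rule("DestTransAddress", 0xF800, 0, "Return", 1),  # 8 port < 2048
    Rule("Null", 0, 0, "Return", 2),                   # 9 any other port
    Rule("SourcePeerAddress", 0xFFFFFFFF, 0, "PushPktToAct", 11),  # 10
    Rule("FlowKind", 255, 3, "Count", 0),              # 11 'unusual' packet
]


def packet(src, dst, sport, dport, s_to_d=True):
    """The PME's view of a packet; s_to_d=False swaps source and destination."""
    if not s_to_d:
        src, dst = dst, src
        sport, dport = dport, sport
    return {"SourcePeerAddress": ip(src), "DestPeerAddress": ip(dst),
            "SourceTransAddress": sport, "DestTransAddress": dport,
            "MatchingStoD": int(s_to_d)}
```

Rules 4 and 10 are only ever reached with the test indicator cleared, so their zero value fields are never compared. For an 'unusual' packet the address saved by rule 10 is the source as seen in the reversed match, that is, the packet's destination in wire order.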

4.5 Maintaining the Flow Table

The flow table may be thought of as a 1-origin array of flow records. (A particular implementation may, of course, use whatever data structure is most suitable). When the meter starts up there are no known flows; all the flow records are in the 'inactive' state.

Each time a packet is matched for a flow which is not in a current flow set a flow record is created for it; the state of such a record is 'current'. When selecting a record for the new flow the meter searches the flow table for an 'inactive' record. If no inactive records are available it will search for an 'idle' one instead. Note that there is no particular significance in the ordering of records within the flow table.

A meter's memory management routines should aim to minimise the time spent finding flow records for new flows, so as to minimise the setup overhead associated with each new flow.

Flow data may be collected by a 'meter reader' at any time. There is no requirement for collections to be synchronized. The reader may collect the data in any suitable manner, for example it could upload a copy of the whole flow table using a file transfer protocol, or it could read the records in the current flow set row by row using a suitable data transfer protocol.

The meter keeps information about collections, in particular it maintains ReaderLastTime variables which remember the time the last collection was made by each reader. A second variable, InactivityTime, specifies the minimum time the meter will wait before considering that a flow is idle.

The meter must recover records used for idle flows, if only to prevent it running out of flow records. Recovered flow records are returned to the 'inactive' state. A variety of recovery strategies are possible, including the following:

One possible recovery strategy is to recover idle flow records as soon as possible after their data has been collected by all readers which have registered to do so. To implement this the meter could run a background process which scans the flow table looking for 'current' flows whose 'last packet' time is earlier than the meter's LastCollectTime.

Another recovery strategy is to leave idle flows alone as long as possible, which would be acceptable if one was only interested in measuring total traffic volumes. It could be implemented by having the meter search for collected idle flows only when it ran low on 'inactive' flow records.

One further factor a meter should consider before recovering a flow is the number of meter readers which have collected the flow's data. If there are multiple meter readers operating, each reader should collect a flow's data before its memory is recovered.

Of course a meter reader may fail, so the meter cannot wait forever for it. Instead the meter must keep a table of active meter readers, with a timeout specified for each. If a meter reader fails to collect flow data within its timeout interval, the meter should delete that reader from the meter's active meter reader table.

4.6 Handling Increasing Traffic Levels

Under normal conditions the meter reader specifies which set of usage records it wants to collect, and the meter provides them. If, however, memory usage rises above the high-water mark the meter should switch to a STANDBY RULE SET so as to decrease the rate at which new flows are created.

When the manager, usually as part of a regular poll, becomes aware that the meter is using its standby rule set, it could decrease the interval between collections. This would shorten the time that flows sit in memory waiting to be collected, allowing the meter to free flow memory faster.

The meter could also increase its efforts to recover flow memory so as to reduce the number of idle flows in memory. When the situation returns to normal, the manager may request the meter to switch back to its normal rule set.
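
Flow record recovery from section 4.5 (idle flows, per-reader collection times, reader timeouts) together with the high-water mark of this section, as an added Python example that is not part of the RFC. The class and method names, the dictionary standing in for the flow table, the recover-on-demand strategy and the choice to recover freely when no reader is active are assumptions of this example; the timeline in scenario() is constructed.

```python
class Meter:
    def __init__(self, capacity, inactivity_time, high_water_pct):
        self.capacity = capacity                # number of flow records
        self.inactivity_time = inactivity_time  # InactivityTime, in seconds
        self.high_water_pct = high_water_pct    # percent of capacity
        self.flows = {}     # 'current' records; unused capacity is 'inactive'
        self.readers = {}   # active readers: name -> {"last", "timeout"}

    def register_reader(self, name, now, timeout):
        self.readers[name] = {"last": now, "timeout": timeout}

    def collect(self, name, now):
        """Reader 'name' collects every flow; record its ReaderLastTime."""
        self.readers[name]["last"] = now
        return {key: dict(rec) for key, rec in self.flows.items()}

    def expire_readers(self, now):
        """Delete readers that failed to collect within their timeout."""
        dead = [name for name, r in self.readers.items()
                if now - r["last"] > r["timeout"]]
        for name in dead:
            del self.readers[name]
        return dead

    def recover(self, now):
        """Return idle, fully collected records to the inactive state."""
        self.expire_readers(now)
        # A flow has been collected by every reader once its last packet is
        # older than the earliest ReaderLastTime among the active readers.
        # Assumption: with no active reader, idle flows are recovered freely.
        oldest = min((r["last"] for r in self.readers.values()), default=now)
        freed = [key for key, rec in self.flows.items()
                 if now - rec["last_packet"] >= self.inactivity_time
                 and rec["last_packet"] < oldest]
        for key in freed:
            del self.flows[key]
        return freed

    def above_high_water(self):
        """True when the meter should switch to its standby rule set."""
        return 100 * len(self.flows) > self.high_water_pct * self.capacity

    def count(self, key, now, nbytes):
        """Count one packet; False means no flow record could be found."""
        rec = self.flows.get(key)
        if rec is None:
            if len(self.flows) >= self.capacity and not self.recover(now):
                return False            # table full and nothing recoverable
            rec = self.flows[key] = {"start": now, "last_packet": now,
                                     "packets": 0, "bytes": 0}
        rec["last_packet"] = now
        rec["packets"] += 1
        rec["bytes"] += nbytes
        return True


def scenario():
    """Constructed timeline: reader r2 registers at t=0 and never collects."""
    meter = Meter(capacity=4, inactivity_time=30, high_water_pct=75)
    meter.register_reader("r1", now=0, timeout=100)
    meter.register_reader("r2", now=0, timeout=100)
    for host in range(4):
        meter.count(("10.0.0.%d" % host, "192.0.2.1"), now=10, nbytes=100)
    standby_when_full = meter.above_high_water()
    meter.collect("r1", now=50)
    new_flow = ("10.0.0.9", "192.0.2.1")
    pinned = meter.count(new_flow, now=60, nbytes=100)     # r2 still active
    admitted = meter.count(new_flow, now=120, nbytes=100)  # r2 has timed out
    return (standby_when_full, pinned, admitted,
            sorted(meter.readers), len(meter.flows))
```

Until r2's timeout expires its stale collection time pins every idle flow, so the new flow at t=60 finds no record; the reader timeout is what bounds how long a failed reader can hold flow memory.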

5 Meter Readers

Usage data is accumulated by a meter (e.g. in a router) as memory permits. It is collected at regular reporting intervals by meter readers, as specified by a manager. The collected data is recorded in stable storage as a FLOW DATA FILE, as a sequence of USAGE RECORDS.

The following sections describe the contents of usage records and flow data files. Note, however, that at this stage the details of such records and files are not specified in the architecture. Specifying a common format for them would be a worthwhile future development.

5.1 Identifying Flows in Flow Records

Once a packet has been classified and is ready to be counted, an appropriate flow data record must already exist in the flow table; otherwise one must be created. The flow record has a flexible format where unnecessary identification attributes may be omitted. The determination of which attributes of the flow record to use, and of what values to put in them, is specified by the current rule set.

Note that the combination of start time, rule set number and flow subscript (row number in the flow table) provides a unique flow identifier, regardless of the values of its other attributes.

The current rule set may specify additional information, e.g. a computed attribute value such as FlowKind, which is to be placed in the attribute section of the usage record. That is, if a particular flow is matched by the rule set, then the corresponding flow record should be marked not only with the qualifying identification attributes, but also with the additional information. Using this feature, several flows may each carry the same FlowKind value, so that the resulting usage records can be used in post-processing or between meter reader and meter as a criterion for collection.

5.2 Usage Records, Flow Data Files

The collected usage data will be stored in flow data files on the meter reader, one file for each meter. As well as containing the measured usage data, flow data files must contain information uniquely identifying the meter from which it was collected.

A USAGE RECORD contains the descriptions of and values for one or more flows. Quantities are counted in terms of number of packets and number of bytes per flow. Other quantities, e.g. short-term flow rates, may be added later; work on such extensions is described in the RTFM 'New Attributes' document [RTFM-NEW].

Each usage record contains the metered traffic group identifier of the meter (a set of network addresses), a time stamp and a list of reported flows (FLOW DATA RECORDS). A meter reader will build up a file of usage records by regularly collecting flow data from a meter, using this data to build usage records and concatenating them to the tail of a file. Such a file is called a FLOW DATA FILE.

A usage record contains the following information in some form:

   +-------------------------------------------------------------------+
   |    RECORD IDENTIFIERS:                                            |
   |      Meter Id (& digital signature if required)                   |
   |      Timestamp                                                    |
   |      Collection Rules ID                                          |
   +-------------------------------------------------------------------+
   |    FLOW IDENTIFIERS:            |    COUNTERS                     |
   |      Address List               |       Packet Count              |
   |      Subscriber ID (Optional)   |       Byte Count                |
   |      Attributes (Optional)      |    Flow Start/Stop Time         |
   +-------------------------------------------------------------------+
        
5.3 Meter to Meter Reader: Usage Record Transmission

The usage record contents are the raison d'etre of the system. The accuracy, reliability, and security of transmission are the primary concerns of the meter/meter reader exchange. Since errors may occur on networks, and Internet packets may be dropped, some mechanism for ensuring that the usage information is transmitted intact is needed.

Flow data is moved from meter to meter reader via a series of protocol exchanges between them. This may be carried out in various ways, moving individual attribute values, complete flows, or the entire flow table (i.e. all the active and idle flows). One possible method of achieving this transfer is to use SNMP; the 'Traffic Flow Measurement: Meter MIB' RFC [RTFM-MIB] gives details. Note that this is simply one example; the transfer of flow data from meter to meter reader is not specified in this document.

The reliability of the data transfer method under light, normal, and extreme network loads should be understood before selecting among collection methods.

In normal operation the meter will be running a rule file which provides the required degree of flow reporting granularity, and the meter reader(s) will collect the flow data often enough to allow the meter's garbage collection mechanism to maintain a stable level of memory usage.

In the worst case traffic may increase to the point where the meter is in danger of running completely out of flow memory. The meter implementor must decide how to handle this, for example by switching to a default (extremely coarse granularity) rule set, by sending a trap message to the manager, or by attempting to dump flow data to the meter reader.

Users of the Traffic Flow Measurement system should analyse their requirements carefully and assess for themselves whether it is more important to attempt to collect flow data at normal granularity (increasing the collection frequency as needed to keep up with traffic volumes), or to accept flow data with a coarser granularity. Similarly, it may be acceptable to lose flow data for a short time in return for being sure that the meter keeps running properly, i.e. is not overwhelmed by rising traffic levels.

6 Managers

A manager configures meters and controls meter readers. It does this via the interactions described below.

6.1 Between Manager and Meter: Control Functions

- DOWNLOAD RULE SET: A meter may hold an array of rule sets. One of these, the 'default' rule set, is built in to the meter and cannot be changed; this is a diagnostic feature, ensuring that when a meter starts up it will be running a known ruleset.

All other rule sets must be downloaded by the manager. A manager may use any suitable protocol exchange to achieve this, for example an FTP file transfer or a series of SNMP SETs, one for each row of the rule set.

- SPECIFY METER TASK: Once the rule sets have been downloaded, the manager must instruct the meter which rule sets will be the 'current' and 'standby' ones for each task the meter is to perform.

- SET HIGH WATER MARK: A percentage of the flow table capacity, used by the meter to determine when to switch to its standby rule set (so as to increase the granularity of the flows and conserve the meter's flow memory). Once this has happened, the manager may also change the polling frequency or the meter's control parameters (so as to increase the rate at which the meter can recover memory from idle flows). The meter has a separate high water mark value for each task it is currently running.

If the high traffic levels persist, the meter's normal rule set may have to be rewritten to permanently reduce the reporting granularity.

- SET FLOW TERMINATION PARAMETERS: In situations where lack of resources may cause data loss, the meter should have the good sense to purge flow records from its tables. Such records may include:

  - Flows that have already been reported to all registered meter readers, and show no activity since the last report,
  - Oldest flows, or
  - Flows with the smallest number of observed packets.

- SET INACTIVITY TIMEOUT: This is a time in seconds since the last packet was seen for a flow. Flow records may be reclaimed if they have been idle for at least this amount of time, and have been collected in accordance with the current collection criteria.

It might be useful if a manager could set the FLOW TERMINATION PARAMETERS to different values for different tasks. Current meter implementations have only single ('whole meter') values for these parameters, and experience to date suggests that this provides an adequate degree of control for the tasks.

6.2 Between Manager and Meter Reader: Control Functions

Because there are a number of parameters that must be set for traffic flow measurement to function properly, and viable settings may change as a result of network traffic characteristics, it is desirable to have dynamic network management as opposed to static meter configurations. Many of these operations have to do with space tradeoffs - if memory at the meter is exhausted, either the collection interval must be decreased or a coarser granularity of aggregation must be used to reduce the number of active flows.

Increasing the collection interval effectively stores data in the meter; usage data in transit is limited by the effective bandwidth of the virtual link between the meter and the meter reader, and since these limited network resources are usually also used to carry user data (the purpose of the network), the level of traffic flow measurement traffic should be kept to an affordable fraction of the bandwidth. ("Affordable" is a policy decision made by the Network Operations personnel). At any rate, it must be understood that the operations below do not represent the setting of independent variables; on the contrary, each of the values set has a direct and measurable effect on the behaviour of the other variables.

Network management operations follow:

- MANAGER and METER READER IDENTIFICATION: The manager should ensure that meters are read by the correct set of meter readers, and take steps to prevent unauthorised access to usage information. The meter readers so identified should be prepared to poll if necessary and accept data from the appropriate meters. Alternate meter readers may be identified in case both the primary manager and the primary meter reader are unavailable. Similarly, alternate managers may be identified.

- REPORTING INTERVAL CONTROL: The usual reporting interval should be selected to cope with normal traffic patterns. However, it may be possible for a meter to exhaust its memory during traffic spikes even with a correctly set reporting interval. Some mechanism should be available for the meter to tell the manager that it is in danger of exhausting its memory (by declaring a 'high water' condition), and for the manager to arbitrate (by decreasing the polling interval, letting nature take its course, or by telling the meter to ask for help sooner next time).

- GRANULARITY CONTROL: Granularity control is a catch-all for all the parameters that can be tuned and traded to optimise the system's ability to reliably measure and store information on all the traffic (or as close to all the traffic as an administration requires). Granularity:

  - Controls the amount of address information identifying each flow, and
  - Determines the number of buckets into which user traffic will be lumped together.

Since granularity is controlled by the meter's current rule set, the manager can only change it by requesting the meter to switch to a different rule set. The new rule set could be downloaded when required, or it could have been downloaded as part of the meter's initial configuration.

- FLOW LIFETIME CONTROL: Flow termination parameters include timeout parameters for obsoleting inactive flows and removing them from tables, and maximum flow lifetimes. This is intertwined with reporting interval and granularity, and must be set in accordance with the other parameters.

6.3 Exception Conditions

Exception conditions must be handled, particularly occasions when the meter runs out of space for flow data. Since - to prevent an active task from counting any packet twice - packets can only be counted in a single flow, discarding records will result in the loss of information. The mechanisms to deal with this are as follows:

- METER OUTAGES: In case of impending meter outages (controlled restarts, etc.) the meter could send a trap to the manager. The manager could then request one or more meter readers to pick up the data from the meter.

Following an uncontrolled meter outage such as a power failure, the meter could send a trap to the manager indicating that it has restarted. The manager could then download the meter's correct rule set and advise the meter reader(s) that the meter is running again. Alternatively, the meter reader may discover from its regular poll that a meter has failed and restarted. It could then advise the manager of this, instead of relying on a trap from the meter.

- METER READER OUTAGES: If the collection system is down or isolated, the meter should try to inform the manager of its failure to communicate with the collection system. Usage data is maintained in the flows' rolling counters, and can be recovered when the meter reader is restarted.

- MANAGER OUTAGES: If the manager fails for any reason, the meter should continue measuring and the meter reader(s) should keep gathering usage records.

- BUFFER PROBLEMS: The network manager may realise that there is a 'low memory' condition in the meter. This can usually be attributed to the interaction between the following controls:

  - The reporting interval is too infrequent, or
  - The reporting granularity is too fine.

Either of these may be exacerbated by low throughput or bandwidth of circuits carrying the usage data. The manager may change any of these parameters in response to the meter's (or meter reader's) plea for help.

6.4 Standard Rule Sets

Although the rule table is a flexible tool, it can also become very complex. It may be helpful to develop some rule sets for common applications:

- PROTOCOL TYPE: The meter records packets by protocol type. This will be the default rule table for Traffic Flow Meters.

- ADJACENT SYSTEMS: The meter records packets by the MAC address of the Adjacent Systems (neighbouring originator or next-hop). (Variants on this table are "report source" or "report sink" only.) This strategy might be used by a regional or backbone network which wants to know how much aggregate traffic flows to or from its subscriber networks.

- END SYSTEMS: The meter records packets by the IP address pair contained in the packet. (Variants on this table are "report source" or "report sink" only.) This strategy might be used by an End System network to get detailed host traffic matrix usage data.

- TRANSPORT TYPE: The meter records packets by transport address; for IP packets this provides usage information for the various IP services.

- HYBRID SYSTEMS: Combinations of the above, e.g. for one interface report End Systems, for another interface report Adjacent Systems. This strategy might be used by an enterprise network to learn detail about local usage and use an aggregate count for the shared regional network.

7 Security Considerations

7.1 Threat Analysis

A traffic flow measurement system may be subject to the following kinds of attacks:

- ATTEMPTS TO DISABLE A TRAFFIC METER: An attacker may attempt to disrupt traffic measurement so as to prevent users being charged for network usage. For example, a network probe sending packets to a large number of destination and transport addresses could produce a sudden rise in the number of flows in a meter's flow table, thus forcing it to use its coarser standby rule set.

- UNAUTHORIZED USE OF SYSTEM RESOURCES: An attacker may wish to gain advantage or cause mischief (e.g. denial of service) by subverting any of the system elements - meters, meter readers or managers.

- UNAUTHORIZED DISCLOSURE OF DATA: Any data that is sensitive to disclosure can be read through active or passive attacks unless it is suitably protected. Usage data may or may not be of this type. Control messages, traps, etc. are not likely to be considered sensitive to disclosure.

- UNAUTHORIZED ALTERATION, REPLACEMENT OR DESTRUCTION OF DATA: Similarly, any data whose integrity is sensitive can be altered, replaced/injected or deleted through active or passive attacks unless it is suitably protected. Attackers may modify message streams to falsify usage data or interfere with the proper operation of the traffic flow measurement system. Therefore, all messages, both those containing usage data and those containing control data, should be considered vulnerable to such attacks.

7.2 Countermeasures

The following countermeasures are recommended to address the possible threats enumerated above:

- ATTEMPTS TO DISABLE A TRAFFIC METER can't be completely countered. In practice, flow data records from network security attacks have proved very useful in determining what happened. The most effective approach is first to configure the meter so that it has three or more times as much flow memory as it needs in normal operation, and second to collect the flow data fairly frequently so as to minimise the time needed to recover flow memory after such an attack.

- UNAUTHORIZED USE OF SYSTEM RESOURCES is countered through the use of authentication and access control services.

- UNAUTHORIZED DISCLOSURE OF DATA is countered through the use of a confidentiality (encryption) service.

- UNAUTHORIZED ALTERATION, REPLACEMENT OR DESTRUCTION OF DATA is countered through the use of an integrity service.
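
An added example, not part of the RFC or of any RTFM implementation: a toy meter model in Python showing why the first countermeasure above recommends generous flow memory and frequent collection, using the high water mark, standby rule set and inactivity timeout controls from section 6.1. The two rule sets, the addresses, the table sizes and the timings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    packets: int = 0
    last_seen: int = 0
    collected_at: int = -1      # time the meter reader last read this record


def fine_key(pkt):
    """'Current' rule set (constructed): end-system pair plus transport address."""
    return (pkt["src"], pkt["dst"], pkt["dport"])


def coarse_key(pkt):
    """'Standby' rule set (constructed): one flow per source /24."""
    return (pkt["src"].rsplit(".", 1)[0] + ".0/24",)


class Meter:
    def __init__(self, capacity, high_water_pct=80, inactivity_timeout=10):
        self.capacity = capacity
        self.high_water_pct = high_water_pct
        self.inactivity_timeout = inactivity_timeout
        self.flows = {}
        self.ruleset = "current"
        self.switched_at = None
        self.uncounted = 0      # packets not counted because the table was full

    def observe(self, pkt, now):
        key = (fine_key if self.ruleset == "current" else coarse_key)(pkt)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.capacity:
                self.uncounted += 1
                return
            flow = self.flows[key] = Flow()
        flow.packets += 1
        flow.last_seen = now
        # High water mark: a percentage of the flow table capacity.
        if (self.ruleset == "current"
                and len(self.flows) * 100 >= self.capacity * self.high_water_pct):
            self.ruleset, self.switched_at = "standby", now

    def read(self, now):
        """A meter reader collects every flow record."""
        for flow in self.flows.values():
            flow.collected_at = now

    def garbage_collect(self, now):
        """Reclaim records that are idle for the timeout and already collected."""
        idle = [k for k, f in self.flows.items()
                if now - f.last_seen >= self.inactivity_timeout
                and f.collected_at >= f.last_seen]
        for k in idle:
            del self.flows[k]
        return len(idle)


def simulate(capacity, read_interval, burst_at=31, burst_flows=120, duration=120):
    """One-second ticks: 100 steady flows, plus one burst of new flows."""
    normal = [{"src": f"10.0.0.{i}", "dst": f"10.0.1.{j}", "dport": 80}
              for i in range(1, 21) for j in range(1, 6)]
    # Constructed burst: one source, many destination and transport addresses.
    burst = [{"src": "10.0.9.9", "dst": f"10.0.2.{n + 1}", "dport": 1024 + n}
             for n in range(burst_flows)]
    meter = Meter(capacity)
    peak, recovered_at = 0, None
    for now in range(duration + 1):
        for pkt in normal + (burst if now == burst_at else []):
            meter.observe(pkt, now)
        peak = max(peak, len(meter.flows))
        if now % read_interval == 0:
            meter.read(now)
        meter.garbage_collect(now)
        if (recovered_at is None and now > burst_at
                and len(meter.flows) <= len(normal)):
            recovered_at = now
    return {"switched_at": meter.switched_at, "peak_flows": peak,
            "recovered_at": recovered_at, "uncounted": meter.uncounted}


if __name__ == "__main__":
    for cap, interval in [(150, 5), (300, 5), (300, 60)]:
        print(f"capacity={cap} read_interval={interval}s ->", simulate(cap, interval))
```

With this constructed traffic, a table sized at 1.5 times the normal flow count is forced onto its standby rule set by the burst, while one sized at three times is not; reading every 5 seconds rather than every 60 lets the meter reclaim the burst's records sooner.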

A Traffic Measurement system must address all of these concerns. Since a high degree of protection is required, the use of strong cryptographic methodologies is recommended. The security requirements for communication between pairs of traffic measurement system elements are summarized in the table below. It is assumed that meters do not communicate with other meters, and that meter readers do not communicate directly with other meter readers (if synchronization is required, it is handled by the manager, see Section 2.5). Each entry in the table indicates which kinds of security services are required. Basically, the requirements are as follows:

Security Service Requirements for RTFM elements

  +------------------------------------------------------------------+
  | from\to |    meter     | meter reader | application |  manager   |
  |---------+--------------+--------------+-------------+------------|
  | meter   |     N/A      |  authent     |     N/A     |  authent   |
  |         |              |  acc ctrl    |             |  acc ctrl  |
  |         |              |  integrity   |             |            |
  |         |              |  confid **   |             |            |
  |---------+--------------+--------------+-------------+------------|
  | meter   |   authent    |     N/A      |  authent    |  authent   |
  | reader  |   acc ctrl   |              |  acc ctrl   |  acc ctrl  |
  |         |              |              |  integrity  |            |
  |         |              |              |  confid **  |            |
  |---------+--------------+--------------+-------------+------------|
  | appl    |     N/A      |  authent     |             |            |
  |         |              |  acc ctrl    |     ##      |    ##      |
  |---------+--------------+--------------+-------------+------------|
  | manager |  authent     |  authent     |     ##      |  authent   |
  |         |  acc ctrl    |  acc ctrl    |             |  acc ctrl  |
  |         |  integrity   |  integrity   |             |  integrity |
  +------------------------------------------------------------------+
        
     N/A = Not Applicable    ** = optional    ## = outside RTFM scope
        

- When any two elements intercommunicate they should mutually authenticate themselves to one another. This is indicated by 'authent' in the table. Once authentication is complete, an element should check that the requested type of access is allowed; this is indicated on the table by 'acc ctrl'.

- Whenever there is a transfer of information its integrity should be protected.

- Whenever there is a transfer of usage data it should be possible to ensure its confidentiality if it is deemed sensitive to disclosure. This is indicated by 'confid' in the table.

Security protocols are not specified in this document. The system elements' management and collection protocols are responsible for providing sufficient data integrity, confidentiality, authentication and access control services.
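
One way to check a deployment against the table above, as an added example that is not part of the RFC: the `audit` helper and the two deployment descriptions are hypothetical, and the service names are the table's own abbreviations.

```python
AUTH, ACC, INTEG, CONFID = "authent", "acc ctrl", "integrity", "confid"
ELEMENTS = {"meter", "meter reader", "application", "manager"}

# Transcribed from the table above; keys are (from, to).
REQUIRED = {
    ("meter", "meter reader"): {AUTH, ACC, INTEG},
    ("meter", "manager"): {AUTH, ACC},
    ("meter reader", "meter"): {AUTH, ACC},
    ("meter reader", "application"): {AUTH, ACC, INTEG},
    ("meter reader", "manager"): {AUTH, ACC},
    ("application", "meter reader"): {AUTH, ACC},
    ("manager", "meter"): {AUTH, ACC, INTEG},
    ("manager", "meter reader"): {AUTH, ACC, INTEG},
    ("manager", "manager"): {AUTH, ACC, INTEG},
}
# 'confid **' cells: needed only when usage data is deemed sensitive.
CONFID_OPTIONAL = {("meter", "meter reader"), ("meter reader", "application")}
# 'N/A' cells: these elements are assumed not to talk to each other.
NOT_APPLICABLE = {("meter", "meter"), ("meter", "application"),
                  ("meter reader", "meter reader"), ("application", "meter")}


def audit(channels, usage_data_sensitive):
    """Return (from, to, problems) for each channel that falls short of the table."""
    findings = []
    for ch in channels:
        pair = (ch["from"], ch["to"])
        if not set(pair) <= ELEMENTS:
            raise ValueError(f"unknown element in {pair}")
        if pair in NOT_APPLICABLE:
            findings.append((*pair, ["channel marked N/A"]))
            continue
        if pair not in REQUIRED:
            continue            # '##' cell: outside RTFM scope, not judged here
        needed = set(REQUIRED[pair])
        if usage_data_sensitive and pair in CONFID_OPTIONAL:
            needed.add(CONFID)
        missing = sorted(needed - set(ch["services"]))
        if missing:
            findings.append((*pair, missing))
    return findings


# Constructed deployment descriptions (not from the RFC).
WEAK = [
    {"from": "meter", "to": "meter reader", "services": {AUTH, ACC}},
    {"from": "manager", "to": "meter", "services": {AUTH}},
    {"from": "meter", "to": "meter", "services": set()},
    {"from": "application", "to": "manager", "services": set()},
]
HARDENED = [
    {"from": "meter", "to": "meter reader", "services": {AUTH, ACC, INTEG, CONFID}},
    {"from": "manager", "to": "meter", "services": {AUTH, ACC, INTEG}},
    {"from": "meter reader", "to": "meter", "services": {AUTH, ACC}},
]

if __name__ == "__main__":
    for name, deployment in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(deployment, usage_data_sensitive=True))
```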

8 IANA Considerations

The RTFM Architecture, as set out in this document, has two sets of assigned numbers. Considerations for assigning them are discussed in this section, using the example policies as set out in the "Guidelines for IANA Considerations" document [IANA-RFC].

8.1 PME Opcodes

The Pattern Matching Engine (PME) is a virtual machine, executing RTFM rules as its instructions. The PME opcodes appear in the 'action' field of an RTFM rule. The current list of opcodes, and their values for the PME's 'goto' and 'test' flags, are set out in section 4.4 above ("Rules and Rulesets").

The PME opcodes are pivotal to the RTFM architecture, since they must be implemented in every RTFM meter. Any new opcodes must therefore be allocated through an IETF Consensus action [IANA-RFC].

Opcodes are simply non-negative integers, but new opcodes should be allocated sequentially so as to keep the total opcode range as small as possible.

8.2 RTFM Attributes

Attribute numbers in the range of 0-511 are globally unique and are allocated according to an IETF Consensus action [IANA-RFC]. Appendix C of this document allocates a basic (i.e. useful minimum) set of attributes; they are assigned numbers in the range 0 to 63. The RTFM working group is working on an extended set of attributes, which will have numbers in the range 64 to 127.

Vendor-specific attribute numbers are in the range 512-1023, and will be allocated using the First Come First Served policy [IANA-RFC]. Vendors requiring attribute numbers should submit a request to IANA giving the attribute names: IANA will allocate them the next available numbers.

Attribute numbers 1024 and higher are Reserved for Private Use [IANA-RFC]. Implementors wishing to experiment with further new attributes should use attribute numbers in this range.

Attribute numbers are simply non-negative integers. When writing specifications for attributes, implementors must give sufficient detail for the new attributes to be easily added to the RTFM Meter MIB [RTFM-MIB]. In particular, they must indicate whether the new attributes may be:

  - tested in an IF statement
  - saved by a SAVE statement or set by a STORE statement
  - read from an RTFM meter

(IF, SAVE and STORE are statements in the SRL Ruleset Language [RTFM-SRL]).

9 APPENDICES

9.1 Appendix A: Network Characterisation

Internet users have extraordinarily diverse requirements. Networks differ in size, speed, throughput, and processing power, among other factors. There is a range of traffic flow measurement capabilities and requirements. For traffic flow measurement purposes, the Internet may be viewed as a continuum which changes in character as traffic passes through the following representative levels:

           International                    |
           Backbones/National        ---------------
                                    /               \
           Regional/MidLevel     ----------   ----------
                                /     \    \ /    /     \
           Stub/Enterprise     ---   ---   ---   ----   ----
                               |||   |||   |||   ||||   ||||
           End-Systems/Hosts   xxx   xxx   xxx   xxxx   xxxx
        

Note that mesh architectures can also be built out of these components, and that these are merely descriptive terms. The nature of a single network may encompass any or all of the descriptions below, although some networks can be clearly identified as a single type.

BACKBONE networks are typically bulk carriers that connect other networks. Individual hosts (with the exception of network management devices and backbone service hosts) typically are not directly connected to backbones.

REGIONAL networks are closely related to backbones, and differ only in size, the number of networks connected via each port, and geographical coverage. Regionals may have directly connected hosts, acting as hybrid backbone/stub networks. A regional network is a SUBSCRIBER to the backbone.

STUB/ENTERPRISE networks connect hosts and local area networks. STUB/ENTERPRISE networks are SUBSCRIBERS to regional and backbone networks.

END SYSTEMS, colloquially HOSTS, are SUBSCRIBERS to any of the above networks.

Providing a uniform identification of the SUBSCRIBER in finer granularity than that of end-system (e.g. user/account) is beyond the scope of the current architecture, although an optional attribute in the traffic flow measurement record may carry system-specific 'user identification' labels so that meters can implement proprietary or non-standard schemes for the attribution of network traffic to responsible parties.

9.2 Appendix B: Recommended Traffic Flow Measurement Capabilities

Initial recommended traffic flow measurement conventions are outlined here according to the following Internet building blocks. It is important to understand what complexity reporting introduces at each network level. Whereas the hierarchy is described top-down in the previous section, reporting requirements are more easily addressed bottom-up.

      End-Systems
      Stub Networks
      Enterprise Networks
      Regional Networks
      Backbone Networks

END-SYSTEMS are currently responsible for allocating network usage to end-users, if this capability is desired. From the Internet Protocol perspective, end-systems are the finest granularity that can be identified without protocol modifications. Even if a meter violated protocol boundaries and tracked higher-level protocols, not all packets could be correctly allocated by user, and the definition of user itself varies widely from operating system to operating system (e.g. how to trace network usage back to users from shared processes).

STUB and ENTERPRISE networks will usually collect traffic data either by end-system network address or network address pair if detailed reporting is required in the local area network. If no local reporting is required, they may record usage information in the exit router to track external traffic only. (These are the only networks which routinely use attributes to perform reporting at granularities finer than end-system or intermediate-system network address.)

REGIONAL networks are intermediate networks. In some cases, subscribers will be enterprise networks, in which case the intermediate system network address is sufficient to identify the regional's immediate subscriber. In other cases, individual hosts or a disjoint group of hosts may constitute a subscriber. Then end-system network address pairs need to be tracked for those subscribers. When the source may be an aggregate entity (such as a network, or adjacent router representing traffic from a world of hosts beyond) and the destination is a singular entity (or vice versa), the meter is said to be operating as a HYBRID system.

At the regional level, if the overhead is tolerable it may be advantageous to report usage both by intermediate system network address (e.g. adjacent router address) and by end-system network address or end-system network address pair.

BACKBONE networks are the highest level networks operating at higher link speeds and traffic levels. The high volume of traffic will in most cases preclude detailed traffic flow measurement. Backbone networks will usually account for traffic by adjacent routers' network addresses.

9.3 Appendix C: List of Defined Flow Attributes

This Appendix provides a checklist of the attributes defined to date; others will be added later as the Traffic Measurement Architecture is further developed.

Note that this table gives only a very brief summary. The Meter MIB [RTFM-MIB] provides the definitive specification of attributes and their allowed values. The MIB variables which represent flow attributes have 'flowData' prepended to their names to indicate that they belong to the MIB's flowData table.

    0  Null

    4  SourceInterface          Integer    Source Address
    5  SourceAdjacentType       Integer
    6  SourceAdjacentAddress    String
    7  SourceAdjacentMask       String
    8  SourcePeerType           Integer
    9  SourcePeerAddress        String
   10  SourcePeerMask           String
   11  SourceTransType          Integer
   12  SourceTransAddress       String
   13  SourceTransMask          String

   14  DestInterface            Integer    Destination Address
   15  DestAdjacentType         Integer
   16  DestAdjacentAddress      String
   17  DestAdjacentMask         String
   18  DestPeerType             Integer
   19  DestPeerAddress          String
   20  DestPeerMask             String
   21  DestTransType            Integer
   22  DestTransAddress         String
   23  DestTransMask            String

   26  RuleSet                  Integer    Meter attribute

   27  ToOctets                 Integer    Source-to-Dest counters
   28  ToPDUs                   Integer
   29  FromOctets               Integer    Dest-to-Source counters
   30  FromPDUs                 Integer
   31  FirstTime                Timestamp  Activity times
   32  LastActiveTime           Timestamp
   33  SourceSubscriberID       String     Session attributes
   34  DestSubscriberID         String
   35  SessionID                String

   36  SourceClass              Integer    'Computed' attributes
   37  DestClass                Integer
   38  FlowClass                Integer
   39  SourceKind               Integer
   40  DestKind                 Integer
   41  FlowKind                 Integer

   50  MatchingStoD             Integer    PME variable

   51  v1                       Integer    Meter Variables
   52  v2                       Integer
   53  v3                       Integer
   54  v4                       Integer
   55  v5                       Integer

   65 .. 127                               'Extended' attributes (to be defined by the RTFM working group)

9.4 Appendix D: List of Meter Control Variables

Meter variables: Flood Mark Percentage Inactivity Timeout (seconds) Integer

仪表变量:泛洪标记百分比非活动超时(秒)整数

'per task' variables: Current Rule Set Number Integer Standby Rule Set Number Integer High Water Mark Percentage

   'per reader' variables:
      Reader Last Time              Timestamp

9.5 Appendix E: Changes Introduced Since RFC 2063

The first version of the Traffic Flow Measurement Architecture was published as RFC 2063 in January 1997. The most significant changes made since then are summarised below.

- A Traffic Meter can now run multiple rule sets concurrently. This makes a meter much more useful, and required only minimal changes to the architecture.

- 'NoMatch' replaces 'Fail' as an action. This name was agreed to at the Working Group 1996 meeting in Montreal; it better indicates that although a particular match has failed, it may be tried again with the packet's addresses reversed.

- The 'MatchingStoD' attribute has been added. This is a Packet Matching Engine (PME) attribute indicating that addresses are being matched in StoD (i.e. 'wire') order. It can be used to perform different actions when the match is retried, thereby simplifying some kinds of rule sets. It was discussed and agreed to at the San Jose meeting in 1996.

- Computed attributes (Class and Kind) may now be tested within a rule set. This lifts an unnecessary earlier restriction.

- The list of attribute numbers has been extended to define ranges for 'basic' attributes (in this document) and 'extended' attributes (currently being developed by the RTFM Working Group).

- The 'Security Considerations' section has been completely rewritten. It provides an evaluation of traffic measurement security risks and their countermeasures.

10 Acknowledgments

An initial draft of this document was produced under the auspices of the IETF's Internet Accounting Working Group with assistance from SNMP, RMON and SAAG working groups. Particular thanks are due to Stephen Stibler (IBM Research) for his patient and careful comments during the preparation of this memo.

11 References

[802-3] IEEE 802.3/ISO 8802-3 Information Processing Systems - Local Area Networks - Part 3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications, 2nd edition, September 21, 1990.

[ACT-BKG] Mills, C., Hirsch, G. and G. Ruth, "Internet Accounting Background", RFC 1272, November 1991.

[IANA-RFC] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

[IPPM-FRM] Paxson, V., Almes, G., Mahdavi, J. and M. Mathis, "Framework for IP Performance Metrics", RFC 2330, May 1998.

[OSI-ACT] International Standards Organisation (ISO), "Management Framework", Part 4 of Information Processing Systems Open Systems Interconnection Basic Reference Model, ISO 7498-4, 1994.

[RTFM-MIB] Brownlee, N., "Traffic Flow Measurement: Meter MIB", RFC 2720, October 1999.

[RTFM-NEW] Handelman, S., Stibler, S., Brownlee, N. and G. Ruth, "RTFM: New Attributes for Traffic Flow Measurement", RFC 2724, October 1999.

[RTFM-SRL] Brownlee, N., "SRL: A Language for Describing Traffic Flows and Specifying Actions for Flow Groups", RFC 2723, October 1999.

12 Authors' Addresses

   Nevil Brownlee
   Information Technology Systems & Services
   The University of Auckland
   Private Bag 92-019
   Auckland, New Zealand

   Phone: +64 9 373 7599 x8941
   EMail: n.brownlee@auckland.ac.nz
        

   Cyndi Mills
   GTE Laboratories, Inc
   40 Sylvan Rd.
   Waltham, MA 02451, U.S.A.

   Phone: +1 781 466 4278
   EMail: cmills@gte.com
        

   Greg Ruth
   GTE Internetworking
   3 Van de Graaff Drive
   P.O. Box 3073
   Burlington, MA 01803, U.S.A.

   Phone: +1 781 262 4831
   EMail: gruth@bbn.com
        

13 Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
