Packet Sampling for Flow Accounting: Challenges and Limitations

We investigate the applicability of packet sampling techniques to flow-based accounting. First we show by theoretical considerations how the achievable accuracy depends on sampling techniques, parameters and traffic characteristics. Then we investigate em

  • PDF / 315,548 Bytes
  • 11 Pages / 430 x 660 pts Page_size
  • 76 Downloads / 274 Views

DOWNLOAD

REPORT


Fraunhofer Institute FOKUS, Kaiserin-Augusta-Allee 31, 10589 Berlin, Germany {Tanja.Zseby,Thomas.Hirsch}@fokus.fraunhofer.de 2 Cisco Systems, De Kleetlaan 6a b, 1831 Diegem, Belgium [email protected]

Abstract. We investigate the applicability of packet sampling techniques to flow-based accounting. First we show by theoretical considerations how the achievable accuracy depends on sampling techniques, parameters and traffic characteristics. Then we investigate empirically which accuracy is achieved with typical flow characteristics by experiments with real traffic traces from three different networks. In a third step we illustrate how to support samplingbased accounting by providing an accuracy statement together with the measured data. We show which information is required for this and how an accuracy assessment can be approximated from information available after the sampling process using information elements of the IP flow information export protocol (IPFIX). Keywords: packet sampling, accounting, IPFIX.

1 Introduction Sampling aims at the reduction of measurement costs by estimating the metric of interest from a subset of data. It is important that the extent of potential estimation errors can be evaluated, especially if measurement results map to monetary values as it is the case for accounting. The achievable accuracy usually depends on characteristics of the population, i.e., in our case the traffic in the network. Since network traffic is extremely dynamic providing an up-to-date accuracy assessment is not trivial. It must be derived from the limited information available after the sampling process. It has to be calculated per flow and updated continuously. Basic packet selection methods are currently standardized in the IETF PSAMP group [6]. A flow sampling scheme for accounting is introduced in [1]. Sample and Hold [2], Shared-state Sampling (S3) [3], and the Runs bAsed Traffic Estimator (RATE) [4] propose packet sampling methods that bias the selection process towards large flows in order to reduce resource consumption for flow caching and flow record transfer. This makes sense for accounting because in typical flow distributions a few large flows contribute to the majority to the overall traffic volume (e.g. [1]). Nevertheless, all those approaches require the classification of packets into flows before or during the sampling process. In contrast to this we investigate the effects of packet sampling that is applied before flow classification, so that only selected M. Claypool and S. Uhlig (Eds.): PAM 2008, LNCS 4979, pp. 61–71, 2008. © Springer-Verlag Berlin Heidelberg 2008

62

T. Zseby, T. Hirsch, and B. Claise

packets need to be classified, which significantly reduces workload on routers [5]. We compare the achievable accuracy for basic PSAMP schemes and a stratified method used in Cisco NetFlow to accounting requirements. We show how the accuracy can be approximated from available information, using IPFIX information elements [11].

2 Flow Accounting Requirements The accuracy of an estimate is as