[ovs-discuss] OVS NetFlow export - is there passive timeout?

Martin Vizvary vizvary at ics.muni.cz
Mon Nov 10 08:22:03 UTC 2014


Hi,

thank you (Motonori and Peter) for your suggestions about sFlow. I am
familiar with the sFlow idea, however our whole infrastructure and most
intrusion detection methods are based on NetFlow/IPFIX. That's why I am
more interested in the NetFlow implementation.

@Ben - Now, I do understand the implementation and why there is such a
short passive timeout. Are there any performance tests about the impact
of the number of records in the datapath flow table?

Best regards,

Martin

On 11/06/2014 04:32 PM, Peter Phaal wrote:
> Martin,
> 
> One way to understand the difference between sFlow and NetFlow
> monitoring is to view them as different stages in the measurement
> pipeline. With NetFlow the flow cache exists on the switch and with
> sFlow the flow cache is external. 
> 
> With an external flow cache, you can choose your own flow expiration
> settings and flow keys, you are not limited by the options implemented
> by the on switch flow cache:
> 
> http://blog.sflow.com/2013/08/restflow.html
> 
> Regards,
> Peter
> 
> 
>> On Nov 6, 2014, at 2:26 AM, Motonori Shindo <motonori at shin.do> wrote:
>>
>> Martin,
>>
>> NetFlow on OVS can potentially generate more flow records than usual
>> router/switch-based exporters because of a relatively short “inactive”
>> timeout (1.5s in my understanding). Depending on the collector of your
>> choice, it may be worth considering using sFlow instead because it
>> can give information beyond the L4 header, so it can give more context to
>> the IDS.
>>
>> Regards,
>>
>> Motonori Shindo
>>
>> 2014/11/06 19:04、Martin Vizvary <vizvary at ics.muni.cz
>> <mailto:vizvary at ics.muni.cz>> のメール:
>>
>>>
>>>
>>> On 11/05/2014 05:16 PM, Ben Pfaff wrote:
>>>> On Wed, Nov 05, 2014 at 04:59:30PM +0100, Martin Vizvary wrote:
>>>>> does anybody know if and how the passive timeout for flow
>>>>> expiration is implemented?
>>>>>
>>>>> I was playing around with it, but you can configure only the active
>>>>> timeout.
>>>>> (the passive timeout is approximately 1s - I guess it is connected with
>>>>> the next_timeout cycle only...)
>>>>
>>>> The passive timeout triggers at the same time that OVS removes a flow
>>>> from the datapath.  That is managed internally to OVS mainly to ensure a
>>>> good balance between performance, CPU usage, and memory usage.  It's
>>>> probably not a good idea to try to adjust it just to change the NetFlow
>>>> passive timeout.
>>>>
>>>
>>> Thank you for the fast response. Well, I know it will have an impact on OVS
>>> performance, however it is not a good idea to use network flows with a 1s
>>> timeout (current NetFlow probes use 30s/60s). Every request that takes
>>> longer than 2s will be divided into two flow records. Every service with
>>> a keep-alive longer than the 1-2s timeout will be divided into several flow
>>> records, etc.
>>>
>>> It will end with a huge amount of network flows in real networks. Also,
>>> divided flows will be useless for current Intrusion Detection Systems...
>>>
>>> Did you measure the impact of longer timeouts on OVS performance?
>>>
>>> Martin
>>>
>>> -- 
>>> Mgr. Martin Vizvary                                 vizvary at ics.muni.cz
>>> Security Department, CSIRT-MU group                http://csirt.muni.cz
>>> Institute of Computer Science, Masaryk University, Brno, Czech Republic
>>> PGP Key ID: 0xF2D9925F
>>>
>>> _______________________________________________
>>> discuss mailing list
>>> discuss at openvswitch.org
>>> http://openvswitch.org/mailman/listinfo/discuss
>>
> 

-- 
Mgr. Martin Vizvary                                 vizvary at ics.muni.cz
Security Department, CSIRT-MU group                http://csirt.muni.cz
Institute of Computer Science, Masaryk University, Brno, Czech Republic
PGP Key ID: 0xF2D9925F
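The thread's central point is that a flow cache with a 1.5 s inactive (passive) timeout turns one keep-alive connection into many NetFlow records, while a 30 s timeout would keep it as one record. The simulation below is an added example written for this page; it is not OVS code and not code from anyone in the thread. It assumes a simple cache that expires entries on inactivity and on an active timeout, and it runs over a constructed packet trace (a five-request HTTP keep-alive session, one DNS exchange, and a steady bulk transfer). The names `Packet`, `Record`, `export_records`, `constructed_trace` and `count_records` are hypothetical.

```python
"""Toy NetFlow-style flow cache (added example, not OVS code) showing how the
inactive timeout fragments long-lived connections into multiple records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # arrival time in seconds
    key: tuple   # flow key: (src, dst, proto, sport, dport)
    size: int    # bytes on the wire


@dataclass
class Record:
    key: tuple
    start: float
    end: float
    packets: int
    octets: int


def export_records(packets, inactive_timeout, active_timeout):
    """Return the flow records a cache with the given timeouts would export.

    inactive_timeout: export an entry once no packet has matched it for this long.
    active_timeout:   export and restart an entry that has lived this long, so a
                      long transfer still produces periodic records.
    """
    cache = {}   # key -> Record currently being built
    out = []
    for p in sorted(packets, key=lambda pk: pk.ts):
        # 1. Inactive expiry, evaluated as time advances to this packet.
        idle = [k for k, r in cache.items() if p.ts - r.end > inactive_timeout]
        for k in idle:
            out.append(cache.pop(k))
        rec = cache.get(p.key)
        # 2. Active expiry: close the long-lived entry and start a fresh one.
        if rec is not None and p.ts - rec.start >= active_timeout:
            out.append(cache.pop(p.key))
            rec = None
        if rec is None:
            cache[p.key] = Record(p.key, p.ts, p.ts, 1, p.size)
        else:
            rec.end = p.ts
            rec.packets += 1
            rec.octets += p.size
    # 3. Whatever is still cached is exported when the exporter stops.
    out.extend(cache.values())
    return out


def constructed_trace():
    """Constructed sample traffic (not captured data)."""
    web = ("10.0.0.5", "10.0.0.80", 6, 40001, 80)
    dns = ("10.0.0.5", "10.0.0.53", 17, 40002, 53)
    bulk = ("10.0.0.5", "10.0.0.90", 6, 40003, 443)
    pkts = []
    # HTTP keep-alive session: five request/response pairs 2.5 s apart.
    for i in range(5):
        pkts.append(Packet(i * 2.5, web, 100))
        pkts.append(Packet(i * 2.5 + 0.1, web, 1000))
    # One DNS query and its answer.
    pkts += [Packet(1.0, dns, 60), Packet(1.05, dns, 120)]
    # Steady bulk transfer: one packet every 0.5 s for 130 s.
    pkts += [Packet(k * 0.5, bulk, 1400) for k in range(261)]
    return pkts


def count_records(inactive_timeout, active_timeout=60.0):
    """Number of exported records per destination port under the given timeouts."""
    counts = {}
    for r in export_records(constructed_trace(), inactive_timeout, active_timeout):
        port = r.key[4]
        counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    for t in (1.5, 30.0):
        print(f"inactive timeout {t:>4}s -> records per dst port: {count_records(t)}")
```

With the 1.5 s inactive timeout the keep-alive session (port 80) is exported as five separate records, one per request; with 30 s it is a single record covering all ten packets. The bulk transfer is split by the 60 s active timeout in both cases, which is the periodic reporting a collector expects, not the fragmentation the thread complains about.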
