The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, the approaches described in this section may not be prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
A variety of flow monitoring tools currently exist to monitor the flow of packets in networks. Flow monitoring tools provide valuable information that can be used in a variety of ways. For example, flow monitoring tools may be used to perform network traffic engineering and to provide network security services, e.g., to detect and address denial of service attacks. As yet another example, flow monitoring tools can be used to support usage-based network billing services.
Flow monitoring tools are conventionally implemented as flow monitoring processes executing on a network element, such as a router. The flow monitoring processes are configured to examine and classify packets passing through a particular point in a network. The flow monitoring processes are also configured to generate flow statistical data that indicates, for example, the number of packets in each flow, the number of bytes in each flow and the protocol of each flow.
There are several definitions of the term “flow” being used by the Internet community. Within the context of Internet Protocol Information eXport (IPFIX), a flow is defined as a set of IP packets passing an observation point in the network during a certain time interval. All packets belonging to a particular flow share a set of common properties. Each property is defined as the result of applying a function to the values of: (1) one or more packet header fields (e.g. destination IP address), transport header fields (e.g. destination port number), or application header fields (e.g. RTP header fields); (2) one or more characteristics of the packet itself (e.g. number of MPLS labels, etc.); or (3) one or more fields derived from packet treatment (e.g. next hop IP address, the output interface, etc.). A packet belongs to a flow if the packet completely satisfies all the defined properties of the flow. This definition covers the range from a flow containing all packets observed at a network interface to a flow consisting of just a single packet between two applications. It includes packets selected by a sampling mechanism.
One of the issues with flow monitoring tools is how to manage the flow statistical data that they generate. Flow monitoring tools can generate large amounts of flow statistical data, particularly in networks with high traffic volume. Flow monitoring processes typically export all of their flow statistical data to a flow collector that aggregates the flow statistical data. This approach can consume a significant amount of computational resources at network elements where the flow monitoring processes are executing, particularly for networks with heavy traffic. Furthermore, the amount of flow statistical data can be so large that exporting the flow statistical data causes additional congestion on network links. This occurs in spite of the fact that consuming processes may be interested in only a subset of the available flow statistical data, so much of the flow statistical data may not be used. Various approaches have been implemented to standardize the export of flow statistical data, for example, through the use of a common transport mechanism, to facilitate services such as network management, accounting and billing. None of these approaches adequately address the problem of how to regulate the export of flow statistical data to control the consumption of resources and reduce network congestion. Based on the foregoing, there is a need for an approach for managing network flow statistical data that does not suffer from limitations of prior approaches.