CN102124698B - System and method for exporting structured data in a network management environment - Google Patents

Publication number: CN102124698B
Authority: CN (China)
Legal status: Active
Application number: CN201080001236.7A
Other languages: Chinese (zh)
Other versions: CN102124698A
Inventors: 保罗·J·艾特肯, 班诺特·克莱斯, 戈瑞·德翰达帕尼, 金志浦, 纳贾拉杰·瓦腊哈瑞詹, 斯坦福·L·耶茨
Current Assignee: Cisco Technology Inc
Original Assignee: Cisco Technology Inc
Priority claimed from: US12/465,707 (US8125920B2)

Abstract

An apparatus is provided in one example embodiment and includes a network element configured to receive a plurality of packets. The network element is configured to couple to a module, the module being configured to generate a data record that is based on information associated with the packets and capable of being interpreted according to a template in which multiple information elements can be positioned to create a hierarchical relationship within structured data. The structured data further includes references to the information elements. The network element further includes an export module configured to export the data record to a next destination.

Description

System and method for exporting structured data in a network management environment
Priority claim
This application claims priority under 35 U.S.C. § 119 to the provisional application entitled EXPORT OF STRUCTURED DATA, Serial No. 61/157,336, filed on March 4, 2009, which is incorporated herein by reference in its entirety.
Technical field
The disclosure relates generally to the field of communications and, more specifically, to exporting structured data in a network environment.
Background
Network architectures in communication environments are becoming increasingly complex. In addition, growth in the number of clients or end users wishing to communicate in a network environment has led many network configurations and systems to respond by adding elements to accommodate the increase in network traffic. The growth in network traffic and end users has created even more data to be routed, managed and analyzed. In some cases, data records containing information about traffic can be exported from one point to another. These records can be used for various purposes. As the complexity and heterogeneity of the data grow, exporting this information optimally poses a significant challenge.
Brief description of the drawings
To provide a more complete understanding of example embodiments of the present invention and their features and advantages, reference is made to the following description, taken in conjunction with the accompanying drawings, in which like reference numerals represent like parts, and in which:
Fig. 1 is a simplified communication system for exporting structured and repeated data according to an example embodiment;
Fig. 2 is an example schematic diagram of an embodiment of a basicList (basic list) information element encoding;
Fig. 3 is an example schematic diagram of an embodiment of a basicList encoding with an enterprise number;
Fig. 4 is an example schematic diagram of an embodiment of a variable-length basicList information element encoding (length < 255 octets);
Fig. 5 is an example schematic diagram of an embodiment of a variable-length basicList information element encoding with a length of 0-65535 octets;
Fig. 6 is an example schematic diagram of an embodiment of a subTemplateList (subtemplate list) encoding;
Fig. 7 is an example schematic diagram of an embodiment of a variable-length subTemplateList information element with a length < 255 octets;
Fig. 8 is an example schematic diagram of an embodiment of a variable-length subTemplateList information element encoding with a length of 0-65535 octets;
Fig. 9 is an example schematic diagram of an embodiment of a subTemplateMultiList (subtemplate multi-list) encoding;
Figure 10 is an example schematic diagram of an embodiment of a variable-length subTemplateMultiList information element;
Figure 11 is an example schematic diagram of an embodiment of a variable-length subTemplateMultiList information element;
Figure 12 is an example schematic diagram of an embodiment of encoding a basicList template record;
Figure 13 is an example schematic diagram of an embodiment of encoding a basicList data record;
Figure 14 is an example schematic diagram of an embodiment of encoding a subTemplateList template for targets;
Figure 15 is an example schematic diagram of an embodiment of encoding a subTemplateList template for attackers;
Figure 16 is an example schematic diagram of an embodiment of encoding a subTemplateList template for participants;
Figure 17 is an example schematic diagram of an embodiment of encoding a subTemplateList template for alerts;
Figure 18 is an example schematic diagram of an embodiment of encoding a subTemplateList data set;
Figure 19 is an example schematic diagram of an embodiment of encoding a subTemplateMultiList template for targets;
Figure 20 is an example schematic diagram of an embodiment of encoding a subTemplateMultiList template for attackers;
Figure 21 is an example schematic diagram of an embodiment of encoding a subTemplateMultiList template for participants;
Figure 22 is an example schematic diagram of an embodiment of encoding a subTemplateMultiList template for alerts; and
Figure 23 is an example schematic diagram of an embodiment of encoding a subTemplateMultiList data set.
Detailed description
Overview
In one example embodiment, an apparatus is provided that includes a network element configured to receive a plurality of packets. The network element is configured to couple to a module, and the module is configured to generate a data record based on information associated with the packets. The data record can be interpreted according to a template in which multiple information elements can be positioned to create a hierarchical relationship within structured data. The structured data also includes references to the information elements. The network element further includes an export module configured to export the data record to a network management station.
Turning to Fig. 1, Fig. 1 is a simplified communication system 10 for exporting structured and repeated data according to an example embodiment. Communication system 10 can include a set of network devices 12a-12c, a managed network 14, the Internet 16, and a network management station 18, which can include a collector module 24 and can be coupled to a database 22. Each network device 12a-12c can include an IP Flow Information Export (IPFIX) logic module 32, a NetFlow/IPFIX template module 34 (which can include structured data information elements 36 that can also appear in data records), a flow record collection element 38, and an operating system 42, which can include a processor 44 and a memory element 46. In a similar fashion, network management station 18 can include an operating system 43, a processor 45 and a memory element 47.
Each element in Fig. 1 can be coupled to the others through simple interfaces or through any other suitable connection (wired or wireless) that provides a viable path for network communication. In addition, based on particular configuration needs, any one or more of these elements can be combined or removed from the architecture. Fig. 1 includes multiple network devices 12a-12c coupled to managed network 14. Note that the numerical and letter designations assigned to the network devices do not imply any type of hierarchy; the designations are arbitrary and are used for teaching purposes only. These designations should not be construed in any way to limit their capabilities, functions or applications in the potential environments that may benefit from the features of communication system 10. Communication system 10 can include a configuration capable of Transmission Control Protocol/Internet Protocol (TCP/IP) communication for sending or receiving packets in a network. Where appropriate and based on particular needs, communication system 10 can also operate in conjunction with User Datagram Protocol/IP (UDP/IP) or any other suitable protocol or tunneling technique.
In an example embodiment, a method is defined in communication system 10 that provides an extension of the IPFIX information model specified in the IPFIX protocol specifications given in RFC5101 and RFC5102, in order to support hierarchical structured data in data records and lists (sequences) of information elements. This extension makes it possible to define complex data structures such as variable-length lists and, further, to specify hierarchical containment relationships between templates. IPFIX provides a protocol based on NetFlow (as defined in RFC3954). An IPFIX (or NetFlow) Exporting Process can export data records. Although IPFIX was originally developed for exporting flow information, it can be used to export data of any kind. A data record can contain one or more attributes, each corresponding to an information element. The IPFIX information model provides the basic set of information elements for IPFIX. For each information element, the information model defines a numeric identifier, an abstract data type, an encoding mechanism for the data type, and any semantic constraints. Currently, only basic single-valued data types are supported (for example, numbers, strings and network addresses).
Currently, hierarchical structured data, and lists (sequences) of such data, cannot be encoded as fields in IPFIX and NetFlow records. As currently defined, a data record in IPFIX is a "flat" list of single-valued attributes. NetFlow and IPFIX typically export "flat" data records. This mechanism has been sufficient for the requirements to date. However, a range of new network management applications may ask for structured data to be exported in NetFlow and IPFIX. One example is exporting repeated and/or variable data from a router or firewall device (i.e., some network security element). Communication system 10 can readily satisfy this request, as detailed here.
The example embodiments presented provide enhanced data modeling that allows complex hierarchies of data types to be composed. More specifically, an extension of IPFIX and NetFlow is provided to support hierarchical structured data in data records and variable-length lists (sequences) of information elements. In an example embodiment, the system can define templates that represent structured hierarchical relationships. The template mechanism for representing "flat" data is defined in RFC5101/5102; part of the innovation presented is applying this existing template mechanism to represent structured data.
In one example, a hierarchical data structure can be defined to any depth. It can be exported from a network device (for example, via IPFIX export logic module 32) to a receiving end (for example, network management station 18), which can then interpret the data records according to the templates and provide various reports, statistical analyses, diagnostic assessments and the like. Templates can be sent ahead of the data records, and these templates can have structured data as information elements. The data records containing structured data are sent subsequently, and these data records can be interpreted according to the templates. The extension provides an encapsulation mechanism for the data collected by the network device. Note that, as used in this specification, the term "export" means any type of transmission activity from one node to another in the context of the data communications outlined here.
Turning to the operational capabilities of the elements of Fig. 1, network device 12a can be any type of network element that receives packets. It continually establishes flows and generates records associated with the data passing through it. Network device 12a can collect information related to these packets (for example, via flow record collection element 38) and then encode the data in the formats described here. Note that collection can be spatial (collecting data records observed from multiple observation points) or temporal (collecting data records observed at different points in time). This information can be collected and sent to network management station 18, which can receive it and process it. This can involve IPFIX export logic module 32, NetFlow/IPFIX template module 34 and structured data information elements 36, which can assist in these operations.
Network management station 18 can take this information and compile statistics or create reports that highlight significant issues associated with the data propagating through the network devices. The raw data can in fact be used for any type of reporting application, performance evaluation, troubleshooting activity and so on that occurs in the network. The raw data can be anything related to the data associated with a particular network device, or it can relate to other components in the network about which the sending network device has some knowledge.
In one example implementation, network device 12a and network management station 18 include elements (for example, software) that facilitate the extension outlined here. Network device 12a can include the ability to form hierarchical data and export this information (for example, via templates), where the data can be received and processed by elements residing in network management station 18. In this scenario, the two devices provide symmetric, complementary operations, in which the data sent by network device 12a can be effectively understood and processed by network management station 18 (for example, by collector module 24).
The extension discussed here can have particular value in activities associated with telemetry, which allows information to be measured remotely and reported to a system designer or network operator. Other applications can include packet routing, intrusion detection and security, load balancing, deep packet inspection, network address translation (NAT-ing), label switching (for example, in the context of MPLS activity), and any other scenario in which these metrics would be valuable.
It should be noted that a given network device can use any one or more of the information elements defined here. Any of these structured data elements can be leveraged to best deliver information to network management station 18 or to any other destination seeking this information. The new data types presented here are generic in that they can be used in a variety of ways. The transport mechanism provided can be applied by a given network device in any manner that suits its particular reporting needs.
These activities offer multiple advantages. For example, such operations provide a transparent way to export information. By comparison, if someone wished to export such metric-related information for a specific flow over a simple one-minute interval, 60 flow records would have to be created and exported. If that happened, a very large share of the available bandwidth between network device 12a and network management station 18 would be consumed. In contrast, the concepts presented here can effectively pool these metrics into a single flow record for a discrete transmission. Both the protocol, extended to optimize the transmission associated with flow records, and the hierarchical information elements deliver richer and more comprehensive information in a single transmission.
Consider an example involving a typical router scenario in a network. Commonly, a router is asked to collect certain performance metrics related to flow records. In an example embodiment, IPFIX can be used for this purpose, because it can classify packets into flow records based on certain fields. Metrics can also be collected on a regular basis. For example, a metric can be collected for "average packet size" over a fixed time interval. Another example could involve packet delay, or indeed any other parameter for which statistics are sought. This information can be collected, and a decision can be made about how to report it. For example, every minute a single data record can be sent, and this data record can contain the packet-related information and a list of metrics. This can readily be exported to, for example, network management station 18, where the structured data will be interpreted.
For example, for a 5-tuple model, the following can be arranged in the data: source and destination IP addresses, protocol, source and destination port numbers, the packet and byte counters conveyed, and a list of information elements. The first segment of the flow can be timestamped, and the second segment can refer to the metrics. The NetFlow/IPFIX protocol can be used in its traditional manner, so that templates can be exported to network management station 18 (or, more specifically, to collector module 24), which will know from the templates discussed here how to decode the information (in particular, how to interpret the flow records). In one example implementation, collector module 24 resides in network management station 18, but it can alternatively be located elsewhere in the network.
Another example implementation of communication system 10 relates to security. An IPS (intrusion prevention system) alert data structure can include multiple participants. Each participant can include multiple attackers and multiple targets, and each target is potentially made up of multiple applications. The intrusion prevention system alert (IPSAlert) data structure can include: participant (Participant), attacker (Attacker), target (Target) and AppID (application ID). Each participant can have multiple attackers, multiple targets and multiple AppIDs. Another example relates to a mediation function. A top-level Collecting Process can request video data records from Collecting Processes in the network. Each collector module or collector element (or any other type of export module) can export a structure containing the following: routers, line cards and data records about video. Each router can have multiple line cards, and each line card can in turn have multiple data records about video.
The example embodiments presented here provide an IPFIX extension that supports hierarchical structured data and variable-length lists by defining three new information elements and three corresponding new abstract data types, called basicList (basic list), subTemplateList (subtemplate list) and subTemplateMultiList (subtemplate multi-list). A basic list represents a list of zero or more instances of any single information element, mainly of a single-valued data type (for example, a list of port numbers, a list of interface indexes, and so on). A subtemplate list represents a list of zero or more instances of structured data, where the data type of each list element is the same and corresponds to a single template record (for example, structured data made up of multiple pairs of IP addresses). A subtemplate multi-list represents a list of zero or more instances of structured data, where the data types of the list elements can differ and correspond to different template definitions (for example, structured data made up of multiple access list entries, where the entries can be composed of different types of criteria). These information elements can vary significantly, or can be modified for specific scenarios, without departing from the broad scope of the concepts presented here. They are described in further detail below with reference to specific figures.
Turning to the infrastructure of Fig. 1, a brief overview of network device 12a is provided for simplicity, but the internal elements of 12a can be replicated in the other network devices. As used in this specification, network device 12a and network management station 18 are "network elements" that can exchange data in a network environment. Network management station 18 and network device 12a can initiate or facilitate any type of data exchange in communication system 10. As used in this document, data refers to any type of information element: video, numeric, audio or script data, or any type of source or object code, or any other suitable information in any appropriate format that can be transferred from one point to another. Accordingly, network device 12a and network management station 18 can be any network element, dedicated appliance, switch, server, router, gateway, firewall, bridge or load balancer, or any other suitable device, network appliance, component, element or object operable to exchange or process information in a network environment. In addition, network device 12a and network management station 18 can include any suitable hardware, software, components, modules, interfaces or objects that facilitate their operation. This can include suitable algorithms and communication protocols that allow data or information to be sent and coordinated effectively.
Network device 12a and network management station 18 can be equipped with suitable software to perform the extension operations described in the example embodiments of this disclosure. Memory elements (for example, memory elements 46, 47) and processors, which facilitate the operations outlined, can be included in these devices, provided to them externally, or incorporated in any suitable manner. The processors (for example, processors 44, 45) can readily execute the code (software) for carrying out the activities described.
The memory elements mentioned above can store information referenced by network device 12a and network management station 18. As used in this document, the term "memory element" includes any suitable database (for example, database 22) or storage medium (provided in any appropriate format) that can maintain information related to the coordination and/or operation of network device 12a and network management station 18. For example, a memory element can store such information in an electronic register, chart, record, index, list or queue. Alternatively, based on particular needs, a memory element can keep such information in any suitable random access memory (RAM), read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable PROM (EEPROM), application-specific integrated circuit (ASIC), software, hardware, or any other suitable component, device, element or object.
As noted earlier, in one example implementation, network device 12a and network management station 18 include software to carry out the extension operations outlined in this document. This can include software to help coordinate the extension activities described here (for example, reciprocating software, or software that assists in sending and receiving signals, processing signals, requesting signals and so on). In other embodiments, this processing and/or coordination feature can be provided to these devices externally, or included in some other device, to achieve the intended functionality.
Turning to more specific details relating to templates and structured data information elements, Figs. 2-23 illustrate example embodiments of some of the activities associated with communication system 10. For teaching purposes, and to further explain some of the operational capabilities of the proposed architecture, a brief overview of IPFIX is provided. The IPFIX protocol provides network administrators with access to IP flow information. Based on the requirements defined in RFC3917, the IPFIX architecture defines the architecture for exporting measured IP flow information (from an IPFIX Exporting Process to a Collecting Process). The IPFIX architecture [RFC5470] specifies how IPFIX data records and templates are carried from an IPFIX Exporting Process to an IPFIX Collecting Process over a congestion-aware transport protocol. IPFIX has a formal description of the IPFIX information elements, with their names, types and other semantic information, as defined in the IPFIX information model.
Regarding the relationship between IPFIX and the Packet Sampling protocol (PSAMP), the IPFIX protocol [RFC5476] specifies the export of packet information from a PSAMP Exporting Process to a PSAMP Collecting Process. Like IPFIX, PSAMP has a formal description of its information elements, with their names, types and other semantic information. The PSAMP information model is defined in [RFC5477]. Because the PSAMP information specification is based on the IPFIX protocol specification, the specification in this document is also valid for the PSAMP protocol. One difference between IPFIX and PSAMP is that the IPFIX protocol exports flow records, while the PSAMP protocol exports packet reports. From a pure export perspective, IPFIX does not distinguish a flow record made up of several packets pooled together from a flow record made up of a single packet. A PSAMP export can therefore be regarded as a special IPFIX flow record containing information about a single packet. In the terminology used here, a structured data information element is one of the information elements that support structured data (i.e., basicList, subTemplateList or subTemplateMultiList).
The example embodiments presented here specify a protocol for exporting structured data (some of which may relate to IP flow information). The IPFIX protocol is designed to export information about IP traffic flows and the related measurement data, where a flow can be defined by a set of key attributes (for example, source and destination IP addresses, source and destination ports, and so on). The IPFIX protocol specifies that IP flow measurements are exported using a TLV (type, length, value) format. The information is exported using template records, which are sent once to export the {type, length} pairs that define the data format of the information elements in a flow. Data records specify the values for each flow.
Based on the guidelines for IPFIX, the IPFIX protocol is optimized for exporting flow-related information. However, because of its template mechanism, the IPFIX protocol can export information of any type, as long as the relevant information elements are specified in the IPFIX information model, registered with the Internet Assigned Numbers Authority (IANA), or specified as enterprise-specific information elements. In an example embodiment, for each information element, the IPFIX information model defines a numeric identifier, an abstract data type, an encoding mechanism for the data type, and any semantic constraints.
Regarding abstract data types, it is important to note that, although the information elements and abstract data types defined in the IPFIX information model represent single values, the new abstract data types described here are structured in nature and mainly contain references to other information elements and templates. By referencing other information elements and templates from the data content of an information element, complex data structures such as variable-length lists can be defined and hierarchical containment relationships between templates can be specified. Throughout the description below, the more general term "data record" (which can contain any data) is used in preference to the more specific term "flow record".
IPFIX has some current limitations. Consider the example scenario of an IPS alert data structure that includes multiple participants, where each participant includes multiple attackers and multiple targets, and each target is potentially made up of multiple applications, as shown below:
alert
    signatureId
    protocolIdentifier
    riskRating
    participant 1
        attacker 1
            sourceIPv4Address
            applicationId
        attacker N
            sourceIPv4Address
            applicationId
        target 1
            destinationIPv4Address
            applicationId 1
            applicationId n
        target N
            destinationIPv4Address
            applicationId 1
            applicationId n
    participant 2
To export this information in IPFIX, the data must be flattened (losing the hierarchical relationship), and a new IPFIX template must be created for each alert according to the number of applicationId elements in each target, the number of targets and attackers in each participant, and the number of participants in each alert. Each template is unique to its alert, and creating, exporting, maintaining and retrieving the templates consumes a large amount of CPU, memory and export bandwidth.
To address these shortcomings (and others), three new abstract data types according to one example implementation are outlined here. Consistent with the information model as in the IPFIX protocol specification, the new information elements can be sent in canonical format in network byte order (also known as big-endian byte order).
The description below helps define the encoding of the data types mentioned above. When the encoding of a structured data information element has a fixed length (for example, because it contains the same number of fixed-length elements, or because the arrangement of elements in the list yields the same total length), the element length can be encoded in the corresponding template record. However, when a variable number of elements is used to represent variable-length data, hierarchical data and repeated data, these are encoded as variable-length information elements, with the length carried in one or three octets ahead of the structured data information element encoding.
According to one example arrangement, the basicList information element represents a list of zero or more instances of an information element. Fig. 2 illustrates encoding example 20, which shows how a basicList information element can be encoded. The Field ID is the information element identifier of the information element(s) contained in the list. The Element Length indicates the length of each element, or contains the value 0xFFFF if the length is encoded as an IPFIX variable-length information element. The collecting process decodes list elements from the basicList Content until no further data remains. A record count is not included, but can be derived when the information element is decoded. The Field ID is shown with the Enterprise bit (the most significant bit) set to 0. If the Enterprise bit is instead set to 1, a four-byte Enterprise Number is encoded immediately after the Element Length, as depicted in encoding example 30 of Fig. 3. Fig. 3 depicts an example of basicList encoding with an Enterprise Number. Fig. 4 depicts an example basicList information element encoding 40 (length < 255 octets).
It should also be noted that if the basicList has zero elements, the encoded data contains the Field ID, the Element Length, and the four-byte Enterprise Number (if present); the basicList Content is empty. Because the Element Length field is an effective part of the header, it is not omitted even in the case of a zero-element list without an Enterprise Number. Fig. 5 depicts an example variable-length basicList information element encoding 50 (length 0 to 65535 octets). Fig. 6 shows, according to one example, how a subTemplateList information element 60 is encoded in a data record. Fig. 7 illustrates an example subTemplateList information element encoding 70 (length < 255 octets).
The Template ID is the ID of the template used to encode and decode the subTemplateList Content. The subTemplateList Content consists of zero or more instances of data records corresponding to the Template ID. The collecting process decodes data records until no further data remains. A record count is not included, but can be derived when the subTemplateList is decoded. If the specified template itself contains structured data information elements as described here, encoding and decoding are performed recursively. Note that if the subTemplateList has zero elements, the encoded data contains only the Template ID; the subTemplateList Content is empty.
Fig. 8 depicts an example of variable-length subTemplateList information element encoding 80 (length 0 to 65535 octets). Although each top-level element in a subTemplateList information element corresponds to a single Template ID and therefore has the same data type, it is sometimes useful for a list to contain elements of more than one data type. To support this case, each top-level element in a subTemplateMultiList information element carries a template ID and a length. Fig. 9 shows how a subTemplateMultiList information element is encoded in an IPFIX data record. Fig. 9 depicts an example of subTemplateMultiList encoding 90. Unlike in the subTemplateList information element, each list element contains an Element Template ID and an Element Length that specify how the Element Content that follows is encoded. The Element Content consists of zero or more instances of data records corresponding to the Element Template ID. The collecting process decodes data records until no further data remains. A record count is not included, but can be derived when the Element Content is decoded. If the specified template itself contains structured data information elements, encoding and decoding are performed recursively.
Figure 10 depicts an example variable-length subTemplateMultiList information element encoding 100 (length < 255 octets). Figure 11 depicts an example of variable-length subTemplateMultiList information element encoding 110 (length 0 to 65535 octets).
According to one example implementation, the new structured data information elements can, by means of the structured data format, represent lists that potentially carry complex hierarchical and repeated data. Where the number and length of elements can vary from record to record, these information elements can be encoded as variable-length information elements.
On the collecting process side, the collecting process can note the information element identifier of any information element that it does not understand and can discard that information element from the flow record. Therefore, a collecting process that does not support the extensions specified here can ignore the structured data information elements in a data record, or it can ignore data records containing these new structured data information elements while continuing to process other data records.
As for structured data encoding examples, the following cases were created solely to illustrate how the extensions proposed here can be encoded. Regarding the encoding of a basicList, a user_record containing the following data can be encoded as follows.
--------------------------------------------------------
userId | sourceIPv4Address | applicationId list
--------------------------------------------------------
1        192.0.2.201         1001,1002,1003
--------------------------------------------------------
The userId uniquely identifies a user. The user_record contains data for a user at a particular IP address accessing a set of applications, where the number of applications can vary. The template record for user_record, with Template ID 258, is shown in Figure 12. Figure 12 depicts the encoding of a template record 120 that contains a basicList. The list of applications is represented as a basicList; the length of the list is chosen to be encoded in three bytes, even though it may be less than 255 octets. The data set can be represented as shown in Figure 13. Figure 13 depicts encoding example 130 of a data record containing a basicList. The 'N/A' in Figure 12 indicates that this field is unavailable, because no such information element currently exists in IANA. A similar notation applies to Figure 17 and Figure 22. Also note that the values XXX, YYY, and ZZZ appearing throughout the examples denote information elements to be assigned later by IANA.
Another example consists of an IPS alert, which is made up of the following mandatory attributes: signatureId, protocolIdentifier, and riskRating. It can also contain zero or more participants, and each participant can contain zero or more attackers and zero or more targets. An attacker contains the attributes sourceIPv4Address and applicationId, and a target contains the attribute destinationIPv4Address and zero or more occurrences of the attribute applicationId. Note that the signatureId and riskRating information element fields were created for these examples only and are shown with a Field ID of N/A. The signatureId helps uniquely identify the IPS signature that triggered the alert. The riskRating identifies the potential risk, on a scale of 0-100 (100 being the most serious), of the traffic that triggered the alert.
To represent the alert, the following templates can be defined:
A template (258) for the target
A template (259) for the attacker
A template (260) for the participant
A template (261) for the alert
alert(261)
|(signatureId)
|(protocolIdentifier)
|(riskRating)
|
+-------list of participants(260)
|
+-------attacker(259)
| (sourceIPv4Address)
| (applicationId)
|
+-------target(258)
|(destinationIPv4Address)
|(list of applicationId)
The template record for the target, with Template ID 258, is illustrated in Figure 14. Figure 14 provides an example of a template 140 that contains a basicList. The list of applicationIds in the target is represented as a basicList. The template (259) record 150 for the attacker is shown in Figure 15. The template record for the participant, with Template ID 260, is illustrated in Figure 16. Figure 16 illustrates an example encoding of a subTemplateList template 160 for the participant. The first subTemplateList in the participant contains the list of attackers; the second subTemplateList contains the list of targets. The template record 170 for the alert, with Template ID 261, is shown in Figure 17. It shows the encoding of a template containing a subTemplateList for the IPS alert. The subTemplateList in the alert template record contains the list of participants.
Consider an IPS alert with one participant, where the participant contains multiple attackers and one target with multiple applications.
--------------------------------------------------------------------------
      |          |        |                 Participant
sigId | protocol | risk   | attacker            | target
      | Id       | Rating | ip          | appId | ip           | appId(s)
--------------------------------------------------------------------------
1003    17         10       192.0.2.3     103
                            192.0.2.4     104     192.0.2.104    4001,4002
                            192.0.2.5     105
--------------------------------------------------------------------------
The data record is represented in Figure 18, where the lengths of the basicList and subTemplateList information elements are encoded in three bytes, even though they may be less than 255 octets. Figure 18 illustrates an example encoding 180 of a data set containing a subTemplateList.
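An added example (not code from the patent): a collector-side decoder for the basicList and subTemplateList encodings described above, run over a constructed data record for the one-participant alert in the table, with the length and nesting checks a collector needs because both values arrive from the exporter. The two-octet Field ID, Element Length and Template ID widths, the fixed field widths, Field ID 95 for applicationId, the MAX_DEPTH cap and all function names are assumptions, since the figures are not reproduced on this page.

```python
import struct

VARLEN = 0xFFFF  # Element Length value that signals variable-length encoding
MAX_DEPTH = 8    # assumption: nesting cap chosen for this example

class DecodeError(ValueError):
    """Malformed, truncated or over-nested structured data."""

# Template ID -> [(field, kind, length)]; field widths are assumptions.
TEMPLATES = {
    258: [("destinationIPv4Address", "fixed", 4),
          ("applicationIds", "basicList", VARLEN)],
    259: [("sourceIPv4Address", "fixed", 4), ("applicationId", "fixed", 4)],
    260: [("attackers", "subTemplateList", VARLEN),
          ("targets", "subTemplateList", VARLEN)],
    261: [("signatureId", "fixed", 2), ("protocolIdentifier", "fixed", 1),
          ("riskRating", "fixed", 1), ("participants", "subTemplateList", VARLEN)],
}

def take(buf, pos, n):
    if pos + n > len(buf):  # never read past the enclosing element
        raise DecodeError(f"need {n} octets at {pos}, have {len(buf) - pos}")
    return buf[pos:pos + n], pos + n

def read_varlen(buf, pos):
    """Length prefix: one octet, or 255 followed by a two-octet length."""
    raw, pos = take(buf, pos, 1)
    if raw[0] == 255:
        raw, pos = take(buf, pos, 2)
    return int.from_bytes(raw, "big"), pos

def decode_basic_list(content):
    hdr, pos = take(content, 0, 4)
    field_id, elem_len = struct.unpack("!HH", hdr)
    enterprise = None
    if field_id & 0x8000:  # Enterprise bit set: four-byte number follows
        raw, pos = take(content, pos, 4)
        enterprise = struct.unpack("!I", raw)[0]
    items = []
    while pos < len(content):  # no record count: decode until data runs out
        n = elem_len
        if n == VARLEN:
            n, pos = read_varlen(content, pos)
        elif n == 0:
            raise DecodeError("Element Length 0 with content never terminates")
        raw, pos = take(content, pos, n)
        items.append(raw)
    return {"fieldId": field_id & 0x7FFF, "enterprise": enterprise, "items": items}

def decode_sub_template_list(content, depth):
    raw, pos = take(content, 0, 2)
    template_id = struct.unpack("!H", raw)[0]
    records = []
    while pos < len(content):
        rec, pos = decode_record(template_id, content, pos, depth)
        records.append(rec)
    return records

def decode_record(template_id, buf, pos=0, depth=0):
    if depth > MAX_DEPTH:  # recursion is driven by exporter-supplied data
        raise DecodeError("structured data nested deeper than MAX_DEPTH")
    if template_id not in TEMPLATES:
        raise DecodeError(f"no template {template_id}")
    rec, start = {}, pos
    for name, kind, length in TEMPLATES[template_id]:
        if length == VARLEN:
            length, pos = read_varlen(buf, pos)
        value, pos = take(buf, pos, length)
        if kind == "basicList":
            value = decode_basic_list(value)
        elif kind == "subTemplateList":
            value = decode_sub_template_list(value, depth + 1)
        rec[name] = value
    if pos == start:  # a zero-width template would loop forever in a list
        raise DecodeError("record consumed no octets")
    return rec, pos

def vl(body, template_id=None):
    """Three-octet length prefix (as in the examples), optional Template ID."""
    head = b"" if template_id is None else struct.pack("!H", template_id)
    return b"\xff" + struct.pack("!H", len(head + body)) + head + body

def sample_alert():
    """Constructed data record for the one-participant alert in the table."""
    apps = struct.pack("!HHII", 95, 4, 4001, 4002)  # assumed Field ID 95
    target = bytes([192, 0, 2, 104]) + vl(apps)
    attackers = b"".join(bytes([192, 0, 2, n]) + struct.pack("!I", app)
                         for n, app in [(3, 103), (4, 104), (5, 105)])
    participant = vl(attackers, 259) + vl(target, 258)
    return struct.pack("!HBB", 1003, 17, 10) + vl(participant, 260)

if __name__ == "__main__":
    print(decode_record(261, sample_alert()))
```

Every failure path raises DecodeError, so a collector can drop the offending data record and continue with the next one, as the text allows for information elements it cannot interpret.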
Regarding the encoding of a subTemplateMultiList, consider the following example of an IPS alert. A participant can contain attackers and targets in any order, and the ordering conveys some information to the collector and needs to be preserved. In the example below, there are two attackers, A1 and A2, and one target, T1. This information is encoded as a subTemplateMultiList.
--------------------------------------------------------------------------
      |          |        |                 Participant
sigId | protocol | risk   | attacker            | target
      | Id       | Rating | ip          | appId | ip           | appId(s)
--------------------------------------------------------------------------
1003    17         10       192.0.2.3     103     192.0.2.103    3001,3002
                            192.0.2.4     104
--------------------------------------------------------------------------
where attacker A1 is: 192.0.2.3 103
where attacker A2 is: 192.0.2.4 104
where target T1 is: 192.0.2.103 3001,3002
To represent the alert, the following templates are defined:
A template (258) for the target
A template (259) for the attacker
A template (260) for the participant
A template (261) for the alert.
The template record for the target, with Template ID 258, is shown in Figure 19. Figure 19 illustrates the encoding 190 of the subTemplateMultiList template for the target. The list of applicationIds in the target template record is represented as a basicList. The template record for the attacker, with Template ID 259, is shown in Figure 20. Figure 20 depicts an example encoding 200 of the subTemplateMultiList template for the attacker. An example 210 of the template record for the participant, using Template ID 260, is shown in Figure 21. The template record for the participant has one subTemplateMultiList information element, which is a list that can contain attackers and targets repeated in any order. The template record 220 for the IPS alert, using Template ID 261, is shown in Figure 22. The subTemplateList in the alert template record contains the list of participants.
The lengths of the basicList, subTemplateList, and subTemplateMultiList can be encoded in three bytes, even though they may be less than 255 octets. The data set can be represented as shown in Figure 23, which is an example of the encoding 230 of a subTemplateMultiList data set. With regard to the relationship with Reducing Redundancy (e.g., RFC5473), there are bandwidth-saving methods for exporting flow or packet information using the IPFIX protocol. For example, RFC5473 defines the commonPropertiesID information element for exporting common properties. The new structured data types listed above can be used to define a list of commonPropertiesID. When structured data contains repeated elements, these elements can be replaced by commonPropertiesID information elements as defined in RFC5473. The replaced elements can include basicList, subTemplateList, and subTemplateMultiList information elements.
Note that with the examples provided here, interaction may be described in terms of two, three, four, or more network elements or associated modules. However, this has been done for purposes of clarity and example only. In some cases, it may be easier to describe one or more of the functions of a given set of flows by referencing only a limited number of items. It should be appreciated that communication system 10 (and its teachings) is readily scalable and can accommodate a large number of components, as well as more complicated or sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of communication system 10, as potentially applied to a myriad of other architectures.
It is also important to note that the steps described with reference to the preceding figures illustrate only some of the possible scenarios that may be executed by, or within, communication system 10. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the discussed concepts. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by communication system 10 in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the discussed concepts. Along similar lines, the preceding flows and illustrations have noted certain rules or orderings for describing some flows or processing scenarios, but these simply offer guidelines (not requirements) for possible ways of achieving the operational capabilities proposed here. There is considerable flexibility in how these activities can be conducted, and any such statements (as earnestly offered in this specification) should not be construed as limiting the broad scope or framework presented in Figs. 1-23.
Numerous other changes, substitutions, variations, alterations, and modifications may be ascertained by one skilled in the art, and it is intended that the discussed concepts encompass all such changes, substitutions, variations, alterations, and modifications as falling within the scope of the appended claims. In order to assist the United States Patent and Trademark Office (USPTO) and, additionally, any readers of any patent issued on this application in interpreting the appended claims, Applicant wishes to note that the Applicant: (a) does not intend any of the appended claims to invoke paragraph six (6) of 35 U.S.C. section 112 as it exists on the date of filing, unless the words "means for" or "step for" are specifically used in the particular claims; and (b) does not intend, by any statement in the specification, to limit this disclosure in any way that is not otherwise reflected in the appended claims.

Claims (18)

1. An apparatus for exporting structured data in a network environment, comprising:
A network element configured to receive a plurality of packets, the network element being configured to couple to a module, the module being configured to generate a data record that is based on information associated with the packets and that can be interpreted according to a template in which multiple information elements can be positioned to create a hierarchical relationship within structured data, wherein the structured data further includes references to the information elements, the network element further including an Internet Protocol Flow Information Export module configured to export the data record to a next destination,
The information elements correspond to respective abstract data types capable of representing the information associated with the packets, the abstract data types being part of a group of data types, the group comprising:
A) a basic list, which is a simple list of data;
B) a sub-template list, which references one of the templates; and
C) a sub-template multi-list, which references one or more of the templates and includes multiple lists of data, and
Wherein the structured data refers to a variable-length list of hierarchical relationships between several templates within a given template.
2. The apparatus as claimed in claim 1, wherein the network element is configured to generate multiple templates, each of the templates being referenced by the structured data.
3. The apparatus as claimed in claim 1, wherein an export protocol configured to trigger the generation of the data record specifies, for each of the information elements, a numeric identifier, an abstract data type, and an encoding mechanism for the abstract data type.
4. The apparatus as claimed in claim 1, wherein the data record is received at a network management station, the network management station being configured to interpret the data record according to the template, and wherein the network management station is configured to create a report, a statistical analysis, or a diagnostic evaluation based on the data record.
5. The apparatus as claimed in claim 1, wherein the information elements are sent in canonical format in network byte order.
6. A method for exporting structured data in a network environment, comprising:
Receiving a plurality of packets;
Generating a data record that is based on information associated with the packets and that can be interpreted according to a template in which multiple information elements can be positioned to create a hierarchical relationship within structured data, wherein the structured data further includes references to the information elements; and
Exporting the data record to a next destination via an Internet Protocol Flow Information Export (IPFIX) module, wherein the information elements correspond to respective abstract data types capable of representing the information associated with the packets, the abstract data types being part of a group of data types, the group comprising:
A) a basic list, which is a simple list of data;
B) a sub-template list, which is part of one of the templates; and
C) a sub-template multi-list, which is part of one of the templates and includes multiple lists of data, and
The structured data refers to a variable-length list of hierarchical relationships between several templates within a given template.
7. The method as claimed in claim 6, further comprising:
Generating multiple templates, each of the templates being referenced by the structured data.
8. The method as claimed in claim 6, wherein an export protocol configured to trigger the generation of the data record specifies, for each of the information elements, a numeric identifier, an abstract data type, and an encoding mechanism for the abstract data type.
9. The method as claimed in claim 6, wherein the data record is generated in response to a request for variable data from a network security element.
10. The method as claimed in claim 6, wherein the data record is received and the template is evaluated to create a report, a statistical analysis, or a diagnostic evaluation based on the data record.
11. The method as claimed in claim 6, wherein the information elements are sent in canonical format in network byte order.
12. An apparatus for exporting structured data in a network environment, comprising:
A network management station configured to receive a data record exported via an Internet Protocol Flow Information Export module and to interpret it according to a template in which multiple information elements can be positioned to create a hierarchical relationship within structured data, wherein the structured data includes references to the information elements,
Wherein the information elements correspond to respective abstract data types capable of representing information associated with packets, the abstract data types being part of a group of data types, the group comprising:
A) a basic list, which is a simple list of data;
B) a sub-template list, which references one of the templates; and
C) a sub-template multi-list, which references one or more of the templates and includes multiple lists of data, and
The structured data refers to a variable-length list of hierarchical relationships between several templates within a given template.
13. The apparatus as claimed in claim 12, wherein the network management station is configured to receive multiple templates, each of the templates being referenced by the structured data.
14. The apparatus as claimed in claim 12, wherein an export protocol configured to trigger the generation of the data record specifies, for each of the information elements, a numeric identifier, an abstract data type, and an encoding mechanism for the abstract data type.
15. The apparatus as claimed in claim 12, wherein the network management station is configured to create a report, a statistical analysis, or a diagnostic evaluation based on the data record.
16. A method for exporting structured data in a network environment, comprising:
Receiving a data record exported via an Internet Protocol Flow Information Export module and interpreting it according to a template in which multiple information elements can be positioned to create a hierarchical relationship within structured data, wherein the structured data includes references to the information elements; and
Creating a report, a statistical analysis, or a diagnostic evaluation based on the data record,
Wherein the information elements correspond to respective abstract data types capable of representing information associated with packets, the abstract data types being part of a group of data types, the group comprising:
A) a basic list, which is a simple list of data;
B) a sub-template list, which references one of the templates; and
C) a sub-template multi-list, which references one or more of the templates and includes multiple lists of data, and
The structured data refers to a variable-length list of hierarchical relationships between several templates within a given template.
17. The method as claimed in claim 16, further comprising:
Receiving multiple templates, wherein each of the templates is referenced by the structured data.
18. The method as claimed in claim 16, wherein the data record is generated in response to a request for variable data from a network security element.
CN201080001236.7A 2009-05-14 2010-04-09 System and method for exporting structured data in a network management environment Active CN102124698B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US12/465,707 2009-05-14
US12/465,707 US8125920B2 (en) 2009-03-04 2009-05-14 System and method for exporting structured data in a network environment
PCT/US2010/030607 WO2010102311A1 (en) 2009-03-04 2010-04-09 System and method for exporting structured data in a network management environment

Publications (2)

Publication Number Publication Date
CN102124698A CN102124698A (en) 2011-07-13
CN102124698B true CN102124698B (en) 2014-11-19

Family

ID=44259770

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201080001236.7A Active CN102124698B (en) 2009-05-14 2010-04-09 System and method for exporting structured data in a network management environment

Country Status (1)

Country Link
CN (1) CN102124698B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8125920B2 (en) 2009-03-04 2012-02-28 Cisco Technology, Inc. System and method for exporting structured data in a network environment
US8724487B1 (en) 2010-02-15 2014-05-13 Cisco Technology, Inc. System and method for synchronized reporting in a network environment
CN103916289B (en) * 2014-03-21 2017-04-12 烽火通信科技股份有限公司 Message screening device and method in IPFIX output device
CN108183892B (en) * 2017-12-22 2021-08-06 新华三大数据技术有限公司 Message processing method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6405251B1 (en) * 1999-03-25 2002-06-11 Nortel Networks Limited Enhancement of network accounting records
CN1794649A (en) * 2005-07-15 2006-06-28 华为技术有限公司 Data management method and system based on simple network management protocol
US7433304B1 (en) * 2002-09-06 2008-10-07 Packeteer, Inc. Classification data structure enabling multi-dimensional network traffic classification and control schemes

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8156233B2 (en) * 2007-04-06 2012-04-10 Cisco Technology, Inc. Streaming of templates and data records in individual streams using a multistream protocol

Also Published As

Publication number Publication date
CN102124698A (en) 2011-07-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant