Skip to main content

Requirements for Content Information Export in IP Flow Information Export (IPFIX)
draft-fan-ipfix-content-info-req-00

The information below is for an old version of the document.
Document Type Active Internet-Draft (individual)
Author Peng Fan
Last updated 2013-07-14
Stream (None)
Formats plain text htmlized pdfized bibtex
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-fan-ipfix-content-info-req-00
Network Working Group                                             P. Fan
Internet-Draft                                              China Mobile
Intended status: Informational                             July 15, 2013
Expires: January 16, 2014

   Requirements for Content Information Export in IP Flow Information
                             Export (IPFIX)
                  draft-fan-ipfix-content-info-req-00

Abstract

   This document specifies requirements for exporting content related
   information using IPFIX.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 16, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Fan                     Expires January 16, 2014                [Page 1]
Internet-Draft      Content Information Requirements           July 2013

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Content Information . . . . . . . . . . . . . . . . . . . . .   3
   3.  Purpose of Exporting Content Information  . . . . . . . . . .   3
     3.1.  Analyzing Purpose . . . . . . . . . . . . . . . . . . . .   4
     3.2.  Optimizing Purpose  . . . . . . . . . . . . . . . . . . .   4
     3.3.  Business Purpose  . . . . . . . . . . . . . . . . . . . .   4
     3.4.  Security Purpose  . . . . . . . . . . . . . . . . . . . .   5
   4.  Distinguishing Flows with Content Properties  . . . . . . . .   5
     4.1.  Locating the Content Properties . . . . . . . . . . . . .   5
     4.2.  Encryption  . . . . . . . . . . . . . . . . . . . . . . .   6
     4.3.  Tunnels and Bearers . . . . . . . . . . . . . . . . . . .   6
     4.4.  Protocol Fields . . . . . . . . . . . . . . . . . . . . .   6
     4.5.  Application and Service Information . . . . . . . . . . .   7
   5.  Content Aware Metering Process  . . . . . . . . . . . . . . .   7
     5.1.  Traffic Handling  . . . . . . . . . . . . . . . . . . . .   7
     5.2.  Instantaneity . . . . . . . . . . . . . . . . . . . . . .   7
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   Our internet today employs a large and increasing number of devices
   with content aware ability.  These devices can be traditional routing
   boxes, middleboxes [RFC3234] performing specialized functions, or
   monitoring probes placed in the network or on a specific link.  No
   matter in the form of service line card or independent box, content
   aware function is implemented based on payload information of IP
   flows other than layer 3 or layer 4 information, and is widely used
   for different purposes: traffic analyzing, filtering, policy control
   and charging, security, etc.

   The IPFIX protocol provides us with ways to give network
   administrators flow information.  A series of standards have been
   defined by IPFIX WG, including requirements [RFC3917], architecture
   [RFC5470], protocol specification [I-D.ietf-ipfix-protocol-
   rfc5101bis], and information model [I-D.ietf-ipfix-information-model-
   rfc5102bis].  IPFIX already provides Information Elements for every
   common Layer 4 and Layer 3 packet header field in the IETF protocol
   suite, basic Layer 2 information, basic counters, timestamps and time
   ranges, and so on, according to [I-D.draft-ietf-ipfix-ie-doctors].
   However, higher-layer content related information export is not yet
   well standardized.  Although [RFC6759] specifies a Cisco extension to

Fan                     Expires January 16, 2014                [Page 2]
Internet-Draft      Content Information Requirements           July 2013

   the IPFIX information model to export application information after
   running application recognition procedure, more granular, well-
   defined information models that can be used in a universal,
   interoperable way to gather content information have not been
   specified.

   This memo describes requirements for exporting content information of
   traffic flows, and intends to update [RFC3917].

2.  Content Information

   Content information tells network administrators what exactly is
   carried by the flow rather than just flow properties.  Compared with
   traditional IP flow information usually derived from layer 2 to layer
   4 header fields, content information focuses on layers above layer 4,
   and requires deep parse or comprehensive analysis of a packet or an
   IP flow.  The content information commonly expected can be a specific
   header field, part of the details within the payload a packet, or the
   application generating the IP flow characterized by an assigned
   application identifier.

   Content information covers a wide range of messages revealed from
   sections encapsulated above transport layer in a packet.  The
   following are 2 categories content information can be briefly divided
   into.  Note that this classification is for illustration purpose,
   while not meant to come to a strict, academic guidance.  In practical
   use a piece of content information may have multiple characteristics
   that cannot be fit neatly into a single category.

   Application information:  Application information describes the
      application or service that is currently carried by the monitored
      IP flow.  This kind of information provides direct clue to the
      exact content that is transported on the network: a pointer
      indicating the resource (e.g. URL), a recognized application name
      (e.g. abc web site) or category (e.g. web browsing).

   Network information:  Network information is closely related with
      status and statistics of a protocol.  It often gives the idea
      about how a session is established, maintained and torn down, for
      example HTTP request method, web page download duration, PDP
      context create latency, etc.

3.  Purpose of Exporting Content Information

   This section describes in what ways content information is used.  The
   following is a selection of reasons of exporting content information
   and abilities enabled by it.

Fan                     Expires January 16, 2014                [Page 3]
Internet-Draft      Content Information Requirements           July 2013

3.1.  Analyzing Purpose

   Content information helps network administrators make intelligent and
   synthetic analysis on traffic.  Angle of analysis can be application
   usage, traffic distribution, network performance, or any combination
   of them.  Analyzing purpose is regarded as a basic need for content
   information, and the results after content analysis are often used
   for other purposes.  Traffic visualizing and mobile network signaling
   analysis system are typical service for this purpose.  Examples of
   content analysis include:

   o  The traffic volume distribution of a certain application among
      selected locations.

   o  The success rate and average duration of loading a specific web
      page.

   o  Average PDP context create times, success rate, and online
      duration in each PDP connection within a time period.

3.2.  Optimizing Purpose

   By utilizing content information, a variety of optimization functions
   can be fulfilled, such as policy based traffic control, better
   resource distribution and improved user experience.  The following
   are some of the examples.

   o  Policy and Charging Control (PCC, see [TS23.203]) and Policy
      Control Framework (PCF, see [WT-134]) are architectures defined to
      achieve policy based control functions.  The architecture can look
      into the content and make decisions based on it, e.g. QoS
      assignment.

   o  CDN or cache systems are used to redistribute resources for better
      user access.  Content information such as requested domain name
      and URL is basic for normal function of those systems.

   o  Traffic control systems for purpose like restricting P2P traffic
      is another example.

3.3.  Business Purpose

   Content information helps network administrators provide better
   services to subscribers, no matter in marketing or operation field.
   The following are some of the examples.

   o  Content charging is a fresh charging model that performs according
      to application, service type, etc.  Compared with traditional flat

Fan                     Expires January 16, 2014                [Page 4]
Internet-Draft      Content Information Requirements           July 2013

      rate or time/volume based charging, it offers customized,
      differentiated charging strategy.  Content charging is also part
      of the functions of PCC.

   o  Internet usage query with the help of content information is
      essential when solving customer complaints regarding internet
      access.

3.4.  Security Purpose

   Security related functions such as application-based firewall,
   parental control, intrusion detection and abnormal flow detection
   also require content information.

4.  Distinguishing Flows with Content Properties

   Traffic flows are distinguished by properties in the flows as
   described in [RFC3917].  Packets with the same properties in the
   predefined property set are considered to be within the same flow,
   while packets with one or more different properties are mapped into
   different flows.  A metering process with content awareness must also
   meet the fundamental packet evaluation ability requirement in section
   4 of [RFC3917], as those basic properties (e.g. IP header fields,
   transport header fields, MPLS label, etc.) serve as fundamental marks
   of flows.

   A traffic flow can also be distinguished with content information
   properties by a metering process with content awareness, though the
   approaches of evaluating content information and distinguishing flows
   by it require special abilities.  The following subsections describe
   a list of considerations of content aware flow distinguishing and
   content properties used for evaluation.

4.1.  Locating the Content Properties

   A significant difference regarding content information evaluation is
   that it is not performed on the basis of signal packets but
   frequently on a series of packets related with each other forming a
   traffic "stream" (e.g. a session, a five-tuple defined flow, etc.).
   The properties of a flow may not exist in every packet, for example:

   o  Properties only exist in certain position(s) of a stream, e.g. the
      target URL of an HTTP transaction exists in the request message.

Fan                     Expires January 16, 2014                [Page 5]
Internet-Draft      Content Information Requirements           July 2013

   o  Properties do not exist in the stream to be metered and have to be
      associated to the stream by the metering process.  For example,
      the network information of a mobile core network can be retrieved
      in different stages in GTP-C protocol, while service traffic is
      carried by GTP-U protocol.

   o  Properties are the overall characteristic of the stream, e.g. the
      application identifier that describes the entire traffic.

   So in case of content aware flow distinguishing, the procedure is
   more like evaluating the properties of flows and identifying them,
   than evaluating the properties of packets and map them to flows.  A
   metering process with content awareness must be able to evaluate
   content properties retrieved from traffic.

4.2.  Encryption

   If the traffic containing content properties is encrypted, metering
   process requiring direct access to those properties is likely to be
   affected.  This kind of metering process must meet the requirements
   in this section for traffic that have the properties required by the
   process unencrypted.

   Compared with metering process requiring direct access to certain
   information, there is another kind of metering process based on
   statistic features or connection behaviors of traffic, which is able
   to identify applications in case of encryption.  This kind of
   metering process must meet the requirement in subsection 4.5 despite
   of encryption.

4.3.  Tunnels and Bearers

   Many applications run over a tunneling protocol or a protocol acting
   as a session or presentation bearer.  Content information may be
   carried in the tunnel, bearer and the application traffic that runs
   above them.  A metering process must be able to comprehend the
   encapsulation and separate flows by information properties in the
   encapsulation or the encapsulated section.

4.4.  Protocol Fields

   The metering process must be able to separate flows by examining the
   content properties contained in protocol fields, for example:

   o  An HTTP browsing transaction characterized by the resource URL in
      the Request-URI field of the request message.

Fan                     Expires January 16, 2014                [Page 6]
Internet-Draft      Content Information Requirements           July 2013

   o  A DNS query transaction characterized by the domain name in the
      Question section of the query message.

4.5.  Application and Service Information

   If the metering process is equipped with the function of classifying
   the application, service or their category traffic belongs to, the
   metering process must be able to separate flows by application/
   service information, e.g. skype, VoIP, etc.

5.  Content Aware Metering Process

   This section describes requirements for the content aware metering
   process, and is meant to complement and update section 5 of
   [RFC3917].

5.1.  Traffic Handling

   The metering process must be able to handle the traffic as a whole
   and evaluate content information in a global perspective, in addition
   to the traditional packet header based metering approach.  The
   following is a few specific requirements for the metering process.

   o  The metering process must be able to deal with required traffic
      granularity based on needs.  For example, a stream of application
      traffic consisting of several TCP flows, or a specific TCP
      transaction in a large GTP tunnel.

   o  Many applications and protocols work on a bidirectional session,
      transaction, or dialog mode.  The metering process must be able to
      associate related packet streams to correctly interpret content
      information in them.

   o  Many protocols are implemented on separated planes, e.g. FTP, GTP,
      etc.  The metering process must be able to associate and
      comprehend information on different planes.

5.2.  Instantaneity

   The content information may be used by other systems or applications
   for purposes described in section 3.  Some systems may use it for
   offline analysis, while some may perform real-time feedback onto the
   traffic (e.g. rate limiting).  The metering process must meet the
   instantaneity requirements based on needs of the systems.

6.  Security Considerations

   TBD.

Fan                     Expires January 16, 2014                [Page 7]
Internet-Draft      Content Information Requirements           July 2013

7.  IANA Considerations

   This memo includes no request to IANA.

8.  References

8.1.  Normative References

   [I-D.draft-ietf-ipfix-ie-doctors]
              Trammell, B. and B. Claise, "Guidelines for Authors and
              Reviewers of IPFIX Information Elements", draft-ietf-
              ipfix-ie-doctors-07 (Work in Progress), October 2012.

   [I-D.ietf-ipfix-information-model-rfc5102bis]
              Claise, B. and B. Trammell, "Information Model for IP Flow
              Information eXport (IPFIX)", draft-ietf-ipfix-information-
              model-rfc5102bis-10 (Work in Progress), February 2013.

   [I-D.ietf-ipfix-protocol-rfc5101bis]
              Claise, B., Trammell, B., Aitken, P., Bryant, S., Leinen,
              S., and T. Dietz, "Specification of the IP Flow
              Information eXport (IPFIX) Protocol for the Exchange of
              Flow Information", draft-ietf-ipfix-protocol-rfc5101bis-08
              (Work in Progress), June 2013.

   [RFC3917]  Quittek, J., Zseby, T., Claise, B., and S. Zander,
              "Requirements for IP Flow Information Export (IPFIX)", RFC
              3917, October 2004.

   [RFC5470]  Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
              "Architecture for IP Flow Information Export", RFC 5470,
              March 2009.

   [RFC6957]  Claise, B., Aitken, P., and N. Ben-Dvora, "Cisco Systems
              Export of Application Information in IP Flow Information
              Export (IPFIX)", RFC 6957, November 2012.

8.2.  Informative References

   [RFC3234]  Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
              Issues", RFC 3234, February 2002.

   [TS23.203]
              3GPP Technical Specification 23.203, ., "Policy and
              charging control architecture", March 2012.

   [WT-134]   BBF STRAW BALLOT WT-134, ., "Broadband Policy Control
              Framework (PCF)", February 2012.

Fan                     Expires January 16, 2014                [Page 8]
Internet-Draft      Content Information Requirements           July 2013

Author's Address

   Peng Fan
   China Mobile
   32 Xuanwumen West Street, Xicheng District
   Beijing  100053
   P.R. China

   Email: fanpeng@chinamobile.com

Fan                     Expires January 16, 2014                [Page 9]