IPFIX Working Group                                         A. Kobayashi
Internet-Draft                                                H. Nishida
Intended status: Informational                               NTT PF Lab.
Expires: May 8, 2009                                           B. Claise
                                                           Cisco Systems
                                                        November 4, 2008


                       IPFIX Mediation: Framework
                draft-ietf-ipfix-mediators-framework-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on May 8, 2009.
















Kobayashi, et al.          Expires May 8, 2009                  [Page 1]


Internet-Draft          IPFIX Mediation Framework          November 2008


Abstract

   This document describes a framework for an IPFIX Mediation.  This
   framework details an IPFIX Mediation reference model and the
   components of the IPFIX Mediation device (IPFIX Mediator).


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  IPFIX Mediation Reference Model  . . . . . . . . . . . . . . .  9
   4.  IPFIX Mediation Functional and Logical Blocks  . . . . . . . . 12
     4.1.  Collecting Process . . . . . . . . . . . . . . . . . . . . 12
     4.2.  Exporting Process  . . . . . . . . . . . . . . . . . . . . 12
     4.3.  Intermediate Process . . . . . . . . . . . . . . . . . . . 12
       4.3.1.  Flow Selection Function  . . . . . . . . . . . . . . . 12
       4.3.2.  Flow-based Collector Selection Function  . . . . . . . 13
       4.3.3.  Aggregation Function . . . . . . . . . . . . . . . . . 13
       4.3.4.  Correlation Function . . . . . . . . . . . . . . . . . 14
       4.3.5.  Modification Function  . . . . . . . . . . . . . . . . 15
     4.4.  IPFIX File Writer/Reader . . . . . . . . . . . . . . . . . 16
     4.5.  Flow Expiration  . . . . . . . . . . . . . . . . . . . . . 17
     4.6.  Information Model  . . . . . . . . . . . . . . . . . . . . 18
     4.7.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . 18
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 20
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 21
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 22
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 22
   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . . 24
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
   Intellectual Property and Copyright Statements . . . . . . . . . . 26



















1.  Introduction

   IPFIX Mediation reroutes, replicates, filters, aggregates,
   correlates, or modifies Flow Records/Packet Reports or changes a
   transport protocol.  This document describes the framework for IPFIX
   Mediation.  The motivation for the IPFIX Mediation standard comes
   from the need for flow-based measurement system support for large-
   scale networks, interdomain networks, and coexistence with
   traditional Exporters as described in detail in
   [I-D.ietf-ipfix-mediator-ps].  The standard specification requires a
   definition of IPFIX Mediation and IPFIX Mediation device (IPFIX
   Mediator).

   This document is organized as follows.  Section 2 describes
   terminology related to IPFIX Mediation.  Section 3 describes a high
   level reference model.  Section 4 details the components of the IPFIX
   Mediator.



































2.  Terminology

   The terms in this section are in line with those in the IPFIX
   specification document [RFC5101] and the PSAMP specification document
   [I-D.ietf-psamp-protocol].  Additional terms required for the IPFIX
   Mediation are also defined with those in the IPFIX Mediator problem
   statement [I-D.ietf-ipfix-mediator-ps].  All these terms are
   capitalized in this document.

   Observation Point

      An Observation Point is a location in the network where IP packets
      can be observed.  Examples include: a line to which a probe is
      attached, a shared medium, such as an Ethernet-based LAN, a single
      port of a router, or a set of interfaces (physical or logical) of
      a router.

      Note that every Observation Point is associated with an
      Observation Domain (defined below), and that one Observation Point
      may be a superset of several other Observation Points.  For
      example, one Observation Point can be an entire line card.  That
      would be the superset of the individual Observation Points at the
      line card's interfaces.

   Observation Domain

      An Observation Domain is the largest set of Observation Points for
      which Flow information can be aggregated by a Metering Process.
      For example, a router line card may be an Observation Domain if it
      is composed of several interfaces, each of which is an Observation
      Point.  In the IPFIX Message it generates, the Observation Domain
      includes its Observation Domain ID, which is unique per Exporting
      Process.  That way, the Collecting Process can identify the
      specific Observation Domain from the Exporter that sends the IPFIX
      Messages.  Every Observation Point is associated with an
      Observation Domain.  It is RECOMMENDED that Observation Domain IDs
      also be unique per IPFIX Device.

   Flow Key

      Each of the fields that:

      1. belong to the packet header (e.g., destination IP address),

      2. are a property of the packet itself (e.g., packet length),

      3. are derived from packet treatment (e.g., Autonomous System (AS)
      number),




      and that are used to define a Flow are termed Flow Keys.

   Flow Record

      A Flow Record contains information about a specific Flow that was
      observed at an Observation Point.  A Flow Record contains measured
      properties of the Flow (e.g., the total number of bytes for all
      the Flow's packets) and usually characteristic properties of the
      Flow (e.g., source IP address).

   Packet Reports

      Packet Reports comprise a configurable subset of a packet's input
      to the Selection Process, including the Packet Content,
      information relating to its treatment (for example, the output
      interface), and its associated selection state (for example, a
      hash of the Packet Content).

   Exporting Process

      The Exporting Process sends Flow Records to one or more Collecting
      Processes.  The Flow Records are generated by one or more Metering
      Processes.

   Exporter

      A device that hosts one or more Exporting Processes is termed an
      Exporter.

   IPFIX Device

      An IPFIX Device hosts at least one Exporting Process.  It may host
      further Exporting Processes and arbitrary numbers of Observation
      Points and Metering Processes.

   Collecting Process

      A Collecting Process receives Flow Records from one or more
      Exporting Processes.  The Collecting Process might process or
      store received Flow Records, but such actions are out of the scope
      of this document.

   Collector

      A device that hosts one or more Collecting Processes is termed a
      Collector.






   IPFIX Message

      An IPFIX Message is a message originating at the Exporting Process
      that carries the IPFIX records of this Exporting Process and whose
      destination is a Collecting Process.  An IPFIX Message is
      encapsulated at the transport layer.

   Information Element

      An Information Element is a protocol and encoding-independent
      description of an attribute that may appear in an IPFIX Record.
      The IPFIX information model [RFC5102] defines the base set of
      Information Elements for IPFIX.  The type associated with an
      Information Element indicates constraints on what it may contain
      and also determines the valid encoding mechanisms for use in
      IPFIX.

   IPFIX Mediation

      IPFIX Mediation is a generic term for functions that operate on
      Flow Records, Packet Reports, and IPFIX Messages.  IPFIX
      Mediation is located in between components: Metering Processes,
      Exporting Processes, Collecting Processes, and other applications.
      IPFIX Mediation can be included in any IPFIX Device.  IPFIX
      Mediation consists of a set of some of the following functions:

      *  rerouting input Flow Records/Packet Reports to an appropriate
         Collecting Process

      *  replicating input Flow Records/Packet Reports

      *  filtering and selecting input Flow Records/Packet Reports

      *  aggregating input Flow Records/Packet Reports based on new Flow
         Keys

      *  correlating a set of Flow Records/Packet Reports for creating
         new Flow Records/Packet Reports with new metrics

      *  modifying input Flow Records/Packet Reports

      *  changing transport protocols that carry IPFIX Messages

      The modification of Flow Records/Packet Reports includes these
      processes:

      *  changing the value of specified Information Elements





      *  adding new Information Elements by deriving further Flow or
         packet properties from existing fields or calculating new
         metrics

      *  deleting specified Information Elements.

      IPFIX Mediation can be included in any device, such as routers,
      switches, NMS (Network Management Systems), or stand-alone
      devices.

   Flow-Based Collector Selection

      The Flow-Based Collector Selection evaluates an input Flow Record/
      Packet Report based on the value of the specified Information
      Element and then selects a Collector for each input Flow Record/
      Packet Report.

   IPFIX Mediator

      An IPFIX Mediator contains one or more functions defined in IPFIX
      Mediation.  The IPFIX Mediator can be a stand-alone or a virtual
      device.  It also contains one or more Collecting Processes and one
      or more Exporting Processes.

   Original Exporter

      An Original Exporter is an IPFIX Device that hosts Observation
      Points where IP packets can be directly observed.

   IPFIX Proxy

      An IPFIX Proxy is an IPFIX Mediator that receives IPFIX Messages
      from an Original Exporter and sends IPFIX Messages to one or more
      Collectors.  It may alter part of an IPFIX Message to comply with
      IPFIX Protocol specifications.  It may also change the type of
      transport protocol, such as UDP, TCP, SCTP, and PR-SCTP, and
      convert a legacy protocol message to an IPFIX Message, if
      necessary.

   IPFIX Concentrator

      An IPFIX Concentrator is an IPFIX Mediator that receives Flow
      Records/Packet Reports, aggregates them, then exports the
      aggregated Flow Records.








   IPFIX Distributor

      An IPFIX Distributor is an IPFIX Mediator that reroutes input Flow
      Records/Packet Reports based on the result of Flow-Based Collector
      Selection.  It may filter or replicate input Flow Records/Packet
      Reports, if necessary.

   IPFIX Masquerading Proxy

      An IPFIX Masquerading Proxy is an IPFIX Mediator that screens out
      a part of the data of input Flow Records/Packet Reports according
      to configured policies.  It can thus, for example, hide the
      network topology information or customers' IP addresses.

   Intermediate Process

      An Intermediate Process in IPFIX Mediators can be considered as a
      partial Metering Process taken from the Metering Process in
      Original Exporters as described in [RFC3917].

      The Intermediate Process generates new sets of Data Records/Packet
      Reports from input Data Records/Packet Reports.

   Mediator Observation Domain

      An IPFIX Mediator does not host the Observation Points and
      Observation Domain.  The Observation Domain ID in the IPFIX header
      sent by the IPFIX Mediator also indicates the largest set of
      Observation Points from the viewpoint of a Collector.  However,
      this value does not indicate the physical entity of an Original
      Exporter.

   Transport Session Information

      The Transport Session is specified in [RFC5101].  In SCTP, the
      Transport Session Information is the SCTP association.  In TCP and
      UDP, the Transport Session Information corresponds to a 5-tuple
      {Exporter IP address, Collector IP address, Exporter transport
      port, Collector transport port, and transport protocol}.













3.  IPFIX Mediation Reference Model

   The figure below shows the high-level reference model for IPFIX
   Mediation based on [I-D.ietf-ipfix-architecture].  This figure covers
   the various possible scenarios that can exist in an IPFIX measurement
   system.


   +---------------------------+    +---------------------------+
   | Collector {l}             |    | Collector {k}             |
   |[*Application(s)]          |    |[*Application(s)]          |
   |[IPFIX File Reader/Writer] |    |[IPFIX File Reader/Writer] |
   |[Collecting Process(es)]   |....|[Collecting Process(es)]   |
   +---------------------------+    +---------------------------+
                    ^    ^              ^  ^
                    |    |              |  |
                    |    +------....----+  |
                    |    |                 |
             IPFIX (Flow Records / Packet Reports)
                    |    |                 |
   +----------------+----+-----+    +-------+-------------------+
   |IPFIX Mediator {j}         |    |IPFIX Mediator {n}         |
   |[*Application(s)]          |    |[*Application(s)]          |
   |[Exporting Process(es)]    |    |[Exporting Process(es)]    |
   |[Intermediate Process(es)] |....|[Intermediate Process(es)] |
   |[Collecting Process(es)]   |    |[Collecting Process(es)]   |
   +---------------------------+    +---------------------------+
                    ^    ^               ^
                    |    |               |
                    |    +------....-----+
                    |                    |
             IPFIX (Flow Records / Packet Reports)
                    |                    |
   +----------------+----------+    +----+----------------------+
   |IPFIX Original Exporter {i}|    |IPFIX Original Exporter {m}|
   |[Exporting Process(es)]    |    |[Exporting Process(es)]    |
   |[Metering Process(es)]     |....|[Metering Process(es)]     |
   |[Observation Point(s)]     |    |[Observation Point(s)]     |
   +---------------------------+    +---------------------------+
               ^ ^                        ^ ^
               | |                        | |
            Packets coming in to Observation Points

   Figure A: Reference Model for IPFIX Mediation.

   The various functional components are indicated within brackets [].
   The functional components within [*] are not part of
   [I-D.ietf-ipfix-architecture].




   The figure below shows the basic IPFIX Mediator component model.  The
   IPFIX Mediator is formally defined to consist of one or more
   Collecting Processes, zero or more Intermediate Processes, and one or
   more Exporting Processes.  Basically, IPFIX Mediator devices, i.e.,
   IPFIX Proxy, IPFIX Masquerading Proxy, IPFIX Distributor, and IPFIX
   Concentrator, described in [I-D.ietf-ipfix-mediator-ps], are composed
   of these components.


            IPFIX(Flow Records/Packet Reports)
                              ^
                            ^ |
   +------------------------|-|---------------------+
   | IPFIX Mediator         | |                     |
   |                        | |                     |
   |  .---------------------|-+-------------------. |
   | .----------------------+--------------------.| |
   | |          Exporting Process (es)           |' |
   | '----------------------^--------------------'  |
   |                        | |                     |
   |  .---------------------|-+-------------------. |
   | .----------------------+--------------------.| |
   | |    Intermediate Process (es) (optional)   |' |
   | '----------------------^--------------------'  |
   |                        | |                     |
   |  .---------------------|-+-------------------. |
   | .----------------------+--------------------.| |
   | |          Collecting Process (es)          |' |
   | '----------------------^--------------------'  |
   +------------------------|-|---------------------+
                            |
            IPFIX(Flow Records/Packet Reports)

   Figure B: IPFIX Mediator Basic Component Model.

   An Original Exporter with a Mediation function is modeled as follows.
















               IPFIX (Flow Records/Packet Reports)
                               ^ ^
   +---------------------------|-|------------------------+
   | Original Exporter         | |                        |
   |                           | |                        |
   |     .---------------------|-+-------------------.    |
   |    .----------------------+--------------------.|    |
   |    |           Exporting Process(es)           |'    |
   |    '----------------------^--------------------'     |
   |                           | |                        |
   |     .---------------------|-+-------------------.    |
   |    .----------------------+--------------------.|    |
   |    |          Intermediate Process(es)         |'    |
   |    '---------^-----------------------^---------'     |
   |              |Flow Record or         |               |
   |              |        Packet Reports |               |
   | .------------+----------.  .---------+-------------. |
   | | Metering Process {i}  |..| Metering Process {n}  | |
   | '------------^----------'  '---------^-------------' |
   |              |                       |               |
   | .------------+----------.  .---------+-------------. |
   | | Observation Point {i} |..| Observation Point {n} | |
   | '------------^----------'  '---------^-------------' |
   +--------------|-----------------------|---------------+
                  |                       |
            Packets coming in to Observation Points

   Figure C: Component Model for Original Exporter with Mediation.
























4.  IPFIX Mediation Functional and Logical Blocks

   This section describes the details of each component and examples
   applicable to that component for IPFIX Mediation and IPFIX Mediator.

4.1.  Collecting Process

   The Collecting Processes described in [RFC5101] receive Flow Records/
   Packet Reports with information relating to their treatment in the
   Metering Process and Exporting Process in the Original Exporter, such
   as sampling rate, IPFIX header information, and Transport Session
   Information.  The Collecting Processes forward the set of data to
   multiple components: Intermediate Processes and Exporting Processes.
   In other words, the processes may duplicate received Flow Records/
   Packet Reports and forward them to multiple components in sequence or
   in parallel.

4.2.  Exporting Process

   The Exporting Processes described in [RFC5101] forward Flow Records/
   Packet Reports to one or multiple Collectors.  The processes manage
   the reporting Template and make IPFIX Messages.

4.3.  Intermediate Process

   Intermediate Processes generate new sets of Flow Records/Packet
   Reports from input Flow Records/Packet Reports with IPFIX header
   information "Export Time" and "Observation Domain ID".  The processes
   host one of several functions defined below or a combination of them,
   in any sequence or in any set.  In the case of a combination, the
   output of each function can be the input of other functions.  The
   following subsections show the details of each function.

4.3.1.  Flow Selection Function

   The Flow Selection function determines which input Flow Records/
   Packet Reports are selected by matching under a filtering policy and
   then forwards them to the next processes or functions.  The function
   is similar to the Selection Process described in
   [I-D.ietf-psamp-framework].  The function covers several selection
   techniques, such as property match filtering and Flow selection,
   which are described in [I-D.ietf-psamp-framework] and
   [I-D.peluso-flowselection], respectively.  In property match
   filtering, if the value of a specified Information Element equals a
   configured value, the function selects Flow Records/Packet Reports to
   forward.






4.3.2.  Flow-based Collector Selection Function

   The Flow-based Collector Selection function determines to which
   Collector input Flow Records/Packet Reports are exported.  The
   function may also determine the type of Transport Session.  The
   function evaluates the value of a specified Information Element in
   input Flow Records/Packet Reports and then selects the Collector.
   These selection criteria are similar to the property match filtering
   of the Flow Selection Function (Section 4.3.1).

   Applicable examples include exporting Flow Records/Packet Reports to
   a dedicated Collector on the basis of the customer or the peering
   organization.  The function classifies Flow Records/Packet Reports
   on the basis of a peering AS number, as shown in the following
   figure.  The set of classified Flow Records/Packet Reports is
   exported to a dedicated Collector on the basis of the peering AS
   number.

           .----------------------------.
           | Intermediate Process       |
           |   .----------------------. |
           |   | Flow-Based Collector | |
           |   | Selection Function   | |
           |   |                      | |
           |   |     Peering AS #10   | |
           |   |  +-------------------+-+---> Collector #1
           |   |  |  Peering AS #20   | |
   Flow  --+---+--+-------------------+-+---> Collector #2
   Records |   |  |  Peering AS #30   | |
           |   |  +-------------------+-+---> Collector #3
           |   '----------------------' |
           '----------------------------'

   Figure D: Exporting classified Flow Records to dedicated Collector.
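
   The Flow Selection Function of Section 4.3.1 and the Flow-based
   Collector Selection of this section, as an added example in Python
   (not code from the draft or from any IPFIX implementation).  A Flow
   Record is modelled as a dict keyed by RFC 5102 Information Element
   names; a property match filter keeps the records whose configured
   Information Elements equal the configured values, and a selection
   table keyed on the peering AS number picks the Collector as in
   Figure D.  The sample records, the AS numbers, the Collector names and
   the use of "bgpNextAdjacentAsNumber" as the selection key are
   constructed assumptions; the example also counts records for which no
   Collector is configured, which the figure does not show.

```python
"""Flow Selection (property match filtering) and Flow-based Collector Selection.

Added example, not code from the draft.  A Flow Record is a dict keyed by
RFC 5102 Information Element names; records, AS numbers and Collector names
are constructed to mirror Figure D of the draft.
"""

# Constructed sample Flow Records (addresses from documentation ranges).
SAMPLE_FLOW_RECORDS = [
    {"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.5",
     "protocolIdentifier": 6, "bgpNextAdjacentAsNumber": 10, "octetDeltaCount": 1500},
    {"sourceIPv4Address": "192.0.2.11", "destinationIPv4Address": "198.51.100.9",
     "protocolIdentifier": 17, "bgpNextAdjacentAsNumber": 20, "octetDeltaCount": 300},
    {"sourceIPv4Address": "192.0.2.12", "destinationIPv4Address": "203.0.113.7",
     "protocolIdentifier": 6, "bgpNextAdjacentAsNumber": 30, "octetDeltaCount": 9000},
    {"sourceIPv4Address": "192.0.2.13", "destinationIPv4Address": "203.0.113.8",
     "protocolIdentifier": 6, "bgpNextAdjacentAsNumber": 40, "octetDeltaCount": 64},
]

# Flow-based Collector Selection table mirroring Figure D: peering AS -> Collector.
COLLECTOR_BY_PEERING_AS = {10: "Collector #1", 20: "Collector #2", 30: "Collector #3"}


def property_match_filter(records, policy):
    """Flow Selection Function: yield the records whose Information Elements
    all equal the values configured in `policy` (a dict IE name -> value).
    A record lacking one of the policy's IEs never matches."""
    for record in records:
        if all(record.get(ie) == wanted for ie, wanted in policy.items()):
            yield record


def select_collector(record, table, key_ie="bgpNextAdjacentAsNumber", default=None):
    """Flow-based Collector Selection: evaluate one Information Element of the
    record and return the Collector configured for its value.  `default` names
    the Collector for values without a dedicated entry (None means: none)."""
    return table.get(record.get(key_ie), default)


def distribute(records, table, key_ie="bgpNextAdjacentAsNumber", default=None):
    """IPFIX Distributor behaviour: group records by the Collector selected for
    each one.  Records that select no Collector are counted as dropped so an
    operator can see that the selection policy is incomplete."""
    per_collector = {}
    dropped = 0
    for record in records:
        collector = select_collector(record, table, key_ie, default)
        if collector is None:
            dropped += 1
            continue
        per_collector.setdefault(collector, []).append(record)
    return per_collector, dropped


if __name__ == "__main__":
    # Chain the two functions: select TCP records, then route them by peering AS.
    tcp_only = property_match_filter(SAMPLE_FLOW_RECORDS, {"protocolIdentifier": 6})
    buckets, dropped = distribute(tcp_only, COLLECTOR_BY_PEERING_AS)
    for collector, recs in buckets.items():
        print(collector, [r["destinationIPv4Address"] for r in recs])
    print("dropped (no Collector configured):", dropped)
```

   Chaining the two functions is the combination of Intermediate Process
   functions that Section 4.3 allows: the output of the filter is the
   input of the Collector selection.  The dropped counter is the check an
   operator wants when a new peering AS appears before its Collector is
   configured.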

4.3.3.  Aggregation Function

   The Aggregation function creates aggregated Flow Records from input
   Flow Records/Packet Reports.  The aggregation method is divided into
   three types:

   Choosing Shorter Flow Key

      Choosing a shorter Flow Key than the Flow Key of input Flow
      Records, such as three, two, or a single Flow Key, can create more
      aggregated Flow Records.  The function gathers Flow Records/Packet
      Reports within a given interval time and then distinguishes Flow
      Records/Packet Reports that have common properties.  If values of
      a given key field are the same, that means those Flow Records/
      Packet Reports have common properties, and the function merges
      them in accordance with aggregation rules described in
      [I-D.dressler-ipfix-aggregation].

      In addition, the function can create statistical data and
      subsidiary information related to the aggregated Flow Records.
      Examples include the number of input Flow Records/Packet Reports,
      the given interval time, and a set of a new Flow Key.

   Time Composition

      Time composition is defined as aggregation with the same Flow Key
      for long-running Flows.  The function may also compute Flow
      Records statistics, such as average, maximum, and minimum value of
      each counter.  The statistics help to visualize the behavior of
      traffic volume over a long time period.

      As another approach, the function collects Flow Records/Packet
      Reports of a shorter time period from an Original Exporter, and
      then computes these statistics.  Even if output Flow Records of
      the function indicate a general time period, the accuracy of the
      minimum, maximum, and average value can be improved.

   Space Composition

      Space composition is defined as aggregation on a larger
      Observation Domain or on a set of Observation Points.  In that
      case, a Flow key can be applied to other properties, such as
      Exporter IP address and Observation Domain ID.

      In addition, a group identifier indicating a spatial Observation
      Domain can also become a new Flow Key.  For example, a group can
      indicate an area on an ISP network, or a link aggregation
      interface composed of physical interfaces.  A configured rule can
      also relate the group to a set of values of specified Information
      Elements in Flow Records.  After converting the values of the
      specified Information Elements to the group identifier, the
      function can create aggregated Flow Records by a general
      aggregation process.
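
   The "Choosing Shorter Flow Key" method and the statistics of "Time
   Composition", as an added example in Python (not code from the draft
   or from any IPFIX implementation).  Records are dicts keyed by
   RFC 5102 Information Element names; the function gathers the records
   whose start time falls in a given interval, groups them by the values
   of a shorter Flow Key, sums the counters, and attaches the subsidiary
   information the text lists (number of input records, the interval,
   and per-counter minimum, maximum and average).  The sample records,
   the interval and the "x_"-prefixed names of the subsidiary fields are
   constructed assumptions, not Information Elements of the IPFIX
   information model.

```python
"""Aggregation Function: Choosing a Shorter Flow Key, with the statistics the
draft lists as subsidiary information (Time Composition).

Added example, not code from the draft.  Records are dicts keyed by RFC 5102
Information Element names; the records and the interval are constructed.
Fields prefixed "x_" are hypothetical subsidiary-information names.
"""
from collections import defaultdict

# Flow Key of the input records (five-tuple).
FULL_FLOW_KEY = ("sourceIPv4Address", "destinationIPv4Address",
                 "sourceTransportPort", "destinationTransportPort",
                 "protocolIdentifier")

# Constructed input Flow Records: three fall inside the interval [0, 2000) ms,
# the last one starts later and must be left out of that interval.
SAMPLE_RECORDS = [
    {"sourceIPv4Address": "192.0.2.1", "destinationIPv4Address": "198.51.100.1",
     "sourceTransportPort": 40000, "destinationTransportPort": 80, "protocolIdentifier": 6,
     "flowStartMilliseconds": 1000, "flowEndMilliseconds": 1500,
     "octetDeltaCount": 1000, "packetDeltaCount": 10},
    {"sourceIPv4Address": "192.0.2.1", "destinationIPv4Address": "198.51.100.1",
     "sourceTransportPort": 40001, "destinationTransportPort": 443, "protocolIdentifier": 6,
     "flowStartMilliseconds": 1200, "flowEndMilliseconds": 1800,
     "octetDeltaCount": 3000, "packetDeltaCount": 20},
    {"sourceIPv4Address": "192.0.2.1", "destinationIPv4Address": "198.51.100.2",
     "sourceTransportPort": 40002, "destinationTransportPort": 53, "protocolIdentifier": 17,
     "flowStartMilliseconds": 1300, "flowEndMilliseconds": 1350,
     "octetDeltaCount": 200, "packetDeltaCount": 2},
    {"sourceIPv4Address": "192.0.2.1", "destinationIPv4Address": "198.51.100.1",
     "sourceTransportPort": 40003, "destinationTransportPort": 80, "protocolIdentifier": 6,
     "flowStartMilliseconds": 5000, "flowEndMilliseconds": 5100,
     "octetDeltaCount": 500, "packetDeltaCount": 5},
]


def aggregate(records, new_flow_key, interval_start_ms, interval_end_ms):
    """Gather the records whose start time falls in the interval, group them
    by the values of the (shorter) new Flow Key, and merge each group into one
    aggregated Flow Record: counters are summed, the time span is the union,
    and subsidiary statistics describe the merged inputs.  Returns a dict
    keyed by the new Flow Key values."""
    groups = defaultdict(list)
    for rec in records:
        if interval_start_ms <= rec["flowStartMilliseconds"] < interval_end_ms:
            groups[tuple(rec[k] for k in new_flow_key)].append(rec)

    aggregated = {}
    for key_values, members in groups.items():
        octets = [m["octetDeltaCount"] for m in members]
        out = dict(zip(new_flow_key, key_values))
        out["octetDeltaCount"] = sum(octets)
        out["packetDeltaCount"] = sum(m["packetDeltaCount"] for m in members)
        out["flowStartMilliseconds"] = min(m["flowStartMilliseconds"] for m in members)
        out["flowEndMilliseconds"] = max(m["flowEndMilliseconds"] for m in members)
        # Subsidiary information: how many inputs were merged, over which
        # interval, and the per-input counter statistics (Time Composition).
        out["x_inputRecordCount"] = len(members)
        out["x_intervalStartMilliseconds"] = interval_start_ms
        out["x_intervalEndMilliseconds"] = interval_end_ms
        out["x_octetDeltaCountMin"] = min(octets)
        out["x_octetDeltaCountMax"] = max(octets)
        out["x_octetDeltaCountAvg"] = sum(octets) / len(octets)
        aggregated[key_values] = out
    return aggregated


if __name__ == "__main__":
    for key, rec in aggregate(SAMPLE_RECORDS, FULL_FLOW_KEY[:2], 0, 2000).items():
        print(key, rec["octetDeltaCount"], "octets from", rec["x_inputRecordCount"], "records")
```

   The same function serves Space Composition once the new Flow Key
   names a property such as the Exporter IP address or a group
   identifier that an earlier step has written into each record.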

4.3.4.  Correlation Function

   The Correlation function creates new metrics by evaluating the
   correlation among sets of Flow Records/Packet Reports.  These sets
   can be Flow Records gathered during a certain period, a pair of
   consecutive Packet Reports, or Packet Reports exported by different
   Exporters that report the same packet.  After deriving the new
   metrics, the function outputs Flow Records with the new metrics
   field.




   Applicable examples are as follows.

   o  One way delay follows from correlating Packet Reports exported
      from different Exporters on the path.

   o  Packet interval time, or jitter, follows from correlating
      consecutive Packet Reports exported from the same Exporter.

   o  Difference values follow from correlating Flow Records observed at
      ingress and egress interfaces.  The values help to confirm the
      result of a queueing or rate-limiting function.

   o  Average/maximum/minimum values follow from correlating each record
      in a set of Flow Records.
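
   The first, second and fourth examples above, as an added example in
   Python (not code from the draft or from any IPFIX implementation):
   one-way delay from Packet Reports of two Exporters that report the
   same packet, packet interval time from consecutive Packet Reports of
   one Exporter, and average/maximum/minimum over the derived values.
   A Packet Report is modelled as a dict with a packet digest and an
   observation time in milliseconds; those two field names are assumed
   (modelled on the PSAMP information model), the reports are
   constructed, and the "x_" names of the new metrics are hypothetical.

```python
"""Correlation Function: one-way delay from Packet Reports of two Exporters,
and inter-packet gaps (jitter) from consecutive reports of one Exporter.

Added example, not code from the draft.  Field names "digestHashValue" and
"observationTimeMilliseconds" are assumed (modelled on the PSAMP information
model); the reports are constructed; "x_" fields are hypothetical names.
"""

# Constructed Packet Reports from the ingress Exporter (entering the path).
INGRESS_REPORTS = [
    {"digestHashValue": 0xA1, "observationTimeMilliseconds": 1000},
    {"digestHashValue": 0xB2, "observationTimeMilliseconds": 1010},
    {"digestHashValue": 0xC3, "observationTimeMilliseconds": 1025},
]
# Constructed Packet Reports from the egress Exporter: 0xB2 was not observed
# there (dropped or not sampled) and 0xD4 has no ingress counterpart.
EGRESS_REPORTS = [
    {"digestHashValue": 0xA1, "observationTimeMilliseconds": 1012},
    {"digestHashValue": 0xC3, "observationTimeMilliseconds": 1040},
    {"digestHashValue": 0xD4, "observationTimeMilliseconds": 1050},
]


def one_way_delay(ingress, egress):
    """Pair reports of the same packet (equal digest) from the two Exporters
    and emit a record carrying the delay.  Unmatched reports are skipped; a
    negative delay is kept but flagged, because it can only come from clock
    offset between the Exporters and must not be silently averaged in."""
    egress_by_digest = {r["digestHashValue"]: r for r in egress}
    results = []
    for r in ingress:
        e = egress_by_digest.get(r["digestHashValue"])
        if e is None:
            continue
        delay = e["observationTimeMilliseconds"] - r["observationTimeMilliseconds"]
        results.append({"digestHashValue": r["digestHashValue"],
                        "x_oneWayDelayMilliseconds": delay,
                        "x_clockSkewSuspected": delay < 0})
    return results


def inter_packet_gaps(reports):
    """Gaps between consecutive Packet Reports of one Exporter, ordered by
    observation time; the spread of these gaps is the jitter."""
    times = sorted(r["observationTimeMilliseconds"] for r in reports)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def summarize(values):
    """Average/maximum/minimum over a set of derived values (empty -> None)."""
    if not values:
        return None
    return {"min": min(values), "max": max(values), "avg": sum(values) / len(values)}


if __name__ == "__main__":
    delays = one_way_delay(INGRESS_REPORTS, EGRESS_REPORTS)
    print("one-way delays:", delays)
    print("delay summary:", summarize([d["x_oneWayDelayMilliseconds"] for d in delays]))
    print("ingress jitter:", summarize(inter_packet_gaps(INGRESS_REPORTS)))
```

   Matching on the packet digest only works when both Exporters compute
   it over the same packet bytes; the clock-skew flag is the check that
   keeps an unsynchronized Exporter pair from producing plausible-looking
   but meaningless delay figures.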

4.3.5.  Modification Function

   The Modification function modifies input Flow Records/Packet Reports
   without changing their granularity.  The function can add new
   Information Elements, delete existing Information Elements, or modify
   the value of specified Information Elements.  If the function
   modifies the data structure of an original Template, it also needs to
   modify the value of the "flowKeyIndicator".

   Adding specified Information Elements

      The function obtains the value of a specified Information Element
      and then adds it into Flow Records/Packet Reports.  There are
      several methods to obtain the value: retrieving the value from a
      database or calculating the value based on the value of other
      Information Elements and received traffic data.

      Applicable examples include adding derived packet property
      parameters on behalf of Original Exporters.  Doing that can
      compensate for traditional Exporters or probes unable to add
      packet property parameters.  Therefore, Collectors do not need to
      recognize the difference among implementations of routers from
      several vendors or among Exporter types, such as router, switch,
      or probe.  Typical derived packet property parameters include the
      following.

      *  The "bgpNextHop{IPv4|IPv6}Address" described in [RFC5102]
         indicates the egress router of a network domain.  That is
         useful for making a traffic matrix that covers the whole
         network domain.

      *  The BGP Community value indicates the same group of destination
         or source IP addresses.




      *  The "mplsVpnRouteDistinguisher" described in [RFC5102], which
         cannot be extracted from the core router in MPLS networks,
         indicates the VPN customer's identification.  Network operators
         can monitor the traffic behavior of each customer by adding
         "mplsVpnRouteDistinguisher" to Flow Records/Packet Reports.

   Deleting specified Information Elements

      This function deletes existing Information Elements according to
      instruction rules, which indicate whether an Information Element
      should be removed.

      Applicable examples include hiding network topology information
      and private information.  In the case of IPFIX exporting across
      domains, the function can avoid creating a vulnerability by
      deleting unnecessary Information Elements.  Examples of network
      topology information include "ipNextHopIP{v4|v6}Address",
      "bgpNextHopIP{v4|v6}Address", and "bgp{Next|Prev}AdjacentAsNumber",
      described in [RFC5102].  In addition, MPLS-related Information
      Elements, such as "mplsLabelStackSection", are of no use to VPN
      customers when Flow Records/Packet Reports are fed to them.

   Modifying the value of specified Information Elements

      This function modifies the value of specified Information
      Elements.

      Applicable examples include anonymizing customers' private
      information, such as IP addresses and port numbers, according to
      a privacy protection policy.  Several anonymization techniques
      are described in [I-D.boschi-ipfix-anon].  The function also
      reports the anonymization method, and which part of the data was
      anonymized, as subsidiary information so that the receiver can
      interpret the modified values.
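
   The following Python code is an added illustration, not part of this
   draft or of any IPFIX implementation, of the three modification
   operations above applied by one Mediator: a Flow Record is first
   enriched with "bgpNextHopIPv4Address" by a longest-prefix match
   against a constructed BGP table (the table, the RFC 5737
   documentation addresses, and the sample record are assumptions), and
   a second copy is scrubbed for cross-domain export by deleting the
   topology Information Elements named above and replacing customer
   addresses and ports with keyed pseudonyms.  The keyed HMAC-SHA256
   pseudonymization is a simple technique chosen for the example; it
   keeps equal addresses equal across records, so flows still
   correlate, but it is not prefix-preserving, unlike some schemes in
   [I-D.boschi-ipfix-anon].  The subsidiary information is returned as
   a plain dictionary, since this draft defines no Information Elements
   for it.

```python
import hashlib
import hmac
import ipaddress

# Constructed BGP table for the enrichment step: destination prefix -> BGP
# next hop (the egress router of the domain).  RFC 5737 documentation
# addresses; the table itself is an assumption of this example.
BGP_TABLE = [(ipaddress.ip_network("203.0.113.0/24"), "198.51.100.1"),
             (ipaddress.ip_network("203.0.113.128/25"), "198.51.100.2")]

# RFC 5102 Information Elements that reveal topology or MPLS internals;
# they are deleted before Flow Records leave the domain.
TOPOLOGY_IES = {"ipNextHopIPv4Address", "ipNextHopIPv6Address",
                "bgpNextHopIPv4Address", "bgpNextHopIPv6Address",
                "bgpNextAdjacentAsNumber", "bgpPrevAdjacentAsNumber",
                "mplsLabelStackSection"}
# Customer-identifying Information Elements whose values are pseudonymized.
PRIVATE_IES = {"sourceIPv4Address", "destinationIPv4Address",
               "sourceTransportPort", "destinationTransportPort"}

# Constructed input Flow Record, as an Exporter inside the domain might send it.
RECORD = {"sourceIPv4Address": "192.0.2.10",
          "destinationIPv4Address": "203.0.113.200",
          "sourceTransportPort": 51234, "destinationTransportPort": 443,
          "protocolIdentifier": 6, "octetDeltaCount": 12345,
          "ipNextHopIPv4Address": "198.51.100.9",
          "mplsLabelStackSection": b"\x00\x10\x01\x40"}


def enrich_record(record, table=BGP_TABLE):
    """Add bgpNextHopIPv4Address by longest-prefix match on the destination."""
    dst = ipaddress.ip_address(record["destinationIPv4Address"])
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    out = dict(record)
    if best is not None:
        out["bgpNextHopIPv4Address"] = best[1]
    return out


def _pseudonym(raw, key, nbytes):
    """Keyed, deterministic mapping: the same value under the same key gives
    the same pseudonym, so records still correlate after anonymization.
    Not prefix-preserving (contrast the schemes in [I-D.boschi-ipfix-anon])."""
    digest = hmac.new(key, raw, hashlib.sha256).digest()
    return int.from_bytes(digest[:nbytes], "big")


def scrub_record(record, key, delete=TOPOLOGY_IES, anonymize=PRIVATE_IES):
    """Delete topology IEs and pseudonymize private IEs for cross-domain
    export.  Returns the modified record plus subsidiary information."""
    out, anonymized = {}, []
    for name, value in record.items():
        if name in delete:
            continue
        if name in anonymize:
            if name.endswith("IPv4Address"):
                packed = ipaddress.IPv4Address(value).packed
                value = str(ipaddress.IPv4Address(_pseudonym(packed, key, 4)))
            else:
                value = _pseudonym(int(value).to_bytes(2, "big"), key, 2)
            anonymized.append(name)
        out[name] = value
    info = {"method": "hmac-sha256-truncated", "anonymized": anonymized,
            "deleted": sorted(set(record) & set(delete))}
    return out, info


def mediate(record, key):
    """One input, two outputs: the enriched record stays inside the domain
    (e.g. for the traffic matrix); only the scrubbed one may leave it."""
    internal = enrich_record(record)
    external, info = scrub_record(internal, key)
    return internal, external, info
```

   The key must be kept by the Mediator and rotated under the privacy
   policy: anyone who holds it can reverse the port pseudonyms by
   enumeration, and the addresses by enumerating the customer's
   prefixes, which is why the subsidiary information names the method
   but never the key.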

4.4.  IPFIX File Writer/Reader

   The IPFIX File Writer stores input Flow Records/Packet Reports from
   any process in a storage system.  If received Flow Records/Packet
   Reports include uninteresting Information Elements, the Modification
   Function can delete these elements before the IPFIX File Writer
   handles them.  Therefore, IPFIX File Writers can accept input from
   any process.  In either case, input needs to include the IPFIX header
   information and the Transport Session Information along with Flow
   Records/Packet Reports.

   In contrast, the IPFIX File Reader retrieves stored Flow Records/
   Packet Reports when operators want to retrieve past Flow Records/
   Packet Reports on the basis of a given time period.  If the data
   structure of output Flow Records/Packet Reports from the IPFIX File
   Reader is different from what operators want, the Modification
   function can modify the data structure.  Therefore, the output of
   IPFIX File Readers can be input to any component.  The IPFIX File
   Writer/Reader are described in detail in [I-D.ietf-ipfix-file].

   Figure E shows the IPFIX component model with the IPFIX File Writer/
   Reader.  The IPFIX File Writer and the IPFIX File Reader occupy the
   same positions as the Exporting Process and the Collecting Process,
   respectively.

           IPFIX (Flow Records/Packet Reports)
                             ^
                           ^ |
    .----------------------|-+--------------------.
   .-----------------------+---------------------.|
   | Exporting Process (es) / IPFIX File Writer  |'
   '----^------------------^---------------------'
        |                  | |
        |    .-------------|-+--------------------.
        |   .--------------+---------------------.|
        |   |     Intermediate Process (es)      |'
        |   '--------------^-^-------------------'
        |                  | |
    .---+------------------|-+--------------------.
   .-----------------------+---------------------.|
   | Collecting Process (es) / IPFIX File Reader |'
   '-----------------------^---------------------'
                           |
            IPFIX (Flow Records/Packet Reports)


   Figure E: IPFIX Mediator Component Model with IPFIX File Writer/
   Reader.
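
   As an added example that is not part of this draft or of
   [I-D.ietf-ipfix-file], the Python code below writes Flow Records as
   one IPFIX message (message header, Template Set with set ID 2, Data
   Set) to a byte stream and reads it back, checking every length field
   before trusting it.  The Information Element IDs and lengths come
   from [RFC5102]; the single template, the Observation Domain ID, and
   the sample records are assumptions.  A file conforming to
   [I-D.ietf-ipfix-file] carries further metadata (for example, Options
   Templates) that this example omits.  What it does show is why the
   File Writer needs the IPFIX header and Transport Session Information
   together with the records: Templates are scoped by Observation
   Domain ID within a session, and a Data Set that arrives before its
   Template cannot be decoded.

```python
import io
import struct

# IE ids and fixed lengths from RFC 5102 for this example's single template.
TEMPLATE_ID = 256          # Template ids start at 256 (RFC 5101)
TEMPLATE = [("sourceIPv4Address", 8, 4), ("destinationIPv4Address", 12, 4),
            ("sourceTransportPort", 7, 2), ("destinationTransportPort", 11, 2),
            ("protocolIdentifier", 4, 1), ("octetDeltaCount", 1, 8),
            ("packetDeltaCount", 2, 8)]
IE_NAMES = {ie: name for name, ie, _ in TEMPLATE}

# Constructed sample input (RFC 5737 addresses) handed to the File Writer.
SAMPLE_RECORDS = [
    {"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "203.0.113.5",
     "sourceTransportPort": 51234, "destinationTransportPort": 443,
     "protocolIdentifier": 6, "octetDeltaCount": 15200, "packetDeltaCount": 18},
    {"sourceIPv4Address": "192.0.2.11", "destinationIPv4Address": "203.0.113.9",
     "sourceTransportPort": 40001, "destinationTransportPort": 53,
     "protocolIdentifier": 17, "octetDeltaCount": 96, "packetDeltaCount": 1}]


def _encode(name, length, value):
    if name.endswith("IPv4Address"):
        return bytes(int(x) for x in value.split("."))
    return int(value).to_bytes(length, "big")


def _decode(name, raw):
    if name.endswith("IPv4Address"):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def _set(set_id, body):
    return struct.pack("!HH", set_id, 4 + len(body)) + body


def write_ipfix(fh, records, odid=1, export_time=0, seq=0):
    """Write one IPFIX message: header, Template Set, then the Data Set."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for _, ie, ln in TEMPLATE)
    data = b"".join(_encode(n, ln, r[n]) for r in records for n, _, ln in TEMPLATE)
    body = _set(2, tmpl) + _set(TEMPLATE_ID, data)
    fh.write(struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, odid) + body)


def _parse_templates(body, odid, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        if tid < 256:                     # zero padding at the end of the set
            break
        fields, pos = [], pos + 4
        for _ in range(count):
            if pos + 4 > len(body):
                raise ValueError("truncated Template Record")
            ie, ln = struct.unpack_from("!HH", body, pos)
            pos += 8 if ie & 0x8000 else 4   # enterprise IEs also carry a PEN
            fields.append((ie & 0x7FFF, ln))  # 0xFFFF (variable length) unsupported
        templates[(odid, tid)] = fields


def _parse_data(body, fields):
    rec_len, out, pos = sum(ln for _, ln in fields), [], 0
    while rec_len and pos + rec_len <= len(body):  # trailing padding ignored
        rec = {}
        for ie, ln in fields:
            name = IE_NAMES.get(ie, "ie%d" % ie)
            rec[name] = _decode(name, body[pos:pos + ln])
            pos += ln
        out.append(rec)
    return out


def read_ipfix(fh):
    """Parse a stream of IPFIX messages; every length is checked before use."""
    buf, off, templates, records = fh.read(), 0, {}, []
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated message header at offset %d" % off)
        version, length, _t, _seq, odid = struct.unpack_from("!HHIII", buf, off)
        if version != 10 or length < 16 or off + length > len(buf):
            raise ValueError("bad message header at offset %d" % off)
        end, pos = off + length, off + 16
        while pos + 4 <= end:
            set_id, set_len = struct.unpack_from("!HH", buf, pos)
            if set_len < 4 or pos + set_len > end:
                raise ValueError("bad set header at offset %d" % pos)
            body = buf[pos + 4:pos + set_len]
            if set_id == 2:
                _parse_templates(body, odid, templates)
            elif set_id >= 256:        # Data Set (set id 3, Options, is skipped)
                if (odid, set_id) not in templates:
                    raise ValueError("Data Set %d before its Template" % set_id)
                records.extend(_parse_data(body, templates[(odid, set_id)]))
            pos += set_len
        off = end
    return records


def roundtrip(records):
    fh = io.BytesIO()
    write_ipfix(fh, records)
    return read_ipfix(io.BytesIO(fh.getvalue()))


def is_well_formed(data):
    try:
        read_ipfix(io.BytesIO(data))
        return True
    except ValueError:
        return False
```

   The reader keys Templates by (Observation Domain ID, Template ID)
   and refuses a Data Set whose Template it has not seen, rather than
   guessing a record layout; a File Reader that tolerates the latter
   will misparse records silently when a file is truncated or
   concatenated from different sessions.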

4.5.  Flow Expiration

   The Aggregation function needs expiration conditions to export cached
   Flow Records.  These conditions are described in
   [I-D.ietf-ipfix-architecture].  In the case of IPFIX Mediation, these
   conditions are as follows:

   o  If there are no input/received Flow Records/Packet Reports
      belonging to a cached Flow for a certain time period, aggregated
      Flow Records will expire.  This time period should be configurable
      at the Intermediate Process.

   o  If the IPFIX Mediator experiences resource constraints, aggregated
      Flow Records may prematurely expire (e.g., lack of memory to store
      Flow Records).

   o  For long-running Flows, the Intermediate Process should expire the
      Flow on a regular basis or based on some expiration policy.  This
      periodicity or expiration policy should be configurable at the
      Intermediate Process.

   The Correlation function also needs similar expiration conditions.
   However, when cached Flow Records/Packet Reports expire prematurely
   and the function cannot compute the correlation among them, the
   cached Flow Records/Packet Reports may be discarded.

4.6.  Information Model

   IPFIX Mediation reuses the general information model from [RFC5102]
   and from [I-D.ietf-psamp-info].  The following new Information
   Elements are also needed for IPFIX Mediation (the IDs shown as XXX
   have not been assigned).

   +-----+---------------------------+-----+---------------------------+
   |  ID | Name                      |  ID | Name                      |
   +-----+---------------------------+-----+---------------------------+
   | XXX | averageBitRate            | XXX | averagePacketsRate        |
   | XXX | minimumBitRate            | XXX | minimumPacketsRate        |
   | XXX | maximumBitRate            | XXX | maximumPacketsRate        |
   +-----+---------------------------+-----+---------------------------+
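
   The following Python code is an added example, not code from this
   draft, of an Aggregation cache that applies the three expiration
   conditions of Section 4.5 and, on export, fills the rate Information
   Elements of the table above.  Input Flow Records are merged by a
   configurable key; the idle timeout, the active timeout for
   long-running Flows, and the cache size are configurable; an entry
   evicted because the cache is full is reported with "flowEndReason" 5
   (lack of resources), idle expiry with 1 and active expiry with 2,
   the values defined for that Information Element in [RFC5102].  Rates
   are derived from "octetDeltaCount", "packetDeltaCount" and the
   "flowStartMilliseconds"/"flowEndMilliseconds" of each input record:
   minimum and maximum are taken over the input records, the average
   over the aggregated interval, and an input record of zero duration
   is treated as lasting one millisecond, which is an assumption of
   this example.  Timestamps are passed in explicitly rather than read
   from the clock so that the behaviour is reproducible.

```python
from collections import OrderedDict

# flowEndReason values from RFC 5102.
IDLE_TIMEOUT, ACTIVE_TIMEOUT, LACK_OF_RESOURCES = 1, 2, 5


def make_record(src, dst, start_ms, end_ms, octets, packets):
    """Constructed input Flow Record using RFC 5102 IE names."""
    return {"sourceIPv4Address": src, "destinationIPv4Address": dst,
            "flowStartMilliseconds": start_ms, "flowEndMilliseconds": end_ms,
            "octetDeltaCount": octets, "packetDeltaCount": packets}


class AggregationCache:
    """Aggregates input Flow Records by key and expires them under the three
    conditions of Section 4.5.  All times are milliseconds, caller-supplied."""

    def __init__(self, key_fields, idle_timeout_ms, active_timeout_ms, max_entries):
        self.key_fields = tuple(key_fields)
        self.idle_timeout_ms = idle_timeout_ms      # condition 1, configurable
        self.active_timeout_ms = active_timeout_ms  # condition 3, configurable
        self.max_entries = max_entries              # condition 2, resource limit
        self.cache = OrderedDict()  # key -> entry, least recently updated first

    def add(self, record, now_ms):
        """Merge one input record.  Returns records expired to make room."""
        expired = []
        key = tuple(record[f] for f in self.key_fields)
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.max_entries:
                # Resource constraint: prematurely expire the least recently
                # updated entry instead of dropping the new record.
                expired.append(self._export(next(iter(self.cache)), LACK_OF_RESOURCES))
            entry = {"key": dict(zip(self.key_fields, key)), "first_seen": now_ms,
                     "start": record["flowStartMilliseconds"],
                     "end": record["flowEndMilliseconds"], "octets": 0, "packets": 0,
                     "min_bps": float("inf"), "max_bps": 0.0,
                     "min_pps": float("inf"), "max_pps": 0.0}
            self.cache[key] = entry
        # Per-record rates; a zero-length record is assumed to last 1 ms.
        duration_ms = max(record["flowEndMilliseconds"] - record["flowStartMilliseconds"], 1)
        bps = record["octetDeltaCount"] * 8 * 1000 / duration_ms
        pps = record["packetDeltaCount"] * 1000 / duration_ms
        entry["octets"] += record["octetDeltaCount"]
        entry["packets"] += record["packetDeltaCount"]
        entry["start"] = min(entry["start"], record["flowStartMilliseconds"])
        entry["end"] = max(entry["end"], record["flowEndMilliseconds"])
        entry["min_bps"], entry["max_bps"] = min(entry["min_bps"], bps), max(entry["max_bps"], bps)
        entry["min_pps"], entry["max_pps"] = min(entry["min_pps"], pps), max(entry["max_pps"], pps)
        entry["last_update"] = now_ms
        self.cache.move_to_end(key)
        return expired

    def expire(self, now_ms):
        """Apply the idle and active timeouts; call this periodically."""
        expired = []
        for key, entry in list(self.cache.items()):
            if now_ms - entry["last_update"] >= self.idle_timeout_ms:
                expired.append(self._export(key, IDLE_TIMEOUT))
            elif now_ms - entry["first_seen"] >= self.active_timeout_ms:
                expired.append(self._export(key, ACTIVE_TIMEOUT))
        return expired

    def _export(self, key, reason):
        """Remove an entry and build the aggregated Flow Record for export."""
        e = self.cache.pop(key)
        duration_ms = max(e["end"] - e["start"], 1)
        rec = dict(e["key"])
        rec.update({
            "flowStartMilliseconds": e["start"], "flowEndMilliseconds": e["end"],
            "octetDeltaCount": e["octets"], "packetDeltaCount": e["packets"],
            "averageBitRate": e["octets"] * 8 * 1000 / duration_ms,
            "minimumBitRate": e["min_bps"], "maximumBitRate": e["max_bps"],
            "averagePacketsRate": e["packets"] * 1000 / duration_ms,
            "minimumPacketsRate": e["min_pps"], "maximumPacketsRate": e["max_pps"],
            "flowEndReason": reason,
        })
        return rec
```

   Exporting "flowEndReason" with the aggregated record lets the
   downstream Collector tell a Flow that genuinely went idle from one
   the Mediator had to evict under memory pressure, which otherwise
   looks like a sudden drop in that customer's traffic.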

4.7.  Examples

   As an example, when Intermediate Processes have different functions,
   a Collecting Process/IPFIX File Reader replicates Flow Records/Packet
   Reports, if necessary, and forwards them to a suitable Intermediate
   Process/Exporting Process.  An example is shown in Figure F below.

                        IPFIX           IPFIX               IPFIX
                          ^               ^                   ^
                          |               |                   |
    .------------.  .-----+-------. .-----+-------.    .------+------.
    | IPFIX File |  | Exporting   | | Exporting   |    | Exporting   |
    |  Writer    |  |  Process {i}| |  Process {j}|....|  Process {n}|
    '-----^-^----'  '-----^-------' '-----^-------'    '------^------'
          | |             |               |                   |
          | +-------------+               |             Flow Records
          |          Flow Records / Packet Reports            |
          |        .------+-------. .-----+--------.   .------+-------.
          |        | Intermediate | | Intermediate |   | Intermediate |
          |        |  Process {l} | |  Process {m} |   |  Process {p} |
          |        |              | |              |...|              |
          |        |  Flow-based  | |  Flow-based  |   |              |
          |        |   Collector  | |   Collector  |   |              |
          |        |   Selection  | |   Selection  |   |              |
     Flow Records  |      ^       | |      ^       |   |              |
          |        |      |       | |      |       |   |              |
          |        |  Correlation | |  Modification|   |  Modification|
          |        |      ^       | |      ^       |   |      ^       |
          |        |      |       | |      |       |   |      |       |
          |        |  Selection   | |  Aggregation |...|  Selection   |
          |        |      ^       | |     ^ ^      |   |      ^       |
          |        '------|-------' '-----|-|------'   '------|-------'
          |               |               | |                 |
          |               +---------------+ |           Flow Records
          |               |                 |                 |
          |          Flow Records / Packet Reports            |
   .------+------. .------+------.   .------+------.    .-----+------.
   | Collecting  | | Collecting  |   | Collecting  |    | IPFIX File |
   |  Process {i}| |  Process {j}|...|  Process {n}|    |  Reader    |
   '------^------' '------^------'   '------^------'    '------------'
          |               |                 |
        IPFIX           IPFIX             IPFIX

   Figure F: Functional Block Examples for IPFIX Mediator.

5.  Security Considerations

   IPFIX Mediators use the IPFIX protocol, so the security
   considerations for Flow Records in [RFC5101] apply both to the
   records a Mediator receives and to the records it exports.  A
   Mediator that forwards Flow Records/Packet Reports to a Collecting
   Process in another domain, or to a VPN customer, is the point at
   which internal topology and private information would leave the
   domain.  The Modification function (deletion of topology-related
   Information Elements such as "ipNextHopIPv4Address" and
   "bgpNextHopIPv4Address", and anonymization of customer addresses and
   ports) should therefore be applied before such export, and the
   anonymization method should be reported as subsidiary information so
   that the receiver can interpret the modified values.

6.  IANA Considerations

   This document has no actions for IANA.

7.  References

7.1.  Normative References

   [I-D.ietf-ipfix-architecture]
              Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
              "Architecture for IP Flow Information Export",
              draft-ietf-ipfix-architecture-12.txt (work in progress),
              September 2006.

   [I-D.ietf-psamp-framework]
              Duffield, N., "A Framework for Packet Selection and
              Reporting", draft-ietf-psamp-framework-13.txt (work in
              progress), June 2008.

   [I-D.ietf-psamp-info]
              Dietz, T., Claise, B., Aitken, P., Dressler, F., and G.
              Carle, "Information Model for Packet Sampling Exports",
              draft-ietf-psamp-info-11.txt (work in progress),
              October 2008.

   [I-D.ietf-psamp-protocol]
              Claise, B., Quittek, J., and A. Johnson, "Packet Sampling
              (PSAMP) Protocol Specifications",
              draft-ietf-psamp-protocol-09.txt (work in progress),
              December 2007.

   [RFC3917]  Quittek, J., Zseby, T., Claise, B., and S. Zander,
              "Requirements for IP Flow Information Export (IPFIX)",
              RFC 3917, October 2004.

   [RFC5101]  Claise, B., "Specification of the IP Flow Information
              Export (IPFIX) Protocol for the Exchange of IP Traffic
              Flow Information", RFC 5101, January 2008.

   [RFC5102]  Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
              Meyer, "Information Model for IP Flow Information Export",
              RFC 5102, January 2008.

7.2.  Informative References

   [I-D.boschi-ipfix-anon]
              Boschi, E. and B. Trammell, "IP Flow Anonymisation
              Support", draft-boschi-ipfix-anon-01.txt (work in
              progress), July 2008.

   [I-D.dressler-ipfix-aggregation]
              Dressler, F., Sommer, C., Munz, G., and A. Kobayashi,
              "IPFIX Aggregation",
              draft-dressler-ipfix-aggregation-05.txt (work in
              progress), July 2008.

   [I-D.ietf-ipfix-file]
              Trammell, B., Boschi, E., Mark, L., Zseby, T., and A.
              Wagner, "An IPFIX-Based File Format",
              draft-ietf-ipfix-file-03.txt (work in progress),
              October 2008.

   [I-D.ietf-ipfix-mediator-ps]
              Kobayashi, A., Nishida, H., Sommer, C., Dressler, F.,
              Stephan, E., and B. Claise, "IPFIX Mediation: Problem
              Statement",
              draft-ietf-ipfix-mediation-problem-statement-01.txt (work
              in progress), September 2008.

   [I-D.peluso-flowselection]
              Peluso, L., Zseby, T., D'Antonio, S., and M. Molina, "Flow
              selection Techniques",
              draft-peluso-flowselection-tech-01.txt (work in progress),
              November 2007.


Appendix A.  Acknowledgements

   The authors gratefully acknowledge the contributions of

   Keisuke Ishibashi,
   Tsuyoshi Kondoh, and
   Daisuke Matsubara.


Authors' Addresses

   Atsushi Kobayashi
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-cho
   Musashino-shi, Tokyo  180-8585
   Japan

   Phone: +81-422-59-3978
   Email: akoba@nttv6.net


   Haruhiko Nishida
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-cho
   Musashino-shi, Tokyo  180-8585
   Japan

   Phone: +81-422-59-3978
   Email: nishida.haruhiko@lab.ntt.co.jp


   Benoit Claise
   Cisco Systems
   De Kleetlaan 6a b1
   Diegem  1831
   Belgium

   Phone: +32 2 704 5622
   Email: bclaise@cisco.com


Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.
