IPFIX Working Group A. Kobayashi
Internet-Draft H. Nishida
Intended status: Informational NTT PF Lab.
Expires: August 15, 2009 B. Claise
Cisco Systems
February 11, 2009
IPFIX Mediation: Framework
draft-ietf-ipfix-mediators-framework-02
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 15, 2009.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Kobayashi, et al. Expires August 15, 2009 [Page 1]
Internet-Draft IPFIX Mediation Framework February 2009
Abstract
This document describes a framework for IPFIX Mediation. This
framework details the IPFIX Mediation reference model and the
components of an IPFIX Mediator.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology and Definition . . . . . . . . . . . . . . . . . . 4
3. IPFIX/PSAMP Documents Overview . . . . . . . . . . . . . . . . 6
3.1. IPFIX Documents Overview . . . . . . . . . . . . . . . . . 6
3.2. PSAMP Documents Overview . . . . . . . . . . . . . . . . . 6
4. IPFIX Mediation Reference Model . . . . . . . . . . . . . . . 7
5. IPFIX Mediation Functional and Logical Blocks . . . . . . . . 10
5.1. Collecting Process . . . . . . . . . . . . . . . . . . . . 10
5.2. Exporting Process . . . . . . . . . . . . . . . . . . . . 10
5.3. Intermediate Process . . . . . . . . . . . . . . . . . . . 10
5.3.1. Selection Function . . . . . . . . . . . . . . . . . . 10
5.3.2. Aggregation Function . . . . . . . . . . . . . . . . . 12
5.3.3. Correlation Function . . . . . . . . . . . . . . . . . 13
5.3.4. Modification Function . . . . . . . . . . . . . . . . 14
5.4. IPFIX File Writer/Reader . . . . . . . . . . . . . . . . . 15
5.5. Flow Expiration . . . . . . . . . . . . . . . . . . . . . 16
5.6. Information Model . . . . . . . . . . . . . . . . . . . . 17
5.7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 17
6. Security Considerations . . . . . . . . . . . . . . . . . . . 19
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
8.1. Normative References . . . . . . . . . . . . . . . . . . . 21
8.2. Informative References . . . . . . . . . . . . . . . . . . 22
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
Kobayashi, et al. Expires August 15, 2009 [Page 2]
Internet-Draft IPFIX Mediation Framework February 2009
1. Introduction
IPFIX Mediation has two classes of mediation: context mediation for
traffic data and transport mediation for transport protocols that do
not affect content. Context mediation aggregates, correlates,
filters, or modifies Data Records. Transport mediation changes the
transport protocol that carries IPFIX Messages. This document
describes the framework for IPFIX Mediation. The motivation for the
IPFIX Mediation standard comes from the need for functional blocks
supporting IP traffic growth, multifaceted traffic measurement, and a
heterogeneous environment, as described in detail in
[I-D.ietf-ipfix-mediator-ps]. The standard specification requires a
definition of IPFIX Mediation and IPFIX Mediator.
This document is organized as follows. Section 2 defines terminology
related to IPFIX Mediation. Section 3 describes a high level
reference model. Section 4 details the components of the IPFIX
Mediator.
Kobayashi, et al. Expires August 15, 2009 [Page 3]
Internet-Draft IPFIX Mediation Framework February 2009
2. Terminology and Definition
The terms in this section are in line with those in the IPFIX
Protocol specifications [RFC5101] and the PSAMP specification
document [I-D.ietf-psamp-protocol]. The terms Observation Point,
Observation Domain, Flow Key, Flow Record, Exporting Process,
Exporter, IPFIX Device, Collecting Process, Collector, IPFIX Message,
Metering Process, and Information Element are defined in the IPFIX
protocol specifications [RFC5101], the term Packet Report is defined
in the PSAMP specification document [I-D.ietf-psamp-protocol], and
the terms IPFIX Mediation, IPFIX Mediator, Original Exporter, IPFIX
Proxy, IPFIX Concentrator, IPFIX Distributor, IPFIX Masquerading
Proxy are defined in the IPFIX Mediation problem statement document
[I-D.ietf-ipfix-mediator-ps]. Additional terms required for the
IPFIX Mediation are defined here. All these terms have an initial
capital letter in this document.
Intermediate Process
An Intermediate Process generates new sets of Data Records/
Template Records from input Data Records/Template Records.
Mediator Observation Domain
A Mediator Observation Domain indicates the largest set of
Observation Points from the viewpoint of a Collector, and a
Mediator Observation Domain ID is used in an IPFIX Message header,
such as the Observation Domain ID in [RFC5101]. However, the
Mediator Observation Domain ID may not indicate the physical
entity of an Original Exporter. For example, the value may
indicate the set of Exporters or set of line cards in an Exporter.
The Mediator Observation Domain ID is 0 when an IPFIX Masquerading
Proxy screens out the Mediator Observation Domain ID.
[Note]
[RFC5101] mentions that the Observation Domain ID should be 0 when
no specific Observation Domain ID is relevant for the entire IPFIX
Message, in the case of a hierarchy of Collectors when aggregated
Data Records are exported. However, even in the case of
aggregation, the IPFIX Mediator can set a meaningful value. This
shows the conflict between Observation Domain ID and Mediator
Observation Domain ID.
Transport Session Information
The Transport Session is specified in [RFC5101]. In SCTP, the
Transport Session Information is the SCTP association. In TCP and
UDP, the Transport Session Information corresponds to a 5-tuple
Kobayashi, et al. Expires August 15, 2009 [Page 4]
Internet-Draft IPFIX Mediation Framework February 2009
{Exporter IP address, Collector IP address, Exporter transport
port, Collector transport port, and transport protocol}.
Kobayashi, et al. Expires August 15, 2009 [Page 5]
Internet-Draft IPFIX Mediation Framework February 2009
3. IPFIX/PSAMP Documents Overview
3.1. IPFIX Documents Overview
The IPFIX protocol [RFC5101] provides network administrators with
access to IP flow information. The architecture for the export of
measured IP flow information out of an IPFIX Exporting Process to a
Collecting Process is defined in [I-D.ietf-ipfix-architecture], per
the requirements defined in [RFC3917]. The IPFIX protocol [RFC5101]
specifies how IPFIX Data Records and Templates are carried via a
number of transport protocols from IPFIX Exporting Processes to IPFIX
Collecting Processes. IPFIX has a formal description of IPFIX
Information Elements, their names, types, and additional semantic
information, as specified in [RFC5102]. [I-D.ietf-ipfix-mib]
specifies the IPFIX Management Information Base. Finally,
[I-D.ietf-ipfix-as] describes what types of applications can use the
IPFIX protocol and how they can use the information provided. It
furthermore shows how the IPFIX framework relates to other
architectures and frameworks. The storage of IPFIX Messages in a
file is specified in [I-D.ietf-ipfix-file].
3.2. PSAMP Documents Overview
The framework for packet selection and reporting
[I-D.ietf-psamp-framework] enables network elements to select subsets
of packets by statistical and other methods and to export a stream of
reports on the selected packets to a Collector. The set of packet
selection techniques (sampling, filtering, and hashing) standardized
by PSAMP is described in [I-D.ietf-psamp-sample-tech]. The PSAMP
protocol [I-D.ietf-psamp-protocol] specifies the export of packet
information from a PSAMP Exporting Process to a Collector. Like
IPFIX, PSAMP has a formal description of its Information Elements,
their names, types, and additional semantic information. The PSAMP
information model is defined in [I-D.ietf-psamp-info].
[I-D.ietf-psamp-mib] describes the PSAMP Management Information Base.
Kobayashi, et al. Expires August 15, 2009 [Page 6]
Internet-Draft IPFIX Mediation Framework February 2009
4. IPFIX Mediation Reference Model
The figure below shows the high-level reference model for IPFIX
Mediation based on [I-D.ietf-ipfix-architecture]. This figure covers
the various possible scenarios that can exist in an IPFIX measurement
system.
+---------------------------+ +---------------------------+
| Collector {l} | | Collector {k} |
|[*Application(s)] | |[*Application(s)] |
|[Collecting Process(es)] |....|[Collecting Process(es)] |
+---------------------------+ +---------------------------+
^ ^ ^ ^
| | | |
| +------....----+ |
| | |
IPFIX (Flow Records / Packet Reports)
| | |
+----------------+----+-----+ +-------+-------------------+
|IPFIX Mediator {j} | |IPFIX Mediator {n} |
|[*Applications(s)] | |[*Applications(s)] |
|[Exporting Process(es)] | |[Exporting Process(es)] |
|[Intermediate Process(es)] |....|[Intermediate Process(es)] |
|[Collecting Process(es)] | |[Collecting Process(es)] |
+---------------------------+ +---------------------------+
^ ^ ^
| | |
| +------....-----+
| |
IPFIX (Flow Records / Packet Reports)
| |
+----------------+----------+ +----+----------------------+
|IPFIX Original Exporter {i}| |IPFIX Original Exporter {m}|
|[Exporting Process(es)] | |[Exporting Process(es)] |
|[Metering Process(es)] |....|[Metering Process(es)] |
|[Observation Point(s)] | |[Observation Point(s)] |
+---------------------------+ +---------------------------+
^ ^ ^ ^
| | | |
Packets coming to Observation Points
Figure A: Reference Model for IPFIX Mediation.
The various functional components are indicated within brackets [].
The functional components within [*] are not part of this document
Kobayashi, et al. Expires August 15, 2009 [Page 7]
Internet-Draft IPFIX Mediation Framework February 2009
and [I-D.ietf-ipfix-architecture].
The figure below shows the basic IPFIX Mediator component model. The
IPFIX Mediator is formally defined as consisting of one or more
Collecting Processes, zero or more Intermediate Processes, and one or
more Exporting Processes. Basically, the IPFIX Mediator devices,
i.e., IPFIX Proxy, IPFIX Masquerading Proxy, IPFIX Distributor, and
IPFIX Concentrator, described in [I-D.ietf-ipfix-mediator-ps] are
composed of these components.
IPFIX (Flow Records / Packet Reports)
^
^ |
+------------------------|-|---------------------+
| IPFIX Mediator | | |
| | | |
| .---------------------|-+-------------------. |
| .----------------------+--------------------.| |
| | Exporting Process(es) |' |
| '----------------------^--------------------' |
| | | |
| .---------------------|-+-------------------. |
| .----------------------+--------------------.| |
| | Intermediate Process(es) (optional) |' |
| '----------------------^--------------------' |
| | | |
| .---------------------|-+-------------------. |
| .----------------------+--------------------.| |
| | Collecting Process(es) |' |
| '----------------------^--------------------' |
+------------------------|-|---------------------+
|
IPFIX (Flow Records / Packet Reports)
Figure B: IPFIX Mediator Basic Component Model.
An Original Exporter with an IPFIX Mediation is modeled as follows.
Kobayashi, et al. Expires August 15, 2009 [Page 8]
Internet-Draft IPFIX Mediation Framework February 2009
IPFIX (Flow Records / Packet Reports)
^ ^
+---------------------------|-|------------------------+
| Original Exporter | | |
| | | |
| .---------------------|-+-------------------. |
| .----------------------+--------------------.| |
| | Exporting Process(es) |' |
| '----------------------^--------------------' |
| | | |
| .---------------------|-+-------------------. |
| .----------------------+--------------------.| |
| | Intermediate Process(es) |' |
| '---------^-----------------------^---------' |
| |Flow Record or | |
| | Packet Reports | |
| .------------+----------. .---------+-------------. |
| | Metering Process {i} |..| Metering Process {n} | |
| '------------^----------' '---------^-------------' |
| | | |
| .------------+----------. .---------+-------------. |
| | Observation Point {i} |..| Observation Point {n} | |
| '------------^----------' '---------^-------------' |
+--------------|-----------------------|---------------+
| |
Packets coming to Observation Points
Figure C: Component Model for Original Exporter with Mediation.
Kobayashi, et al. Expires August 15, 2009 [Page 9]
Internet-Draft IPFIX Mediation Framework February 2009
5. IPFIX Mediation Functional and Logical Blocks
This section describes the details of each component and examples
applicable to that component for IPFIX Mediation and IPFIX Mediators.
5.1. Collecting Process
The Collecting Processes described in [RFC5101] receive Data Records
with information relating to their treatment in the Metering Process
and Exporting Process in the Original Exporter, such as sampling
rate, IPFIX Message header information, and Transport Session
Information. The Collecting Processes transmit the set of data to
multiple components: Intermediate Processes and Exporting Processes.
In other words, the processes may duplicate received Data Records and
transmit them to multiple components in sequence or in parallel.
5.2. Exporting Process
The Exporting Processes described in [RFC5101] transmit Data Records
to one or multiple Collectors. The processes manage the reporting
Template and create IPFIX Messages.
5.3. Intermediate Process
The Intermediate Processes generate new sets of Data Records from
input Data Records with context information collected by the
Collecting Process that includes the "Export Time" and "Observation
Domain ID" included in IPFIX Message headers. The processes host one
of several functions defined below or a combination of them, in any
sequence or in any set. In the case of a combination, the output of
each function can be the input of other functions. The following
subsections show the details of each function.
5.3.1. Selection Function
The Selection Function determines which input Data Records are
selected by matching them under a filtering policy and then transmits
them to the next processes or functions. The function is similar to
the Selection Process described in [I-D.ietf-psamp-sample-tech]. The
function covers several selection techniques, such as property match
filtering and sampling. In property match filtering, if the value of
a specified Information Element equals a configured value, the
function selects a Data Record to transmit.
The combination of the Selection Functions and other functions
provides some useful applications.
Kobayashi, et al. Expires August 15, 2009 [Page 10]
Internet-Draft IPFIX Mediation Framework February 2009
Data-based Collector Selection
The combination of one or multiple Selection Functions and
Exporting Processes can determine to which Collector input Data
Records are exported. Applicable examples include exporting Data
Records to a dedicated Collector on the basis of customer or
organization peering. For example, selectors select Data Records
on the basis of a peering AS number, as shown in the following
figure. The set of Data Records is exported to a dedicated
Collector on the basis of the peering AS number.
.----------------------.
| Intermediate Process | +----------------+
| | | Exporting |
| +- Selection #1 ------->| Process #1 |--> Collector #1
Data | | Peering AS #10 | '-----------------'
Record| | | +----------------+
--------+- Selection #2 ------->| Exporting |--> Collector #2
| | Peering AS #20 | | Process #2 |
| | | '----------------'
| | | +----------------+
| +- Selection #1 ------->| Exporting |--> Collector #3
| Peering AS #30 | | Process #3 |
'----------------------' '----------------'
Figure D: Exporting classified Data Records to dedicated
Collector.
Flow Selection and Aggregation
The combination of one or multiple Selection Functions and
Aggregation Functions can efficiently reduce the amount of Flow
Records. For example, a selector selects small Flows consisting
of a small number of packets and then transmits them to the
Aggregation Function. Another selector selects other Flows and
then transmits them to the Exporting Process, as shown in the
following figure. This results in aggregation based on the
distribution of the number of packets per Flow.
Kobayashi, et al. Expires August 15, 2009 [Page 11]
Internet-Draft IPFIX Mediation Framework February 2009
.-------------------------------------+ +-------------------+
| Intermediate Process | | Exporting Process |
| | | |
Data | +- Selection #1 -----> Aggregation ---->| |
Record| | packetDeltaCount <= 5 | | |
--------+ | | |
| | | | |
| +- Selection #2 ----------------------->| |
| packetDeltaCount > 5 | | |
'-------------------------------------' '-------------------'
Figure E: Flow Selection and Aggregation
5.3.2. Aggregation Function
The Aggregation Function creates aggregated Flow Records from input
Flow Records/Packet Reports. The aggregation method is divided into
three types.
Flow Key Field Selection
Decreasing the number of fields considered as Flow Keys, such as
three, two, or one Flow Key field, creates more aggregated Flow
Records. The function gathers Data Records within a given
interval time and then merges the Data Records that have common
properties. If the values of given Flow Key fields are the same,
that means those Data Records have common properties, and the
function merges them in accordance with the aggregation policy.
In addition, the function can create statistical data and
subsidiary information related to the aggregated Flow Records.
Examples include the number of input Data Records, the given
interval time, and a new set of Flow Keys.
Time Composition
Time composition is defined as aggregation of Flow Records with
identical Flow Key values within a given interval time. The
function may also compute Flow Records statistics, such as the
maximum, and minimum values of each counter. The statistics
enable the visualization of the behavior of traffic volume over a
long time period. The function provides some advantages.
* reducing the number of Flow Records for long-running Flows
* computing the active time period for long-running Flows
Kobayashi, et al. Expires August 15, 2009 [Page 12]
Internet-Draft IPFIX Mediation Framework February 2009
* revealing the up-and-down traffic volume within an active time
Short period Flow Records created by configurating a short
active time, e.g., 1 or 10 sec, are merged within a certain
time period, e.g., 60 or 300 sec, at an IPFIX Mediator. While
merging, the IPFIX Mediator computes new metrics such as
maximum and minimum. It produces more precise maximum and
minimum values without increasing the number of Flow Records on
a Collector.
Space Composition
Space composition is defined as aggregation on a larger
Observation Domain or on a set of Observation Points. Generally,
Flow Key fields are included in a Flow Record. In that case,
other properties that are not included in a Flow Record, such as
the Exporter IP address or Observation Domain ID, become Flow Key
fields.
In addition, a group identifier indicating a spatial Observation
Domain can also become a new Flow Key. For example, a group can
indicate an area on an ISP network, or a link aggregation
interface composed of physical interfaces. The group can also
make a relation to a set of values of specified Information
Elements in the Flow Records by the configuring rule. After
converting from the values of specified Information Elements to
the group identifier, the function can create aggregated Flow
Records by a general aggregation process.
5.3.3. Correlation Function
The Correlation Function creates new metrics by evaluating the
correlation among sets of Flow Records/Packet Reports. These sets
can be Flow Records gathered during a certain period, a pair of
consecutive Packet Reports, or Packet Reports exported by different
Exporters indicating the same packet. After producing new metrics,
the function outputs Flow Records with the new metrics field.
Applicable examples are as follows.
o One way delay follows from the correlation of Packet Reports
exported from different Exporters on the path.
o Packet interval time, or jitter, follows the correlation of
consecutive Packet Reports exported from the same Exporter.
o Difference values follow the correlation of Flow Records observed
at ingress or egress interfaces. The values help to confirm the
result of a queueing or rate-limiting function.
Kobayashi, et al. Expires August 15, 2009 [Page 13]
Internet-Draft IPFIX Mediation Framework February 2009
o Average/maximum/minimum values follow the correlation of each in a
set of Flow Records.
5.3.4. Modification Function
The Modification Function modifies input Data Records without
changing their granularity. The function can add new Information
Elements, delete existing Information Elements, or modify the value
of specified Information Elements. If the function modifies the data
structure of an original Template, it also needs to modify the value
of the "flowKeyIndicator".
Adding specified Information Elements
The function obtains the value of a specified Information Element
and then adds it to Data Records. There are several methods to
obtain the value: retrieving the value from a database or
calculating the value on the basis of the value of other
Information Elements and received traffic data.
Applicable examples include adding derived packet property
parameters. Doing that can compensate for traditional exporting
devices or probes that are unable to add packet property
parameters. Therefore, Collectors do not need to recognize the
difference among implementations of routers from several vendors
or among Exporter types, such as router, switch, or probe.
Typical derived packet property parameters include the following.
* The "bgpNextHop{IPv4|IPv6}Address" described in [RFC5102]
indicates the egress router of a network domain. That is
useful for making a traffic matrix that covers the whole
network domain.
* The BGP community value indicates the same group of destination
or source IP addresses.
* The "mplsVpnRouteDistinguisher" described in [RFC5102], which
cannot be extracted from the core router in MPLS networks,
indicates the VPN customer's identification. Network operators
can monitor the traffic behavior of each customer by adding
"mplsVpnRouteDistinguisher" to Data Records.
Deleting specified Information Elements
This function deletes existing Information Elements according to
instruction rules, which indicate whether an Information Element
should be removed.
Kobayashi, et al. Expires August 15, 2009 [Page 14]
Internet-Draft IPFIX Mediation Framework February 2009
Applicable examples include hiding network topology information
and private information. In the case of IPFIX exporting across
domains, the function can avoid creating a vulnerability by
deleting unnecessary Information Elements. Examples of network
topology information include "ipNextHopIP{v4|v6}Address",
"bgpNextHopIP{v4|v6}Address", and "bgp{Next|
Prev}AdjacentAsNumber", described in [RFC5102]. In addition,
MPLS-related Information Elements, such as
"mplsLabelStackSection", are useless for the customers in the case
of feeding Flow Records/Packet Reports to VPN customers.
Modifying the value of specified Information Elements
This function modifies the value of specified Information
Elements.
Applicable examples include anonymizing customers' private
information, such as IP address and port number, according to a
privacy protection policy. The function may also report
anonymized fields and the anonymization method as subsidiary
information.
5.4. IPFIX File Writer/Reader
The IPFIX File Writer/Reader on an IPFIX Mediator complies with
[I-D.ietf-ipfix-file] as well. The IPFIX File Writer stores input
Data Records from any process in a file system. If received Data
Records include uninteresting Information Elements, the Modification
Function can delete these elements before the IPFIX File Writer
handles them.
In contrast, the IPFIX File Reader retrieves stored Data Records when
administrators want to retrieve past Data Records from a given time
period. If the data structure of output Data Records from the IPFIX
File Reader is different from what administrators want, the
Modification Function can modify the data structure.
The figure shows the IPFIX component model with an IPFIX File Writer/
Reader.
Kobayashi, et al. Expires August 15, 2009 [Page 15]
Internet-Draft IPFIX Mediation Framework February 2009
IPFIX (Flow Records / Packet Reports)
^
^ |
.----------------------|-+--------------------.
.-----------------------+---------------------.|
| Exporting Process(es) / IPFIX File Writer |'
'----^------------------^---------------------'
| | |
| .-------------|-+--------------------.
| .--------------+---------------------.|
| | Intermediate Process(es) |'
| '--------------^-^-------------------'
| | |
.---+------------------|-+--------------------.
.-----------------------+---------------------.|
| Collecting Process(es) / IPFIX File Reader |'
'-----------------------^---------------------'
|
IPFIX (Flow Records / Packet Reports)
Figure E: IPFIX Mediator Component Model with IPFIX File Writer/
Reader.
5.5. Flow Expiration
The Aggregation Function needs expiration conditions to export cached
Flow Records. These conditions are described in
[I-D.ietf-ipfix-architecture]. In the case of IPFIX Mediation, these
conditions are as follows.
o If there are no input Data Records belonging to a cached Flow for
a certain time period, aggregated Flow Records will expire. This
time period should be configurable at the Intermediate Process.
o If the IPFIX Mediator experiences resource constraints, aggregated
Flow Records may prematurely expire (e.g., lack of memory to store
Flow Records).
o For long-running Flows, the Intermediate Process should cause the
Flow to expire on a regular basis or based on an expiration
policy. This periodicity or expiration policy should be
configurable at the Intermediate Process.
The Correlation Function also needs similar expiration conditions.
However, when cached Flow Records prematurely expire and the function
cannot compute their correlation, cached Flow Records may be
discarded.
Kobayashi, et al. Expires August 15, 2009 [Page 16]
Internet-Draft IPFIX Mediation Framework February 2009
5.6. Information Model
IPFIX Mediation reuses the general information model from [RFC5102]
and from [I-D.ietf-psamp-info]. The Correlation Function uses the
additional Information Elements indicating the minimum and maximum
values for packet count and octet count.
5.7. Examples
As an example in the case of Intermediate Processes having different
functions, a Collecting Process/IPFIX File Reader replicates Data
Records, if necessary, and transmits them to a suitable Intermediate
Process/Exporting Process. An example figure is shown below.
Kobayashi, et al. Expires August 15, 2009 [Page 17]
Internet-Draft IPFIX Mediation Framework February 2009
IPFIX IPFIX IPFIX
^ ^ ^
| | |
.------------. .-----+-------. .-----+-------. .------+------.
| IPFIX File | | Exporting | | Exporting | | Exporting |
| Writer | | Process {i}| | Process {j}|....| Process {n}|
'-----^-^----' '-----^-------' '-----^-------' '------^------'
| | | | |
| +-------------+ | Flow Records
| Flow Records / Packet Reports |
| .------+-------. .-----+--------. .------+-------.
| | Intermediate | | Intermediate | | Intermediate |
| | Process {l} | | Process {m} | | Process {p} |
| | | | |...| |
| | Selection | | Selection | | |
Flow Records | ^ | | ^ | | |
| | | | | | | | |
| | Correlation | | Modification| | Modification|
| | ^ | | ^ | | ^ |
| | | | | | | | | |
| | Selection | | Aggregation |...| Selection |
| | ^ | | ^ ^ | | ^ |
| '------|-------' '-----|-|------' '------|-------'
| | | | |
| +---------------+ | Flow Records
| | | |
| Flow Records / Packet Reports |
.------+------. .------+------. .------+------. .-----+------.
| Collecting | | Collecting | | Collecting | | IPFIX File |
| Process {i}| | Process {j}|...| Process {n}| | Reader |
'------^------' '------^------' '------^------' '------------'
| | |
IPFIX IPFIX IPFIX
Figure F: Functional Block Examples for IPFIX Mediator.
Kobayashi, et al. Expires August 15, 2009 [Page 18]
Internet-Draft IPFIX Mediation Framework February 2009
6. Security Considerations
An IPFIX measurement system must also prevent the security threats
related to IPFIX Mediation that follow as well as the security
threats described in the security consideration section in [RFC5101].
o attacks against IPFIX Mediators
IPFIX Mediators need to prevent unauthorized access or denial-of-
service (DoS) attacks from untrusted public networks. One
solutions is that IPFIX Mediators host the packet filter function
to reject malicious packets at an outside interface.
o man-in-the-middle attacks by untrusted IPFIX Mediators
The Collector-Mediator-Exporter structure model would increase the
risk of man-in-the-middle attacks. One solutions is that IPFIX
Collectors and Exporters must verify trusted IPFIX Mediators to
prevent connection to untrusted IPFIX Mediators.
o configuration of IPFIX Mediation
In the case of IPFIX Distributors and IPFIX Masquerading Proxies,
an accidental misconfiguration and unauthorized access to
configuration data could lead to the crucial problem of disclosure
of confidential traffic data.
To eliminate these risks, IPFIX Mediators must provide the
authentication function for authorized administrators and the
facilities to help in tracing configuration changes to their
origin.
Kobayashi, et al. Expires August 15, 2009 [Page 19]
Internet-Draft IPFIX Mediation Framework February 2009
7. IANA Considerations
This document has no actions for IANA.
Kobayashi, et al. Expires August 15, 2009 [Page 20]
Internet-Draft IPFIX Mediation Framework February 2009
8. References
8.1. Normative References
[I-D.ietf-ipfix-architecture]
Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
"Architecture for IP Flow Information Export",
draft-ietf-I-D.ietf-ipfix-architectureitecture-12.txt(work
in progress) , September 2006.
[I-D.ietf-ipfix-as]
Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IPFIX
Applicability", draft-ietf-ipfix-as-12 (work in
progress) , June 2007.
[I-D.ietf-ipfix-mib]
Dietz, T., Claise, B., and A. Kobayashi, "Definitions of
Managed Objects for IP Flow Information Export",
draft-ietf-ipfix-mib-05 (work in progress) ,
November 2008.
[I-D.ietf-psamp-framework]
Duffield, N., "A Framework for Packet Selection and
Reporting", draft-ietf-psamp-framework-13.txt , June 2008.
[I-D.ietf-psamp-info]
Dietz, T., Claise, B., Aitken, P., Dressler, F., and G.
Carle, "Information Model for Packet Sampling Exports",
draft-ietf-psamp-info-11.txt (work in progress) ,
October 2008.
[I-D.ietf-psamp-mib]
Dietz, T. and B. Claise, "Definitions of Managed Objects
for Packet Sampling", draft-ietf-psamp-mib-06 (work in
progress) , June 2006.
[I-D.ietf-psamp-protocol]
Claise, B., Quittek, J., and A. Johnson, "Packet Sampling
(PSAMP) Protocol Specifications",
draft-ietf-psamp-protocol-09.txt , December 2007.
[I-D.ietf-psamp-sample-tech]
Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F.
Raspall, "Sampling and Filtering Techniques for IP Packet
Selection", draft-ietf-psamp-sample-tech-11.txt ,
July 2008.
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander,
Kobayashi, et al. Expires August 15, 2009 [Page 21]
Internet-Draft IPFIX Mediation Framework February 2009
"Requirements for IP Flow Information Export(IPFIX)",
October 2004.
[RFC5101] Claise, B., "Specification of the IP Flow Information
Export (IPFIX) Protocol for the Exchange of IP Traffic
Flow Information", January 2008.
[RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
Meyer, "Information Model for IP Flow Information Export",
January 2008.
8.2. Informative References
[I-D.ietf-ipfix-file]
Trammell, B., Boschi, E., Mark, L., Zseby, T., and A.
Wagner, "An IPFIX-Based File Format",
draft-ietf-ipfix-file-03.txt(work in progress) ,
October 2008.
[I-D.ietf-ipfix-mediator-ps]
Kobayashi, A., Nishida, H., Sommer, C., Dressler, F.,
Stephan, E., and B. Claise, "IPFIX Mediation: Problem
Statement",
draft-ietf-ipfix-mediation-problem-statement-02.txt(work
in progress) , September 2009.
Kobayashi, et al. Expires August 15, 2009 [Page 22]
Internet-Draft IPFIX Mediation Framework February 2009
Appendix A. Acknowledgements
The authors gratefully acknowledge the contributions of
Keisuke Ishibashi,
Tsuyoshi Kondoh, and
Daisuke Matsubara.
Kobayashi, et al. Expires August 15, 2009 [Page 23]
Internet-Draft IPFIX Mediation Framework February 2009
Authors' Addresses
Atsushi Kobayashi
NTT Information Sharing Platform Laboratories
3-9-11 Midori-cho
Musashino-shi, Tokyo 180-8585
Japan
Phone: +81-422-59-3978
Email: akoba@nttv6.net
Haruhiko Nishida
NTT Information Sharing Platform Laboratories
3-9-11 Midori-cho
Musashino-shi, Tokyo 180-8585
Japan
Phone: +81-422-59-3978
Email: nishida.haruhiko@lab.ntt.co.jp
Benoit Claise
Cisco Systems
De Kleetlaan 6a b1
Diegem 1831
Belgium
Phone: +32 2 704 5622
Email: bclaise@cisco.com
Kobayashi, et al. Expires August 15, 2009 [Page 24]
