One document matched: draft-ietf-ipfix-biflow-00.txt
IPFIX Working Group B. Trammell
Internet-Draft CERT/NetSA
Intended status: Informational E. Boschi
Expires: March 3, 2007 Hitachi Europe
August 30, 2006
Bidirectional Flow Export using IPFIX
draft-ietf-ipfix-biflow-00.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 3, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes an efficient method for exporting
bidirectional flow (Biflow) information using the IP Flow Information
Export (IPFIX) protocol, representing each Biflow using a single Flow
Record.
Trammell & Boschi Expires March 3, 2007 [Page 1]
Internet-Draft IPFIX Biflow Export August 2006
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Rationale and History . . . . . . . . . . . . . . . . . . . . 4
4. Biflow Semantics . . . . . . . . . . . . . . . . . . . . . . . 5
5. Direction Assignment . . . . . . . . . . . . . . . . . . . . . 7
6. Record Representation . . . . . . . . . . . . . . . . . . . . 8
6.1. Reverse Information Element Private Enterprise Number . . 8
6.2. Example . . . . . . . . . . . . . . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
9. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 12
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 13
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
11.1. Normative References . . . . . . . . . . . . . . . . . . . 13
11.2. Informative References . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
Intellectual Property and Copyright Statements . . . . . . . . . . 15
Trammell & Boschi Expires March 3, 2007 [Page 2]
Internet-Draft IPFIX Biflow Export August 2006
1. Introduction
Many flow analysis tasks benefit from association of the upstream and
downstream flows of a bidirectional communication, e.g., separating
answered and unanswered TCP requests, calculating round trip times,
etc. Metering processes that are not part of an asymmetric routing
infrastructure, especially those deployed within a single Observation
Domain through which bidirectional traffic flows, are well positioned
to observe bidirectional flows (Biflows). In such topologies, the
total resource requirements for Biflow assembly are often lower if
the Biflows are assembled at the Metering Process as opposed to the
Collecting Process. IPFIX requires only information model extensions
to be complete as a solution for exporting Biflow data.
To that end, we propose a Biflow export method using a single Flow
Record per Biflow in this document. This method requires additional
Information Elements to represent the reverse direction of each
biflow. This method is motivated by an exploration of other possible
methods of Biflow export using IPFIX; however, these methods have
important drawbacks, as discussed in the Rationale and History
section.
2. Terminology
Capitalized terms used in this document that are defined in the
Terminology section of the IPFIX Protocol draft
[I-D.ietf-ipfix-protocol] are to be interpreted as defined there.
The following additional terms are defined in terms of the protocol
document terminology.
Directional Key Field: A Directional Key Field is a single field in
a Flow Key as defined in the IPFIX Protocol draft
[I-D.ietf-ipfix-protocol] that is specifically associated with a
single endpoint of the flow. sourceIPv4Address and
destinationTransportPort are example common directional key
fields.
Non-directional Key Field: A Non-directional Key Field is a single
field within a Flow Key as defined in the IPFIX Protocol draft
[I-D.ietf-ipfix-protocol] that is not specifically associated with
either endpoint of the flow. protocolIdentifier is an example
common non-directional key field.
Uniflow (Unidirectional Flow): A Uniflow is a Flow as defined in
the IPFIX Protocol draft [I-D.ietf-ipfix-protocol], restricted
such that the Flow is composed only of packets sent from a single
endpoint to another single endpoint.
Trammell & Boschi Expires March 3, 2007 [Page 3]
Internet-Draft IPFIX Biflow Export August 2006
Biflow (Bidirectional Flow): A Biflow is a Flow as defined in the
IPFIX Protocol draft [I-D.ietf-ipfix-protocol], composed of
packets sent in both directions between two endpoints. A Biflow
is composed from two Uniflows such that:
1. each Non-directional Key Field of each Uniflow is identical to
its counterpart in the other, and
2. each Directional Key Field of each Uniflow is identical to its
reverse direction counterpart in the other
A Biflow contains two Non-Key Fields for each value it represents
associated with a single direction or endpoint: one for the
forward direction and one for the reverse direction, as defined
below.
Biflow Source: The source of a Biflow is the endpoint identified by
the source Directional Key Fields in the biflow.
Biflow Destination: The destination of a Biflow is the endpoint
identified by the destination Directional Key Fields in the
biflow.
Forward direction (of a Biflow): The direction of a Biflow composed
of packets sent by the Biflow Source. Values associated with the
forward direction of a Biflow are represented using normal
Information Elements. In other words, a Uniflow may be defined as
a Biflow having only a forward direction.
Reverse direction (of a Biflow): The direction of a Biflow composed
of packets sent by the Biflow Destination. Values associated with
the reverse direction of a Biflow are represented using reverse
Information Elements, as defined below.
Reverse Information Element: An Information Element defined as
corresponding to a normal Information Element, but associated with
the reverse direction of a Biflow.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Rationale and History
In selecting the Single Record Biflow export method described in this
document as the recommendation for bidirectional flow export using
IPFIX, we considered several other possible methods.
Trammell & Boschi Expires March 3, 2007 [Page 4]
Internet-Draft IPFIX Biflow Export August 2006
The first and most obvious would be simply to export biflows as two
uniflows adjacent in the record stream; a Collecting Process could
then reassemble them with minimal state requirements. However, this
has the drawbacks that it is merely an informal arrangement the
Collecting Process cannot rely upon, and that it is not bandwidth-
efficient, duplicating the export of flow key data in each uniflow
record.
We then considered the method outlined in Reducing Redundancy in
IPFIX and PSAMP Reports [I-D.boschi-ipfix-reducing-redundancy] for
reducing this bandwidth inefficiency. This would also formally link
the two uniflows into a single construct, by exporting the flow key
as Common Properties then exporting each direction's information as
Specific Properties. However, it would do so at the expense of
additional overhead to transmit the commonPropertiesId, and
additional state management requirements at both the Collecting and
Exporting Process.
A proposal was made on the IPFIX mailing list to use the Multiple
Information Element feature of the protocol to export forward and
reverse counters using identical Information Element in the same Flow
Record. In this approach, the first instance of a counter would
represent the forward direction, and the second instance of the same
counter would represent the reverse. This had the disadvantage of
conflicting with the presently defined semantics for these counters,
and was as such abandoned.
4. Biflow Semantics
As stated in the Terminology section above, a Biflow is simply a Flow
representing packets flowing in both directions between two endpoints
on a network. There are compelling reasons to treat Biflows as
single entities (as opposed to merely ad-hoc combinations of Uniflow
halves) within IPFIX. First, as most application-layer network
protocols are inherently bidirectional, a Biflow-based data model
more accurately represents the behavior of the network, and enables
easier application of flow data to answering interesting questions
about network behavior. Second, exporting Biflow data can result in
improved export efficiency by eliminating the duplication of Flow Key
data in an IPFIX message stream, and improve collection efficiency by
removing the burden of biflow matching from the Collecting Process
where possible.
Biflows are somewhat more semantically complicated than Uniflows.
First, when handling Uniflows, the semantics of "source" and
"destination" Information Elements are clearly defined by the
semantics of the underlying packet header data: the source
Trammell & Boschi Expires March 3, 2007 [Page 5]
Internet-Draft IPFIX Biflow Export August 2006
Information Elements represent the source header fields, and the
destination Information Elements represent the destination header
fields. When representing Biflows with single IPFIX Data Records,
the definitions of source and destination must be chosen more
carefully.
As in the Terminology section above, we define the Source of a Biflow
to be that identified by the source Directional Key Field(s), and the
Destination of the Biflow to be that identified by the destination
Directional Key Field(s). Note that, for IANA-registered Information
Elements or those defined by the IPFIX Information Model
[I-D.ietf-ipfix-info], Source Key Fields are represented by
Information Elements whose names begin with "source", and Destination
Key Fields are represented by Information Elements whose names begin
with "destination"; it is recommended that vendor-specific
information elements follow these conventions, as well.
Methods for assignment of Source and Destination by the Metering and
Exporting Processes are described in the following section.
As the Source and Destination of a Biflow are defined in terms of its
Directional Keys, Biflow values are also split info "forward" and
"reverse" directions. As in the Terminology section above, the
Forward direction of a Biflow is composed of packets sent by the
Biflow Source, and the Reverse direction of a Biflow is composed of
packets sent by the Destination. In other words, the two directions
of a Biflow may be roughly thought of as the two Uniflow halves that
were matched to compose the Biflow. A Biflow record, then, contains
each Flow Key record once, and both forward and reverse direction
information elements for each non-key field.
The Reverse direction values are represented by Reverse Information
Elements. The representation of these Reverse Information Elements
within Templates is detailed in section 5. A Flow Record may be
considered to be a Biflow Record by the Collecting Process if it
contains at least one Reverse Information Element AND at least one
Directional Key Field. Flow Records containing Reverse Information
Elements but no Directional Key Fields are illegal, and MUST be
dropped by the Collecting Process. The Collecting Process SHOULD log
the receipt of illegal Biflow Flow Records.
Note that since the IPFIX information model makes no distinction
between zeroes and null values, if a given flow has no reverse
direction, it may only be unambiguously represented as a Biflow Flow
Record if all its Reverse Information Elements are counters.
Exporting Processes SHOULD switch to a Template containing no Reverse
Information Elements when exporting flows without a reverse
direction.
Trammell & Boschi Expires March 3, 2007 [Page 6]
Internet-Draft IPFIX Biflow Export August 2006
By the definition of Observation Domain in section 2 of the IPFIX
Protocol draft [I-D.ietf-ipfix-protocol], Biflows may be composed
only of packets observed within the same Observation Domain. This
implies that Metering Processes that build Biflows out of Uniflow
halves must ensure that the two Uniflow halves were observed within
the same Observation Domain.
5. Direction Assignment
Metering Processes, where possible, SHOULD define the Biflow Source
to be the initiator of the Biflow, subject to the best effort of the
Metering Process. This can be roughly approximated by a Metering
Process observing packets in both directions simply assuming the
first packet seen in a given Biflow is the packet initiating the
flow. A Metering Process may improve upon this method by using
knowledge of the transport or application protocols (e.g., TCP flags,
DNS question/answer counts) to better approximate the flow-initiating
packet.
There are circumstances in which initiator direction assignment is
unavailable. For instance, when building flow records from sampled
or particularly lossy packet sources, the correlation between the
first packet seen and the first packet sent is broken. Also, when
assembling Biflows from Uniflows generated by Metering Processes only
capable of observing a single direction of traffic, for example a
Observation Point on a router line card in an asymmetric routing
infrastructure, the timestamp information available at biflow
assembly time may not be of sufficiently high precision or
synchronization to positively identify the first packet.
In such cases, the Metering Process MAY assign direction arbitrarily,
though it SHOULD be consistent in its choice of direction. Arbitrary
direction assignment MAY use Flow Key fields, for example the
interface number or source address, in order to maintain this
consistency. No facility is provided for the Metering Process or
Exporting Process to communicate whether arbitrary direction
assignment is in effect for a given Biflow or Observation Domain.
Regardless of the method used to assign direction, the Exporting
Process MAY export additional information about each Biflow (e.g.,
TCP flags information, high-precision timestamps) in order to assist
the Collecting Process in determining the flow initiator or revising
the Metering Process' estimate of the flow initiator.
Trammell & Boschi Expires March 3, 2007 [Page 7]
Internet-Draft IPFIX Biflow Export August 2006
6. Record Representation
As noted above, Biflows are exported using a single Flow Record, each
of which contains the Flow Key fields once, and both forward and
reverse direction information elements for each non-key field. The
IPFIX Information Model is extended to provide a "reverse"
Information Element counterpart to each presently defined "forward"
Information Element, as required by any Information Element that may
be a non-key field in a Biflow.
6.1. Reverse Information Element Private Enterprise Number
Reverse Information Elements are specified as a separate "dimension"
in the Information Element space, by having IANA assign a single
Private Enterprise Number (PEN) to this draft, and to define that PEN
to signify "IPFIX Reverse Information Element" (the Reverse PEN).
This reverse PEN would serve as a "reverse direction flag" in the
template; each Information Element number within this PEN space would
be assigned to the reverse counterpart of the corresponding IANA-
assigned public Information Element number. In other words, to
generate a reverse information element in a template corresponding to
a given forward information element, simply set the enterprise bit
and define the Information Element within the Reverse PEN space, as
in the figure below.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| flowStartSeconds 150 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
forward |
|
reverse V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1| (rev) flowStartSeconds 150 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reverse PEN TBA |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: Example Mapping between Forward and Reverse IEs using
Reverse PEN
As the Reverse Information Element dimension is treated explicitly as
such, new Information Elements can be added freely to the IANA-
managed space without concern for whether a reverse element should
also be added. Aside from the initial allocation of an enterprise
number for this purpose, there is no additional maintenance overhead
for supporting reverse information elements in the information model.
Trammell & Boschi Expires March 3, 2007 [Page 8]
Internet-Draft IPFIX Biflow Export August 2006
Note that certain Information Elements in the IPFIX Information Model
[I-D.ietf-ipfix-info] are not reversible; that is, they are
semantically meaningless as reverse Information Elements. A
Collecting Process MUST note the Information Element identifier of
any Information Element so used as a Reverse Information Element, and
MAY discard that Information Element from the Flow Record, as with
unassigned Information Elements as in section 9 of the IPFIX Protocol
draft [I-D.ietf-ipfix-protocol]. Non-reversible Information Elements
represent properties of the Biflow record as a whole, or are intended
for internal the use of the IPFIX Protocol itself. They therefore
cannot by definition be associated with a single direction or
endpoint of the flow.
The following specific Information Elements are not reversible:
1. Identifiers defined in section 5.1 of the Information Model which
cannot be associated with a single direction of Uniflow
collection: flowId (5.1.7), templateId (5.1.8),
observationDomainId (5.1.9), and commonPropertiesId (5.1.11).
2. Process configuration elements defined in section 5.2 of the
Information Model.
3. Process statistics elements defined in section 5.3 of the
Information Model.
4. paddingOctets (5.12.1).
Any future addition to the Information Element Registry by IANA which
meets the criteria defined above SHOULD also be considered to be non-
reversible by the Collecting Process.
Note that Information Elements commonly used as Flow Keys (e.g.
header fields defined in sections 5.4 and 5.5 of the Information
Model) are not necessarily non-reversible, as they may be used as
value fields in certain contexts, as when associating ICMP error
messages with the flows that caused them.
6.2. Example
The following example describes a biflow record as specified above.
The "IPFIX Reverse Information Element" PEN is assigned for the
purpose of differentiating forward from reverse information elements.
This private enterprise number is denoted as TBA, as it has not yet
been assigned by IANA (Cf. section 7).
The information exported in this case is:
Trammell & Boschi Expires March 3, 2007 [Page 9]
Internet-Draft IPFIX Biflow Export August 2006
o The start time of the flow: flowStartSeconds in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4 octets
o The reverse start time of the flow: flowStartSeconds in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4
octets, and the enterprise bit set to 1. The following PEN is the
Reverse PEN (not yet assigned, indicated with TBA in the draft)
o The IPv4 source IP address: sourceIPv4Address in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4 octets
o The IPv4 destination IP address:destinationIPv4Address in the
IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4
octets
o The source port: sourceTransportPort in the IPFIX Information
Model [I-D.ietf-ipfix-info], with a length of 2 octets
o The destination port: destinationTransportPort in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 2 octets
o The protocol identifier: protocolIdentifier in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 1 octet
o The number of octets of the Flow: octetTotalCount in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4 octets
o The reverse number of octets of the Flow: octetTotalCount in the
IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4
octets, and the enterprise bit set to 1. The following PEN is the
Reverse PEN (not yet assigned, indicated with TBA in the draft)
o The number of packets of the Flow: octetTotalCount in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4 octets
o The reverse number of packets of the Flow: octetTotalCount in the
IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4
octets, and the enterprise bit set to 1. The following PEN is the
Reverse PEN (not yet assigned, indicated with TBA in the draft)
and the resulting template would look like the diagram below:
Trammell & Boschi Expires March 3, 2007 [Page 10]
Internet-Draft IPFIX Biflow Export August 2006
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Set ID = 2 | Length = 64 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Template ID >= 256 | Field Count = 11 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| flowStartSeconds 150 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1| flowStartSeconds 150 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reverse PEN TBA |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| sourceIPv4Address 8 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| destinationIPv4Address 12 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| sourceTransportPort 7 | Field Length = 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| destinationTransportPort 11 | Field Length = 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| protocolIdentifier 4 | Field Length = 1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| octetTotalCount 85 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1| octetTotalCount 85 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reverse PEN TBA |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| packetTotalCount 86 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1| packetTotalCount 86 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reverse PEN TBA |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Single Record Biflow Template Set
The following example data record represents a typical HTTP
transaction. Its format is defined by the example template, above.
Trammell & Boschi Expires March 3, 2007 [Page 11]
Internet-Draft IPFIX Biflow Export August 2006
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Set ID >= 256 | Length = 41 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2006-02-01 17:00:00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2006-02-01 17:00:01 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 192.0.2.2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 192.0.2.3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 32770 | 80 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 6 | 18000 . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . | 128000 . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . | 65 . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . | 110 . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . |
+-+-+-+-+-+-+-+-+
Figure 3: Single Record Biflow Data Set
7. IANA Considerations
This document specifies the creation of a new dimension in the
information element space defined by the IPFIX Information Model
[I-D.ietf-ipfix-info]. This new dimension is defined by the
allocation of a new Private Enterprise Number (PEN). The Internet
Assigned Numbers Authority (IANA) is requested to allocate this PEN
and to assign it to this draft, with the draft authors as the point
of contact.
8. Security Considerations
The same security considerations as for the IPFIX Protocol
[I-D.ietf-ipfix-protocol] apply.
9. Open Issues
1. Consider adding deployment examples, showing where biflow
assembly would happen for single-metering process architectures
Trammell & Boschi Expires March 3, 2007 [Page 12]
Internet-Draft IPFIX Biflow Export August 2006
as well as for multiple-metering process architectures. Clarify
language about the benefits of assembling biflows as close to the
metering interface as possible.
2. Do we need a way to annotate how direction assignment was done?
That is, does the Collecting Process need a new IE saying "flows
from this odId have direction assigned by initiator", or the
like?
3. The arbitrary direction assignment method is not satisfactory as
a backup for initiator direction assignment. We must address how
to do direction assignment for biflows assembled from sampled or
lossy packet sources in a consistent way, that is compatible with
the realities of traffic on backbone links and routing across
transit ASs. This is a point for wider discussion within the
IPFIX Working Group.
10. Acknowledgments
We would like to thank Lutz Mark, Juergen Quittek, Andrew Johnson,
Paul Aitken, Benoit Claise, and Carsten Schmoll for their
contributions and comments. Special thanks to Michelle Cotton for
her assistance in navigating the IANA process for enterprise number
assignment.
11. References
11.1. Normative References
[I-D.ietf-ipfix-protocol]
Claise, B., "IPFIX Protocol Specification",
draft-ietf-ipfix-protocol-22 (work in progress),
June 2006.
[I-D.ietf-ipfix-info]
Quittek, J., "Information Model for IP Flow Information
Export", draft-ietf-ipfix-info-12 (work in progress),
June 2006.
11.2. Informative References
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander,
"Requirements for IP Flow Information Export (IPFIX)",
RFC 3917, October 2004.
[I-D.ietf-ipfix-as]
Trammell & Boschi Expires March 3, 2007 [Page 13]
Internet-Draft IPFIX Biflow Export August 2006
Zseby, T., "IPFIX Applicability", draft-ietf-ipfix-as-10
(work in progress), August 2006.
[I-D.boschi-ipfix-reducing-redundancy]
Boschi, E., "Reducing redundancy in IPFIX and PSAMP
reports", draft-boschi-ipfix-reducing-redundancy-02 (work
in progress), June 2006.
[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Authors' Addresses
Brian H. Trammell
CERT Network Situational Awareness
Software Engineering Institute
4500 Fifth Avenue
Pittsburgh, PA 15213
US
Phone: +1 412 268 9748
Email: bht@cert.org
Elisa Boschi
Hitachi Europe SAS
Immeuble Le Theleme
1503 Route les Dolines
06560 Valbonne
France
Phone: +33 4 89874100
Email: elisa.boschi@hitachi-eu.com
Trammell & Boschi Expires March 3, 2007 [Page 14]
Internet-Draft IPFIX Biflow Export August 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Trammell & Boschi Expires March 3, 2007 [Page 15]
| PAFTECH AB 2003-2026 | 2026-04-23 04:12:20 |