One document matched: draft-ietf-ipfix-biflow-04.txt
Differences from draft-ietf-ipfix-biflow-03.txt
IPFIX Working Group B. Trammell
Internet-Draft CERT/NetSA
Intended status: Informational E. Boschi
Expires: October 13, 2007 Hitachi Europe
April 11, 2007
Bidirectional Flow Export using IPFIX
draft-ietf-ipfix-biflow-04.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 13, 2007.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes an efficient method for exporting
bidirectional flow (Biflow) information using the IP Flow Information
Export (IPFIX) protocol, representing each Biflow using a single Flow
Record.
Trammell & Boschi Expires October 13, 2007 [Page 1]
Internet-Draft IPFIX Biflow Export April 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. IPFIX Documents Overview . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Rationale and History . . . . . . . . . . . . . . . . . . . . 5
4. Biflow Semantics . . . . . . . . . . . . . . . . . . . . . . . 6
5. Direction Assignment . . . . . . . . . . . . . . . . . . . . . 8
5.1. Direction by Initiator . . . . . . . . . . . . . . . . . . 8
5.2. Direction by Perimeter . . . . . . . . . . . . . . . . . . 9
5.3. Arbitrary Direction . . . . . . . . . . . . . . . . . . . 10
6. Record Representation . . . . . . . . . . . . . . . . . . . . 10
6.1. Reverse Information Element Private Enterprise Number . . 11
6.2. Enterprise-Specific Reverse Information Elements . . . . . 12
6.3. biflowDirection Information Element . . . . . . . . . . . 13
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
8. Security Considerations . . . . . . . . . . . . . . . . . . . 14
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.1. Normative References . . . . . . . . . . . . . . . . . . . 15
10.2. Informative References . . . . . . . . . . . . . . . . . . 15
Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . . 15
Appendix B. XML Specification of biflowDirection Information
Element . . . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
Intellectual Property and Copyright Statements . . . . . . . . . . 21
Trammell & Boschi Expires October 13, 2007 [Page 2]
Internet-Draft IPFIX Biflow Export April 2007
1. Introduction
Many flow analysis tasks benefit from association of the upstream and
downstream flows of a bidirectional communication, e.g., separating
answered and unanswered TCP requests, calculating round trip times,
etc. Metering processes that are not part of an asymmetric routing
infrastructure, especially those deployed within a single Observation
Domain through which bidirectional traffic flows, are well positioned
to observe bidirectional flows (Biflows). In such topologies, the
total resource requirements for Biflow assembly are often lower if
the Biflows are assembled at the Metering Process as opposed to the
Collecting Process. The IPFIX Protocol requires only information
model extensions to be complete as a solution for exporting Biflow
data.
To that end, we propose a Biflow export method using a single Flow
Record per Biflow in this document. We explore the semantics of
bidirectional flow data in section 4, Biflow Semantics; examine the
various possibilities for determining Biflow direction in the section
5, Direction Assignment; then define the Biflow export method in
section 6, Record Representation.
This export method requires additional Information Elements to
represent data values for the reverse direction of each biflow, and a
single additional Information Element to represent direction
assignment information, as described in sections 6.1 through 6.3.
The selection of this method was motivated by an exploration of other
possible methods of Biflow export using IPFIX; however, these methods
have important drawbacks, as discussed in section 3, Rationale and
History.
1.1. IPFIX Documents Overview
"Specification of the IPFIX Protocol for the Exchange of IP Traffic
Flow Information" [I-D.ietf-ipfix-protocol] (informally, the IPFIX
Protocol document) and its associated documents define the IPFIX
Protocol, which provides network engineers and administrators with
access to IP traffic flow information.
"Architecture for IP Flow Information Export"
[I-D.ietf-ipfix-architecture] (the IPFIX Architecture document)
defines the architecture for the export of measured IP flow
information out of an IPFIX Exporting Process to an IPFIX Collecting
Process, and the basic terminology used to describe the elements of
this architecture, per the requirements defined in "Requirements for
IP Flow Information Export" [RFC3917]. The IPFIX Protocol document
then covers the details of the method for transporting IPFIX data
records and templates via a congestion-aware transport protocol from
Trammell & Boschi Expires October 13, 2007 [Page 3]
Internet-Draft IPFIX Biflow Export April 2007
an IPFIX Exporting Process to an IPFIX Collecting Process.
"Information Model for IP Flow Information Export"
[I-D.ietf-ipfix-info] (informally, the IPFIX Information Model
document) describes the Information Elements used by IPFIX, including
details on Information Element naming, numbering, and data type
encoding. Finally, "IPFIX Applicability" [I-D.ietf-ipfix-as]
describes the various applications of the IPFIX protocol and their
use of information exported via IPFIX, and relates the IPFIX
architecture to other measurement architectures and frameworks.
This document references the Protocol and Architecture documents for
terminology, uses the IPFIX Protocol to define an bidirectional flow
export method, and proposes additions to the information model
defined in the IPFIX Information Model document.
2. Terminology
Capitalized terms used in this document that are defined in the
Terminology section of the IPFIX Protocol document
[I-D.ietf-ipfix-protocol] are to be interpreted as defined there.
The following additional terms are defined in terms of the protocol
document terminology.
Directional Key Field: A Directional Key Field is a single field in
a Flow Key as defined in the IPFIX Protocol document
[I-D.ietf-ipfix-protocol] that is specifically associated with a
single endpoint of the flow. sourceIPv4Address and
destinationTransportPort are example common directional key
fields.
Non-directional Key Field: A Non-directional Key Field is a single
field within a Flow Key as defined in the IPFIX Protocol document
[I-D.ietf-ipfix-protocol] that is not specifically associated with
either endpoint of the flow. protocolIdentifier is an example
common non-directional key field.
Uniflow (Unidirectional Flow): A Uniflow is a Flow as defined in
the IPFIX Protocol document [I-D.ietf-ipfix-protocol], restricted
such that the Flow is composed only of packets sent from a single
endpoint to another single endpoint.
Biflow (Bidirectional Flow): A Biflow is a Flow as defined in the
IPFIX Protocol document [I-D.ietf-ipfix-protocol], composed of
packets sent in both directions between two endpoints. A Biflow
is composed from two Uniflows such that:
Trammell & Boschi Expires October 13, 2007 [Page 4]
Internet-Draft IPFIX Biflow Export April 2007
1. each Non-directional Key Field of each Uniflow is identical to
its counterpart in the other, and
2. each Directional Key Field of each Uniflow is identical to its
reverse direction counterpart in the other
A Biflow contains two Non-Key Fields for each value it represents
associated with a single direction or endpoint: one for the
forward direction and one for the reverse direction, as defined
below.
Biflow Source: The source of a Biflow is the endpoint identified by
the source Directional Key Fields in the biflow.
Biflow Destination: The destination of a Biflow is the endpoint
identified by the destination Directional Key Fields in the
biflow.
Forward direction (of a Biflow): The direction of a Biflow composed
of packets sent by the Biflow Source. Values associated with the
forward direction of a Biflow are represented using normal
Information Elements. In other words, a Uniflow may be defined as
a Biflow having only a forward direction.
Reverse direction (of a Biflow): The direction of a Biflow composed
of packets sent by the Biflow Destination. Values associated with
the reverse direction of a Biflow are represented using reverse
Information Elements, as defined below.
Reverse Information Element: An Information Element defined as
corresponding to a normal Information Element, but associated with
the reverse direction of a Biflow.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Rationale and History
In selecting the Single Record Biflow export method described in this
document as the recommendation for bidirectional flow export using
IPFIX, we considered several other possible methods.
The first and most obvious would be simply to export biflows as two
uniflows adjacent in the record stream; a Collecting Process could
then reassemble them with minimal state requirements. However, this
has the drawbacks that it is merely an informal arrangement the
Trammell & Boschi Expires October 13, 2007 [Page 5]
Internet-Draft IPFIX Biflow Export April 2007
Collecting Process cannot rely upon, and that it is not bandwidth-
efficient, duplicating the export of flow key data in each uniflow
record.
We then considered the method outlined in Reducing Redundancy in
IPFIX and PSAMP Reports [I-D.ietf-ipfix-reducing-redundancy] for
reducing this bandwidth inefficiency. This would also formally link
the two uniflows into a single construct, by exporting the flow key
as Common Properties then exporting each direction's information as
Specific Properties. However, it would do so at the expense of
additional overhead to transmit the commonPropertiesId, and
additional state management requirements at both the Collecting and
Exporting Process.
A proposal was made on the IPFIX mailing list to use the Multiple
Information Element feature of the protocol to export forward and
reverse counters using identical Information Element in the same Flow
Record. In this approach, the first instance of a counter would
represent the forward direction, and the second instance of the same
counter would represent the reverse. This had the disadvantage of
conflicting with the presently defined semantics for these counters,
and, as such, was abandoned.
4. Biflow Semantics
As stated in the Terminology section above, a Biflow is simply a Flow
representing packets flowing in both directions between two endpoints
on a network. There are compelling reasons to treat Biflows as
single entities (as opposed to merely ad-hoc combinations of Uniflow
halves) within IPFIX. First, as most application-layer network
protocols are inherently bidirectional, a Biflow-based data model
more accurately represents the behavior of the network, and enables
easier application of flow data to answering interesting questions
about network behavior. Second, exporting Biflow data can result in
improved export efficiency by eliminating the duplication of Flow Key
data in an IPFIX message stream, and improve collection efficiency by
removing the burden of biflow matching from the Collecting Process
where possible.
Biflows are somewhat more semantically complicated than Uniflows.
First, when handling Uniflows, the semantics of "source" and
"destination" Information Elements are clearly defined by the
semantics of the underlying packet header data: the source
Information Elements represent the source header fields, and the
destination Information Elements represent the destination header
fields. When representing Biflows with single IPFIX Data Records,
the definitions of source and destination must be chosen more
Trammell & Boschi Expires October 13, 2007 [Page 6]
Internet-Draft IPFIX Biflow Export April 2007
carefully.
As in the Terminology section above, we define the Source of a Biflow
to be that identified by the source Directional Key Field(s), and the
Destination of the Biflow to be that identified by the destination
Directional Key Field(s). Note that, for IANA-registered Information
Elements or those defined by the IPFIX Information Model
[I-D.ietf-ipfix-info], Source Key Fields are represented by
Information Elements whose names begin with "source", and Destination
Key Fields are represented by Information Elements whose names begin
with "destination"; it is recommended that vendor-specific
information elements follow these conventions, as well.
Methods for assignment of Source and Destination by the Metering and
Exporting Processes are described in the following section.
As the Source and Destination of a Biflow are defined in terms of its
Directional Keys, Biflow values are also split info "forward" and
"reverse" directions. As in the Terminology section above, the
Forward direction of a Biflow is composed of packets sent by the
Biflow Source, and the Reverse direction of a Biflow is composed of
packets sent by the Destination. In other words, the two directions
of a Biflow may be roughly thought of as the two Uniflow halves that
were matched to compose the Biflow. A Biflow record, then, contains
each Flow Key record once, and both forward and reverse direction
information elements for each non-key field.
The Reverse direction values are represented by Reverse Information
Elements. The representation of these Reverse Information Elements
within Templates is detailed in section 5. A Flow Record may be
considered to be a Biflow Record by the Collecting Process if it
contains at least one Reverse Information Element AND at least one
Directional Key Field. Flow Records containing Reverse Information
Elements but no Directional Key Fields are illegal, and MUST be
dropped by the Collecting Process. The Collecting Process SHOULD log
the receipt of illegal Biflow Flow Records.
Note that since the IPFIX information model makes no distinction
between zeroes and null values, if a given flow has no reverse
direction, it may only be unambiguously represented as a Biflow Flow
Record if all its Reverse Information Elements are counters.
Exporting Processes SHOULD switch to a Template containing no Reverse
Information Elements when exporting flows without a reverse
direction.
By the definition of Observation Domain in section 2 of the IPFIX
Protocol document [I-D.ietf-ipfix-protocol], Biflows may be composed
only of packets observed within the same Observation Domain. This
Trammell & Boschi Expires October 13, 2007 [Page 7]
Internet-Draft IPFIX Biflow Export April 2007
implies that Metering Processes that build Biflows out of Uniflow
halves must ensure that the two Uniflow halves were observed within
the same Observation Domain.
5. Direction Assignment
Due to the variety of flow measurement applications and restrictions
on Metering Process deployment, one single method of assigning the
directions of a Biflow will not apply in all cases. The following
sections describe three methods of direction assignment, and
recommend them based upon Metering Process position and measurement
application requirements.
As the method selection is dependent on Metering Process position, it
is sufficient to configure the direction assignment method at
Collecting and Exporting Processes out-of-band. However, for
Exporting Processes that use multiple direction selection methods, or
for Collecting Processes accepting data from Exporting Processes
using a variety of methods, a biflowDirection Information Element is
provided for optional representation of direction assignment
information.
Regardless of the direction assignment method selected, the Exporting
Process MAY export additional information about each Biflow (e.g.,
TCP flags information, high-precision timestamps) in order to assist
the Collecting Process in determining the flow initiator or revising
the Metering Process' direction selection.
5.1. Direction by Initiator
If the measurement application requires the determination of the
initiator and responder of a given communication, the Metering
Process SHOULD define the Biflow Source to be the initiator of the
Biflow, where possible. This can be roughly approximated by a
Metering Process observing packets in both directions simply assuming
the first packet seen in a given Biflow is the packet initiating the
flow. A Metering Process may improve upon this method by using
knowledge of the transport or application protocols (e.g., TCP flags,
DNS question/answer counts) to better approximate the flow-initiating
packet.
Note that direction assignment by initiator is most easily done by a
single Metering Process positioned on a local link layer, or a single
Metering Process observing bidirectional packet flows at a symmetric
perimeter routing point. Note also that if Biflows are exported
after being matched among multiple Metering Processes, the clocks of
the Metering Processes MUST be synchronized such that the first
Trammell & Boschi Expires October 13, 2007 [Page 8]
Internet-Draft IPFIX Biflow Export April 2007
packet seen can be determined.
+-------+ +-------+
| N0 | | N1 |
+---+---+ +---+---+
| | +---------+
<===+=====+=====+======>+ access +<===> Internet
| | router |
+---+---+ +---------+
| MP |
+---+---+
Local Link Metering Process Position
+-------+ +-------+
| N0 | | N1 |
+---+---+ +---+---+
| | +---------+
<===+===========+======>+ access +<===> Internet
| router |
| +----+--+
+----+ MP |
+-------+
Symmetric Routing Point Metering Process Position
5.2. Direction by Perimeter
If the measurement application is deployed at a network perimeter,
such that there is a stable set of addresses that can be defined as
"inside" that perimeter, and there is no measurement application
requirement to determine the initiator and responder of a given
communication, then the Metering Process SHOULD assign the Biflow
Source to be the endpoint outside the perimeter.
No facility is provided for exporting the address set defining the
interior of a perimeter; this set may be deduced by the Collecting
Process observing the set of Biflow destination addresses.
Trammell & Boschi Expires October 13, 2007 [Page 9]
Internet-Draft IPFIX Biflow Export April 2007
+---------+
Local Net ====>+ access +====> Internet
| router |
+----+----+
|
+---+---+
| MP |
+---+---+
|
+----+----+
| access |
Local Net <====+ router +<==== Internet
+---------+
Perimeter Metering Process Position
5.3. Arbitrary Direction
If the measurement application is deployed in a network core, such
that there is no stable set of addresses defining a perimeter (e.g.,
due to BGP updates) and no requirement or ability to determine the
initiator or responder of a given communication, then the Metering
Process MAY assign the Biflow Source and Biflow Destination endpoints
arbitrarily.
In this case, the Metering Process SHOULD be consistent in its choice
of direction. Arbitrary direction assignment MAY use Flow Key
fields, for example the interface number, in order to maintain this
consistency.
|
V
+----+----+ +---------+
<===+ core | | core +===>
| router +<========>+ router |
===>+ +---+---+ | +<===
+-----+ MP | +----+----+
+-------+ |
V
Transit/Core Metering Process Position
6. Record Representation
As noted above, Biflows are exported using a single Flow Record, each
of which contains the Flow Key fields once, and both forward and
reverse direction information elements for each non-key field. The
Trammell & Boschi Expires October 13, 2007 [Page 10]
Internet-Draft IPFIX Biflow Export April 2007
IPFIX Information Model is extended to provide a "reverse"
Information Element counterpart to each presently defined "forward"
Information Element, as required by any Information Element that may
be a non-key field in a Biflow.
6.1. Reverse Information Element Private Enterprise Number
Reverse Information Elements are specified as a separate "dimension"
in the Information Element space, by having IANA assign a single
Private Enterprise Number (PEN) to this document, and to define that
PEN to signify "IPFIX Reverse Information Element" (the Reverse PEN).
This reverse PEN would serve as a "reverse direction flag" in the
template; each Information Element number within this PEN space would
be assigned to the reverse counterpart of the corresponding IANA-
assigned public Information Element number. In other words, to
generate a reverse information element in a template corresponding to
a given forward information element, simply set the enterprise bit
and define the Information Element within the Reverse PEN space, as
in the figure below.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| flowStartSeconds 150 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
forward |
|
reverse V
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1| (rev) flowStartSeconds 150 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reverse PEN TBD1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 5: Example Mapping between Forward and Reverse IEs using
Reverse PEN
As the Reverse Information Element dimension is treated explicitly as
such, new Information Elements can be added freely to the IANA-
managed space without concern for whether a reverse element should
also be added. Aside from the initial allocation of an enterprise
number for this purpose, there is no additional maintenance overhead
for supporting reverse information elements in the information model.
Note that certain Information Elements in the IPFIX Information Model
[I-D.ietf-ipfix-info] are not reversible; that is, they are
semantically meaningless as reverse Information Elements. A
Trammell & Boschi Expires October 13, 2007 [Page 11]
Internet-Draft IPFIX Biflow Export April 2007
Collecting Process MUST note the Information Element identifier of
any Information Element so used as a Reverse Information Element, and
MAY discard that Information Element from the Flow Record, as with
unassigned Information Elements as in section 9 of the IPFIX Protocol
document [I-D.ietf-ipfix-protocol]. Non-reversible Information
Elements represent properties of the Biflow record as a whole, or are
intended for internal the use of the IPFIX Protocol itself.
Therefore, by definition, they cannot be associated with a single
direction or endpoint of the flow.
The following specific Information Elements are not reversible:
1. Identifiers defined in section 5.1 of the Information Model which
cannot be associated with a single direction of Uniflow
collection: flowId (5.1.7), templateId (5.1.8),
observationDomainId (5.1.9), and commonPropertiesId (5.1.11).
2. Process configuration elements defined in section 5.2 of the
Information Model.
3. Process statistics elements defined in section 5.3 of the
Information Model.
4. paddingOctets (5.12.1).
5. biflowDirection (defined in section 6.3 of this document).
Any future addition to the Information Element Registry by IANA which
meets the criteria defined above SHOULD also be considered to be non-
reversible by the Collecting Process.
Note that Information Elements commonly used as Flow Keys (e.g.
header fields defined in sections 5.4 and 5.5 of the Information
Model) are not necessarily non-reversible, as they may be used as
value fields in certain contexts, as when associating ICMP error
messages with the flows that caused them.
6.2. Enterprise-Specific Reverse Information Elements
Note that the Reverse PEN defined above is only available for
allocating reverse counterparts of IANA-registered IPFIX Information
Elements. No facility is provided for allocating reverse
counterparts of enterprise-specific Information Elements.
The allocation of enterprise-specific Information Elements for IPFIX
is left to the discretion of the enterprise allocating them. Note
that, as enterprise-specific Information Elements are designed for
the internal use of private enterprises, the lack of any guidance or
Trammell & Boschi Expires October 13, 2007 [Page 12]
Internet-Draft IPFIX Biflow Export April 2007
standard on Information Element allocation policies poses no
interoperability issues. However, if a private enterprise's own
Information Element registry anticipates the allocation of reversible
Information Elements, and the use of this specification for the
export of Biflow data, that registry MAY reserve one of the fifteen
available bits in the Information Element ID to signify the reverse
direction. For example, if the most significant bit were selected,
this would reserve Information Element IDs 0x4000 to 0x7FFF for the
reverse direction of Information Element IDs 0x0000 to 0x3FFF.
6.3. biflowDirection Information Element
Description: A description of the biflow direction assignment
method used to assign source and destination to this flow. This
Information Element MAY be present in a Flow Data Record, or
applied to all flows exported from an Exporting Process or
Observation Domain using IPFIX Options. If this Information
Element is not present in a Flow Record or associated with a flow
via scope, it is assumed that the configuration of the biflow
direction assignment method is done out-of-band. This field may
take the following values:
+-------+------------------+----------------------------------------+
| Value | Name | Description |
+-------+------------------+----------------------------------------+
| 0x00 | arbitrary | Direction was assigned arbitrarily. |
| 0x01 | initiator | The Biflow Source is the flow |
| | | initiator, as determined by the |
| | | Metering Process' best effort to |
| | | detect the initiator. |
| 0x02 | reverseInitiator | The Biflow Destination is the flow |
| | | initiator, as determined by the |
| | | Metering Process' best effort to |
| | | detect the initiator. This value is |
| | | provided for the convenience of |
| | | Exporting Processes to revise an |
| | | initiator estimate without re-encoding |
| | | the Biflow Record. |
| 0x03 | perimeter | The Biflow Source is the endpoint |
| | | outside of a defined perimeter. The |
| | | perimeter's definition is implicit in |
| | | the set of Biflow Source and Biflow |
| | | Destination addresses exported in the |
| | | Biflow Records. |
+-------+------------------+----------------------------------------+
Trammell & Boschi Expires October 13, 2007 [Page 13]
Internet-Draft IPFIX Biflow Export April 2007
Abstract Data Type: octet
Data Type Semantics: identifier
ElementId: TBD2
Status: current
7. IANA Considerations
This document specifies the creation of a new dimension in the
information element space defined by the IPFIX Information Model
[I-D.ietf-ipfix-info]. This new dimension is defined by the
allocation of a new Private Enterprise Number (PEN). The Internet
Assigned Numbers Authority (IANA) has assigned private enterprise
number TBD1 to this document as the "IPFIX Reverse Information
Element Private Enterprise", with this document's authors as point of
contact.
[NOTE for IANA: The text TBD1 should be replaced with the assigned
private enterprise number where it appears in this document.]
This document specifies the creation of a new IPFIX Information
Element, biflowDirection, as defined in section 6.3. IANA has
assigned Information Element number TBD2 in the IPFIX Information
Element Number registry for the biflowDirection information element.
[NOTE for IANA: The IPFIX Information Element Number registry has not
yet been created; its creation is requested in section 7.1 of
draft-ietf-ipfix-info-14.txt.]
[NOTE for IANA: The text TBD2 should be replaced with the assigned
biflowDirection Information Element number where it appears in this
document.]
8. Security Considerations
The same security considerations as for the IPFIX Protocol
[I-D.ietf-ipfix-protocol] apply.
9. Acknowledgments
We would like to thank Lutz Mark, Juergen Quittek, Andrew Johnson,
Paul Aitken, Benoit Claise, and Carsten Schmoll for their
contributions and comments. Special thanks to Michelle Cotton for
Trammell & Boschi Expires October 13, 2007 [Page 14]
Internet-Draft IPFIX Biflow Export April 2007
her assistance in navigating the IANA process for enterprise number
assignment, and for the IANA pre-review of the document.
10. References
10.1. Normative References
[I-D.ietf-ipfix-protocol]
Claise, B., "Specification of the IPFIX Protocol for the
Exchange", draft-ietf-ipfix-protocol-24 (work in
progress), November 2006.
[I-D.ietf-ipfix-info]
Quittek, J., "Information Model for IP Flow Information
Export", draft-ietf-ipfix-info-15 (work in progress),
February 2007.
10.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander,
"Requirements for IP Flow Information Export (IPFIX)",
RFC 3917, October 2004.
[I-D.ietf-ipfix-architecture]
Sadasivan, G., "Architecture for IP Flow Information
Export", draft-ietf-ipfix-architecture-12 (work in
progress), September 2006.
[I-D.ietf-ipfix-as]
Zseby, T., "IPFIX Applicability", draft-ietf-ipfix-as-11
(work in progress), February 2007.
[I-D.ietf-ipfix-reducing-redundancy]
Boschi, E., "Reducing Redundancy in IPFIX and PSAMP
Reports", draft-ietf-ipfix-reducing-redundancy-03 (work in
progress), March 2007.
Appendix A. Example
The following example describes a biflow record as specified in
section 6, above. The "IPFIX Reverse Information Element" PEN is
assigned for the purpose of differentiating forward from reverse
information elements.
Trammell & Boschi Expires October 13, 2007 [Page 15]
Internet-Draft IPFIX Biflow Export April 2007
The information exported in this case is:
o The start time of the flow: flowStartSeconds in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4 octets
o The reverse start time of the flow: flowStartSeconds in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4
octets, and the enterprise bit set to 1. The following PEN is the
Reverse PEN.
o The IPv4 source IP address: sourceIPv4Address in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4 octets
o The IPv4 destination IP address:destinationIPv4Address in the
IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4
octets
o The source port: sourceTransportPort in the IPFIX Information
Model [I-D.ietf-ipfix-info], with a length of 2 octets
o The destination port: destinationTransportPort in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 2 octets
o The protocol identifier: protocolIdentifier in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 1 octet
o The number of octets of the Flow: octetTotalCount in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4 octets
o The reverse number of octets of the Flow: octetTotalCount in the
IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4
octets, and the enterprise bit set to 1. The following PEN is the
Reverse PEN.
o The number of packets of the Flow: packetTotalCount in the IPFIX
Information Model [I-D.ietf-ipfix-info], with a length of 4 octets
o The reverse number of packets of the Flow: packetTotalCount in the
IPFIX Information Model [I-D.ietf-ipfix-info], with a length of 4
octets, and the enterprise bit set to 1. The following PEN is the
Reverse PEN.
and the resulting template would look like the diagram below:
Trammell & Boschi Expires October 13, 2007 [Page 16]
Internet-Draft IPFIX Biflow Export April 2007
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Set ID = 2 | Length = 64 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Template ID >= 256 | Field Count = 11 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| flowStartSeconds 150 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1| flowStartSeconds 150 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reverse PEN TBD1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| sourceIPv4Address 8 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| destinationIPv4Address 12 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| sourceTransportPort 7 | Field Length = 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| destinationTransportPort 11 | Field Length = 2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| protocolIdentifier 4 | Field Length = 1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| octetTotalCount 85 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1| octetTotalCount 85 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reverse PEN TBD1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0| packetTotalCount 86 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1| packetTotalCount 86 | Field Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reverse PEN TBD1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 6: Single Record Biflow Template Set
The following example data record represents a typical HTTP
transaction. Its format is defined by the example template, above.
Trammell & Boschi Expires October 13, 2007 [Page 17]
Internet-Draft IPFIX Biflow Export April 2007
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Set ID >= 256 | Length = 41 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2006-02-01 17:00:00 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2006-02-01 17:00:01 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 192.0.2.2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 192.0.2.3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 32770 | 80 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 6 | 18000 . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . | 128000 . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . | 65 . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . | 110 . . .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. . . |
+-+-+-+-+-+-+-+-+
Figure 7: Single Record Biflow Data Set
Appendix B. XML Specification of biflowDirection Information Element
This appendix contains a machine-readable description of the
biflowDirection information element defined in this document, coded
in XML. Note that this appendix is of informational nature, while
the text in section 6.3 is normative.
The format in which this specification is given is described by the
XML Schema in Appendix B of the IPFIX Information Model
[I-D.ietf-ipfix-info].
<?xml version="1.0" encoding="UTF-8"?>
<fieldDefinitions xmlns="urn:ietf:params:xml:ns:ipfix-info"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:ipfix-info
ipfix-info.xsd">
Trammell & Boschi Expires October 13, 2007 [Page 18]
Internet-Draft IPFIX Biflow Export April 2007
<field name="biflowDirection" dataType="unsigned8"
dataTypeSemantics="identifier" group="misc"
elementId="TBD2" applicability="all" status="current">
<description>
<paragraph>
A description of the biflow direction assignment method
used to assign source and destination to this flow. This
Information Element MAY be present in a Flow Data Record,
or applied to all flows exported from an Exporting
Process or Observation Domain using IPFIX Options. If this
Information Element is not present in a Flow Record or
associated with a flow via scope, it is assumed that the
configuration of the biflow direction assignment method is
done out-of-band. This field may take the following
values:
</paragraph>
<artwork>
+-------+------------------+----------------------------------------+
| Value | Name | Description |
+-------+------------------+----------------------------------------+
| 0x00 | arbitrary | Direction was assigned arbitrarily. |
| 0x01 | initiator | The Biflow Source is the flow |
| | | initiator, as determined by the |
| | | Metering Process' best effort to |
| | | detect the initiator. |
| 0x02 | reverseInitiator | The Biflow Destination is the flow |
| | | initiator, as determined by the |
| | | Metering Process' best effort to |
| | | detect the initiator. This value is |
| | | provided for the convenience of |
| | | Exporting Processes to revise an |
| | | initiator estimate without re-encoding |
| | | the Biflow Record. |
| 0x03 | perimeter | The Biflow Source is the endpoint |
| | | outside of a defined perimeter. The |
| | | perimeter's definition is implicit in |
| | | the set of Biflow Source and Biflow |
| | | Destination addresses exported in the |
| | | Biflow Records. |
+-------+------------------+----------------------------------------+
</artwork>
</description>
</field>
</fieldDefinitions>
Trammell & Boschi Expires October 13, 2007 [Page 19]
Internet-Draft IPFIX Biflow Export April 2007
Authors' Addresses
Brian H. Trammell
CERT Network Situational Awareness
Software Engineering Institute
4500 Fifth Avenue
Pittsburgh, PA 15213
US
Phone: +1 412 268 9748
Email: bht@cert.org
Elisa Boschi
Hitachi Europe SAS
Immeuble Le Theleme
1503 Route les Dolines
06560 Valbonne
France
Phone: +33 4 89874100
Email: elisa.boschi@hitachi-eu.com
Trammell & Boschi Expires October 13, 2007 [Page 20]
Internet-Draft IPFIX Biflow Export April 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Trammell & Boschi Expires October 13, 2007 [Page 21]
| PAFTECH AB 2003-2026 | 2026-04-23 04:04:40 |