TOC |
|
By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 7, 2009.
This document describes a framework for an IPFIX Mediation. This framework details an IPFIX Mediation reference model and the components of the IPFIX Mediation device (IPFIX Mediator).
1.
Introduction
2.
Terminology
3.
IPFIX Mediation Reference Model
4.
IPFIX Mediation Functional and Logical Blocks
4.1.
Collecting Process
4.2.
Exporting Process
4.3.
Intermediate Process
4.3.1.
Flow Selection Function
4.3.2.
Flow-based Collector Selection Function
4.3.3.
Aggregation Function
4.3.4.
Correlation Function
4.3.5.
Modification Function
4.4.
IPFIX File Writer/Reader
4.5.
Flow Expiration
4.6.
Information Model
4.7.
Examples
5.
Security Considerations
6.
IANA Considerations
7.
References
7.1.
Normative References
7.2.
Informative References
Appendix A.
Acknowledgements
§
Authors' Addresses
§
Intellectual Property and Copyright Statements
TOC |
IPFIX Mediation reroutes, replicates, filters, aggregates, correlates, or modifies Flow Records/Packet Reports or changes a transport protocol. This document describes the framework for IPFIX Mediation. The motivation for the IPFIX Mediation standard comes from the need for flow-based measurement system support for large-scale networks, interdomain networks, and coexistence with traditional Exporters as described in detail in [I‑D.ietf‑ipfix‑mediator‑ps] (Kobayashi, A., Nishida, H., Sommer, C., Dressler, F., Stephan, E., and B. Claise, “IPFIX Mediation: Problem Statement,” September 2008.). The standard specification requires a definition of IPFIX Mediation and IPFIX Mediation device (IPFIX Mediator).
This document is organized as follows. Section 2 describes terminology related to IPFIX Mediation. Section 3 describes a high level reference model. Section 4 details the components of the IPFIX Mediator.
TOC |
The terms in this section are in line with those in the IPFIX specification document [RFC5101] (Claise, B., “Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information,” January 2008.) and the PSAMP specification document [I‑D.ietf‑psamp‑protocol] (Claise, B., Quittek, J., and A. Johnson, “Packet Sampling (PSAMP) Protocol Specifications,” December 2007.). Additional terms required for the IPFIX Mediation are also defined with those in the IPFIX Mediator problem statement [I‑D.ietf‑ipfix‑mediator‑ps] (Kobayashi, A., Nishida, H., Sommer, C., Dressler, F., Stephan, E., and B. Claise, “IPFIX Mediation: Problem Statement,” September 2008.). All these terms are capitalized in this document.
- Observation Point
An Observation Point is a location in the network where IP packets can be observed. Examples include: a line to which a probe is attached, a shared medium, such as an Ethernet-based LAN, a single port of a router, or a set of interfaces (physical or logical) of a router.
Note that every Observation Point is associated with an Observation Domain (defined below), and that one Observation Point may be a superset of several other Observation Points. For example, one Observation Point can be an entire line card. That would be the superset of the individual Observation Points at the line card's interfaces.- Observation Domain
An Observation Domain is the largest set of Observation Points for which Flow information can be aggregated by a Metering Process. For example, a router line card may be an Observation Domain if it is composed of several interfaces, each of which is an Observation Point. In the IPFIX Message it generates, the Observation Domain includes its Observation Domain ID, which is unique per Exporting Process. That way, the Collecting Process can identify the specific Observation Domain from the Exporter that sends the IPFIX Messages. Every Observation Point is associated with an Observation Domain. It is RECOMMENDED that Observation Domain IDs also be unique per IPFIX Device.- Flow Key
Each of the fields that:
1. belong to the packet header (e.g., destination IP address),
2. are a property of the packet itself (e.g., packet length),
3. are derived from packet treatment (e.g., Autonomous System (AS) number),
and that are used to define a Flow are termed Flow Keys.- Flow Record
A Flow Record contains information about a specific Flow that was observed at an Observation Point. A Flow Record contains measured properties of the Flow (e.g., the total number of bytes for all the Flow's packets) and usually characteristic properties of the Flow (e.g., source IP address).- Packet Reports
Packet Reports comprise a configurable subset of a packet's input to the Selection Process, including the Packet Content, information relating to its treatment (for example, the output interface), and its associated selection state (for example, a hash of the Packet Content).- Exporting Process
The Exporting Process sends Flow Records to one or more Collecting Processes. The Flow Records are generated by one or more Metering Processes.- Exporter
A device that hosts one or more Exporting Processes is termed an Exporter.- IPFIX Device
An IPFIX Device hosts at least one Exporting Process. It may host further Exporting Processes and arbitrary numbers of Observation Points and Metering Processes.- Collecting Process
A Collecting Process receives Flow Records from one or more Exporting Processes. The Collecting Process might process or store received Flow Records, but such actions are out of the scope of this document.- Collector
A device that hosts one or more Collecting Processes is termed a Collector.- IPFIX Message
An IPFIX Message is a message originating at the Exporting Process that carries the IPFIX records of this Exporting Process and whose destination is a Collecting Process. An IPFIX Message is encapsulated at the transport layer.- Information Element
An Information Element is a protocol and encoding-independent description of an attribute that may appear in an IPFIX Record. The IPFIX information model [RFC5102] (Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, “Information Model for IP Flow Information Export,” January 2008.) defines the base set of Information Elements for IPFIX. The type associated with an Information Element indicates constraints on what it may contain and also determines the valid encoding mechanisms for use in IPFIX.- IPFIX Mediation
An IPFIX Mediation is a generic term for functions doing something for Flow Records, Packet Reports, and IPFIX Messages. IPFIX Mediation is located in between components: Metering Processes, Exporting Processes, Collecting Processes, and other applications. IPFIX Mediation can be included in any IPFIX Devices. IPFIX Mediation consists of a set of some of the following functions:The modification of Flow Records/Packet Reports includes these processes:
- rerouting input Flow Records/Packet Reports to an appropriate Collecting Process
- replicating input Flow Records/Packet Reports
- filtering and selecting input Flow Records/Packet Reports
- aggregating input Flow Records/Packet Reports based on new Flow Keys
- correlating a set of Flow Records/Packet Reports for creating new Flow Records/Packet Reports with new metrics
- modifying input Flow Records/Packet Reports
- changing transport protocols that carry IPFIX Messages
IPFIX Mediation can be included in any device, such as routers, switches, NMS (Network Management Systems), or stand-alone devices.
- changing the value of specified Information Elements
- adding new Information Elements by deriving further Flow or packet properties from existing fields or calculating new metrics
- deleting specified Information Elements.
- Flow-Based Collector Selection
The Flow-Based Collector Selection evaluates an input Flow Record/Packet Report based on the value of the specified Information Element and then selects a Collector for each input Flow Record/Packet Report.- IPFIX Mediator
An IPFIX Mediator contains one or more functions defined in IPFIX Mediation. The IPFIX Mediator can be a stand-alone or a virtual device. It also contains one or more Collecting Processes and one or more Exporting Processes.- Original Exporter
An Original Exporter is an IPFIX Device that hosts Observation Points where IP packets can be directly observed.- IPFIX Proxy
An IPFIX Proxy is an IPFIX Mediator that receives IPFIX Messages from an Original Exporter and sends IPFIX Messages to one or more Collectors. It may alter part of an IPFIX Message to comply with IPFIX Protocol specifications. It may also change the type of transport protocol, such as UDP, TCP, SCTP, and PR-SCTP, and convert a legacy protocol message to an IPFIX Message, if necessary.- IPFIX Concentrator
An IPFIX Concentrator is an IPFIX Mediator that receives Flow Records/Packet Reports, aggregates them, then exports the aggregated Flow Records.- IPFIX Distributor
An IPFIX Distributor is an IPFIX Mediator that reroutes input Flow Records/Packet Reports based on the result of Flow-Based Collector Selection. It may filter or replicate input Flow Records/Packet Reports, if necessary.- IPFIX Masquerading Proxy
An IPFIX Masquerading Proxy is an IPFIX Mediator that screens out a part of the data of input Flow Records/Packet Reports according to configured policies. It can thus, for example, hide the network topology information or customers' IP addresses.- Intermediate Process
An Intermediate Process in IPFIX Mediators can be considered as a partial Metering Process taken from the Metering Process in Original Exporters as described in [RFC3917] (Quittek, J., Zseby, T., Claise, B., and S. Zander, “Requirements for IP Flow Information Export(IPFIX),” October 2004.).
The Intermediate Process generates new sets of Data Records/Packet Reports from input Data Records/Packet Reports.- Mediator Observation Domain
An IPFIX Mediator does not host the Observation Points and Observation Domain. The Observation Domain ID in the IPFIX header sent by the IPFIX Mediator also indicates the largest set of Observation Points from the viewpoint of a Collector. However, this value does not indicate the physical entity of an Original Exporter.- Transport Session Information
The Transport Session is specified in [RFC5101] (Claise, B., “Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information,” January 2008.). In SCTP, the Transport Session Information is the SCTP association. In TCP and UDP, the Transport Session Information corresponds to a 5-tuple {Exporter IP address, Collector IP address, Exporter transport port, Collector transport port, and transport protocol}.
TOC |
The figure below shows the high-level reference model for IPFIX Mediation based on [I‑D.ietf‑ipfix‑architecture] (Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, “Architecture for IP Flow Information Export,” September 2006.). This figure covers the various possible scenarios that can exist in an IPFIX measurement system.
+---------------------------+ +---------------------------+ | Collector {l} | | Collector {k} | |[*Application(s)] | |[*Application(s)] | |[IPFIX File Reader/Writer] | |[IPFIX File Reader/Writer] | |[Collecting Process(es)] |....|[Collecting Process(es)] | +---------------------------+ +---------------------------+ ^ ^ ^ ^ | | | | | +------....----+ | | | | IPFIX (Flow Records / Packet Reports) | | | +----------------+----+-----+ +-------+-------------------+ |IPFIX Mediator {j} | |IPFIX Mediator {n} | |[*Applications(s)] | |[*Applications(s)] | |[Exporting Process(es)] | |[Exporting Process(es)] | |[Intermediate Process(es)] |....|[Intermediate Process(es)] | |[Collecting Process(es)] | |[Collecting Process(es)] | +---------------------------+ +---------------------------+ ^ ^ ^ | | | | +------....-----+ | | IPFIX (Flow Records / Packet Reports) | | +----------------+----------+ +----+----------------------+ |IPFIX Original Exporter {i}| |IPFIX Original Exporter {m}| |[Exporting Process(es)] | |[Exporting Process(es)] | |[Metering Process(es)] |....|[Metering Process(es)] | |[Observation Point(s)] | |[Observation Point(s)] | +---------------------------+ +---------------------------+ ^ ^ ^ ^ | | | | Packets coming in to Observation Points
Figure A: Reference Model for IPFIX Mediation.
The various functional components are indicated within brackets []. The functional components within [*] are not part of [I‑D.ietf‑ipfix‑architecture] (Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, “Architecture for IP Flow Information Export,” September 2006.).
The figure below shows the basic IPFIX Mediator component model. The IPFIX Mediator is formally defined to consist of one or more Collecting Processes, zero or more Intermediate Processes, and one or more Exporting Processes. Basically, IPFIX Mediator devices, i.e., IPFIX Proxy, IPFIX Masquerading Proxy, IPFIX Distributor, and IPFIX Concentrator, described in [I‑D.ietf‑ipfix‑mediator‑ps] (Kobayashi, A., Nishida, H., Sommer, C., Dressler, F., Stephan, E., and B. Claise, “IPFIX Mediation: Problem Statement,” September 2008.), are composed of these components.
IPFIX(Flow Records/Packet Reports) ^ ^ | +------------------------|-|---------------------+ | IPFIX Mediator | | | | | | | | .---------------------|-+-------------------. | | .----------------------+--------------------.| | | | Exporting Process (es) |' | | '----------------------^--------------------' | | | | | | .---------------------|-+-------------------. | | .----------------------+--------------------.| | | | Intermediate Process (es) (optional) |' | | '----------------------^--------------------' | | | | | | .---------------------|-+-------------------. | | .----------------------+--------------------.| | | | Collecting Process (es) |' | | '----------------------^--------------------' | +------------------------|-|---------------------+ | IPFIX(Flow Records/Packet Reports)
Figure B: IPFIX Mediator Basic Component Model.
An Original Exporter with a Mediation function is modeled as follows.
IPFIX (Flow Records/Packet Reports) ^ ^ +---------------------------|-|------------------------+ | Original Exporter | | | | | | | | .---------------------|-+-------------------. | | .----------------------+--------------------.| | | | Exporting Process(es) |' | | '----------------------^--------------------' | | | | | | .---------------------|-+-------------------. | | .----------------------+--------------------.| | | | Intermediate Process(es) |' | | '---------^-----------------------^---------' | | |Flow Record or | | | | Packet Reports | | | .------------+----------. .---------+-------------. | | | Metering Process {i} |..| Metering Process {n} | | | '------------^----------' '---------^-------------' | | | | | | .------------+----------. .---------+-------------. | | | Observation Point {i} |..| Observation Point {n} | | | '------------^----------' '---------^-------------' | +--------------|-----------------------|---------------+ | | Packets coming in to Observation Points
Figure C: Component Model for Original Exporter with Mediation.
TOC |
The section describes the details of each component and examples applicable to that component for IPFIX Mediation and IPFIX Mediator.
TOC |
The Collecting Processes described in [RFC5101] (Claise, B., “Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information,” January 2008.) receive Flow Records/Packet Reports with information relating to their treatment in the Metering Process and Exporting Process in the Original Exporter, such as sampling rate, IPFIX header information, and Transport Session Information. The Collecting Processes forward the set of data to multiple components: Intermediate Processes and Exporting Processes. In other words, the processes may duplicate received Flow Records/Packet Reports and forward them to multiple components in sequence or in parallel.
TOC |
The Exporting Processes described in [RFC5101] (Claise, B., “Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information,” January 2008.) forward Flow Records/Packet Reports to one or multiple Collectors. The processes manage the reporting Template and make IPFIX Messages.
TOC |
Intermediate Processes generate new sets of Flow Records/Packet Reports from input Flow Records/Packet Reports with IPFIX header information "Export Time" and "Observation Domain ID". The processes host one of several functions defined below or a combination of them, in any sequence or in any set. In the case of a combination, the output of each function can be the input of other functions. The following subsections show the details of each function.
TOC |
The Flow Selection function determines which input Flow Records/Packet Reports are selected by matching under a filtering policy and then forwards them to the next processes or functions. The function is similar to the Selection Process described in [I‑D.ietf‑psamp‑framework] (Duffield, N., “A Framework for Packet Selection and Reporting,” June 2008.). The function covers several selection techniques, such as property match filtering and Flow selection, which are described in [I‑D.ietf‑psamp‑framework] (Duffield, N., “A Framework for Packet Selection and Reporting,” June 2008.) and [I‑D.peluso‑flowselection] (Peluso, L., Zseby, T., D'Antonio, S., and M. Molina, “Flow selection Techniques,” November 2007.), respectively. In property match filtering, if the value of a specified Information Element equals a configured value, the function selects Flow Records/Packet Reports to forward.
TOC |
The Flow-based Collector Selection function determines to which Collector input Flow Records/Packet Reports are exported. The function may also determine the type of Transport Session. The function evaluates the value of a specified Information Element in input Flow Records/Packet Reports and then selects the Collector. These selection criteria are similar to the property match filtering in Mediator Selection Function.
Applicable examples include exporting Flow Records/Packet Reports to a dedicated Collector on the basis of customers or organizations peering. The function classifies Flow Records/Packet Reports on the basis of a peering AS number, as shown in the following figure. The set of classified Flow Records/Packet Reports is exported to a dedicated Collector on the basis of the peering AS number.
.----------------------------. | Intermediate Process | | .----------------------. | | | Flow-Based Collector | | | | Selection Function | | | | | | | | Peering AS #10 | | | | +-------------------+-+---> Collector #1 | | | Peering AS #20 | | Flow --+---+--+-------------------+-+---> Collector #2 Records | | | Peering AS #30 | | | | +-------------------+-+---> Collector #3 | '----------------------' | '----------------------------'
Figure D: Exporting classified Flow Records to dedicated Collector.
TOC |
The Aggregation function creates aggregated Flow Records from input Flow Records/Packet Reports. The aggregation method is divided into three types:
- Choosing Shorter Flow Key
Choosing a shorter Flow Key than the Flow Key of input Flow Records, such as three, two, or a single Flow Key, can create more aggregated Flow Records. The function gathers Flow Records/Packet Reports within a given interval time and then distinguishes Flow Records/Packet Reports that have common properties. If values of a given key field are the same, that means those Flow Records/Packet Reports have common properties, and the function merges them in accordance with aggregation rules described in [I‑D.dressler‑ipfix‑aggregation] (Dressler, F., Sommer, C., Munz, G., and A. Kobayashi, “IPFIX Aggregation,” July 2008.).
In addition, the function can create statistical data and subsidiary information related to the aggregated Flow Records. Examples include the number of input Flow Records/Packet Reports, the given interval time, and a set of a new Flow Key.- Time Composition
Time composition is defined as aggregation with the same Flow Key for long-running Flows. The function may also compute Flow Records statistics, such as average, maximum, and minimum value of each counter. The statistics help to visualize the behavior of traffic volume over a long time period.
As another approach, the function collects Flow Records/Packet Reports of a shorter time period from an Original Exporter, and then computes these statistics. Even if output Flow Records of the function indicate a general time period, the accuracy of the minimum, maximum, and average value can be improved.- Space Composition
Space composition is defined as aggregation on a larger Observation Domain or on a set of Observation Points. In that case, a Flow key can be applied to other properties, such as Exporter IP address and Observation Domain ID.
In addition, a group identifier indicating a spatial Observation Domain can also become a new Flow Key. For example, a group can indicate an area on an ISP network, or a link aggregation interface composd of physical interfaces. The group can also make a relation to a set of values of specified Information Elements in Flow Records by the configuring rule. After converting from the values of specified Information Elements to the group identifier, the function can create aggregated Flow Records by a general aggregation process.
TOC |
The Correlation function creates new metrics from by evaluating the correlation among sets of Flow Records/Packets Records. These sets can be Flow Records gathered during a certain period, a pair of consecutive Packet Reports, or Packet Reports exported by different Exporters indicating the same packet. After offering new metrics, the function outputs Flow Records with the new metrics field. Applicable examples are as follows.
TOC |
The Modification function modifies input Flow Records/Packet Reports without changing their granularity. The function can add new Information Elements, delete existing Information Elements, or modify the value of specified Information Elements. If the function modifies the data structure of an original Template, it also needs to modify the value of the "flowKeyIndicator".
- Adding specified Information Elements
The function obtains the value of a specified Information Element and then adds it into Flow Records/Packet Reports. There are several methods to obtain the value: retrieving the value from a database or calculating the value based on the value of other Information Elements and received traffic data.- Applicable examples include adding derived packet property parameters instead of Original Exporters. Doing that can compensate for traditional Exporters or probes unable to add packet property parameters. Therefore, Collectors do not need to recognize the difference among implementations of routers from several vendors or among Exporter types, such as router, switch, or probe. Typical derived packet property parameters include the following.
- The "bgpNextHop{IPv4|IPv6}Address" described in [RFC5102] (Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, “Information Model for IP Flow Information Export,” January 2008.) indicates the egress router of a network domain. That is useful for making a traffic matrix that covers the whole network domain.
- The BGP Community value indicates the same group of destination or source IP addresses.
- The "mplsVpnRouteDistinguisher" described in [RFC5102] (Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, “Information Model for IP Flow Information Export,” January 2008.), which cannot be extracted from the core router in MPLS networks, indicates the VPN customer's identification. Network operators can monitor the traffic behavior of each customer by adding "mplsVpnRouteDistinguisher" to Flow Records/Packet Reports.
- Deleting specified Information Elements
This function deletes existing Information Elements according to instruction rules, which indicate whether an Information Element should be removed.- Applicable examples include hiding network topology information and private information. In the case of IPFIX exporting across domains, the function can avoid making a vulnerability by deleting unnecessary Information Elements. Examples of network topology information include "ipNextHopIP{v4|v6}Address", "bgpNextHopIP{v4|v6}Address", and "bgp{Next|Prev}AdjacentAsNumber", described in [RFC5102] (Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, “Information Model for IP Flow Information Export,” January 2008.). In addition, MPLS-related Information Elements, such as "mplsLabelStackSection", are useless for customers in the case of feeding Flow Records/Packet Reports to VPN customers.
- Modifying the value of specified Information Elements
This function modifies the value of specified Information Elements.- Applicable examples include anonymizing customers' private information, such as IP address and port number, according to a privacy protection policy. Several annonymization techniques are described in [I‑D.boschi‑ipfix‑anon] (Boschi, E. and B. Trammell, “IP Flow Anonymisation Support,” July 2008.). The function also reports anonymization methods and part of anonymized data as subsidiary information.
TOC |
The IPFIX File Writer stores input Flow Records/Packet Reports from any process in a storage system. If received Flow Records/Packet Reports include uninteresting Information Elements, the Modification Function can delete these elements before the IPFIX File Writer handles them. Therefore, IPFIX File Writers can accept input from any process. In either case, input needs to include the IPFIX header information and the Transport Session Information along with Flow Records/Packet Reports.
In contrast, the IPFIX File Reader retrieves stored Flow Records/Packet Reports when operators want to retrieve past Flow Records/Packet Reports on the basis of a given time period. If the data structure of output Flow Records/Packet Reports from the IPFIX File Reader is different from what operators want, the Modification function can modify the data structure. Therefore, the output of IPFIX File Readers can be input to any components. The IPFIX File Writer/Reader are described in [I‑D.ietf‑ipfix‑file] (Trammell, B., Boschi, E., Mark, L., Zseby, T., and A. Wagner, “An IPFIX-Based File Format,” October 2008.) in detail.
The figure shows the IPFIX component model with IPFIX File Writer/Reader. IPFIX File Writer/Reader are located in the same position of Exporting Process/Collecting Process, respectively.
IPFIX (Flow Records/Packet Reports) ^ ^ | .----------------------|-+--------------------. .-----------------------+---------------------.| | Exporting Process (es) / IPFIX File Writer |' '----^------------------^---------------------' | | | | .-------------|-+--------------------. | .--------------+---------------------.| | | Intermediate Process (es) |' | '--------------^-^-------------------' | | | .---+------------------|-+--------------------. .-----------------------+---------------------.| | Collecting Process (es) / IPFIX File Reader |' '-----------------------^---------------------' | IPFIX (Flow Records/Packet Reports)
Figure E: IPFIX Mediator Component Model with IPFIX File Writer/Reader.
TOC |
The Aggregation function needs expiration conditions to export cached Flow Records. These conditions are described in [I‑D.ietf‑ipfix‑architecture] (Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, “Architecture for IP Flow Information Export,” September 2006.). In the case of IPFIX Mediation, these conditions are as follows:
The Correlation function also needs similar expiration conditions. However, when cached Flow Records/Packet Reports prematurely expire and the function can not compute the correlation among them, cached Flow Records/Packet reports may be discarded.
TOC |
IPFIX Mediation reuse the general information model from [RFC5101] (Claise, B., “Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information,” January 2008.) and from [I‑D.ietf‑psamp‑info] (Dietz, T., Claise, B., Aitken, P., Dressler, F., and G. Carle, “Information Model for Packet Sampling Exports,” October 2008.). The following new Information Elements for IPFIX Mediation are also needed.
+-----+---------------------------+-----+---------------------------+ | ID | Name | ID | Name | +-----+---------------------------+-----+---------------------------+ | XXX | averageBitRate | XXX | averagePacketsRate | | XXX | minimumBitRate | XXX | minimumPacketsRate | | XXX | maximumBitRate | XXX | maximumPacketsRate | +-----+---------------------------+-----+---------------------------+
TOC |
As example, in case of Intermediate Processes having different functions, a Collecting Process/IPFIX File Reader replicates Flow Records/Packet Reports, if necessary, and forwards them to a suitable Intermediate Process/Exporting Process. Example figure is shown below.
IPFIX IPFIX IPFIX ^ ^ ^ | | | .------------. .-----+-------. .-----+-------. .------+------. | IPFIX File | | Exporting | | Exporting | | Exporting | | Writer | | Process {i}| | Process {j}|....| Process {n}| '-----^-^----' '-----^-------' '-----^-------' '------^------' | | | | | | +-------------+ | Flow Records | Flow Records / Packet Reports | | .------+-------. .-----+--------. .------+-------. | | Intermediate | | Intermediate | | Intermediate | | | Process {l} | | Process {m} | | Process {p} | | | | | |...| | | | Flow-based | | Flow-based | | | | | Collector | | Collector | | | | | Selection | | Selection | | | Flow Records | ^ | | ^ | | | | | | | | | | | | | | Correlation | | Modification| | Modification| | | ^ | | ^ | | ^ | | | | | | | | | | | | | Selection | | Aggregation |...| Selection | | | ^ | | ^ ^ | | ^ | | '------|-------' '-----|-|------' '------|-------' | | | | | | +---------------+ | Flow Records | | | | | Flow Records / Packet Reports | .------+------. .------+------. .------+------. .-----+------. | Collecting | | Collecting | | Collecting | | IPFIX File | | Process {i}| | Process {j}|...| Process {n}| | Reader | '------^------' '------^------' '------^------' '------------' | | | IPFIX IPFIX IPFIX
Figure F: Functional Block Examples for IPFIX Mediator.
TOC |
IPFIX Mediators use the IPFIX protocol. Security considerations about Flow Records are described in [RFC5101] (Claise, B., “Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information,” January 2008.).
TOC |
This document has no actions for IANA.
TOC |
TOC |
[I-D.ietf-ipfix-architecture] | Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, “Architecture for IP Flow Information Export,” draft-ietf-I-D.ietf-ipfix-architectureitecture-12.txt(work in progress) , September 2006. |
[I-D.ietf-psamp-framework] | Duffield, N., “A Framework for Packet Selection and Reporting,” draft-ietf-psamp-framework-13.txt , June 2008. |
[I-D.ietf-psamp-info] | Dietz, T., Claise, B., Aitken, P., Dressler, F., and G. Carle, “Information Model for Packet Sampling Exports,” draft-ietf-psamp-info-11.txt (work in progress) , October 2008. |
[I-D.ietf-psamp-protocol] | Claise, B., Quittek, J., and A. Johnson, “Packet Sampling (PSAMP) Protocol Specifications,” draft-ietf-psamp-protocol-09.txt , December 2007. |
[RFC3917] | Quittek, J., Zseby, T., Claise, B., and S. Zander, “Requirements for IP Flow Information Export(IPFIX),” October 2004. |
[RFC5101] | Claise, B., “Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information,” January 2008. |
[RFC5102] | Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, “Information Model for IP Flow Information Export,” January 2008. |
TOC |
[I-D.boschi-ipfix-anon] | Boschi, E. and B. Trammell, “IP Flow Anonymisation Support,” draft-boschi-ipfix-anon-01.txt (work in progress) , July 2008. |
[I-D.dressler-ipfix-aggregation] | Dressler, F., Sommer, C., Munz, G., and A. Kobayashi, “IPFIX Aggregation,” draft-dressler-ipfix-aggregation-05.txt (work in progress) , July 2008. |
[I-D.ietf-ipfix-file] | Trammell, B., Boschi, E., Mark, L., Zseby, T., and A. Wagner, “An IPFIX-Based File Format,” draft-ietf-ipfix-file-03.txt(work in progress) , October 2008. |
[I-D.ietf-ipfix-mediator-ps] | Kobayashi, A., Nishida, H., Sommer, C., Dressler, F., Stephan, E., and B. Claise, “IPFIX Mediation: Problem Statement,” draft-ietf-ipfix-mediation-problem-statement-01.txt(work in progress) , September 2008. |
[I-D.peluso-flowselection] | Peluso, L., Zseby, T., D'Antonio, S., and M. Molina, “Flow selection Techniques,” draft-peluso-flowselection-tech-01.txt(work in progress) , November 2007. |
TOC |
The authors gratefully acknowledge the contributions of
Keisuke Ishibashi,
Tsuyoshi Kondoh, and
Daisuke Matsubara.
TOC |
Atsushi Kobayashi | |
NTT Information Sharing Platform Laboratories | |
3-9-11 Midori-cho | |
Musashino-shi, Tokyo 180-8585 | |
Japan | |
Phone: | +81-422-59-3978 |
Email: | akoba@nttv6.net |
Haruhiko Nishida | |
NTT Information Sharing Platform Laboratories | |
3-9-11 Midori-cho | |
Musashino-shi, Tokyo 180-8585 | |
Japan | |
Phone: | +81-422-59-3978 |
Email: | nishida.haruhiko@lab.ntt.co.jp |
Benoit Claise | |
Cisco Systems | |
De Kleetlaan 6a b1 | |
Diegem 1831 | |
Belgium | |
Phone: | +32 2 704 5622 |
Email: | bclaise@cisco.com |
TOC |
Copyright © The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.