Network Working Group                                           T. Dietz
Internet-Draft                                           NEC Europe Ltd.
Expires: March 31, 2004                                      F. Dressler
                                                                G. Carle
                                                 University of Tuebingen
                                                               B. Claise
                                                           Cisco Systems
                                                            October 2003


             Information Model for Packet Sampling Exports

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 31, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document defines an information and data model for the Packet
   Sampling (PSAMP) protocol.  It is used by the PSAMP protocol for
   encoding sampled packet data and information related to the sampling
   process.  The model is an extension to the IPFIX information model.

Dietz, et al.          draft-ietf-psamp-info-00.txt             [Page 1]

Internet-Draft          PSAMP Information Model             October 2003

Table of Contents

   1.     Open Issues
   2.     Introduction
   3.     Relationship between PSAMP and IPFIX
   4.     Properties of a PSAMP Information Element
   5.     Type Space
   5.1    byteArray
   5.2    Comparison of types in IPFIX and PSAMP
   6.     The PSAMP Attributes
   6.1    PSAMP Usage of IPFIX Attributes
   6.2    Flow Attributes
   6.2.1  selectorId
   6.2.2  sequenceNumber
   6.2.3  packetStart
   6.2.4  samplingMethod
   6.2.5  intervalCount
   6.2.6  spacingCount
   6.2.7  intervalTime
   6.2.8  spacingTime
   6.2.9  samplingRate
   7.     Using XML Schema for Information Models
   8.     Security Considerations
          Normative References
          Informative References
          Authors' Addresses
   A.     XML Namespace Issues
          Intellectual Property and Copyright Statements

1. Open Issues

   This draft covers some open issues which have to be solved in a
   future version of this draft:

   o  We currently define the filtering method attribute as an
      enumeration.  This implies that an extension is very easy.
      Nevertheless, it might be appropriate to have single attributes
      for each method in order to integrate special information about
      the filtering/sampling method directly into the attribute.

   o  The PSAMP protocol allows more than one sampling or filtering
      method to be defined; these are applied in sequential order.
      Therefore, the order of the attributes in a template becomes
      important.
      This is a primary difference to the semantics of the flow
      template in the IPFIX definition.  Currently, we do not have a
      proper definition for the ordering of flow attributes.

   o  We introduced a usage property for each attribute.  It is not
      clear if the meaning of this property falls into the domain of
      the reference property.  Thus the usage property may vanish in
      the future and the reference property will replace it and become
      mandatory.

   o  The unit property is currently optional, but we would like to
      have information about units wherever possible.  The units
      property may become mandatory in a future version of this
      document and we would define the unit as "not applicable" when no
      unit can be given.

   o  This document only defines the attributes for exporting PSAMP
      data that are not defined by the IPFIX information model.
      Nevertheless, we should include a usage statement for the
      attributes defined by IPFIX when used by the PSAMP export
      protocol.  The export of sampled data may not need all attributes
      defined by the IPFIX information model.  Thus a section within
      this document should give an overview of flow attributes defined
      in the IPFIX information model and their usage in the PSAMP
      environment.

2. Introduction

   Packet sampling techniques are required for various measurement
   scenarios.  The packet sampling (PSAMP) protocol provides mechanisms
   for the packet selection using different filtering and sampling
   techniques.  A standard way for the export and storage of such
   sampled packet data is required.  The definition of the PSAMP
   information and data model is based on the IP Flow Information
   eXport (IPFIX) protocol.

   This document examines the IPFIX information model
   [I-D.ietf-ipfix-info] and extends it for the PSAMP requirements.
   Therefore, the structure of this document is strongly based on the
   IPFIX document.

3. Relationship between PSAMP and IPFIX

   As described in IETF working document
   draft-quittek-psamp-ipfix-01.txt [I-D.quittek-psamp-ipfix], a PSAMP
   data record can be seen as a very special IPFIX flow record.  It
   represents an IPFIX flow containing just a single packet.
   Therefore, the IPFIX information model can be used as a basis for
   PSAMP reports.

   Nevertheless, there are properties required by PSAMP reports which
   cannot be modeled using the IPFIX information model.  This document
   describes an extension to the IPFIX model which allows the modeling
   of information and data required by PSAMP.

4. Properties of a PSAMP Information Element

   The PSAMP information elements are in accordance with the
   definitions of IPFIX.  Nevertheless, we have two additional
   properties - applicability and usage - that must be defined for the
   PSAMP attributes.  Furthermore, we strongly recommend defining the
   optional "unit" element for every attribute if applicable.
   Therefore, the list is slightly modified to comply with this
   suggestion.

   Information elements defined in this specification, or by extension
   MUST have the following properties defined:

   Name - a unique and meaningful name for the field.  The preferred
      spelling for the name is to use mixed case if the name is
      compound, with an initial lower case letter.  (E.g.
      "sourceAddress").

   Description - the semantics of this information element.  It
      describes how this field is derived from the flow or other
      information available to the observer.

   Type - the type space for attributes is constrained to facilitate
      implementation.  The existing type space does however encompass
      most basic types used in modern programming languages, as well as
      some derived types (such as IP Address types) which are common to
      this domain and useful to distinguish.

   Field Id - a numeric identifier administered by IANA.  This is used
      for compact identification of an information item when encoding
      templates in the protocol.

   Applicability - a statement in which flow records the attribute is
      used.  An attribute can be exported in a data flow record, an
      options data flow record or both.

   Usage - a description in which context this attribute could be used.
      Some attributes are only meaningful within the context of a
      specific data flow, e.g., some sampling method parameters only
      make sense when they are exported for a specific sampling method
      or a small range of sampling methods.

   Information elements defined in this specification, or by extension
   MAY have the following properties defined:

   Vendor ID - when extension is done outside of the scope of the IANA
      IPFIX fieldId range, a vendorId MUST be provided.  This
      identifier is based on IANA assigned enterprise identifiers.

   Units - if the field is a measure of some kind, the units identify
      what the measure is.

   Reference - identifies additional specifications which more
      precisely define this item or provide additional context for its
      use.

   Enumerated range - some items may have a specific set of numeric
      identifiers associated with a set of discrete values this element
      may take.  The meaning of each discrete value and a human
      readable name should be assigned.

   Range - some elements may only be able to take on a restricted set
      of values which can be expressed as a range (e.g. 0 through 511
      inclusive).  If this is the case, the valid inclusive range
      should be specified.

5. Type Space

   The following subsections describe the basic types from which most
   PSAMP information elements should be constructed.  The elements are
   mostly taken from the IPFIX information model.  Nevertheless, there
   are a few differences to the type space defined by the IPFIX
   information model: the removal of the type double and the addition
   of the type byteArray.  We anticipate that the next version of the
   IPFIX information model draft will contain a matching type, which
   will then be used by this draft.
   Since this draft only adds the byteArray data type to the type
   space, it will not duplicate the corresponding section of the IPFIX
   Information Model [I-D.ietf-ipfix-info].

   As in the IPFIX information model, by describing Information
   Elements in terms of a well defined type space, versus describing
   these details in each Element declaration, greater consistency of
   the existing Information Model is expected.  This should also
   simplify the process of extending the Information Model over time,
   and maintain this consistency.

5.1 byteArray

   The type "byteArray" represents an array of binary data.  Typically,
   it is to be used to encode a portion of a data packet.  The length
   of the array is encoded in the first 4 bytes; in particular, the
   first 4 bytes represent a length value of type "unsignedInt".

5.2 Comparison of types in IPFIX and PSAMP

   +-------------------+-------+-------+
   | Type              | IPFIX | PSAMP |
   +-------------------+-------+-------+
   | int               |   x   |   x   |
   | unsignedInt       |   x   |   x   |
   | long              |   x   |   x   |
   | unsignedLong      |   x   |   x   |
   | float             |   x   |   x   |
   | double            |   x   |   -   |
   | byteArray         |   -   |   x   |
   | hexBinary         |   x   |   x   |
   | string            |   x   |   x   |
   | boolean           |   x   |   x   |
   | byte              |   x   |   x   |
   | unsignedByte      |   x   |   x   |
   | short             |   x   |   x   |
   | unsignedShort     |   x   |   x   |
   | dateTime          |   x   |   x   |
   | ipdr:dateTimeMsec |   x   |   x   |
   | ipdr:ipV4Addr     |   x   |   x   |
   | ipdr:ipV6Addr     |   x   |   x   |
   | ipdr:UUID         |   x   |   x   |
   | ipdr:dateTimeUsec |   x   |   x   |
   +-------------------+-------+-------+

6. The PSAMP Attributes

   This section describes the attributes used by the PSAMP exporting
   functions.  In addition, the attributes described by the IPFIX
   information model [I-D.ietf-ipfix-info] are used by the PSAMP export
   functions where applicable.  Thus, only those attributes are defined
   here that are not already defined by the IPFIX information model.
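
   The length-prefixed byteArray layout from section 5.1, as an added
   example that is not part of the draft: a collector-side decoder that
   checks the declared length against the bytes actually received
   before copying.  The network byte order of the prefix, the max_len
   policy limit and all function names are assumptions; the draft only
   states that the first 4 bytes hold an unsignedInt length.

```python
import struct

# Assumption: the 4-byte unsignedInt length prefix is in network byte order.
_LENGTH = struct.Struct("!I")


class ByteArrayError(ValueError):
    """A byteArray field is truncated or larger than the collector allows."""


def encode_byte_array(payload):
    """Prefix payload with its length as a 4-byte unsignedInt."""
    return _LENGTH.pack(len(payload)) + bytes(payload)


def decode_byte_array(buf, offset=0, max_len=65535):
    """Decode one byteArray from buf, returning (payload, next_offset).

    max_len is a collector-side policy limit (assumed, not from the draft);
    it keeps a corrupt or hostile prefix from driving large allocations.
    """
    if offset < 0 or len(buf) - offset < _LENGTH.size:
        raise ByteArrayError("length prefix is truncated")
    (declared,) = _LENGTH.unpack_from(buf, offset)
    start = offset + _LENGTH.size
    if declared > max_len:
        raise ByteArrayError(
            f"declared length {declared} exceeds limit {max_len}")
    if declared > len(buf) - start:
        raise ByteArrayError(
            f"declared length {declared} but only {len(buf) - start} bytes remain")
    return bytes(buf[start:start + declared]), start + declared


def decode_packet_starts(buf, max_len=65535):
    """Decode consecutive byteArray fields until the buffer is exhausted."""
    fields, offset = [], 0
    while offset < len(buf):
        payload, offset = decode_byte_array(buf, offset, max_len)
        fields.append(payload)
    return fields


# Constructed sample: two packetStart values (first bytes of IPv4 headers).
SAMPLE = (encode_byte_array(bytes.fromhex("4500003c1c46")) +
          encode_byte_array(bytes.fromhex("45000028")))

if __name__ == "__main__":
    for field in decode_packet_starts(SAMPLE):
        print(len(field), field.hex())
```
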

6.1 PSAMP Usage of IPFIX Attributes

   Not all attributes defined by the IPFIX information model may be
   needed by the PSAMP protocol.  This section should give an overview
   of the IPFIX attributes that are used in the PSAMP context.

   TBD.

6.2 Flow Attributes

6.2.1 selectorId

   Description:
      The unique Id of a selector which defines the sampling instance.

   Type:
      The selectorId element is of type UUID.

   Field Id: ?

   Applicability:
      This attribute is used in the data flow record and the options
      data flow record.

   Usage:
      The attribute is used to specify which options data flow record
      was used to sample the arriving data record.  It must be present
      in each data flow record and each options data flow record.

6.2.2 sequenceNumber

   Description:
      The sequence number of a sample packet.

   Type:
      The sequenceNumber element is of type unsignedInt.

   Field Id: ?

   Applicability:
      This attribute is used in the data flow record.

   Usage:
      The attribute is used to specify the sequence number of a sample
      packet to record loss of packets while exporting data flow
      records.

6.2.3 packetStart

   Description:
      The first n bytes of the sampled packet.

      NOTE: We anticipate that a data type that matches the
      requirements here will be introduced by the IPFIX Info Model
      (REFERENCE HERE) really soon.  So we decided not to specify an
      applicable data type within this document.

   Type:
      The packetStart element is of type byteArray.

   Field Id: ?

   Applicability:
      This attribute is used in the data flow record.

   Usage:

6.2.4 samplingMethod

   Description:
      The sampling or filtering method used to sample a packet.

      TBD: The available sampling methods have to get a fixed value.
      We currently have the following:

      +------------------------+-------+
      | Method                 | Value |
      +------------------------+-------+
      | Select All             |   1   |
      | Systematic Count Based |   2   |
      | Systematic Time Based  |   3   |
      | Random n-out-of-N      |   4   |
      | Random Probabilistic   |   5   |
      +------------------------+-------+

      The filtering methods are still missing.  We are not sure if the
      data type is appropriate but in order to make the method list
      extensible it is the only alternative.

   Type:
      The samplingMethod element is of type unsignedInt.

   Field Id: ?

   Applicability:
      This attribute is used in the options data flow record.

   Usage:
      The attribute is used to specify the sampling or filtering method
      that was used to sample a packet.  It is exported in the options
      data flow record to specify how a collector has to interpret a
      data flow record.

6.2.5 intervalCount

   Description:
      This attribute is used to specify the interval for count based
      sampling methods.

   Type:
      The intervalCount element is of type unsignedInt.

   Field Id: ?

   Applicability:
      This attribute is used in the options data flow record.

   Units:
      The unit of measure is packets.

   Usage:
      The attribute is used to specify the number of consecutive
      packets that are sampled by the Systematic Count Based sampling
      method.

6.2.6 spacingCount

   Description:
      This attribute is used to specify the spacing for count based
      sampling methods.

   Type:
      The spacingCount element is of type unsignedInt.

   Field Id: ?

   Applicability:
      This attribute is used in the options data flow record.

   Units:
      The unit of measure is packets.

   Usage:
      The attribute is used to specify the interval between two
      consecutive sampling intervals in packets.  It is specified for
      the Systematic Count Based sampling method.
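
   How a collector might apply the Systematic Count Based attributes
   above, as an added example that is not part of the draft: it
   validates an options data flow record, tests which packet positions
   fall inside a sampling interval, and uses sequenceNumber gaps to
   estimate the number of observed packets.  Assumed here: records
   arrive as dictionaries keyed by attribute name, the pattern starts
   with a sampling interval, and sequenceNumber increases by one per
   exported sample and wraps at 2^32.

```python
from enum import IntEnum

UINT32_MOD = 1 << 32  # unsignedInt is taken to be 32 bits wide (assumption)


class SamplingMethod(IntEnum):
    """Values from the samplingMethod table in section 6.2.4."""
    SELECT_ALL = 1
    SYSTEMATIC_COUNT_BASED = 2
    SYSTEMATIC_TIME_BASED = 3
    RANDOM_N_OUT_OF_N = 4
    RANDOM_PROBABILISTIC = 5


def validate_count_based(options):
    """Return (intervalCount, spacingCount) from an options record or raise."""
    try:
        method = SamplingMethod(options["samplingMethod"])
    except (KeyError, ValueError, TypeError):
        raise ValueError("missing or unknown samplingMethod") from None
    if method is not SamplingMethod.SYSTEMATIC_COUNT_BASED:
        raise ValueError("record does not describe count based sampling")
    values = []
    for name in ("intervalCount", "spacingCount"):
        value = options.get(name)
        if type(value) is not int or not 0 <= value < UINT32_MOD:
            raise ValueError(f"{name} is not an unsignedInt")
        values.append(value)
    if values[0] == 0:
        raise ValueError("intervalCount of 0 would select no packets")
    return values[0], values[1]


def is_selected(position, interval, spacing):
    """True if the packet at 0-based stream position is in a sampling interval.

    Assumes the pattern starts with `interval` sampled packets followed by
    `spacing` skipped ones.
    """
    return position % (interval + spacing) < interval


def lost_samples(sequence_numbers):
    """Count samples missing between consecutive received sequenceNumbers."""
    lost = 0
    previous = None
    for seq in sequence_numbers:
        if previous is not None:
            step = (seq - previous) % UINT32_MOD
            if step == 0 or step >= UINT32_MOD // 2:
                raise ValueError("duplicate or reordered sequenceNumber")
            lost += step - 1
        previous = seq
    return lost


def estimate_observed_packets(options, sequence_numbers):
    """Scale exported samples (received plus lost) up to observed packets."""
    interval, spacing = validate_count_based(options)
    seqs = list(sequence_numbers)
    exported = len(seqs) + lost_samples(seqs)
    return exported * (interval + spacing) // interval


# Constructed sample input: 2 packets sampled, 8 skipped, and one export
# gap just after sequenceNumber wraps around 32 bits.
SAMPLE_OPTIONS = {"samplingMethod": 2, "intervalCount": 2, "spacingCount": 8}
SAMPLE_SEQUENCE = [4294967294, 4294967295, 0, 3]

if __name__ == "__main__":
    print(estimate_observed_packets(SAMPLE_OPTIONS, SAMPLE_SEQUENCE))
```
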

6.2.7 intervalTime

   Description:
      This attribute is used to specify the interval for time based
      sampling methods.

   Type:
      The intervalTime element is of type dateTimeUsec.

   Field Id: ?

   Applicability:
      This attribute is used in the options data flow record.

   Units:
      The unit of measure is microseconds.

   Usage:
      The attribute is used to specify the time in microseconds while
      packets are sampled consecutively by the Systematic Time Based
      sampling method.

6.2.8 spacingTime

   Description:
      This attribute is used to specify the spacing for time based
      sampling methods.

   Type:
      The spacingTime element is of type dateTimeUsec.

   Field Id: ?

   Applicability:
      This attribute is used in the options data flow record.

   Units:
      The unit of measure is microseconds.

   Usage:
      The attribute is used to specify the interval between two
      consecutive sampling intervals in microseconds.  It is specified
      for the Systematic Time Based sampling method.

6.2.9 samplingRate

   Description:
      This attribute is used to specify the sampling rate for the
      n-out-of-N and the Probabilistic sampling methods.

   Type:
      The samplingRate element is of type unsignedInt.

   Field Id: ?

   Applicability:
      This attribute is used in the options data flow record.

   Units:
      The unit of measure is probability * 1000000.

   Usage:
      The attribute is used to specify the sampling rate for the
      n-out-of-N and the Probabilistic sampling methods.  The
      probability is given as an unsigned integer value which must be
      divided by 1000000.

7. Using XML Schema for Information Models

   The wide availability of XML aware tools is a primary consideration
   for this choice.  In particular libraries for parsing XML documents
   are readily available.  Also mechanisms such as the Extensible Style
   Sheet Language (XSL) allow for transforming a source XML document
   into other documents.  This draft was initially authored in XML and
   transformed according to RFC2629.

   It should be noted that the use of XML processors is not mandatory
   for the deployment of PSAMP.  In particular exporting processes
   which may run on constrained platforms do not produce or consume XML
   as part of their operation.  It is expected that IPFIX/PSAMP
   collectors MAY take advantage of the machine readability of the
   Information Model vs. hardcoding their behavior or inventing
   proprietary means for accommodating extensions.

8. Security Considerations

   The PSAMP information model itself does not directly introduce
   security issues.  Rather it defines a set of attributes which may
   for privacy or business issues be considered sensitive information.

   The underlying protocol used to exchange the information described
   here must therefore apply appropriate procedures to guarantee the
   integrity and confidentiality of the exported information.  Such
   protocols are defined in separate documents, specifically the IPFIX
   Protocol document [I-D.ietf-ipfix-protocol].

Normative References

   [I-D.ietf-ipfix-reqs]
              Quittek, J., "Requirements for IP Flow Information
              Export", draft-ietf-ipfix-reqs-10 (work in progress),
              June 2003.

   [I-D.ietf-ipfix-info]
              Calato, P., "Information Model for IP Flow Information
              Export", draft-ietf-ipfix-info-01 (work in progress),
              August 2003.

   [I-D.ietf-ipfix-protocol]
              Claise, B., "IPFIX Protocol Specifications",
              draft-ietf-ipfix-protocol-00 (work in progress), June
              2003.

Informative References

   [I-D.ietf-ipfix-architecture]
              Sadasivan, G. and K. Norseth, "Architecture Model for IP
              Flow Information Export",
              draft-ietf-ipfix-architecture-02 (work in progress), June
              2002.

   [I-D.ietf-psamp-framework]
              Duffield, N., "A Framework for Passive Packet
              Measurement", draft-ietf-psamp-framework-03 (work in
              progress), July 2003.

   [I-D.ietf-psamp-sample-tech]
              Zseby, T., Molina, M., Raspall, F. and N. Duffield,
              "Sampling and Filtering Techniques for IP Packet
              Selection", draft-ietf-psamp-sample-tech-02 (work in
              progress), June 2003.

   [I-D.quittek-psamp-ipfix]
              Quittek, J. and B. Claise, "On the Relationship between
              PSAMP and IPFIX", draft-quittek-psamp-ipfix-01 (work in
              progress), March 2003.

   [I-D.ietf-psamp-mib]
              Dietz, T., "Definitions of Managed Objects for Packet
              Sampling", draft-ietf-psamp-mib-00 (work in progress),
              June 2003.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444, January
              2003.

   [RFC3470]  Hollenbeck, S., Rose, M. and L. Masinter, "Guidelines for
              the Use of Extensible Markup Language (XML) within IETF
              Protocols", BCP 70, RFC 3470, January 2003.

Authors' Addresses

   Thomas Dietz
   NEC Europe Ltd.
   Network Laboratories
   Kurfuersten-Anlage 36
   Heidelberg  69115
   Germany

   Phone: +49 6221 90511-28
   EMail: dietz@ccrle.nec.de
   URI:   http://www.ccrle.nec.de/

   Falko Dressler
   University of Tuebingen
   Wilhelm-Schickard-Institute for Computer Science
   Auf der Morgenstelle 10C
   Tuebingen  71076
   Germany

   Phone: +49 7071 29-70522
   EMail: dressler@informatik.uni-tuebingen.de
   URI:   http://net.informatik.uni-tuebingen.de/

   Georg Carle
   University of Tuebingen
   Wilhelm-Schickard-Institute for Computer Science
   Auf der Morgenstelle 10C
   Tuebingen  71076
   Germany

   Phone: +49 7071 29-70505
   EMail: carle@informatik.uni-tuebingen.de
   URI:   http://net.informatik.uni-tuebingen.de/

   Benoit Claise
   Cisco Systems
   De Kleetlaan 6a b1
   Degem  1813
   Belgium

   Phone: +32 2 704 5622
   EMail: bclaise@cisco.com

Appendix A. XML Namespace Issues

   This proposal does not currently address possible IANA implications
   associated with XML Namespace URIs.
   The use of Namespaces as an extension mechanism implies that an IANA
   registered Namespace URI should be available and that directory
   names below this base URI be assigned for relevant IETF
   specifications.  The author is not aware of this mechanism today.

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.
   However, this document itself may not be modified in any way, such
   as by removing the copyright notice or references to the Internet
   Society or other Internet organizations, except as needed for the
   purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards process
   must be followed, or as required to translate it into languages
   other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.