Internet Draft G. Pohl Document: Fraunhofer FOKUS Expires: June 2005 L. Mark Fraunhofer FOKUS E. Boschi Fraunhofer FOKUS January 2005 Use of IPFIX for Export of Per-Packet Information Status of this Memo This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Pohl, Mark, Boschi Expires June 2005 [Page 1] Use of IPFIX for Export of Per-Packet Information Abstract This document describes the usage of the IP Flow Information Export (IPFIX) protocol for the case of exporting and processing per-packet information. The main idea is to export two types of records per flow: the first one contains the usual flow information plus a unique flow identifier while the other one consists of the actual per-packet information plus a flow identifier that refers to the flow the specific packet belongs to -- that means the flow identifier is used to associate the packet data to its corresponding flow. Table of Contents 1. Introduction 2 2. Terminology 2 3. General Problem Statement 3 4. Export Per-Packet Information 3 5. Processing Per-Packet Data for One-Way-Delay Measurements 5 6. IPFIX for per-packet information export and PSAMP 6 7. Export and evaluation considerations 6 8. IANA Consideration 7 9. Security Considerations 7 10. References 7 10.1 Normative References 7 10.2 Informative References 7 11. Author's Addresses 8 12. Intellectual Property Statement 9 13. Copyright Statement 9 14. Disclaimer 9 1. Introduction In the scope of passive QoS Measurements, there is often the need to exchange and export measurement data in a finer granularity then per flows. One typical application is passive One-Way-Delay measurement; this draft takes it as example when demonstrating the need for information export on a per-packet basis. The IPFIX protocol however, has been designed to export flow records. A possible approach to export packet records using IPFIX could be exporting flow records containing information about single packets. This method has been proposed by the PSAMP working group in [Cla204]. Exporting flow related information per-packet introduces a high degree of redundancy. This draft shows how packet information and flow information can be efficiently exported and related using IPFIX. 2. Terminology Collecting Process The collecting process receives records of flow or packet information. The data is stored for later processing (by the calculation process) Exporting Process The exporting processes send flow and packet records to the collecting processes. The records are generated by the measurement process. Filtering Filtering selects a subset of packets by applying deterministic functions on parts of the packet content like Pohl, Mark, Boschi Expires June 2005 [Page 2] Use of IPFIX for Export of Per-Packet Information header fields or parts of the payload. A filtering process needs to process the packet (look at packet header and/or payload) in order to make the selection decision. Measurement Device A measurement device has access to at least one observation point. It is hosting at least one measurement process and one export process. Metering/Measurement Process The measurement process generates records of packet and flow information. Packets passing the observation point are captured, time stamped, filtered and classified. The measurement process calculates the packet Ids. Passive One-Way-Delay Measurement Abbreviated: POWD Measurement 3. General Problem Statement In [Cla104] the IPFIX working group has defined a protocol to transport measurement data containing flow information. The main purpose of the protocol is to exchange information about IP traffic flows. In this scope a flow is defined by a set of key attributes (source/destination address, source/destination port, Layer3 Protocol Type, TOS/DSCP byte, interface of the flow exporting network element). As such, a flow is a collection of packets that share a set of common attributes. However, for a number of metrics there is a need to export per-packet data. Undoubtedly a single packet could be considered a special case of a flow and thus, per-packet information could be exported using flow records. Doing this though would have consequences on the efficiency of the exporting procedure, as it would mean additional overhead. Packets belonging to the same flow share common attributes, i.e. source address, destination address, etc. Exporting these attributes on a per-packet basis, each time with a different packet ID, would be redundant information. There are cases however, where it is desirable to keep flow information along with the per-packet information, that is, when analyzing packet characteristics while observing flows. This document proposes a solution that reduces the overhead caused by the flow properties while keeping a link to flow information. 4. Export Per-Packet Information Figure 1 depicts three packets belonging to flow A and one packet that belongs to flow B, respectively. The upper part of Figure 1 shows export records containing packet information plus flow information (source and destination address). Undoubtedly, the flow information introduces a huge amount of redundancy, as it is repeated for every packet in every record. Minimizing the redundancy is a common problem in relational data base design and we apply here similar solutions to those proposed in that area. In the lower part of Figure 1 we separate flow from packet information. In order to maintain the relation between Packet Properties and Flow Properties we introduce indices (idxA and idxB) for the Flow Properties that are unique for all Flow Property entries. The purpose of the indices is to serve as "primary key" that identifies rows of the Flow Properties. The Pohl, Mark, Boschi Expires June 2005 [Page 3] Use of IPFIX for Export of Per-Packet Information rows are then referenced by the Packet Properties by using the appropriate value for the flow identifier. One-packet flows +------+------+------------+---------+ | srcA | dstA | packet info| ... | +------+------+------------+---------+ | srcA | dstA | packet info| ... | +------+------+------------+---------+ | srcB | dstB | packet info| ... | +------+------+------------+---------+ | srcA | dstA | packet info| ... | +------+------+------------+---------+ Packet Properties +-----+------------+---------+ Flow Properties >idxA | packet info| ... | +------+------+-----+ +-----+------------+---------+ | srcA | dstA |idxA < >idxA | packet info| ... | +------+------+-----+ +-----+------------+---------+ | srcB | dstB |idxB <-------->idxB | packet info| ... | +------+------+-----+ +-----+------------+---------+ >idxB | packet info| ... | +-----+------------+---------+ here, the linkage of one packet and flow B (srcB, dstB, idxB) is explicitly drawn Figure 1: Flow information and packet information The IPFIX protocol is template based like NetFlow version 9. For a complete description of features of IPFIX refer to []. Templates define the structure of data to be exported, including describing data fields to be exported together with their type and meaning. For Measurement Process Results we define two different template records, namely Flow Properties and Packet Properties. In Figure 2, the Flow Properties template defines the attributes for a flow; e.g. IP source and destination address and the flow identifier. The flow identifier is a unique identifier for flow definitions; this field allows packet records to reference flow attributes. Subsequent data records of this template define the actual flows. The format for the information related to single packets is defined in the Packet Properties template. This information is packet specific and normally not shared between many packets. Otherwise one would rather consider the information as flow related and therefore it needs not be exported in everyrecord. Pohl, Mark, Boschi Expires June 2005 [Page 4] Use of IPFIX for Export of Per-Packet Information +------------------+ +-------------------+ | Template Set | | Template Set | | | | | Description of | Flow Properties | | Packet Properties | exported data +----------+-------+ +----------+--------+ ...........|.........................|......................... | | +----------v-------+ +----------v--------+ | Data Set | | Data Set | exported data | <------+ | with references | Flow Properties | | Packet Properties | by means of +------------------+ +-------------------+ flow identfier Figure 2: Template FlowSet and Data FlowSet dependencies 5. Processing Per-Packet Data for One-Way-Delay Measurements To demonstrate how to use IPFIX efficiently to export per-packet information, this section proposes how to use the IPFIX protocol for exporting flow information and per-packet information for OWD computation. In order to acquire a One-Way path delay information, two measurement points with synchronized clocks must exist, one at each end of the path under examination. Both measurement points will capture packets, assign them timestamps and generate an identifier for a packet passingthat point. Each measurement point will export its measurement data to a collecting process where the data are correlated based on the packet identifiers and timestamps and then the delay is calculated as a difference of two timestamps of a packet pair. The templates that would be needed for exporting measurement data of this kind are illustrated in Figure 3. The upper part of the figure shows the template containing the information concerning flows. The lower part displays the template with the packet properties. For passive One-Way-Delay measurement, the Packet Properties template consists of at least Timestamp and Packet ID. Additionally, this template contains a flow identifier field. In packet records, the value of this field will contain one of the unique indices of the flow records exported before. Pohl, Mark, Boschi Expires June 2005 [Page 5] Use of IPFIX for Export of Per-Packet Information +-------------------+-------------------+-----------------------+.. | flowID | sourceAddressV4 | destinationAddressV4 | | | | | | unsigned32/vendor | ipv4Address/ID 8 | ipv4Address/ID 12 | +-------------------+-------------------+-----------------------+.. ..+------------------+--------------------+---------------------+.. | classOfServiceV4 | protocolIdentifier | transportSourcePort | | | | | | octet/ID 5 | octet/ID 4 | unsigned16/ID 7 | ..+------------------+--------------------+---------------------+.. ..+--------------------------+ | transportDestinationPort | | | | unsigned16/ID 11 | ..+--------------------------+ FlowPropTemplate =================================================================== PacketPropTemplate +-------------------+-------------------+-------------------+.. | packetTimestamp | packetID | packetLength | | | | | | unsigned64/vendor | unsigned32/vendor | unsigned32/vendor | +-------------------+-------------------+-------------------+.. ..+-------------------+ | flowID | | | | unsigned32/vendor | ..+-------------------+ Figure 3: Example Templates for Flow and Packet Properties The delay is derived by a calculation step: At the collection point packet records of two measurement points are gathered and correlated by means of the packet ID. The resulting delay data records are exported in a similar manner as the packet data have been. Especially, the linkage between delay data and flow information is represented with the discussed flow identifier fields. The OWD properties contain the Packet Pair ID (which is the packet ID matching that of the two contributing packet records), a timestamp (which is the timestamp of the packet passing the reference monitor point) in order to reconstruct a time series, the calculated delay value, and finally a flow identifier. 6. IPFIX for per-packet information export and PSAMP In [Cla204] the PSAMP working group proposes to use IPFIX to export packet information from a PSAMP Exporting Process to a PSAMP Collecting Process. Even though no new version of the draft has been produced the solution seems to be accepted from the group. While IPFIX is well suited for the purpose due to the good match between the IPFIX and PSAMP architectures and to the fact that IPFIX satisfies PSAMP requirements, the described approach has a high degree of redundancy. It proposes to treat packets as flows and export per-packet information using flow records. We propose to use the solution described in this draft to efficiently export PSAMP packet information. 7. Export and evaluation considerations Pohl, Mark, Boschi Expires June 2005 [Page 6] Use of IPFIX for Export of Per-Packet Information The main advantage of this proposed method to export per-packet information is the reduced amount of measurement data that has to be transferred from the exporter to the collector. In addition there is less storage capacity needed at the collector side. On the other hand there is some extra processing power needed on the exporter side to manage flow information and to assign packets to flows. The collector has to process records of two templates instead of just one but has to read and write less data. Additional effort is needed when post processing the measurement data, because now the correlation of flow and packet information is needed. In the above example (see Figure 3) using IPFIX to export the measurement data for each received packet 28 bytes have to be transferred (sourceAddressV4=4, destinationAddressV4=4, classOfServiceV4=1, protocolIdentifier=1, transportSourcePort=2, transportDestionationPort=2, packetTimestamp=8, packetID=4, packetLength=2). Disregarding the IPFIX protocol overhead a flow of 1000 packets produces 28000 bytes of measurement data. Using the proposed optimization each packet produces an export of only 16 bytes (packetTimestamp=8, packetID=4, packetLength=2, flowID=2). The export of the flow information produces 16 bytes (sourceAddressV4=4, destinationAddressV4=4, classOfServiceV4=1, protocolIdentifier=1, transportSourcePort=2, transportDestionationPort=2, flowID =2). For a flow of 1000 packet this sums up to 16016 bytes. This is a decrease of more than 40 percent. 8. IANA Consideration This document does not imply any IANA action. 9. Security Considerations For the proposed use of the IPFIX protocol for export of per-packet information the security considerations as for the IPFIX protocol apply. 10. References 10.1 Normative References [Cla104] Benoit Claise: IPFIX Protocol Specification, IETF draft work in progress , August 2004 10.2 Informative References [DuGG03] Nick Duffield, et Al.: A Framework for Packet Selection and reporting, Internet Draft , September 2004 [DuGr00] Nick Duffield, Matthias Grossglauser: Trajectory Sampling for Direct Traffic Observation, Proceedings of ACM SIGCOMM 2000, Stockholm, Sweden, August 28 - September 1, 2000 [QuZC04] J. Quittek, et Al.: Requirements for IP Flow Information Export, Internet Draft , June 2004 [GrDM98] Ian D. GRAHAM, Stephen F. DONNELLY, Stele MARTIN, Jed MARTENS, John G. CLEARY: Nonintrusive and Accurate Measurement of Unidirectional Delay and Pohl, Mark, Boschi Expires June 2005 [Page 7] Use of IPFIX for Export of Per-Packet Information Delay Variation on the Internet, INET'98, Geneva, Switzerland, July 21-24, 1998 [TPBC03] T. Zseby, E. Boschi, R. Penno, N. Brownlee, B. Claise: IPFIX Applicability, Internet Draft , July 2004 [Cla204] Benoit Claise: PSAMP Protocol Specification, Internet Draft , February 2004 11. Author's Addresses Elisa Boschi Fraunhofer Institute for Open Communication Systems Kaiserin-Augusta-Allee 31 10589 Berlin Germany Phone: +49-30-34 63 7366 Fax: +49-30-34 53 8366 Email: boschi@fokus.fraunhofer.de Lutz Mark Fraunhofer Institute for Open Communication Systems Kaiserin-Augusta-Allee 31 10589 Berlin Germany Phone: +49-30-34 63 7306 Fax: +49-30-34 53 8306 Email: mark@fokus.fraunhofer.de Guido Pohl Fraunhofer Institute for Open Communication Systems Kaiserin-Augusta-Allee 31 10589 Berlin Germany Phone: +49-30-34 63 7164 Fax: +49-30-34 53 8164 Email: pohl@fokus.fraunhofer.de Pohl, Mark, Boschi Expires June 2005 [Page 8] Use of IPFIX for Export of Per-Packet Information 12. Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. 13. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. 14. Disclaimer This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Pohl, Mark, Boschi Expires June 2005 [Page 9]