Internet Draft J. Quittek
Document: draft-quittek-psamp-ipfix-00.txt NEC Europe Ltd.
Expires: April 2003
October 2002
On the Relationship between PSAMP and IPFIX
<draft-quittek-psamp-ipfix-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. Internet-Drafts are
working documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Distribution of this document is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This memo discusses the relationship between the packet sampling
(PSAMP) working group and the IP flow information export (IPFIX)
working group. The goals of writing this memo are: avoiding
duplication of work, increase mutual benefits between the groups, and
harmonize the documents and standards developed by the groups.
Therefore, potential overlap of both group's activities is analyzed,
activities in both groups that potentially complement each other are
pointed out, and common issues are listed that should be harmonized
between the groups.
Juergen Quittek [Page 1]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
Table of Contents
1 Introduction ................................................. 2
2 Working Group Goals .......................................... 3
2.1 IPFIX Goals ................................................ 3
2.2 PSAMP Goals ................................................ 4
3 Architectures ................................................ 4
3.1 IPFIX Architecture ......................................... 5
3.2 PSAMP Architecture ......................................... 5
3.3 Achitecture Comparison ..................................... 6
4 Potential Overlap, Complement, and Harmonization ............. 7
4.1 Terminology ................................................ 7
4.2 Packet selection and sampling model ........................ 7
4.3 PSAMP as IPFIX component ................................... 7
4.3.1 Packet Sampling .......................................... 7
4.3.2 Packet Selection ......................................... 8
4.4 IPFIX export for PSAMP ..................................... 8
4.4.1 Information Model ........................................ 8
4.4.2 Export Protocol .......................................... 8
4.5 Configuration .............................................. 9
5 Security Considerations ...................................... 9
6 References ................................................... 9
7 Author's Address ............................................. 10
8 Full Copyright Statement ..................................... 10
1. Introduction
The packet sampling (PSAMP) working group and the IP flow information
export (IPFIX) working group both aim at standardizing technology for
observing traffic a network devices and for exporting some part of
the observation to other devices. Also, both working groups consider
packet sampling as a component of their technology. While for the
IPFIX WG packet sampling is just one out of many components
considered, it is the focus of the PSAMP WG.
This memo discusses the relationship between the two WGs. The goals
of writing this memo are:
- avoiding duplication of work,
- increase mutual benefits between the groups,
- harmonize the documents and standards developed by the groups.
In order to achive this, the following issues are analyzed:
- potential overlap of both group's activities,
Juergen Quittek [Page 2]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
- potential mutual complements between the groups,
- common issues that should be harmonized.
The analysis start with brief summaries of each WG's goal and a
comparison of the respective architectures. Then four ...
2. Working Group Goals
The following is a brief summary of the goals of the two working
groups. A more detailed description can be found in the respective
working group charters at http://www.ietf.org/html.charters/psamp-
charter.html and http://www.ietf.org/html.charters/ipfix-
charter.html.
2.1. IPFIX Goals
The IP flow information export (IPFIX) working group was estabished
in October 2001 with the goal to select a protocol for IP flow
inforamtion export out of devices measuring network traffic. The
working goup's charter lists the following steps:
- Define the notion of a "standard IP flow".
- Devise data encodings for IP flows.
- Consider the notion of IP flow information export based upon
packet sampling.
- Identify and address any security privacy concerns affecting
flow data.
- Specify the transport mapping for carrying IP flow information
- Ensure that the flow export system is reliable and efficient.
The output of the group will be structured into four documents:
o Requirements for IP flow inforamtion export
o IP flow information architecture
o IP flow information export information model
o IP flow information export applicability
The protocol itself should not be developed by the working group but
selected out of already existing protocols or protocols developed for
this purpose externally of the IETF.
Juergen Quittek [Page 3]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
The focus of the working group is on improving and standardizing
existing state-of-the-art technology and common practise.
2.2. PSAMP Goals
The packet sampling (PSAMP) working group was established in August
2002 with the goals of
- specifying a set of selection operations by which packets are
sampled
- specifying the information that is to be made available for
reporting on sampled packets
- describing protocols by which information on sampled packets is
reported to applications
- describing protocols by which packet selection and reporting
configured.
In contrast to IPFIX, the PSAMP WG is chartered to develop new
technology that is not already widely available and for which a
common practise does not exist, so far.
The output of the group will be structured into four documents:
o Framework document
o Packet selector and packet information document
o Report format and report stream format document
o Export and requirements for collectors document
o MIB document
3. Architectures
For both working groups, architectures are still under definition.
This memo tries to sketch the basic architectures as they ar
currently being discussed in [IPFIX-REQ],[IPFIX-ARCH],[PSAMP-FRM],
and [PSAMP-PSS]. These architecture snapshots are used in the
diuscussion of potential overlaps and complements furhter below. It
should be noted that during architecture development, both
architectures might evolve such that some of the arguments stated
below in this memo do not hold anymore.
Juergen Quittek [Page 4]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
3.1. IPFIX Architecture
The IPFIX architecture contains six main components: observation
point, metering process, flow records, exporting process, export
protocol, and collecting process [IPFIX-REQ].
At the observation point, IP packets are observed. Observed packets
are metered by the metering process. Metering results are stored in
flow records. The exporting process exports information stored in
flow records to the collecting process.
+------+ packet +-------+ flow +-------+ flow +-------+
|obser-| headers|meter- | records|export-| records |collec-|
|vation+------->|ing +------->|ing +-------->|ting |
|point | |process| |process| IPFIX |process|
+------+ +-------+ +-------+ protocol+-------+
Figure 1: Sketch of the basic IPFIX architecture
Possible entity relationships between these components are not
completely defined, yet. However, in general the assumption holds
that each component may have several instances.
According to [IPFIX-REQ], the metering process can be divided into
packet header capturing, timestamping, classifying, and maintaining
flow records. Before any of these functions, sampling may be applied.
packet header capturing
|
timestamping
|
v
+----->+
| |
| classifying
| |
+------+
|
maintaining flow records
|
v
Figure 2: Functions of the metering process, from [IPFIX-REQ]
3.2. PSAMP Architecture
PSAMP architecture development is even at an earlier stage than the
IPFIX architecture. Therefore, the potential changes until
completion are potentially more significant.
Juergen Quittek [Page 5]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
Basically, the PSAMP architecture contains XX main components:
observation point, packet sampling and selecting process, packet
exporting process, collecting process, and packet sampling
configuration [PSAMP-FRM].
+--------------------------+
---->| Configuration +<-----------+
+----+-----------------+---+ |
| | |
v v |
+------+ pack- +---------+ packet +-------+ packet +---+---+
|obser-| ets |selecting| infor- |export-| infor- |collec-|
|vation+------>|&sampling+------->|ing +------->|ting |
|point | |process | mation |process| mation |process|
+------+ +---------+ +-------+ +-------+
Figure 3: Sketch of the basic PSAMP architecture
Packets are observed at the observation point and selected and/or
sampled by the selecting and sampling process [PSAMP-PSS]. The
generated per packet information is exported by an exporting process
to a collecting process. The selecting and sampling process and the
exporting process are configured either based on external input or by
feedback from the collector.
Again, entity relationships between these components are not clear,
yet, but it can be assumed that each component may have multiple
instances.
3.3. Achitecture Comparison
The basic structure of both architectures is quite similar, but there
are two significant architectural differences that can be observed.
The first one contains the information that is gathered and exported.
IPFIX produces and exports flow records containing information per
flow. This information is created based on the observation of a
potentially large number of packets. In contrast, PSAMP generates
and exports information per packet. Consequently, the PSAMP
architecture contains a selecting and sampling process where the
IPFIX architecture uses a more complex metering process.
The second difference concerns configuration. It is an explicit goal
of the PSAMP WG to define ways of configuring the packet selecting
and sampling process and the exporting process. For IPFIX,
configuration of metering process and exporting process is mentioned
in the requirements document, but there are no plans yet for
standardizing IPFIX configuration.
Juergen Quittek [Page 6]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
4. Potential Overlap, Complement, and Harmonization
4.1. Terminology
As the architecture sketches in Figures 1 and 3 show that there are
several similarities between PSAMP and IPFIX. Both working groups
address the same general subject of observing IP traffic, processing
the observation, and exporting the obtained information.
Therefore, it is desirable and appears to be quite feasible to agree
on a common terminology to be used by both working groups.
4.2. Packet selection and sampling model
The PSAMP WG already started developing a model for packet selection
and packet sampling [PSAMP-PSS]. In the IPFIX WG this issue will
probably not be specified in detail in any of the documents. They
are mentioned implicitly or explicitly as functions of the IPFIX
metering process, but the model of seleting and sampling appears to
be vague. The IPFIX WG should consider using the PSAMP model when
discussing packet selection and sampling.
4.3. PSAMP as IPFIX component
The metering process of IPFIX (shown in Figure 2) contains capturing
packet headers as first step. This function could be provided by a
component implementing the PSAMP architecture in two different ways.
The IPFIX metering process can serve as PSAMP collecting process.
Then packet information sampled by a PSAMP component could be send
from the PSAMP exporting process to the IPFIX metering process using
the PSAMP protocol. Alternatively, without using a standardized
protocol or API, the PSAMP selecting ans sampling process could
directly provide packet information to the IPFIX metering process.
In both cases, the PSAMP component would perform the packet header
capturing function and the sampling function of the IPFIX metering
process, and potenitlally also the timestamping function.
4.3.1. Packet Sampling
The IPFIX metering process considers the applicaton of a sampling
function before each of its other functions. But so far, the IPFIX
working group has not made an effort to clearly specify the sampling
function.
The specification of sampling functions started already in the PSAMP
WG [PSAMP-PSS] should be re-used by the IPFIX WG for defining the
sampling function of the metering process.
Juergen Quittek [Page 7]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
4.3.2. Packet Selection
The IPFIX architecture does not explicitly talk about packet
selection, but the packet header classification function of the IPFIX
metering process implicitly includes the option of packet selection:
For packet headers that cannot be matched to already existing flow
records, a decision need to be made on whether or not to create a new
flow record for this packet.
An explicit packet selection performed by a PSAMP component could
contribute to this function of the IPFIX metering process, for
example by already filtering all packets for which no flow record
would be generated.
4.4. IPFIX export for PSAMP
PSAMP needs to specify an information model, a data model, and a
protocol for exporting packet information. This is similar to the
task of IPFIX, where the same kind of specifications is required for
the export of flow records. IPFIX already made good progress in
specifying an information model [IPFIX-INFO] and the selection of a
protocol is progressing.
4.4.1. Information Model
Therefore, the PSAMP WG should discuss, whether or not output of the
IPFIX WG can be used. The IPFIX flow information model may already
include all information required for modeling packet information.
The PSAMP WG could perform data modeling by just aelectiing a subset
of the IPFIX data model to be used. If the IPFIX model would be fine
in general for PSAMP, but a few packet attributes are missing, then
it should be prefered to the IPFIX WG should be asked to extend their
data model by the missing attributes instead of defining PSAMP
extensions of the model.
4.4.2. Export Protocol
If the IPFIX information model can be adopted by PSAMP, then there is
potential to also use the IPFIX data model and protocol for PSAMP.
In general, this should be possible, because an extreme case of a
flow is a flow containing just a single packet. This is supported by
IPFIX. Furthermore, [IPFIX-REQ] requests the IPFIX protocol to be
flexible and extensible. The PSAMP WG should study the protocol
selected as IPFIX protocol and discuss using it also as PSAMP
protocol. Of course, it should be investigated carefully, whether or
not there are PSAMP requirements not met by the IPFIX protocol.
Juergen Quittek [Page 8]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
4.5. Configuration
For the IPFIX working group, a configuration protocol or a MIB module
definition is out of scope. But for PSAMP, this is explicitly
mentioned by the charter. It is not clear, whether in the future
there will be a desire to standardize IPFIX configuration. There
might be reason not to so, for example allowing implementors to have
differentiators for their products. However, if the IPFIX WG ever
considers standardizing consideration, it should make sure, that
IPFIX configuration will be consistent with PSAMP configuration.
This applies to the configuration of sampling and packet selection as
well as to the selection of attributes to be exported, the
specification of data collectors to export information to, the export
transmission rate, and the method of congestion handling (if
configurable).
5. Security Considerations
If the PSAMP WG discusses to use the IPFIX protocol also for PSAMP,
it should study carefully, whether or not the PSAMP security
requirements are stricter than the IPFIX security requirements and
whether all PSAMP security requirements are covered by the IPFIX
protocol.
6. References
[IPFIX-REQ] Quittek, J., Zseby, T., Claise, B., Zander, S., Carle, G.,
Norseth, K.C., "Requirements for IP Flow Information
Export", work in progress, <draft-ietf-ipfix-reqs-06.txt>,
September 2002.
[IPFIX-ARCH]
Norseth, K.C., Sadasivan, G., "Architecture Model for IP
Flow Information Export", work in progress, <draft-ietf-
ipfix-architecture-02.txt>, June 2002.
[IPFIX-INFO]
Norseth, K.C., Sadasivan, G., "Data Model for IP Flow
Information Export", work in progress, <draft-ietf-ipfix-
data-00.txt>, February 2002.
[PSAMP-FRM] Duffield, N., "A Framework for Passive Packet Measurement",
work in progress, <draft-ietf-psamp-framework-00.txt>,
September 2002.
[PSAMP-PSS] Zseby, T., Molina, M., Raspall, F., "Sampling and Filtering
Techniques for IP Packet Selection", work in progress,
<draft-ietf-psamp-sample-tech-00.txt>, October 2002.
Juergen Quittek [Page 9]
�
Internet-Draft Relationship between PSAMP and IPFIX October 2002
7. Author's Address
Juergen Quittek
NEC Europe Ltd.
Network Laboratories
Adenauerplatz 6
69115 Heidelberg
Germany
Phone: +49 6221 90511-15
EMail: quittek@ccrle.nec.de
8. Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Juergen Quittek [Page 10]