Internet Draft J. Quittek Document: draft-quittek-psamp-ipfix-00.txt NEC Europe Ltd. Expires: April 2003 October 2002 On the Relationship between PSAMP and IPFIX Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC 2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Distribution of this document is unlimited. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract This memo discusses the relationship between the packet sampling (PSAMP) working group and the IP flow information export (IPFIX) working group. The goals of writing this memo are: avoiding duplication of work, increase mutual benefits between the groups, and harmonize the documents and standards developed by the groups. Therefore, potential overlap of both group's activities is analyzed, activities in both groups that potentially complement each other are pointed out, and common issues are listed that should be harmonized between the groups. Juergen Quittek [Page 1] Internet-Draft Relationship between PSAMP and IPFIX October 2002 Table of Contents 1 Introduction ................................................. 2 2 Working Group Goals .......................................... 3 2.1 IPFIX Goals ................................................ 3 2.2 PSAMP Goals ................................................ 4 3 Architectures ................................................ 4 3.1 IPFIX Architecture ......................................... 5 3.2 PSAMP Architecture ......................................... 5 3.3 Achitecture Comparison ..................................... 6 4 Potential Overlap, Complement, and Harmonization ............. 7 4.1 Terminology ................................................ 7 4.2 Packet selection and sampling model ........................ 7 4.3 PSAMP as IPFIX component ................................... 7 4.3.1 Packet Sampling .......................................... 7 4.3.2 Packet Selection ......................................... 8 4.4 IPFIX export for PSAMP ..................................... 8 4.4.1 Information Model ........................................ 8 4.4.2 Export Protocol .......................................... 8 4.5 Configuration .............................................. 9 5 Security Considerations ...................................... 9 6 References ................................................... 9 7 Author's Address ............................................. 10 8 Full Copyright Statement ..................................... 10 1. Introduction The packet sampling (PSAMP) working group and the IP flow information export (IPFIX) working group both aim at standardizing technology for observing traffic a network devices and for exporting some part of the observation to other devices. Also, both working groups consider packet sampling as a component of their technology. While for the IPFIX WG packet sampling is just one out of many components considered, it is the focus of the PSAMP WG. This memo discusses the relationship between the two WGs. The goals of writing this memo are: - avoiding duplication of work, - increase mutual benefits between the groups, - harmonize the documents and standards developed by the groups. In order to achive this, the following issues are analyzed: - potential overlap of both group's activities, Juergen Quittek [Page 2] Internet-Draft Relationship between PSAMP and IPFIX October 2002 - potential mutual complements between the groups, - common issues that should be harmonized. The analysis start with brief summaries of each WG's goal and a comparison of the respective architectures. Then four ... 2. Working Group Goals The following is a brief summary of the goals of the two working groups. A more detailed description can be found in the respective working group charters at http://www.ietf.org/html.charters/psamp- charter.html and http://www.ietf.org/html.charters/ipfix- charter.html. 2.1. IPFIX Goals The IP flow information export (IPFIX) working group was estabished in October 2001 with the goal to select a protocol for IP flow inforamtion export out of devices measuring network traffic. The working goup's charter lists the following steps: - Define the notion of a "standard IP flow". - Devise data encodings for IP flows. - Consider the notion of IP flow information export based upon packet sampling. - Identify and address any security privacy concerns affecting flow data. - Specify the transport mapping for carrying IP flow information - Ensure that the flow export system is reliable and efficient. The output of the group will be structured into four documents: o Requirements for IP flow inforamtion export o IP flow information architecture o IP flow information export information model o IP flow information export applicability The protocol itself should not be developed by the working group but selected out of already existing protocols or protocols developed for this purpose externally of the IETF. Juergen Quittek [Page 3] Internet-Draft Relationship between PSAMP and IPFIX October 2002 The focus of the working group is on improving and standardizing existing state-of-the-art technology and common practise. 2.2. PSAMP Goals The packet sampling (PSAMP) working group was established in August 2002 with the goals of - specifying a set of selection operations by which packets are sampled - specifying the information that is to be made available for reporting on sampled packets - describing protocols by which information on sampled packets is reported to applications - describing protocols by which packet selection and reporting configured. In contrast to IPFIX, the PSAMP WG is chartered to develop new technology that is not already widely available and for which a common practise does not exist, so far. The output of the group will be structured into four documents: o Framework document o Packet selector and packet information document o Report format and report stream format document o Export and requirements for collectors document o MIB document 3. Architectures For both working groups, architectures are still under definition. This memo tries to sketch the basic architectures as they ar currently being discussed in [IPFIX-REQ],[IPFIX-ARCH],[PSAMP-FRM], and [PSAMP-PSS]. These architecture snapshots are used in the diuscussion of potential overlaps and complements furhter below. It should be noted that during architecture development, both architectures might evolve such that some of the arguments stated below in this memo do not hold anymore. Juergen Quittek [Page 4] Internet-Draft Relationship between PSAMP and IPFIX October 2002 3.1. IPFIX Architecture The IPFIX architecture contains six main components: observation point, metering process, flow records, exporting process, export protocol, and collecting process [IPFIX-REQ]. At the observation point, IP packets are observed. Observed packets are metered by the metering process. Metering results are stored in flow records. The exporting process exports information stored in flow records to the collecting process. +------+ packet +-------+ flow +-------+ flow +-------+ |obser-| headers|meter- | records|export-| records |collec-| |vation+------->|ing +------->|ing +-------->|ting | |point | |process| |process| IPFIX |process| +------+ +-------+ +-------+ protocol+-------+ Figure 1: Sketch of the basic IPFIX architecture Possible entity relationships between these components are not completely defined, yet. However, in general the assumption holds that each component may have several instances. According to [IPFIX-REQ], the metering process can be divided into packet header capturing, timestamping, classifying, and maintaining flow records. Before any of these functions, sampling may be applied. packet header capturing | timestamping | v +----->+ | | | classifying | | +------+ | maintaining flow records | v Figure 2: Functions of the metering process, from [IPFIX-REQ] 3.2. PSAMP Architecture PSAMP architecture development is even at an earlier stage than the IPFIX architecture. Therefore, the potential changes until completion are potentially more significant. Juergen Quittek [Page 5] Internet-Draft Relationship between PSAMP and IPFIX October 2002 Basically, the PSAMP architecture contains XX main components: observation point, packet sampling and selecting process, packet exporting process, collecting process, and packet sampling configuration [PSAMP-FRM]. +--------------------------+ ---->| Configuration +<-----------+ +----+-----------------+---+ | | | | v v | +------+ pack- +---------+ packet +-------+ packet +---+---+ |obser-| ets |selecting| infor- |export-| infor- |collec-| |vation+------>|&sampling+------->|ing +------->|ting | |point | |process | mation |process| mation |process| +------+ +---------+ +-------+ +-------+ Figure 3: Sketch of the basic PSAMP architecture Packets are observed at the observation point and selected and/or sampled by the selecting and sampling process [PSAMP-PSS]. The generated per packet information is exported by an exporting process to a collecting process. The selecting and sampling process and the exporting process are configured either based on external input or by feedback from the collector. Again, entity relationships between these components are not clear, yet, but it can be assumed that each component may have multiple instances. 3.3. Achitecture Comparison The basic structure of both architectures is quite similar, but there are two significant architectural differences that can be observed. The first one contains the information that is gathered and exported. IPFIX produces and exports flow records containing information per flow. This information is created based on the observation of a potentially large number of packets. In contrast, PSAMP generates and exports information per packet. Consequently, the PSAMP architecture contains a selecting and sampling process where the IPFIX architecture uses a more complex metering process. The second difference concerns configuration. It is an explicit goal of the PSAMP WG to define ways of configuring the packet selecting and sampling process and the exporting process. For IPFIX, configuration of metering process and exporting process is mentioned in the requirements document, but there are no plans yet for standardizing IPFIX configuration. Juergen Quittek [Page 6] Internet-Draft Relationship between PSAMP and IPFIX October 2002 4. Potential Overlap, Complement, and Harmonization 4.1. Terminology As the architecture sketches in Figures 1 and 3 show that there are several similarities between PSAMP and IPFIX. Both working groups address the same general subject of observing IP traffic, processing the observation, and exporting the obtained information. Therefore, it is desirable and appears to be quite feasible to agree on a common terminology to be used by both working groups. 4.2. Packet selection and sampling model The PSAMP WG already started developing a model for packet selection and packet sampling [PSAMP-PSS]. In the IPFIX WG this issue will probably not be specified in detail in any of the documents. They are mentioned implicitly or explicitly as functions of the IPFIX metering process, but the model of seleting and sampling appears to be vague. The IPFIX WG should consider using the PSAMP model when discussing packet selection and sampling. 4.3. PSAMP as IPFIX component The metering process of IPFIX (shown in Figure 2) contains capturing packet headers as first step. This function could be provided by a component implementing the PSAMP architecture in two different ways. The IPFIX metering process can serve as PSAMP collecting process. Then packet information sampled by a PSAMP component could be send from the PSAMP exporting process to the IPFIX metering process using the PSAMP protocol. Alternatively, without using a standardized protocol or API, the PSAMP selecting ans sampling process could directly provide packet information to the IPFIX metering process. In both cases, the PSAMP component would perform the packet header capturing function and the sampling function of the IPFIX metering process, and potenitlally also the timestamping function. 4.3.1. Packet Sampling The IPFIX metering process considers the applicaton of a sampling function before each of its other functions. But so far, the IPFIX working group has not made an effort to clearly specify the sampling function. The specification of sampling functions started already in the PSAMP WG [PSAMP-PSS] should be re-used by the IPFIX WG for defining the sampling function of the metering process. Juergen Quittek [Page 7] Internet-Draft Relationship between PSAMP and IPFIX October 2002 4.3.2. Packet Selection The IPFIX architecture does not explicitly talk about packet selection, but the packet header classification function of the IPFIX metering process implicitly includes the option of packet selection: For packet headers that cannot be matched to already existing flow records, a decision need to be made on whether or not to create a new flow record for this packet. An explicit packet selection performed by a PSAMP component could contribute to this function of the IPFIX metering process, for example by already filtering all packets for which no flow record would be generated. 4.4. IPFIX export for PSAMP PSAMP needs to specify an information model, a data model, and a protocol for exporting packet information. This is similar to the task of IPFIX, where the same kind of specifications is required for the export of flow records. IPFIX already made good progress in specifying an information model [IPFIX-INFO] and the selection of a protocol is progressing. 4.4.1. Information Model Therefore, the PSAMP WG should discuss, whether or not output of the IPFIX WG can be used. The IPFIX flow information model may already include all information required for modeling packet information. The PSAMP WG could perform data modeling by just aelectiing a subset of the IPFIX data model to be used. If the IPFIX model would be fine in general for PSAMP, but a few packet attributes are missing, then it should be prefered to the IPFIX WG should be asked to extend their data model by the missing attributes instead of defining PSAMP extensions of the model. 4.4.2. Export Protocol If the IPFIX information model can be adopted by PSAMP, then there is potential to also use the IPFIX data model and protocol for PSAMP. In general, this should be possible, because an extreme case of a flow is a flow containing just a single packet. This is supported by IPFIX. Furthermore, [IPFIX-REQ] requests the IPFIX protocol to be flexible and extensible. The PSAMP WG should study the protocol selected as IPFIX protocol and discuss using it also as PSAMP protocol. Of course, it should be investigated carefully, whether or not there are PSAMP requirements not met by the IPFIX protocol. Juergen Quittek [Page 8] Internet-Draft Relationship between PSAMP and IPFIX October 2002 4.5. Configuration For the IPFIX working group, a configuration protocol or a MIB module definition is out of scope. But for PSAMP, this is explicitly mentioned by the charter. It is not clear, whether in the future there will be a desire to standardize IPFIX configuration. There might be reason not to so, for example allowing implementors to have differentiators for their products. However, if the IPFIX WG ever considers standardizing consideration, it should make sure, that IPFIX configuration will be consistent with PSAMP configuration. This applies to the configuration of sampling and packet selection as well as to the selection of attributes to be exported, the specification of data collectors to export information to, the export transmission rate, and the method of congestion handling (if configurable). 5. Security Considerations If the PSAMP WG discusses to use the IPFIX protocol also for PSAMP, it should study carefully, whether or not the PSAMP security requirements are stricter than the IPFIX security requirements and whether all PSAMP security requirements are covered by the IPFIX protocol. 6. References [IPFIX-REQ] Quittek, J., Zseby, T., Claise, B., Zander, S., Carle, G., Norseth, K.C., "Requirements for IP Flow Information Export", work in progress, , September 2002. [IPFIX-ARCH] Norseth, K.C., Sadasivan, G., "Architecture Model for IP Flow Information Export", work in progress, , June 2002. [IPFIX-INFO] Norseth, K.C., Sadasivan, G., "Data Model for IP Flow Information Export", work in progress, , February 2002. [PSAMP-FRM] Duffield, N., "A Framework for Passive Packet Measurement", work in progress, , September 2002. [PSAMP-PSS] Zseby, T., Molina, M., Raspall, F., "Sampling and Filtering Techniques for IP Packet Selection", work in progress, , October 2002. Juergen Quittek [Page 9] Internet-Draft Relationship between PSAMP and IPFIX October 2002 7. Author's Address Juergen Quittek NEC Europe Ltd. Network Laboratories Adenauerplatz 6 69115 Heidelberg Germany Phone: +49 6221 90511-15 EMail: quittek@ccrle.nec.de 8. Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Juergen Quittek [Page 10]