Internet DRAFT - draft-choukir-tsvwg-flow-metadata-encoding

draft-choukir-tsvwg-flow-metadata-encoding







Internet Engineering Task Force                           T. Eckert, Ed.
Internet-Draft                                                 A. Zamfir
Intended status: Standards Track                              A. Choukir
Expires: January 16, 2014                                       C. Eckel
                                                     Cisco Systems, Inc.
                                                           July 15, 2013


    Protocol Independent Encoding for Signaling Flow Characteristics
             draft-choukir-tsvwg-flow-metadata-encoding-01

Abstract

   This document describes a protocol independent encoding for flow
   characteristics (a.k.a. metadata).  A flow is defined as a set of IP
   packets passing through a network in a given direction.  All packets
   belonging to a particular flow have a set of common properties (e.g.
   IP, port, transport).  Flow metadata exposes key characteristics of
   the flow such as the originating application, the type of media in
   use (e.g.  audio, video) and others as defined in
   [I-D.eckert-intarea-flow-metadata-framework].  The flow
   characteristics are expressed in terms of information elements.
   These information elements are signaled either out of band or in band
   but always along the same path of the flow associated with the
   application.

   [I-D.eckert-intarea-flow-metadata-framework] defines the overall
   framework for flow metadata and the definition of the flow
   characteristics, whereas this document captures the encoding of these
   characteristics.  The mapping of flow metadata encoding to different
   signaling protocols is outside the scope of this document.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 16, 2014.



Eckert, et al.          Expires January 16, 2014                [Page 1]

Internet-Draft           Flow Metadata Encoding                July 2013


Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  Encoding Overview . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  General Principles  . . . . . . . . . . . . . . . . . . .   4
     2.2.  Encoding Goals  . . . . . . . . . . . . . . . . . . . . .   4
       2.2.1.  Transport independence  . . . . . . . . . . . . . . .   5
       2.2.2.  Standard and Vendor Specific Namespaces . . . . . . .   5
       2.2.3.  Multiple Producers  . . . . . . . . . . . . . . . . .   5
       2.2.4.  Upstream and Downstream . . . . . . . . . . . . . . .   6
       2.2.5.  Application to Network and Network to Application . .   6
       2.2.6.  Extensibility . . . . . . . . . . . . . . . . . . . .   6
       2.2.7.  Flexibility . . . . . . . . . . . . . . . . . . . . .   6
       2.2.8.  Per Producer Security . . . . . . . . . . . . . . . .   6
       2.2.9.  Compact Encoding  . . . . . . . . . . . . . . . . . .   7
   3.  Encoding specification  . . . . . . . . . . . . . . . . . . .   7
     3.1.  Layout  . . . . . . . . . . . . . . . . . . . . . . . . .   7
       3.1.1.  Sections  . . . . . . . . . . . . . . . . . . . . . .   7
       3.1.2.  Security Tokens . . . . . . . . . . . . . . . . . . .   8
       3.1.3.  Subsections . . . . . . . . . . . . . . . . . . . . .   9
       3.1.4.  Upstream and Downstream  Blocks . . . . . . . . . . .  10
       3.1.5.  Complete Encoding Example . . . . . . . . . . . . . .  10
       3.1.6.  Compact Encoding Example  . . . . . . . . . . . . . .  11
     3.2.  Encoding Structures . . . . . . . . . . . . . . . . . . .  12
     3.3.  ABNF  . . . . . . . . . . . . . . . . . . . . . . . . . .  15
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  17
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  17
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  17
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  17
     6.2.  Informative References  . . . . . . . . . . . . . . . . .  17
   Appendix A.  Encoding usage examples  . . . . . . . . . . . . . .  18
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  18



Eckert, et al.          Expires January 16, 2014                [Page 2]

Internet-Draft           Flow Metadata Encoding                July 2013


1.  Introduction

   This document describes a protocol independent encoding for flow
   characteristics (a.k.a. metadata).  A flow is defined as a set of IP
   packets passing through a network in a given direction.  All packets
   belonging to a particular flow have a set of common properties (e.g.
   IP, port, transport).  Flow metadata exposes key characteristics of
   the flow such as the originating application, the type of media in
   use (e.g.  audio, video) and others as defined in
   [I-D.eckert-intarea-flow-metadata-framework].  The flow
   characteristics are expressed in terms of information elements.
   These information elements are signaled either out of band or in band
   but always along the same path of the flow associated with the
   application.

   As flow characteristics across different signaling protocols are
   identical, they benefit from a single definition and encoding
   irrespective of the signaling protocol in use (e.g. RSVP
   [I-D.zamfir-tsvwg-flow-metadata-rsvp], STUN
   [I-D.martinsen-mmusic-malice], and PCP [I-D.wing-pcp-flowdata]).
   Different network deployments call for different protocols or
   combination of protocols as described in
   [I-D.eckert-intarea-flow-metadata-framework].  The flow
   characteristics can be processed by intermediate network nodes for
   the purpose of applying a particular treatment to the flow or simply
   for gathering insight on the nature of the traffic crossing the
   network node.

   Flows, and the corresponding metadata, are inherently unidirectional,
   in the direction from the source to the destination (e.g. from Alice
   to Bob).  In some cases, there may be a related flow in the reverse
   direction (e.g. from Bob to Alice), but this is treated as a separate
   flow, not a bidirectional flow.  The metadata can characterize data
   in the same direction as the flow (upstream) or in the opposite
   direction (downstream).  The encoding mechanism enabling signaling
   for either or both directions.  The metadata can be signaled by the
   application itself and/or by network elements that have visibility of
   the flow data.  The encoding supports distinguishing between
   attribute information originated by an application from attribute
   information originated by a network device.  The encoding allows to
   segregates information coming from the application from information
   coming from the network.









Eckert, et al.          Expires January 16, 2014                [Page 3]

Internet-Draft           Flow Metadata Encoding                July 2013


1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Encoding Overview

2.1.  General Principles

   This specification assumes that the flow is specified by the
   transport protocol which carries the metadata.  As an example, in
   STUN, flow identifiers such as IP addresses and ports are present in
   layer 3 and 4 headers of STUN messages (see
   [I-D.martinsen-mmusic-malice]).  In RSVP, the same is obtained from
   the SESSION and SENDER-TEMPLATE objects (see
   [I-D.zamfir-tsvwg-flow-metadata-rsvp]).  In PCP the source IP is part
   of the request common header; other flow identifiers need to be
   embedded in an opcode data or an option (see[I-D.wing-pcp-flowdata]).

   The Flow Metadata characteristics are to be interpreted in the
   context of the flow defined by the signaling protocol.  In this
   specification Flow Metadata encoding does not carry any flow
   identifiers but merely the flow characteristics.  The specification
   could be extended to carry the flow identifiers if needed.

   The encoding defined herein does not relate to any specific signaling
   but rather allows different signaling protocols to transport flow
   characteristics.  As the encoding is shared amongst several
   protocols, it is versioned independently to allow, if needed, its
   evolution without impacting the signaling protocol.

2.2.  Encoding Goals

   The following goals have been considered in the design of the
   encoding:

   o  Transport independence

   o  Allow for a standard namespace as well as vendor specific
      namespaces

   o  Support multiple producers of flow characteristics

   o  Ability to encode flow characteristics for both the flow itself
      (upstream) and the flow in the reverse direction (downstream).





Eckert, et al.          Expires January 16, 2014                [Page 4]

Internet-Draft           Flow Metadata Encoding                July 2013


   o  Ability to communicate flow characteristics from an application to
      the network as well as from the network back to the application

   o  Extensibility while allowing for backwards compatibility

   o  Flexibility

   o  Support for integrity, authentication and authorization on a per
      producer basis

   o  Compact encoding

2.2.1.  Transport independence

   One goal of this proposal is to provide an encoding that can be used
   by more than one transport protocol.  This should help maintain
   consistency across standardization of flow metadata usage by various
   signaling protocols, and it should simplify implementations that make
   use of different signaling protocols when transporting flow metadata.
   One example is an application that may use different signaling
   protocols depending on the environment, peer protocol support, etc.
   Another is a middlebox on an administrative boundary that may need to
   perform protocol interworking functions.

2.2.2.  Standard and Vendor Specific Namespaces

   Vendors need the ability to define and use proprietary Metadata when
   they are delivering a pre-standard feature or product or when the
   encoded information is of commercially sensitive nature.  This
   specification provides support for both standard and vendor specific
   defined flow characteristics.

2.2.3.  Multiple Producers

   Multiple producers may contribute flow characteristics to the Flow
   Metadata information associated with a given flow.

   Applications are one category of candidates for generating Flow
   Metadata as they have precise knowledge of the flows they insert into
   the network.  Middleboxes constitute a second class of Metadata
   producers.  Deep Packet Inspection engines are deployed to recognize
   the originator and nature of the flows traversing a network.  Media
   Termination Points (e.g. MCU, transcoders) are deployed to offer
   additional services to applications.  Media Termination Points have
   knowledge of the transformations they apply on the flow they receive
   and can therefore update the characteristics of the flow.  Other
   proxies and gateways exist for other applications and could produce
   information in relation to the flow.



Eckert, et al.          Expires January 16, 2014                [Page 5]

Internet-Draft           Flow Metadata Encoding                July 2013


2.2.4.  Upstream and Downstream

   As explained in the introduction, a flow is unidirectional by
   definition, but some use cases and signaling protocols require or
   allow to signal both upstream and downstream flow characteristics.
   For example, in the context of a home user that needs to prioritize
   its upstream and downstream flow an end-to-edge protocol can expose
   flow characteristics to the edge ISP node controlling its access link
   for both its upstream and downstream flow.  This allows the edge node
   to apply proper treatment to both directions.

2.2.5.  Application to Network and Network to Application

   In accordance with [I-D.eckert-intarea-flow-metadata-framework], flow
   characteristics may be communicated both from application to network
   as well as from network to application.  The encoding rules are the
   same regardless of the direction of the communication.  The ability
   to differentiate between the two is provided by the transport
   protocol.  For example, when using PCP, application to network
   communication is via a PCP request, and network to application
   communication is via a PCP response.

2.2.6.  Extensibility

   New use cases and new deployment scenarios will require the use of
   new flow characteristics.  For this reason the encoding should
   support new metadata (i.e. new information elements) in a backwards
   compatible way.  New information element definitions supplement but
   do not redefine existing definitions.  An application or a network
   node always signals its currently supported set of information
   elements and devices leverage the subset they understand for the
   purpose of applying treatment to, or gathering information about, the
   application flows.

2.2.7.  Flexibility

   Distinct use cases and individual applications have a need for
   different subsets of information elements.  The encoding should
   support the signaling of any subset of information elements for that
   purpose.  For example, a video conferencing application might need to
   signal metadata for both its audio and video flows.  A video
   surveillance application might signal video flows only, but may need
   to indicate which one has priority based on embedded analytics.

2.2.8.  Per Producer Security

   Treatment applied on the basis of metadata may involve the
   consumption of scarce network resources and therefore contribute to



Eckert, et al.          Expires January 16, 2014                [Page 6]

Internet-Draft           Flow Metadata Encoding                July 2013


   their exhaustion.  Consequently, integrity, authentication, and
   authorization are all important aspects of any security mechanism
   used to secure the metadata.

   This specification defines an optional security element container;
   however, the actual security mechanism to be used is outside the
   scope of this specification.

2.2.9.  Compact Encoding

   One of the goals of the encoding described in this specification is
   to be compact and consume minimal space in the signaling protocol
   payload.  Most of the protocols have limited space for Metadata
   purposes and do not support semantic fragmentation.  The strategy of
   the encoding is to minimize the encoding structures used for the
   common signaling case.  The common case is foreseen to be the
   application signaling standard flow characteristics.

3.  Encoding specification

3.1.  Layout

   This section describes the encoding layout proposed by this
   specification.  It describes the following:

   o  How the application and network producers coexist using sections
      in Figure 1

   o  Application of an optional security token to a section in Figure 2

   o  The division of a section into standard and vendor specific sub-
      sections in Figure 3

   o  The division of a sub-section into upstream and downstream blocks
      in Figure 4

   o  A full example using all the encoding building blocks in Figure 5

3.1.1.  Sections

   The flow characteristics are grouped in sections within the encoding.
   A section pertains to an application or to a network producer.  To
   segregate application and network producer sections the encoding uses
   a network marker.  The application section does not use a network
   marker and therefore must come first if present.  The encoding MUST
   contain at least an application or a network section.  Figure 1 shows
   an example that contains an application section and two network
   sections.



Eckert, et al.          Expires January 16, 2014                [Page 7]

Internet-Draft           Flow Metadata Encoding                July 2013


                    +--------------------------------+
                    |      Application Section       |
                    +--------------------------------+
                    +--------------------------------+
                    |         Network-1 Marker       |
                    +--------------------------------+
                    +--------------------------------+
                    |                                |
                    |                                |
                    |         Network-1 Section      |
                    |                                |
                    +--------------------------------+
                    +--------------------------------+
                    |         Network-2 Marker       |
                    +--------------------------------+
                    +--------------------------------+
                    |                                |
                    |                                |
                    |         Network-2 Section      |
                    |                                |
                    |                                |
                    |                                |
                    +--------------------------------+

                        Figure 1: Encoding section

3.1.2.  Security Tokens

   A section MAY include at most one security token.  The security
   token, if present, MUST appear at the beginning of the section.  In
   the following example, a separate security token is added to each
   section contained in the previous example.

                    +--------------------------------+
                    |         Security Token         |
                    +--------------------------------+
                    +--------------------------------+
                    |      Application Section       |
                    +--------------------------------+
                    +--------------------------------+
                    |         Network-1 Marker       |
                    +--------------------------------+
                    +--------------------------------+
                    |         Security Token N-1     |
                    +--------------------------------+
                    +--------------------------------+
                    |                                |
                    |                                |



Eckert, et al.          Expires January 16, 2014                [Page 8]

Internet-Draft           Flow Metadata Encoding                July 2013


                    |         Network-1 Section      |
                    |                                |
                    +--------------------------------+
                    +--------------------------------+
                    |         Network-2 Marker       |
                    +--------------------------------+
                    +--------------------------------+
                    |         Security Token N-2     |
                    +--------------------------------+
                    +--------------------------------+
                    |                                |
                    |                                |
                    |         Network-2 Section      |
                    |                                |
                    |                                |
                    |                                |
                    +--------------------------------+

                    Figure 2: Encoding security tokens

3.1.3.  Subsections

   A section may be divided into standard and vendor sub-sections.  A
   section MUST at least have one subsection.  A section MUST contain at
   most one standard sub-section and can contain multiple vendor
   subsections for different vendors.  A standard and a vendor sub-
   section are segregated through a vendor marker.  The standard
   subsection does not use the vendor marker and therefore must come
   first if present.  Figure 3 shows a sample section content.

                    +--------------------------------+
                    |                                |
                    |                                |
                    |      Standard Subsection       |
                    |                                |
                    +--------------------------------+
                    +--------------------------------+
                    |         Vendor-1 Marker        |
                    +--------------------------------+
                    +--------------------------------+
                    |       Vendor-1 Subsection      |
                    |                                |
                    |                                |
                    |                                |
                    |                                |
                    |                                |
                    +--------------------------------+
                    +--------------------------------+



Eckert, et al.          Expires January 16, 2014                [Page 9]

Internet-Draft           Flow Metadata Encoding                July 2013


                    |         Vendor-2 Marker        |
                    +--------------------------------+
                    +--------------------------------+
                    |       Vendor-2 Subsection      |
                    |                                |
                    |                                |
                    |                                |
                    |                                |
                    |                                |
                    +--------------------------------+

                      Figure 3: Encoding subsections

3.1.4.  Upstream and Downstream Blocks

   A subsection MUST contain at least one upstream or downstream block.
   A subsection contains at most one upstream block and at most one
   downstream block.  Upstream and downstream blocks are composed of
   metadata tags, with each tag representing an encoding of a specific
   information element.  If the upstream and downstream blocks are both
   present, the upstream block MUST come first.

                    +--------------------------------+
                    |          Upstream block        |
                    | +------------+  +------------+ |
                    | |  MD tag    |  |  MD tag    | |
                    | +------------+  +------------+ |
                    +--------------------------------+
                    +--------------------------------+
                    |        Downstream block        |
                    | +------------+  +------------+ |
                    | |  MD tag    |  |  MD tag    | |
                    | +------------+  +------------+ |
                    +--------------------------------+

             Figure 4: Encoding upstream and downstream blocks

3.1.5.  Complete Encoding Example

   Figure 5 shows a complete example combining the application and
   network sections together with their standard and vendor sub-
   sections.  The metadata tags appearing in a standard and in a vendor
   sub-section are managed by separate registries.  See
   [I-D.eckert-intarea-flow-metadata-framework] for a full coverage of
   the information model and how the registries are handled.

                 +--------------------------------+
                 |         Security Token         |



Eckert, et al.          Expires January 16, 2014               [Page 10]

Internet-Draft           Flow Metadata Encoding                July 2013


                 +--------------------------------+
                 +--------------------------------+ ^  ^
                 |          Upstream block        | |  |A
                 | +------------+  +------------+ | |  |P
                 | |  MD tag    |  |  MD tag    | | |S |P
                 | +------------+  +------------+ | |T |L
                 +--------------------------------+ |D |I
                 +--------------------------------+ |  |C
                 |         Downstream block       | |  |A
                 | +------------+                 | |  |T
                 | |  MD tag    |                 | |  |I
                 | +------------+                 | |  |O
                 +--------------------------------+ v  |N
                 +--------------------------------+    |
                 |     Vendor section marker      |    |S
                 +--------------------------------+    |E
                 +--------------------------------+ ^  |C
                 |          Upstream block        | |V |T
                 | +------------+  +------------+ | |N |I
                 | |  MD tag    |  |  MD tag    | | |D |O
                 | +------------+  +------------+ | |  |N
                 +--------------------------------+ v  v
                 +--------------------------------+    ^
                 |     Network section marker     |    |
                 +--------------------------------+    |
                 +--------------------------------+    |N
                 |         Security Token         |    |E
                 +--------------------------------+    |T
                 +--------------------------------+    |W
                 |         Downstream block       |    |O
                 | +------------+                 |    |R
                 | |  MD tag    |                 |    |K
                 | +------------+                 |    |
                 +--------------------------------+    |
                 +--------------------------------+    |S
                 |     Vendor section marker      |    |E
                 +--------------------------------+    |C
                 +--------------------------------+    |T
                 |         Downstream block       |    |I
                 | +------------+                 |    |O
                 | |  MD tag    |                 |    |N
                 | +------------+                 |    |
                 +--------------------------------+    v

                    Figure 5: Complete encoding example

3.1.6.  Compact Encoding Example




Eckert, et al.          Expires January 16, 2014               [Page 11]

Internet-Draft           Flow Metadata Encoding                July 2013


   Figure 6 shows an encoding example for flow metadata standard
   characteristics produced by an application for the upstream (same as
   5-tuple) direction.  As can be seen in the figure no network marker
   is used as we are signaling for the application.  In the same way
   there is no vendor marker as we are signaling standard flow
   characteristics.  This example also assumes a use case where no
   security token is needed.  Further examples are given in Appendix A.

                    +--------------------------------+
                    |          Upstream block        |
                    | +------------+  +------------+ |
                    | |  MD tag    |  |  MD tag    | |
                    | +------------+  +------------+ |
                    +--------------------------------+

                    Figure 6: Compact encoding example

3.2.  Encoding Structures

   This section explores the encoding looking more closely at the
   encoding structures.

      Figure 7 shows the encoding used by an application using only
      standard metadata tags.

      Figure 8 shows the encoding used by an application using only
      vendor specific metadata tags.

      Figure 9 shows the encoding for network producers using only
      standard metadata tags.

   The three scenarios expose all the encoding structures.  These
   structures may be combined in various ways to support other
   scenarios.

   The encoding makes use of Type Length Value (TLV) as the base
   building block, plus some level of nesting to create the different
   encoding structures.  The type indicates which encoding structure is
   in use.  In case of a marker, the length gives the size of the marker
   but not of the delimited section or sub-section.

   As explained previously, application and network sections MUST
   contain at least one standard or vendor sub-section and MAY contain a
   security token.  The value of the security token TLV is broken down
   in two parts, a security-scheme indicating the security method used
   and the security-value holding the security payload specific to the
   security scheme.  The definition of the different security schemes
   and their payloads are left to a separate document.



Eckert, et al.          Expires January 16, 2014               [Page 12]

Internet-Draft           Flow Metadata Encoding                July 2013


   The value of the upstream and downstream block TLVs are subdivided in
   metadata tags.  Each tag is itself a TLV specifying a flow
   characteristic.  A metadata tag MUST appear only once in an upstream
   or a downstream block.  On the one hand the security token, the
   upstream and the downstream block, the vendor and network marker
   types are defined within the same registry.  On the other hand the
   tag types are defined in a separate registry from the enclosing
   encoding structures.  The separation of the registries is possible as
   the metadata tags are part of the upstream and downstream block TLV
   value and therefore do not collide with the encoding structures.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+^S
   |        Security-type          |             Length            ||E
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|C
   |       Security-scheme         |                               :|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               :|T
   :                       Security-value                          :|O
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+vK
   |        Upstream-type          |             Length            |  ^U
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+^M|P
   |           Tag-type            |             Length            ||D|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| |B
   :                           Tag-value                           :|T|L
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+v |O
   :                            ...                                :  |C
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  vK
   |        Downstream-type        |             Length            |  ^D
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  |N
   |           Tag-type            |             Length            |  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  |B
   :                           Tag-value                           :  |L
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  |O
   :                            ...                                :  |C
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+  vK

                                 Figure 7

   Figure 8 adds the vendor sub-section marker which starts a vendor
   section.  The vendor marker is a TLV whose type is defined in the
   same registry as the security token.  Its value is the vendor's
   Private Enterprise Number (PEN) allocated by IANA.  The vendor marker
   does not include the downstream and the upstream block but rather
   sets the context to interpret them.  Multiple vendor sub-sections
   within the same application or network section are allowed as long as
   they pertain to different vendors.




Eckert, et al.          Expires January 16, 2014               [Page 13]

Internet-Draft           Flow Metadata Encoding                July 2013


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Security-type          |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Security-scheme         |                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               :
   :                       Security-value                          :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^
   |           PEN-type            |             Length            | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
   |                            PEN-id                             | |V
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |E
   |        Upstream-type          |             Length            | |N
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |D
   |           Tag-type            |             Length            | |O
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |R
   :                           Tag-value                           : |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |S
   :                            ...                                : |E
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |C
   |        Downstream-type        |             Length            | |T
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |I
   |           Tag-type            |             Length            | |O
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |N
   :                           Tag-value                           : |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
   :                            ...                                : |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v

                                 Figure 8

   Figure 9 adds the network marker that starts a network section.  The
   network marker is a TLV whose type is defined within the same
   registry as the security token.  The value of the network marker is
   the network precedence that indicates the administrative preference
   for the network producer flow characteristics.  The precedence allows
   to merge information from different network producers and retain only
   the preferred one.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ^
   |         Network-type          |             Length            | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
   |                          Precedence                           | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
   |        Security-type          |             Length            | |P



Eckert, et al.          Expires January 16, 2014               [Page 14]

Internet-Draft           Flow Metadata Encoding                July 2013


   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |R
   |       Security-scheme         |                               : |O
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               : |D
   :                       Security-value                          : |U
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |C
   |        Upstream-type          |             Length            | |E
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |R
   |           Tag-type            |             Length            | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |S
   :                           Tag-value                           : |E
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |C
   :                            ...                                : |T
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |I
   |        Downstream-type        |             Length            | |O
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |N
   |           Tag-type            |             Length            | |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
   :                           Tag-value                           : |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
   :                            ...                                : |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ v

                                 Figure 9

   All the constructs above can be combined to signal standard and
   vendor specific metadata tags for different producers and allow to
   secure each producer's information independently.

3.3.  ABNF

   MD-block = Version (Application-block / 1*Network-block /
   (Application-block 1*Network-block))

   Network-blocks = Network-tlv Producer-block

   Application-block = Producer-block ; For the application we do not
   ; require the Producer-tlv

   Producer-block = [Security-tlv] (Standard-block / 1*Vendor-block /
   (Standard-block 1*Vendor-block))

   Vendor-blocks = PEN-tlv Flow-block

   Standard-block = Flow-block; We do not require the PEN-tlv
   ; for the standard metadata tags

   Flow-block = Upstream-tlv / Downstream-tlv /
   (Upstream-tlv Downstream-tlv)



Eckert, et al.          Expires January 16, 2014               [Page 15]

Internet-Draft           Flow Metadata Encoding                July 2013


   ; If both present, upstream must come first

   PEN-tlv = PEN-type Length PEN-id

   Network-tlv = Network-type Length Precedence

   Security-tlv = Security-type Length Security-scheme Security-value

   Upstream-tlv = Upstream-type Length Upstream-value

   Upstream-value = Attribute-list

   Downstream-tlv = Downstream-type Length Downstream-value

   Downstream-value = Attribute-list

   Attribute-list = 1*(Attribute-tlv)

   Attribute-tlv = Tag-type Length Attribute-value

   ;---------
   ;TERMINALS
   ;---------

   Version = %x01 ;  NEW-VER will be picked up as the first
   ;  version of the encoding

   PEN-id = 4(OCTET); Private Enterprise Number defined by IANA

   Length = 2(OCTET); 16-bit length field

   Precedence = 4(OCTET);  Indicates the preferred source of information
   ; for a producer-type

   Security-scheme = OCTET; Type of security used

   Security-value =  *(OCTET)
   ; length of this field must match Length of Security-tlv + 2

   Tag-type = 2(OCTET); Value according to IANA/Vendor-specific registry

   Producer-type = Zero %x01; The first foreseen producer is MD-NETWORK
   ; to cover for DPI engines, gateways and others
   ; Further values may be allocated later


   Security-type = Zero %x00 ;




Eckert, et al.          Expires January 16, 2014               [Page 16]

Internet-Draft           Flow Metadata Encoding                July 2013


   Upstream-type = Zero %x01 ;

   Downstream-type = Zero %x02 ;

   PEN-type = Zero %x03 ;

   Network-type = Zero %x04

   Attribute-value = *(OCTET) ;

   Zero = %x00

                                 Figure 10

4.  Security Considerations

   A security token, as described in Section 3.1.2, is a mechanism
   provided as part of the encoding to protect flow characteristics.  A
   signaling protocol used to transport the encoded metadata may provide
   additional security mechanisms.  The protocol specific and encoding
   specific security mechanisms may be used in combination to achieve
   the required level of security.

5.  Acknowledgements

   We would like to thank Yann Poupet and Davide Cuda for reviewing this
   document and helping us proof its content.  We would also like to
   express our gratitude to Sergio Mena de la Cruz for contributing
   ideas, proofing the text and for his work on validating the grammar.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

6.2.  Informative References

   [I-D.eckert-intarea-flow-metadata-framework]
              Eckert, T., Penno, R., Choukir, A., and C. Eckel, "A
              Framework for Signaling Flow Characteristics between
              Applications and the Network", draft-eckert-intarea-flow-
              metadata-framework-00 (work in progress), July 2013.

   [I-D.martinsen-mmusic-malice]





Eckert, et al.          Expires January 16, 2014               [Page 17]

Internet-Draft           Flow Metadata Encoding                July 2013


              Penno, R., Martinsen, P., Wing, D., and A. Zamfir, "Meta-
              data Attribute signaLling with ICE", draft-martinsen-
              mmusic-malice-00 (work in progress), July 2013.

   [I-D.wing-pcp-flowdata]
              Wing, D., Penno, R., and T. Reddy, "PCP Flowdata Option",
              draft-wing-pcp-flowdata-00 (work in progress), July 2013.

   [I-D.zamfir-tsvwg-flow-metadata-rsvp]
              Eckert, T., Zamfir, A., and A. Choukir, "Flow Metadata
              Signaling with RSVP", draft-zamfir-tsvwg-flow-metadata-
              rsvp-00 (work in progress), July 2013.

Appendix A.  Encoding usage examples

   TBD

Authors' Addresses

   Toerless Eckert (editor)
   Cisco Systems, Inc.
   San Jose
   US

   Email: eckert@cisco.com


   Anca Zamfir
   Cisco Systems, Inc.
   Lausanne
   CH

   Email: ancaz@cisco.com


   Amine Choukir
   Cisco Systems, Inc.
   Lausanne
   CH

   Email: amchouki@cisco.com










Eckert, et al.          Expires January 16, 2014               [Page 18]

Internet-Draft           Flow Metadata Encoding                July 2013


   Charles Eckel
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA  95134
   US

   Email: eckelcu@cisco.com












































Eckert, et al.          Expires January 16, 2014               [Page 19]