IPFIX Working Group EDITORS: K.C. Norseth Internet Draft Consultant Expiration Date: December 2002 Ganesh Sadasivan Cisco Systems, Inc. June 2002 Architecture Model for IP Flow Information Export draft-ietf-ipfix-architecture-02.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This memo defines the architecture, for the export of measured IP flow information out of an IPFIX device to a collector, per the requirements defined in [2]. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. Norseth & Sadasivan [Page 1] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 Table of Contents 1 Introduction ........................................... 3 2 Scope .................................................. 3 3 Terminology ............................................ 3 4 IPFIX reference Model .................................. 7 4.1 IPFIX protocol ......................................... 10 4.2 Export Process ......................................... 10 4.3 Observation Domain ..................................... 11 4.4 Metering Process Functions ............................. 11 4.4.1 Flow Classification .................................... 11 4.4.2 Selection Criteria Of Packets .......................... 12 4.4.3 Function on properties that determines a flow type (Fi) . 12 4.4.4 Sampling packets on a flow type (Si) ................... 12 4.5 Selection Criteria of flows for export ................. 13 4.6 Collector .............................................. 13 4.7 Applications ........................................... 14 5 IPFIX Protocol ......................................... 14 5.1 Selection Criteria for IPFIX Protocol .................. 14 5.1.1 Common for IPFIX Device and Collector .................. 14 5.1.2 IPFIX Protocol on IPFIX Device (At Export Process) ..... 14 5.1.3 Intellectual Property Rights ........................... 15 5.1.4 IPFIX Protocol on Collector ............................ 15 5.2 Export Models .......................................... 15 5.2.1 Export Model with Reliable Control Connection .......... 15 5.3 Collector Crash Detection and Recovery ................. 16 5.3.1 Export Model with Reliable Control Connection .......... 16 5.4 Collector Redundancy ................................... 16 6 Security Consideration ................................. 17 6.1 Data security .......................................... 17 6.1.1 No security ............................................ 17 6.1.2 Authentication only .................................... 17 6.1.3 Encryption ............................................. 18 6.2 IPFIX end point authentication ......................... 18 6.3 Denial of service (DoS) attack prevention .............. 19 6.3.1 Network under attack ................................... 19 6.3.2 Generic DoS attack on the IPFIX system ................. 19 6.3.3 IPFIX Specific DoS attack .............................. 19 7 Flow Expiration ........................................ 19 8 IANA Consideration ..................................... 20 9 References ............................................. 20 10 Acknowledgements ....................................... 20 11 Author's Addresses ..................................... 21 12 Full Copyright Statement ............................... 22 Norseth & Sadasivan [Page 2] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 1. Introduction There are several applications e.g., Usage-based Accounting, Traffic Profiling, Traffic engineering, Attack/Intrusion Detection, QoS Monitoring, that require require flow-based IP traffic measurements. It is hence important to have a standard way of exporting information related to IP flows. This document defines architecture for IP traffic flow monitoring, measuring and exporting. It provides a high-level description of the key components and their functions. 2. Scope This document defines architecture for IPFIX. The main objective of this document is to: * Describe the key architectural components of IPFIX. * Define the architectural requirements, e.g., Recovery, Security, etc for the IPFIX framework. * Define the criteria to select the IPFIX Protocol. * Specify the control/data message formats and handshaking details to pass the IP flow information. 3. Terminology * IP Traffic Flow or Flow: A flow is defined as a set of IP packets passing an observation point in the network during a certain time interval. All packets belonging to a particular flow have a set of common properties derived from the data contained in the packet and from the packet treatment at the observation point. In this draft we define the flow more specifically. A flow is defined as a set of packets passing an observation point in the network during a certain time interval. All packets belonging to a particular flow have a set of common properties. Each property is defined as the result of applying a function to the values of: 1. One or more of packet header fields (eg. destination IP address) 2. One or more properties of the packet itself (eg. packet length) 3. One or more of fields derived from packet treatment (eg. AS number) A packet is defined to belong to a flow if it matches all the defined properties of the flow. Each of the fields from 1., 2. Norseth & Sadasivan [Page 3] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 and 3. mentioned above are referred to as flow keys. Though a flow could match a general application-level end-to-end stream, its definition is not restricted to this alone. The above definition covers a broad range from a flow containing all packets observed on a set of observation points to a flow consisting of just a single packet between two applications with a specific sequence number observed at a single observation point. Some examples of flows are listed below: Example 1: To create flows, we define the different fields to distinguish flows. The different combination of the field values creates unique flows. If the keys are defined as {source IP address, destination IP address, TOS}, then all of these are different flows. 1. {192.1.40.1, 171.6.23.5, 4} 2. {192.1.40.23, 171.6.23.67, 4} 3. {192.1.40.23, 171.6.23.67, 2} 4. {198.20.9.200, 171.6.23.67, 4} Example 2: To create flows, we can apply a match function to all the packets that pass through an observation point, in order to aggregate some values. This could be done by defining the keys as {source IP address, destination IP address, TOS} like in the example 1, and applying the function which masks the least significant 8 bits of the source IP address and destination IP address (i.e. the resultant is a /24 address). The 4 flows from example 1 would now be aggregated into 3 flows, by merging the flows 1. and 2. into a single flow. 1. {192.1.40.0/24, 171.6.23.0/24, 4} 2. {192.1.40.0/24, 171.6.23.0/24, 2} 3. {198.20.9.0/24, 171.6.23.0/24, 4} Example 3: To create flows, we can filter some field values on all packets that pass the observation point, in order to select only certain flows. The filter is defined by choosing fixed values for specific fields from the packet. All the packets that go from a customer network 192.1.40.0/24 to another customer network 171.6.23.0/24 with TOS value of 4 define a flow. All other combinations don't define a flow and are not taken into account. The 3 flows from example 2 would now be reduced to 1 flow, by filtering away the second and the third flow. {192.1.40.0/24, 171.6.23.0/24, 4}. The above example can be thought of as a function F takes as input {source IP address, destination IP address, TOS}. The Norseth & Sadasivan [Page 4] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 function selects only the packets which satisfy all the 3 conditions which are: * mask the least significant 8 bits of source IP address, compare against 192.1.40.0. * mask the least significant 8 bits of destination IP address, compare against 171.6.23.0. * tos value equal to 4. Depending on the values of {source IP address, destination IP address, TOS} of the different observed packets, the metering process function F would choose/filter/aggregate different sets of packets, which would create different flows. In other words, based on various combination of values of {source IP address, destination IP address, TOS}, F(source IP address, destination IP address, TOS) would result in the definition of one or more flows. The function F is referred to as Flow Type. * Flow Key: Each of the fields which belong to 1. Packet header (eg. destination IP address) 2. Property of the packet itself (eg. packet length) 3. Derived from packet treatment (eg. AS number) which is used to define a flow is termed as flow key. * Flow Type: A function F which would take input as a set of flow keys and the output would be one or more flows depending on the combination of values for the set of flow keys. * Flow Record: A flow record contains information about a specific flow that was metered at an observation point. A flow record contains measured properties of the flow (e.g. the total number of bytes of all packets of the flow) and usually characteristic properties of the flow (e.g. source IP address). * Export Process: The process of sending flow records to one or more collectors. * IPFIX Device: A device hosting at least an observation point, a metering process and a export process. Typically, corresponding observation point(s), metering process(es), and exporter process(es) are co-located at this device, for example, at a router. Norseth & Sadasivan [Page 5] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 * Collector: The collector receives flow records from one or more exporters. The collector might process or store received flow record, but these actions are out of the scope of this document. * Observation Point: The observation point is a location in the network where IP packets can be observed. Examples are, a line to which a probe is attached, a shared medium, such as an Ethernet-based LAN, a single port of a router, or a set of interfaces (physical or logical) of a router. * Metering Process: The metering process generates flow records. Input to the process are IP packets observed in an observation point. The metering process consists of a set of functions that includes packet header capturing, timestamping, sampling, classifying, and maintaining flow records. * Observation Domain: The set of observation points which is the largest aggregatable set of flow information at the IPFIX Device is termed as an observation domain. The observation domain presents itself a unique ID to the collector for identifying the export packets generated by it. One or more Observation Domains can interface with the same export process. Example: The observation domain could be a router line-card, composed of several interfaces with each interface being an observation point. * Template: Template is an ordered n-tuple (eg. , TLV), used to completely identify the structure and semantics of a particular information that needs to be communicated from the IPFIX Device to the collector. Each template is uniquely identifiable by some means (eg. by using a Template ID). * Control Information, Data Stream: The information that needs to be exported from the IPFIX device can be classified into the following categories: - Control Information : This includes the flow type definition, selection criteria for packets within the flow send by the export process and any IPFIX protocol messages (eg. Keepalives). This stream carries all the information for the end-points to understand the IPFIX protocol and specifically for the receiver to understand and interpret the data send by the sender. Norseth & Sadasivan [Page 6] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 - Flow record : This includes data records corresponding to the information on various observed flows at each of the observation point.This is also called as Data Stream. The definitions in this section is intended be identical with that in the IPFIX data model [3] and in the event of a discrepancy, the definition specified in this document supercedes the one defined in the latter. 4. IPFIX reference Model The figure below shows the reference model for IPFIX. This figure covers the various possible scenarios that can exist in an IPFIX system. +----------------+ +----------------+ |[*Application 1]| ..|[*Application n]| +--------+-------+ +-------+--------+ ^ ^ ~ ~ +~~~~~~~~~~+~~~~~~~~+ ! v +---------------------+ +------------------+ |IPFIX Device(1) | | Collector(1) | |[Export Process] |<--------------->| | | | | | +---------------------+ +------------------+ .... .... +----------------------+ +------------------+ |IPFIX Device(i) | | Collector(j) | |[Obsv Point(s)] |<-------------->| [*Application(s)]| |[Metering Process(es)]| +---->| | |[Export Process] | | +------------------+ +----------------------+ . .... . .... +----------------------+ | +------------------+ |IPFIX Device(m) | | | Collector(n) | |[Obsv Point(s)] |<---------+---->| [*Application(s)]| |[Metering Process(es)]| | | |[Export Process] | +------------------+ +----------------------+ The various functional components are indicated within []. The functional components within [*] are not part of the IPFIX framework. Norseth & Sadasivan [Page 7] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 The interfaces shown by "<-->" are defined by the the IPFIX framework and those shown by "<~~>" are not. The figure below shows a typical IPFIX device. Norseth & Sadasivan [Page 8] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 +---------------------------------------------------+ | IPFIX Device | | +---------------------------------------+ +-----+ | | | Observation Domain 1 | | e | | | | +------------------------+ (*) | | | | | | | Selection Criteria for +----+---------> x | | | | | Flow export | | | | | | | | +------------------------+ | | | p | | | | ^ ^ | | | | | | | |(*) | (*) | | | o | | | | | | | | | | | | | +---......--+------------+ | | r | | | | | | | | | | | | +----+----+ +----+----+ | | t | | | | |Metering | |Metering | | | | | | | |Process 1| |Process N| | | | | | | |(Packet | |(Packet | | | | | | | | Level) | | Level) | | | | | | | +---------+ +---------+ | | | | | | ^ ^ | | | | | | | | | | | | | | +-----+------+ +-----+------+| | | | | | |Obsv Point 1| ... |Obsv Point M|| | | | | | +------------+ +------------+| | | | | +---------------------------------------+ | | |export | .... | ------> | +---------------------------------------+ | P | |towards | | Observation Domain K | | | |the | | +------------------------+ (*) | | r | |collector(s) | | | Selection Criteria for +----+---------> | | | | | Flow export | | | | o | | | | +------------------------+ | | | | | | | ^ ^ | | | c | | | | |(*) | (*) | | | | | | | | | | | | e | | | | +---......--+------------+ | | | | | | | | | | s | | | | +----+----+ +----+----+ | | | | | | |Metering | |Metering | | | s | | | | |Process 1| |Process N| | | | | | | +---------+ +---------+ | | | | | | ^ ^ | | | | | | | | | | | | | | +-----+------+ +-----+------+| | | | | | |Obsv Point 1| ... |Obsv Point M|| | | | | | +------------+ +------------+| | | | | +---------------------------------------+ +-----+ | +---------------------------------------------------+ Norseth & Sadasivan [Page 9] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 In this figure the functional blocks are shown in rectangular boxes. The interface shown by (*) is applicable only if the optional metering process at the flow level is present. Otherwise the metering process(es) at the packet level interfaces directly with the exporting function. Note that in case of multiple observation domains, a unique ID per observation domain must be transmitted as a parameters to the exporting function. 4.1. IPFIX protocol At the IPFIX device, the protocol functionality may be split between observation domain and export process. At a high level, IPFIX protocol at the IPFIX device does the following: 1. Encode the control information into templates. 2. Encode the flows observed at the observation points into flow records. 3. Packetize the flow record and/or control information into export packets based on the export policies. 4. Use the underlying transport layer to send the export packets to the collector. At a high level, IPFIX protocol at the collector is responsible for the following: 1. Receive and store the control information. 2. Decode and store the flow records using the control information. 4.2. Export Process The Export Process is the functional block that interacts with observation domain(s) on one side and collector(s) on the other side. The typical functions of an export process may include: * Accept control information and data streams from one or more observation domains and separate them into separate export packet streams based on observation domain. * Run the part of the IPFIX protocol which deals with packetization and transport of flow records/control information with the collector. This involves: - Gather flow records from the metering process(es) and export them towards the collector(s), using the data stream. Norseth & Sadasivan [Page 10] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 - Export the control information regarding the flow and metering process(es) towards the collector(s). * Optionally monitor the status of the collector and execute a fail over in case of problem. 4.3. Observation Domain The Observation Domain is the functional block, which MUST manage the flows generated from all the valid {Observation Point, Metering Process} combination defined within itself. The typical functions of an Observation Domain MAY include: * Encoding the flow records and sending them to the export process. * Encoding the control information into templates and sending them to the export process. * Deciding which flow records/control information to export using rules based on time, thresholds, configuration events etc. * Aggregating flow records generated by one or more metering processes. * Flow record maintenance which may include creating new records, updating existing ones, computing flow statistics, deriving further flow properties, adding non-flow specific information (in some cases fields like AS numbers) detecting flow expiration, passing flows record to the exporting process, and deleting flow records. * Perform appropriate middle-box functions to translate the flow information. 4.4. Metering Process Functions 4.4.1. Flow Classification The collector MUST be able to map the flow record to the corresponding property types defined by the flow type. In addition the collector, when it receives the flow records, MAY need the following to interpret the flow records further: a. Observation Point. b. Selection Criteria of Packets A flow record can be better analyzed if the Observation Point from which it is measured is known. As such it is recommended that the flow record carry the Observation Point information along with the flow records when exported. In cases where there is a single observation point or where the observation point information is not relevant, the exporter MAY choose not to add this to the flow records. Norseth & Sadasivan [Page 11] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 4.4.2. Selection Criteria Of Packets The measurement device MAY define rules so that only certain packets within a flow can be chosen for measurement at an observation point. This MAY be done by one of the two types of methods defined below or a combination of them. A combination of each of these ways can be adopted to select the packets .i.e. one can define a set of methods {F1, S1, F2, S2, S3} executed in certain sequence at an observation point to collect flows of a particular type. 4.4.3. Function on properties that determines a flow type (Fi) Packets that satisfy a function on the fields defined by the packet header fields or fields obtained while doing the packet processing or the properties of the packet itself. Example: Mask/Match of the fields that define a filter. The filter may be defined as {Protocol == TCP, Destination Port between 80 and 120}. Multiple such filters could be used in any sequence to select packets. 4.4.4. Sampling packets on a flow type (Si) Packets that satisfy the sampling criteria for this flow type. Example: Sample every 100th packet that was received at an observation point and collect the flow information for a particular flow type. choosing all the packets is a special case where sampling rate is 1:1. The figure below shows the operations which MAY be applied as part of a typical metering process. Norseth & Sadasivan [Page 12] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 packet header capturing | timestamping | v +----->+ | | | sampling Si (1:1 in case of no sampling) | | | classifying Fi (NULL when No criteria) | | +------+ | | v Flows 4.5. Selection Criteria of flows for export There MAY be additional rules defined within the observation domain so that only certain flows records are picked up for export. This MAY be done by either one or a combination of Si, Fi. Example: The flow records which meet the following selection criteria are only exported. 1. All flow records whose destination IP address matches {20.3.1.5}. 2. Every other (.i.e. sampling rate 1 in 2) flow record whose destination IP address matches {160.0.1.30}. 4.6. Collector Collector is a subsystem that interacts with one or more IPFIX devices. The functions of the collector MAY include: * Identifying, accepting and decoding export packets from different {Export Process, Observation Domain} pairs . * Running the IPFIX protocol. * Storing the control information and flow records received from IPFIX device. * Notifying the IPFIX device its status and problems. Norseth & Sadasivan [Page 13] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 4.7. Applications Applications that use the information collected by IPFIX may be Billing, Intrusion Detection sub-systems, etc. These applications may be an integral part of the collector or collocated to the collector. The way by which these applications interface with IPFIX system to get the desired information is out of this document's scope. 5. IPFIX Protocol 5.1. Selection Criteria for IPFIX Protocol There are existing standard practices in the area of flow export like Netflow, CRANE, LFAP etc. The charter mentions to choose the the protocol among these existing practices that fits the IPFIX requirements the most. There may be additions or modifications made to the chosen protocol to fit it exactly into the IPFIX architecture. The following is the list of criteria that the candidate protocol SHOULD meet in order to be the qualified into the IPFIX architecture. This is based on the requirements specified in the requirement document [2]. 5.1.1. Common for IPFIX Device and Collector 1. Transparency over transport protocol. Ability to operate over a congestion aware transport like TCP or SCTP is a MUST. 2. Transparency over any underlying security protocols. 3. The protocol SHOULD be based on a flexible data model based on templates. 4. The protocol SHOULD be based on a extensible information model. 5.1.2. IPFIX Protocol on IPFIX Device (At Export Process) 1. Ability to detect loss of connectivity with the collector and trigger the appropriate action (eg. a switch over to an alternate collector.) 2. Optionally export flow records to multiple collectors. 3. Optionally re-transmit lost flow records. 4. Exchange control information from the collector, monitor export process and detect any overload in the process of exporting. Norseth & Sadasivan [Page 14] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 5.1.3. Intellectual Property Rights The protocol must abide by the intellectual property rights as defined in rfc: 2026. Specifically section: 10.3.1. All Contributions. If the protocol does not abide by this, it will not be considered. 5.1.4. IPFIX Protocol on Collector 1. Receive and decode the flow records from the IPFIX devices. 2. Ability to indicate flow record losses to the exporting IPFIX device and/or IPFIX users. 3. Optionally notify the status and overload conditions to the IPFIX device. Once the selection is made from the set of candidate protocols, this section would be replaced by the chosen protocol. 5.2. Export Models 5.2.1. Export Model with Reliable Control Connection As mentioned in the selection criteria, the control information and data stream MUST be transported over a congestion-aware transport protocol. If the network in which the IPFIX device and collector are located does not guarantee reliability, at least the control information SHOULD be exported over a reliable transport. There could be network security concerns between IPFIX device and collector. To avoid re-inventing the wheel, and to reduce the complexity of flow export protocol, one or a combination of the following methods MAY be adopted as a solution to achieve security : * IP Authentication Header MAY be used when the threat environment requires stronger integrity protections, but does not require confidentiality. * IP Encapsulating Security Payload (ESP) MAY be used to provide confidentiality and integrity. * If the transport protocol used is TCP, optionally TCP MD5 signature option MAY be used to protect against spoofed TCP segments. * If the transport protocol used is TCP, optionally TLS MAY be used to add integrity, authenticity and confidentiality. The data stream MAY be exported over an reliable or unreliable transport protocol. Norseth & Sadasivan [Page 15] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 As explained above the transport connection (in the case of a connection oriented protocol) is pre-setup between the IPFIX device and the collector. Once connected, the collector side receives the control information and uses this information to interpret the flow records. The IPFIX device SHOULD set the keepalive (eg. keepalive timeout in the case of TCP; the HEARTBEAT interval in the case of SCTP; IPFIX protocol level Keepalive if any) to a sufficiently low value so that it can quickly detect a collector crash. 5.3. Collector Crash Detection and Recovery 5.3.1. Export Model with Reliable Control Connection The collector crash is detected at the IPFIX device by the break in control connection (depending on the transport protocol the connection timeout mechanisms differ). On detecting a Keepalive timeout, the IPFIX device SHOULD stop sending the flow export data to the collector and try reconnecting the transport connection. This is valid for a single collector scenario. If there are multiple collectors for the same IPFIX device, the IPFIX device opens control connections to each of the collectors. But data gets sent only to one of the collectors which is chosen as the primary. There could be one or more collectors configured as secondary and a priority assigned to them. The primary collector crash is detected at the IPFIX device by the break in control connection (depending on the transport protocol the connection timeout mechanisms differ). On detecting loss of connectivity, the IPFIX device opens data stream with the secondary collector of the next highest priority. This collector now becomes the primary. The maximum export data loss would be the amount of data exported in the time between when the loss of connectivity to the collector happened, and the time at which this was detected by the IPFIX device. 5.4. Collector Redundancy Since IPFIX protocol requires a congestion-aware transport, achieving redundancy using multicast is not an option. Multiple pairs could be setup, each to a different collector from the same IPFIX device. The control and data information are then replicated on each of the control information and data stream. Norseth & Sadasivan [Page 16] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 6. Security Consideration IP flow information can be used for various purposes, such as usage accounting, traffic profiling, traffic engineering, and intrusion detection. For each application, the security requirement may differ significantly from one to another. To be able to satisfy the security needs of various IPFIX users, the architecture of IPFIX MUST provide different levels of security protection. 6.1. Data security IPFIX data consists of control information and data stream generated by the IPFIX device. The IPFIX data may exist in both the IPFIX device and the collector. In addition, the data is also transferred on the wire from the exporter to the collector when it is reported. To provide security, the data SHOULD be protected from adversity. The protection of IPFIX data within the end system (IPFIX device and collector) is out of the scope. It is assumed that the end system operator will provide adequate security for the IPFIX data. The IPFIX architecture MUST allow different levels of protection to the IPFIX data on the wire. Where ever security functions are required it is recommended to leverage to lower layers using either IPsec or TLS, if they can successfully satisfy the security requirement of IPFIX data protection. To protect the data on the wire, three levels of granularity SHOULD be supported: 6.1.1. No security No security is required when the transport between the IPFIX device and the collector is perceived as safe. This option allows the protocol to run most efficiently without extra overhead and an IPFIX solution MUST support it. 6.1.2. Authentication only The authentication only protection provides the IPFIX users the assurance of data integrity and authenticity. The data exchanged between the IPFIX device and the collector is protected by authentication signature. Any modification of the IPFIX data will be Norseth & Sadasivan [Page 17] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 detected by the recipient, resulting in discarding of the received data. However, the authentication only option doesn't offer data confidentiality. The IPFIX user SHOULD avoid use this option when sensitive or confidential information is being exchanged. An IPFIX solution SHOULD support this option. The authentication only option SHOULD provide replay attack protection. Some means to achieve this level of security are: * TCP with MD5 options. * IP Authentication Header 6.1.3. Encryption Data encryption provides the best protection for IPFIX data. The IPFIX data is encrypted at the sender and only the intended recipient can decrypt and have access to the data. This option MUST be used when the transport between the exporter and the collector are unsafe and the IPFIX data needs to be protected. It is recommended to use the underlying security layer functions for this purpose. Some means to achieve this level of security are: * Encapsulating Security Payload. * Transport Layer Security Protocol The data encryption option adds overhead to the IPFIX data transfer. It may limit the rate that an export can report its flow to the collector due to the heavy resource requirement of running encryption. 6.2. IPFIX end point authentication It is important to make sure that the IPFIX device is talking to the "right" collector instead of a masqueraded collector. The same logic also holds true from the collector point of view that it want to make sure it is collecting the flow information from the "right" IPFIX device. The IPFIX architecture SHOULD allow the authentication capability so that either one-way or mutual authentication can be performed between the IPFIX device and collector. The IPFIX architecture SHOULD use the existing transport protection protocols such as TLS to fulfill the authentication requirement. Norseth & Sadasivan [Page 18] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 6.3. Denial of service (DoS) attack prevention Since one of the potential usages for IPFIX is for intrusion detection, it is important for the IPFIX architecture to support some kind of DoS resistance. 6.3.1. Network under attack The Network itself may be under attack, resulting in an overwhelming number of IPFIX messages. The IPFIX SHOULD try to capture as much information as possible. However, when large amount IPFIX messages are generated in a short period of time, the IPFIX may become overloaded. 6.3.2. Generic DoS attack on the IPFIX system The IPFIX system may subject to generic DoS attacks, just as any system on any open networks. These types of attacks are not IPFIX specific. Preventing and responding to such types of attacks are out of the scope of IPFIX WG. 6.3.3. IPFIX Specific DoS attack There is a specific attack on the IPFIX portion of the IPFIX device or Collector. (To be added and discussed on the general list). 7. Flow Expiration A flow is considered to be inactive if no packets of this flow has been observed at the observation point for a given timeout interval. The flow can be exported under the following conditions: 1. If the exporter can deduce the end of a flow, the exporter SHOULD export the flow records when the end of the flow is detected. For example: flow generated by TCP type of traffic where the FIN or RST bits indicate the end of the flow 2. If the flow has been inactive for a certain period of time. This inactivity timeout SHOULD be configurable. For example: flow generated by UDP type of traffic. Norseth & Sadasivan [Page 19] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 3. For long aging flows, the exporter SHOULD export the flow records on regular basis, in order to: a. Report the flow records periodic accounting information to the collector b. Avoid counter wrapping This activity timeout SHOULD be configurable c. Prevent an attacker from indefinitely delaying the delivery of flow information to an IDS application by intentionally generating packets which fall within long aging flows. 4. If the exporter experiences resources constraints, a flow MAY be prematurely expired (example: memory) 8. IANA Consideration Need Port number assigned from IANA [more to be written] 9. References [1] IP Flow Information Export (IPFIX) [2] J. Quittek ,T. Zseby, B. Claise,"Requirements for IP Flow Information Export", (work in progress) ,Internet Draft, Internet Engineering Task Force, , August 2002 [3] K.C. Norseth, Paul Calato,"Data Model for IP Flow Information Export", (work in progress) ,Internet Draft, Internet Engineering Task Force, , August 2002 10. Acknowledgements We like to thank all the people contributing to the requirements discussion on the mailing list, and the design teams for many valuable comments. George Carle Tanja Zseby Paul Calato Dave Plonka KC Norseth Benoit Claise Ganesh Sadasivan Vamsi Valluri Cliff Wang Ram Gopal Norseth & Sadasivan [Page 20] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 Jc Martin Carter Bullard Juergen Quittek Reinaldo Penno Nevil Brownlee Simon Leinen 11. Author's Addresses Benoit Claise Cisco Systems De Kleetlaan 6a b1 1831 Diegem Belgium Phone: +32 2 704 5622 Email: bclaise@cisco.com Ganesh Sadasivan Cisco Systems, Inc. 170 W. Tasman Dr. San Jose, CA 95134 USA Phone: +1 (408) 527-0251 Email: gsadasiv@cisco.com K.C. Norseth Consultant 934 S. Palos Verdes Dr. Kaysville, Utah 84037 Phone: +1 (801) 546-3316 Email: kcn@norseth.com Juergen Quittek NEC Europe Ltd. Adenauerplatz 6 69115 Heidelberg Germany Phone: +49 6221 90511-15 EMail: quittek@ccrle.nec.de Norseth & Sadasivan [Page 21] Internet Draft draft-ietf-ipfix-architecture-02.txt June 2002 Kevin Zhang XACCT Technologies, Inc. 2900 Lakeside Drive Santa Clara, CA 95054 Phone +1 301 992 4697 Email: kevin.zhang@xacct.com 12. Full Copyright Statement "Copyright (C) The Internet Society (date). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into. Norseth & Sadasivan [Page 22]