< draft-claise-ipfix-eval-netflow-03.txt   draft-claise-ipfix-eval-netflow-04.txt >
Internet Draft                                                 B. Claise
Document: draft-claise-ipfix-eval-netflow-04.txt           Cisco Systems
Expires: August 2003                                       February 2003

Evaluation Of NetFlow Version 9 Against IPFIX Requirements
<draft-claise-ipfix-eval-netflow-04.txt>

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of [RFC 2026]. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html

Distribution of this document is unlimited.
[...]

This document provides an evaluation of the applicability of the NetFlow flow record export protocol version 9 as an IPFIX protocol. It compares the properties and capabilities of the NetFlow flow record export protocol version 9 to the IPFIX requirements [IPFIX-REQ].
Table of Contents

1. Introduction
2. Architectural Considerations
   2.1 NetFlow Protocol Overview
   2.2 General Applicability
      2.2.1 Flow Definition
      2.2.2 Observation Point
      2.2.3 The Metering Process and the Flow Record
      2.2.4 The Exporting Process
      2.2.5 The Collecting Process
   2.3 Architectural Differences
3. Item Level Compliance Evaluation
   3.1 Terminology (section 2)
      3.1.1 IP Traffic Flow (2.1)
      3.1.2 Observation Point (2.2)
      3.1.3 Metering Process (2.3)
      3.1.4 Flow Record (2.4)
      3.1.5 Exporting Process (2.5)
      3.1.6 Collecting Process (2.6)
   3.2 Applications Requiring IP Flow Information Export (3)
   3.3 Distinguishing Flows (4)
      3.3.1 Interface (4.1)
      3.3.2 IP Header Fields (4.2)
      3.3.3 Transport Header Fields (4.3)
      3.3.4 MPLS (4.4)
      3.3.5 DiffServ Code Point (4.5)
      3.3.6 Header Compression and Encryption (4.6)
   3.4 Metering Process (5)
      3.4.1 Reliability (5.1)
      3.4.2 Sampling (5.2)
      3.4.3 Overload Behavior (5.3)
      3.4.4 Timestamps (5.4)
      3.4.5 Time Synchronization (5.5)
      3.4.6 Flow Expiration (5.6)
      3.4.7 Multicast (5.7)
      3.4.8 Packet Fragmentation (5.8)
      3.4.9 Ignore Port Copy (5.9)
   3.5 Data Export (6)
      3.5.1 Information Model (6.1)
      3.5.2 Data Model (6.2)
      3.5.3 Data Transfer (6.3)
         3.5.3.1 Congestion Awareness (6.3.1)
         3.5.3.2 Reliability (6.3.2)
         3.5.3.3 Security (6.3.3)
      3.5.4 Push and Pull Mode Reporting (6.4)
      3.5.5 Regular Reporting Interval (6.5)
      3.5.6 Notification on Specific Events (6.6)
      3.5.7 Anonymization (6.6)
   3.6 Configuration (7)
      3.6.1 Configuration of the Metering Process (7.1)
      3.6.2 Configuration of the Exporting Process (7.2)
   3.7 General Requirements Compliance (8)
      3.7.1 Openness (8.1)
      3.7.2 Number of Exporting Processes (8.2)
      3.7.3 Several Collecting Processes (8.3)
   3.8 Compliance Summary
4. Security Considerations
5. References
6. Acknowledgments
1. Introduction

This document provides an evaluation of the applicability of the NetFlow flow record export protocol version 9 as an IPFIX protocol. First, the general NetFlow architecture is introduced. Its application to the communication between an IPFIX exporting process and an IPFIX collecting process is discussed in Section 2. Section 3 discusses in detail to which degree the requirements stated in [IPFIX-REQ] are met.

This document uses the terminology defined in [IPFIX-REQ].

Note that the generic term NetFlow refers to multiple different notions: the metering process, the exporting process and the export protocol, as defined in the IPFIX terminology section of [IPFIX-
[...]

- How and where is it documented?

All documentation related to NetFlow can be found at: http://www.cisco.com/go/netflow

More specifically, the "NetFlow Services Solutions Guide" covers a NetFlow overview, the basic and advanced concepts, the explanation of the different versions along with the data types exported, some configuration examples, etc. For reference, see: http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm

The new flexible and extensible NetFlow flow record export version 9 is described in the IETF draft "Cisco Systems NetFlow Services Export Version 9" [NETFLOW9-1], as well as in the following documents:

1. http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm
2. http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1829/products_feature_guide09186a00801341b2.html

- Are there concrete plans for standardizing it?

The way to standardize NetFlow is via the IETF IPFIX Working Group. In parallel, Cisco Systems' intention is to produce an Informational RFC out of the next version of [NETFLOW9-1].

- Is standardization already in progress?

No standardization other than the participation in the IETF IPFIX Working Group is currently taking place.

- Is it proprietary to a certain company?

NetFlow is a proprietary protocol from Cisco Systems.
[...]

Nevertheless, Cisco Systems has no intention to use this patent to prevent other vendors from implementing a NetFlow-like solution. An Intellectual Property Rights message has been sent to the IETF rfc-editor team to post a similar message at http://www.ietf.org/ipr.html

- Is it already implemented?

Yes, the NetFlow flow record export protocol version 9 code is already implemented and available on the Cisco web site since Cisco Systems IOS version 12.0(24)S. Note that the NetFlow flow record export versions 1, 5, 7 and 8 have been implemented for many years now.

- Is it already in commercial use?

Yes. Cisco Systems developed its own NetFlow Collector (the correct term is "collecting process" according to [IPFIX-REQ]) that already supports the NetFlow flow record export protocol version 9. For more details, see http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/index.html

Some Cisco Systems partners are currently developing NetFlow Collectors able to receive NetFlow version 9 flow records. Note that many different companies or organizations have already implemented NetFlow Collectors for the previous NetFlow flow record export protocol versions, e.g. Concord Communications, Hewlett Packard, Narus, Xacct, Portal, Apogee Networks, Infovista, to name just a few.

- Is it available from more than one source?

As the inventor of NetFlow, Cisco Systems is the only company implementing this new version 9 on its devices. But if we speak of the previous NetFlow flow record export protocol versions, then the majority of our competitors have implemented those versions.

- Is it already widely used?

The NetFlow flow record export protocol version 9 has been beta tested by some of our customers for some time now. Since its official availability, it is also under test at other customer sites. Note that the previous NetFlow flow record export versions have been implemented by our competitors. As a consequence, yes, NetFlow is widely used throughout the industry.
2. Architectural Considerations

This section introduces the architecture of NetFlow and suggests a way of applying it to the communication between an IPFIX exporting process and an IPFIX collecting process.

2.1 NetFlow Protocol Overview

This section discusses the most recent evolution of the NetFlow flow record export protocol, which is known as Version 9. The distinguishing feature of the NetFlow Version 9 format compared to the previous versions is that it is template based. A template is a collection of fields along with the description of their structure and semantics.
[...]

that supports the parsing of this new export protocol format.

- Templates which are sent to the collecting process contain the structural information about the exported Flow Record fields. So, even if the collecting process does not understand the semantics of new fields, it can still interpret the Flow Record.

- Even if the NetFlow flow record export protocol version 9 has been created with an IP flow record background in mind, note that the Information Model can be extended with any data types and could potentially serve any reporting purpose, e.g. the NetFlow metering process configuration.
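The template mechanism described above, as an added example that is not part of the draft or of Cisco's NetFlow code: a minimal collector-side parser in Python that learns Template FlowSets and Options Template FlowSets from an export packet and then decodes Data FlowSets purely by the learned field lengths, so a field type the collector has never seen (type 60000 below) is still carried through intact instead of desynchronizing the record. The field type numbers (IN_BYTES = 1, IPV4_SRC_ADDR = 8, SAMPLING_INTERVAL = 34, ...) are assumed from the NetFlow v9 field type table; the packet, the source ID 42 and all flow values are constructed for the example.

```python
"""Collector-side NetFlow v9 parser (added example): templates, options templates, data."""
import ipaddress
import struct

# Field type numbers assumed from the NetFlow v9 field type table. Any type not
# listed is still decoded by its template length and kept under a generic name.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
    10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP",
    34: "SAMPLING_INTERVAL", 35: "SAMPLING_ALGORITHM",
}
IPV4_FIELDS = {8, 12, 15}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source ID
TEMPLATE_FLOWSET, OPTIONS_FLOWSET, MIN_DATA_FLOWSET = 0, 1, 256


class Collector:
    def __init__(self):
        # Keyed by (source_id, template_id): a template ID is only meaningful
        # relative to its exporting source, so two exporters may both use 256.
        self.templates = {}

    def parse(self, pkt):
        """Return (sequence number, decoded records) for one export packet."""
        if len(pkt) < HEADER.size:
            raise ValueError("packet shorter than the NetFlow v9 header")
        version, _count, _uptime, _secs, seq, source_id = HEADER.unpack_from(pkt, 0)
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, off = [], HEADER.size
        # The header count is not trusted to drive parsing; FlowSet lengths are walked
        # and each one is bounds-checked before any byte of it is read.
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
            if fs_len < 4 or off + fs_len > len(pkt):
                raise ValueError("FlowSet length runs past the end of the packet")
            body = pkt[off + 4:off + fs_len]
            if fs_id == TEMPLATE_FLOWSET:
                self._learn_templates(source_id, body, options=False)
            elif fs_id == OPTIONS_FLOWSET:
                self._learn_templates(source_id, body, options=True)
            elif fs_id >= MIN_DATA_FLOWSET:
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len  # FlowSet IDs 2..255 are reserved and skipped
        return seq, records

    def _learn_templates(self, source_id, body, options):
        off, min_hdr = 0, 6 if options else 4
        while off + min_hdr <= len(body):
            if options:  # template ID, scope length, option length (both in bytes)
                tid, scope_len, opt_len = struct.unpack_from("!HHH", body, off)
                off, nfields = off + 6, (scope_len + opt_len) // 4
            else:        # template ID, field count
                tid, nfields = struct.unpack_from("!HH", body, off)
                off += 4
            if tid < MIN_DATA_FLOWSET:
                break    # trailing zero padding, not a template
            spec = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = ("options" if options else "data", spec)

    def _decode_data(self, source_id, tid, body):
        entry = self.templates.get((source_id, tid))
        if entry is None:
            return []    # template not (yet) known from this source: cannot decode
        kind, spec = entry
        rec_len = sum(flen for _, flen in spec)
        out, off = [], 0
        while rec_len and off + rec_len <= len(body):  # leftover bytes are 4-byte padding
            rec = {"_kind": kind}
            for ftype, flen in spec:
                raw, off = body[off:off + flen], off + flen
                name = FIELD_NAMES.get(ftype, f"type{ftype}")
                if ftype in IPV4_FIELDS and flen == 4:
                    rec[name] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def build_packet(source_id, flowsets, seq=1):
    """Constructed export packet: header plus (flowset_id, body) pairs padded to 4 bytes."""
    out = HEADER.pack(9, len(flowsets), 123456, 1044000000, seq, source_id)
    for fs_id, body in flowsets:
        pad = (-(4 + len(body))) % 4
        out += struct.pack("!HH", fs_id, 4 + len(body) + pad) + body + b"\0" * pad
    return out


def build_sample_packet(source_id=42):
    """Constructed sample: data template (with an unknown type), options template, data for both."""
    data_spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (60000, 2)]
    template = struct.pack("!HH", 256, len(data_spec)) + b"".join(struct.pack("!HH", *f) for f in data_spec)
    opt_spec = [(1, 4), (34, 4), (35, 1)]  # scope System (type 1), sampling interval, algorithm
    opt_template = struct.pack("!HHH", 257, 4, 8) + b"".join(struct.pack("!HH", *f) for f in opt_spec)
    rec = struct.Struct("!4s4sHHBIIH")
    flows = (rec.pack(bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]), 40000, 443, 6, 5200, 12, 0xBEEF)
             + rec.pack(bytes([10, 0, 0, 2]), bytes([192, 0, 2, 53]), 53000, 53, 17, 180, 2, 0))
    sampling = struct.pack("!IIB", 0, 100, 1)  # scope 0, 1-in-100, algorithm 1 = deterministic
    return build_packet(source_id, [(0, template), (1, opt_template), (256, flows), (257, sampling)])


def demo():
    collector = Collector()
    _seq, records = collector.parse(build_sample_packet())
    return collector, records
```

Two points a practitioner would check here: templates are cached per (source ID, template ID), because a collector keyed on template ID alone lets one exporter redefine how another exporter's records are parsed; and every FlowSet length is checked against the packet before it is trusted, so a truncated or hostile UDP export raises instead of reading past the buffer. Data records that arrive before their template cannot be decoded and are dropped here; a production collector would buffer them briefly until the template is resent.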
2.2 General Applicability

2.2.1 Flow Definition

A NetFlow flow is identified as a unidirectional stream of packets between a given source and destination, both defined by network-layer IP addresses and transport-layer port numbers. Typically, in case of ingress NetFlow, a flow is identified as the combination of the following seven key fields: source IP address, destination IP address, source port number, destination port number, layer 3 protocol type, ToS byte, input logical interface (ifIndex). In case of egress NetFlow, a flow is identified as the combination of the following seven key fields: source IP address, destination IP address, source port number, destination port number, layer 3 protocol type, ToS byte, output logical interface (ifIndex).

These seven key fields define a unique flow. If a newly observed packet contains a different set of these seven key fields, then this packet will create a new flow. Note that a flow contains other accounting fields (such as the number of packets, number of bytes, the BGP AS, etc.).

2.2.2 Observation Point

NetFlow can be enabled per interface (physical/logical), per linecard or per system. However, implementation restrictions apply on a
[...]

Total Compliance of the NetFlow Flow Record definition with the IPFIX Flow Record definition.

3.1.5 Exporting Process (2.5)

Total Compliance of the NetFlow Exporting Process with the IPFIX Exporting Process definition. The NetFlow Exporting Process may send the flow records to 2 different collecting processes.

3.1.6 Collecting Process (2.6)

Total Compliance of the NetFlow Collector with the IPFIX collecting process definition.

3.2 Applications Requiring IP Flow Information Export (3)

Total Compliance of NetFlow regarding the different applications described in [IPFIX-REQ] which require IP flow information export, i.e. Usage-based Accounting, Traffic Profiling, Traffic Engineering, Attack/Intrusion Detection and QoS Monitoring. Actually, the Information Model associated with NetFlow flow record export version 9 [NETFLOW9-1] contains all the data types needed to satisfy the requirements of the different applications described in the section "Applications Requiring IP Flow Information Export" of [IPFIX-REQ].

3.3 Distinguishing Flows (4)

"But anyway, it MUST be ensured that a collecting process is able to clearly identify for each received flow record which set of properties was used for distinguishing this flow from other ones.", as defined in [IPFIX-REQ].

From the Template ID and the Observation Domain we can find back the set of properties used to distinguish the flow. Total Compliance.

3.3.1 Interface (4.1)

Total Compliance of the interface as a flow distinguisher.

In case of ingress NetFlow, a flow is identified, amongst other fields, by the input logical interface (ifIndex). In case of egress NetFlow, a flow is identified, amongst other fields, by the output logical interface (ifIndex). All flow records will report both the input and output ifIndexes.
3.3.2 IP Header Fields (4.2)
source IP address (MUST): Total Compliance
destination IP address (MUST): Total Compliance
protocol type (TCP, UDP, ICMP, ...) (MUST): Total Compliance
IP version number (SHOULD): Upcoming Compliance

3.3.3 Transport Header Fields (4.3)

Total Compliance of the port numbers of the transport header as flow distinguishers.

3.3.4 MPLS (4.4)

Total Compliance of the MPLS label as a flow distinguisher, if the observation point is located at a device supporting Multiprotocol Label Switching.

3.3.5 DiffServ Code Point (4.5)

Total Compliance, as NetFlow distinguishes flows by the ToS byte

[...]
Extension required for total compliance.

3.4.2 Sampling (5.2)

"The metering process MAY support packet sampling.", as defined in [IPFIX-REQ]. Total Compliance. NetFlow supports packet sampling.

"If sampling is supported the sampling configuration MUST be well defined. The sampling configuration includes the sampling method and all its parameters.", as defined in [IPFIX-REQ]. Total Compliance. See the Options Template from [NETFLOW9-1]: a template that describes the format of the Flow measurement parameters (like the sampling algorithm and sampling interval) applied at the metering process.

"If the sampling configuration is changed during operation, the new sampling configuration with its parameters MUST be indicated to all collecting processes receiving the affected flow records. Changing the sampling configuration includes: adding a sampling function to the metering process, removing a sampling function from the metering process, change sampling method, and change sampling parameter(s).", as defined in [IPFIX-REQ].

Adding a sampling function to the metering process: Total Compliance
Removing a sampling function from the metering process: Total Compliance
Change sampling method: Total Compliance
Change sampling parameter: Total Compliance

Example: If the metering process starts NetFlow sampling, a new Options Template will be sent to the collecting process; it will contain the sampling parameters. If the sampling method or sampling parameters are changed, a new Options Template [NETFLOW9-1] with the new method/parameters and with a new Template ID [NETFLOW9-1] will be sent to the collecting process; it will carry the same Source ID [NETFLOW9-1], so that the collecting process can deduce that the previous Template ID is not active anymore. In case of removing a sampling function from the metering process, i.e. going back to full NetFlow, the same process applies: a new Options Template [NETFLOW9-1] with the same Source ID [NETFLOW9-1], with the new method/parameters and with a new Template ID [NETFLOW9-1] will be sent to the collecting process, so that the collecting process can deduce that NetFlow sampling has stopped.

In conclusion: Total Compliance for this entire section.
3.4.3 Overload Behavior (5.3) 3.4.3 Overload Behavior (5.3)
ôIn case of an overload, for example lack of memory or processing ôIn case of an overload, for example lack of memory or processing
power, the metering process MAY change its behavior in order to cope power, the metering process MAY change its behavior in order to cope
with the lack of resources.ö, as defined in [IPFIX-REQ]. with the lack of resources.ö, as defined in [IPFIX-REQ].
Total Compliance. Total Compliance.
ôFor some flows, the change of behavior might have an impact on the ôFor some flows, the change of behavior might have an impact on the
data that would be stored in the associated flow records after the data that would be stored in the associated flow records after the
change, for example if the packet classification is changed or the change, for example if the packet classification is changed or the
skipping to change at page 13, line 40 skipping to change at page 14, line 22
Compliance. A new Template ID for the new template configuration Compliance. A new Template ID for the new template configuration
will be generated and the collecting process will be able to will be generated and the collecting process will be able to
distinguish the new flow records from the old ones. distinguish the new flow records from the old ones.
In case of memory, flow records or CPU overload, Total Compliance. In case of memory, flow records or CPU overload, Total Compliance.
Overload of memory: not possible because NetFlow allocates the Overload of memory: not possible because NetFlow allocates the
entire cache memory at initialization. entire cache memory at initialization.
Overload of flow records: not possible because in case the NetFlow Overload of flow records: not possible because in case the NetFlow
cache becomes full, the flow records will be expired with a smaller cache becomes full, the flow records will be expired with a smaller
timeout! This change in the exporting process behavior doesn't need timeout! This change in the exporting process behavior doesn't need
to be reported: anyway the flow records contain the absolute to be reported: anyway the flow records contain the absolute
timestamps. timestamps.
Overload of CPU: the throughput will be lowered in order for NetFlow Overload of CPU: the throughput will be lowered in order for NetFlow
to account all traffic. to account all traffic.
In case of cpu overload, in order to avoid a lower throughput, some In case of cpu overload, in order to avoid a lower throughput, some
new automatic actions (like new template with sampling NetFlow new automatic actions (like new template with sampling NetFlow
instead of full NetFlow or new template with higher sampling rate instead of full NetFlow or new template with higher sampling rate
etc...) could be implemented without much effort. etc...) could be implemented without much effort.
Note that in both examples above, a new Template ID for the new Note that in both examples above, a new Template ID for the new
template configuration will be generated and the collecting process template configuration will be generated and the collecting process
will be able to distinguish the new flow records from the old ones. will be able to distinguish the new flow records from the old ones.
3.4.4 Timestamps (5.4) 3.4.4 Timestamps (5.4)
Total Compliance. TOTAL Compliance.
3.4.5 Time Synchronization (5.5) 3.4.5 Time Synchronization (5.5)
Total Compliance. The flow records contain both the flow start and the flow end
The export packet header contains the UTC time of the export packet sysUpTime. See FIRST_SWITCHED and LAST_SWITCHED in [NETFLOW9-1]. The
generation. This header also contains the router sysUpTime at the exporter could periodically send an Option Template [NETFLOW9-1]
time of the export packet generation. The UTC time the router booted containing a time synchronization pair composed of a sysUpTime and a
can therefore be deduced. The flow records contain the flow start unix_msecs (Number of milli seconds since 0000 UTC 1970), taken at
and flow end sysUpTime, so that the NetFlow collector can deduce the the same point in time. The NetFlow collector could deduce the flow
flow start and flow end UTC time. start and flow end UTC time of every single flow record.
TOTAL Compliance.
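The UTC derivation described above, as an added example that is not code from the draft or from any NetFlow collector: any (sysUpTime, UTC) pair taken at the same instant, whether the export packet header (whole seconds) or the (sysUpTime, unix_msecs) pair of a time-synchronization Option Data Record (milliseconds), maps FIRST_SWITCHED and LAST_SWITCHED to UTC. The caveat a collector must handle is that sysUpTime is a 32-bit millisecond counter that wraps every 2^32 ms (about 49.7 days), so the distance is computed modulo 2^32. The function names and the sample header values are assumptions of the example; the 20-byte header layout is that of the published NetFlow version 9 specification.

```python
import struct
from datetime import datetime, timezone

UPTIME_MOD = 1 << 32      # sysUpTime is a 32-bit millisecond counter (wraps every ~49.7 days)
V9_HEADER = "!HHIIII"     # version, count, sysUpTime, unix secs, sequence number, Source ID

def uptime_delta_ms(reference_uptime_ms: int, switched_ms: int) -> int:
    """Signed distance in ms from the reference sysUpTime to a FIRST/LAST_SWITCHED
    value, taken modulo 2^32 so a wrap between the flow's packets and the
    synchronization point does not shift the result by 49.7 days."""
    d = (switched_ms - reference_uptime_ms) % UPTIME_MOD
    return d - UPTIME_MOD if d >= UPTIME_MOD // 2 else d

def switched_to_unix_ms(sync_uptime_ms: int, sync_unix_ms: int, switched_ms: int) -> int:
    """Map a sysUpTime-based timestamp to ms since 1970-01-01 UTC using a
    (sysUpTime, UTC) pair taken at one instant, e.g. the export packet header
    or a time-synchronization Option Data Record (sysUpTime, unix_msecs)."""
    return sync_unix_ms + uptime_delta_ms(sync_uptime_ms, switched_ms)

def make_header(sys_uptime_ms: int, unix_secs: int, seq: int = 0, source_id: int = 0,
                count: int = 0) -> bytes:
    """Constructed export packet header for the examples below (not a capture)."""
    return struct.pack(V9_HEADER, 9, count, sys_uptime_ms, unix_secs, seq, source_id)

def flow_interval_from_header(header: bytes, first_switched_ms: int,
                              last_switched_ms: int) -> tuple:
    """(start, end) in unix ms for one flow record, using the export packet header
    as the synchronization pair. The header carries whole seconds only, so the
    result is accurate to about one second; an Option Data Record with
    unix_msecs gives millisecond accuracy through switched_to_unix_ms()."""
    version, _count, sys_uptime, unix_secs, _seq, _source_id = struct.unpack(V9_HEADER, header)
    if version != 9:
        raise ValueError(f"expected a NetFlow version 9 header, got version {version}")
    start = switched_to_unix_ms(sys_uptime, unix_secs * 1000, first_switched_ms)
    end = switched_to_unix_ms(sys_uptime, unix_secs * 1000, last_switched_ms)
    if end < start:
        raise ValueError("LAST_SWITCHED precedes FIRST_SWITCHED")
    return start, end

def to_utc(unix_ms: int) -> datetime:
    return datetime.fromtimestamp(unix_ms / 1000, tz=timezone.utc)

if __name__ == "__main__":
    hdr = make_header(sys_uptime_ms=1_000, unix_secs=1_046_000_000)
    start, end = flow_interval_from_header(hdr, first_switched_ms=500, last_switched_ms=900)
    print(to_utc(start).isoformat(), to_utc(end).isoformat())
```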
3.4.6 Flow Expiration (5.6) 3.4.6 Flow Expiration (5.6)
Total Compliance of the NetFlow flow expiration mechanism with the Total Compliance of the NetFlow flow expiration mechanism with the
IPFIX requirements. IPFIX requirements.
The routing device checks the NetFlow cache once per second and The routing device checks the NetFlow cache once per second and
expires the flow in the following instances: expires the flow in the following instances:
1. Transport is completed (TCP FIN or RST). 1. Transport is completed (TCP FIN or RST).
skipping to change at page 15, line 46 skipping to change at page 16, line 31
12. timestamp of the first packet of the flow: Total Compliance 12. timestamp of the first packet of the flow: Total Compliance
13. timestamp of the last packet of the flow: Total Compliance 13. timestamp of the last packet of the flow: Total Compliance
14. if sampling is used, sampling configuration: Total Compliance 14. if sampling is used, sampling configuration: Total Compliance
15. unique identifier of the observation point: Total Compliance 15. unique identifier of the observation point: Total Compliance
(the ifIndex) (the ifIndex)
16. unique identifier of the exporting process: Total Compliance 16. unique identifier of the exporting process: Total Compliance
(the IP address and the Observation Domain Identifier) (the IP address and the Observation Domain Identifier)
"The exporting process SHOULD be able to report the following "The exporting process SHOULD be able to report the following
attributes for each metered flow", as defined in [IPFIX-REQ]: attributes for each metered flow", as defined in [IPFIX-REQ]:
17. input interface (ifIndex): Total Compliance 17. if protocol type is ICMP, ICMP type and code: Total Compliance
18. output interface (ifIndex): Total Compliance 18. input interface (ifIndex): Total Compliance
19. multicast replication factor. Total Compliance 19. output interface (ifIndex): Total Compliance
20. multicast replication factor. Total Compliance
"The exporting process MAY be able to report the following "The exporting process MAY be able to report the following
attributes for each metered flow", as defined in [IPFIX-REQ]: attributes for each metered flow", as defined in [IPFIX-REQ]:
20. Time To Live: Extension required for Total Compliance 21. Time To Live (in case of IPv4) or Hop Limit (in case of IPv6):
21. IP header flags: Extension required for Total Compliance Extension required for Total Compliance
22. TCP header flags: Total Compliance 22. IP header flags: Extension required for Total Compliance
23. dropped packet counter at the observation point: Extension 23. TCP header flags: Total Compliance
24. dropped packet counter at the observation point: Extension
required for Total Compliance required for Total Compliance
24. fragmented packet counter: Extension Required for Total 25. fragmented packet counter: Extension Required for Total
Compliance Compliance
25. Next hop IP address: Total Compliance 26. Next hop IP address: Total Compliance
In addition, the exporting process MAY be able to report attributes In addition, the exporting process MAY be able to report attributes
related to inter-autonomous system routing of a flow, for example by related to inter-autonomous system routing of a flow, for example by
reporting BGP Autonomous System numbers. Total Compliance reporting BGP Autonomous System numbers. Total Compliance
3.5.2 Data Model (6.2) 3.5.2 Data Model (6.2)
"The data model MUST be extensible", as defined in [IPFIX-REQ]. "The data model MUST be extensible", as defined in [IPFIX-REQ].
Total Compliance. While all data types discussed in [NETFLOW9] Total Compliance. While all data types discussed in [NETFLOW9-1]
concern the IP flows and the metering process, nothing prevents concern the IP flows and the metering process, nothing prevents
NetFlow version 9 to export whatever type of data. For example, a NetFlow version 9 to export whatever type of data. For example, a
MIB variable or the output of a "show command" on the router. MIB variable or the output of a "show command" on the router.
NetFlow version 9 is extensible to whatever data type. NetFlow version 9 is extensible to whatever data type.
"The data model used for exporting flow information MUST be flexible "The data model used for exporting flow information MUST be flexible
concerning the flow attributes contained in flow records", as concerning the flow attributes contained in flow records", as
defined in [IPFIX-REQ]. defined in [IPFIX-REQ].
Total Compliance. Total Compliance.
"The Data Model SHOULD be independent of the underlying transport "The Data Model SHOULD be independent of the underlying transport
protocol, i.e. the data transfer", as defined in [IPFIX-REQ]. protocol, i.e. the data transfer", as defined in [IPFIX-REQ].
Total Compliance. Total Compliance.
3.5.3 Data Transfer (6.3) 3.5.3 Data Transfer (6.3)
3.5.3.1 Congestion Awareness (6.3.1) 3.5.3.1 Congestion Awareness (6.3.1)
"For the data transfer, a congestion aware protocol MUST be "For the data transfer, a congestion aware protocol MUST be
supported", as defined in [IPFIX-REQ]. supported", as defined in [IPFIX-REQ].
Upcoming Compliance with SCTP. Upcoming Compliance with SCTP. For more details on possible
implementations of the NetFlow flow record export protocol version 9
using SCTP, refer to the draft draft-djernaes-netflow-9-transport-
00.
Note that the flow record export protocol version 9 is independent Note that the flow record export protocol version 9 is independent
of the underlying transport protocol. of the underlying transport protocol.
3.5.3.2 Reliability (6.3.2) 3.5.3.2 Reliability (6.3.2)
Total Compliance. A sequence ID exists per export packet so that the "Loss of flow records during the data transfer from the exporting
collecting process would know if it misses export packets or if process to the collecting process MUST be indicated at the
packets reordering occurred in the network. collecting process. This indication MUST allow the collecting
process to gauge the number of flow records lost.", as defined in
[IPFIX-REQ].
Total Compliance. A sequence ID exists per export packet and per
observation domain [NETFLOW9-1] so that the collecting process would
know if it misses export packets or if packets reordering occurred
in the network.
"Please note that if an unreliable transport protocol is used,
reliability can be provided by higher layers. If reliability is
provided by higher layers, only lack of overall reliability MUST be
indicated. For example reordering could be dealt with by adding a
sequence number to each packet.", as defined in [IPFIX-REQ].
Total Compliance.
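An added collector-side example, not code from the draft, from [NETFLOW9-1] or from any NetFlow implementation, combining the per-Source-ID template handling of 3.4.2 with the per-observation-domain sequence numbers of this section. It parses the 20-byte export packet header and the FlowSet layout of the published NetFlow version 9 specification (Template FlowSet ID 0, data FlowSet IDs of 256 and above equal to the template ID), keeps templates and the expected sequence number per (exporter address, Source ID), counts a jump in the sequence number as lost packets, and, when a packet with an older sequence number turns up later, reclassifies one lost packet as reordered. The class and function names, the field types chosen for the template (IPV4_SRC_ADDR 8, IPV4_DST_ADDR 12, IN_PKTS 2, FIRST_SWITCHED 22, LAST_SWITCHED 21) and the sample packets are assumptions constructed for the example; Option Templates (FlowSet ID 1) are deliberately not decoded.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

HEADER_FMT, HEADER_LEN = "!HHIIII", 20   # version, count, sysUpTime, unix secs, sequence, Source ID
TEMPLATE_FLOWSET_ID = 0                  # IDs 0 and 1 carry templates; IDs >= 256 carry data
SEQ_MOD = 1 << 32

@dataclass
class SourceState:
    """State per (exporter address, Source ID): sequence numbers and templates are
    scoped to the observation domain, not to the exporting device as a whole."""
    next_seq: Optional[int] = None
    templates: dict = field(default_factory=dict)   # template ID -> [(field type, length), ...]
    lost: int = 0          # export packets missing according to the sequence number
    reordered: int = 0     # packets that arrived after a higher sequence number
    undecodable: int = 0   # data FlowSets received without a known template

class V9Collector:
    def __init__(self) -> None:
        self.sources: dict = {}
        self.records: list = []   # (source key, template ID, {field type: raw bytes})

    def process(self, exporter_ip: str, packet: bytes) -> SourceState:
        version, _cnt, _uptime, _secs, seq, source_id = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        key = (exporter_ip, source_id)
        st = self.sources.setdefault(key, SourceState())
        if st.next_seq is None:
            st.next_seq = (seq + 1) % SEQ_MOD
        else:
            gap = (seq - st.next_seq) % SEQ_MOD       # sequence counts export packets per Source ID
            if gap < SEQ_MOD // 2:                     # in order or skipped ahead: the gap is loss
                st.lost += gap
                st.next_seq = (seq + 1) % SEQ_MOD
            else:                                      # already passed: reordered, not lost after all
                st.reordered += 1
                st.lost = max(0, st.lost - 1)
        off = HEADER_LEN
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("malformed FlowSet length")   # never trust a length field blindly
            body = packet[off + 4:off + fs_len]
            if fs_id == TEMPLATE_FLOWSET_ID:
                self._templates(st, body)
            elif fs_id >= 256:
                self._data(key, st, fs_id, body)
            off += fs_len                                       # Options Templates (ID 1) are skipped
        return st

    @staticmethod
    def _templates(st: SourceState, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if nfields == 0 or pos + 4 * nfields > len(body):
                break                                      # padding or a truncated record: stop
            st.templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                 for i in range(nfields)]  # a re-sent ID replaces the old definition
            pos += 4 * nfields

    def _data(self, key: tuple, st: SourceState, tid: int, body: bytes) -> None:
        fields = st.templates.get(tid)
        if fields is None:
            st.undecodable += 1                            # template lost, or not yet sent
            return
        rec_len = sum(flen for _, flen in fields)
        pos = 0
        while rec_len and pos + rec_len <= len(body):      # a short tail is padding
            rec, p = {}, pos
            for ftype, flen in fields:
                rec[ftype] = body[p:p + flen]
                p += flen
            self.records.append((key, tid, rec))
            pos += rec_len

def build_packet(seq: int, source_id: int, count: int, flowsets: list) -> bytes:
    """Constructed export packet (not a capture); flowsets is a list of (FlowSet ID, body)."""
    body = b"".join(struct.pack("!HH", fid, 4 + len(fb)) + fb for fid, fb in flowsets)
    return struct.pack(HEADER_FMT, 9, count, 123_000, 1_046_000_000, seq, source_id) + body

def run_sample_session() -> V9Collector:
    """Constructed session: Source ID 0 sends packets 1, 2, 5, 4; Source ID 1 sends data
    for template 256 without ever having announced it in its own observation domain."""
    template = struct.pack("!HH", 256, 5) + b"".join(
        struct.pack("!HH", ftype, 4) for ftype in (8, 12, 2, 22, 21))
    def rec(src, dst, pkts, first, last):
        return bytes(src) + bytes(dst) + struct.pack("!III", pkts, first, last)
    r1 = rec((10, 0, 0, 1), (10, 0, 0, 2), 17, 100_000, 122_500)
    r2 = rec((10, 0, 0, 3), (10, 0, 0, 2), 3, 110_000, 121_000)
    c = V9Collector()
    c.process("192.0.2.1", build_packet(1, 0, 3, [(0, template), (256, r1 + r2)]))
    c.process("192.0.2.1", build_packet(2, 0, 1, [(256, r1)]))
    c.process("192.0.2.1", build_packet(5, 0, 1, [(256, r2)]))   # packets 3 and 4 not seen: 2 lost
    c.process("192.0.2.1", build_packet(4, 0, 1, [(256, r1)]))   # 4 arrives late: 1 reordered, 1 lost
    c.process("192.0.2.1", build_packet(1, 1, 1, [(256, r1)]))   # other Source ID: template unknown
    return c
```

The loss and reordering counters are per observation domain, which is what lets a collector gauge the loss from one exporter that hosts several Source IDs; a sequence number running backwards by a large amount after an exporter restart shows up here as a single "reordered" event, which a production collector would want to distinguish by also watching the header's sysUpTime.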
"The data transfer between exporting process and collecting process
MUST be open to reliability extensions including at least
- retransmission of lost flow records,
- detection of disconnection and fail-over, and
- acknowledgement of flow records by the collecting process.",
as defined in [IPFIX-REQ].
Upcoming Compliance with SCTP. For more details on possible
implementations of the NetFlow flow record export protocol version 9
using SCTP, refer to the draft draft-djernaes-netflow-9-transport-
00.
3.5.3.3 Security (6.3.3) 3.5.3.3 Security (6.3.3)
Extension Required for total Compliance for confidentiality, Extension Required for total Compliance for confidentiality,
integrity and authenticity for the flow record export protocol integrity and authenticity for the flow record export protocol
version 9 itself. version 9 itself.
But note that exporting the NetFlow flow records from the exporting But note that exporting the NetFlow flow records from the exporting
process to the metering process over an IPSEC [IPSEC] tunnel would process to the metering process over an IPSEC [IPSEC] tunnel would
fulfill all the confidentiality, integrity and authenticity fulfill all the confidentiality, integrity and authenticity
requirements. requirements.
3.5.4 Push and Pull Mode Reporting (6.4) 3.5.4 Push and Pull Mode Reporting (6.4)
"The exporting process MUST support push mode reporting, it MAY
support pull mode reporting.", as defined in [IPFIX-REQ].
NetFlow is a Push Mode Reporting mechanism and doesn't support the NetFlow is a Push Mode Reporting mechanism and doesn't support the
Pull Mode. Pull Mode.
3.5.5 Regular Reporting Interval (6.5) 3.5.5 Regular Reporting Interval (6.5)
Total Compliance. For long aging flows, the exporting process Total Compliance. For long aging flows, the exporting process
exports the flow records on regular basis, in order to: exports the flow records on regular basis, in order to:
1. report the flow records periodic accounting information 1. report the flow records periodic accounting information
to the collecting process to the collecting process
2. avoid counter wrapping 2. avoid counter wrapping
skipping to change at page 18, line 36 skipping to change at page 20, line 11
3.6.2 Configuration of the Exporting Process (7.2) 3.6.2 Configuration of the Exporting Process (7.2)
Total Compliance. Total Compliance.
3.7 General Requirements Compliance (8) 3.7 General Requirements Compliance (8)
3.7.1 Openness (8.1) 3.7.1 Openness (8.1)
Total Compliance. Total Compliance.
3.7.2 Number of Exporting Processes (8.2) 3.7.2 Scalability (8.2)
"Data collection from hundreds of different exporting processes MUST "Data collection from hundreds of different exporting processes MUST
be supported.", as defined in [IPFIX-REQ]. be supported.", as defined in [IPFIX-REQ].
Total Compliance. Total Compliance.
"The collecting process MUST be able to distinguish several hundred "The collecting process MUST be able to distinguish several hundred
exporting processes by their identifiers.", as defined in [IPFIX- exporting processes by their identifiers.", as defined in [IPFIX-
REQ]. REQ].
Total Compliance, the identifier being the IP address of the Total Compliance, the identifier being the IP address of the
exporting process and the Observation Domain identifier. exporting process and the Observation Domain identifier.
The Observation Domain is defined as: The Observation Domain is defined as:
The set of observation points which is the largest aggregatable set The set of observation points which is the largest aggregatable set
of flow information at the metering process is termed as an of flow information at the metering process is termed as an
Observation Domain. The Observation Domain presents itself a unique Observation Domain. The Observation Domain presents itself a unique
identifier to the collecting process for identifying the export identifier to the collecting process for identifying the export
packets generated by it. One or more Observation Domains can packets generated by it. One or more Observation Domains can
interface with the same export process. Example: The Observation interface with the same export process. Example: The Observation
skipping to change at page 19, line 41 skipping to change at page 21, line 12
----------------------------------------------. ----------------------------------------------.
B: IPFIX Requirement Status | B: IPFIX Requirement Status |
----------------------------------------. | ----------------------------------------. |
A: NetFlow Version 9 Compliance | | A: NetFlow Version 9 Compliance | |
----------------------------------. | | ----------------------------------. | |
| | | | | |
| Sect. | Requirement | | | | Sect. | Requirement | | |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 2. | Terminology | T | | | 2. | Terminology | T | |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 3. | Applicatitons | T | | | 3. | Applications | T | |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4. | DISTINGUISHING FLOWS | | 4. | DISTINGUISHING FLOWS |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4 | Distinguish set of | | |
| | properties | T | M |
|-------+-------------------------+-----+-----|
| 4.1 | Interfaces | T | M | | 4.1 | Interfaces | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4.2 | Source IP address | T | M | | 4.2 | Source IP address | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4.2 | Destination IP address | T | M | | 4.2 | Destination IP address | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4.2 | Protocol Type | T | M | | 4.2 | Protocol Type | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4.2 | IP version | T | S | | 4.2 | IP version | U | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4.3 | Transport Header Fields | T | M | | 4.3 | Transport Header Fields | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4.4 | MPLS | T | M | | 4.4 | MPLS | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4.5 | DiffServ Code Point | T | M | | 4.5 | DiffServ Code Point | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 4.6 | Header Compres/Encrypt. | T | M | | 4.6 | Header Compres/Encrypt. | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 5. | METERING PROCESS | | 5. | METERING PROCESS |
skipping to change at page 21, line 24 skipping to change at page 22, line 46
| | last packet | | | | | last packet | | |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.1. | Sampling configuration | T | M | | 6.1. | Sampling configuration | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.1. | observation point | T | M | | 6.1. | observation point | T | M |
| | identifier | | | | | identifier | | |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.1. | export process | T | M | | 6.1. | export process | T | M |
| | identifier | | | | | identifier | | |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.1. | ICMP type and code | T | S |
|-------+-------------------------+-----+-----|
| 6.1. | Input Interface | T | S | | 6.1. | Input Interface | T | S |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.1. | OutputInterface | T | S | | 6.1. | OutputInterface | T | S |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.1. | Multicast Replication | T | S | | 6.1. | Multicast Replication | T | S |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.1. | Time to Live | E | May | | 6.1. | Time to Live | E | May |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.1. | IP Header Flags | E | May | | 6.1. | IP Header Flags | E | May |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
skipping to change at page 22, line 7 skipping to change at page 23, line 31
| 6.2. | Extensibility | T | M | | 6.2. | Extensibility | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.2. | Transport Independent | T | S | | 6.2. | Transport Independent | T | S |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.3. | DATA TRANSFER | | 6.3. | DATA TRANSFER |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.3.1.| Congestion aware | U | M | | 6.3.1.| Congestion aware | U | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.3.2.| Reliability | T | M | | 6.3.2.| Reliability | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.3.2.| Open to reliability | | |
| | Extensions | U | M |
|-------+-------------------------+-----+-----|
| 6.3.3.| Confidentiality | E | S | | 6.3.3.| Confidentiality | E | S |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.3.4.| Integrity | E | M | | 6.3.4.| Integrity | E | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.3.5.| Authenticity | E | M | | 6.3.5.| Authenticity | E | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.4. | Push mode | T | M | | 6.4. | Push mode | T | M |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
| 6.4. | Pull mode | F | May | | 6.4. | Pull mode | F | May |
|-------+-------------------------+-----+-----| |-------+-------------------------+-----+-----|
skipping to change at page 23, line 22 skipping to change at page 24, line 48
comparison against the specific Security requirements in the IPFIX comparison against the specific Security requirements in the IPFIX
requirements document [IPFIX-REQ] where they are specifically requirements document [IPFIX-REQ] where they are specifically
addressed by sections 6.3.3 and 10. addressed by sections 6.3.3 and 10.
The NetFlow flow record export protocol could be run on the top of The NetFlow flow record export protocol could be run on the top of
IPSEC [IPSEC] to assure security. IPSEC [IPSEC] to assure security.
5. References 5. References
[IPFIX-REQ] J. Quittek et al., "Requirements for IP Flow Information [IPFIX-REQ] J. Quittek et al., "Requirements for IP Flow Information
Export", draft-ietf-ipfix-reqs-06.txt, work in progress, Export", draft-ietf-ipfix-reqs-09.txt, work in progress,
July 2002. August 2003.
[NETFLOW9] B. Claise et al., "Cisco Systems NetFlow Services Export
Version 9", draft-bclaise-netflow-9-00.txt, work in
progress, June 2002.
[NETFLOW9-1] B. Claise et al., "Cisco Systems NetFlow Services [NETFLOW9-1] B. Claise et al., "Cisco Systems NetFlow Services
Export Version 9", draft-bclaise-netflow-9-01.txt, work Export Version 9", draft-bclaise-netflow-9-01.txt, work
in progress, October 2002 in progress, October 2002
[UDP] J. Postel, "User Datagram Protocol", RFC 768, August [UDP] J. Postel, "User Datagram Protocol", RFC 768, August
1980 1980
[TCP] "TRANSMISSION CONTROL PROTOCOL DARPA INTERNET PROGRAM [TCP] "TRANSMISSION CONTROL PROTOCOL DARPA INTERNET PROGRAM
PROTOCOL SPECIFICATION", RFC 793, September 1981 PROTOCOL SPECIFICATION", RFC 793, September 1981
 End of changes. 50 change blocks. 
108 lines changed or deleted 181 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/