idnits 2.17.1 draft-ietf-ipfix-as-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 22. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1275. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1244. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1251. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1257. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 1264), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 1226. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. == In addition to a regular copyright notice, the document also has a copyright notice embedded in the text. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** There are 13 instances of too long lines in the document, the longest one being 3 characters in excess of 72. == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 497 has weird spacing: '...seconds can...' == Line 500 has weird spacing: '... - If time ...' == Line 522 has weird spacing: '...seconds can...' == Line 525 has weird spacing: '... - If time ...' == Line 530 has weird spacing: '...) that can ...' == (1 more instance...) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 2006) is 6527 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC 2720' is mentioned on line 874, but not defined == Missing Reference: 'RFC 3917' is mentioned on line 910, but not defined -- Possible downref: Non-RFC (?) normative reference: ref. 'IPFIX-INFO' -- Possible downref: Non-RFC (?) normative reference: ref. 'IPFIX-PROTO' -- Possible downref: Non-RFC (?) normative reference: ref. 'PSAMP-INFO' ** Downref: Normative reference to an Informational RFC: RFC 3917 -- Obsolete informational reference (is this intentional?): RFC 2598 (Obsoleted by RFC 3246) -- Obsolete informational reference (is this intentional?): RFC 2679 (Obsoleted by RFC 7679) -- Obsolete informational reference (is this intentional?): RFC 2680 (Obsoleted by RFC 7680) -- Obsolete informational reference (is this intentional?): RFC 2960 (Obsoleted by RFC 4960) -- Obsolete informational reference (is this intentional?): RFC 3330 (Obsoleted by RFC 5735) -- Obsolete informational reference (is this intentional?): RFC 3588 (Obsoleted by RFC 6733) Summary: 7 errors (**), 0 flaws (~~), 12 warnings (==), 17 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Draft Tanja Zseby 3 Document: Fraunhofer FOKUS 4 Expires: October 2006 Elisa Boschi 5 Hitachi 6 Nevil Brownlee 7 CAIDA 8 Benoit Claise 9 Cisco Systems 11 May 2006 13 IPFIX Applicability 14 draft-ietf-ipfix-as-07.txt 16 Status of this Memo 18 By submitting this Internet-Draft, each author represents that 19 any applicable patent or other IPR claims of which he or she is 20 aware have been or will be disclosed, and any of which he or she 21 becomes aware will be disclosed, in accordance with Section 6 of 22 BCP 79. 24 Internet-Drafts are working documents of the Internet 25 Engineering Task Force (IETF), its areas, and its working 26 groups. Note that other groups may also distribute working 27 documents as Internet-Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six 29 months and may be updated, replaced, or obsoleted by other 30 documents at any time. It is inappropriate to use Internet- 31 Drafts as reference material or to cite them other than as "work 32 in progress." 34 The list of current Internet-Drafts can be accessed at 35 http://www.ietf.org/ietf/1id-abstracts.txt. 37 The list of Internet-Draft Shadow Directories can be accessed at 38 http://www.ietf.org/shadow.html. 40 Copyright Notice 42 Copyright (C) The Internet Society (2006). 44 Abstract 46 This document describes the applicability of the IP Flow 47 Information Export (IPFIX) protocol for a variety of 48 applications. It shows how applications can use IPFIX, describes 49 the relevant information elements (IEs) and shows opportunities 50 and limitations of the protocol. The document furthermore 51 describes relations of the IPFIX framework to other 52 architectures and frameworks. 54 Table of Contents 55 1. Introduction.............................................4 56 2. Applications of IPFIX....................................4 57 2.1 Accounting...............................................4 58 2.1.1 Example.................................................5 59 2.2 Traffic Profiling........................................7 60 2.3 Traffic Engineering......................................7 61 2.4 Network Security.........................................8 62 2.5 QoS Monitoring..........................................10 63 2.5.1 Correlating Events from Multiple Observation Points....11 64 2.5.2 Examples...............................................11 65 2.6 Inter-Domain Exchange of IPFIX data.....................13 66 2.7 Export of Derived Metrics...............................13 67 2.8 Summary.................................................14 68 3. Relation of IPFIX to Other Frameworks and Protocols.....14 69 3.1 IPFIX and PSAMP.........................................14 70 3.2 IPFIX and RMON..........................................15 71 3.3 IPFIX and IPPM..........................................15 72 3.4 IPFIX and AAA...........................................16 73 3.4.1 Connecting via an AAA Client...........................17 74 3.4.2 Connecting via an Application Specific Module (ASM)....17 75 3.5 IPFIX and RTFM..........................................18 76 3.5.1 Architecture...........................................18 77 3.5.2 Flow Definition........................................19 78 3.5.3 Configuration and Management...........................19 79 3.5.4 Data Collection........................................19 80 3.5.5 Data Model Details.....................................20 81 3.5.6 Transport Protocol.....................................20 82 3.5.7 Summary................................................20 83 4. Limitations.............................................21 84 4.1 Using IPFIX for other Applications than in RFC3917......21 85 4.2 Using a Different Transport Protocol than SCTP..........21 86 4.3 Push vs. Pull Mode......................................21 87 4.4 Template ID number......................................22 88 4.5 Exporting Bidirectional Flow Information................22 89 4.6 IPFIX and IPv6..........................................23 90 5. Security Considerations.................................23 91 6. Normative References....................................24 92 7. Informative References..................................24 93 8. Acknowledgements........................................26 94 9. Authors' Addresses......................................26 95 10. Full Copyright Statement................................27 96 11. Intellectual Property Statement.........................27 97 12. Copyright Statement.....................................28 98 13. Disclaimer..............................................28 100 1. Introduction 102 The IPFIX protocol defines how IP Flow information can be 103 exported from routers, measurement probes or other devices. It 104 is intended to provide this information as input to various 105 applications. IPFIX is a general data transport protocol, easily 106 extensible to suit the needs of different applications. This 107 document describes how typical applications that can use the 108 IPFIX protocol. It shows opportunities and limitations of the 109 protocol. Furthermore, the relationship of IPFIX to other 110 frameworks and architectures is described. 112 2. Applications of IPFIX 114 IPFIX data enables several critical applications. The IPFIX 115 target applications and the requirements that originate from 116 those applications are described in [RFC3917]. Those 117 requirements were used as basis for the design of the IPFIX 118 protocol. This section describes how these target applications 119 can use the IPFIX protocol. Considerations for using IPFIX for 120 other applications than described in [RFC3917] can be found in 121 section 4.1. 123 2.1 Accounting 125 Usage based accounting is one of the major applications for 126 which the IPFIX protocol has been developed. IPFIX records 127 provide fine-grained measurement results for highly flexible and 128 detailed resource usage accounting. 129 In order to realize usage-based accounting with IPFIX the flow 130 definition has to be chosen in accordance to the tariff model. 131 Flows can be distinguished by various IEs (e.g. packet header 132 fields) from [IPFIX-INFO]. Due to the flexible IPFIX flow 133 definition, arbitrary flow-based accounting models can be 134 realized without extensions to the IPFIX protocol. 136 A tariff can, for instance, be based on individual end-to-end 137 flows, in which case accounting can be realized with a flow 138 definition determined by the quintuple consisting of source 139 address (sourceIPv4Address), destination address 140 (destinationIPv4Address), protocol (protocolIdentifier) and port 141 numbers (e.g., udpSourcePort, udpDestinationPort). Another 142 example is a class-dependent tariff (e.g. in a DiffServ 143 network). In this case flows could be distinguished just by the 144 DiffServ codepoint (DSCP) (ipDiffServCodePoint) and IP addresses 145 (sourceIPv4Address, destinationIPv4Address). The essential 146 elements needed for accounting are the number of transferred 147 packets and bytes per flow, which can be represented by the per- 148 flow counter IEs (e.g., packetTotalCount, octetTotalCount). 150 For accounting purposes, it would be advantageous to have the 151 ability to use IPFIX flow records as accounting input in an AAA 152 infrastructure. AAA servers then could provide the mapping 153 between user and flow information. 155 Note that the reliability requirements defined in [RFC3917] are 156 not sufficient to guarantee the level of reliability that is 157 needed for many usage-based accounting systems. Particular 158 reliability requirements for accounting systems are discussed in 159 [RFC2975]. 161 2.1.1 Example 162 Please note: [RFC3330] demands the use of the address block 163 192.0.2.0/24 for example addresses. In the example below we use 164 two example networks. In order to be conformant to [RFC3330] we 165 divide the given address block into two networks by subnetting 166 with a 25 bit netmask (192.0.2.0/25) as follows: 168 Network A: 192.0.2.0 ... 192.0.2.127 169 Network B: 192.0.2.128 ... 192.0.2.255 171 Let's suppose someone has a Service Level Agreement (SLA) in a 172 DiffServ network requiring accounting based on traffic volume. 173 Flows are distinguished by source and destination address. The 174 information to export in this case is: 175 - IPv4 source IP address: sourceIPv4Address in [IPFIX-INFO], 176 with a length of 4 octets 177 - IPv4 destination IP address: destinationIPv4Address in 178 [IPFIX-INFO], with a length of 4 octets 179 - DSCP: ipDiffServCodePoint in [IPFIX-INFO], with a length of 180 1 octet 181 - Number of octets of the Flow: OctetDeltaCount in [IPFIX- 182 INFO], with a length of 4 octets 184 The template set will look as follows: 186 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 187 | Set ID = 2 | Length = 24 octets | 188 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 189 | Template ID 256 | Field Count = 4 | 190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 191 |0| sourceIPv4Address = 8 | Field Length = 4 | 192 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 193 |0| destinationIPv4Address = 12 | Field Length = 4 | 194 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 195 |0| ipDiffServCodePoint = 195 | Field Length = 1 | 196 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 197 |0| OctetDeltaCount = 1 | Field Length = 4 | 198 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 200 The information to be exported might be as listed in the 201 following example table: 203 Src. IP addr. | Dst. IP addr. | DSCP | Octets Number 204 --------------+---------------+--------+-------------- 205 192.0.2.12 | 192.0.2.144 | 46 | 120868 206 192.0.2.24 | 192.0.2.156 | 46 | 310364 207 192.0.2.36 | 192.0.2.168 | 46 | 241239 209 In the example we use Diffserv CodePoint 46, recommended for the 210 Expedited Forwarding Per Hop Behavior (EF PHB) in [RFC2598]. 212 The Flow Records will then look as follows: 214 0 1 2 3 215 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 216 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 217 | Set ID = 256 | Length = 43 | 218 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 219 | 192.0.2.12 | 220 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 221 | 192.0.2.144 | 222 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 223 | 46 | 120868 | 224 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 225 | | 192.0.2.24 | 226 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 227 | | 192.0.2.156 | 228 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 229 | | 46 | 310364 | 230 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 231 | | 192.0.2.36 | 232 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 233 | | 192.0.2.168 | 234 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 235 | | 46 | | 236 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 237 | 241239 | 238 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 240 2.2 Traffic Profiling 241 Measurement results reported in IPFIX records can be used for 242 traffic profiling. IPFIX records captured over a long period of 243 time can be used to track and anticipate network growth and 244 usage. Such Information is valuable for trend analysis and 245 network planning. 247 The parameters of interest are determined by the profiling 248 objectives. Example parameters for traffic profiling are flow 249 duration, flow volume, burstiness, the distribution of used 250 services and protocols, the amount of packets of a specific 251 type, etc. [RFC3917]. 253 The distribution of services and protocols in use can be 254 analyzed by configuring appropriate flows keys for flow 255 discrimination. Protocols can be distinguished by the 256 protocolIdentifier IE. Portnumbers (e.g., udpDestinationPort) 257 often provide information about services in use. Those flow keys 258 are defined in [IPFIX-INFO]. If portnumbers are not sufficient 259 for service discrimination, further parts of the packet may be 260 needed. Header fields can be expressed by IEs from [IPFIX-INFO] 261 Packet payload can be reported by using the IE 262 ipPayloadPacketSection in [PSAMP-INFO]. 264 The flow duration can be calculated from the flow time stamp IEs 265 defined in [IPFIX-INFO] (e.g., flowEndMicroseconds - 266 flowStartMicroseconds). The number of packets and number of 267 bytes of a flow are represented in the per-flow counter IEs 268 (e.g., packetTotalCount, octetTotalCount). The burstiness of a 269 flow can be calculated from the flow volume measured at 270 different time intervals. 272 2.3 Traffic Engineering 274 Traffic engineering aims at the optimization of network resource 275 utilization and traffic performance [RFC2702]. Typical 276 parameters are link utilization, load between specific network, 277 nodes, number, size and entry/exit points of active flows and 278 routing information [RFC3917]. 279 Size of flows in packets and bytes can be reported by IEs 280 packetTotalCount, octetTotalCount. Link utilization can be 281 reported by using a coarse grained flow definition (e.g. based 282 on identifier IEs such as egressInterface or ingressInterface) 283 and per-flow counter IEs (e.g. packetTotalCount, 284 octetTotalCount) defined in [IPFIX-INFO]. 286 The load between specific network nodes can be reported in the 287 same way if one interface of a network node receives only 288 traffic from exactly one neighbor node (as usually the case). If 289 the ingress interface is not sufficient for an unambiguous 290 identification of the neighbor node, sub-IP header fields IEs 291 (like sourceMacAddress) can be added as flow keys. 293 The IE observedFlowTotalCount provides the number of all flows 294 exported for the observation domain since the last 295 initialization of the metering process [IPFIX-INFO]. If this IE 296 is exported at subsequent points in time, one can derive the 297 number of active flows in a specific time interval from the 298 difference of the reported counters. The configured flow 299 termination criteria have to be taken into account to interpret 300 that numbers correctly. 302 Entry and exit points can be derived from flow records if 303 metering processes are installed at all edges of the network and 304 results are mapped in accordance to flow keys. For this and 305 other analysis methods that require the mapping of records from 306 different observation points, the same flow keys should be used 307 at all observation points. The path that packets take through a 308 network can be investigated by using hash-based sampling 309 techniques as described in [DuGr00] and [PSAMP-TECH]. For this 310 IEs from [PSAMP-INFO] are needed. 312 Neither [IPFIX-INFO] nor [PSAMP-INFO] defines IEs suitable for 313 exporting routing information. 315 2.4 Network Security 317 Attack and intrusion detection are among the IPFIX target 318 applications described in [RFC3917]. Due to the enormous amount 319 of different network attack types, only general requirements 320 could be addressed in [RFC3917]. 322 IPFIX can export flow information for arbitrary flow definitions 323 as defined in [IPFIX-PROTO]. Packet information can be exported 324 with IPFIX by using the additional information elements 325 described in [PSAMP-INFO]. With this theoretically all 326 information about traffic in the network at IP layer and above 327 is accessible. This data can be used either directly to detect 328 anomalies or can provide the basis for further post processing 329 to generate more complex attack detection metrics. 331 Depending on the attack type different metrics are useful. A 332 sudden increase of traffic load can be a hint that an attack has 333 been launched. The overall traffic at an observation point can 334 be monitored using per-flow counter IEs like packetTotalCount, 335 octetTotalCount as described in 2.3. The number of active flows 336 can be monitored by regular reporting of the 337 observedFlowTotalCount. 339 A sudden increase of flows from different sources to one 340 destination may be caused by an attack on a specific host or 341 network node using spoofed addresses. Many flows to the same 342 machine but on different ports or many flows to the same port 343 and different machines may be an indicator for vertical or 344 horizontal port scanning activities. An unusual ratio of TCP-SYN 345 to TCP-FIN packets can refer to SYN-flooding. Worms may leave 346 signatures in traffic patterns. 348 The amount of metrics useful for attack detection is as diverse 349 as attack patterns themselves. Attackers adapt rapidly to 350 circumvent detection methods and try to hide attack patterns 351 using slow or stealth attacks. Furthermore, unusual traffic 352 patterns are not always caused by malicious activities. A sudden 353 traffic increase may be caused by legitimate users who seek 354 access to a recently published content. Strange traffic patterns 355 may also be caused by mis-configuration. 357 The difficult task is the separation of good from bad packets to 358 prepare and launch counteraction. This may require a deeper look 359 into packet content by using further header field IEs from 360 [IPFIX-INFO] and/or packet payload from IE 361 ipPayloadPacketSection in [PSAMP-INFO]. Multi-step analysis 362 techniques may be useful, e.g., to launch an in-depth analysis 363 (e.g. based on packet information) in case the flow information 364 shows suspicious patterns. In order to supervise traffic to a 365 specific host or network node one has to apply filtering methods 366 as those described in [PSAMP-TECH]. 368 Mapping the two directions of a communication is often useful 369 for checking correct protocol behavior (see section 4.5). A 370 correlation of IPFIX data from multiple observation points (see 371 section 2.5.1) allows assessing the propagation of an attack and 372 can help to locate its source. 374 The integration of previous measurement results helps to review 375 traffic changes over time for detection of traffic anomalies and 376 provides the basis for forensic analysis. A standardized storage 377 format for IPIFX data would support the offline analysis of data 378 from different operators. 380 Nevertheless, capturing full packet traces at all observation 381 points in the network is not viable due to resource limitations 382 and privacy concerns. Therefore metrics should be chosen wisely 383 to allow a solid detection with minimal resource consumption. 385 Resources can be saved for instance by using coarser grained 386 flow definitions, reporting pre-processed metrics (e.g. with 387 additional information elements) or deployment of sampling 388 methods. 390 Detecting security incidents in real-time often requires the 391 pre-processing of data already at the measurement device. 392 Immediate data export in case of a potential incident is 393 desired. IPIFX supports such source-triggered exporting of 394 information due to the push model approach. Nevertheless, 395 further exporting criteria have to be implemented to export 396 IPFIX records upon incident detection events and not only upon 397 flow end or fixed time intervals. 399 Security incidents can become a threat to IPFIX processes 400 themselves (see also security considerations in [IPFIX-PROTO]). 401 If an attack generates a large amount of flows (e.g. by sending 402 packets with spoofed addresses or simulating flow termination) 403 exporting and collecting process may get overloaded by the 404 immense amount of records that are exported. A flexible 405 deployment of packet or flow sampling methods can prevent the 406 exhaustion of resources. 408 Intrusion detection would profit from the combination of IPFIX 409 functions with AAA functions (see section 3.4). Such an 410 interoperation enables further means for attacker detection, 411 advanced defense strategies and secure inter-domain cooperation. 413 2.5 QoS Monitoring 415 QoS monitoring is one target application of the IPFIX protocol 416 [RFC3917]. QoS monitoring is the passive observation of the 417 transmission quality for single flows or traffic aggregates in 418 the network. One example of its use is the validation of QoS 419 guarantees in service level agreements (SLAs). Typical QoS 420 parameters are loss [RFC2680], one-way [RFC2679] and round-trip 421 delay [RFC2681] and delay variation [RFC3393]. The calculation 422 of those QoS metrics requires per-packet processing. Reporting 423 packet information with IPFIX is possible by simply considering 424 a single packet as flow. [IPFIX-PROTO] also allows the reporting 425 of multiple identical information elements in one flow record. 426 Using this feature for reporting information about multiple 427 packets in one record would require additional agreement on 428 semantics regarding the order of information elements (e.g. 429 which timestamp belongs to which packet payload in a sequence of 430 information elements). [PSAMP-INFO] defines useful additional 431 information elements for exporting per packet information with 432 IPFIX. 434 2.5.1 Correlating Events from Multiple Observation Points 436 Some QoS metrics require the correlation of data from multiple 437 observation points. For this the clocks of the involved metering 438 processes must be synchronized. Furthermore, it is necessary to 439 recognize that the same packet was observed at different 440 observation point. 441 This can be done by capturing parts of the packet content 442 (packet header and/or parts of the payload) that do not change 443 on the way to the destination. Based on the packet content it 444 can be recognized when the same packet arrived at another 445 observation point. To reduce the amount of measurement data a 446 unique packet ID can be calculated from the packet content e.g. 447 by using a CRC or hash function instead of transferring and 448 comparing the unprocessed content. Considerations on collision 449 probability and efficiency of using such packet IDs are 450 described in [GrDM98, DuGr00, ZsZC01]. 452 IPFIX allows the reporting of several IP and transport header 453 fields (see section 5.3 and 5.4 in [IPFIX-INFO]). Using only 454 those fields for packet recognition or ID generation can be 455 sufficient in scenarios where those header fields vary a lot 456 among subsequent packets, where a certain amount of packet ID 457 collisions is tolerable or where packet IDs need to be unique 458 only for a small time interval. 460 For including packet payload information the information element 461 ipPayloadPacketSection defined in [PSAMP-INFO] can be used. The 462 information element ipHeaderPacketSection can also be used. But 463 header fields that can change on the way from source to 464 destination have to be excluded from the packet ID generation, 465 because they may differ at different observation points. 467 For reporting packet IDs generated by a CRC or hash function the 468 information element digestHashValue defined in [PSAMP-INFO] can 469 be used. 471 2.5.2 Examples 473 The following examples show which information elements need to 474 be reported by IPFIX to generate specific QoS metrics. As an 475 alternative the metrics can be generated directly at the 476 exporter and IPIFX can be used to export the metrics (see 477 section 2.7) 479 2.5.2.1 RTT measurements with packet pair matching (single-point) 480 The passive measurement of round-trip-times (RTT) can be 481 performed by using packet pair matching techniques as described 482 in [Brow00]. For the measurements, request/response packet pairs 483 from protocols such as DNS, ICMP, SNMP or TCP (SYN/SYN_ACK, 484 DATA/ACK) are utilized to passively observe the RTT [Brow00]. 485 This technique requires the correlation of data from both 486 directions. 488 Required information elements per packet (DNS example): 489 - Packet arrival time: observationTimeMicroseconds [PSAMP-INFO] 490 - DNS header: ipPayloadPacketSection [PSAMP-INFO] 492 Required functions: 493 - Recognition of request/response packet pairs 495 Remarks: 496 - Requires information elements from [PSAMP-INFO] 497 - observationTimeMicroseconds can be substituted by 498 flowStartMicroseconds [IPFIX-INFO], because a single packet 499 can be represented as a flow. 500 - If time values with a higher granularity are needed 501 observationTimeNanoseconds can be used. 503 2.5.2.2 One-way Delay Measurements (multi-point) 505 Passive one-way-delay measurements require the collection of 506 data at two observation points. The recognition of packets at 507 the second observation point can be based on parts of the packet 508 content directly. A more efficient way is to use a packet ID 509 (generated from packet content). 511 Required information elements per packet (with packet ID): 512 - Packet arrival time: observationTimeMicroseconds [PSAMP-INFO] 513 - Packet ID: digestHashValue [PSAMP-INFO] 515 Required functions: 516 - packet ID generation 517 - delay calculation (from arrival times at the two observation 518 points) 520 Remarks: 521 - Requires information elements from [PSAMP-INFO] 522 - observationTimeMicroseconds can be substituted by 523 flowStartMicroseconds [IPFIX-INFO], because a single packet 524 can be represented as a flow. 525 - If time values with a higher granularity are needed 526 observationTimeNanoseconds can be used. 528 - The amount of content used for ID generation influences the 529 number of collisions (different packets that map to the same 530 ID) that can occur. Investigations on this and other 531 considerations on packet ID generation can be found in 532 [GrDM98], [DuGr00], and [ZsZC01]. 534 2.6 Inter-Domain Exchange of IPFIX data 536 IPFIX data can be used to share information with neighbor 537 providers. A few recommendations should to be considered if 538 IPFIX records travel over the public Internet compared to its 539 usage within a single domain. First of all, security threats are 540 higher if data travels over the public Internet. Protection 541 against disclosure or manipulation of data is even more 542 important than for intra-domain usage. Therefore IPsec or 543 Transport Layer Security (TLS) should be used as described in 544 [IPFIX-PROTO]. 546 Furthermore data transfer should be congestion-aware in order to 547 allow untroubled co-existence with other data flows. That means 548 transport over SCTP or TCP is required. 550 Some ISPs are still reluctant to share information due to 551 concerns that competing ISPs might exploit network information 552 from neighbor providers to strengthen their own position in the 553 market. Nevertheless, technical needs have already triggered the 554 exchange of data in the past (e.g. exchange of routing 555 information by BGP). The need to provide inter-domain guarantees 556 is one big incentive to increase inter-domain cooperation. The 557 necessity to defend networks against current and future threats 558 (denial of service attacks, worm distributions, etc.) will 559 hopefully increase the willingness to exchange measurement data 560 between providers. 562 2.7 Export of Derived Metrics 564 The IPFIX protocol is used to transport flow and packet 565 information to provide the input for the calculation of a 566 variety metrics (e.g. for QoS validation or attack detection). 567 IPFIX can also be used to transfer these metrics directly, e.g. 568 if the metric calculation is co-located with measurement and 569 exporting process. 571 It doesn't matter which measurement and post-processing 572 functions are applied to generate a specific metric. IPFIX can 573 be used to transport the results from passive and active 574 measurements and from post-processing operations. For the 575 reporting of derived metrics additional information elements 576 need to be defined. 578 2.8 Summary 580 The following table shows an overview of the information 581 elements required for the target applications described in 582 [RFC3917] (M-mandatory, R-recommended, O-optional). 584 | Application |[IPFIX-INFO]| [PSAMP-INFO] | additional IEs | 585 +-------------+------------+--------------+-----------------+ 586 | Accounting | M | - | - | 587 +-------------+------------+--------------+-----------------+ 588 | Traffic | M | O | - | 589 | Profiling | | | | 590 +-------------+------------+--------------+-----------------+ 591 | Traffic | M | - | O | 592 | Engineering | | | (routing info) | 593 +-------------+------------+--------------+-----------------+ 594 | Attack | M | R | R | 595 | Detection | | |(derived metrics)| 596 +-------------+------------+--------------+-----------------+ 597 | QoS | M | M | O | 598 | Monitoring | |(most metrics)|(derived metrics)| 599 +-------------+------------+--------------+-----------------+ 601 For accounting the IEs in [IPFIX-INFO] are sufficient. For 602 traffic profiling additionally IEs from [PSAMP-INFO] can be 603 useful to gain more insight into the traffic. For traffic 604 engineering flow information from [IPFIX-INFO] is sufficient but 605 it would profit from routing information, which could be 606 exported by IPFIX. Attack detection usually profits from further 607 insight into the traffic. This can be achieved with IEs from 608 [PSAMP-INFO]. Furthermore the reporting of derived metrics in 609 additional IEs would be useful. Most QoS metrics require the use 610 of IEs from [PSAMP-INFO]. IEs from [PSAMP-INFO]are also useful 611 for the mapping of results from different observation points as 612 described in section 2.5.1. 614 3. Relation of IPFIX to Other Frameworks and Protocols 616 3.1 IPFIX and PSAMP 618 PSAMP defines packet selection methods, their configuration at 619 routers and probes and the reporting of packet information. 621 PSAMP uses IPIFX as basis for exporting packet information 622 [PSAMP-PROTO]. [PSAMP-INFO] describes further information 623 elements for exporting packet information and reporting 624 configuration information. 626 The main difference between IPFIX and PSAMP is that IPFIX 627 addresses the export of flow records whereas PSAMP addresses the 628 export of packet records. Furthermore, PSAMP explicitly 629 addresses remote configuration. It defines a MIB for the 630 configuration of packet selection processes. Remote 631 configuration is not (yet) addressed in IPFIX, but one could 632 consider extending the PSAMP MIB to also allow configuration of 633 IPFIX processes. 635 3.2 IPFIX and RMON 637 RMON [RFC3577] is a widely used monitoring system that gathers 638 traffic data from RMON Agents in network devices in a general 639 way using SNMP. The RMON MIB is divided into sections, each 640 section providing different monitoring functions. For example, 641 the 'Hosts' section gathers statistics for hosts which are 642 active on the network being monitored. 644 RMON has three MIBs that deal with flow information: 646 - The Application Performance Measurement MIB (APM-MIB) 647 [RFC3729] has a complex system for tracking user application 648 performance, with flow reporting and SLA threshold 649 notification-trigger configuration, and persistence across 650 DHCP lease expirations. It requires full RMON2-MIB 651 protocolDirTable implementation. 653 - The Transport Performance Metrics MIB (TPM-MIB) [RFC4150] 654 breaks out the APM-MIB user flow data into statistics based on 655 the IPPM metrics. It requires APM-MIB and RMON2-MIB. 657 - The Synthetic Sources for Performance Monitoring Algorithms 658 MIB (SSPM-MIB) [RFC4149] is used to configure and run packet 659 and flow generators for performance testing purposes. It 660 requires RMON2-MIB. 662 3.3 IPFIX and IPPM 664 The IPFIX protocol can be used to carry IPPM network performance 665 metrics or information that can be used to calculate those 666 metrics (see sections 2.5 and 2.7). 668 3.4 IPFIX and AAA 669 AAA defines a protocol and architecture for authentication, 670 authorization and accounting for service usage [RFC2903]. The 671 DIAMETER protocol [RFC3588] is used for AAA communication, which 672 is needed for network access services (Mobile IP, NASREQ, and 673 ROAMOPS). The AAA architecture [RFC2903] provides a framework 674 for extending AAA support to other services. DIAMETER defines 675 the exchange of messages between AAA entities, e.g. between AAA 676 clients at access devices and AAA servers, and among AAA 677 servers. DIAMETER is used for the transfer of accounting 678 records. In order to form accounting records for usage-based 679 accounting measurement data from the network is required. IPFIX 680 defines a protocol to export such data from routers, measurement 681 probes and other devices. Therefore it looks promising to 682 connect those two architectures. 684 As shown in section 2.1 accounting can be realized without an 685 AAA infrastructure. Accounting applications can directly 686 incorporate an IPFIX collecting process to receive IPFIX records 687 with information about the transmitted volume. Nevertheless, if 688 an AAA infrastructure is in place, the cooperation between IPFIX 689 and AAA provides many valuable synergistic benefits. IPFIX 690 records can provide the input for AAA accounting functions and 691 provide the basis for the generation of DIAMETER accounting 692 records. Further potential features include the mapping of a 693 user ID to flow information (by using authentication 694 information) or facilitating the secure authorized exchange of 695 DIAMETER accounting records with neighbor domains. The last 696 feature is especially useful in roaming scenarios where the user 697 connects to a foreign network and the home provider generates 698 the invoice. 700 Coupling an IPFIX collecting process with AAA functions has also 701 high potential for intrusion and attack detection. AAA controls 702 network access and maintains data about users and nodes. AAA 703 functions can help to identify the source of malicious traffic. 704 They are able to deny access to suspicious users or nodes. 705 Therefore coupling those functions with an IPFIX collecting 706 process can provide an efficient defense against network 707 attacks. Sharing IPFIX records (either directly or encapsulated 708 in DIAMETER) with neighbor providers allows an efficient inter- 709 domain attack detection. The AAA infrastructure can also be used 710 to configure measurement functions in the network as proposed in 711 [RFC3334]. 713 Two possibilities exist to connect IPFIX and AAA: 715 - Connecting via an AAA Client 716 - Connecting via an Application Specific Module (ASM) 717 Both are explained in the following sections. The approaches 718 only require few additional functions. They do not require any 719 changes to IPFIX or DIAMETER. 721 3.4.1 Connecting via an AAA Client 723 One possibility of connecting IPFIX and AAA is to run an AAA 724 client on the IPFIX collector. This client can generate DIAMETER 725 accounting messages and send them to an AAA server. The mapping 726 of the flow information to a user ID can be done in the AAA 727 server by using data from the authentication process. DIAMETER 728 accounting messages can be sent to the accounting application or 729 to other AAA servers (e.g. in roaming scenarios). 731 +---------+ DIAMETER +---------+ 732 | AAA-S |------------->| AAA-S | 733 +---------+ +---------+ 734 ^ 735 | DIAMETER 736 | 737 | 738 +--+--------+--+ 739 | | AAA-C | | 740 + +--------+ | 741 | | 742 | Collector | 743 +--------------+ 744 ^ 745 | IPFIX 746 | 747 +------------+ 748 | Exporter | 749 +------------+ 751 Figure 2: IPFIX collector connects to AAA server via AAA client 753 3.4.2 Connecting via an Application Specific Module (ASM) 755 Another possibility is to directly connect the IPFIX collector 756 with the AAA server via an application specific module (ASM). 757 Application specific modules have been proposed by the IRTF AAA 758 architecture research group (AAARCH) in [RFC2903]. They act as 759 an interface between AAA server and service equipment. In this 760 case the IPFIX collector is part of the ASM. The ASM acts as an 761 interface between the IPFIX protocol and the input interface of 762 the AAA server. The ASM translates the received IPFIX data into 763 an appropriate format for the AAA server. The AAA server then 764 can add information about the user ID and generate a DIAMETER 765 accounting record. This accounting record can be sent to an 766 accounting application or to other AAA servers. 768 +---------+ DIAMETER +---------+ 769 | AAA-S |------------->| AAA-S | 770 +---------+ +---------+ 771 ^ 772 | 773 +------------------+ 774 | ASM | 775 | +------------+ | 776 | | Collector | | 777 +------------------+ 778 ^ 779 | IPFIX 780 | 781 +------------+ 782 | Exporter | 783 +------------+ 785 Figure 3: IPFIX connects to AAA server via ASM 787 3.5 IPFIX and RTFM 789 The Real-time Traffic Flow Measurement (RTFM) working group 790 defined an architecture for flow measurement [RFC2722]. This 791 section compares the Real-time Traffic Flow Measurement (RTFM) 792 framework with the IPFIX framework. 794 3.5.1 Architecture 796 The RTFM architecture is very similar to the IPFIX architecture. 797 It defines meter, meter reader and a manager as building blocks 798 of the measurement architecture. The manager configures the 799 meter and the meter reader collects data from the meter. 800 In RTFM the building blocks communicate via SNMP. 801 The IPFIX architecture [IPFIX-ARCH] defines metering, exporting 802 and collecting processes. IPFIX speaks about processes instead 803 of devices to clarify that multiple of those processes may be 804 collocated on the same machine. 805 Both definitions do not contradict each other. One could see the 806 metering process as part of the meter and the collecting process 807 as part of the meter reader. 808 One difference is that IPFIX currently does not define a 809 managing process, because remote configuration was at least 810 initially out of scope for the working group. 812 3.5.2 Flow Definition 814 RTFM and IPFIX both consider flows as a group of packets which 815 share a common set of properties. A flow is completely specified 816 by that set of values, together with a termination criterion 817 (like inactivity timeout). 819 A difference is that RTFM defines flows as bidirectional. An 820 RTFM meter matches packets from B to A and A to B as separate 821 parts of a single flow, and maintains two sets of packet and 822 byte counters, one for each direction. 824 IPFIX does not explicitly state whether flows are uni- or 825 bidirectional. Nevertheless information elements for describing 826 flow properties were defined only for one direction in [IPFIX- 827 INFO]. Nevertheless, there are several solutions for reporting 828 bi-directional flow information (see section 4.5). 830 3.5.3 Configuration and Management 832 In RTFM, remote configuration is the only way to configure a 833 meter. This is done by using SNMP and a specific Meter MIB [RFC 834 2720]. The IPFIX group currently does not address IPFIX remote 835 configuration. 837 IPFIX metering processes export the layout of data within their 838 templates, from time to time. IPFIX collecting processes use 839 that template information to determine how they should interpret 840 the IPFIX flow data they receive. 842 3.5.4 Data Collection 844 One major difference between IPFIX and RTFM is the data 845 collection model. RTFM retrieves data in pull mode whereas IPFIX 846 uses a push mode model to send data to collecting processes. 848 An RTFM meter reader pulls data from a meter by using SNMP. SNMP 849 security on the meter determines whether a reader is allowed to 850 pull data from it. An IPFIX exporting process is configured to 851 export records to a specified list of IPFIX collecting 852 processes. The condition when to send IPFIX records (e.g. flow 853 termination) has to be configured in the exporting or metering 854 process. 856 3.5.5 Data Model Details 857 RTFM defines all its attributes in the RTFM Meter MIB [RFC 858 2720]. IPFIX information elements are defined in [IPFIX-INFO]. 860 RTFM uses continuously-incrementing 64-bit counters for the 861 storage of the number of packets of a flow. The counters are 862 never reset and just wrap back to zero if the maximum value is 863 exceeded. Flows can be read at any time. The difference between 864 counter readings gives the counts for activity in the interval 865 between readings. 866 IPFIX allows absolute (totalCounter) and relative counters 867 (deltaCounter) [IPFIX-INFO]. The totalCounter is never reset and 868 just wraps to zero if values are too large, exactly as the 869 counters used in RTFM. The deltaCounter is reset to zero when 870 the associated flow record is exported. 872 3.5.6 Transport Protocol 874 RTFM has a standards-track Meter MIB [RFC 2720], which is used 875 both to configure a meter and to store metering results. The 876 MIB provides a way to read lists of attributes with a single 877 Object Identifier (called a 'package'), which reduces the SNMP 878 overhead for flow data collection. SNMP, of course, normally 879 uses UDP as its transport protocol. Since RTFM requires a 880 reliable flow data transport system, an RTFM meter reader must 881 time out and resend unanswered SNMP requests. Apart from being 882 clumsy, this can limit the maximum data transfer rate from meter 883 to meter reader. 885 IPFIX is designed to work over a variety of different transport 886 protocols. SCTP [RFC2960] and SCTP-PR [RFC3758] are mandatory. 887 UDP and TCP are optional. In addition, the IPFIX protocol 888 encodes data much more efficiently than SNMP does, hence IPFIX 889 has lower data transport overheads than RTFM. 891 3.5.7 Summary 893 IPFIX exports flow information in push model by using SCTP, TCP 894 or UDP. It currently does not address remote configuration. RTFM 895 data collection is using the pull model and runs over SNMP. RTFM 896 addresses remote configuration which also runs over SNMP. Both 897 frameworks allow a very flexible flow definition, although RTFM 898 is based on a bi-directional flow definition. 900 4. Limitations 901 The goal of this section is to show the limitations of IPFIX and 902 to give advice where not to use IPFIX or in which cases 903 additional considerations are required. 905 4.1 Using IPFIX for other Applications than in RFC3917 907 IPFIX provides a generic export mechanism. Due to its template 908 based structure, it is a quite flexible protocol. Network 909 operators and users may want to use it also for other 910 applications than those described in [RFC 3917]. 912 Apart from sending raw flow information it can be used to send 913 aggregated or post-processed data. For this new templates and 914 information elements can be defined if needed. Due to its push 915 mode operation IPFIX is also suited to send network initiated 916 events like alarms and other notifications. It can be used for 917 exchanging information among network nodes to autonomously 918 improve network operation. 920 Nevertheless, the IPFIX design is based on the requirements that 921 originate only from the target applications stated in [RFC 922 3917]. Using IPFIX for other purposes requires a careful 923 checking of IPFIX capabilities against application requirements. 924 Only with this, can one decide whether IPFIX is a suitable 925 protocol to meet the needs of a specific application. 927 4.2 Using a Different Transport Protocol than SCTP 929 SCTP is the preferred protocol for IPFIX, i.e. a conforming 930 implementation must work over SCTP. Although IPFIX can also work 931 over TCP or UDP, both protocols have drawbacks [IPFIX-PROTO]. 932 Users should make sure they have good reasons befor using 933 protocols other than SCTP in a specific environment. 935 4.3 Push vs. Pull Mode 937 IPFIX works in push mode. That means IPFIX records are 938 automatically exported without waiting for a request. 939 The responsibility for initiating a data export lies with the 940 exporting process. 942 Criteria for exporting data need to be configured at the 943 exporting process. Therefore push mode has more benefits if the 944 trigger for data export is related to events at the exporting 945 process (e.g. flow termination, memory shortage due to large 946 amount of flows, etc.). If the protocol used pull mode, the 947 exporting process would need to wait for a request to send the 948 data. With push mode it can send data immediately e.g. before 949 memory shortage would require a discarding of data. 951 With push mode one can prevent the overloading of resources at 952 the exporting process by simply exporting the information as 953 soon as certain thresholds are about to exceed. Therefore 954 exporting criteria are often related to traffic characteristics 955 (e.g. flow timeout) or resource limitations (e.g. size of flow 956 cache). But traffic characteristics are usually quite dynamic 957 and often impossible to predict. If those are used to trigger 958 flow export, the exporting rate and the resource consumption for 959 flow export becomes variable and unpredictable. 961 Pull mode has advantages if the trigger for data export is 962 related to events at the collecting process (e.g. a specific 963 application requests immediate input). 965 In a pull mode, a request could simply be forwarded to the 966 exporting process. In a push mode, the exporting configuration 967 must be changed to trigger the export of the requested data. 968 Furthermore, with pull mode one can prevent the overloading of 969 the collecting process by the arrival of more records than it 970 can process. 972 Whether this is a relevant drawback depends on the flexibility 973 of the IPFIX configuration and how IPFIX configuration rules are 974 implemented. 976 4.4 Template ID number 978 The IPFIX specification limits the different template ID numbers 979 that can be assigned to the newly generated template records in 980 an observation domain. In particular, template IDs up to 255 are 981 reserved for Template or option sets (or other sets to be 982 created) and template IDs from 256 to 65535 are assigned to data 983 sets. In the case of many exports requiring many different 984 templates, the set of Template IDs could be exhausted. 986 4.5 Exporting Bidirectional Flow Information 988 Although IPFIX does not explicitly state that flows are 989 unidirectional, information elements that describe flow 990 characteristics are defined only for one direction in [IPFIX- 991 INFO]. [IPFIX-PROTO] allows the reporting of multiple identical 992 information elements in one flow record. With this information 993 elements for forward and reverse direction can be reported in 994 one flow record. 996 But this is not sufficient. Using this feature for reporting 997 bidirectional flow information would require an agreement on the 998 semantic of information elements (e.g. first counter is counter 999 for the forward direction, second counter for reverse 1000 direction). 1002 Another option is to use two adjacent flow records to report 1003 both directions of a bidirectional flow separately. This 1004 approach requires additional means for mapping those records and 1005 is quite inefficient due to the redundant reporting of flow 1006 keys. 1008 4.6 IPFIX and IPv6 1010 There are two issues to consider: 1012 - Generation and reporting of IPFIX records about IPv6 traffic 1013 - Exporting IPFIX records over IPv6 1015 The generation and reporting of IPFIX records about IPv6 traffic 1016 is possible as appropriate information elements exist in [IPFIX- 1017 INFO]. 1018 Exporting IPFIX records over IPv6 is not explicitly addressed in 1019 [IPFIX-PROTO]. Since IPFIX runs over SCTP, SCTP-PR, UDP or TCP, 1020 it is trivial to run IPFIX over IPv6 networks, provided that the 1021 transport protocol being used to carry IPFIX is running on the 1022 IPv6 network. 1024 5. Security Considerations 1026 This document describes the usage of IPFIX in various scenarios. 1027 Security requirements for IPFIX target applications and security 1028 considerations for IPFIX are addressed in [RFC3917] and [IPFIX- 1029 PROTO]. Those requirements have to be met for the usage of 1030 IPFIX. To our current knowledge, the usage scenarios proposed in 1031 section 2 do not induce further security hazards. 1033 Section 3 of this document describes how IPFIX can be used in 1034 combination with other frameworks. New security hazards can 1035 arise when two individually secure frameworks are combined. For 1036 the combination of AAA with IPFIX an application specific module 1037 (ASM) or an IPFIX collector can function as transit point for 1038 the messages. It has to be ensured that at this point the 1039 applied security mechanisms (e.g. encryption of messages) are 1040 maintained. 1042 6. Normative References 1044 [IPFIX-INFO] J. Quittek, S. Bryant, J. Meyer, "Information Model 1045 for IP Flow Information Export", Internet Draft 1046 , work in progress, May 1047 2005 1049 [IPFIX-PROTO] B. Claise (Editor), "IPFIX Protocol Specification", 1050 Internet Draft , 1051 work in progress, April 2006 1053 [PSAMP-INFO] T. Dietz, F. Dressler, G. Carle, B. Claise, 1054 "Information Model for Packet Sampling Exports", 1055 Internet Draft , work 1056 in progress, March 2006 1058 [RFC3917] J. Quittek, T. Zseby, B. Claise, S. Zander, 1059 "Requirements for IP Flow Information Export", RFC 1060 3917, October 2004 1062 7. Informative References 1064 [Brow00] Nevil Brownlee, "Packet Matching for NeTraMet 1065 Distributions", 1066 http://www2.auckland.ac.nz/net//Internet/rtfm/meeti 1067 ngs/47-adelaide/pp-dist/ 1069 [DuGr00] Nick Duffield, Matthias Grossglauser, "Trajectory 1070 Sampling for Direct Traffic Observation", 1071 Proceedings of ACM SIGCOMM 2000, Stockholm, Sweden, 1072 August 28 - September 1, 2000 1074 [GrDM98] Ian D. Graham, Stephen F. Donnelly, Stele Martin, 1075 Jed Martens, John G. Cleary, "Nonintrusive and 1076 Accurate Measurement of Unidirectional Delay and 1077 Delay Variation on the Internet", INET'98, Geneva, 1078 Switzerland, 21-24 July, 1998 1080 [IPFIX-ARCH] G. Sadasivan, N. Brownlee, B. Claise, J. Quittek, 1081 "Architecture for IP Flow Information Export", 1082 Internet Draft , work in progress, March 2005 1085 [PSAMP-PROTO] Benoit Claise (Ed.), Packet Sampling (PSAMP) 1086 Protocol Specifications, Internet Draft , work in progress, 1088 March 2006 1090 [PSAMP-TECH] T. Zseby, M. Molina, N. Duffield, S. Niccolini, F. 1091 Raspall, "Sampling and Filtering Techniques for IP 1092 Packet Selection" Internet Draft , work in progress, July 2005 1095 [RFC2598] V. Jacobson, K. Nichols, K. Poduri, "An Expedited 1096 Forwarding PHB", RFC 2598, June 1999 1098 [RFC2679] G. Almes, S. Kalidindi, M. Zekauskas, "A One-way 1099 Delay Metric for IPPM", RFC 2679, September 1999 1101 [RFC2680] G. Almes, S. Kalidindi, M. Zekauskas, "A One-way 1102 Packet Loss Metric for IPPM",RFC 2680, September 1103 1999 1105 [RFC2681] G. Almes, S. Kalidindi, M. Zekauskas, "A Round-trip 1106 Delay Metric for IPPM", RFC 2681, September 1999 1108 [RFC2702] D. Awduche, J. Malcolm, J. Agogbua, M. O'Dell, J. 1109 McManus, "Requirements for Traffic Engineering Over 1110 MPLS", RFC 2702, September 1999 1112 [RFC2722] Brownlee, N., Mills, C., G. Ruth, "Traffic Flow 1113 Measurement: Architecture", RFC 2722, October 1999 1115 [RFC2903] C. de Laat, G. Gross, L. Gommans, J. Vollbrecht, D. 1116 Spence, "Generic AAA Architecture", RFC 2903, 1117 August 2000 1119 [RFC2960] R. Stewart (ed.) "Stream Control Transmission 1120 Protocol", RFC 2960, October 2000 1122 [RFC2975] B. Aboba, J. Arkko, D. Harrington, "Introduction to 1123 Accounting Management", RFC 2975, October 2000 1125 [RFC3330] IANA, "Special-Use IPv4 Addresses", RFC 3330 1126 September 2002 1128 [RFC3334] T. Zseby, S. Zander, G. Carle, "Policy-Based 1129 Accounting", RFC 3334, October 2002 1131 [RFC3393] C. Demichelis, P. Cimento, "IP Packet Delay 1132 Variation Metric for IPPM", RFC 3393, November 2002 1134 [RFC3577] S. Waldbusser, R. Cole, C. Kalbfleisch, 1135 D.Romascanu, "Introduction to the Remote Monitoring 1136 (RMON) Family of MIB Module", RFC 3577, August 2003 1138 [RFC3588] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, J. 1139 Arkko, "Diameter Base Protocol", RFC 3588, 1140 September 2003 1142 [RFC3729] S. Waldbusser, "Application Performance Measurement 1143 MIB", RFC 3729, March 2004 1145 [RFC3758] R. Stewart, M. Ramalho, Q. Xie, M. Tuexen, P. 1146 Conrad, "Stream Control Transmission Protocol 1147 (SCTP) Partial Reliability Extension", RFC 3758, 1148 May 2004 1150 [RFC4149] C. Kalbfleisch, R. Cole, D. Romascanu, "Definition 1151 of Managed Objects for Synthetic Sources for 1152 Performance Monitoring Algorithms", RFC 4149, 1153 August 2005 1155 [RFC4150] R. Dietz, R. Cole, "Transport Performance Metrics 1156 MIB", RFC 4150, August 2005 1158 [ZsZC01] T. Zseby, S. Zander, G. Carle, "Evaluation of 1159 Building Blocks for Passive One-way-delay 1160 Measurements", Proceedings of Passive and Active 1161 Measurement Workshop (PAM 2001), Amsterdam, The 1162 Netherlands, April 23-24, 2001 1164 8. Acknowledgements 1166 We would like to thank the following persons for their 1167 contribution, discussion on the mailing list and valuable 1168 comments: 1170 Sebastian Zander 1171 Robert Loewe 1172 Reinaldo Penno 1173 Lutz Mark 1174 Andy Biermann 1176 Part of the work has been developed in the research project 6QM 1177 co-funded with support from the European Commission. 1179 9. Authors' Addresses 1181 Tanja Zseby 1182 Fraunhofer Institute for Open Communication Systems (FOKUS) 1183 Kaiserin-Augusta-Allee 31 1184 10589 Berlin, Germany 1185 Phone: +49 30 3463 7153 1186 Email: zseby@fokus.fhg.de 1188 Elisa Boschi 1189 Hitachi Europe SAS 1190 Immeuble Le Theleme 1191 1503 Route des Dolines 1192 06560 Valbonne, France 1193 Phone: +33 4 89874180 1194 Email: elisa.boschi@hitachi-eu.com 1196 Nevil Brownlee 1197 CAIDA (UCSD/SDSC) 1198 9500 Gilman Drive 1199 La Jolla, CA 92093-0505 1200 Phone : +1 858 534 8338 1201 Email : nevil@caida.org 1203 Benoit Claise 1204 Cisco Systems 1205 De Kleetlaan 6a b1 1206 1831 Diegem 1207 Belgium 1208 Phone: +32 2 704 5622 1209 Email: bclaise@cisco.com 1211 10.Full Copyright Statement 1213 "Copyright (C) The Internet Society (2006). All Rights Reserved. 1214 This document and translations of it may be copied and furnished 1215 to others, and derivative works that comment on or otherwise 1216 explain it or assist in its implementation may be prepared, 1217 copied, published and distributed, in whole or in part, without 1218 restriction of any kind, provided that the above copyright 1219 notice and this paragraph are included on all such copies and 1220 derivative works. However, this document itself may not be 1221 modified in any way, such as by removing the copyright notice or 1222 references to the Internet Society or other Internet 1223 organizations, except as needed for the purpose of developing 1224 Internet standards in which case the procedures for copyrights 1225 defined in the Internet Standards process must be followed, or 1226 as required to translate it into. 1228 11. Intellectual Property Statement 1230 The IETF has been notified by Cisco of intellectual property 1231 rights claimed in regard to some or all of the specification 1232 contained in this document. For more information, see 1233 http://www.ietf.org/ietf/IPR/cisco-ipr-draft-ietf-ipfix-as- 1234 02.txt 1236 The IETF takes no position regarding the validity or scope of 1237 any Intellectual Property Rights or other rights that might be 1238 claimed to pertain to the implementation or use of the 1239 technology described in this document or the extent to which any 1240 license under such rights might or might not be available; nor 1241 does it represent that it has made any independent effort to 1242 identify any such rights. Information on the procedures with 1243 respect to rights in RFC documents can be found in BCP 78 and 1244 BCP 79. 1246 Copies of IPR disclosures made to the IETF Secretariat and any 1247 assurances of licenses to be made available, or the result of an 1248 attempt made to obtain a general license or permission for the 1249 use of such proprietary rights by implementers or users of this 1250 specification can be obtained from the IETF on-line IPR 1251 repository at http://www.ietf.org/ipr. 1253 The IETF invites any interested party to bring to its attention 1254 any copyrights, patents or patent applications, or other 1255 proprietary rights that may cover technology that may be 1256 required to implement this standard. Please address the 1257 information to the IETF at ietf-ipr@ietf.org. 1259 12. Copyright Statement 1261 Copyright (C) The Internet Society (2006). This document is 1262 subject to the rights, licenses and restrictions contained in 1263 BCP 78, and except as set forth therein, the authors retain all 1264 their rights. 1266 13. Disclaimer 1268 This document and the information contained herein are provided 1269 on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE 1270 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND 1271 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, 1272 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY 1273 THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY 1274 RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS 1275 FOR A PARTICULAR PURPOSE.