idnits 2.17.1 draft-ietf-ipfix-flow-selection-tech-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of lines with control characters in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 14, 2011) is 4792 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC 2051' is mentioned on line 606, but not defined -- Obsolete informational reference (is this intentional?): RFC 5101 (Obsoleted by RFC 7011) -- Obsolete informational reference (is this intentional?): RFC 5102 (Obsoleted by RFC 7012) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force L. Peluso 3 Internet-Draft University of Napoli 4 Intended status: Standards Track T. Zseby 5 Expires: September 15, 2011 Fraunhofer Institute FOKUS 6 S. D'Antonio 7 CINI Consortium/University of 8 Napoli "Parthenope" 9 C. Henke 10 Fraunhofer Institute FOKUS 11 March 14, 2011 13 Flow Selection Techniques 14 draft-ietf-ipfix-flow-selection-tech-05.txt 16 Abstract 18 Flow selection is the process of selecting a subset of flows from all 19 flows observed at an observation point. The objective of flow 20 selection is to reduce the effort of post-processing flow data and 21 transferring flow records. The flow selection process can be enabled 22 at different stages of the measurement process. It can be applied 23 either directly after classification or at recording/exporting time 24 by limiting the number of flows to be stored and/or exported to the 25 collecting process. This document describes motivations for flow 26 selection and presents flow selection techniques. It furthermore 27 provides an information model for configuring flow selection 28 techniques and discusses what information about a flow selection 29 process is worth exporting through a suitable information model. 31 Requirements Language 33 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 34 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 35 document are to be interpreted as described in RFC 2119 [RFC2119]. 37 Status of this Memo 39 This Internet-Draft is submitted in full conformance with the 40 provisions of BCP 78 and BCP 79. 42 Internet-Drafts are working documents of the Internet Engineering 43 Task Force (IETF). Note that other groups may also distribute 44 working documents as Internet-Drafts. The list of current Internet- 45 Drafts is at http://datatracker.ietf.org/drafts/current/. 47 Internet-Drafts are draft documents valid for a maximum of six months 48 and may be updated, replaced, or obsoleted by other documents at any 49 time. It is inappropriate to use Internet-Drafts as reference 50 material or to cite them other than as "work in progress." 52 This Internet-Draft will expire on September 15, 2011. 54 Copyright Notice 56 Copyright (c) 2011 IETF Trust and the persons identified as the 57 document authors. All rights reserved. 59 This document is subject to BCP 78 and the IETF Trust's Legal 60 Provisions Relating to IETF Documents 61 (http://trustee.ietf.org/license-info) in effect on the date of 62 publication of this document. Please review these documents 63 carefully, as they describe your rights and restrictions with respect 64 to this document. Code Components extracted from this document must 65 include Simplified BSD License text as described in Section 4.e of 66 the Trust Legal Provisions and are provided without warranty as 67 described in the Simplified BSD License. 69 This document may contain material from IETF Documents or IETF 70 Contributions published or made publicly available before November 71 10, 2008. The person(s) controlling the copyright in some of this 72 material may not have granted the IETF Trust the right to allow 73 modifications of such material outside the IETF Standards Process. 74 Without obtaining an adequate license from the person(s) controlling 75 the copyright in such materials, this document may not be modified 76 outside the IETF Standards Process, and derivative works of it may 77 not be created outside the IETF Standards Process, except to format 78 it for publication as an RFC or to translate it into languages other 79 than English. 81 Table of Contents 83 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 84 2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 85 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 86 4. Flow selection as a function of the IPFIX Exporter . . . . . . 7 87 4.1. Flow selection in the metering process . . . . . . . . . . 9 88 4.2. Flow selection in the Flow Recording Process . . . . . . . 9 89 4.3. Flow selection during the export process . . . . . . . . . 11 90 5. Flow selection as a function of the IPFIX Mediator . . . . . . 12 91 6. Flow selection techniques . . . . . . . . . . . . . . . . . . 14 92 6.1. Flow selection based on flow record content . . . . . . . 14 93 6.2. Flow selection based on flow record arrival time or 94 sequence . . . . . . . . . . . . . . . . . . . . . . . . . 14 95 6.3. Flow selection on external events . . . . . . . . . . . . 14 96 7. Information model for flow selection information export . . . 14 97 7.1. Meter process related (TBD1-TBD3) . . . . . . . . . . . . 16 98 7.1.1. fsNotMetPacketTsFirst . . . . . . . . . . . . . . . . 17 99 7.1.2. fsNotMetPacketTsLast . . . . . . . . . . . . . . . . . 17 100 7.1.3. fsNotMetBytesCount . . . . . . . . . . . . . . . . . . 18 101 7.2. Flow Recording Process related (TBD4-TBD11) . . . . . . . 18 102 7.2.1. fsNotExpPacketDroppedRecPrTsFirst . . . . . . . . . . 18 103 7.2.2. fsNotExpPacketDroppedRecPrTsLast . . . . . . . . . . . 19 104 7.2.3. fsNotExpByteInDroppedRecPrCount . . . . . . . . . . . 19 105 7.2.4. fsFlowRecDroppedRecPrTsFirst . . . . . . . . . . . . . 20 106 7.2.5. fsFlowRecDroppedRecPrTsLast . . . . . . . . . . . . . 20 107 7.2.6. fsFlowRecNotExpRecPrCount . . . . . . . . . . . . . . 20 108 7.2.7. fsPacketNotExpRecPrCount . . . . . . . . . . . . . . . 21 109 7.2.8. fsBytesNotExpRecPrCount . . . . . . . . . . . . . . . 21 110 7.3. Flow export process related (TBD12-TBD19) . . . . . . . . 21 111 7.3.1. fsPacketNotExpInDroppedFlowRecTsFirst . . . . . . . . 22 112 7.3.2. fsPacketNotExpInDroppedFlowRecTsLast . . . . . . . . . 22 113 7.3.3. fsBytesNotExpInDroppedFlowRecCount . . . . . . . . . . 23 114 7.3.4. fsFlowRecDroppedExpPrTsFirst . . . . . . . . . . . . . 23 115 7.3.5. fsFlowRecDroppedExpPrTsLast . . . . . . . . . . . . . 24 116 7.3.6. fsFlowRecNotExpCount . . . . . . . . . . . . . . . . . 24 117 7.3.7. fsPacketNotExpCount . . . . . . . . . . . . . . . . . 24 118 7.3.8. fsBytesNotExpCount . . . . . . . . . . . . . . . . . . 25 119 8. Implementation requirements . . . . . . . . . . . . . . . . . 25 120 9. Information Model for Configuration of Flow Selection 121 Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . 25 122 9.1. flowSelectorMethod . . . . . . . . . . . . . . . . . . . . 26 123 9.2. flowMaxAdmitFlowRecords . . . . . . . . . . . . . . . . . 27 124 9.3. flowRecordBytesSize . . . . . . . . . . . . . . . . . . . 27 125 9.4. flowRecordPacketsSize . . . . . . . . . . . . . . . . . . 28 126 9.5. flowInactivityTime . . . . . . . . . . . . . . . . . . . . 28 127 9.6. ipVersion . . . . . . . . . . . . . . . . . . . . . . . . 29 128 9.7. sourceIPv4Address . . . . . . . . . . . . . . . . . . . . 29 129 9.8. destinationIPv4Address . . . . . . . . . . . . . . . . . . 29 130 9.9. sourceIPv6Address . . . . . . . . . . . . . . . . . . . . 30 131 9.10. destinationIPv6Address . . . . . . . . . . . . . . . . . . 30 132 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 133 11. Security Considerations . . . . . . . . . . . . . . . . . . . 30 134 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31 135 12.1. Normative References . . . . . . . . . . . . . . . . . . . 31 136 12.2. Informative References . . . . . . . . . . . . . . . . . . 31 137 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 32 139 1. Introduction 141 This document describes flow selection techniques for traffic 142 measurements. As stated in [RFC5475], packet selection is the 143 process of selecting a subset of packets among those collected at an 144 observation point. The element on which this selection mechanism is 145 performed is a single packet and the selection decision is random, 146 deterministic or based on packet properties. In contrast to this, 147 flow selection techniques consider flows as the basic elements on 148 which a selection process is performed. A flow is defined as a set 149 of packets with common properties [RFC5101]. Flow selection reduces 150 the resource demands for capturing, storing, exporting and post- 151 processing flow-based measurement results. Flow state dependent 152 packet sampling allows for reducing reource usage while capturing 153 traffic packets since only a subset of the observed packets is 154 captured depending on the values of variables describing flow state. 155 In case an elephant flow has to be selected, then all packets have to 156 be captured and, therefore, there is no gain deriving from the use of 157 flow state dependent packte sampling. In this case a dynanic 158 extraction of flow definitions corresponding to large flows would be 159 beneficial [EsVa01]. Maintaining and exporting all flow records to 160 the collecting process can exhaust available resources with the 161 result that measurement data is discarded which reduces the utility 162 of the measurement data and makes accurate estimations impossible. 163 Flow Selection can be applied to only select flows that are of 164 interest for a certain application or to select a representative 165 subset of the flows. Selecting representative subsets of flows 166 allows for flow characteristic estimation while reducing the 167 measurement data. Example applications in which flow selections can 168 be applied are accounting, attack and intrusion detection, traffic 169 engineering, traffic classification, etc.. In many networks few 170 large flows contribute to the majority of the overall traffic volume 171 [DuLT01a], [DuLT01b], which is also referred to as "Quasi-Zipf-Law" 172 [KuXW04]. This "elephant and mice" phenomenon plays an important 173 role in flow based measurements as it poses challenges on the flow 174 selection process depending on the application and the available 175 resources. For example in accounting purposes it is useful to 176 concentrate on the so-called "heavy hitter" flows to cope with a 177 limited flow cache size or limited transmission capacity in times 178 when resources are scarce. 180 2. Scope 182 This document describes flow selection techniques and their 183 parameters. It addresses the configuration of flow selection 184 techniques and defines which information should be reported by 185 devices that perform flow selection. It only describes processes 186 directly acting on traffic flows during the metering phase and/or the 187 export phase. Therefore it is assumed that flow selection is 188 performed after packets are classified into flows. This document 189 does not address the flow selection effects that might arise from 190 sampling or filtering packets in the metering process before the 191 classification process is performed. Such packet selection 192 techniques are described in [RFC5475] and, therefore, are out of the 193 scope of this document. 195 3. Terminology 197 In this document, as in [RFC5101] and [RFC5476], the first letter of 198 each IPFIX-specific and PSAMP-specific term is capitalized along with 199 the IPFIX Mediation-specific terms defined here. This document is 200 consistent with the terminology introduced in [RFC5101], [RFC5470], 201 [RFC5475] and [RFC3917]. Further some additional terms are presented 202 which extend the terminology. 204 * Classification 206 Is a filtering process in which packets are mapped to specific 207 flow records based on the packet properties. These properties 208 make up the flow key (e.g. header information, packet content, AS 209 number). In case a flow record for this specific flow key already 210 exist the flow record is updated, otherwise a new flow record is 211 created. 213 * Flow Recording Process 215 The Flow Recording Process maintains the flow records during the 216 Metering Process. It is responsible for creating new Flow 217 Records, updating and deleting existing ones, computing Flow 218 statistics, detecting Flow expiration times and passing the Flow 219 Records to the Export Process. 221 * Flow Selection Process 223 A Flow Selection Process takes classified packets or flow records 224 as its input and selects a subset of that set as its output. A 225 Flow Selection Process MAY run on several instances within the 226 IPFIX architecture. A Flow Selection Process SHOULD BE used by 227 the Metering Process to reduce the amount of resources for flow 228 recording. A Flow Selection Process MAY also be part of an IPFIX 229 export process and MAY be available as an Intermediate Selection 230 Process running on an IPFIX Mediator. 232 * Flow Selection State 233 A Flow Selection Process may maintain state information for use by 234 the Flow Selection Process. At a given time, the Flow Selection 235 State may depend on flows observed at and before that time, as 236 well as other variables. Examples include: 238 (i) number of accounted flow records; 240 (ii) memory space available for flow recording; 242 (iii) state of the pseudorandom number generators; 244 (iv) hash values calculated during the selection. 246 (v) timestamps of flow observation (e.g. first or last packet 247 of flow) and flow duration 249 * Flow Selector 251 A Flow Selector defines the action of a Flow Selection Process on 252 a single flow of its input. The Flow Selector can make use of the 253 following information in order to establish whether or not a flow 254 has to be selected or not: 256 (i) the content of the flow record; 258 (ii) any information state related to the flow recording 259 process; 261 (iii) any flow selection state that may be maintained by the 262 Flow Selection Process. 264 4. Flow selection as a function of the IPFIX Exporter 266 Figure 1 shows the IPFIX reference model as defined in [RFC5470], and 267 extends it by introducing the functional components where flow 268 selection can take place. 270 Packet(s) coming in to Observation Point(s) 271 | | 272 v v 273 +----------------+---------------------------+ +-----+-------+ 274 | Metering Process on an | | | 275 | Observation Point | | | 276 | | | | 277 | packet header capturing | | | 278 | | |...| Metering | 279 | timestamping | | Process N | 280 | | | | | 281 | packet selection | | | 282 | | | | | 283 | classification | | | 284 | | | | | 285 | flow state dependent packet sampling (*) | | | 286 | | | | | 287 | aggregation | | | 288 | | | | | 289 | flow recording (*) | | | 290 | | | | | 291 | | Timing out Flows | | | 292 | | Handle resource overloads | | | 293 +--------|-----------------------------------+ +-----|-------+ 294 | | 295 Flow Records (selected by Observation Domain) Flow Records 296 | | 297 +----------------------+----------------------+ 298 | 299 +----------------------|---------------+ 300 | Export Process v | 301 | +---------------+-----------+ | 302 | | flow export (*) | | 303 | +---------------+-----------+ | 304 | | | 305 +----------------------+---------------+ 306 | 307 v 308 IPFIX export packet to Collector 310 (*) indicates where flow selection can take place. 312 Figure 1: Flow selection as a function of the IPFIX Exporter 314 In contrast to packet selection, flow selection is always applied 315 after the packets are classified into flows. Flows can be selected 316 at different stages of the measurement chain: 318 1. during metering [RFC5475]; 320 2. during flow recording; 322 3. during flow export. 324 4.1. Flow selection in the metering process 326 The main reason for applying flow selection during the metering 327 process is that the Flow Recording Process may not have, at a certain 328 point in time, enough memory and processing resources to record and 329 manage all observable flows. Further the measurement application may 330 only be interested in certain flows, depending on Flow properties 331 (e.g. flow key, flow duration, flow size). 333 Therefore a number of policies can be applied during the metering 334 process, the more simpler ones being to discard packets of 335 uninteresting flows or to discard new packets which cannot be 336 assigned to existing flow records. More complex policies are 337 applicable, mainly aimed at detecting the so called elephant flows, 338 so as to prioritize flows carrying a higher traffic volume in the 339 Flow Recording Process. For instance, [EsVa01] proposes criteria to 340 define a packet as eligible to create a new flow record (sample and 341 hold, multistage filters). 343 Regardless of specific algorithms, we are concerned about identifying 344 what information on the flow state dependent packet sampling is worth 345 keeping and making available to applications (by exporting it out of 346 an IPFIX device). An option could be to keep a cumulative counter of 347 the total number of packets and bytes that were not taken into 348 account for measurement purposes because of flow state dependent 349 sampling. Furthermore, it is possible to keep a timestamp for the 350 first and last of these discarded packets. In practice, this implies 351 aggregating all these packets in a single macro flow, and keeping 352 track of its volume and duration. Storing more detailed information 353 about packets which have not been measured because of flow state 354 dependent sampling would contradict the fact that the sampling is 355 done because of lack of memory and/or processing resources. 357 4.2. Flow selection in the Flow Recording Process 359 Within the Metering Process the flow selection during the Flow 360 Recording Process has a special role. The Flow Recording Process can 361 use memory information to derive if a packet which would create a new 362 flow record should be discarded or not. Under certain circumstances, 363 it may be advantageous to discard an existing flow record during the 364 flow recording process in order to make room for a new one which has 365 been created upon arrival of a new packet. For example, an algorithm 366 to make the decision whether to discard a new incoming packet or an 367 existing flow record is described in [Moli03]. 369 In this section we focus on the selection of the information to be 370 stored regarding the record removal rather than on the details of the 371 decision making algorithm. For the reasons we mentioned above, it 372 does not make sense to store separate information for each discarded 373 flow record, as it would contradict the motivation why discarding is 374 done (i.e. lack of memory resources). The information that can be 375 kept with a limited overhead is the cumulative counter of the total 376 number of not yet exported packets and bytes belonging to flow 377 records that were removed during the Flow Recording Process. 379 Ideally, we MAY keep also a timestamp for the first (T_fd) and last 380 (T_ld) not yet exported packets belonging to every discarded flow 381 record. This would mean aggregating all these packets in a macro 382 flow, and keeping track of its volume and duration. To do so, we 383 would need to maintain a timestamp of the first and last non- 384 exported packets in each flow record. The values of such timestamps 385 would be checked whenever a record is discarded in order to verify 386 whether they are smaller or larger than T_fd and T_ld, respectively. 387 If so, the timestamps would be updated. 389 Another information that MAY be easily maintained is the number of 390 discarding actions, along with the timestamps of the first and last 391 action. This information SHOULD NOT be used by applications to re- 392 normalize the received per flow statistics (because a flow may be 393 discarded and created multiple times), but rather to monitor and 394 control the performance of the implemented policy. Note that we take 395 into account a discarding event only when the discarded flow record 396 contains data about traffic which has not been exported. 397 Differently, the removal of a record whose traffic was exported 398 (either after a timeout or after the arrival of specific packets, 399 e.g. TCP FIN or RST) is part of the normal operation of an IPFIX 400 flow metering system. Note also that we consider only the case when 401 the elimination of a flow record during the Flow Recording Process 402 leads to the complete loss of all the information contained in the 403 flow record itself. 405 The implementation of a different policy, such as immediate export of 406 the flow record before elimination, or freezing of the flow record 407 and moving it to another area of memory for later exporting, is not 408 considered as an elimination and therefore it is out of the scope of 409 this document. 411 Along with the information about the number of discarded flow records 412 and associated packets and bytes, it is useful to keep cumulative 413 information about the number of flow records containing not yet 414 exported traffic and being currently handled by the Flow Recording 415 Process. Another information worth keeping is the cumulative number 416 of not exported packets and bytes contained in them. 418 4.3. Flow selection during the export process 420 The export process may implement policies for exporting only a subset 421 of the flow records which have been stored in the system memory. The 422 decision to export only a subset of the flow records can be motivated 423 by the existence of an explicit policy which filters out the flow 424 records to be exported. An example of such a policy could be to 425 export only the flow records associated to flows whose accounted 426 traffic is below a certain threshold, or to implement a more complex 427 mechanism such as the one described in [DuLT01a] or [DuLT01b]. 429 Another motivation which might bring to the export of a subset of 430 stored flow records is resource limitation. For example, the export 431 process has been assigned a limited time slot to operate or it 432 exports only a predefined number of packets. Hybrid cases can happen 433 where the export of a subset of the flow records is motivated by the 434 co-existence of resource limitations and ad-hoc policies which are 435 applied in order to optimize the export process. For example, given 436 that the export process applies to a subset of the flow records, such 437 subset is selected so that the overall number of exported packets and 438 bytes belonging to the subset is maximized. 440 Selecting flow records during the export process raises the issue of 441 identifying the information which is worth keeping about the flow 442 selection process. Two different scenarios cab be envisaged. If a 443 flow record is not exported and then it does not feed the Flow 444 Recording Process, the scenario is the same as when the deletion of 445 the flow record is caused by the need to make room to another record. 446 The metrics to be kept are cumulative packets and bytes associated 447 with non-exported flow records, timestamps of the first and last 448 packets belonging to non-exported flow records, counter of dropping 449 events and timestamps of first and last dropping event. 451 If a record eligible for exporting is not exported and it enters the 452 Flow Recording Process it has a chance of being exported in the 453 future. It would be beneficial for an application to get 454 information, in terms of number of generated packets and bytes, about 455 the flow records which are not being exported due to the existence of 456 exporting policies and/or resource limitations. This is intended to 457 make it possible to detect potential pathologic conditions, like the 458 missed export of a large number of flow records and/or associated 459 traffic, or the growing number of flow records being involved in the 460 Flow Recording Process. 462 The selection of the flow records to be exported implies performing a 463 complete scanning of the memory area where flow information is 464 stored, thus jeopardizing the efficiency of the overall export 465 process. For this reason, flow export protocol specification does 466 not include flow selection during the Flow Recording Process as a 467 mandatory function even if the information model has been designed to 468 enable such function. 470 5. Flow selection as a function of the IPFIX Mediator 472 As shown in Figure 2, flow selection can be performed as an 473 intermediate process within an IPFIX Mediator [IPFIX-MED]. This 474 process selects the flow records from a sequence which meet pre- 475 defined criteria and exports these flow records to an IPFIX 476 Collector. This selection function can be seen as a more fine- 477 grained process with respect to the selection performed by an 478 Exporter. In other terms, the criteria used to drive the selection 479 process on an IPFIX Mediator might be applied to the set of flow 480 records coming from the Exporter, thus triggering a further flow 481 selection process. 483 Packet(s) coming in to Observation Point(s) 484 | 485 IPFIX Original | 486 Exporter v 487 +------------------+-------------------+ 488 | | 489 | Metering Process on an | 490 | Observation Point | 491 | | | 492 | Flow metering and selection | 493 | | | 494 | Flow recording and selection | 495 | | | 496 | Flow export and selection | 497 | | | 498 +------------------+-------------------+ 499 | 500 v 501 Flow Records (selected by Observation Domain) 502 | 503 IPFIX Mediator v 504 +------------------+-------------------+ 505 | | 506 | Collecting process | 507 | | | 508 | Flow selection (*) | 509 | | | 510 | Export process | 511 | | | 512 +------------------+-------------------+ 513 | 514 v 515 Flow Records 517 Figure 2: Flow selection as a function of the IPFIX Mediator 519 As an example, if an IPFIX Mediator interacts with a set of IPFIX 520 Collectors, flow records arriving at the IPFIX Mediator might be 521 selected based on the IPFIX Collector requesting flow information. 522 As described in previous sections, flow selection can take place 523 during metering, recording, and export processes of an Exporter 524 depending on the policies which are implemented to meet application 525 requirements. In case flow selection is performed at Mediator's 526 level, we envisage the use of flow selection techniques as a step of 527 the export process aimed to identify the flow records to be exported 528 among those stored in the system's memory. This is because the 529 lighter is the Intermediate Selection Process, the better is the 530 performance of the mediation framework. 532 6. Flow selection techniques 534 We can distinguish the following selection techniques: 536 1. based on flow record content (i.e. all reported flow 537 characteristics); 539 2. based on flow record arrival time; 541 3. based on external events like the exhaustion of local resources. 543 6.1. Flow selection based on flow record content 545 Flow selection can be done based on fields in an IPFIX flow record. 546 This can be done similarly to field match filtering for packet 547 selection described in [RFC5475]. The difference is that instead of 548 packet fields flow record fields are here used to drive the selection 549 decision. An example would be to select flow records based on 550 parameters like the flow size in bytes or the number of packets. 551 Another application would be to select flow records based on either 552 flow start time or flow keys (IP addresses, ports) of the stored flow 553 record. 555 6.2. Flow selection based on flow record arrival time or sequence 557 Flow records can be selected based on their arrival time at the 558 export process. An example would be to select a number of flow 559 records during certain time intervals. Another option is to select 560 flow records based on the order they arrive at the export process. 561 In such case, one can either periodically select the k-th records or 562 select randomly a set of flow records. 564 6.3. Flow selection on external events 566 The selection of flow records can be also triggered by external 567 events. An example would be to activate flow selection based on the 568 value of a router state parameter like the number of entries in the 569 flow cache. 571 7. Information model for flow selection information export 573 In this section we define the elements devoted to containing the 574 information described in the previous sections. Some elements have 575 been associated with a pair of timestamps, which are referred to as 576 element_nameTsFirst and element_nameTsLast. We would like to point 577 out that only packet or flow related counts have associated 578 timestamps, while bytes related counts do not. The reason is that 579 element_nameTsFirst and element_nameTsLast are referred to the 580 timestamp of the first and last received packets belonging to not 581 exported flows, while timestamp is meanliness with regard to bytes 582 information. 584 Note that all the following information elements are aimed at 585 describing macro flows parameters (e.g. the total number of packets 586 and bytes contained in all dropped or not created flow records). 587 Some of these macro flows parameters are additive, in the sense that 588 it is only possible to add contributions to them, but never subtract 589 some amount. For example, the macro flow of the packets contained in 590 flow records that are discarded from the flow reporting process 591 receives an addition when a flow record is discarded, and this 592 addition can never be subtracted. On the other side, some macro flow 593 parameters can dynamically receive and loose additions. For example, 594 the macro flows of packets not yet exported receives an addition when 595 a new packet arrives, and looses addition as an export event takes 596 place. Associating a timestamp to the oldest and most recent 597 additions in case of additive flows is an easy task, while it is 598 complicated for the others (it would require to maintain full state 599 information) and that is why we did not define timestamps for these 600 information elements. 602 The information elements herein introduced are defined in accordance 603 with the IPFIX information model [RFC5102]. Furthermore, the data 604 types used to represent the Flow Selection-related information 605 elements are those defined in section 3.1 of the IPFIX information 606 model [RFC 2051]. 608 List of additional Flow Selection information elements: 610 +-------+---------------------------------------+ 611 | ID | Name | 612 +-------+---------------------------------------+ 613 | TBD1 | fsNotMetPacketTsFirst | 614 +-------+---------------------------------------+ 615 | TBD2 | fsNotMetPacketTsLast | 616 +-------+---------------------------------------+ 617 | TBD3 | fsNotMetBytesCount | 618 +-------+---------------------------------------+ 619 | TBD4 | fsNotExpPacketDroppedRecPrTsFirst | 620 +-------+---------------------------------------+ 621 | TBD5 | fsNotExpPacketDroppedRecPrTsLast | 622 +-------+---------------------------------------+ 623 | TBD6 | fsNotExpByteInDroppedRecPrCount | 624 +-------+---------------------------------------+ 625 | TBD7 | fsFlowRecDroppedRecPrTsFirst | 626 +-------+---------------------------------------+ 627 | TBD8 | fsFlowRecDroppedRecPrTsLast | 628 +-------+---------------------------------------+ 629 | TBD9 | fsFlowRecNotExpRecPrCount | 630 +-------+---------------------------------------+ 631 | TBD10 | fsPacketNotExpRecPrCount | 632 +-------+---------------------------------------+ 633 | TBD11 | fsBytesNotExpRecPrCount | 634 +-------+---------------------------------------+ 635 | TBD12 | fsPacketNotExpInDroppedFlowRecTsFirst | 636 +-------+---------------------------------------+ 637 | TBD13 | fsPacketNotExpInDroppedFlowRecTsLast | 638 +-------+---------------------------------------+ 639 | TBD14 | fsBytesNotExpInDroppedFlowRecCount | 640 +-------+---------------------------------------+ 641 | TBD15 | fsFlowRecDroppedExpPrTsFirst | 642 +-------+---------------------------------------+ 643 | TBD16 | fsFlowRecDroppedExpPrTsLast | 644 +-------+---------------------------------------+ 645 | TBD17 | fsFlowRecNotExpCount | 646 +-------+---------------------------------------+ 647 | TBD18 | fsPacketNotExpCount | 648 +-------+---------------------------------------+ 649 | TBD19 | fsBytesNotExpCount | 650 +-------+---------------------------------------+ 652 7.1. Meter process related (TBD1-TBD3) 654 Information Elements presented in this section are related to Flow 655 Selection performed during the Metering Process. 657 +------+-----------------------+ 658 | ID | Name | 659 +------+-----------------------+ 660 | TBD1 | fsNotMetPacketTsFirst | 661 +------+-----------------------+ 662 | TBD2 | fsNotMetPacketTsLast | 663 +------+-----------------------+ 664 | TBD3 | fsNotMetBytesCount | 665 +------+-----------------------+ 667 7.1.1. fsNotMetPacketTsFirst 669 Description: 671 Specifies the timestamp of the first packet not metered because of 672 the use of the flow state dependent sampling. Together with the 673 IE fsMeterUnmeasPacketCountTsLast it allows to evaluate the count 674 of packets that were not metered by the Metering Process because 675 of the use of the flow sampling. 677 Abstract Data Type: dateTimeSeconds 679 ElementId: TBD1 681 Status: Proposed 683 Units: seconds 685 7.1.2. fsNotMetPacketTsLast 687 Description: 689 Specifies the timestamp of the last packet not metered because of 690 the use of the flow state dependent sampling. Together with the 691 IE fsMeterUnmeasPacketCountTsFirst it allows to evaluate the count 692 of packets that were not metered by the Metering Process because 693 of the use of the flow sampling. 695 Abstract Data Type: dateTimeSeconds 697 ElementId: TBD2 699 Status: Proposed 701 Units: seconds 703 7.1.3. fsNotMetBytesCount 705 Description: 707 This Information Element specifies the count of bytes that were 708 not metered by the Metering Process because of the use of the flow 709 state dependent sampling. 711 Abstract Data Type: unsigned64 713 Data Type Semantics: deltaCounter 715 ElementId: TBD3 717 Status: Proposed 719 Units: bytes 721 7.2. Flow Recording Process related (TBD4-TBD11) 723 Information Elements presented in this section are related to Flow 724 Selection performed during the Flow Recording Process. 726 +-------+-----------------------------------+ 727 | ID | Name | 728 +-------+-----------------------------------+ 729 | TBD4 | fsNotExpPacketDroppedRecPrTsFirst | 730 +-------+-----------------------------------+ 731 | TBD5 | fsNotExpPacketDroppedRecPrTsLast | 732 +-------+-----------------------------------+ 733 | TBD6 | fsNotExpByteInDroppedRecPrCount | 734 +-------+-----------------------------------+ 735 | TBD7 | fsFlowRecDroppedRecPrTsFirst | 736 +-------+-----------------------------------+ 737 | TBD8 | fsFlowRecDroppedRecPrTsLast | 738 +-------+-----------------------------------+ 739 | TBD9 | fsFlowRecNotExpRecPrCount | 740 +-------+-----------------------------------+ 741 | TBD10 | fsPacketNotExpRecPrCount | 742 +-------+-----------------------------------+ 743 | TBD11 | fsBytesNotExpRecPrCount | 744 +-------+-----------------------------------+ 746 7.2.1. fsNotExpPacketDroppedRecPrTsFirst 748 Description: 750 Specifies the timestamp of the first non-exported packet that was 751 contained in the flow records eliminated from the Flow Recording 752 Process because of resource limitations/policies in the Flow 753 Recording Process. 755 Abstract Data Type: dateTimeSeconds 757 ElementId: TBD4 759 Status: Proposed 761 Units: seconds 763 7.2.2. fsNotExpPacketDroppedRecPrTsLast 765 Description: 767 Specifies the timestamp of the last non-exported packet that was 768 contained in the flow records eliminated from the Flow Recording 769 Process because of resource limitations/policies in the Flow 770 Recording Process. 772 Abstract Data Type: dateTimeSeconds 774 ElementId: TBD5 776 Status: Proposed 778 Units: seconds 780 7.2.3. fsNotExpByteInDroppedRecPrCount 782 Description: 784 This Information Element specifies the count of the non-exported 785 bytes that were contained in the flow records eliminated from the 786 Flow Recording Process because of resource limitations/policies in 787 the Flow Recording Process. 789 Abstract Data Type: unsigned64 791 Abstract Data Type: deltaCounter 793 ElementId: TBD6 795 Status: Proposed 797 Units: bytes 799 7.2.4. fsFlowRecDroppedRecPrTsFirst 801 Description: 803 Specifies the timestamp of the first flow record elimination event 804 occurring during the Flow Recording Process. Together with the IE 805 fsFlowRecDroppedRecPrTsLast it allows to estimate the count of 806 flow records containing non-exported packets eliminated from the 807 Flow Recording Process because of resources limitations/policies 808 in the Flow Recording Process. 810 Abstract Data Type: dateTimeSeconds 812 ElementId: TBD7 814 Status: Proposed 816 Units: seconds 818 7.2.5. fsFlowRecDroppedRecPrTsLast 820 Description: 822 Specifies the timestamp of the last flow record elimination event 823 occurring during the Flow Recording Process. Together with the IE 824 fsFlowRecDroppedRecPrTsFirst it allows to estimate the count of 825 flow records containing non-exported packets eliminated from the 826 Flow Recording Process because of resources limitations/policies 827 in the Flow Recording Process. 829 Abstract Data Type: dateTimeSeconds 831 ElementId: TBD8 833 Status: Proposed 835 Units: seconds 837 7.2.6. fsFlowRecNotExpRecPrCount 839 Description: 841 This Information Element specifies the count of the flow records 842 currently existing in the Flow Recording Process containing at 843 least one non-exported packet. 845 Abstract Data Type: unsigned32 846 Data Type Semantics: deltaCounter 848 ElementId: TBD9 850 Status: Proposed 852 Units: flow records 854 7.2.7. fsPacketNotExpRecPrCount 856 Description: 858 This Information Element specifies the count of non-exported 859 packets contained in flow records of the Flow Recording Process. 861 Abstract Data Type: unsigned32 863 Data Type Semantics: deltaCounter 865 ElementId: TBD10 867 Status: Proposed 869 Units: packets 871 7.2.8. fsBytesNotExpRecPrCount 873 Description: 875 This Information Element specifies the count of non-exported bytes 876 contained in flow records of the Flow Recording Process. 878 Abstract Data Type: dateTimeSeconds 880 Data Type Semantics: deltaCounter 882 ElementId: TBD11 884 Status: Proposed 886 Units: bytes 888 7.3. Flow export process related (TBD12-TBD19) 890 Information Elements presented in this section are related to Flow 891 Selection performed during the Flow Export Process. 893 +-------+---------------------------------------+ 894 | ID | Name | 895 +-------+---------------------------------------+ 896 | TBD12 | fsPacketNotExpInDroppedFlowRecTsFirst | 897 +-------+---------------------------------------+ 898 | TBD13 | fsPacketNotExpInDroppedFlowRecTsLast | 899 +-------+---------------------------------------+ 900 | TBD14 | fsBytesNotExpInDroppedFlowRecCount | 901 +-------+---------------------------------------+ 902 | TBD15 | fsFlowRecDroppedExpPrTsFirst | 903 +-------+---------------------------------------+ 904 | TBD16 | fsFlowRecDroppedExpPrTsLast | 905 +-------+---------------------------------------+ 906 | TBD17 | fsFlowRecNotExpCount | 907 +-------+---------------------------------------+ 908 | TBD18 | fsPacketNotExpCount | 909 +-------+---------------------------------------+ 910 | TBD19 | fsBytesNotExpCount | 911 +-------+---------------------------------------+ 913 7.3.1. fsPacketNotExpInDroppedFlowRecTsFirst 915 Description: 917 Specifies the timestamp of the first non-exported packet belonging 918 to an eliminated flow record. Together with the IE 919 fsPacketNotExpInDroppedFlowRecTsLast it allows to estimate the 920 count of non-exported packets that were contained in the flow 921 records eliminated from the Flow Recording Process because of 922 resource limitations/policies in the export process. 924 Abstract Data Type: dateTimeSeconds 926 ElementId: TBD12 928 Status: Proposed 930 Units: seconds 932 7.3.2. fsPacketNotExpInDroppedFlowRecTsLast 934 Description: 936 Specifies the timestamp of the last non-exported packet belonging 937 to an eliminated flow record. Together with the IE 938 fsPacketNotExpInDroppedFlowRecTsFirst it allows to estimate the 939 count of non-exported packets that were contained in the flow 940 records eliminated from the Flow Recording Process because of 941 resource limitations/policies in the export process. 943 Abstract Data Type: unsigned64 945 ElementId: TBD13 947 Status: Proposed 949 Units: bytes 951 7.3.3. fsBytesNotExpInDroppedFlowRecCount 953 Description: 955 This Information Element specifies the count of non-exported bytes 956 that were contained in the flow records eliminated from the Flow 957 Recording Process because of resource limitations/policies in the 958 export process. 960 Abstract Data Type: unsigned32 962 Data Type Semantics: deltaCounter 964 ElementId: TBD14 966 Status: Proposed 968 Units: bytes 970 7.3.4. fsFlowRecDroppedExpPrTsFirst 972 Description: 974 Specifies the timestamp of the first flow record elimination event 975 occurring during the Flow Recording Process. Together with the IE 976 fsFlowRecDroppedExpPrTsLast it allows to estimate the count of 977 flow records containing non-exported packets eliminated from the 978 Flow Recording Process because of resource limitations/policies in 979 the export process. 981 Abstract Data Type: dateTimeSeconds 983 ElementId: TBD15 985 Status: Proposed 987 Units: seconds 989 7.3.5. fsFlowRecDroppedExpPrTsLast 991 Description: 993 Specifies the timestamp of the last flow record elimination event 994 occurring during the Flow Recording Process. Together with the IE 995 fsFlowRecDroppedExpPrTsFirst it allows to estimate the count of 996 flow records containing non-exported packets eliminated from the 997 Flow Recording Process because of resource limitations/policies in 998 the export process. 1000 Abstract Data Type: dateTimeSeconds 1002 ElementId: TBD16 1004 Status: Proposed 1006 Units: seconds 1008 7.3.6. fsFlowRecNotExpCount 1010 Description: 1012 This Information Element specifies the count of the flow records 1013 currently existing in the Flow Recording Process, containing non- 1014 exported traffic and not being exported because of exporting 1015 process resource limitations/policies. 1017 Abstract Data Type: unsigned32 1019 Data Type Semantics: deltaCounter 1021 ElementId: TBD17 1023 Status: Proposed 1025 Units: flow records 1027 7.3.7. fsPacketNotExpCount 1029 Description: 1031 This Information Element specifies the count of non-exported 1032 packets contained in the flow records of the Flow Recording 1033 Process not being exported because of exporting process resource 1034 limitations/policies. 1036 Abstract Data Type: unsigned32 1037 Data Type Semantics: deltaCounter 1039 ElementId: TBD18 1041 Status: Proposed 1043 Units: packets 1045 7.3.8. fsBytesNotExpCount 1047 Description: 1049 This Information Element specifies the count of non-exported bytes 1050 contained in the flow records of the Flow Recording Process not 1051 being exported because of exporting process resource limitations/ 1052 policies. 1054 Abstract Data Type: unsigned64 1056 Data Type Semantics: deltaCounter 1058 ElementId: TBD19 1060 Status: Proposed 1062 Units: bytes 1064 8. Implementation requirements 1066 In order to implement the described information model counters for 1067 non-exported packets and bytes have to be inserted in the flow 1068 records as flow metrics. Sometimes these counters are referred to as 1069 delta counts. An implementation may also keep absolute counts for 1070 purposes not being specified in this information model (both delta 1071 and absolute counters can be exported in the IPFIX information model, 1072 see [RFC5102]). In addition, to fully support this information 1073 model, it would be REQUIRED to keep in a flow record the timestamps 1074 of the first and last non-exported packets. An implementation may 1075 need to keep timestamps of the first and last exported packets for 1076 other purposes than those of this information model, or to join the 1077 two timers for the last exported and first exported packets, or even 1078 to approximate them with the time of the export event. 1080 9. Information Model for Configuration of Flow Selection Techniques 1082 This section aims at describing the representative parameters of the 1083 flow selection techniques presented above. To this regard, it 1084 provides the basis of an information model to be adopted in order to 1085 configure the flow selection process within an IPFIX device. The 1086 information elements herein introduced are defined in accordance with 1087 the IPFIX information model [RFC5102].. Furthermore, the data types 1088 used to represent the Flow Selection-related information elements are 1089 those defined in section 3.1 of the IPFIX information model [RFC 1090 2051]. 1092 List of Flow Selection information elements: 1094 +-------+-------------------------+-------+-----------------------+ 1095 | ID | Name | ID | Name | 1096 +-------+-------------------------+-------+-----------------------+ 1097 | 304 | flowSelectorMethod | TBD21 | flowRecordPacketsSize | 1098 +-------+-------------------------+-------+-----------------------+ 1099 | TBD22 | flowMaxAdmitFlowRecords | TBD23 | flowInactivityTime | 1100 +-------+-------------------------+-------+-----------------------+ 1101 | TBD24 | flowRecordBytesSize | | | 1102 +-------+-------------------------+-------+-----------------------+ 1104 9.1. flowSelectorMethod 1106 Description: 1108 This Information Element identifies the flow selection method that 1109 is applied by the Flow Selection process, in accordance with what 1110 is described in section 5 of this document. 1112 Some of these methods may have parameters in order to fully 1113 support the selected technique. For that reason, further 1114 Information Elements are defined in the following subsections. 1116 Flow selection methods identifiers are herein defined: 1118 +----+-------------------+------------------------------------------+ 1119 | ID | Method | Parameters | 1120 +----+-------------------+------------------------------------------+ 1121 | 1 | Selection based | flowMaxAdmitFlowRecords | 1122 | | on flow size | flowRecordBytesSize | 1123 | | count | flowRecordPacketsSize | 1124 +----+-------------------+------------------------------------------+ 1125 | 2 | Selection based | flowMaxAdmitFlowRecords ipVersion | 1126 | | on flow content | sourceIPv4Address destinationIPv4Address | 1127 | | property match | sourceIPv6Address destinationIPv6Address | 1128 | | | flowDestinationPort | 1129 +----+-------------------+------------------------------------------+ 1130 +----+-------------------+------------------------------------------+ 1131 | 3 | Selection based | flowMaxAdmitFlowRecords | 1132 | | on flow record | flowInactivityTime | 1133 | | arrival time or | | 1134 | | sequence | | 1135 +----+-------------------+------------------------------------------+ 1136 | 4 | Selection based | flowMaxAdmitFlowRecords | 1137 | | on external | | 1138 | | events | | 1139 +----+-------------------+------------------------------------------+ 1141 Abstract Data Type: selectorAlgorithm 1143 Data Type Semantics: identifier 1145 ElementId: 304 1147 Status: current 1149 9.2. flowMaxAdmitFlowRecords 1151 Description: 1153 This Information Element specifies the maximum number of eligible 1154 flow records which might be created in the flow cache. It is used 1155 by the Selector Process in order to identify the time when flow 1156 selection should be triggered. A value of 0 means that the Flow 1157 Selection State related to the memory space available for flow 1158 recording MUST be used to estimate the max flow cache size. 1160 For example, this Information Element MAY be used to set the 1161 configuration of a flow size count Flow Selector. 1163 Abstract Data Type: unsigned32 1165 Data Type Semantics: quantity 1167 ElementId: TBD21 1169 Status: Proposed 1171 Units: flow records 1173 9.3. flowRecordBytesSize 1175 Description: 1177 This Information Element specifies the minimum number of bytes 1178 contained in a flow record to be considered as not eligible for 1179 removal. It MAY be used for elephant flows identification. 1181 For example, this Information Element MAY be used to describe the 1182 configuration of a flow size count Flow Selector. 1184 Abstract Data Type: unsigned64 1186 Data Type Semantics: quantity 1188 ElementId: TBD22 1190 Status: Proposed 1192 Units: bytes 1194 9.4. flowRecordPacketsSize 1196 Description: 1198 This Information Element specifies the minimum number of packets 1199 contained in a flow record to be considered as not eligible for 1200 removal. It MAY be used for elephant flows identification. 1202 For example, this Information Element MAY be used to describe the 1203 configuration of a flow size count Flow Selector. 1205 Abstract Data Type: unsigned32 1207 Data Type Semantics: quantity 1209 ElementId: TBD23 1211 Status: Proposed 1213 Units: packets 1215 9.5. flowInactivityTime 1217 Description: 1219 This Information Element specifies the time interval in 1220 microseconds during which the corresponding flow record MAY be 1221 considered as still active. It is used by the metering process 1222 and/or the flow recording process in order to make the decision on 1223 whether to discard an existing flow to make room for a new one. 1225 For example, this Information Element MAY be used to describe the 1226 configuration of a flow arrival time Flow Selector. 1228 Abstract Data Type: dateTimeMicroseconds 1230 Data Type Semantics: quantity 1232 ElementId: TBD24 1234 Status: Proposed 1236 Units: microseconds 1238 9.6. ipVersion 1240 Description: 1242 The IP version field in the IP packet header. 1244 Abstract Data Type: unsigned8 1246 Data Type Semantics: identifier 1248 ElementId: 60 1250 Status: current 1252 9.7. sourceIPv4Address 1254 Description: 1256 The IPv4 source address in the IP packet header. 1258 Abstract Data Type: ipv4Address 1260 Data Type Semantics: identifier 1262 ElementId:8 1264 Status: current 1266 9.8. destinationIPv4Address 1268 Description: 1270 The IPv4 destination address in the IP packet header. 1272 Abstract Data Type: ipv4Address 1273 Data Type Semantics: identifier 1275 ElementId:12 1277 Status: current 1279 9.9. sourceIPv6Address 1281 Description: 1283 The IPv6 source address in the IP packet header. 1285 Abstract Data Type: ipv6Address 1287 Data Type Semantics: identifier 1289 ElementId:27 1291 Status: current 1293 9.10. destinationIPv6Address 1295 Description: 1297 The IPv6 destination address in the IP packet header. 1299 Abstract Data Type: ipv6Address 1301 Data Type Semantics: identifier 1303 ElementId:28 1305 Status: current 1307 10. IANA Considerations 1309 This document introduces several new information elements as an 1310 extension to the IPFIX information model. Values TBD1-TBD19 in this 1311 document should be replaced with the assigned numbers by IANA. 1313 11. Security Considerations 1315 In this section security issues concerning an IPFIX device performing 1316 flow selection are pointed out. In case the flow selection function 1317 is activated an IPFIX device might be exposed to security threats. 1318 Since flow selection implies analysing flow packets, associating them 1319 to a specific traffic flow and selecting flow records, a malicious 1320 user who was able to gain control of an IPFIX device might access 1321 both packet and flow data, thus violating their confidentiality. 1323 Furthermore, the intruder might be attracted by the possibility of 1324 altering the flow selection process by modifying the criteria used to 1325 select flow records. In this case, the IPFIX device would export 1326 flow data which are different from the ones that the Collector 1327 expects to receive. 1329 It is apparent that these security threats can be mitigated by 1330 authenticating entities that interact with the IPFIX device and 1331 keeping information for flow selection configuration confidential. 1333 12. References 1335 12.1. Normative References 1337 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1338 Requirement Levels", BCP 14, RFC 2119, March 1997. 1340 12.2. Informative References 1342 [DuLT01a] Duffield, N., Lund, C., and M. Thorup, "Charging from 1343 Sampled Network Usage", ACM Internet Measurement Workshop 1344 IMW 2001, San Francisco, USA, November 2001. 1346 [DuLT01b] Duffield, N., Lund, C., and M. Thorup, "Properties and 1347 Prediction of Flow Statistics from Sampled Packet 1348 Streams", ACM SIGCOMM Internet Measurement Workshop 2002, 1349 November 2002. 1351 [EsVa01] Estan, C. and G,. Varghese, "New Directions in Traffic 1352 Measurement and Accounting: Focusing on the Elephants, 1353 Ignoring the Mice", ACM SIGCOMM Internet Measurement 1354 Workshop 2001, San Francisco (CA), November 2001. 1356 [IPFIX-MED] 1357 Kobayashi, A., Claise, B., Muenz, G., and K. Ishibashi, 1358 "IPFIX Mediation: Framework", Internet 1359 Draft draft-ietf-ipfix-mediators-framework-09, 1360 October 2010. 1362 [KuXW04] Kumar, K., Xu, J., Wang, J., Spatschek, O., and L. Li, 1363 "Space-code bloom filter for efficient per-flow traffic 1364 measurement", INFOCOM 2004 Twenty-third AnnualJoint 1365 Conference of the IEEE Computer and Communications 1366 Societies, March 2004. 1368 [Moli03] Molina, M., "A scalable and efficient methodology for flow 1369 monitoring in the Internet", International Teletraffic 1370 Congress (ITC-18), Berlin, September 2003. 1372 [RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, 1373 "Requirements for IP Flow Information Export", 1374 RFC3917 Requirements for IP Flow Information Export 1375 (IPFIX), July 2008. 1377 [RFC5101] Claise, B., "Specification of the IP Flow Information 1378 Export (IPFIX) Protocol for the Exchange of IP Traffic 1379 Flow Information", RFC5101 Specification of the IP Flow 1380 Information Export (IPFIX) Protocol for the Exchange of IP 1381 Traffic Flow Information, January 2008. 1383 [RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. 1384 Meyer, "Information Model for IP Flow Information Export", 1385 RFC 5102, January 2008. 1387 [RFC5470] Sadasivan, G., Bownlee, N., Claise, B., and J. Quittek, 1388 "Architecture for IP Flow Information Export", 1389 RFC5470 Architecture for IP Flow Information Export, 1390 September 2006. 1392 [RFC5475] Zseby, T., Molina, M., Raspall, F., Duffield, N., and S. 1393 Niccolini, "Sampling and Filtering techniques for IP 1394 Packet Selection", RFC5475 Sampling and Filtering 1395 techniques for IP Packet Selection, July 2008. 1397 [RFC5476] Claise, B., Johnson, A., and B. Claise, "Packet Sampling 1398 (PSAMP) Protocol Specifications", RFC5476 Packet Sampling 1399 (PSAMP) Protocol Specifications (IPFIX), March 2009. 1401 Authors' Addresses 1403 Lorenzo Peluso 1404 University of Napoli 1405 Via Claudio 21 1406 Napoli 80125 1407 Italy 1409 Phone: +39 081 7683821 1410 Email: lorenzo.peluso@unina.it 1411 Tanja Zseby 1412 Fraunhofer Institute FOKUS 1413 Kaiserin-Augusta-Allee 31 1414 Berlin 10589 1415 Germany 1417 Phone: +49 30 3463 7153 1418 Email: tanja.zseby@fokus.fraunhofer.de 1420 Salvatore D'Antonio 1421 CINI Consortium/University of Napoli "Parthenope" 1422 Monte S.Angelo, Via Cinthia 1423 Napoli 80126 1424 Italy 1426 Phone: +39 081 679944 1427 Email: salvatore.dantonio@uniparthenope.it 1429 Christian Henke 1430 Fraunhofer Institute FOKUS 1431 Kaiserin-Augusta-Allee 31 1432 Berlin 10589 1433 Germany 1435 Phone: +49 30 3463 7366 1436 Email: christian.henke@fokus.fraunhofer.de