IPFIX Working Group                                          A. Kobayashi
Internet-Draft                                                H. Nishida
Intended status: Informational                               NTT PF Lab.
Expires: August 15, 2009                                       B. Claise
                                                           Cisco Systems
                                                       February 11, 2009


                       IPFIX Mediation: Framework
                draft-ietf-ipfix-mediators-framework-02

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 15, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Abstract

   This document describes a framework for IPFIX Mediation.  This
   framework details the IPFIX Mediation reference model and the
   components of an IPFIX Mediator.

Table of Contents

   1.  Introduction
   2.  Terminology and Definition
   3.  IPFIX/PSAMP Documents Overview
     3.1.  IPFIX Documents Overview
     3.2.  PSAMP Documents Overview
   4.  IPFIX Mediation Reference Model
   5.  IPFIX Mediation Functional and Logical Blocks
     5.1.  Collecting Process
     5.2.  Exporting Process
     5.3.  Intermediate Process
       5.3.1.  Selection Function
       5.3.2.  Aggregation Function
       5.3.3.  Correlation Function
       5.3.4.  Modification Function
     5.4.  IPFIX File Writer/Reader
     5.5.  Flow Expiration
     5.6.  Information Model
     5.7.  Examples
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Acknowledgements
   Authors' Addresses

1.  Introduction

   IPFIX Mediation has two classes of mediation: context mediation for
   traffic data and transport mediation for transport protocols that do
   not affect content.  Context mediation aggregates, correlates,
   filters, or modifies Data Records.  Transport mediation changes the
   transport protocol that carries IPFIX Messages.  This document
   describes the framework for IPFIX Mediation.  The motivation for the
   IPFIX Mediation standard comes from the need for functional blocks
   supporting IP traffic growth, multifaceted traffic measurement, and a
   heterogeneous environment, as described in detail in
   [I-D.ietf-ipfix-mediator-ps].  The standard specification requires a
   definition of IPFIX Mediation and IPFIX Mediator.

   This document is organized as follows.  Section 2 defines terminology
   related to IPFIX Mediation.  Section 3 describes a high level
   reference model.  Section 4 details the components of the IPFIX
   Mediator.

2.  Terminology and Definition

   The terms in this section are in line with those in the IPFIX
   Protocol specifications [RFC5101] and the PSAMP specification
   document [I-D.ietf-psamp-protocol].  The terms Observation Point,
   Observation Domain, Flow Key, Flow Record, Exporting Process,
   Exporter, IPFIX Device, Collecting Process, Collector, IPFIX Message,
   Metering Process, and Information Element are defined in the IPFIX
   protocol specifications [RFC5101], the term Packet Report is defined
   in the PSAMP specification document [I-D.ietf-psamp-protocol], and
   the terms IPFIX Mediation, IPFIX Mediator, Original Exporter, IPFIX
   Proxy, IPFIX Concentrator, IPFIX Distributor, and IPFIX Masquerading
   Proxy are defined in the IPFIX Mediation problem statement document
   [I-D.ietf-ipfix-mediator-ps].  Additional terms required for the
   IPFIX Mediation are defined here.  All these terms have an initial
   capital letter in this document.

   Intermediate Process

      An Intermediate Process generates new sets of Data Records/
      Template Records from input Data Records/Template Records.

   Mediator Observation Domain

      A Mediator Observation Domain indicates the largest set of
      Observation Points from the viewpoint of a Collector, and a
      Mediator Observation Domain ID is used in an IPFIX Message header,
      such as the Observation Domain ID in [RFC5101].  However, the
      Mediator Observation Domain ID may not indicate the physical
      entity of an Original Exporter.  For example, the value may
      indicate the set of Exporters or set of line cards in an Exporter.
      The Mediator Observation Domain ID is 0 when an IPFIX Masquerading
      Proxy screens out the Mediator Observation Domain ID.

      [Note]
      [RFC5101] mentions that the Observation Domain ID should be 0 when
      no specific Observation Domain ID is relevant for the entire IPFIX
      Message, in the case of a hierarchy of Collectors when aggregated
      Data Records are exported.  However, even in the case of
      aggregation, the IPFIX Mediator can set a meaningful value.  This
      shows the conflict between Observation Domain ID and Mediator
      Observation Domain ID.
   Transport Session Information

      The Transport Session is specified in [RFC5101].  In SCTP, the
      Transport Session Information is the SCTP association.  In TCP and
      UDP, the Transport Session Information corresponds to a 5-tuple
      {Exporter IP address, Collector IP address, Exporter transport
      port, Collector transport port, and transport protocol}.

3.  IPFIX/PSAMP Documents Overview

3.1.  IPFIX Documents Overview

   The IPFIX protocol [RFC5101] provides network administrators with
   access to IP flow information.  The architecture for the export of
   measured IP flow information out of an IPFIX Exporting Process to a
   Collecting Process is defined in [I-D.ietf-ipfix-architecture], per
   the requirements defined in [RFC3917].  The IPFIX protocol [RFC5101]
   specifies how IPFIX Data Records and Templates are carried via a
   number of transport protocols from IPFIX Exporting Processes to IPFIX
   Collecting Processes.  IPFIX has a formal description of IPFIX
   Information Elements, their names, types, and additional semantic
   information, as specified in [RFC5102].  [I-D.ietf-ipfix-mib]
   specifies the IPFIX Management Information Base.  Finally,
   [I-D.ietf-ipfix-as] describes what types of applications can use the
   IPFIX protocol and how they can use the information provided.  It
   furthermore shows how the IPFIX framework relates to other
   architectures and frameworks.  The storage of IPFIX Messages in a
   file is specified in [I-D.ietf-ipfix-file].

3.2.  PSAMP Documents Overview

   The framework for packet selection and reporting
   [I-D.ietf-psamp-framework] enables network elements to select subsets
   of packets by statistical and other methods and to export a stream of
   reports on the selected packets to a Collector.  The set of packet
   selection techniques (sampling, filtering, and hashing) standardized
   by PSAMP is described in [I-D.ietf-psamp-sample-tech].  The PSAMP
   protocol [I-D.ietf-psamp-protocol] specifies the export of packet
   information from a PSAMP Exporting Process to a Collector.  Like
   IPFIX, PSAMP has a formal description of its Information Elements,
   their names, types, and additional semantic information.  The PSAMP
   information model is defined in [I-D.ietf-psamp-info].
   [I-D.ietf-psamp-mib] describes the PSAMP Management Information Base.

4.  IPFIX Mediation Reference Model

   The figure below shows the high-level reference model for IPFIX
   Mediation based on [I-D.ietf-ipfix-architecture].  This figure covers
   the various possible scenarios that can exist in an IPFIX measurement
   system.

   +---------------------------+    +---------------------------+
   | Collector {l}             |    | Collector {k}             |
   |[*Application(s)]          |    |[*Application(s)]          |
   |[Collecting Process(es)]   |....|[Collecting Process(es)]   |
   +---------------------------+    +---------------------------+
          ^       ^                        ^       ^
          |       |                        |       |
          |       +------....--------------+       |
          |                                        |
          IPFIX (Flow Records / Packet Reports)
          |                                        |
   +------+--------------------+    +--------------+------------+
   |IPFIX Mediator {j}         |    |IPFIX Mediator {n}         |
   |[*Application(s)]          |    |[*Application(s)]          |
   |[Exporting Process(es)]    |    |[Exporting Process(es)]    |
   |[Intermediate Process(es)] |....|[Intermediate Process(es)] |
   |[Collecting Process(es)]   |    |[Collecting Process(es)]   |
   +---------------------------+    +---------------------------+
          ^       ^                        ^
          |       |                        |
          |       +------....--------------+
          |
          IPFIX (Flow Records / Packet Reports)
          |                                        |
   +------+--------------------+    +--------------+------------+
   |IPFIX Original Exporter {i}|    |IPFIX Original Exporter {m}|
   |[Exporting Process(es)]    |    |[Exporting Process(es)]    |
   |[Metering Process(es)]     |....|[Metering Process(es)]     |
   |[Observation Point(s)]     |    |[Observation Point(s)]     |
   +---------------------------+    +---------------------------+
          ^       ^                        ^       ^
          |       |                        |       |
          Packets coming to Observation Points

              Figure A: Reference Model for IPFIX Mediation.

   The various functional components are indicated within brackets [].
   The functional components within [*] are not part of this document
   and [I-D.ietf-ipfix-architecture].

   The figure below shows the basic IPFIX Mediator component model.  The
   IPFIX Mediator is formally defined as consisting of one or more
   Collecting Processes, zero or more Intermediate Processes, and one or
   more Exporting Processes.  Basically, the IPFIX Mediator devices,
   i.e., IPFIX Proxy, IPFIX Masquerading Proxy, IPFIX Distributor, and
   IPFIX Concentrator, described in [I-D.ietf-ipfix-mediator-ps] are
   composed of these components.

                 IPFIX (Flow Records / Packet Reports)
                              ^
                              |
   +--------------------------|---------------------------+
   | IPFIX Mediator           |                           |
   |                          |                           |
   |  .-----------------------+-----------------------.   |
   |  |          Exporting Process(es)                |   |
   |  '-----------------------^-----------------------'   |
   |                          |                           |
   |  .-----------------------+-----------------------.   |
   |  |    Intermediate Process(es) (optional)        |   |
   |  '-----------------------^-----------------------'   |
   |                          |                           |
   |  .-----------------------+-----------------------.   |
   |  |          Collecting Process(es)               |   |
   |  '-----------------------^-----------------------'   |
   +--------------------------|---------------------------+
                              |
                 IPFIX (Flow Records / Packet Reports)

             Figure B: IPFIX Mediator Basic Component Model.

   An Original Exporter with an IPFIX Mediation is modeled as follows.

                 IPFIX (Flow Records / Packet Reports)
                              ^
                              |
   +--------------------------|---------------------------+
   | Original Exporter        |                           |
   |                          |                           |
   |  .-----------------------+-----------------------.   |
   |  |          Exporting Process(es)                |   |
   |  '-----------------------^-----------------------'   |
   |                          |                           |
   |  .-----------------------+-----------------------.   |
   |  |          Intermediate Process(es)             |   |
   |  '----------^--------------------------^---------'   |
   |             | Flow Records or          |             |
   |             | Packet Reports           |             |
   |  .----------+-----------.    .---------+-----------. |
   |  | Metering Process {i} |..  | Metering Process {n}| |
   |  '----------^-----------'    '---------^-----------' |
   |             |                          |             |
   |  .----------+-----------.    .---------+-----------. |
   |  | Observation Point {i}|..  |Observation Point {n}| |
   |  '----------^-----------'    '---------^-----------' |
   +-------------|--------------------------|-------------+
                 |                          |
              Packets coming to Observation Points

     Figure C: Component Model for Original Exporter with Mediation.

5.  IPFIX Mediation Functional and Logical Blocks

   This section describes the details of each component and examples
   applicable to that component for IPFIX Mediation and IPFIX Mediators.

5.1.  Collecting Process

   The Collecting Processes described in [RFC5101] receive Data Records
   with information relating to their treatment in the Metering Process
   and Exporting Process in the Original Exporter, such as sampling
   rate, IPFIX Message header information, and Transport Session
   Information.  The Collecting Processes transmit the set of data to
   multiple components: Intermediate Processes and Exporting Processes.
   In other words, the processes may duplicate received Data Records and
   transmit them to multiple components in sequence or in parallel.

5.2.  Exporting Process

   The Exporting Processes described in [RFC5101] transmit Data Records
   to one or multiple Collectors.  The processes manage the reporting
   Template and create IPFIX Messages.

5.3.  Intermediate Process

   The Intermediate Processes generate new sets of Data Records from
   input Data Records with context information collected by the
   Collecting Process that includes the "Export Time" and "Observation
   Domain ID" included in IPFIX Message headers.  The processes host one
   of several functions defined below or a combination of them, in any
   sequence or in any set.  In the case of a combination, the output of
   each function can be the input of other functions.  The following
   subsections show the details of each function.

5.3.1.  Selection Function

   The Selection Function determines which input Data Records are
   selected by matching them under a filtering policy and then transmits
   them to the next processes or functions.  The function is similar to
   the Selection Process described in [I-D.ietf-psamp-sample-tech].  The
   function covers several selection techniques, such as property match
   filtering and sampling.  In property match filtering, if the value of
   a specified Information Element equals a configured value, the
   function selects a Data Record to transmit.

   The combination of the Selection Functions and other functions
   provides some useful applications.

   Data-based Collector Selection

      The combination of one or multiple Selection Functions and
      Exporting Processes can determine to which Collector input Data
      Records are exported.  Applicable examples include exporting Data
      Records to a dedicated Collector on the basis of customer or
      organization peering.  For example, selectors select Data Records
      on the basis of a peering AS number, as shown in the following
      figure.  The set of Data Records is exported to a dedicated
      Collector on the basis of the peering AS number.

            .----------------------.
            | Intermediate Process |      +----------------+
            |                      |      | Exporting      |
            |  +- Selection #1 ----+----->| Process #1     |--> Collector #1
   Data     |  |  Peering AS #10   |      +----------------+
   Record   |  |                   |      +----------------+
   ---------+--+- Selection #2 ----+----->| Exporting      |--> Collector #2
            |  |  Peering AS #20   |      | Process #2     |
            |  |                   |      +----------------+
            |  |                   |      +----------------+
            |  +- Selection #3 ----+----->| Exporting      |--> Collector #3
            |     Peering AS #30   |      | Process #3     |
            '----------------------'      +----------------+

       Figure D: Exporting classified Data Records to dedicated
                               Collector.

   Flow Selection and Aggregation

      The combination of one or multiple Selection Functions and
      Aggregation Functions can efficiently reduce the amount of Flow
      Records.  For example, a selector selects small Flows consisting
      of a small number of packets and then transmits them to the
      Aggregation Function.  Another selector selects other Flows and
      then transmits them to the Exporting Process, as shown in the
      following figure.  This results in aggregation based on the
      distribution of the number of packets per Flow.

            .--------------------------------------.  +-------------------+
            | Intermediate Process                 |  | Exporting Process |
            |                                      |  |                   |
   Data     |  +- Selection #1 -----> Aggregation -+->|                   |
   Record   |  |  packetDeltaCount <= 5            |  |                   |
   ---------+--+                                   |  |                   |
            |  |                                   |  |                   |
            |  +- Selection #2 --------------------+->|                   |
            |     packetDeltaCount > 5             |  |                   |
            '--------------------------------------'  +-------------------+

                 Figure E: Flow Selection and Aggregation

5.3.2.  Aggregation Function

   The Aggregation Function creates aggregated Flow Records from input
   Flow Records/Packet Reports.  The aggregation method is divided into
   three types.

   Flow Key Field Selection

      Decreasing the number of fields considered as Flow Keys, such as
      three, two, or one Flow Key field, creates more aggregated Flow
      Records.  The function gathers Data Records within a given
      interval time and then merges the Data Records that have common
      properties.  If the values of given Flow Key fields are the same,
      that means those Data Records have common properties, and the
      function merges them in accordance with the aggregation policy.

      In addition, the function can create statistical data and
      subsidiary information related to the aggregated Flow Records.
      Examples include the number of input Data Records, the given
      interval time, and a new set of Flow Keys.

   Time Composition

      Time composition is defined as aggregation of Flow Records with
      identical Flow Key values within a given interval time.  The
      function may also compute Flow Records statistics, such as the
      maximum and minimum values of each counter.  The statistics
      enable the visualization of the behavior of traffic volume over a
      long time period.  The function provides some advantages.

      *  reducing the number of Flow Records for long-running Flows

      *  computing the active time period for long-running Flows

      *  revealing the up-and-down traffic volume within an active time

         Short period Flow Records created by configuring a short
         active time, e.g., 1 or 10 sec, are merged within a certain
         time period, e.g., 60 or 300 sec, at an IPFIX Mediator.  While
         merging, the IPFIX Mediator computes new metrics such as
         maximum and minimum.  It produces more precise maximum and
         minimum values without increasing the number of Flow Records on
         a Collector.

   Space Composition

      Space composition is defined as aggregation on a larger
      Observation Domain or on a set of Observation Points.  Generally,
      Flow Key fields are included in a Flow Record.  In that case,
      other properties that are not included in a Flow Record, such as
      the Exporter IP address or Observation Domain ID, become Flow Key
      fields.
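   The three aggregation types of this section carried out on a small set
   of Flow Records, as an added Python example that is not part of the
   draft: a reduced Flow Key set (Flow Key Field Selection), merging
   within a fixed interval with minimum/maximum counters (Time
   Composition), and a group identifier derived from the Exporter address
   added to the Flow Key (Space Composition).  The records, the Exporter-
   to-area mapping, and the output field names (minimum/maximum counters,
   inputRecordCount, intervalStartSeconds, observationGroupId) are
   constructed for this example and are not Information Elements defined
   by [RFC5102].

```python
"""Aggregation Function of an IPFIX Intermediate Process (illustrative)."""

# Flow Key of the input Flow Records: the usual 5-tuple.
FULL_FLOW_KEY = ("sourceIPv4Address", "destinationIPv4Address",
                 "sourceTransportPort", "destinationTransportPort",
                 "protocolIdentifier")


def _rec(exporter, src, dst, sport, dport, proto, start, end, pkts, octets):
    # exporterIPv4Address is context from the Transport Session that the
    # Collecting Process attaches; it is not a field of the original record.
    return {"exporterIPv4Address": exporter, "sourceIPv4Address": src,
            "destinationIPv4Address": dst, "sourceTransportPort": sport,
            "destinationTransportPort": dport, "protocolIdentifier": proto,
            "flowStartSeconds": start, "flowEndSeconds": end,
            "packetDeltaCount": pkts, "octetDeltaCount": octets}


# Constructed sample input: Flow Records exported with a 1-second active
# timeout by two Original Exporters (192.0.2.1 and 192.0.2.2).
SAMPLE_RECORDS = [
    _rec("192.0.2.1", "10.0.0.1", "10.0.1.1", 40001, 80, 6, 1000, 1001, 10, 1500),
    _rec("192.0.2.1", "10.0.0.1", "10.0.1.1", 40001, 80, 6, 1001, 1002, 30, 4500),
    _rec("192.0.2.1", "10.0.0.1", "10.0.1.1", 40001, 80, 6, 1002, 1003, 5, 750),
    _rec("192.0.2.1", "10.0.0.1", "10.0.1.1", 40002, 80, 6, 1000, 1001, 4, 400),
    _rec("192.0.2.2", "10.0.0.1", "10.0.1.1", 40001, 80, 6, 1000, 1001, 10, 1500),
    _rec("192.0.2.2", "10.0.0.5", "10.0.1.9", 5000, 53, 17, 1065, 1066, 2, 200),
]

# Space composition: constructed mapping from Exporter to a group identifier
# (an area of the network) that becomes an additional Flow Key.
AREA_OF_EXPORTER = {"192.0.2.1": "area-east", "192.0.2.2": "area-east"}


def aggregate(records, flow_key=FULL_FLOW_KEY, interval=None, group_of=None):
    """Merge Data Records that share the same values of the given Flow Keys.

    flow_key -- the (possibly reduced) Flow Key fields: fewer fields give
                more aggregation (Flow Key Field Selection).
    interval -- time composition: merge records whose flowStartSeconds fall
                in the same interval of this many seconds (None: disabled).
    group_of -- space composition: function mapping a record to a group
                identifier that is added to the Flow Key (None: disabled).
    The output carries summed counters, the minimum/maximum per-record
    counters and the number of merged input records (assumed names).
    """
    cache = {}
    for rec in records:
        key_fields = {f: rec[f] for f in flow_key}
        if interval is not None:
            key_fields["intervalStartSeconds"] = (
                rec["flowStartSeconds"] // interval * interval)
        if group_of is not None:
            key_fields["observationGroupId"] = group_of(rec)
        key = tuple(key_fields.values())
        agg = cache.get(key)
        if agg is None:
            agg = dict(key_fields)
            agg.update({"flowStartSeconds": rec["flowStartSeconds"],
                        "flowEndSeconds": rec["flowEndSeconds"],
                        "packetDeltaCount": 0, "octetDeltaCount": 0,
                        "minimumPacketDeltaCount": rec["packetDeltaCount"],
                        "maximumPacketDeltaCount": rec["packetDeltaCount"],
                        "minimumOctetDeltaCount": rec["octetDeltaCount"],
                        "maximumOctetDeltaCount": rec["octetDeltaCount"],
                        "inputRecordCount": 0})
            cache[key] = agg
        # Aggregation policy: sum the counters, track the extremes of each
        # counter, and widen the active time period of the merged Flow.
        for ctr in ("packetDeltaCount", "octetDeltaCount"):
            name = ctr[0].upper() + ctr[1:]
            agg[ctr] += rec[ctr]
            agg["minimum" + name] = min(agg["minimum" + name], rec[ctr])
            agg["maximum" + name] = max(agg["maximum" + name], rec[ctr])
        agg["flowStartSeconds"] = min(agg["flowStartSeconds"],
                                      rec["flowStartSeconds"])
        agg["flowEndSeconds"] = max(agg["flowEndSeconds"], rec["flowEndSeconds"])
        agg["inputRecordCount"] += 1
    return list(cache.values())


def find(aggregated, **match):
    """Return the single aggregated record whose fields equal `match`."""
    hits = [a for a in aggregated
            if all(a.get(k) == v for k, v in match.items())]
    if len(hits) != 1:
        raise LookupError("expected exactly one record, got %d" % len(hits))
    return hits[0]


if __name__ == "__main__":
    # Flow Key Field Selection: only the address pair remains a Flow Key.
    for a in aggregate(SAMPLE_RECORDS, ("sourceIPv4Address",
                                        "destinationIPv4Address")):
        print(a)
    # Time Composition: 60-second intervals, keyed per Exporter.
    for a in aggregate(SAMPLE_RECORDS,
                       FULL_FLOW_KEY + ("exporterIPv4Address",), 60):
        print(a)
    # Space Composition: the same Flow seen by Exporters of one area merges.
    for a in aggregate(SAMPLE_RECORDS,
                       group_of=lambda r: AREA_OF_EXPORTER[r["exporterIPv4Address"]]):
        print(a)
```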
      In addition, a group identifier indicating a spatial Observation
      Domain can also become a new Flow Key.  For example, a group can
      indicate an area on an ISP network, or a link aggregation
      interface composed of physical interfaces.  The group can also
      make a relation to a set of values of specified Information
      Elements in the Flow Records by the configuring rule.  After
      converting from the values of specified Information Elements to
      the group identifier, the function can create aggregated Flow
      Records by a general aggregation process.

5.3.3.  Correlation Function

   The Correlation Function creates new metrics by evaluating the
   correlation among sets of Flow Records/Packet Reports.  These sets
   can be Flow Records gathered during a certain period, a pair of
   consecutive Packet Reports, or Packet Reports exported by different
   Exporters indicating the same packet.  After producing new metrics,
   the function outputs Flow Records with the new metrics field.
   Applicable examples are as follows.

   o  One way delay follows from the correlation of Packet Reports
      exported from different Exporters on the path.

   o  Packet interval time, or jitter, follows the correlation of
      consecutive Packet Reports exported from the same Exporter.

   o  Difference values follow the correlation of Flow Records observed
      at ingress or egress interfaces.  The values help to confirm the
      result of a queueing or rate-limiting function.

   o  Average/maximum/minimum values follow the correlation of each in a
      set of Flow Records.

5.3.4.  Modification Function

   The Modification Function modifies input Data Records without
   changing their granularity.  The function can add new Information
   Elements, delete existing Information Elements, or modify the value
   of specified Information Elements.  If the function modifies the data
   structure of an original Template, it also needs to modify the value
   of the "flowKeyIndicator".

   Adding specified Information Elements

      The function obtains the value of a specified Information Element
      and then adds it to Data Records.  There are several methods to
      obtain the value: retrieving the value from a database or
      calculating the value on the basis of the value of other
      Information Elements and received traffic data.

      Applicable examples include adding derived packet property
      parameters.  Doing that can compensate for traditional exporting
      devices or probes that are unable to add packet property
      parameters.  Therefore, Collectors do not need to recognize the
      difference among implementations of routers from several vendors
      or among Exporter types, such as router, switch, or probe.
      Typical derived packet property parameters include the following.

      *  The "bgpNextHop{IPv4|IPv6}Address" described in [RFC5102]
         indicates the egress router of a network domain.  That is
         useful for making a traffic matrix that covers the whole
         network domain.

      *  The BGP community value indicates the same group of destination
         or source IP addresses.

      *  The "mplsVpnRouteDistinguisher" described in [RFC5102], which
         cannot be extracted from the core router in MPLS networks,
         indicates the VPN customer's identification.  Network operators
         can monitor the traffic behavior of each customer by adding
         "mplsVpnRouteDistinguisher" to Data Records.

   Deleting specified Information Elements

      This function deletes existing Information Elements according to
      instruction rules, which indicate whether an Information Element
      should be removed.

      Applicable examples include hiding network topology information
      and private information.  In the case of IPFIX exporting across
      domains, the function can avoid creating a vulnerability by
      deleting unnecessary Information Elements.  Examples of network
      topology information include "ipNextHopIP{v4|v6}Address",
      "bgpNextHopIP{v4|v6}Address", and "bgp{Next|
      Prev}AdjacentAsNumber", described in [RFC5102].  In addition,
      MPLS-related Information Elements, such as
      "mplsLabelStackSection", are useless for the customers in the case
      of feeding Flow Records/Packet Reports to VPN customers.

   Modifying the value of specified Information Elements

      This function modifies the value of specified Information
      Elements.

      Applicable examples include anonymizing customers' private
      information, such as IP address and port number, according to a
      privacy protection policy.  The function may also report
      anonymized fields and the anonymization method as subsidiary
      information.

5.4.  IPFIX File Writer/Reader

   The IPFIX File Writer/Reader on an IPFIX Mediator complies with
   [I-D.ietf-ipfix-file] as well.  The IPFIX File Writer stores input
   Data Records from any process in a file system.  If received Data
   Records include uninteresting Information Elements, the Modification
   Function can delete these elements before the IPFIX File Writer
   handles them.

   In contrast, the IPFIX File Reader retrieves stored Data Records when
   administrators want to retrieve past Data Records from a given time
   period.  If the data structure of output Data Records from the IPFIX
   File Reader is different from what administrators want, the
   Modification Function can modify the data structure.

   The figure shows the IPFIX component model with an IPFIX File Writer/
   Reader.

                 IPFIX (Flow Records / Packet Reports)
                              ^
                              |
      .-----------------------+---------------------.
      | Exporting Process(es) / IPFIX File Writer   |
      '----^------------------^---------------------'
           |                  |
           |      .-----------+---------------------.
           |      |    Intermediate Process(es)     |
           |      '-----------^---------------------'
           |                  |
      .----+------------------+---------------------.
      | Collecting Process(es) / IPFIX File Reader  |
      '-----------------------^---------------------'
                              |
                 IPFIX (Flow Records / Packet Reports)

      Figure E: IPFIX Mediator Component Model with IPFIX File Writer/
                                 Reader.

5.5.  Flow Expiration

   The Aggregation Function needs expiration conditions to export cached
   Flow Records.  These conditions are described in
   [I-D.ietf-ipfix-architecture].  In the case of IPFIX Mediation, these
   conditions are as follows.

   o  If there are no input Data Records belonging to a cached Flow for
      a certain time period, aggregated Flow Records will expire.  This
      time period should be configurable at the Intermediate Process.

   o  If the IPFIX Mediator experiences resource constraints, aggregated
      Flow Records may prematurely expire (e.g., lack of memory to store
      Flow Records).

   o  For long-running Flows, the Intermediate Process should cause the
      Flow to expire on a regular basis or based on an expiration
      policy.  This periodicity or expiration policy should be
      configurable at the Intermediate Process.

   The Correlation Function also needs similar expiration conditions.
   However, when cached Flow Records prematurely expire and the function
   cannot compute their correlation, cached Flow Records may be
   discarded.

5.6.  Information Model

   IPFIX Mediation reuses the general information model from [RFC5102]
   and from [I-D.ietf-psamp-info].  The Correlation Function uses the
   additional Information Elements indicating the minimum and maximum
   values for packet count and octet count.

5.7.  Examples

   As an example in the case of Intermediate Processes having different
   functions, a Collecting Process/IPFIX File Reader replicates Data
   Records, if necessary, and transmits them to a suitable Intermediate
   Process/Exporting Process.  An example figure is shown below.

                      IPFIX           IPFIX                IPFIX
                        ^               ^                    ^
                        |               |                    |
   .------------. .-----+-------. .-----+-------.     .------+------.
   | IPFIX File | | Exporting   | | Exporting   |     | Exporting   |
   | Writer     | | Process {i} | | Process {j} |.....| Process {n} |
   '---^--^-----' '-----^-------' '-----^-------'     '------^------'
       |  |             |               |                    |
       |  +-------------+               |              Flow Records
       |      Flow Records / Packet Reports                  |
       |          .-----+--------. .----+---------.     .----+---------.
       |          | Intermediate | | Intermediate |     | Intermediate |
       |          | Process {l}  | | Process {m}  |     | Process {p}  |
       |          |              | |              |.....|              |
       |          |  Selection   | |  Selection   |     |              |
   Flow Records   |      ^       | |      ^       |     |              |
       |          |      |       | |      |       |     |              |
       |          | Correlation  | | Modification |     | Modification |
       |          |      ^       | |      ^       |     |      ^       |
       |          |      |       | |      |       |     |      |       |
       |          |  Selection   | | Aggregation  |.....|  Selection   |
       |          |      ^       | |    ^    ^    |     |      ^       |
       |          '------|-------' '----|----|----'     '------|-------'
       |                 |              |    |                 |
       |                 +--------------+    |           Flow Records
       |                 |                   |                 |
       |      Flow Records / Packet Reports  |                 |
   .---+---------. .-----+-------.    .------+------.    .-----+------.
   | Collecting  | | Collecting  |    | Collecting  |    | IPFIX File |
   | Process {i} | | Process {j} |....| Process {n} |    | Reader     |
   '------^------' '------^------'    '------^------'    '------------'
          |               |                  |
        IPFIX           IPFIX              IPFIX

        Figure F: Functional Block Examples for IPFIX Mediator.

6.  Security Considerations

   An IPFIX measurement system must also prevent the security threats
   related to IPFIX Mediation that follow as well as the security
   threats described in the security consideration section in [RFC5101].

   o  attacks against IPFIX Mediators

      IPFIX Mediators need to prevent unauthorized access or denial-of-
      service (DoS) attacks from untrusted public networks.  One
      solution is that IPFIX Mediators host the packet filter function
      to reject malicious packets at an outside interface.

   o  man-in-the-middle attacks by untrusted IPFIX Mediators

      The Collector-Mediator-Exporter structure model would increase the
      risk of man-in-the-middle attacks.  One solution is that IPFIX
      Collectors and Exporters must verify trusted IPFIX Mediators to
      prevent connection to untrusted IPFIX Mediators.

   o  configuration of IPFIX Mediation

      In the case of IPFIX Distributors and IPFIX Masquerading Proxies,
      an accidental misconfiguration and unauthorized access to
      configuration data could lead to the crucial problem of disclosure
      of confidential traffic data.  To eliminate these risks, IPFIX
      Mediators must provide the authentication function for authorized
      administrators and the facilities to help in tracing configuration
      changes to their origin.

7.  IANA Considerations

   This document has no actions for IANA.

8.  References

8.1.  Normative References

   [I-D.ietf-ipfix-architecture]
              Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
              "Architecture for IP Flow Information Export",
              draft-ietf-ipfix-architecture-12.txt (work in progress),
              September 2006.

   [I-D.ietf-ipfix-as]
              Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IPFIX
              Applicability", draft-ietf-ipfix-as-12 (work in progress),
              June 2007.

   [I-D.ietf-ipfix-mib]
              Dietz, T., Claise, B., and A. Kobayashi, "Definitions of
              Managed Objects for IP Flow Information Export",
              draft-ietf-ipfix-mib-05 (work in progress), November 2008.

   [I-D.ietf-psamp-framework]
              Duffield, N., "A Framework for Packet Selection and
              Reporting", draft-ietf-psamp-framework-13.txt, June 2008.

   [I-D.ietf-psamp-info]
              Dietz, T., Claise, B., Aitken, P., Dressler, F., and G.
              Carle, "Information Model for Packet Sampling Exports",
              draft-ietf-psamp-info-11.txt (work in progress),
              October 2008.

   [I-D.ietf-psamp-mib]
              Dietz, T. and B. Claise, "Definitions of Managed Objects
              for Packet Sampling", draft-ietf-psamp-mib-06 (work in
              progress), June 2006.

   [I-D.ietf-psamp-protocol]
              Claise, B., Quittek, J., and A. Johnson, "Packet Sampling
              (PSAMP) Protocol Specifications",
              draft-ietf-psamp-protocol-09.txt, December 2007.

   [I-D.ietf-psamp-sample-tech]
              Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F.
              Raspall, "Sampling and Filtering Techniques for IP Packet
              Selection", draft-ietf-psamp-sample-tech-11.txt, July 2008.

   [RFC3917]  Quittek, J., Zseby, T., Claise, B., and S. Zander,
              "Requirements for IP Flow Information Export (IPFIX)",
              October 2004.

   [RFC5101]  Claise, B., "Specification of the IP Flow Information
              Export (IPFIX) Protocol for the Exchange of IP Traffic
              Flow Information", January 2008.

   [RFC5102]  Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
              Meyer, "Information Model for IP Flow Information Export",
              January 2008.

8.2.  Informative References

   [I-D.ietf-ipfix-file]
              Trammell, B., Boschi, E., Mark, L., Zseby, T., and A.
              Wagner, "An IPFIX-Based File Format",
              draft-ietf-ipfix-file-03.txt (work in progress),
              October 2008.

   [I-D.ietf-ipfix-mediator-ps]
              Kobayashi, A., Nishida, H., Sommer, C., Dressler, F.,
              Stephan, E., and B.
Claise, "IPFIX Mediation: Problem 771 Statement", 772 draft-ietf-ipfix-mediation-problem-statement-02.txt(work 773 in progress) , September 2009. 775 Appendix A. Acknowledgements 777 The authors gratefully acknowledge the contributions of 779 Keisuke Ishibashi, 780 Tsuyoshi Kondoh, and 781 Daisuke Matsubara. 783 Authors' Addresses 785 Atsushi Kobayashi 786 NTT Information Sharing Platform Laboratories 787 3-9-11 Midori-cho 788 Musashino-shi, Tokyo 180-8585 789 Japan 791 Phone: +81-422-59-3978 792 Email: akoba@nttv6.net 794 Haruhiko Nishida 795 NTT Information Sharing Platform Laboratories 796 3-9-11 Midori-cho 797 Musashino-shi, Tokyo 180-8585 798 Japan 800 Phone: +81-422-59-3978 801 Email: nishida.haruhiko@lab.ntt.co.jp 803 Benoit Claise 804 Cisco Systems 805 De Kleetlaan 6a b1 806 Diegem 1831 807 Belgium 809 Phone: +32 2 704 5622 810 Email: bclaise@cisco.com