idnits 2.17.1 draft-ietf-psamp-protocol-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 13. -- Found old boilerplate from RFC 3978, Section 5.5 on line 2097. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2069. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2076. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2082. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 18) being 60 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([PSAMP-MIB], [PSAMP-INFO], [RFC2119], [PSAMP-TECH], [PSAMP-FMWK], [PSAMP-PROTO], [IPFIX-PROTO], [RFC1889], [IPFIX-ARCH], [IPFIX-INFO]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 7 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 8 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 2006) is 6616 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'PSAMP-PROTO' is mentioned on line 139, but not defined == Missing Reference: 'RFC1889' is mentioned on line 209, but not defined ** Obsolete undefined reference: RFC 1889 (Obsoleted by RFC 3550) == Missing Reference: 'IPFIX-REQ' is mentioned on line 384, but not defined == Missing Reference: 'PSAMP-FWMK' is mentioned on line 861, but not defined == Missing Reference: 'IFPIX-INFO' is mentioned on line 1090, but not defined == Missing Reference: 'RFC2804' is mentioned on line 1945, but not defined == Missing Reference: 'RFC 2434' is mentioned on line 1973, but not defined ** Obsolete undefined reference: RFC 2434 (Obsoleted by RFC 5226) == Unused Reference: 'RFC1771' is defined on line 1987, but no explicit reference was found in the text ** Obsolete normative reference: RFC 1771 (Obsoleted by RFC 4271) ** Obsolete normative reference: RFC 2434 (Obsoleted by RFC 5226) == Outdated reference: A later version (-11) exists of draft-ietf-psamp-sample-tech-07 == Outdated reference: A later version (-11) exists of draft-ietf-psamp-info-03 -- Unexpected draft version: The latest known version of draft-ietf-ipfix-arch is -02, but you're referring to -09. -- Possible downref: Normative reference to a draft: ref. 'IPFIX-ARCH' == Outdated reference: A later version (-15) exists of draft-ietf-ipfix-info-11 == Outdated reference: A later version (-26) exists of draft-ietf-ipfix-protocol-19 == Outdated reference: A later version (-06) exists of draft-ietf-psamp-mib-05 == Outdated reference: A later version (-13) exists of draft-ietf-psamp-framework-10 Summary: 8 errors (**), 0 flaws (~~), 19 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 PSAMP working group 3 Internet Draft EDITOR: B. Claise 4 draft-ietf-psamp-protocol-04.txt Cisco Systems 5 Expires: September 2006 March 2006 7 Packet Sampling (PSAMP) Protocol Specifications 9 Status of this Memo 10 By submitting this Internet-Draft, each author represents that any 11 applicable patent or other IPR claims of which he or she is aware 12 have been or will be disclosed, and any of which he or she becomes 13 aware will be disclosed, in accordance with Section 6 of BCP 79. 15 Internet-Drafts are working documents of the Internet Engineering 16 Task Force (IETF), its areas, and its working groups. Note that 17 other groups may also distribute working documents as Internet- 18 Drafts. 20 Internet-Drafts are draft documents valid for a maximum of six 21 months and may be updated, replaced, or obsoleted by other documents 22 at any time. It is inappropriate to use Internet-Drafts as 23 reference material or to cite them other than as "work in progress". 25 The list of current Internet-Drafts can be accessed at 26 http://www.ietf.org/ietf/1id-abstracts.txt 27 The list of Internet-Draft Shadow Directories can be accessed at 28 http://www.ietf.org/shadow.html 30 This Internet-Draft will expire on September 30, 2006. 32 Copyright Notice 34 Copyright (C) The Internet Society (2006). 36 Abstract 38 This document specifies the export of packet information from a 39 PSAMP Exporting Process to a PSAMP Collecting Process. For export 40 of packet information the IP Flow Information eXport (IPFIX) 41 protocol is used, as both the IPFIX and PSAMP architecture match 42 very well and the means provided by the IPFIX protocol are 43 sufficient. The document specifies in detail how the IPFIX protocol 44 is used for PSAMP export of packet information. 46 Conventions used in this document 48 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 49 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 50 document are to be interpreted as described in RFC 2119 [RFC2119]. 52 Table of Contents 53 1. Introduction................................................3 54 2. PSAMP Documents Overview....................................3 55 3. Terminology.................................................4 56 3.1 IPFIX Terminology..........................................4 57 3.2 PSAMP Terminology..........................................8 58 3.2.1 Packet Streams and Packet Content.....................8 59 3.2.2 Selection Process.....................................9 60 3.2.3 Reporting............................................10 61 3.2.4 Exporting Process....................................11 62 3.2.5 PSAMP Device.........................................11 63 3.2.6 Selection Methods....................................11 64 3.3 IPFIX and PSMAP Terminology Comparison....................13 65 3.3.1 PSAMP and IPFIX Processes............................13 66 3.3.2 Packet Report, Packet Interpretation, and Data Record14 67 4. Differences between PSAMP and IPFIX........................14 68 4.1 Architecture Point of View................................14 69 4.2 Protocol Point of View....................................16 70 4.3 Information Model Point of View...........................16 71 5. PSAMP Requirements versus the IPFIX Solution...............16 72 5.1 High Level View of the Integration........................17 73 6. Using the IPFIX Protocol for PSAMP.........................18 74 6.1 Selector ID...............................................18 75 6.2 The Selection Sequence....................................18 76 6.3 The Exporting Process.....................................18 77 6.4 Packet Report.............................................18 78 6.4.1 Basic Packet Report..................................19 79 6.4.2 Extended Packet Report...............................21 80 6.5 Report Interpretation.....................................23 81 6.5.1 Selection Sequence Report Interpretation.............23 82 6.5.2 Selector Report Interpretation.......................25 83 6.5.2.1 Systematic Count-Based Sampling......................25 84 6.5.2.2 Systematic Time-Based Sampling.......................27 85 6.5.2.3 Random n-out-of-N Sampling...........................28 86 6.5.2.4 Uniform Probabilistic Sampling.......................29 87 6.5.2.5 Property Match Filtering.............................30 88 6.5.2.6 Hash-Based Filtering.................................32 89 6.5.2.7 Other Selection Methods..............................35 90 6.5.3 Selection Sequence Statistics Report Interpretation..35 91 6.5.4 Accuracy Report Interpretation.......................38 92 7. Security Considerations....................................41 93 8. IANA Considerations........................................41 94 8.1 IPFIX Related Considerations..............................41 95 8.2 PSAMP Related Considerations..............................41 96 9. References.................................................42 97 9.1 Normative References......................................42 98 9.2 Informative References....................................42 99 10. Acknowledgments...........................................43 101 1. 102 Introduction 104 The name PSAMP is a contraction of the phrase Packet SAMPling. The 105 word "sampling" captures the idea that only a subset of all packets 106 passing a network element will be selected for reporting. PSAMP 107 selection operations include random selection, deterministic 108 selection (filtering), and deterministic approximations to random 109 selection (hash-based selection). 111 The IP Flow information export (IPFIX) protocol specified in [IPFIX- 112 PROTO] exports IP traffic information [IPFIX-INFO] observed at 113 network devices. This matches the general protocol requirements 114 outlined in the PSAMP framework [PSAMP-FMWK]. However, there are 115 some architectural differences between IPFIX and PSAMP in the 116 requirements for an export protocol. While the IPFIX architecture 117 [IPFIX-ARCH] is focused on gathering and exporting IP traffic flow 118 information, the focus of the PSAMP framework [PSAMP-FMWK] is on 119 exporting information on individual packets. This basic difference 120 and a set of derived differences in protocol requirements are 121 outlined in Section 4. Despite these differences, the IPFIX protocol 122 is well suited as PSAMP protocol. Section 5 specifies how the IPFIX 123 protocol is used for the export of packet samples. Required 124 extensions of the IPFIX information model are specified in the PSAMP 125 information model [PSAMP-INFO]. 127 2. 128 PSAMP Documents Overview 130 [PSAMP-FMWK]: "A Framework for Packet Selection and Reporting", 131 describes the PSAMP framework for network elements to select subsets 132 of packets by statistical and other methods, and to export a stream 133 of reports on the selected packets to a collector. 135 [PSAMP-TECH]: "Sampling and Filtering Techniques for IP Packet 136 Selection", describes the set of packet selection techniques 137 supported by PSAMP. 139 [PSAMP-PROTO]: "Packet Sampling (PSAMP) Protocol Specifications" 140 (this document), specifies the export of packet information from a 141 PSAMP Exporting Process to a PSAMP Collecting Process. 143 [PSAMP-INFO]: "Information Model for Packet Sampling Exports" defines 144 an information and data model for PSAMP. 146 [PSAMP-MIB]: "Definitions of Managed Objects for Packet Sampling" 147 describes the PSAMP Management Information Base. 149 3. 150 Terminology 152 As the IPFIX export protocol is used to export the PSAMP information, 153 the relevant IPFIX terminology from [IPFIX-PROTO] is copied over in 154 this document. The terminology summary table in section 4.1 gives a 155 quick overview of the relationships between the different IPFIX 156 terms. The PSAMP terminology defined here is fully consistent with 157 all terms listed in [PSAMP-TECH] and [PSAMP-FMWK] but only 158 definitions that are only relevant to the PSAMP protocol appear here. 159 Section 5.4 applies the PSAMP terminology to the IPFIX protocol 160 terminology. 162 3.1 163 IPFIX Terminology 165 The IPFIX terminology section has been entirely copied over from 166 [IPFIX-PROTO], except for the IPFIX Exporting Process term, which is 167 defined more precisely in the PSAMP terminology section. 169 Observation Point 171 An Observation Point is a location in the network where IP packets 172 can be observed. Examples include: a line to which a probe is 173 attached, a shared medium, such as an Ethernet-based LAN, a single 174 port of a router, or a set of interfaces (physical or logical) of a 175 router. 177 Note that every Observation Point is associated with an Observation 178 Domain (defined below), and that one Observation Point may be a 179 superset of several other Observation Points. For example one 180 Observation Point can be an entire line card. That would be the 181 superset of the individual Observation Points at the line card's 182 interfaces. 184 Observation Domain 186 An Observation Domain is the largest set of Observation Points for 187 which Flow information can be aggregated by a Metering Process. 189 Each Observation Domain presents itself using a unique ID to the 190 Collecting Process to identify the IPFIX Messages it generates. For 191 example, a router line card may be an observation domain if it is 192 composed of several interfaces, each of which is an Observation 193 Point. Every Observation Point is associated with an Observation 194 Domain. 196 IP Traffic Flow or Flow 198 There are several definitions of the term 'flow' being used by the 199 Internet community. Within the context of IPFIX we use the following 200 definition: 202 A Flow is defined as a set of IP packets passing an Observation Point 203 in the network during a certain time interval. All packets belonging 204 to a particular Flow have a set of common properties. Each property 205 is defined as the result of applying a function to the values of: 207 1. one or more packet header field (e.g. destination IP address), 208 transport header field (e.g. destination port number), or 209 application header field (e.g. RTP header fields [RFC1889]) 211 2. one or more characteristics of the packet itself (e.g. number 212 of MPLS labels, etc...) 214 3. one or more of fields derived from packet treatment (e.g. next 215 hop IP address, the output interface, etc...) 217 A packet is defined to belong to a Flow if it completely satisfies 218 all the defined properties of the Flow. 220 This definition covers the range from a Flow containing all packets 221 observed at a network interface to a Flow consisting of just a single 222 packet between two applications. It includes packets selected by a 223 sampling mechanism. 225 Flow Key 227 Each of the fields which 228 1. Belong to the packet header (e.g. destination IP address) 229 2. Are a property of the packet itself (e.g. packet length) 230 3. Are derived from packet treatment (e.g. AS number) 231 and which are used to define a Flow are termed Flow Keys. 233 Flow Record 235 A Flow Record contains information about a specific Flow that was 236 observed at an Observation Point. A Flow Record contains measured 237 properties of the Flow (e.g. the total number of bytes for all the 238 Flow's packets) and usually characteristic properties of the Flow 239 (e.g. source IP address). 241 Metering Process 243 The Metering Process generates Flow Records. Inputs to the process 244 are packet headers and characteristics observed at an Observation 245 Point, and packet treatment at the Observation Point (for example the 246 selected output interface). 248 The Metering Process consists of a set of functions that includes 249 packet header capturing, timestamping, sampling, classifying, and 250 maintaining Flow Records. 252 The maintenance of Flow Records may include creating new records, 253 updating existing ones, computing Flow statistics, deriving further 254 Flow properties, detecting Flow expiration, passing Flow Records to 255 the Exporting Process, and deleting Flow Records. 257 Exporter 259 A device which hosts one or more Exporting Processes is termed an 260 Exporter. 262 IPFIX Device 264 An IPFIX Device hosts at least one Observation Point, a Metering 265 Process and an Exporting Process. 267 Collecting Process 269 A Collecting Process receives Flow Records from one or more 270 Exporting Processes. The Collecting Process might process or store 271 received Flow Records, but such actions are out of scope for this 272 document. 274 Collector 276 A device which hosts one or more Collecting Processes is termed a 277 Collector. 279 Template 281 Template is an ordered sequence of pairs, used to 282 completely specify the structure and semantics of a particular set of 283 information that needs to be communicated from an IPFIX Device to a 284 Collector. Each Template is uniquely identifiable by means of a 285 Template ID. 287 IPFIX Message 289 An IPFIX Message is a message originating at the Exporting Process 290 that carries the IPFIX records of this Exporting Process and whose 291 destination is a Collecting Process. An IPFIX Message is 292 encapsulated at the transport layer. 294 Message Header 296 The Message Header is the first part of an IPFIX Message, which 297 provides basic information about the message such as the IPFIX 298 version, length of the message, message sequence number, etc. 300 Template Record 302 A Template Record defines the structure and interpretation of fields 303 in a Data Record. 305 Data Record 307 A Data Record is a record that contains values of the parameters 308 corresponding to a Template Record. 310 Options Template Record 312 An Options Template Record is a Template Record that defines the 313 structure and interpretation of fields in a Data Record, including 314 defining how to scope the applicability of the Data Record. 316 Set 318 Set is a generic term for a collection of records that have a similar 319 structure. In an IPFIX Message, one or more Sets follow the Message 320 Header. 322 There are three different types of Sets: Template Set, Options 323 Template Set, and Data Set. 325 Template Set 327 A Template Set is a collection of one or more Template Records that 328 have been grouped together in an IPFIX Message. 330 Options Template Set 332 An Options Template Set is a collection of one or more Options 333 Template Records that have been grouped together in an IPFIX Message. 335 Data Set 336 A Data Set is one or more Data Records, of the same type, that are 337 grouped together in an IPFIX Message. Each Data Record is previously 338 defined by a Template Record or an Options Template Record. 340 Information Element 342 An Information Element is a protocol and encoding independent 343 description of an attribute which may appear in an IPFIX Record. The 344 IPFIX information model [IPFIX-INFO] defines the base set of 345 Information Elements for IPFIX. The type associated with an 346 Information Element indicates constraints on what it may contain and 347 also determines the valid encoding mechanisms for use in IPFIX. 349 +------------------+---------------------------------------------+ 350 | | Contents | 351 | +--------------------+------------------------+ 352 | Set | Template | Record | 353 +------------------+--------------------+------------------------+ 354 | Data Set | / | Data Record(s) | 355 +------------------+--------------------+------------------------+ 356 | Template Set | Template Record(s) | / | 357 +------------------+--------------------+------------------------+ 358 | Options Template | Options Template | / | 359 | Set | Record(s) | | 360 +------------------+--------------------+------------------------+ 361 Figure A: Terminology Summary Table 363 3.2 364 PSAMP Terminology 366 The PSAMP terminology section has been copied over from [PSAMP-TECH]. 368 3.2.1 Packet Streams and Packet Content 370 Observed Packet Stream 372 The Observed Packet Stream is the set of all packets observed at the 373 Observation Point. 375 Packet Stream 377 A packet stream denotes a set of packets that flows past some 378 specified point within the Selection Process. An example of a Packet 379 Stream is the output of the Selection Process. Note that packets 380 selected from a stream, e.g. by Sampling, do not necessarily possess 381 a property by which they can be distinguished from packets that have 382 not been selected. For this reason the term "stream" is favored over 383 "flow", which is defined as set of packets with common properties 384 [IPFIX-REQ]. 386 Packet Content 388 The packet content denotes the union of the packet header (which 389 includes link layer, network layer and other encapsulation headers) 390 and the packet payload. 392 3.2.2 Selection Process 394 Selection Process 396 A Selection Process takes the Observed Packet Stream as its input and 397 selects a subset of that stream as its output. 399 Selection State 401 A Selection Process may maintain state information for use by the 402 Selection Process. At a given time, the Selection State may depend 403 on packets observed at and before that time, and other variables. 404 Examples include: 406 (i) sequence numbers of packets at the input of Selectors; 408 (ii) a timestamp of observation of the packet at the 409 Observation Point; 411 (iii) iterators for pseudorandom number generators; 413 (iv) hash values calculated during selection; 415 (v) indicators of whether the packet was selected by a 416 given Selector. 418 Selection Processes may change portions of the Selection State as a 419 result of processing a packet. Selection state for a packet is to 420 reflect the state after processing the packet. 422 Selector 424 A Selector defines the action of a Selection Process on a single 425 packet of its input. If selected, the packet becomes an element of 426 the output Packet Stream. 428 The Selector can make use of the following information in determining 429 whether a packet is selected: 431 (i) the Packet Content; 433 (ii) information derived from the packet's treatment at the 434 Observation Point; 436 (iii) any selection state that may be maintained by the 437 Selection Process. 439 Composite Selector 441 A Composite Selector is an ordered composition of Selectors, in which 442 the output Packet Stream issuing from one Selector forms the input 443 Packet Stream to the succeeding Selector. 445 Primitive Selector 447 A Selector is primitive if it is not a Composite Selector. 449 Selector ID 451 The Selector ID is the unique ID identifying a Primitive Selector. 452 The ID is unique within the Observation Domain. 454 Selection Sequence 456 From all the packets observed at an Observation Point, only a few 457 packets are selected by one or more Selectors. The Selection 458 Sequence is a unique value per Observation Domain describing the 459 Observation Point and the Selector IDs through which the packets are 460 selected. 462 3.2.3 Reporting 464 Packet Reports 466 Packet Reports comprise a configurable subset of a packet's input to 467 the Selection Process, including the Packet Content, information 468 relating to its treatment (for example, the output interface), and 469 its associated selection state (for example, a hash of the Packet 470 Content) 472 Report Interpretation 473 Report Interpretation comprises subsidiary information, relating to 474 one or more packets, that are used for interpretation of their Packet 475 Reports. Examples include configuration parameters of the Selection 476 Process. 478 Report Stream 480 The Report Stream is the output of a Selection Process, comprising 481 two distinguished types of information: Packet Reports, and Report 482 Interpretation. 484 3.2.4 Exporting Process 486 Exporting Process 488 An Exporting Process sends, in the form of Export Packets, the output 489 of one or more Selection Processes to one or more Collectors. 491 Export Packet 493 An Export Packet is a combination of Report Interpretation(s) and/or 494 one or more Packet Reports that are bundled by the Exporting Process 495 into a Export Packet for exporting to a Collector. 497 3.2.5 PSAMP Device 499 PSAMP Device 501 A PSAMP Device is a device hosting at least an Observation Point, a 502 Selection Process and an Exporting Process. Typically, corresponding 503 Observation Point(s), Selection Process(es) and Exporting Process(es) 504 are co-located at this device, for example at a router. 506 3.2.6 Selection Methods 508 Filtering 510 A filter is a Selector that selects a packet deterministically based 511 on the Packet Content, or its treatment, or functions of these 512 occurring in the Selection State. Examples include field match 513 Filtering, and Hash-based Selection. 515 Sampling 517 A Selector that is not a filter is called a Sampling operation. This 518 reflects the intuitive notion that if the selection of a packet 519 cannot be determined from its content alone, there must be some type 520 of Sampling taking place. 522 Content-independent Sampling 524 A Sampling operation that does not use Packet Content (or quantities 525 derived from it) as the basis for selection is called a Content- 526 independent Sampling operation. Examples include systematic 527 Sampling, and uniform pseudorandom Sampling driven by a pseudorandom 528 number whose generation is independent of Packet Content. Note that 529 in Content-independent Sampling it is not necessary to access the 530 Packet Content in order to make the selection decision. 532 Content-dependent Sampling 534 A Sampling operation where selection is dependent on Packet Content 535 is called a Content-dependent Sampling operation. Examples include 536 pseudorandom selection according to a probability that depends on the 537 contents of a packet field. Note that this is not a filter, because 538 the selection is not deterministic. 540 Hash Domain 542 A subset of the Packet Content and the packet treatment, viewed as an 543 N-bit string for some positive integer N. 545 Hash Range 547 A set of M-bit strings for some positive integer M that define the 548 range of values the result of the hash operation can take. 550 Hash Function 552 A deterministic map from the Hash Domain into the Hash Range. 554 Hash Selection Range 556 A subset of the Hash Range. The packet is selected if the action of 557 the Hash Function on the Hash Domain for the packet yields a result 558 in the Hash Selection Range. 560 Hash-based Selection 562 Filtering specified by a Hash Domain, a Hash Function, a Hash Range 563 and a Hash Selection Range. 565 Approximative Selection 566 Selectors in any of the above categories may be approximated by 567 operations in the same or another category for the purposes of 568 implementation. For example, uniform pseudorandom Sampling may be 569 approximated by Hash-based Selection, using a suitable Hash Function 570 and Hash Domain. In this case, the closeness of the approximation 571 depends on the choice of Hash Function and Hash Domain. 573 Population 575 A Population is a Packet Stream, or a subset of a Packet Stream. A 576 Population can be considered as a base set from which packets are 577 selected. An example is all packets in the Observed Packet Stream 578 that are observed within some specified time interval. 580 Population Size 582 The Population Size is the number of all packets in the Population. 584 Sample Size 586 The number of packets selected from the Population by a Selector. 588 Configured Selection Fraction 590 The Configured Selection Fraction is the ratio of the number of 591 packets selected by a Selector from an input Population, to the 592 Population Size, as based on the configured selection parameters. 594 Attained Selection Fraction 596 The Attained Selection Fraction is the actual ratio of the 597 number of packets selected by a Selector from an input 598 Population, to the Population Size. For some Sampling methods the 599 Attained Selection Fraction can differ from the Configured Selection 600 Fraction due to, for example, the inherent statistical variability in 601 Sampling decisions of probabilistic Sampling and Hash-based 602 Selection. Nevertheless, for large Population Sizes and properly 603 configured Selectors, the Attained Selection Fraction usually 604 approaches the Configured Selection Fraction. 606 3.3 607 IPFIX and PSMAP Terminology Comparison 609 The PSAMP terminology has been specified with an IPFIX background, as 610 PSAMP and IPFIX have similar terms. However, this section explains 611 the non compatible terms between IPFIX and PSAMP. 613 3.3.1 PSAMP and IPFIX Processes 614 The figure B indicates the sequence of the processes (selection and 615 exporting) within the PSAMP Device. 617 +----------+ +-----------+ 618 Observed | Metering | | Exporting | 619 Packet--->| Process |----->| Process |--->Collector 620 Stream +----------+ +-----------+ 622 Figure B: PSAMP Processes 624 The Selection Process, which takes an Observed Packet Stream as its 625 input and produces Packet Reports as its output, is an integral part 626 of the Metering Process, which by its definition produces Flow 627 Records as its output. 629 3.3.2 Packet Report, Packet Interpretation, and Data Record 631 The PSAMP terminology speaks of Packet Report and Packet 632 Interpretation, while the IPFIX terminology speaks of Data Record and 633 (Option) Template Record. The PSAMP Packet Report, which comprises 634 information about the observed packet, can be viewed as analogous to 635 the IPFIX Data Record defined by a Template Record. The PSAMP Packet 636 Interpretation, which comprises subsidiary information used for the 637 interpretation of the Packet Reports, can be viewed as analogous to 638 the IPFIX Data Record defined by an Option Template Record. 640 4. 641 Differences between PSAMP and IPFIX 643 The output of the IPFIX working group relevant for this draft is 644 structured into three documents: 645 - IP Flow information architecture [IPFIX-ARCH] 646 - IPFIX protocol specifications [IPFIX-PROTO] 647 - IP Flow information export information model [IPFIX-INFO] 649 4.1 650 Architecture Point of View 652 Traffic Flow measurement as described in the IPFIX requirements 653 [RFC3917] and the IPFIX architecture [IPFIX-ARCH] can be separated 654 into two stages: packet processing and Flow processing. 655 Figure C illustrates these stages. 657 In stage 1, all processing steps act on packets. Packets are 658 captured, time stamped, selected by one or more selection steps and 659 finally forwarded to packet classification that maps packets to 660 Flows. The packets selection steps may include Filtering and 661 Sampling functions. 663 In stage 2, all processing steps act on Flows. After packets are 664 classified (mapped to Flows), Flows are generated or updated if they 665 exist already. Flow generation and update steps may be performed 666 repeatedly for aggregating Flows. Finally, Flows are exported. 668 Packet Sampling as described in the PSAMP framework [PSAMP-FMWK] 669 covers only stage 1 of the IPFIX architecture with the packet 670 classification replaced by packet record export. 672 IPFIX architecture PSAMP framework 674 packet header packet header 675 capturing \ capturing 676 | | | 677 timestamping | timestamping 678 | | | 679 v | v 680 +------>+ | stage 1: +------>+ 681 | | > packet | | 682 | packet | processing | packet 683 | selection | | selection 684 | | | | | 685 +-------+ | +-------+ 686 | | | 687 v | v 688 packet / packet record 689 classification \ export 690 | | 691 v | 692 +------>+ | 693 | | | 694 | Flow generation | 695 | and update | stage 2: 696 | | > Flow 697 | v | processing 698 | Flow | 699 | selection | 700 | | | 701 +-------+ | 702 | | 703 v | 704 Flow Record / 705 export 707 Figure C: Comparison of IPFIX architecture and PSAMP framework 709 4.2 710 Protocol Point of View 712 Concerning the protocol, the major difference between IPFIX and PSAMP 713 is that the IPFIX protocol exports Flow Records while the PSAMP 714 protocol exports Packet Records. From a pure export point of view, 715 IPFIX will not distinguish a Flow Record composed of several packets 716 aggregated together from a Flow Record composed of a single packet. 717 So the PSAMP export can be seen as special IPFIX Flow Record 718 containing information about a single packet. 720 All extensions of the IPFIX protocol that are required to satisfy the 721 PSAMP requirements have already been incorporated in the IPFIX 722 protocol [IPFIX-PROTO], which was developed in parallel with the 723 PSAMP protocol. An example is the need for a data type for protocol 724 fields that have flexible length, such as an octet array. This was 725 added to the IPFIX protocol specification in order to meet the 726 requirement of the PSAMP protocol to report content of captured 727 packets, for example the first octets of a packet. 729 4.3 730 Information Model Point of View 732 From the information model point of view, the overlap between both 733 the IPFIX and PSAMP protocols is quite large. Most of the 734 Information Elements in the IPFIX protocol are also relevant for 735 exporting packet information, for example all fields reporting packet 736 header properties. Only a few Information Elements, such as 737 flowCount, packetCount (whose value will always be 1 for PSAMP) etc., 738 cannot be used in a meaningful way by the PSAMP protocol. Also, 739 IPFIX protocol requirements concerning stage 2 of figure C do not 740 apply to the PSAMP metering process. 742 Further required extensions apply to the information model. Even if 743 the IPFIX charter speaks of Sampling, no Sampling related Information 744 Elements are specified in [IPFIX-INFO]. The task of specifying them 745 was intentionally left for the PSAMP information model [PSAMP-INFO]. 746 A set of several additional fields is required for satisfying the 747 requirements for the PSAMP information model [PSAMP-TECH]. 749 Exploiting the extensibility of the IPFIX information model, the 750 required extension is covered by the PSAMP information model 751 specified in [PSAMP-INFO]. 753 5. 754 PSAMP Requirements versus the IPFIX Solution 756 In the "Generic Requirements for PSAMP" section, [PSAMP-FMWK] 757 describes some requirements that affect directly the PSAMP export 758 protocol. 760 In the "Generic Selection Process Requirements" section, [PSAMP-FMWK] 761 describes one requirement that, if not directly related to the export 762 protocol, will put some constraints on it. Parallel Measurements: 763 multiple independent selection processes at the same entity. 765 Finally, [PSAMP-FMWK] describes a series of requirements specifying 766 the different Information Elements that MUST and SHOULD be reported 767 to the Collector. Nevertheless IPFIX, being a generic export 768 protocol, can export any Information Elements as long as there are 769 described in the information model. So these requirements are mainly 770 targeted for the [PSAMP-INFO] document. 772 The PSAMP protocol specifications meets almost all the protocol 773 requirements stated in the PSAMP framework document [PSAMP-FMWK]: 775 * Extensibility 776 * Parallel measurement processes 777 * Encrypted packets 778 * Indication of information loss 779 * Accuracy 780 * Privacy 781 * Timeliness 782 * Congestion avoidance 783 * Secure export 784 * Export rate limit 785 * Microsecond timestamp resolution 787 The only requirement that is not met is Export Packet compression. 788 With the choice of IPFIX as PSAMP export protocol, the export packet 789 compression option mentioned in the section 8.5 of the framework 790 document [PSAMP-FMWK] is not addressed. 792 5.1 793 High Level View of the Integration 795 The Template Record in the Template Set is used to describe the 796 different PSAMP Information Elements that will be exported to the 797 Collector. The Collector decodes the Template Record in the Template 798 Set and knows which Information Elements to expect when it receives 799 the Data Records in the Data Set, i.e. the PSAMP Packet Reports. 800 Typically, in the base level of the PSAMP functionality, the Template 801 Set will contain the input sequence number, the packet fragment (some 802 number of contiguous bytes from the start of the packet or from the 803 start of the payload) and the Selection Sequence. 805 The Options Template Record in the Options Template Set is used to 806 describe the different PSAMP Information Elements that concern the 807 Metering Process itself: Sampling and/or Filtering functions, and the 808 associated parameters. The Collector decodes the Options Template 809 Records in the Option Template Set and knows which Information 810 Elements to expect when it receives the Data Records in the Data Set, 811 i.e. the PSAMP Report Interpretation. Typically, the Options 812 Template would contain the Selection Sequence, the Sampling or 813 Filtering functions, and the Sampling or Filtering associated 814 parameters. 816 PSAMP requires all the different possibilities of the IPFIX protocol 817 specifications [IPFIX-PROTO]. That is the 3 types of Set (Data Set, 818 Template Set and Options Templates Set) with the 2 types of Templates 819 Records (Template Record and Options Template Record), as described 820 in the figure A. As a consequence, PSAMP can't rely on a subset of 821 the IPFIX protocol specifications are described in [IPFIX-PROTO]. 822 The entire IPFIX protocol specifications [IPFIX-PROTO] MUST be 823 implemented for the PSAMP protocol. 825 6. 826 Using the IPFIX Protocol for PSAMP 828 6.1 829 Selector ID 831 The Selector ID is the unique ID identifying a Primitive Selector. 832 Each Primitive Selector MUST have a unique ID within the Observation 833 Domain. The Selector ID is represented by the selectorId Information 834 Element [PSAMP-INFO]. 836 6.2 837 The Selection Sequence ID 839 From all the packets observed at an Observation Point, a subset of 840 packets is selected by one or more Selectors. The Selection Sequence 841 is the combination of an Observation Point and one or more 842 Selector(s) through which the packets are selected. The Selection 843 Sequence ID is a unique value representing that combination. The 844 Selection Sequence ID is represented by the selectionSequenceId 845 Information Element [PSAMP-INFO]. 847 6.3 848 The Exporting Process 850 An Exporting Process MUST be able to limit the export rate according 851 to a configurable value. The Exporting Process MAY limit the export 852 rate on a per Collecting Process basis. 854 6.4 855 Packet Report 857 For each Selection Sequences, for each selected packet, a Packet 858 Report MUST be created. The format of the Packet Report is specified 859 in a Template Record contained in a Template Set. 861 There are two types of Packet Report, as described in [PSAMP-FWMK]: 862 the basic Packet Report and the extended Packet Report. 864 6.4.1 Basic Packet Report 866 For each selected packet, the Packet Report MUST contain the 867 following information: 868 - The selectionSequenceId Information Element 869 - The hash value (digestHashValue) generated by the digest hash 870 function. If there are no digest functions in the selection 871 sequence then no element needs to be sent. If there is more than 872 one digest function then each hash value must be included in 873 the same order as they appear in the selection sequence. 874 - Some number of contiguous bytes from the start of the packet, 875 including the packet header (which includes link layer, network layer 876 and other encapsulation headers) and some subsequent bytes of the 877 packet payload. Alternatively, the number of contiguous bytes may 878 start at the beginning of the payload. The dataLinkFrameSection, 879 mplsLabelStackSection, mplsPayloadPacketSection, ipPacketSection, and 880 ipPayloadPacketSection PSAMP Information Elements are available for 881 this use. 883 For each selected packet, the Packet Report SHOULD contain the 884 following information: 885 - the observationTimeMicroSeconds Information Element 887 In the Packet Report, the PSAMP device MUST be capable of exporting 888 the number of observed packets and the number of packets selected by 889 each instance of its Primitive Selectors (as described by the non 890 scope Information Elements of the Selection Sequence Statistics 891 Report Interpretation) although it MAY be a configurable option not 892 to include them. If exported, the Attained Selection Fraction may 893 be calculated precisely for the Observed Packet Stream. The Packet 894 Report MAY include only the final selector packetSelected, to act as 895 an index for that selection sequence in the Selection Sequence 896 Statistics Report Interpretation, which also allows the calculation 897 of the Attained Selection Fraction. 899 The contiguous Information Elements (dataLinkFrameSection, 900 mplsLabelStackSection, mplsPayloadPacketSection, ipPacketSection, 901 and ipPayloadPacketSection) MAY be encoded with a fixed length field 902 or with a variable sized field. If one of these Information 903 Elements is encoded with a fixed length field whose length is too 904 long for the number of contiguous bytes in the selected packet, 905 padding MUST NOT be used. In this case, the Exporting Process MUST 906 export the information either in a new Template Record with the 907 correct fixed length field, or either in a new Template Record with 908 a variable length field. 910 Here is an example of a basic Packet Report, with a 911 SelectionSequenceId value of 9 and ipHeaderPacketSection Information 912 Element of 12 bytes, 0x4500 005B A174 0000 FF11 832E, encoded with a 913 fixed length field. 915 IPFIX Template Record: 917 0 1 2 3 918 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 919 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 920 | Set ID = 2 | Length = 24 | 921 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 922 | Template ID = 260 | Field Count = 4 | 923 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 924 | selectionSequenceId = 301 | Field Length = 4 | 925 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 926 | digestHashValue = 326 | Field Length = 4 | 927 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 928 | ipHeaderPacketSection = 313 | Field Length = 12 | 929 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 930 |observationTimeMicroSeconds=324| Field Length = 4 | 931 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 933 The associated IPFIX Data Record: 935 0 1 2 3 936 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 937 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 938 | Set ID = 260 | Length = 28 | 939 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 940 | 9 | 941 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 942 | 0x9123 0613 | 943 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 944 | 0x4500 005B | 945 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 946 | 0xA174 0000 | 947 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 948 | 0xFF11 832E | 949 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 950 | observation time encoded as dateTimeSeconds [IPFIX-PROTO] | 951 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 953 Figure D: Example of a Basic Packet Report 955 Here is an example of a basic Packet Report, with a 956 SelectionSequenceId value of 9 and ipHeaderPacketSection Information 957 Element of 12 bytes, 0x4500 005B A174 0000 FF11 832E, encoded with a 958 variable sized field. 960 IPFIX Template Record: 962 0 1 2 3 963 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 964 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 965 | Set ID = 2 | Length = 16 | 966 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 967 | Template ID = 261 | Field Count = 2 | 968 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 969 | selectionSequenceId = 301 | Field Length = 4 | 970 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 971 | ipHeaderPacketSection = 313 | Field Length = 65535 | 972 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 974 The associated IPFIX Data Record: 976 0 1 2 3 977 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 978 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 979 | Set ID = 261 | Length = 21 | 980 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 981 | 9 | 982 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 983 | Length = 12 | 0x4500 ... | 984 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 985 | ... 005B | 0xA174 ... | 986 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 987 | ... 0000 | 0xFF11 ... | 988 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 989 | ... 832E | 990 +-+-+-+-+-+-+-+-+ 992 Figure E: Example of a Basic Packet Report, 993 with a variable sized field 995 6.4.2 Extended Packet Report 997 Alternatively to the basic Packet Report, the extended Packet Report 998 MAY contain other Information Elements related to the protocols used 999 in the packet (such as source and destination IP addresses), related 1000 to the packet treatment (such as output interface, destination BGP 1001 autonomous system), or related to the Selection State associated with 1002 the packet (such as timestamp, hash value). 1004 It is envisaged that selection of fields for extended Packet Reports 1005 may be used to reduce reporting bandwidth, in which case the option 1006 to report some number of contiguous bytes from the start of the 1007 packet, mandatory in the basic Packet Report, may not be exercised. 1008 In this case, the Packet Content MAY be omitted. Note this 1009 configuration is quite similar to an IPFIX device for which a 1010 Template Record containing information about a single packet is 1011 reported. 1013 Example of a detailed Extended Packet Report: 1015 IPFIX Template Record: 1017 0 1 2 3 1018 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1019 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1020 | Set ID = 2 | Length = 32 | 1021 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1022 | Template ID = 261 | Field Count = 6 | 1023 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1024 |0| selectionSequenceId = 301 | Field Length = 4 | 1025 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1026 |0| sourceIPv4Address = 44 | Field Length = 4 | 1027 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1028 |0| destinationIPv4Address = 45 | Field Length = 4 | 1029 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1030 |0| totalLengthIPv4 = 190 | Field Length = 2 | 1031 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1032 |0| tcpSourcePort = 182 | Field Length = 2 | 1033 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1034 |0| tcpDestinationPort = 183 | Field Length = 2 | 1035 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1037 The associated IPFIX Data Record: 1039 0 1 2 3 1040 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1041 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1042 | Set ID = 261 | Length = 20 | 1043 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1044 | 9 | 1045 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1046 | 10.0.0.1 | 1047 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1048 | 10.0.1.106 | 1049 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1050 | 72 | 1372 | 1051 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1052 | 80 | 1053 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1054 Figure F: Example of an Extended Packet Report 1056 6.5 1057 Report Interpretation 1059 To make full sense of the Packet Reports there are a number of 1060 additional pieces of information that must be communicated to the 1061 Collector: 1062 - The details about which Selectors and Observation Points are being 1063 used within a Selection Sequences MUST be provided using the 1064 Selection Sequence Report Interpretation. 1065 - The configuration details of each Selector MUST be provided using 1066 the Selector Report Interpretation. 1067 - The Selector ID statistics MUST be provided using the Selection 1068 Sequence Statistics Report Interpretation. 1069 - The accuracies of the reported fields MUST be provided using the 1070 Accuracy Report Interpretation. 1072 6.5.1 Selection Sequence Report Interpretation 1074 Each Packet Report contains a selectionSequenceId Information Element 1075 that identifies the particular combination of Observation Point and 1076 Selector(s) used for its selection. For every selectionSequenceId 1077 Information Element in use, the PSAMP Device MUST export a Selection 1078 Sequence Report Interpretation using an Options Template with the 1079 following Information Elements: 1081 Scope: selectionSequenceId 1082 Non-Scope: one Information Element representing 1083 the Observation Point 1084 selectorId (one or more) 1086 An Information Element representing the Observation Point would 1087 typically be taken from the ingressInterface, egressInterface, 1088 lineCardId, exporterIPv4Address, exporterIPv6Address Information 1089 Elements (specified in [IPFIX-INFO]), but not limited to those: any 1090 Information Element specified in [IFPIX-INFO] or [PSAMP-INFO] can 1091 potentially be used. In case of more complex Observation Points 1092 (such as a list of interfaces, a bus, etc..), a new Information 1093 Element describing the new type of Observation Point must be 1094 specified, along with an option template record describing it in more 1095 details (if necessary). 1097 If the packets are selected by a Composite Selector, the Selection 1098 Sequence is composed of several Primitive Selectors. In such a case, 1099 the Selection Sequence Report Interpretation MUST contain the list of 1100 all the Primitive Selector IDs in the Selection Sequence. If 1101 multiple Selectors are contained in the Selection Sequence Report 1102 Interpretation, the selectorId's MUST be identified in the order they 1103 are used. 1105 Example of two Selection Sequences: 1107 Selection Sequence 7 (Filter->Sampling): 1108 ingressInterface 5 1109 selectorId 5 (Filter, match IPV4SourceAddress 10.0.0.1) 1110 selectorId 10 (Sampler, Random 1 out-of ten) 1112 Selection Sequence 9 (Sampling->Filtering): 1113 ingressInterface 5 1114 selectorId 10 (Sampler, Random 1 out-of ten) 1115 selectorId 5 (Filter, match IPV4SourceAddress 10.0.0.1) 1117 IPFIX Options Template Record: 1119 0 1 2 3 1120 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1121 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1122 | Set ID = 3 | Length = 26 | 1123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1124 | Template ID = 262 | Field Count = 4 | 1125 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1126 | Scope Field Count = 1 |0| selectionSequenceId = 301 | 1127 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1128 | Scope 1 Length = 4 |0| ingressInterface = 10 | 1129 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1130 | Field Length = 4 |0| selectorId = 300 | 1131 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1132 | Field Length = 4 |0| selectorId = 300 | 1133 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1134 | Field Length = 4 | 1135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1137 The associated IPFIX Data Record: 1139 0 1 2 3 1140 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1142 | Set ID = 262 | Length = 36 | 1143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1144 | 7 | 1145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1146 | 5 | 1147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1148 | 5 | 1149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1150 | 10 | 1151 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1152 | 9 | 1153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1154 | 5 | 1155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1156 | 10 | 1157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1158 | 5 | 1159 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1161 Figure G: Example of a Selection Sequence Report Interpretation 1163 Notes: 1164 * There are two Records here in the same Data Set. Each record 1165 defines a different Selection Sequence. 1166 * If, for example, a different Selection Sequence is composed of 1167 three Selectors then a different Options Template with three 1168 selectorId Information Elements (instead of two) must be used. 1170 6.5.2 Selector Report Interpretation 1172 An IPFIX Data Record, defined by an Option Template Record, MUST be 1173 used to send the configuration details of every Selector in use. The 1174 Option Template Record MUST contain the selectorId Information 1175 Element as the Scope field and the SelectorAlgorithm Information 1176 Element followed by some specific configuration parameters: 1178 Scope: selectorId 1179 Non-scope: selectorAlgorithm 1180 algorithm specific Information Elements 1182 The algorithm specific Information Elements are specified in the 1183 following subsections, depending on the selection method represented 1184 by the value of the selectorAlgorithm. 1186 6.5.2.1 Systematic Count-Based Sampling 1188 In systematic count-based Sampling, the start and stop triggers for 1189 the Sampling interval are defined in accordance with the spatial 1190 packet position (packet count) [PSAMP-TECH]. 1192 The REQUIRED algorithm specific Information Elements in the case of 1193 systematic count-based Sampling are: 1195 samplingPacketInterval: number of packets selected in a row 1196 samplingPacketSpace: number of packets between selections 1198 Example of a simple 1 out-of 10 systematic count-based Selector 1199 definition, where the samplingPacketInterval is 1 and the 1200 samplingPacketSpace is 9. 1202 IPFIX Options Template Record: 1204 0 1 2 3 1205 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1206 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1207 | Set ID = 3 | Length = 26 | 1208 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1209 | Template ID = 263 | Field Count = 4 | 1210 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1211 | Scope Field Count = 1 |0| selectorId = 302 | 1212 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1213 | Scope 1 Length = 4 |0| selectorAlgorithm = 304 | 1214 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1215 | Field Length = 1 |0|samplingPacketInterval = 305 | 1216 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1217 | Field Length = 1 |0| samplingPacketSpace = 306 | 1218 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1219 | Field Length = 1 | 1220 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1222 Associated IPFIX Data Record: 1224 0 1 2 3 1225 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1226 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1227 | Set ID = 263 | Length = 11 | 1228 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1229 | 15 | 1230 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1231 | 1 | 1 | 9 | 1232 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1234 Figure H: Example of the Selector Report Interpretation, 1235 For Systematic Count-Based Sampling 1237 Notes: 1238 * A selectorAlgorithm value of 1 represents systematic count-based 1239 Sampling. 1240 * samplingPacketInterval and samplingPacketSpace are of type 1241 unsigned32 but are compressed down to one octet here, as allowed by 1242 the IPFIX protocol specifications [IPFIX-PROTO]. 1244 6.5.2.2 Systematic Time-Based Sampling 1246 In systematic time-based Sampling, the start and stop triggers are 1247 used to define the Sampling intervals [PSAMP-TECH]. The REQUIRED 1248 algorithm specific Information Elements in the case of systematic 1249 time-based Sampling are: 1251 samplingTimeInterval: time (in us) when packets are selected 1252 samplingTimeSpace: time (in us) between selections 1254 Example of a 100 us out-of 1000 us systematic time-based Selector 1255 definition, where the samplingTimeInterval is 100 and the 1256 samplingTimeSpace is 900 1258 IPFIX Options Template Record: 1260 0 1 2 3 1261 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1262 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1263 | Set ID = 3 | Length = 26 | 1264 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1265 | Template ID = 264 | Field Count = 4 | 1266 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1267 | Scope Field Count = 1 |0| selectorId = 302 | 1268 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1269 | Scope 1 Length = 4 |0| selectorAlgorithm = 304 | 1270 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1271 | Field Length = 1 |0| samplingTimeInterval = 307 | 1272 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1273 | Field Length = 1 |0| samplingTimeSpace = 308 | 1274 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1275 | Field Length = 2 | 1276 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1278 Associated IPFIX Data Record: 1280 0 1 2 3 1281 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1282 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1283 | Set ID = 264 | Length = 12 | 1284 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1285 | 16 | 1286 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1287 | 2 | 100 | 900 | 1288 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1290 Figure I: Example of the Selector Report Interpretation, 1291 For Systematic Time-Based Sampling 1293 Notes: 1294 * A selectorAlgorithm value of 2 represents systematic time-based 1295 Sampling. 1296 * samplingTimeInterval and samplingTimeSpace are of type unsigned32 1297 but are compressed down here. 1299 6.5.2.3 Random n-out-of-N Sampling 1301 In random n-out-of-N Sampling, n elements are selected out of the 1302 parent population that consists of N elements [PSAMP-TECH]. The 1303 REQUIRED algorithm specific Information Elements in case of random n- 1304 out-of-N Sampling are: 1306 samplingSize: number of packets selected 1307 samplingPopulation: number of packets in selection population 1309 Example of a 1 out-of 10 random n-out-of-N Sampling Selector: 1311 IPFIX Options Template Record: 1313 0 1 2 3 1314 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1315 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1316 | Set ID = 3 | Length = 26 | 1317 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1318 | Template ID = 265 | Field Count = 4 | 1319 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1320 | Scope Field Count = 1 |0| selectorId = 302 | 1321 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1322 | Scope 1 Length = 4 |0| selectorAlgorithm = 304 | 1323 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1324 | Field Length = 1 |0| samplingSize = 309 | 1325 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1326 | Field Length = 1 |0| samplingPopulation = 310 | 1327 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1328 | Field Length = 1 | 1329 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1331 Associated IPFIX Data Record: 1333 0 1 2 3 1334 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1335 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1336 | Set ID = 265 | Length = 11 | 1337 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1338 | 17 | 1339 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1340 | 3 | 1 | 10 | 1341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1343 Figure J: Example of the Selector Report Interpretation, 1344 For Random n-out-of-N Sampling 1346 Notes: 1347 * A selectorAlgorithm value of 3 represents Random n-out-of-N 1348 Sampling. 1349 * samplingSize and samplingPopulation are of type unsigned32 but are 1350 compressed down to one octet here. 1352 6.5.2.4 Uniform Probabilistic Sampling 1354 In uniform probabilistic Sampling, each element has the same 1355 probability p of being selected from the parent population [PSAMP- 1356 TECH]. The algorithm specific Information Element in case of uniform 1357 probabilistic Sampling is: 1359 samplingProbablility: a floating point number for the Sampling 1360 probability. 1362 Example of a 15% uniform probability Sampling Selector: 1364 IPFIX Options Template Record: 1366 0 1 2 3 1367 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1368 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1369 | Set ID = 3 | Length = 22 | 1370 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1371 | Template ID = 271 | Field Count = 3 | 1372 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1373 | Scope Field Count = 1 |0| selectorId = 302 | 1374 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1375 | Field Length = 4 |0| selectorAlgorithm = 304 | 1376 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1377 | Field Length = 1 |0| samplingProbabilility = 311 | 1378 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1379 | Field Length = 4 | 1380 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1382 Associated IPFIX Data Record: 1384 0 1 2 3 1385 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1386 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1387 | Set ID = 271 | Length = 11 | 1388 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1389 | 20 | 1390 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1391 | 4 | 0.15 | 1392 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1393 | | 1394 +-+-+-+-+-+-+-+-+ 1396 Figure K: Example of the Selector Report Interpretation, 1397 For Uniform Probabilistic Sampling 1399 Notes: 1400 * A selectorAlgorithm value of 4 represents Uniform Probabilistic 1401 Sampling. 1402 * samplingProbablility is of type float64 but is compressed down to a 1403 float32 here. 1405 6.5.2.5 Property Match Filtering 1407 This classification includes match(es) on field(s) within a packet 1408 and/or on properties of the router state. With this method, a packet 1409 is selected if a specific field in the packet equals a predefined 1410 value. 1412 The algorithm specific Information Elements defining configuration 1413 parameters for property match filtering are taken from the full range 1414 of available Information Elements. 1416 When multiple different Information Elements are defined, the filter 1417 acts as a logical AND. Note that the logical OR is not covered by 1418 these PSAMP specifications. The property match Filtering Options 1419 Template Record MUST NOT have multiple identical Information 1420 Elements. The result of the filter is independent from the order of 1421 the Information Elements in the Option Template Record, but the order 1422 may be important for implementation purposes, as the first filter 1423 will have to work at a higher rate. In any case, an implementation 1424 is not constrained to respect the filter ordering as long as the 1425 result is the same, and it may even implement the composite Filtering 1426 in Filtering in one single step. 1428 Since encryption alters the meaning of encrypted fields, when the 1429 Property Match Filtering classification is based on the encrypted 1430 field(s) in the packet, it MUST be able to recognize that the 1431 field(s) are not available and MUST NOT select those packets. 1432 Even if they are ignored, the encrypted packets MUST be accounted for 1433 in the Selector packetsObserved Information Element [PSAMP-INFO], 1434 part of the Selection Sequence Statistics Report Interpretation. 1436 Example of a match based filter Selector, whose rules are: 1437 IPv4 Source Address = 10.0.0.1 1438 IPv4 Next-Hop Address = 10.0.1.1 1440 IPFIX Options Template Record: 1442 0 1 2 3 1443 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1444 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1445 | Set ID = 3 | Length = 26 | 1446 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1447 | Template ID = 266 | Field Count = 4 | 1448 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1449 | Scope Field Count = 1 |0| selectorId = 302 | 1450 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1451 | Scope 1 Length = 4 |0| selectorAlgorithm = 304 | 1452 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1453 | Field Length = 1 |0| sourceIPv4Address = 8 | 1454 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1455 | Field Length = 4 |0| ipNextHopIPv4Address = 15 | 1456 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1457 | Field Length = 4 | 1458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1460 Associated IPFIX Data Record: 1462 0 1 2 3 1463 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1464 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1465 | Set ID = 266 | Length = 11 | 1466 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1467 | 21 | 1468 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1469 | 5 | 10.0.0 ... | 1470 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1471 | ... .1 | 10.0.1 ... | 1472 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1473 | ... .1 | 1474 +-+-+-+-+-+-+-+-+ 1476 Figure L: Example of the Selector Report Interpretation, 1477 For match based and router state Filtering 1479 Notes: 1480 * A selectorAlgorithm value of 5 represents property match Filtering. 1482 * In this filter there is a mix of information from the packet and 1483 information from the router. 1485 6.5.2.6 Hash-Based Filtering 1487 In hash based selection a hash function is run on IPv4 traffic 1488 the following fields MUST be used as input to that hash function: 1489 - IP identification field 1490 - Flags field 1491 - Fragment offset 1492 - Source IP address 1493 - Destination IP address 1494 - A number of bytes from the IP payload. The number of bytes and 1495 starting offset MUST be configurable if the hash function supports 1496 it. 1498 For the bytes taken from the IP payload, IPSX has a fixed offset 1499 of 0 bytes and a fixed size of 8 bytes. The number and offset of 1500 payload bytes in the BOB function MUST be configurable. If any 1501 of the configured set of bytes from the IP payload are unavailable 1502 then 0 MUST be used, which may result in a different value than 1503 if the hash function is run on a subset of the input. 1505 The minimum configuration ranges MUST be as follows: 1506 Number of bytes: from 8 to 32 1507 Offset: from 0 to 64 1509 If the selected payload bytes are not available and the hash function 1510 can take a variable sized input then the hash function MUST be run 1511 with the information which is available and a shorter size. Passing 1512 0 as a substitute for missing payload bytes is only acceptable if 1513 the hash function takes a fixed size as is the case with IPSX. 1515 If the hash function can take an initialization value then this 1516 value MUST be configurable. 1518 A hash-based selection function MAY be configurable as a digest 1519 function. Any selection process which is configured as a digest 1520 function MUST have the output value included in the basic packet 1521 report for any selected packet. 1523 Each hash function used as a hash-based selector requires its own 1524 value for the selectorAlgorithm. Currently we have BOB (6), IPSX (7) 1525 and CRC (8) defined and any MAY be used for either Filtering 1526 or creating a Packet Digest. Only BOB is recommended though and 1527 SHOULD be used. 1529 The REQUIRED algorithm specific Information Elements in case of hash 1530 based selection are: 1532 hashIPPayloadOffset - The payload offset used by a hash based 1533 Selector 1534 hashIPPayloadSize - The payload size used by a hash based 1535 Selector 1536 hashOutputRangeMin - One or more values for the beginning of 1537 each potential output range. 1538 hashOutputRangeMax - One or more values for the end of each 1539 potential output range. 1540 hashSelectedRangeMin - One or more values for the beginning of 1541 each selected range. 1542 hashSelectedRangeMax - One or more values for the end of each 1543 selected range. 1544 hashDigestOutput - A boolean value, TRUE if the output from 1545 this selector has been configured to be 1546 included in the packet report as a packet 1547 digest. 1549 NOTE: If more than one selection or output range needs to be sent 1550 then the minimum and maximum elements may be repeated as needed. 1551 These MUST make one or more non-overlapping ranges. The elements 1552 SHOULD be sent as pairs of minimum and maximum in ascending order, 1553 however if they are sent out of order then there will only be one 1554 way to interpret the ranges to produce a non-overlapping range and 1555 the Collecting Process MUST be prepared to accept and decode this. 1557 The following algorithm specific Information Element MAY be sent, 1558 but is optional for security considerations: 1559 hashInitialiserValue - The initialiser value to the hash function. 1561 Since encryption alters the meaning of encrypted fields, when the 1562 Hash-Based Filtering classification is based on the encrypted 1563 field(s) in the packet, it MUST be able to recognize that the 1564 field(s) are not available and MUST NOT select those packets select 1565 those packets. Even if they are ignored, the encrypted packets MUST 1566 be accounted in the Selector packetsObserved Information Element 1567 [PSAMP-INFO], part of the Selection Sequence Statistics Report 1568 Interpretation. 1570 Example of a hash based filter Selector, whose configuration is: 1571 Hash Function = BOB 1572 Hash IP Payload Offset = 0 1573 Hash IP Payload Size = 16 1574 Hash Initialiser Value = 0x9A3F9A3F 1575 Hash Output Range = 0 to 0xFFFFFFFF 1576 Hash Selected Range = 100 to 200 and 400 to 500 1578 IPFIX Options Template Record: 1580 0 1 2 3 1581 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1582 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1583 | Set ID = 3 | Length = 50 | 1584 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1585 | Template ID = 269 | Field Count = 8 | 1586 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1587 | Scope Field Count = 1 |0| selectorId = 300 | 1588 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1589 | Scope 1 Length = 4 |0| selectorAlgorithm = 302 | 1590 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1591 | Field Length = 1 |0| hashIPpayloadOffset = 327 | 1592 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1593 | Field Length = 4 |0| hashIPpayloadSize = 328 | 1594 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1595 | Field Length = 4 |0| hashInitialiserValue = 329 | 1596 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1597 | Field Length = 4 |0| hashOutputRangeMin = 330 | 1598 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1599 | Field Length = 4 |0| hashOutputRangeMax = 331 | 1600 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1601 | Field Length = 4 |0| hashSeletionRangeMin = 332 | 1602 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1603 | Field Length = 4 |0| hashSeletionRangeMax = 333 | 1604 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1605 | Field Length = 4 |0| hashSeletionRangeMin = 332 | 1606 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1607 | Field Length = 4 |0| hashSeletionRangeMax = 333 | 1608 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1609 | Field Length = 4 | 1610 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1612 Associated IPFIX Data Record: 1614 0 1 2 3 1615 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1616 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1617 | Set ID = 266 | Length = 45 | 1618 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1619 | 22 | 1620 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1621 | 6 | ... | 1622 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1623 | ... 0 | ... | 1624 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1625 | ... 16 | 0x9A3F9A ... | 1626 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1627 | ... 3F | ... | 1628 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1629 | ... 0 | 0xFFFFFF ... | 1630 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1631 | ... FF | ... 100 | 1632 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1633 | ... | ... 200 | 1634 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1635 | ... | ... 400 | 1636 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1637 | ... | ... 500 | 1638 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1639 | ... | 1640 +-+-+-+-+-+-+-+-+ 1642 Figure M: Example of the Selector Report Interpretation, 1643 for Hash Based Filtering 1645 Notes: 1646 * A selectorAlgorithm value of 6 represents hash-based Filtering 1647 using the BOB algorithm. 1649 6.5.2.7 Other Selection Methods 1651 Some potential new selection methods MAY be added. Some of the new 1652 selection methods, such as non-uniform probabilistic Sampling and 1653 flow state dependent Sampling, are described in [PSAMP-TECH], with 1654 further references. 1656 Each new selection method MUST be assigned a unique value for the 1657 selectorAlgorithm Information Element. Its configuration 1658 parameter(s), along with the way to report it/them with an Options 1659 Template, MUST be clearly specified. 1661 6.5.3 Selection Sequence Statistics Report Interpretation 1663 A Selector MAY be used in multiple Selection Sequences. However, 1664 each use of a Selector must be independent, so each separate logical 1665 instance of a Selector MUST maintain its own individual Selection 1666 State and statistics. 1668 The Selection Sequence Statistics Report Interpretation MUST include 1669 the number of observed packets (Population Size) and the number of 1670 packets selected (Sample Size) by each instance of its Primitive 1671 Selectors. 1673 Within a Selection Sequence composed of several Primitive Selectors, 1674 the number of packets selected for one Selector is equal to the 1675 number of packets seen by the next Selector. The order of the 1676 Selectors in the Selection Sequence Statistics Report Interpretation 1677 MUST match the order of the Selectors in the Selection Sequence. 1679 If the full set of statistics is not sent part of the Basic Packet 1680 Reports, the PSAMP Device MUST export a Selection Sequence Statistics 1681 Report Interpretation for every Selection Sequence, using an Options 1682 Template containing the following Information Elements: 1684 Scope: selectionSequenceId 1685 Non-scope: packetsObserved 1686 packetsSelected (first) 1687 ... 1688 packetsSelected (last) 1690 The packetsObserved Information Element [PSAMP-INFO] MUST contain the 1691 number of packets seen at the Observation Point, and as a consequence 1692 passed to the first Selector in the Selection Sequence. The 1693 packetsSelected Information Element [PSAMP-INFO] contains the number 1694 of packets selected by a Selector in the Selection Sequence. 1696 The Attained Selection Fraction for the Selection Sequence is 1697 calculated by dividing the number of observed packets 1698 (packetsObserved Information Element) by the value of selected 1699 packets (packetsSelected Information Element) for the last Selector. 1700 The Attained Selection Fraction can be calculated for each Selector 1701 by dividing the number of packets selected for that Selector by the 1702 value for the previous Selector. 1704 The statistics for the whole sequence SHOULD be taken at a single 1705 logical point in time; the input value for a Selector MUST equal the 1706 output value of the previous selector. 1708 The Selection Sequence Statistics Report Interpretation MUST be 1709 exported periodically. 1711 Example of Selection Sequence Statistics Report Interpretation: 1713 Selection Sequence 7 (Filter->Sampling): 1715 Observed 100 (observationPointId 1, Interface 5) 1716 Selected 50 (selectorId 5, match IPV4SourceAddress 10.0.0.1) 1717 Selected 6 (selectorId 10, Sampler: Random one out-of ten) 1719 Selection Sequence 9 (Sampling->Filtering): 1721 Observed 100 (observationPointId 1, Interface 5) 1722 Selected 10 (selectorId 10, Sampler: Random one out-of ten) 1723 Selected 3 (selectorId 5, match IPV4SourceAddress 10.0.0.1) 1725 IPFIX Options Template Record: 1727 0 1 2 3 1728 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1729 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1730 | Set ID = 3 | Length = 26 | 1731 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1732 | Template ID = 267 | Field Count = 4 | 1733 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1734 | Scope Field Count = 1 |0| selectionSequenceId = 301 | 1735 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1736 | Scope 1 Length = 4 |0| packetsObserved = 318 | 1737 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1738 | Field Length = 4 |0| packetsSelected = 319 | 1739 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1740 | Field Length = 4 |0| packetsSelected = 319 | 1741 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1742 | Field Length = 4 | 1743 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1745 The associated IPFIX Data Record: 1747 0 1 2 3 1748 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1749 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1750 | Set ID = 267 | Length = 36 | 1751 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1752 | 7 | 1753 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1754 | 100 | 1755 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1756 | 50 | 1757 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1758 | 6 | 1759 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1760 | 9 | 1761 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1762 | 100 | 1763 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1764 | 10 | 1765 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1766 | 3 | 1767 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1769 Figure N: Example of the Selection Sequence Statistics Report 1770 Interpretation 1772 Notes: 1773 * The Attained Sampling Fractions for Selection Sequence 7 are: 1774 Filter 10: 50/100 1775 Sampler 5: 6/50 1776 Number of samples selected: 6 1778 * The Attained Sampling Fractions for Selection Sequence 9 are: 1779 Sampler 5: 10/100 1780 Filter 10: 3/10 1781 Number of samples selected: 3 1783 6.5.4 Accuracy Report Interpretation 1784 In order for the Collecting Process to determine the inherent 1785 accuracy of the reported quantities (for example timestamps), the 1786 PSAMP Device SHOULD send an Accuracy Report Interpretation. 1788 The Accuracy Report Interpretation MUST be exported by an Option 1789 Template Record with a scope that contains the Information Element 1790 for which the accuracy is required. In case the accuracy is specific 1791 to a template, a second scope containing the templateId value MUST be 1792 added to the Option Template Record. The accuracy SHOULD be reported 1793 either with the fixedError Information Element [PSAMP-INFO], or with 1794 the relativeError Information Element [PSAMP-INFO]. 1796 Accuracy Report Interpretation using the fixedError Information 1797 Element: 1798 Scope: informationElementId 1799 Non-scope: fixedError 1801 Accuracy Report Interpretation using the fixedError Information 1802 Element and a double scope: 1803 Scope: templateId 1804 informationElementId 1805 Non-scope: fixedError 1807 Accuracy Report Interpretation using the relativeError Information 1808 Element: 1809 Scope: informationElementId 1810 Non-scope: relativeError 1812 Accuracy Report Interpretation using the relativeError Information 1813 Element and a double scope: 1814 Scope: templateId 1815 informationElementId 1816 Non-scope: relativeError 1818 For example, the accuracy of an Information Element whose Abstract 1819 Data Type is dateTimeMilliSeconds [IPFIX-INFO], for which the unit is 1820 specified as milliseconds, can be specified with the fixedError 1821 Information Element with the milliseconds units. In this case, the 1822 error interval is the Information Element value +/- the value 1823 reported in the fixedError. 1825 For example, the accuracy of an Information Element to estimate the 1826 accuracy of a sampled flow, for which the unit would be specified in 1827 octets, can be specified with the relativeError Information Element 1828 with the octet units. In this case, the error interval is the 1829 Information Element value +/- the value reported in the relativeError 1830 time the reported Information Element value. 1832 Alternatively to reporting either the fixedError Information Element 1833 or the relativeError Information Element in the Accuracy Report 1834 Interpretation, both Information Elements MAY be present. This 1835 scenario could help in more complex situations where the system clock 1836 drifts, on the top of having its own accuracy, during the duration of 1837 a measurement. 1839 If the accuracy of a reported quantity changes on the Metering 1840 Process, a new Accuracy Report Interpretation MUST be generated. The 1841 Collecting Process MUST keep the accuracy of the latest Accuracy 1842 Report Interpretation. 1844 Example of an Accuracy Report Interpretation using the fixedError 1845 Information Element and a double scope: the timeMicroSeconds 1846 contained in the Template 5 has an accuracy of +/- 2 ms, represented 1847 by the fixedError Information Element. 1848 Scope: templateId = 6 1849 informationElementId = timeMicroSeconds 1850 Non-scope: fixedError = 2 ms 1852 IPFIX Options Template Record: 1854 0 1 2 3 1855 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1856 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1857 | Set ID = 3 | Length = 22 | 1858 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1859 | Template ID = 267 | Field Count = 3 | 1860 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1861 | Scope Field Count = 2 |0| templateId = 145 | 1862 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1863 | Scope 1 Length = 2 |0| InformationElementId = 303 | 1864 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1865 | Scope 2 Length = 2 |0| fixedError = 320 | 1866 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1867 | Field Length = 4 | 1868 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1870 The associated IPFIX Data Record: 1872 0 1 2 3 1873 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1874 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1875 | Set ID = 267 | Length = 12 | 1876 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1877 | 5 | 324 | 1878 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1879 | 2 (encoded as a float32) | 1880 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1882 Figure O: Example of the Selection Sequence Statistics Report 1883 Interpretation 1885 Notes: 1886 * fixedError is of type float64 but is compressed down to a float32 1887 here. 1889 The second example displays an Accuracy Report Interpretation using 1890 the relativeError Information Element and a single scope: the 1891 timeMicroSeconds has an error of 5 percents, represented by the 1892 proportionalAccuracy Information Element. 1893 Scope: informationElementId = timeMicroSeconds 1894 Non-scope: relativeError = 0.05 1896 IPFIX Options Template Record: 1898 0 1 2 3 1899 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1900 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1901 | Set ID = 3 | Length = 18 | 1902 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1903 | Template ID = 268 | Field Count = 2 | 1904 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1905 | Scope Field Count = 1 |0| InformationElementId = 303 | 1906 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1907 | Scope 1 Length = 2 |0| relativeError= 321 | 1908 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1909 | Field Length = 4 | 1910 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1912 The associated IPFIX Data Record: 1914 0 1 2 3 1915 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1917 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1918 | Set ID = 267 | Length = 10 | 1919 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1920 | 324 | 0.05 ... | 1921 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1922 | ...(encoded as a float32) | 1923 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1925 Figure P: Example of the Selection Sequence Statistics Report 1926 Interpretation 1928 Notes: 1929 * relativeError is of type float64 but is compressed down to a 1930 float32 here. 1932 7. 1933 Security Considerations 1935 As IPFIX has been selected as the PSAMP export protocol and as the 1936 PSAMP security requirements are not stricter than the IPFIX security 1937 requirements, refer to the IPFIX export protocol [IPFIX-PROTO] for 1938 the security considerations. 1940 In the basic Packet Report, a PSAMP Device exports some number of 1941 contiguous bytes from the start of the packet, including the packet 1942 header (which includes link layer, network layer and other 1943 encapsulation headers) and some subsequent bytes of the packet 1944 payload. The PSAMP Device SHOULD NOT export the full payload of 1945 conversations, as this would mean wiretapping [RFC2804]. 1947 8. 1948 IANA Considerations 1950 The PSAMP Protocol, as set out in this document, has two sets of 1951 assigned numbers. Considerations for assigning them are discussed in 1952 this section, using the example policies as set out in the 1953 "Guidelines for IANA Considerations" document IANA-RFC [RFC2434]. 1955 8.1 1956 IPFIX Related Considerations 1958 As the PSAMP protocol uses the IPFIX protocol, refer to the IANA 1959 considerations section in [IPFIX-PROTO] for the assignments of 1960 numbers used in the protocol and for the numbers used in the 1961 information model. 1963 8.2 1964 PSAMP Related Considerations 1966 Each new selection method MUST be assigned a unique value for the 1967 selectorAlgorithm Information Element. Its configuration 1968 parameter(s), along with the way to report it/them with an Options 1969 Template, MUST be clearly specified. 1971 New assignments for the PSAMP selection method will be administered 1972 by IANA, on a First Come First Served basis [RFC 2434], subject to 1973 Expert Review [RFC 2434], i.e. review by one of a group of experts 1974 designated by an IETF Operations and Management Area Director. The 1975 group of experts must double check the Information Elements 1976 definitions with already defined Information Elements for 1977 completeness, accuracy and redundancy. Those experts will initially 1978 be drawn from the Working Group Chairs and document editors of the 1979 IPFIX and PSAMP Working Groups. 1981 9. 1982 References 1984 9.1 1985 Normative References 1987 [RFC1771] Y. Rekhter, T. Li, "A Border Gateway Protocol 4 (BGP-4)", 1988 RFC 1771, March 1995 1990 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1991 Requirement Levels", BCP 14, RFC 2119, March 1997 1993 [RFC2434] H. Alvestrand, T. Narten, "Guidelines for Writing an IANA 1994 Considerations Section in RFCs", RFC 2434, October 1998 1996 [PSAMP-TECH] T. Zseby, M. Molina, N. Duffield, S. Niccolini, F. 1997 Raspall, "Sampling and Filtering Techniques for IP Packet Selection" 1998 draft-ietf-psamp-sample-tech-07.txt 2000 [PSAMP-INFO] T. Dietz, F. Dressler, G. Carle, B. Claise, "Information 2001 Model for Packet Sampling Exports", draft-ietf-psamp-info-03.txt 2003 [IPFIX-ARCH] G. Sadasivan, N. Brownlee, B. Claise, J. Quittek, 2004 "Architecture Model for IP Flow Information Export" draft-ietf-ipfix- 2005 arch-09.txt" 2007 [IPFIX-INFO] J. Quittek, S. Bryant, B. Claise, J. Meyer, "Information 2008 Model for IP Flow Information Export" draft-ietf-ipfix-info-11.txt 2010 [IPFIX-PROTO] B. Claise (Editor) "IPFIX Protocol Specifications", 2011 draft-ietf-ipfix-protocol-19.txt 2013 9.2 2014 Informative References 2016 [PSAMP-MIB] T. Dietz, B. Claise "Definitions of Managed Objects for 2017 Packet Sampling" draft-ietf-psamp-mib-05.txt 2019 [PSAMP-FMWK] D. Chiou, B. Claise, N. Duffield, A. Greenberg, M. 2020 Grossglauser, P. Marimuthu, J. Rexford, G. Sadasivan, "A Framework 2021 for Passive Packet Measurement" draft-ietf-psamp-framework-10.txt 2023 [RFC3917] J. Quittek, T. Zseby, B. Claise, S. Zander, "Requirements 2024 for IP Flow Information Export", RFC 3917, October 2004 2026 10. 2027 Acknowledgments 2029 The authors would like to thank the PSAMP group, especially Paul 2030 Aitken for fruitful discussions and for proofreading the document 2031 several times. 2033 Authors' Addresses 2035 Benoit Claise 2036 Cisco Systems 2037 De Kleetlaan 6a b1 2038 1831 Diegem 2039 Belgium 2040 Phone: +32 2 704 5622 2041 E-mail: bclaise@cisco.com 2043 Juergen Quittek 2044 NEC Europe Ltd. 2045 Network Laboratories 2046 Kurfuersten-Anlage 36 2047 69115 Heidelberg 2048 Germany 2049 Phone: +49 6221 90511-15 2050 Email: quittek@ccrle.nec.de 2052 Andrew Johnson 2053 Cisco Systems 2054 96 Commercial Quay 2055 Edinburgh EH6 6LX 2056 Scotland 2057 Phone: +44 131 561 3641 2058 Email: andrjohn@cisco.com 2060 Intellectual Property Statement 2062 The IETF takes no position regarding the validity or scope of any 2063 Intellectual Property Rights or other rights that might be claimed to 2064 pertain to the implementation or use of the technology described in 2065 this document or the extent to which any license under such rights 2066 might or might not be available; nor does it represent that it has 2067 made any independent effort to identify any such rights. Information 2068 on the procedures with respect to rights in RFC documents can be 2069 found in BCP 78 and BCP 79. 2071 Copies of IPR disclosures made to the IETF Secretariat and any 2072 assurances of licenses to be made available, or the result of an 2073 attempt made to obtain a general license or permission for the use of 2074 such proprietary rights by implementers or users of this 2075 specification can be obtained from the IETF on-line IPR repository at 2076 http://www.ietf.org/ipr. 2078 The IETF invites any interested party to bring to its attention any 2079 copyrights, patents or patent applications, or other proprietary 2080 rights that may cover technology that may be required to implement 2081 this standard. Please address the information to the IETF at ietf- 2082 ipr@ietf.org. 2084 The IETF has been notified of intellectual property rights claimed in 2085 regard to some or all of the specification contained in this 2086 document. For more information consult the online list of claimed 2087 rights. 2089 Disclaimer of Validity 2091 This document and the information contained herein are provided on an 2092 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2093 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 2094 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 2095 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 2096 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2097 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2099 Copyright Statement 2101 Copyright (C) The Internet Society (2006). This document is subject 2102 to the rights, licenses and restrictions contained in BCP 78, and 2103 except as set forth therein, the authors retain all their rights. 2105 Acknowledgment 2107 Funding for the RFC Editor function is currently provided by the 2108 Internet Society