Network Working Group                                      Youval Nachum
Internet Draft                              Net Optics, an Ixia Company
Intended status: Proposed Standard                          Linda Dunbar
Expires: July 2014                                                Huawei
                                                             Tal Mizrahi
                                                                 Marvell
                                                        January 23, 2014


                     Network Smart Tapping (SmarTap)
                        draft-nachum-smartap-00.txt


Abstract

   Tapping technologies provide traffic visibility to network analysis
   tools such as monitors, traffic recorders and security systems.
   Current tapping architectures and protocols are vendor specific and
   adapted to legacy networks.

   Emerging networks such as large scale datacenters for cloud
   applications and mobile backhaul networks demand accurate and fast
   network traffic visibility. These networks are built on Layer 2
   technologies and infrastructure to support virtual machine mobility
   and a growing number of devices, including mobile users.

   The SmarTap architecture is designed to support emerging network
   requirements, allowing network analysis tools to gain full
   visibility of network traffic. SmarTap monitors each link and each
   component of the network. It captures packets, classifies them and
   sends them to tools together with relevant packet attributes.
   SmarTap can provide attributes such as flow-ID, tapping-location,
   tapping-time and statistics.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with
   the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 23, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. SmarTap Motivation
      1.2. Terms and Abbreviations Used in this Document
      1.3. Existing Network Tapping Architecture
      1.4. Network Analysis Tools Functionality
      1.5. Emerging Networks
         1.5.1. Emerging Networks Characteristics
      1.6. Network Visibility Requirements
   2. SmarTap Description
      2.1. SmarTap Functionality
      2.2. SmarTap Configuration
         2.2.1. Tapping Location
         2.2.2. Tapping Time Stamping
         2.2.3. Flow Digest
         2.2.4. Packet Format
   3. SmarTap Deployment Options
      3.1. SmarTap with Network Analysis Tools
      3.2. SmarTap with Layer-3 Networks
   4. Security Considerations
   5. IANA Considerations
   6. References
      6.1. Informative References
   7. Acknowledgments

1. Introduction

   Emerging networks such as large scale datacenters and mobile
   backhauls demand the use of network analysis tools to enable stable
   and secure operation of the network. Network analysis tools such as
   Application Aware Network Performance Monitoring [AA-NPM], Intrusion
   Detection Systems (IDS) and network recorders (for example of
   financial transactions and phone calls) require visibility of the
   raw traffic, its tapping location and its exact tapping time.

   The building blocks of network visibility are network TAPs, SPAN
   ports and Network Packet Brokers (NPBs). A TAP is a device located
   in the network which passes a copy of every packet to the monitoring
   tools. A SPAN port (Switched Port Analyzer) mirrors what comes into
   or goes out of a target port to a sniffer port for monitoring
   purposes. An NPB aggregates the monitored traffic from multiple
   ports to a single port, or load balances the monitored traffic
   across multiple tools.

   SmarTap, introduced in this memo, defines a protocol and an
   architecture that standardize the way network TAPs, SPAN ports and
   NPBs interact with network analysis tools. SmarTap provides high
   resolution network visibility by capturing raw packets with their
   exact tapping-time, tapping-location and relevant statistics, and
   sends them to the tools in a standard form.

1.1. SmarTap Motivation

   Network analysis tools require full and accurate visibility of the
   traffic that traverses the network. SmarTap standardizes the way
   tapping devices communicate with network analysis tools, specifies
   the information required by the tools and defines its data
   structure.

1.2. Terms and Abbreviations Used in this Document

   AA-NPM: Application Aware Network Performance Monitoring

   IDS: Intrusion Detection System

   NPB: Network Packet Broker

   VM: Virtual Machine

1.3. Existing Network Tapping Architecture

   Common network tapping architectures consist of network TAPs and
   Network Packet Brokers (NPBs). All links that are subject to tapping
   are connected to network TAPs in the following manner. Figure 1
   depicts a link between Router-1 and Router-2 that is subject to
   tapping; the network TAP is connected between Router-1 and Router-2
   as shown.

   *--------------*     *-----*     *--------------*
   |   Router-1   |-----| TAP |-----|   Router-2   |
   *--------------*     *-----*     *--------------*
                           |
                           |
                           |
                       *--------*
                       | AA-NPM |
                       *--------*

                      Figure 1 Tapping Device

   The network TAP is transparent to Router-1 and Router-2 at all
   layers. It relays all packets from Router-1 to Router-2 and vice
   versa without any packet modification.

   The network TAP also supports network high availability. In case of
   TAP failure, the network TAP can be bypassed so that Router-1 is
   directly connected to Router-2. In case of link failure at Router-1
   or Router-2, the network TAP mimics the failure towards the other
   router to enable network fast reroute.

   The network TAP is also connected to the network analysis tools, for
   example an Application Aware Network Performance Monitoring tool
   (AA-NPM) as shown in Figure 1. The network TAP can either redirect
   the packets to the network analysis tools or duplicate them, i.e.,
   forward the original packet to the next router and transmit the
   copy to the tool.

   *--------------*     *-----*     *--------------*
   |   Router-1   |-----| TAP |-----|   Router-2   |
   *--------------*     *-----*     *--------------*
                           |
                           |
                           |
                       *--------*
                       |  NPB   |
                       *--------*
                        |      |
                        |      |
                        |      |
               *---------*   *---------*
               | AA-NPM-1|   | AA-NPM-2|
               *---------*   *---------*

            Figure 2 Tapping Device with NPB (regeneration).

   Networks that monitor traffic with multiple tools, or that monitor
   multiple links, use Network Packet Brokers to aggregate or
   regenerate the tapped traffic. Figure 2 depicts an NPB that
   duplicates all packets received from the network TAP to AA-NPM-1
   and AA-NPM-2. Figure 3 depicts an NPB that aggregates traffic,
   i.e., sends all packets received from TAP-1 and TAP-2 to the
   AA-NPM.

         *-----*     *-----*
         |TAP-1|     |TAP-2|
         *-----*     *-----*
            |           |
            |           |
            |           |
          *---------------*
          |      NPB      |
          *---------------*
                  |
                  |
                  |
              *--------*
              | AA-NPM |
              *--------*

            Figure 3 Tapping Device with NPB (aggregation).

1.4. Network Analysis Tools Functionality

   Network analysis tools analyze tapped packets according to the
   packet fields and accompanying data such as:

   - Tapping location
   - Tapping time
   - Packet transmitter and receiver location
   - Packet next hop and previous hop
   - Flow-ID
   - Packet statistics

   Network analysis tools in legacy networks deduce the tapping
   location of a packet from the port on which it was received. In
   networks where the TAP is directly connected to the tool, or where
   an NPB is used with packet redirection, the receiving port at the
   tool indicates the tapping location. Networks using an aggregation
   NPB mark the tapped packet at the NPB with a vendor specific
   indication of the port on which it was received.
   Network analysis tools in Layer 3 networks deduce the next and
   previous hop of a tapped packet from its source and destination MAC
   addresses: the source MAC address identifies the previous hop router
   and the destination MAC address identifies the next hop router.

   In Layer 3 networks the source and destination IP addresses of the
   tapped packet identify the location of the packet transmitter and
   receiver.

   Network analysis tools in legacy networks take the tapping time of a
   tapped packet to be the time at which the packet is analyzed by the
   tool or received by the NPB.

1.5. Emerging Networks

   SmarTap is designed to support emerging networks such as cloud
   computing, mobile backhaul, large scale datacenters and financial
   computing. It also has significant advantages in legacy Layer 3
   networks.

1.5.1. Emerging Networks Characteristics

   Emerging networks such as mobile backhauls and large scale
   datacenters support mobile entities such as virtual machines and
   cellular devices. Mobile entities move through the network while
   their connections remain stable at all networking layers.

   Emerging network traffic is mostly Layer 2 based to allow efficient
   mobility, while timing and performance requirements become more
   critical and demand higher accuracy.

1.6. Network Visibility Requirements

   Some characteristics of emerging networks conflict with the behavior
   of network TAPs as presented above. Network analysis tools require
   full and accurate visibility of the tapped packet's location, time
   and data.

   In Layer 2 based networks, IP addresses are not location oriented
   and MAC addresses remain unchanged throughout the packet's route.
   Therefore, the location of the sender and the receiver of a tapped
   packet cannot be deduced from its IP addresses, and the previous hop
   and next hop cannot be deduced from its MAC addresses.

   Analysis tools require the exact tapping time of tapped packets. If
   the tapping time is measured by the NPB or by the tool, the time at
   which the tapped packet is received there includes the propagation
   delay from the TAP and is thus not accurate enough.

   Emerging networks produce a tremendous rate of traffic to analyze in
   comparison to the processing resources of typical tools. The common
   way to overcome this gap is to use an NPB to load balance traffic
   between multiple tools. Emerging networks require additional
   measures to overcome the increasing gap.

2. SmarTap Description

2.1. SmarTap Functionality

   SmarTap provides additional functionality beyond existing TAP
   technologies. It taps packets together with their relevant metadata
   and sends them to the tools. Packet metadata includes: timestamp,
   location, related statistics and packet digest. The SmarTap device
   is typically connected to a remote tool, and can send the tapped
   packets with their metadata encapsulated within a tunnel.

   SmarTap supports multiple options to mitigate the traffic load on
   the tools. It can truncate tapped packets to a preconfigured size
   (e.g., 64 or 128 bytes). Tapped packets can be sampled, i.e., sent
   to the tools at a preconfigured ratio or rate. Traffic can be
   monitored by the TAP and sent to the tools conditionally; for
   example, SmarTap can filter the packets that are sent to the tools
   according to predefined filters or rate limits.

2.2. SmarTap Configuration

   SmarTap is a tapping element that is connected to the target tapped
   link in the same manner as a TAP. Figure 4 depicts a target link
   between Switch-1 and Switch-2 that needs to be monitored.
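   The load-mitigation options listed in Section 2.1 (filtering,
   sampling at a preconfigured ratio, rate limiting and truncation)
   combine naturally into one per-packet policy on the tapping device.
   The following Python is an added illustration written for this
   page; it is not code from this draft or from any SmarTap
   implementation. The stage order, the token-bucket rate limiter,
   the names TapPolicy, ipv4_protocol, is_tcp and make_frame, and the
   constructed Ethernet/IPv4 frames with dummy addresses are all
   assumptions made for the example.

```python
import struct


class TapPolicy:
    """Per-packet load mitigation on a tapping device, modelled on the
    options in Section 2.1: filter -> 1:N sampling -> rate limit ->
    truncation.  The stage order and the token-bucket limiter are
    assumptions made for this example, not part of the draft."""

    def __init__(self, match=None, sample_ratio=1, rate_pps=None, truncate=None):
        self.match = match                        # predicate(frame) -> bool, None = tap everything
        self.sample_ratio = max(1, sample_ratio)  # forward 1 of every N matching frames
        self.rate_pps = rate_pps                  # max forwarded packets/second, None = unlimited
        self.truncate = truncate                  # e.g. 64 or 128 bytes, None = full frame
        self._matched = 0                         # frames that passed the filter so far
        self._tokens = float(rate_pps or 0)       # token bucket, refilled from elapsed time
        self._last = None                         # tap clock at the previous rate check

    def process(self, frame, now):
        """Return the frame to forward (possibly truncated), or None to drop it.
        'now' is the tap's local clock in seconds."""
        if self.match is not None and not self.match(frame):
            return None
        self._matched += 1
        if (self._matched - 1) % self.sample_ratio != 0:
            return None                           # not this frame's turn in the 1:N sample
        if self.rate_pps is not None:
            if self._last is not None:
                elapsed = max(0.0, now - self._last)
                self._tokens = min(self.rate_pps, self._tokens + elapsed * self.rate_pps)
            self._last = now
            if self._tokens < 1.0:
                return None                       # over the configured rate limit
            self._tokens -= 1.0
        return frame if self.truncate is None else frame[:self.truncate]


def ipv4_protocol(frame):
    """IPv4 protocol number of an Ethernet II frame, or None if not IPv4 or too short."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return frame[23]          # 14-byte Ethernet header + IPv4 'protocol' field at offset 9


def is_tcp(frame):
    return ipv4_protocol(frame) == 6


def make_frame(ip_proto, total_len=200):
    """Constructed Ethernet II + IPv4 frame with dummy addresses, for the demo only."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len - 14, 0, 0, 64, ip_proto,
                     0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    frame = eth + ip
    return frame + b"\x00" * (total_len - len(frame))


def run_demo():
    """Ten TCP frames and one UDP frame through a TCP-only 1:2 sampler with
    64-byte truncation.  Returns (forwarded count, forwarded lengths, udp result)."""
    policy = TapPolicy(match=is_tcp, sample_ratio=2, truncate=64)
    results = [policy.process(make_frame(6), 0.0) for _ in range(10)]
    forwarded = [f for f in results if f is not None]
    udp = policy.process(make_frame(17), 0.0)   # filtered out: not TCP
    return len(forwarded), [len(f) for f in forwarded], udp


if __name__ == "__main__":
    print(run_demo())
```

   The sampler is deterministic (every Nth matching frame), which keeps
   the tool's view reproducible; the rate limiter is applied after
   sampling so that the configured packets-per-second ceiling bounds
   what actually reaches the tool.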
   The SmarTap is connected to Switch-1 and Switch-2 and functions as a
   regular TAP, i.e., the SmarTap is transparent to Switch-1 and
   Switch-2 and has all TAP capabilities. In addition, the SmarTap taps
   packets from Switch-1 to Switch-2 (and vice versa) and sends them,
   with their metadata, to a preconfigured target port. The target port
   can be any port of the SmarTap; in Figure 4 it is connected to
   Switch-3. In configuration A the tools or the NPB can be connected
   to any network element, switch or router, and receive all the tapped
   packets with their metadata through tunnels. Figure 5 depicts a
   SmarTap that is directly connected to the tool and sends the tapped
   packets with their metadata directly to the tool, without the need
   to encapsulate them in tunnels.

   *--------------*     *---------*     *--------------*
   |   Switch-1   |-----| SmarTap |-----|   Switch-2   |
   *--------------*     *---------*     *--------------*
                             |
                             |
                             |
                      *--------------*
                      |   Switch-3   |
                      *--------------*

                Figure 4 SmarTap Device Configuration A.

   *--------------*     *---------*     *--------------*
   |   Switch-1   |-----| SmarTap |-----|   Switch-2   |
   *--------------*     *---------*     *--------------*
                             |
                             |
                             |
                      *--------------*
                      |    AA-NPM    |
                      *--------------*

                Figure 5 SmarTap Device Configuration B.

2.2.1. Tapping Location

   One of the tapped packet attributes is its tapping location, which
   indicates the link the packet was tapped from. In the simple
   scenario where the SmarTap is connected directly to the tool, the
   tapping location can be deduced from the receiving port. Otherwise,
   the tapping location, if needed, should be inserted in the tapped
   packet's metadata. There are several options for describing the
   tapping location:

   . Global grid references
   . Tap-ID
   . Link-ID
   . Receiving tunnel

2.2.2. Tapping Time Stamping

   There are several options for sending tapped packets with time
   stamping:

   . A tapped packet may be sent to the tools with the tapping time in
     the packet's metadata.
   . A packet may be sent with no packet modification (as it was
     received on the link).
   . The timestamp may be global or local to the network. Time
     synchronization and accuracy are determined by the tools.

2.2.3. Flow Digest

   Tapped packets are sent to the tool with preconfigured statistical
   information embedded in the packet metadata, for example the packet
   rate. Which packets to tap and which statistics are required is
   configured by the monitoring tool. The packet statistics are
   compatible with standards such as sFlow, NetFlow or RMON, and are
   collected and provided by the tapping device.

2.2.4. Packet Format

   The packet format consists of the tapped packet and its metadata. A
   tapped packet may be transmitted to the tool without any
   modification, exactly as it was transmitted on the tapped link. A
   packet can also be truncated to a predefined size, e.g., 64 or 128
   bytes.

   Optionally, a metadata field is added to the packet. Metadata is in
   TLV format: Type, Length, and Value.

   The tunneling protocol used for tapped packets is IP GRE.

   Figure 6 and Figure 7 describe the tapped packet format and an
   example of a tapped packet. The packets are read from left to right.
   *-------------------*
   |   Tapped packet   |
   *-------------------*

   *-------*-------------------*
   | TLV-1 |   Tapped packet   |
   *-------*-------------------*

   *-------*-------*-------------------*
   | TLV-2 | TLV-1 |   Tapped packet   |
   *-------*-------*-------------------*

   *-------*-------*-------*-------------------*
   | TLV-3 | TLV-2 | TLV-1 |   Tapped packet   |
   *-------*-------*-------*-------------------*

   *-------*-------*-------*-------*-------------------*
   |  GRE  | TLV-3 | TLV-2 | TLV-1 |   Tapped packet   |
   *-------*-------*-------*-------*-------------------*

                       Figure 6 Packet Format.

   *-----*----------*---------*-----------*---------------*
   | GRE | Location | Flow-ID | Timestamp | Tapped packet |
   *-----*----------*---------*-----------*---------------*

                       Figure 7 Packet example.

3. SmarTap Deployment Options

                        *-------------------*
                        |                   |
               +--------|   Interconnect    |--------+
               |        |                   |        |
               |        *-------------------*        |
               |                                     |
      *-----------------*                   *----------------*
      |   Edge Device   |                   |  Edge Device   |
      *-----------------*                   *----------------*
               |                                     |
      *-----------------*                        *********
      |      Core       |                        *SmarTap*
      *-----------------*                        *********
          |        |                                 |
      *-------* *----------*                *----------------*
      |  Agg  | | Network  |                |      Core      |
      *-------* | Analysis |                *----------------*
          |     |   Tool   |                    |        |
    *----------* *----------*                   |    *********
    |Hypervisor|                                |    *SmarTap*
    *----------*                                |    *********
          |                                     |        |
      *********                             *-------* *-------*
      *SmarTap*                             * Host  * * Host  *
      *********                             *-------* *-------*
          |
      *--------*
      |Virtual |
      |Machine |
      *--------*

                 Figure 8 SmarTap deployment example.

   SmarTap deployment is tightly connected to the network analysis tool
   and its visibility requirements. SmarTap is applied on each link
   that needs to be tapped, whether it is a physical link or a virtual
   switch on a hypervisor.
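   Figures 6 and 7 in Section 2.2.4 give the wire layout (GRE, then
   metadata TLVs, then the tapped packet) but the draft does not assign
   TLV type codes, field sizes or a GRE protocol type. The following
   Python is an added example for this page, not code from this draft
   or from any SmarTap product: it builds the packet of Figure 7 and
   parses it back on the tool side. The TLV type codes, the 1-byte
   type / 2-byte length TLV header, the end-of-metadata marker, the
   timestamp and statistics value layouts, the function names and the
   0x88B5 GRE protocol type (an IEEE 802 local-experimental EtherType)
   are all assumptions; the GRE header itself follows RFC 2784. The
   parser bounds-checks every TLV length, because the tool receives
   this data over a tunnel and cannot trust the length fields.

```python
import struct

# All type codes, value layouts and the GRE protocol number below are assumptions
# made for this example; draft-nachum-smartap-00 specifies only "TLV" and "IP GRE".
TLV_END = 0          # end-of-metadata marker (assumed): the tapped packet follows it
TLV_LOCATION = 1     # value: UTF-8 Tap-ID or Link-ID
TLV_FLOW_ID = 2      # value: 4-byte unsigned flow identifier
TLV_TIMESTAMP = 3    # value: 8-byte seconds, 4-byte nanoseconds (tapping time)
TLV_STATS = 4        # value: 8-byte packet count, 8-byte byte count (flow digest)

GRE_PROTO_SMARTAP = 0x88B5      # IEEE 802 local-experimental EtherType, assumed here
TLV_HDR = struct.Struct("!BH")  # 1-byte type, 2-byte length (assumed layout)
GRE_HDR = struct.Struct("!HH")  # RFC 2784 base header: flags/version, protocol type


def encode_tlv(tlv_type, value):
    return TLV_HDR.pack(tlv_type, len(value)) + value


def build_tapped_packet(frame, location, flow_id, ts_sec, ts_nsec, stats=None):
    """Assemble GRE | Location | Flow-ID | Timestamp [| Stats] | END | tapped packet.
    'frame' is the tapped packet, already truncated by the tap if so configured."""
    gre = GRE_HDR.pack(0x0000, GRE_PROTO_SMARTAP)   # no C bit, version 0
    meta = encode_tlv(TLV_LOCATION, location.encode("utf-8"))
    meta += encode_tlv(TLV_FLOW_ID, struct.pack("!I", flow_id))
    meta += encode_tlv(TLV_TIMESTAMP, struct.pack("!QI", ts_sec, ts_nsec))
    if stats is not None:
        meta += encode_tlv(TLV_STATS, struct.pack("!QQ", *stats))
    meta += encode_tlv(TLV_END, b"")
    return gre + meta + frame


def parse_tapped_packet(buf):
    """Decode a packet built above into (metadata dict, tapped packet bytes).
    Every length is checked against the buffer: the tool receives this data over
    a tunnel from the network and must not trust the TLV length fields."""
    if len(buf) < GRE_HDR.size:
        raise ValueError("short GRE header")
    flags, proto = GRE_HDR.unpack_from(buf, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off = GRE_HDR.size
    if flags & 0x8000:                           # C bit: checksum + reserved1 follow
        off += 4
    if proto != GRE_PROTO_SMARTAP:
        raise ValueError("not a SmarTap payload: 0x%04x" % proto)
    meta = {}
    while True:
        if off + TLV_HDR.size > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, length = TLV_HDR.unpack_from(buf, off)
        off += TLV_HDR.size
        if off + length > len(buf):
            raise ValueError("TLV length %d exceeds packet" % length)
        value = buf[off:off + length]
        off += length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_LOCATION:
            meta["location"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_FLOW_ID and length == 4:
            meta["flow_id"] = struct.unpack("!I", value)[0]
        elif tlv_type == TLV_TIMESTAMP and length == 12:
            meta["timestamp"] = struct.unpack("!QI", value)
        elif tlv_type == TLV_STATS and length == 16:
            meta["stats"] = struct.unpack("!QQ", value)
        else:
            meta.setdefault("unknown", []).append(tlv_type)   # skip unknown/malformed TLVs
    return meta, buf[off:]


# Constructed stand-in for a tapped Ethernet frame (1536 bytes of counting pattern).
SAMPLE_FRAME = bytes(range(256)) * 6

if __name__ == "__main__":
    pkt = build_tapped_packet(SAMPLE_FRAME[:64], "tap-7/link-2", 0x1234,
                              1390478400, 250000, stats=(1000, 120000))
    print(parse_tapped_packet(pkt))
```

   The timestamp TLV carries the time measured at the tap, which is the
   point of Section 1.6: a tool that instead stamps packets on arrival
   would fold the tunnel's propagation delay into the measurement.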
   Each SmarTap is configured with information such as which data to
   tap, the required format of the packets and their metadata, and the
   target tools.

3.1. SmarTap with Network Analysis Tools

   Network analysis tools are connected to all SmarTaps that are
   relevant to their application. The SmarTaps are connected to the
   tools either directly or through tunnels. Each tool receives its
   required information at a central location and builds a picture of
   the network.

   The SmarTap architecture can offload the tools by distributing
   traffic classification and counting to the SmarTaps. In this option
   the tools receive only digested data, such as standard statistics,
   together with the relevant packets.

   Offline tools also have full visibility of all the relevant data
   they need: the exact location, time and relevant statistics. In
   this scenario all information received from the SmarTaps is
   captured, stored and mapped to its exact time and location.

3.2. SmarTap with Layer-3 Networks

   SmarTaps used in Layer 3 networks still function as TAPs, with
   additional functionality. The tapping location of a received packet
   and the location of its transmitter and receiver can still be
   deduced from the MAC and IP addresses of the tapped packet. All
   SmarTap advantages also apply to Layer 3 networks. SmarTap provides
   tapped packets with their metadata, for example location, tapping
   time and related statistics. With the SmarTap architecture the
   tapping location of a packet can be derived directly from the
   metadata, which is simpler and more accurate.

4. Security Considerations

   To be updated in a future version of this draft.

5. IANA Considerations

   There are no IANA actions required by this document.

   RFC Editor: please delete this section before publication.

6. References

6.1. Informative References

   [AA-NPM]  Application Aware Network Performance Monitoring

7. Acknowledgments

   This document was prepared using 2-Word-v2.0.template.dot.

Author's Addresses

   Youval Nachum
   Net Optics, an Ixia Company, IL, LLC
   13 Amal Street, Building A
   Rosh Ha'Ayin, 48091 Israel
   Email: youval@netoptics.com

   Linda Dunbar
   Huawei Technologies
   5430 Legacy Drive, Suite #175
   Plano, TX 75024, USA
   Phone: (469) 277 5840
   Email: ldunbar@huawei.com

   Tal Mizrahi
   Marvell
   6 Hamada St.
   Yokneam, 20692 Israel
   Email: talmi@marvell.com