Re: [IPFIX] NetFlow v9 to IPFIX conversion

Paul Aitken <paitken@Brocade.com> Tue, 06 January 2015 15:32 UTC

Return-Path: <paitken@Brocade.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EA1E1A8835 for <ipfix@ietfa.amsl.com>; Tue, 6 Jan 2015 07:32:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 54Hys9b7FSC8 for <ipfix@ietfa.amsl.com>; Tue, 6 Jan 2015 07:32:10 -0800 (PST)
Received: from mx0a-000f0801.pphosted.com (mx0a-000f0801.pphosted.com [IPv6:2620:100:9001:7a::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89C591A8888 for <ipfix@ietf.org>; Tue, 6 Jan 2015 07:31:38 -0800 (PST)
Received: from pps.filterd (m0048193 [127.0.0.1]) by mx0a-000f0801.pphosted.com (8.14.5/8.14.5) with SMTP id t06F0O7C016070; Tue, 6 Jan 2015 07:31:32 -0800
Received: from brmwp-exchub01.corp.brocade.com ([208.47.132.227]) by mx0a-000f0801.pphosted.com with ESMTP id 1rqruk4b1b-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 06 Jan 2015 07:31:32 -0800
Received: from EMEAWP-CASH02.corp.brocade.com (172.29.19.10) by BRMWP-EXCHUB01.corp.brocade.com (172.16.186.99) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 6 Jan 2015 08:31:31 -0700
Received: from EMEA-EXCH01.corp.brocade.com ([fe80::18c9:7b21:74fd:7e48]) by EMEAWP-CASH02.corp.brocade.com ([fe80::548c:8759:5d5e:1c0b%12]) with mapi; Tue, 6 Jan 2015 16:31:29 +0100
From: Paul Aitken <paitken@Brocade.com>
To: Brian Trammell <ietf@trammell.ch>
Date: Tue, 6 Jan 2015 16:31:28 +0100
Thread-Topic: [IPFIX] NetFlow v9 to IPFIX conversion
Thread-Index: AdApvL0dTq7Cy6gvTj+bJm200CjLjQAAWXkA
Message-ID: <23B7BE54EACBED43957AB709C564F7B70185A1FCCD@EMEA-EXCH01.corp.brocade.com>
References: <CALbOe5O0e3tw--vCrj9FkFWVvoMAb9iZaXyRYqfNFSSqQUT94w@mail.gmail.com> <23B7BE54EACBED43957AB709C564F7B70185A1FC39@EMEA-EXCH01.corp.brocade.com> <CE3C776B-2C96-4370-BD7C-4EC3DE73F2A0@trammell.ch>
In-Reply-To: <CE3C776B-2C96-4370-BD7C-4EC3DE73F2A0@trammell.ch>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33, 0.0.0000 definitions=2015-01-06_05:2015-01-06,2015-01-06,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1501060152
Archived-At: http://mailarchive.ietf.org/arch/msg/ipfix/-b-gEisjBba4hPnuJGwnV_nLyuA
Cc: "ipfix@ietf.org" <ipfix@ietf.org>
Subject: Re: [IPFIX] NetFlow v9 to IPFIX conversion
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix/>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jan 2015 15:32:13 -0000

Brian,


> -----Original Message-----
> From: Brian Trammell [mailto:ietf@trammell.ch]
> Sent: 06 January 2015 14:26
> To: Paul Aitken
> Cc: Petr Velan; ipfix@ietf.org
> Subject: Re: [IPFIX] NetFlow v9 to IPFIX conversion
> 
> hi Paul, Petr,
> 
> So unless I misunderstand here, what we're talking about is third party vendors
> who have more or less NF9-compatible exporters that are squatting on chunks
> of the NF9 IE number space

Correct - though "squatting" might not be quite the right word. These IDs were allocated with cisco's knowledge in order to prevent NFv9 ID clashes.


> (i.e., there are no Cisco-defined IEs for NetFlow 9 which are > 2^15).

I believe there are many Cisco IEs > 32768.


> So the first question is why aren't they using IPFIX in the first place? But alas...

Doubtless it was easier to use some NFv9 IDs than to upgrade exporters and collectors to IPFIX.


> It doesn't seem right to me to use Cisco's PEN for this, since even though Cisco
> has reserved the squatted blocks they know about to prevent interoperability
> problems, there is no guarantee they know about all the blocks that exist, and
> it's kind of unfair to ask one company to burn PEN space to correct the mistakes
> of others.

+1


> I'd be in favor of asking IANA for a new PEN for this, since it really is a protocol-
> level incompatibility between NetFlow 9 and IPFIX, and it would be a relatively
> quick AD-sponsored or opsawg draft to do. (I do think it needs an RFC, so that
> the PEN registry can point at something to say "what is this?"; see e.g. PEN
> 29305 for RFC 5103).
> 
> Yes, this has the problem that squatting blocks might collide with each other. I'm
> perfectly okay with that. As a matter of policy, we should not sanction the de
> facto creation of codepoints in public or semipublic registries through squatting,
> and while building a registry of squatted blocks to appropriate PENs is a more
> *elegant* solution, it seems like way too much effort for the community to
> expend to come up with a nice fix to a messy problem caused by the lazy.

As far as I know, that registry currently has just 5 non-cisco entries, so it wouldn't be hard to code.

However as you say there could be other ID conflicts which aren't known about today, and a new PEN would remove the guesswork.

P.


> > On 06 Jan 2015, at 14:52, Paul Aitken <paitken@Brocade.com> wrote:
> >
> > Petr, please see replies inline:
> >
> >
> > From: IPFIX [mailto:ipfix-bounces@ietf.org] On Behalf Of Petr Velan
> > Sent: 06 January 2015 12:03
> > To: ipfix@ietf.org
> > Subject: [IPFIX] NetFlow v9 to IPFIX conversion
> >
> > Hello all,
> >
> > I'm not sure whether this is the right place to ask, but we encountered
> following problem when converting NetFlow v9 messages to IPFIX.
> >
> > Some vendors (I've heard of ntop) are using elements IDs large than 32767 in
> NetFlow v9.
> >
> > [P] That’s not invalid in NFv9. RFC 3954 allows a 16-bit “Field Type” ID.
> >
> >
> > When converting messages with these elements to IPFIX, they are considered
> to be Enterprise Numbers. To generate proper IPFIX message, we need to do
> one of the following:
> > a) Generate a list of the elements and map them to PEN of the correct vendor.
> However, this would result in an attempt to cover all possible elements that
> anybody used in NetFlow v9. Moreover, we would still have to somehow handle
> the cases where the element is unknown
> >
> > [P] When I was netflow–police at cisco, the guys at Plixer helped to identify
> non-cisco NFv9 exporters, and I allocated blocks of 500 or 1000 IDs for each
> them in the 50,000 – 60,000 range – effectively blacklisting those IDs so that
> cisco wouldn’t create duplicate IDs.  At that time there were just 5 such blocks
> recognized by Cisco. If we can identify a PEN for each block then it’d be simple
> to write a decoder. Unfortunately this method doesn’t extend to recognizing
> future allocations, or export IDs that weren’t known to us at the time.
> >
> > BTW, you’re also supposing that the IDs < 32768 are identical and will remain
> so in future.
> >
> >
> > b) Request a PEN for NetFlow compatibility and just add this PEN for every
> element that has ID larger than 32767.
> >
> > [P] It’d be more accurate to use Cisco’s PEN for this ;-)  However in principal
> it’s a NFv9-in-IPFIX indicator.
> >
> >
> >
> > Personally, I believe that the b) is more general and error-prone. Do you think,
> that it would be possible to dedicate whole PEN to this cause?
> >
> > [P] I believe you could convince IANA to allocate an ID. However I’m not yet
> convinced that it’s a good idea.
> >
> > P.
> >
> >
> > Thank you for any opinions,
> >
> > Petr Velan
> >
> > _______________________________________________
> > IPFIX mailing list
> > IPFIX@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipfix