IETF Logo Mail Archive

Re: [IPFIX] unobserved fields

Brian Trammell <trammell@tik.ee.ethz.ch> Sun, 09 December 2012 09:32 UTC

Return-Path: <trammell@tik.ee.ethz.ch>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75ABC21F85D9 for <ipfix@ietfa.amsl.com>; Sun, 9 Dec 2012 01:32:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b8SKaa8Ty9XU for <ipfix@ietfa.amsl.com>; Sun, 9 Dec 2012 01:32:16 -0800 (PST)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) by ietfa.amsl.com (Postfix) with ESMTP id AEFA921F84BC for <ipfix@ietf.org>; Sun, 9 Dec 2012 01:32:15 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id 809BDD9310; Sun, 9 Dec 2012 10:32:11 +0100 (MET)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Mz1S+5IRsdN5; Sun, 9 Dec 2012 10:32:11 +0100 (MET)
Received: from [10.0.27.113] (cust-integra-122-165.antanet.ch [80.75.122.165]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: briant) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id 08D9AD930C; Sun, 9 Dec 2012 10:32:11 +0100 (MET)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Brian Trammell <trammell@tik.ee.ethz.ch>
In-Reply-To: <50C23D17.3030503@cisco.com>
Date: Sun, 09 Dec 2012 10:32:15 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <88D44B6F-F10C-47FD-947C-A9171AD7F127@tik.ee.ethz.ch>
References: <50C2314C.20300@plixer.com> <50C23D17.3030503@cisco.com>
To: Paul Aitken <paitken@cisco.com>
X-Mailer: Apple Mail (2.1499)
Cc: IETF IPFIX Working Group <ipfix@ietf.org>
Subject: Re: [IPFIX] unobserved fields
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2012 09:32:17 -0000

Hi, Paul, Andrew,

I'm not sure I understand the proposed mechanism here...

Observed/unobserved is a per-field/per-record attribute, while extended field specifiers modify IEs per-column: every instance of a given IE in a Template is "decorated" with its extension.
 
As I understand the requirements for -unobserved-fields, we want a way to distinguish, from an MP: "I am capable of observing this attribute, but it was not present in the observation" versus "I am not capable of observing this attribute". We have the second already: simply leave the IE out of the template. And, indeed, you can also use leaving things out of the template to signify the first: the presence of a field in some templates from an EP/MP combination implies that it's observable, its absence in the other implies it's not observed. FWIW, YAF does this for those things that haven't moved behind the 6313 curtain: no reverse elements if it's not a biflow, for instance.

Given that, how would you use a per-IE specifier to signal a per-record attribute? What am I missing?

Cheers,

Brian

On 7 Dec 2012, at 20:01, Paul Aitken <paitken@cisco.com> wrote:

> Andrew,
> 
>> My earlier email about Extended Field Specifiers reminded me of an other draft (draft-aitken-ipfix-unobserved-fields) that doesn't seem to have gone anywhere, but that I would love to move forward. Having a standard way to know if  field is unobserved/NULL for a given flow would be very valuable.
> 
> It's not that this draft didn't go anywhere. Rather, I've written all I can for now, yet the WG isn't in a position to adopt the work. However it's a real issue that needs to be solved -in fact, we're already using some of the techniques in this document - so in my mind it's only "on hold" until I think of something to add and/or the WG can adopt it.
> 
> You're right, Extended Field Specifiers would allow us to tag each field with an "Observed" attribute with advantages:
> 
>    - we wouldn't need to change fields to varlen just to report length = 0.
> 
>    - we could have a many-valued reason rather than a boolean.
>        ie, we can report why the value is not available or not applicable.
> 
> P.
> _______________________________________________
> IPFIX mailing list
> IPFIX@ietf.org
> https://www.ietf.org/mailman/listinfo/ipfix

v2.23.0 | Report a Bug | By Email