Re: [IPFIX] NetFlow v9 to IPFIX conversion

Petr Velan <petr.velan@cesnet.cz> Thu, 26 March 2015 07:14 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/ipfix/4f_WckbuPBzNTbk_g66YBbac83Q>

Hi Andrew, all,

thank you for your explanation regarding nprobe.

However, we also need a fallback for unknown exporters with IEs > 2^15. The
generic requests for PENs need organization name, contact name and email
address. I can try to request the PEN for NetFlow v9 compatibility myself,
but I'd like it to be more public. Therefore, I suggest completing the
request with something like:

*Organization Name*: NetFlow v9 to IPFIX
*Contact Name*: IPFIX WG
*Contact E-Mail*: ipfix@ietf.org

This is just a first proposal to get things moving, please add your
thoughts. Once the PEN is granted, we can move forward and explain its
purpose in a short RFC.

Petr

On Tue, Jan 6, 2015 at 9:07 PM, Andrew Feren <andrewf@plixer.com> wrote:

>  Hi Petr,
>
> On 01/06/2015 07:03 AM, Petr Velan wrote:
>
>     Hello all,
>
>  I'm not sure whether this is the right place to ask, but we encountered
> the following problem when converting NetFlow v9 messages to IPFIX.
>
>  Some vendors (I've heard of ntop) are using element IDs larger than 32767
> in NetFlow v9. When converting messages with these elements to IPFIX, they
> are considered to be Enterprise Numbers. To generate a proper IPFIX message,
> we need to do one of the following:
>  a) Generate a list of the elements and map them to PEN of the correct
> vendor. However, this would result in an attempt to cover all possible
> elements that anybody used in NetFlow v9. Moreover, we would still have to
> somehow handle the cases where the element is unknown.
>
> This should help with ntop/nprobe
>
> Recent versions of nprobe (since version 5.5.5 I think) all use the
> following mapping.
>
> PEN = 35632 and IPFIXID = (v9ID - 57472)
>
> For example, one v9 IE that nprobe exports is MYSQL_SERVER_VERSION 57667.
> The IPFIX equivalent would be
> MYSQL_SERVER_VERSION(35632/195).
>
> The nprobe docs have a complete list.
>
> Older versions of nprobe (pre ~2010) use IEs not in RFC 3954, but later
> allocated in IANA.  There is no good way to convert those v9 exports to
> IPFIX.
>
> -Andrew
>
>
>   b) Request a PEN for NetFlow compatibility and just add this PEN for
> every element that has ID larger than 32767.
>
>  Personally, I believe that the b) is more general and error-prone. Do you
> think that it would be possible to dedicate whole PEN to this cause?
>
>  Thank you for any opinions,
>
> Petr Velan
>
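
The conversion discussed in this thread, as an added example (not code from either poster or from nprobe): it rewrites NetFlow v9 template field specifiers as IPFIX field specifiers, applying the nprobe mapping quoted above and falling back to a compatibility PEN for other IDs above 32767. The fallback PEN value is a placeholder because none was assigned in the thread, keeping the low 15 bits as the IPFIX element ID under that PEN is an assumption, and the sample template with its field lengths is constructed.

```python
import struct

NPROBE_PEN = 35632        # from the thread
NPROBE_V9_BASE = 57472    # from the thread: IPFIXID = v9ID - 57472
# Placeholder only: the thread proposes requesting a PEN, none is assigned.
PLACEHOLDER_COMPAT_PEN = 0xFFFFFFFF


def convert_field(v9_id, length, nprobe=False, compat_pen=PLACEHOLDER_COMPAT_PEN):
    """Map one v9 (type, length) pair to (PEN or None, IPFIX element ID, length)."""
    if not (0 <= v9_id <= 0xFFFF and 0 <= length <= 0xFFFF):
        raise ValueError("field type and length must fit in 16 bits")
    if v9_id < 0x8000:
        # Top bit clear: the ID carries over to IPFIX unchanged, no PEN.
        return (None, v9_id, length)
    if nprobe and v9_id >= NPROBE_V9_BASE:
        # Known exporter: use the vendor mapping given in the thread.
        return (NPROBE_PEN, v9_id - NPROBE_V9_BASE, length)
    # Unknown exporter (option b): keep the low 15 bits (assumption) and
    # attach the compatibility PEN so the field stays well-formed.
    return (compat_pen, v9_id & 0x7FFF, length)


def encode_field(pen, ipfix_id, length):
    """Encode an IPFIX field specifier; the enterprise bit is 0x8000."""
    if pen is None:
        return struct.pack("!HH", ipfix_id, length)
    return struct.pack("!HHI", 0x8000 | ipfix_id, length, pen)


def convert_template_fields(v9_fields, nprobe=False):
    """Convert a run of 4-byte v9 field specifiers to IPFIX field specifiers."""
    if len(v9_fields) % 4:
        raise ValueError("truncated v9 field specifier")
    out = bytearray()
    for off in range(0, len(v9_fields), 4):
        v9_id, length = struct.unpack_from("!HH", v9_fields, off)
        out += encode_field(*convert_field(v9_id, length, nprobe))
    return bytes(out)


# Constructed sample: IPV4_SRC_ADDR (8), MYSQL_SERVER_VERSION (57667), and an
# unrecognised ID (40000). The lengths are made up for the example.
SAMPLE_V9_FIELDS = struct.pack("!HHHHHH", 8, 4, 57667, 16, 40000, 2)

if __name__ == "__main__":
    print(convert_template_fields(SAMPLE_V9_FIELDS, nprobe=True).hex())
```

Copying the v9 field type into an IPFIX template unchanged would leave the enterprise bit set with no Enterprise Number following it, so a collector would read the next field specifier's four bytes as the PEN and misparse the rest of the template.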