Re: [ipfix] IPFIX followup charter

[Brian Trammell <bht@cert.org>]

Tanja,

As co-author of the biflow draft, of course I agree with you that it  
should be included in this charter. There has not been much  
discussion among the wider group on the biflow draft because there  
has not been a full working group meeting since the effort was  
initiated. That said, in one-on-one meetings in Vancouver, we did  
recieve some very good feedback and are incorporating it into a -02  
draft that will be available well before Dallas for discussion.

There's not a whole lot of content in -01 (or the forthcoming -02 for  
that matter) mainly because single-record biflow export is a  
relatively simple idea with a relatively simple design. I personally  
don't anticipate that adding the biflow draft to the proposed short- 
term charter will have a significant impact on the amount of time  
required to see it to completion.

Given that many of us in the security-oriented flow analysis  
community, where the question "did anyone answer?" often separates  
mere concern from actionability, consider biflow export support to be  
quite important, failure to improve upon the relatively inefficient  
current methods for biflow export in IPFIX may hinder its adoption as  
anything other than a slightly more complicated NetFlow V9: another  
data source to read from and translated to one of a number of  
proprietary collection protocols as near to the sensing edge as  
possible. Delaying official WG action on this until July 2007, as I  
believe leaving biflow support off the next charter and allowing for  
one IETF meeting cycle of slack in the schedule implies, won't help  
IPFIX adoption within this community. By that time, CERT/NetSA's own  
biflow export system will have been in production use for a year,  
albeit with CERT private enterprise IEs standing in for official  
reverse-direction value fields.

It would instead be preferable to continue this work within the  
working group without delay.

Regards,

Brian

On Feb 2, 2006, at 5:27 AM, Tanja Zseby wrote:

> Hi Jürgen and all,
>
> I agree that due to the high amount of drafts we need to decide on  
> the most important ones for the first round. Nevertheless, I think  
> we should consider to include the bi-flow draft already now in the  
> new charter.
> The idea for such a draft originated at the last FloCon workshop  
> where a lot of people had doubts about IPFIX because it currently  
> lacks information on how to do bi-flow matching/reporting. Many of  
> the participants have written their own programs in the past to  
> allow bi-flow analysis from NetFlow data. So as a result of  
> discussions during the workshop, Brian and Elisa decided to work on  
> such a draft. I agree that there is not yet very much content in  
> the current version of the draft but since this request came from a  
> larger community I consider it as important.
>
> Brian, Elisa maybe you can comment on this? Do you share my  
> viewpoint? How would you prioritize your work in IPFIX (since you  
> are also co-authors in other drafts)?
>
> Best regards,
> Tanja
>
> -----Original Message-----
> From: majordomo listserver [mailto:majordomo@mil.doit.wisc.edu] On  
> Behalf Of Juergen Quittek
> Sent: Tuesday, January 31, 2006 11:42 PM
> To: ipfix@net.doit.wisc.edu
> Subject: [ipfix] IPFIX followup charter
>
> Dear all,
>
> As you know, the IPFIX working group has completed its charter by  
> submitting all planned documents (with a delay of several years) to  
> the IESG for publication as RFC.  Also the PSAMP WG will reach this  
> status soon.
>
> Building on the results of these WGs, there are a lot of related  
> ongoing activities that are producing Internet drafts related to  
> IPFIX.  Several of them have already been presented at recent IPFIX  
> and PSAMP sessions.  But working on them is not covered by the  
> IPFIX or PSAMP charter.  If we want to continue this IPFIX-related  
> work, we need a new charter that gives it a home at the IETF.
>
> The text below lists and discusses related work and suggests a  
> charter for a follow-up WG.  It is the output of several  
> discussions  with Tanja, Benoit, and Nevil.
>
> The proposed charter is very short-lived and includes only the  
> three most mature work items out of a longer list of candidates.   
> The basic idea is completing this charter within less than a year  
> and then re-chartering to cover further work items that have  
> progressed until then.  This lean work model with short-lived  
> charters allows the group to focus on a limited number of issues  
> and is preferable to long-lived WGs working on many issues in  
> parallel.  (It is highly recommended by the IESG.)
>
> Please have a look at it and state whether or not you think it  
> makes sense to have an IPFIX follow-up WG.  Also please read the  
> proposed charter carefully and express your objections, concerns,  
> comments, requests for modifications, etc.
>
> The plan is to elaborate the new charter proposal on this list and  
> submit an agreed version to our area directors soon.  The deadline  
> for requesting BoF sessions at the next IETF meeting in Dallas is  
> February 13.
>
> Thanks,
>
>     Juergen
>
>
> =======================================================
> Why do we need to continue the work of IPFIX and PSAMP?
> =======================================================
>
> IPFIX has completed its charter and PSAMP will do so very soon.   
> Still, there are a lot of ongoing activities in the community of  
> these two WGs:
>
> 1. Flow aggregation
>    draft-dressler-ipfix-aggregation-01.txt
>
> 2. reducing redundancy in IPFIX and PSAMP reports
>    draft-boschi-export-perpktinfo-00.txt
>
> 3. IPFIX implementation guidelines
>    draft-boschi-ipfix-implementation-guidelines-00.txt
>
> 4. Path-coupled meter configuration
>    draft-fessi-nsis-m-nslp-framework-02.txt
>    draft-dressler-nsis-metering-nslp-03.txt
>    (currently under discussion in the NSIS WG, but not covered
>    by the NSIS charter. It is a candidate work item for NSIS
>    re-chartering, but the NSIS WG asks if it would not be better
>    covered by IPFIX)
>
> 5. IPFIX reliability
>    draft-bclaise-ipfix-reliability-00.txt
>
> 6. Reporting bi-directional flows with IPFIX
>    draft-boschi-ipfix-biflow-01.txt
>
> 7. a format for storing IPFIX records
>    draft-trammell-ipfix-file-00.txt
>
> 8. IPFIX MIB module
>    no I-D yet, but two teams working on it independently.
>
> 9. Common IPFIX templates
>    draft-stephan-isp-templates-01.txt
>
> 10. Reliable server pooling for IPFIX
>     draft-coene-rserpool-applic-ipfix-01.txt
>
> 11. Flow sampling
>     draft-molina-flow-selection-00.txt (expired)
>
> Did I miss something?
>
>
> 1.-4. and 9. have already been discussed at past IPFIX or PSAMP  
> sessions.
>
> This list shows two things.
>   - There is a community interested in IPFIX that is not too small.
>   - This community and is willing to further work on issues IPFIX- 
> related
>     issues in the IETF.
> This is a very good starting point for a charter discussion.
>
>
> ============================
> Which work items are suited?
> ============================
>
> Not all of the issues listed above are at a stage, where they  
> should be considered as a WG work item, but 1.-4. are quite well  
> developed and 5.
> and 6. are candidates.  Since 4. is a candidate for NSIS re- 
> chartering, I dropped it from the following considerations.
>
> Each of 1.-3. has been presented at IPFIX or PSAMP sessions already  
> two times with some discussion on the suggested approach.  For all  
> I sense an agreement in the IPFIX WG (at least no objections so  
> far) that these issues are relevant work and potential WG work  
> items (to be confirmed on the list, of course).
>
>   - The flow aggregation work is rather mature.  Actually this  
> draft covers
>     something that is missing in IPFIX: How to tell the collector  
> that the
>     metering probe does not have the standard (Netflow default)  
> configuration,
>     but filters and aggregates certain flows.
>     There are some terminology problems and a set of technical  
> issues to be
>     solved, but there is not problem with the general direction and  
> the chosen
>     approach.  Still, thorough reviews are missing as well as a  
> discussion on
>     how to fit it well into the IPFIX architecture.
>
>   - Reducing redundancy in IPFIX and PSAMP reports is an issue that  
> was
>     received very well by both WGs when past versions of the IDs  
> were presented.
>     It is considered a useful method of applying IPFIX efficiently.
>     Still, the current drafts were considered as to specific.  They  
> apply
>     the optimization to packet reports only. At the last PSAMP  
> meeting it was
>     noted that the method should be generalized such that it can be  
> applied to
>     all redundant IPFIX transmissions.  This generalization needs  
> to be done,
>     but the way to go is clear and basically agreed on.
>
>   - The implementation guidelines are considered the most important  
> work item
>     by many WG members (including myself).  Many people are  
> currently implementing
>     IPFIX and several recommendations were identified at the first  
> IPFIX interop
>     (next one is scheduled for end of February).  The sooner this  
> document is
>     available, the more will help improving ongoing implementations.
>     My problem with this item is that the current individual draft  
> is in a bad
>     shape.  Therefore, the milestones for this item are later than  
> for the
>     others.
>
> The two weaker candidates for WG items are IPFIX reliability and  
> reporting of bidirectional flows.  Both have been requested on the  
> IPFIX mailing list several time in the past years, but we could not  
> agree on making them part of the basic IPFIX standard.
> But as add-ons, that integrate well with the standard, they can be  
> considered, particularly since I heard about operator requests for  
> both of them.
> A problem of these issues is that so far they have not been  
> presented at IPFIX or PSAMP sessions and there has not been a  
> discussion yet on the approaches followed by the existing drafts.   
> Therefore, these two are not included in the draft proposal below.
>
>
> =================================
> Charter Proposal:
> Efficient Use of IPFIX (USEIPFIX)
> =================================
>
> The IPFIX working group has specified the IPFIX protocol for  
> exporting flow records. The PSAMP working group has specified the  
> usage of the IPFIX protocol for exporting packet records. With both  
> specifications available, several implementers have started  
> building applications using the IPFIX protocol.
>
> At a first interoperability testing event, several IPFIX protocol  
> implementations were tested. The experiences made at this event  
> were fed back to IPFIX protocol specification, particularly for  
> removing ambiguities.  In addition, several lessons were learned  
> about how to implement and use IPFIX correctly and efficiently.   
> The exchange among different implementers further led to new ideas  
> for advanced usage of IPFIX.  Many of these ideas are currently  
> documented in individual Internet drafts.
>
> The goal of the USEIPFIX working group is producing best current  
> practice and guideline documents concerning implementation,  
> application and usage of the IPFIX protocol.
>
> Out of scope are modifications of the core IPFIX and PSAMP protocol  
> specifications.  In scope is the definition of new IPFIX and PSAMP  
> information elements within the documents produced by the USEIPFIX WG.
>
> Specific Goals of the USEIPFIX WG are:
>
> o Developing guidelines for implementers based on experiences
>   gained individually by implementers and jointly at interoperability
>   testing events.  The guidelines will give recommendations for
>   integrating IPFIX observation points, measurement processes, and
>   exporting processes into the packet flow at different kinds of IPFIX
>   devices.  They will make suggestions for efficient implementation of
>   the IPFIX protocol features and identify parts of the IPFIX
>   specification that have already been misunderstood by several
>   implementers.  For some implementation choices that the protocol
>   specification leaves to the implementer, the guidelines will discuss
>   advantages and disadvantages of the different choices.
>
> o Developing methods and means for an efficient use of the IPFIX
>   protocol that reduces redundancy in flow reports.  The basic idea
>   to be followed is very simple.  For multiple flow records that all
>   report the same value in one or more of the contained IPFIX
>   information elements, these values are removed from the flow records
>   and instead reported once for all in a separate record.  Such an
>   approach integrates very well with the IPFIX protocol and only needs
>   few means for expressing the relationship between flow records and
>   corresponding separate records.
>
> o Develop a method for flow aggregation reducing the amount of
>   measurement data exchanged between IPFIX exporters and IPFIX
>   collectors.  Using aggregation techniques, measurement  
> information of
>   multiple similar flows is aggregated into few meta-flow records.
>   Applied aggregation rules need to be communicate.
>
> o Investigate further ways of efficiently using the IPFIX protocols
>   including but not limited to
>     - providing reliability for IPFIX transmissions,
>     - reporting bi-directional flows,
>     - path-coupled configuration of IPFIX devices,
>     - reporting the configuration of IPFIX devices,
>     - flow sampling at IPFIX devices,
>     - storing IPFIX flow records and packet records.
>   These issues are not current work items of the USEIPFIX WG but are
>   evaluated as candidates for potential future work items.
>
>
> Milestones:
>
> Mar 2006  Initial version of flow aggregation methods Mar 2006   
> Initial version of reducing redundandy in IPFIX records Mar 2006   
> IPFIX and PSAMP interoperability testing event (not a real WG  
> milestone?) Apr 2006  Initial version of implementation guidelines  
> Jul 2006  Submit flow aggregation methods to IESG Sep 2006  Submit  
> reducing redundancy in IPFIX records to IESG Sep 2006  Submit  
> implementation guidelines to IESG
>
>
> --
> Help        mailto:majordomo@net.doit.wisc.edu and say "help" in  
> message body
> Unsubscribe mailto:majordomo@net.doit.wisc.edu and say "unsubscribe  
> ipfix" in message body
> Archive     http://ipfix.doit.wisc.edu/archive/
>
>
> --
> Help        mailto:majordomo@net.doit.wisc.edu and say "help" in  
> message body
> Unsubscribe mailto:majordomo@net.doit.wisc.edu and say
> "unsubscribe ipfix" in message body
> Archive     http://ipfix.doit.wisc.edu/archive/