Re: [IPFIX] new IPFIX fields for traffic classification
Paul Aitken <paitken@cisco.com> Tue, 14 June 2011 10:04 UTC
Return-Path: <paitken@cisco.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD31521F85DA for <ipfix@ietfa.amsl.com>; Tue, 14 Jun 2011 03:04:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dqOQzStorGqG for <ipfix@ietfa.amsl.com>; Tue, 14 Jun 2011 03:04:04 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 650F121F85D5 for <ipfix@ietf.org>; Tue, 14 Jun 2011 03:04:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=paitken@cisco.com; l=5725; q=dns/txt; s=iport; t=1308045843; x=1309255443; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=yXidkrqMKzkL2EkmT+0NDmgg6dyONU4AV7bOXRXGH3E=; b=NFYUWSRE97LIbumMW+qyYkecV3l/4BDdDVVgNGQSFMuXeHBnWj1wMT+J J6OyZrUWm4bBv6ZJ4vzHGkv8wdVk7jqpJ9AqxuflSEKPXALlUn7iGQeH1 SI7cRBjDIA/o1ROmmOwhWFl/LoJtBCyXns2cNPg4NtlXUh+F4B9ZWF1/r I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAL8w902Q/khM/2dsb2JhbABSpjd3qhmeL4YkBJFHhFeLDw
X-IronPort-AV: E=Sophos;i="4.65,363,1304294400"; d="scan'208";a="93856294"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-1.cisco.com with ESMTP; 14 Jun 2011 10:03:53 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p5EA3rm3015872; Tue, 14 Jun 2011 10:03:53 GMT
Received: from [10.61.100.192] (dhcp-10-61-100-192.cisco.com [10.61.100.192]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id p5EA3pGO019133; Tue, 14 Jun 2011 11:03:51 +0100 (BST)
Message-ID: <4DF73207.1060700@cisco.com>
Date: Tue, 14 Jun 2011 11:03:51 +0100
From: Paul Aitken <paitken@cisco.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110516 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Chris Inacio <inacio@cert.org>
References: <4DF626E8.80606@cisco.com> <73F44306-67AE-4776-95EE-224BB8D63275@tik.ee.ethz.ch> <9D1F34B6-9254-4FC4-8745-31653B533A87@cert.org>
In-Reply-To: <9D1F34B6-9254-4FC4-8745-31653B533A87@cert.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IETF IPFIX Working Group <ipfix@ietf.org>
Subject: Re: [IPFIX] new IPFIX fields for traffic classification
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2011 10:04:04 -0000
Chris,
We've been asked to export strings coming from a classification engine.
We need an extensible scheme which allows the classification team to
export their information with zero intervention from us or from any
external registry maintainer as they add new classifications.
An ID-based export has multiple disadvantages as you list below - not
least of which is that it stalls the dev/rel cycle while new IDs are
requested from the registry maintainer (say, IANA). Most importantly,
there can be no central registry for on-box user-defined classifications.
The main disadvantages of exporting the strings directly are bandwidth
and interoperability. However, the main advantage is that new
classifications can be exported immediately.
Since we're exporting the strings in enterprise-specific IDs, there's
essentially no interoperability (unless others also export cisco PEN IDs
- which is unwise). Interoperability and bandwidth would both be
improved by moving to IANA elements.
Cheers,
P.
On 13/06/11 16:45, Chris Inacio wrote:
> On Jun 13, 2011, at 11:22 AM, Brian Trammell wrote:
>
>> Hi, Paul,
>>
>> A suggestion: if these are encoded in strings, why not specify a delimiter-separated ID space and have a single flowClassification string with this delimiter separated space.
>>
>> IE "flowClassification" = "email.gmail", "ftp-group.ftp-data" and so on?
>>
>> This would allow sub-sub-sub categories, as well ("voip.skype.datachannel.noudp.v5")
>>
>> Cheers,
>>
>> Brian
>>
> I have a lot more to say down below; but I agree with Brian. If there is a desire to start using string fields like this in the protocol, then I think having some structure in the strings that allows them to be somewhat hierarchal maybe, would be wise.
>
>
>> On Jun 13, 2011, at 5:04 PM, Paul Aitken wrote:
>>
>>> Dear IPFIX experts,
>>>
>>> Cisco would like to define some new IPFIX fields for traffic classification so we can attach classification information to each exported flow.
>>>
>>> Unlike many other fields, we don't propose to encode these fields numerically, so the usual option table mapping numbers to names won't be necessary.
>>>
>>> Instead, these fields would contain strings. Each field would be extensible so new strings could be added in future. In fact, we expect this to be a regular occurrence as new classifications are defined.
>>>
>>> However, it's not desirable - and perhaps not even possible - to list all the classification values. So there won't be any complete or exhaustive value list for any of these fields, and IANA won't maintain a registry for each field.
>>>
>>> This is similar to the existing wlanSSID, interfaceName and VRFname fields: while we can define the purpose of these fields, the values cannot be listed exhaustively. These can only be defined as generic strings, and no attempt should be made to register all the possible values.
>>>
>>> While we've already defined enterprise-specific fields, we feel these fields will be generally useful to the community. Nevil has asked for discussion before approving our request for new IANA field allocations.
>>>
>>> So, please discuss... ;-)
>>>
>>>
>>> Specifically, the fields which we'd like to define are:
>>>
>>> * Category = a protocol attribute which broadly groups a set of protocols having the same characteristic.
>>> e.g. file-sharing, email.
>>>
>>> * Sub-category = a second level category attribute
>>> e.g. p2p-file-transfer, gmail
>>>
>>> * Application-group = a protocol attribute which groups a set of protocols belonging to same application.
>>> e.g. ftp-group
>>>
>>>
>>> Cheers,
>>> P.
> Why would you (being Cisco) want to use strings?
>
> There are the obvious downsides to table mappings: have to have some type of out-of-band mechanism to distribute them, or define some new options records that allows them to be distributed. If not sending them from probe to collector, then you need a central registry. The consensus mechanism of the central repository is too slow, strings are agile. Strings more easily allow ``quiet-mode'' before introducing a product to market, making the suits happy, by eliminating the central repository. I understand that these are all problems, but I would argue these are still better problems to have than having strings.
>
>
> The problem with strings: The model without a central repository means everyone developing their own strings, mostly incompatible ones. (The collector will then have to guess that Cisco's "email:mua" is the same as my "smtp:user-agent". Or push the problem back up to the user.) Strings are a lot less efficient. IPFIX's design is clearly architected to bandwidth reduction by sending the type-length information very infrequently, and including reduced length encoding - strings are not bandwidth friendly.
>
> I would still argue for a bandwidth efficient interoperable protocol. I don't think adding strings would create an interoperable protocol.
>
> So that said, what I would ask of you Paul, is to describe the why's that make this string mapping so attractive?
>
> (Although if we can all figure out how to get bonuses from our respective employers for writing RFC's, we can start working on the SIP protocol model to define the strings, and I'm fully on board! :) )
>
>
> Best regards,
> Chris Inacio
>
>
>
>>> _______________________________________________
>>> IPFIX mailing list
>>> IPFIX@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipfix
>> _______________________________________________
>> IPFIX mailing list
>> IPFIX@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipfix
- [IPFIX] new IPFIX fields for traffic classificati… Paul Aitken
- Re: [IPFIX] new IPFIX fields for traffic classifi… Brian Trammell
- Re: [IPFIX] new IPFIX fields for traffic classifi… Chris Inacio
- Re: [IPFIX] new IPFIX fields for traffic classifi… Paul Aitken
- Re: [IPFIX] new IPFIX fields for traffic classifi… Paul Aitken