Re: [IPFIX] Options Templates, Templates, and related Data Sets sent in separate transport sessions
Garri Djavadyan <g.djavadyan@gmail.com> Wed, 10 April 2024 10:32 UTC
Return-Path: <g.djavadyan@gmail.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCA57C14F696 for <ipfix@ietfa.amsl.com>; Wed, 10 Apr 2024 03:32:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HCOJz5JcEMQ7 for <ipfix@ietfa.amsl.com>; Wed, 10 Apr 2024 03:32:52 -0700 (PDT)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C878FC14F689 for <ipfix@ietf.org>; Wed, 10 Apr 2024 03:32:52 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id a640c23a62f3a-a51beae2f13so462471766b.1 for <ipfix@ietf.org>; Wed, 10 Apr 2024 03:32:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712745170; x=1713349970; darn=ietf.org; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date :message-id:reply-to; bh=cB33ksv5RvGCR72l75yj/P6DEik9mGD8mkWAnKaDB2g=; b=ccjRR82k9iZfY+MYUa+7bbSsBpbh2T1npqlbt6ZCwZShKRZ7p+HUaUfUXrNTeIA8vl HCqKcb5cbRbFDz5dus1rguHQgb5Fl5p5LQwkXWg8U5JRG752uan3EWQrT+mj9ov4bqM1 fP0HPZh29P/JJxGUsRE939YjZIVe1L7u6MYQf3oA7zzaJWqbJM1mDmHfBccGK3igT6xG fHqJoWXL4ikUpVWxIhOjc2RXvY8PYGoZJMRso0D9hlMT345pWFnDiekCMeCZuk8x34j3 nTJfaAYG5aCXXnH14IcMmB7n9ULh8ahvEHKO1dt9MKYD/5RFdJi/uAL8de0HLJMTA+MJ xLRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712745170; x=1713349970; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=cB33ksv5RvGCR72l75yj/P6DEik9mGD8mkWAnKaDB2g=; b=EMS8+uy5ZLvuDJC0X51mLiVe9JRPORTMorP3p0Qp/w6nRF8F6Z8t66/Qj4+aBDxDII FaFGama1cYP8deex+2tDkmfjELGIRIggt25LUlkZJeTwC6sXzCaP622d2xNu6V2rG6s4 Pxf01rlml8qRMskrSAtNdD47w3DvUUN6xl8JYyM6oe+8uet7V2zsPIfAP9qXuUIsn+bL idhpdR2R5bA9hfuUao+4xtWVBTFaZ2cUd0cPIBO2JBdi9giudVvAoXyaMMVaOtLsHwvJ LwoTBXHVBPrDbBdj+85XomQcrUkxk/ioAWOHwohpUcwSDXCXvA58O3xKUx65zSV78gQb kYHQ==
X-Gm-Message-State: AOJu0YzJnpBrfC0m8Ijrw4SYIUDbbA9D6OlRB2pYlOTXfBGU7hfAQsJt x13WkpCDSndz0SffPP1ifyUhuW580LzzORZPwB56mXQ1cYo/3r7ppd4cLSMV
X-Google-Smtp-Source: AGHT+IHYmW9vvfPlpxF0tkrd22XQIpuYg3jimX5DnXjnHgE0LL2BAHJJQinilkdHEicTX8ldW9C3qA==
X-Received: by 2002:a17:907:6089:b0:a45:ad29:725c with SMTP id ht9-20020a170907608900b00a45ad29725cmr1597026ejc.62.1712745169456; Wed, 10 Apr 2024 03:32:49 -0700 (PDT)
Received: from ?IPv6:2a02:a210:2280:c00:4e94:e21b:393c:8e98? (2a02-a210-2280-0c00-4e94-e21b-393c-8e98.cable.dynamic.v6.ziggo.nl. [2a02:a210:2280:c00:4e94:e21b:393c:8e98]) by smtp.gmail.com with ESMTPSA id k12-20020a17090646cc00b00a4e3fda23f5sm6745979ejs.165.2024.04.10.03.32.47 for <ipfix@ietf.org> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 10 Apr 2024 03:32:47 -0700 (PDT)
Message-ID: <438e0375e03289542bf75b736ef9f5ab8c8e2a64.camel@gmail.com>
From: Garri Djavadyan <g.djavadyan@gmail.com>
To: "ipfix@ietf.org" <ipfix@ietf.org>
Date: Wed, 10 Apr 2024 12:32:41 +0200
In-Reply-To: <A5A2FC21-5867-42ED-8881-47523353861F@trammell.ch>
References: <095e959a3b1f5c557fe1e463754379edc21b32ea.camel@gmail.com> <7a9c6493-ac7e-4cd1-9703-a5f33f1b7330@ciena.com> <05853a655a6db65bdf2ccc4983b2fada93654d49.camel@gmail.com> <e24aac704ebc70ee72f13671dd6485cb3ec77f94.camel@gmail.com> <A5A2FC21-5867-42ED-8881-47523353861F@trammell.ch>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.52.0
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipfix/MUa9l3if5PIWDSanzKFH0MjeuZs>
Subject: Re: [IPFIX] Options Templates, Templates, and related Data Sets sent in separate transport sessions
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipfix/>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2024 10:32:56 -0000
Thank you for your comments, Brian!
As the vendor does not participate in this discussion, I feel I should
be playing devil's advocate for the sake of understanding the reasons
for the misinterpretation that can help future IPFIX implementers.
Brian, I think one can say that what the vendor is doing is what is
written in 7011 §8 ¶4: they assign and maintain Data-Template IDs per
one Transport Session + Observation Domain ID, and the Options-Template
IDs per other Transport Session + the same Observation Domain ID.
Then, it seems they assume that the Collecting process can scope the
(Options) Data Records in one Transport Session to the Data Records in
other Transport Session because the Observation Domain ID is the same.
The Observation Domain ID is still unique per the Exporting Process,
and they can claim that both Transport Sessions are initiated by the
same Exporting Process.
Maybe it can help if the definition for the Observation Domain ID also
mentions that it is unique per Transport Session as the Collecting
Process is unable to assert if Transport Sessions are related to the
same Exporting Process?
Also, the Observation Domain ID section in 7011 §8 says:
Collecting Processes SHOULD use the Transport Session and the
Observation Domain ID field to separate different export streams
originating from the same Exporter.
I think it can also help if there is a definition for an Export Stream
in the Terminology. That definition may emphasise that it is a stream
of related Template, Options-Template, and Data Records carried over
the same Transport Session.
Again, I am sorry if the above may seem too obvious to making no sense.
Just trying to understand the vendor's logic in attempt to improve the
document.
Thank you.
Kind regards,
Garri Djavadyan
On Wed, 2024-04-10 at 10:50 +0200, Brian Trammell (IETF) wrote:
> There are no protocol police, of course, but…
>
> “[t]he Exporting Process assigns and maintains Template IDs per
> Transport Session and Observation Domain” et seq (7011 §8 ¶4) seems
> to me to pretty clearly preclude the exporter behavior you describe;
> a fairly strong requirement that templates were scoped to a transport
> session is the reason we had to go through so much handwaving to
> attempt to describe transport session semantics in a sessionless
> protocol.
>
> I’m not sure what update would make this any clearer, unless that
> sentence in 7011 §8 ¶4 could be strengthened with normative language.
> (FWIW I’d consider that an editorial erratum, since the requirement
> to scope templates to a session for interop purposes underpins the
> entire design of template management)
>
> Cheers,
>
> Brian
>
> > On 10 Apr 2024, at 10:18, Garri Djavadyan <g.djavadyan@gmail.com>
> > wrote:
> >
> > Unfortunately, after a few months of discussing and sharing
> > excerpts
> > from RFC5153 and RFC7011 with the vendor, they refused to admit
> > non-
> > compliance by stating that "there is no explicit mandatory
> > requirement
> > for these templates [Templates and Options-Templates] to share a
> > transport session".
> >
> > I understand that they are fixated on the "explicit mandatory
> > requirements" because what they had designed is already implemented
> > in
> > hardware and not easy to change. I guess there was a confusion over
> > the
> > RFC's UDP and SCTP requirements during the early architecture
> > design
> > phase.
> >
> > Considering that this happened to one vendor, do you think the
> > RFC7011
> > can be updated a bit to make it more explicit in that all related
> > template and data records must be carried over the same transport
> > session, so that future RFC 7011 implementers do not fall into the
> > same
> > trap again?
> >
> > Thank you.
> >
> > Kind regards,
> > Garri Djavadyan
> >
> >
> > On Tue, 2024-02-06 at 00:29 +0100, Garri Djavadyan wrote:
> > > Paul,
> > >
> > > Thank you so much for your reply.
> > >
> > > Indeed, a source address translator in front of several Exporters
> > > that
> > > use two Transport UDP Sessions to represent one IPFIX export
> > > stream,
> > > have conflicting Observation Domain IDs, and different
> > > samplingInterval
> > > values in the Data Records would be a nightmare for a Collecting
> > > Process that treats multiple Transport Sessions sourced from the
> > > same
> > > IP as the same export stream.
> > >
> > > It seems I did not pay enough attention to the following sentence
> > > in
> > > the section 3.1 of the RFC7011:
> > >
> > > Collecting Processes SHOULD use the Transport Session and the
> > > Observation Domain ID field to separate different export
> > > streams
> > > originating from the same Exporter.
> > >
> > >
> > > I think a definition of the Export Stream in the Terminology (2)
> > > section of the RFC7011 could also help avoid doubts, saying
> > > something
> > > like:
> > >
> > > A Transport Session carrying related Template Records, Options
> > > Template Records, and Data Records.
> > >
> > >
> > > Now it is clear that we faced a bug that needs to be reported to
> > > the
> > > respective vendor.
> > >
> > > Thank you.
> > >
> > > Kind regards,
> > > Garri Djavadyan
> > >
> > >
> > >
> > > On Mon, 2024-02-05 at 10:17 +0000, Aitken, Paul wrote:
> > > > Garri,
> > > >
> > > > From the receiver's point of view, the different transport
> > > > sessions
> > > > are
> > > > independent export streams which could come from different
> > > > Exporters.
> > > > The receiver can't tell whether these come from one exporter or
> > > > two.
> > > > The
> > > > data in the "options" Export Stream cannot be scoped to data in
> > > > the
> > > > other stream as Template IDs are unique per Transport Session
> > > > and
> > > > the
> > > > Observation Domain is locally unique to the Exporting Process
> > > > and
> > > > multiple EPs may be in play.
> > > >
> > > > Only SCTP provides multiple streams; TPC and UDP do not. See
> > > > section
> > > > 6.1
> > > > of RFC 5153.
> > > >
> > > > P.
> > > >
> > > >
> > > > On 03/02/24 14:38, Garri Djavadyan wrote:
> > > > > Hi IPFIX experts,
> > > > >
> > > > >
> > > > > Recently, my colleagues and I faced an IPFIX exporter
> > > > > implementation
> > > > > that sends IPFIX messages with the Template and related Data
> > > > > Sets
> > > > > in
> > > > > one transport UDP session and the Options Template and
> > > > > related
> > > > > Data
> > > > > Sets in another transport UDP session (sourced from a
> > > > > different
> > > > > UDP
> > > > > port) to the same IPFIX collector port.
> > > > >
> > > > > While trying to understand this behaviour, I checked RFC7011
> > > > > and
> > > > > a
> > > > > few
> > > > > related RFCs but could not find any notes suggesting use
> > > > > cases
> > > > > when
> > > > > it
> > > > > might be necessary. Also, I could not find any notes
> > > > > prohibiting
> > > > > this.
> > > > >
> > > > > However, we know of at least one use case when sending the
> > > > > aforementioned 4 IPFIX messages over 2 separate transport
> > > > > sessions
> > > > > is
> > > > > undesirable. For example, when multiple self-sufficient IPFIX
> > > > > collectors are listening on the same UDP socket using the
> > > > > socket
> > > > > option
> > > > > SO_REUSEPORT (for horizontal scaling), the kernel-level load-
> > > > > balancing
> > > > > algorithm can distribute 2 related sessions of the same
> > > > > exporter
> > > > > to
> > > > > different processes. As a result, the process receiving the
> > > > > Flow
> > > > > Records, cannot process them properly without the related
> > > > > Options.
> > > > > In
> > > > > theory, it can also happen in the environments where layer-4
> > > > > load-
> > > > > balancers are used to distribute transport UDP sessions
> > > > > between
> > > > > IPFIX
> > > > > collecting hosts.
> > > > >
> > > > > Considering this, could you please help answer the following
> > > > > question?
> > > > >
> > > > > Did I interpret the IPFIX RFCs correctly and the mentioned
> > > > > exporter's
> > > > > behaviour is a compliant implementation?
> > > > >
> > > > > There is a note in the "Template Management" section 8 of
> > > > > RFC7011
> > > > > saying:
> > > > >
> > > > > Options Templates and Templates that are related or
> > > > > interdependent
> > > > > (e.g., by sharing common properties as described in
> > > > > [RFC5473])
> > > > > SHOULD be sent together in the same IPFIX Message.
> > > > >
> > > > > but the Templates and the Options Templates in the case that
> > > > > I
> > > > > mentioned are not interdependant by the common properties per
> > > > > RFC5473.
> > > > >
> > > > >
> > > > >
> > > > > Thank you in advance!
> > > > >
> > > > >
> > > > > Kind regards,
> > > > > Garri Djavadyan
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > IPFIX mailing list
> > > > > IPFIX@ietf.org
> > > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipfix__;!!OSsGDw!J3DauxNGB6V13gsv8HRy629ddHwNTtJFeE5njPIdVQCVssXh2upsaiMkWBlmd8llnYXke9dEef0WZvmNag$
> > > > > [ietf[.]org]
> > >
> >
> > _______________________________________________
> > IPFIX mailing list
> > IPFIX@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipfix
>
- [IPFIX] Options Templates, Templates, and related… Garri Djavadyan
- Re: [IPFIX] Options Templates, Templates, and rel… Aitken, Paul
- Re: [IPFIX] Options Templates, Templates, and rel… Garri Djavadyan
- Re: [IPFIX] Options Templates, Templates, and rel… Garri Djavadyan
- Re: [IPFIX] Options Templates, Templates, and rel… Brian Trammell (IETF)
- Re: [IPFIX] Options Templates, Templates, and rel… Garri Djavadyan