IETF Logo Mail Archive

Re: [IPFIX] [Sender: ipfix-bounces@ietf.org] Re: Maji - an open source IPFIX meter implementation

Gerhard Muenz <muenz@net.in.tum.de> Wed, 25 February 2009 08:23 UTC

Return-Path: <muenz@net.in.tum.de>
X-Original-To: ipfix@core3.amsl.com
Delivered-To: ipfix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 28EF83A689A for <ipfix@core3.amsl.com>; Wed, 25 Feb 2009 00:23:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[AWL=-0.257, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_55=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QU0rTXUoCVA8 for <ipfix@core3.amsl.com>; Wed, 25 Feb 2009 00:23:42 -0800 (PST)
Received: from mail-out1.informatik.tu-muenchen.de (maildmz1.informatik.tu-muenchen.de [131.159.0.3]) by core3.amsl.com (Postfix) with ESMTP id BD47D3A6951 for <ipfix@ietf.org>; Wed, 25 Feb 2009 00:23:41 -0800 (PST)
Received: from phoenix.net.informatik.tu-muenchen.de (phoenix.net.informatik.tu-muenchen.de [131.159.14.1]) by services.net.informatik.tu-muenchen.de (Postix Mailer @ mail) with ESMTP id B3C114720D; Wed, 25 Feb 2009 09:23:58 +0100 (CET)
Received: from [131.159.20.108] (repulse.net.informatik.tu-muenchen.de [131.159.20.108]) by phoenix.net.informatik.tu-muenchen.de (Postfix) with ESMTP id 9A4C82807; Wed, 25 Feb 2009 09:23:58 +0100 (CET)
Message-ID: <49A50021.3050100@net.in.tum.de>
Date: Wed, 25 Feb 2009 09:24:01 +0100
From: Gerhard Muenz <muenz@net.in.tum.de>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: Andrew Johnson <andrjohn@cisco.com>
References: <4998D006.1030106@cs.waikato.ac.nz> <49A2C8D8.3000402@net.in.tum.de> <49A31B3C.8070004@cisco.com> <49A3C322.4030000@net.in.tum.de> <49A3F1CA.80801@cisco.com> <FDB62598-788E-4F28-945B-F13C0D99A419@tik.ee.ethz.ch> <49A3F7FD.7080902@net.in.tum.de> <49A3FA98.6060403@cisco.com> <49A3FDE1.6040405@net.in.tum.de> <49A408AD.7080201@cisco.com> <49A4100C.3070902@net.in.tum.de> <49A41630.4030208@cisco.com>
In-Reply-To: <49A41630.4030208@cisco.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms030108080405050506000107"
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: ipfix@ietf.org
Subject: Re: [IPFIX] [Sender: ipfix-bounces@ietf.org] Re: Maji - an open source IPFIX meter implementation
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2009 08:23:43 -0000

Hi Andrew,

>>> Looking again, you seem to have have a start, stop and mask value for
>>> each filter.  So what would you expect the behaviour to be of a filter
>>> that demands a TCP flags value of 0 when faced with a UDP packet?
>>
>> I do not know. Is it defined somewhere?
> 
> Not as far as I know, however if you're matching on and IPv4 address of
> 192.168.0.1, I would not expect all IPv6 traffic to pass the filter.

Is it useful to add a note to PSAMP-TECH?

>>> My instinct is that it should reject the UDP packet because it cannot
>>> provide a TCP flags value of 0.  An alternate filter could be set up to
>>> accept UDP packets.
>>>
>>> If we agree on that point, then how about a TCP flags filter that
>>> filtered on TCP flags being in the range 0x00 to 0xFF.  It would accept
>>> all values for the TCP flags field, but reject packets that didn't have
>>> the field.
>>
>> Then, we could place a property match filter in front of the Cache that
>> matches all fields of the Cache Layout with mask=0x00 (or start=0 and
>> end=infinity) to ensure that all fields are present.
> 
> Exactly.
> 
> 
>> However, I'm a little bit confused about the following paragraph in
>> PSAMP-TECH:
>>
>> 6.1 Property Match Filtering
>>
>>     ....
>>
>>     A packet is selected if Field=Value. Masks and ranges are only
>>     supported to the extent to which [RFC5102] allows them e.g. by
>>     providing explicit fields like the netmasks for source and
>>     destination addresses.
>>
>> Also, PSAMP-PROTOCOL does not allow to export a value range [start,
>> stop] in an Option :(
> 
> Yes, I know.  It's very difficult to export min/max/mask using IPFIX
> without defining new Information Elements for each field you want to
> filter on.

Hm, I do not think that defining min/max/mask IEs for every existing IE
is needed. I'm sure that a better solution can be found.

>> Note that the configuration data model is based in PSAMP-MIB where
>> "start", "stop" and "mask" are mentioned as parameters of property match
>> filtering. It seems that these parameters are outdated?
> 
> When we added the Filtering Interpretation Report in version 02 we
> didn't have min/max/mask either.  There's just no easy way to export
> this sort of think in IPFIX without defining three additional I.E.s per
> field.  Unless anyone can think of something?

Yes:
http://tools.ietf.org/html/draft-sommer-ipfix-mediator-ext-01

In my opinion, the current property match filtering specified in PSAMP
is too restrictive because it only covers simplistic fiters that are
rarely used in practice. Maybe it should be removed from the documents
until a better solution is found.

Cheers,
Gerhard

-- 
Dipl.-Ing. Gerhard Münz
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone:  +49 89 289-18008       Fax: +49 89 289-18033
E-mail: muenz@net.in.tum.de    WWW: http://www.net.in.tum.de/~muenz

v2.23.0 | Report a Bug | By Email