IETF Logo Mail Archive

Re: [IPFIX] unobserved fields

Paul Aitken <paitken@cisco.com> Mon, 10 December 2012 09:53 UTC

Return-Path: <paitken@cisco.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1D0421F8E4F for <ipfix@ietfa.amsl.com>; Mon, 10 Dec 2012 01:53:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.561
X-Spam-Level:
X-Spam-Status: No, score=-10.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l3YnksX+Ai8o for <ipfix@ietfa.amsl.com>; Mon, 10 Dec 2012 01:53:58 -0800 (PST)
Received: from ams-iport-4.cisco.com (ams-iport-4.cisco.com [144.254.224.147]) by ietfa.amsl.com (Postfix) with ESMTP id 4C7D021F8E45 for <ipfix@ietf.org>; Mon, 10 Dec 2012 01:53:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4161; q=dns/txt; s=iport; t=1355133238; x=1356342838; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=BV9JwP1GNQKp6XtMT75V04hCDu2vL8AHs8zh88BITCo=; b=CALtGTTOQyThFb83eXfDZCStns/LlLTejdA8ImR4tn8tbX4o40IbdH/C RQg8laQiju1Sf1ygvkInEbC3t95wg+KcWkrQHRy2WfpgGIiJeUJ+hqLDt 5cBmO2lp5lLiaw+lvjoBX6DnbvqovilV5ss6R1aReygtIDiU1ekv8AXpU M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkwHAO+wxVCQ/khM/2dsb2JhbABEg0i7KRZzgh4BAQEDAThAAQULCxgJFg8JAwIBAgFFBg0BBQIBAYgHBrYMjD+EQwOWBoVril2Ccw
X-IronPort-AV: E=McAfee;i="5400,1158,6921"; a="10299085"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-4.cisco.com with ESMTP; 10 Dec 2012 09:53:37 +0000
Received: from [10.55.84.15] (dhcp-10-55-84-15.cisco.com [10.55.84.15]) by ams-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id qBA9rbRi005110; Mon, 10 Dec 2012 09:53:37 GMT
Message-ID: <50C5B121.1080007@cisco.com>
Date: Mon, 10 Dec 2012 09:53:37 +0000
From: Paul Aitken <paitken@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Brian Trammell <trammell@tik.ee.ethz.ch>
References: <50C2314C.20300@plixer.com> <50C23D17.3030503@cisco.com> <88D44B6F-F10C-47FD-947C-A9171AD7F127@tik.ee.ethz.ch> <50C4D203.3090204@cisco.com> <7F3700A3-0562-47B0-8BEC-394951179E8C@tik.ee.ethz.ch>
In-Reply-To: <7F3700A3-0562-47B0-8BEC-394951179E8C@tik.ee.ethz.ch>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IETF IPFIX Working Group <ipfix@ietf.org>
Subject: Re: [IPFIX] unobserved fields
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 09:53:59 -0000

Brian,

> Ahhhh -- okay, so you'd be proposing using an indexing mechanism, as with MIB objects, to explicitly link one IE in a record with another to allow the "observation index" IE to expose the observation state of each IE?

No. There's only one IE.

In MIB export, the template effectively says "here is a MIB, with two 
extensions; the first defines the OID (in the template); the second 
defines the index (in the data records)". Appropriate sizes are given, 
and the template and data records are extended accordingly. So instead 
of getting a 4-byte value in the data record, there might be 6 bytes: 
the 4 bytes value followed by a 2-bytes index. However the index has no 
IE of its own, so each new extension does not require a new IE.

In the unobserved fields scenario, the template would says "here is an 
IE, with an extension (in the data records)", and that extension would 
indicate the observability of the IE. So instead of 4 bytes of RTT time, 
there might be 5 bytes: 4 bytes of RTT (being zero, presumably), and 1 
byte reporting "insufficient time".


> I think an example illustrating this -- how MIB-style EFS would support -unobserved-fields -- in the next rev of -unobserved-fields would be very useful.

Are MIBS ever unobserved?


> A couple of other points inline...
>
> On 9 Dec 2012, at 19:01, Paul Aitken <paitken@cisco.com> wrote:
>
>>> As I understand the requirements for -unobserved-fields, we want a way to distinguish, from an MP: "I am capable of observing this attribute, but it was not present in the observation"
>> Or, I don't (yet) have sufficient data to calculate a derived metric, eg average / min / max, count or time based metrics.
>>
>>
>>> versus "I am not capable of observing this attribute". We have the second already: simply leave the IE out of the template.
>> No. Leaving the metric out of the template does not actively indicate that the MP is not capable of measuring it. A CP cannot make any assumptions about metrics which the MP isn't reporting. Rather than this *passive* method, we're missing a way for the MP to *actively* inform the CP that although it's capable of measuring some metric, it's currently not able to provide any further information about the metric.
> Absolutely agree; I'm pointing out the "way to do this today" -- which is ambiguous.

Great, we agree.


>>> And, indeed, you can also use leaving things out of the template to signify the first: the presence of a field in some templates from an EP/MP combination implies that it's observable, its absence in the other implies it's not observed.
>> No it doesn't. That's the whole point of -unobserved-fields! The MP could have observed it and between the MP and EP, decided not to export it. eg, certain IP addresses, user names, URLs, could be filtered from export stream for privacy or security. The absence of a field in the template isn't directly related to the field's observability.
> As above. I'm not saying this is the right way to do things; I'm saying it's the de facto approach.

Which has this huge gap...


>>> FWIW, YAF does this for those things that haven't moved behind the 6313 curtain: no reverse elements if it's not a biflow, for instance.
>>>
>>> Given that, how would you use a per-IE specifier to signal a per-record attribute? What am I missing?
>> EFS are also per-record, eg OID index. See the MIB draft.
> Okay, so EFS -- specificially, any extension applying an "indexing" feature -- allows specifying that one IE in a Template is present to modify another, so the per-record information still appears in the record; it's just that EFS has allowed an explicit linkage between the IEs, where before we'd have only an implicit linkage (bad, because it's very easy to interpret incorrectly) or an explicit linkage keyed to a specific function in the definition of the IE, e.g. flowKeyIndicator (less bad but still bad, because continuing along these lines you run out of IEs pretty quickly)...correct?

Sort of, except there's only one IE with additional data. I'm not 
proposing new IEs for every new attribute specified in an EFS.

P.

v2.23.0 | Report a Bug | By Email