IETF Logo Mail Archive

Re: [IPFIX] unobserved fields

Brian Trammell <trammell@tik.ee.ethz.ch> Mon, 10 December 2012 09:19 UTC

Return-Path: <trammell@tik.ee.ethz.ch>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9411121F8E32 for <ipfix@ietfa.amsl.com>; Mon, 10 Dec 2012 01:19:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxtt6pGCLaEu for <ipfix@ietfa.amsl.com>; Mon, 10 Dec 2012 01:19:26 -0800 (PST)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) by ietfa.amsl.com (Postfix) with ESMTP id CCA4921F8E34 for <ipfix@ietf.org>; Mon, 10 Dec 2012 01:19:24 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id AFE41D930B; Mon, 10 Dec 2012 10:19:20 +0100 (MET)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id fdJP0Ns0g61Y; Mon, 10 Dec 2012 10:19:20 +0100 (MET)
Received: from [192.168.0.79] (unknown [195.101.98.59]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: briant) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id A0A99D9308; Mon, 10 Dec 2012 10:19:04 +0100 (MET)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Brian Trammell <trammell@tik.ee.ethz.ch>
In-Reply-To: <50C4D203.3090204@cisco.com>
Date: Mon, 10 Dec 2012 10:18:25 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <7F3700A3-0562-47B0-8BEC-394951179E8C@tik.ee.ethz.ch>
References: <50C2314C.20300@plixer.com> <50C23D17.3030503@cisco.com> <88D44B6F-F10C-47FD-947C-A9171AD7F127@tik.ee.ethz.ch> <50C4D203.3090204@cisco.com>
To: Paul Aitken <paitken@cisco.com>
X-Mailer: Apple Mail (2.1499)
Cc: IETF IPFIX Working Group <ipfix@ietf.org>
Subject: Re: [IPFIX] unobserved fields
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 09:19:26 -0000

hi, Paul, all,

Ahhhh -- okay, so you'd be proposing using an indexing mechanism, as with MIB objects, to explicitly link one IE in a record with another to allow the "observation index" IE to expose the observation state of each IE?

I think an example illustrating this -- how MIB-style EFS would support -unobserved-fields -- in the next rev of -unobserved-fields would be very useful.

A couple of other points inline...

On 9 Dec 2012, at 19:01, Paul Aitken <paitken@cisco.com> wrote:

>> As I understand the requirements for -unobserved-fields, we want a way to distinguish, from an MP: "I am capable of observing this attribute, but it was not present in the observation"
> 
> Or, I don't (yet) have sufficient data to calculate a derived metric, eg average / min / max, count or time based metrics.
> 
> 
>> versus "I am not capable of observing this attribute". We have the second already: simply leave the IE out of the template.
> 
> No. Leaving the metric out of the template does not actively indicate that the MP is not capable of measuring it. A CP cannot make any assumptions about metrics which the MP isn't reporting. Rather than this *passive* method, we're missing a way for the MP to *actively* inform the CP that although it's capable of measuring some metric, it's currently not able to provide any further information about the metric.

Absolutely agree; I'm pointing out the "way to do this today" -- which is ambiguous.

>> And, indeed, you can also use leaving things out of the template to signify the first: the presence of a field in some templates from an EP/MP combination implies that it's observable, its absence in the other implies it's not observed.
> 
> No it doesn't. That's the whole point of -unobserved-fields! The MP could have observed it and between the MP and EP, decided not to export it. eg, certain IP addresses, user names, URLs, could be filtered from export stream for privacy or security. The absence of a field in the template isn't directly related to the field's observability.

As above. I'm not saying this is the right way to do things; I'm saying it's the de facto approach.

>> FWIW, YAF does this for those things that haven't moved behind the 6313 curtain: no reverse elements if it's not a biflow, for instance.
>> 
>> Given that, how would you use a per-IE specifier to signal a per-record attribute? What am I missing?
> 
> EFS are also per-record, eg OID index. See the MIB draft.

Okay, so EFS -- specificially, any extension applying an "indexing" feature -- allows specifying that one IE in a Template is present to modify another, so the per-record information still appears in the record; it's just that EFS has allowed an explicit linkage between the IEs, where before we'd have only an implicit linkage (bad, because it's very easy to interpret incorrectly) or an explicit linkage keyed to a specific function in the definition of the IE, e.g. flowKeyIndicator (less bad but still bad, because continuing along these lines you run out of IEs pretty quickly)...correct?

Cheers,

Brian

v2.23.0 | Report a Bug | By Email