IETF Logo Mail Archive

Re: [IPFIX] [Sender: ipfix-bounces@ietf.org] Re: Maji - an open source IPFIX meter implementation

Andrew Johnson <andrjohn@cisco.com> Wed, 25 February 2009 15:06 UTC

Return-Path: <andrjohn@cisco.com>
X-Original-To: ipfix@core3.amsl.com
Delivered-To: ipfix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6419C3A6A22 for <ipfix@core3.amsl.com>; Wed, 25 Feb 2009 07:06:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.999
X-Spam-Level:
X-Spam-Status: No, score=-9.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5iLAKMqBOE7t for <ipfix@core3.amsl.com>; Wed, 25 Feb 2009 07:06:10 -0800 (PST)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id 623723A68AC for <ipfix@ietf.org>; Wed, 25 Feb 2009 07:06:08 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.38,265,1233532800"; d="scan'208";a="34809184"
Received: from ams-dkim-1.cisco.com ([144.254.224.138]) by ams-iport-1.cisco.com with ESMTP; 25 Feb 2009 15:06:13 +0000
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n1PF6Doi023939; Wed, 25 Feb 2009 16:06:13 +0100
Received: from cisco.com (mrwint.cisco.com [64.103.71.48]) by ams-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n1PF6DHk019052; Wed, 25 Feb 2009 15:06:13 GMT
Received: from [144.254.153.39] (dhcp-144-254-153-39.cisco.com [144.254.153.39]) by cisco.com (8.11.7p3+Sun/8.8.8) with ESMTP id n1PF63k10420; Wed, 25 Feb 2009 15:06:03 GMT
Message-ID: <49A55E5E.9060609@cisco.com>
Date: Wed, 25 Feb 2009 15:06:06 +0000
From: Andrew Johnson <andrjohn@cisco.com>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: Gerhard Muenz <muenz@net.in.tum.de>
References: <4998D006.1030106@cs.waikato.ac.nz> <49A2C8D8.3000402@net.in.tum.de> <49A31B3C.8070004@cisco.com> <49A3C322.4030000@net.in.tum.de> <49A3F1CA.80801@cisco.com> <FDB62598-788E-4F28-945B-F13C0D99A419@tik.ee.ethz.ch> <49A3F7FD.7080902@net.in.tum.de> <49A3FA98.6060403@cisco.com> <49A3FDE1.6040405@net.in.tum.de> <49A408AD.7080201@cisco.com> <49A4100C.3070902@net.in.tum.de> <49A41630.4030208@cisco.com> <49A50021.3050100@net.in.tum.de>
In-Reply-To: <49A50021.3050100@net.in.tum.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4129; t=1235574373; x=1236438373; c=relaxed/simple; s=amsdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=andrjohn@cisco.com; z=From:=20Andrew=20Johnson=20<andrjohn@cisco.com> |Subject:=20Re=3A=20[IPFIX]=20[Sender=3A=20ipfix-bounces@ie tf.org]=20Re=3A=20Maji=20-=20an=20open=20source=0A=20IPFIX=2 0meter=20implementation |Sender:=20; bh=cWTOPe/4bx9vp6GYjjTe/JKpFh/haecSbGuM7GG+7bk=; b=s/YZ08pxmK12pPL2UQQpz3LCbDtiPkSQIlHnT5VuI+13rYiFuUs6rHMteq gAjQp7S3QOzxQHcQkbYRM1txMBHA+QSrjqLXWPGGPe4qzjSBe6jeolBNkJ1R 1B4nCT/QFz;
Authentication-Results: ams-dkim-1; header.From=andrjohn@cisco.com; dkim=pass ( sig from cisco.com/amsdkim1002 verified; );
Cc: ipfix@ietf.org
Subject: Re: [IPFIX] [Sender: ipfix-bounces@ietf.org] Re: Maji - an open source IPFIX meter implementation
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2009 15:06:11 -0000

Gerhard Muenz wrote:
> Hi Andrew,
> 
>>>> Looking again, you seem to have have a start, stop and mask value for
>>>> each filter.  So what would you expect the behaviour to be of a filter
>>>> that demands a TCP flags value of 0 when faced with a UDP packet?
>>> I do not know. Is it defined somewhere?
>> Not as far as I know, however if you're matching on and IPv4 address of
>> 192.168.0.1, I would not expect all IPv6 traffic to pass the filter.
> 
> Is it useful to add a note to PSAMP-TECH?

Probably, but maybe too late now.


>>>> My instinct is that it should reject the UDP packet because it cannot
>>>> provide a TCP flags value of 0.  An alternate filter could be set up to
>>>> accept UDP packets.
>>>>
>>>> If we agree on that point, then how about a TCP flags filter that
>>>> filtered on TCP flags being in the range 0x00 to 0xFF.  It would accept
>>>> all values for the TCP flags field, but reject packets that didn't have
>>>> the field.
>>> Then, we could place a property match filter in front of the Cache that
>>> matches all fields of the Cache Layout with mask=0x00 (or start=0 and
>>> end=infinity) to ensure that all fields are present.
>> Exactly.
>>
>>
>>> However, I'm a little bit confused about the following paragraph in
>>> PSAMP-TECH:
>>>
>>> 6.1 Property Match Filtering
>>>
>>>     ....
>>>
>>>     A packet is selected if Field=Value. Masks and ranges are only
>>>     supported to the extent to which [RFC5102] allows them e.g. by
>>>     providing explicit fields like the netmasks for source and
>>>     destination addresses.
>>>
>>> Also, PSAMP-PROTOCOL does not allow to export a value range [start,
>>> stop] in an Option :(
>> Yes, I know.  It's very difficult to export min/max/mask using IPFIX
>> without defining new Information Elements for each field you want to
>> filter on.
> 
> Hm, I do not think that defining min/max/mask IEs for every existing IE
> is needed. I'm sure that a better solution can be found.

Perhaps, I'd certainly like to think so, but so far I've not seen any real
contenders.  I can't think of anything that doesn't need data types and/or
deviate a lot from how we use IPFIX today.


>>> Note that the configuration data model is based in PSAMP-MIB where
>>> "start", "stop" and "mask" are mentioned as parameters of property match
>>> filtering. It seems that these parameters are outdated?
>> When we added the Filtering Interpretation Report in version 02 we
>> didn't have min/max/mask either.  There's just no easy way to export
>> this sort of think in IPFIX without defining three additional I.E.s per
>> field.  Unless anyone can think of something?
> 
> Yes:
> http://tools.ietf.org/html/draft-sommer-ipfix-mediator-ext-01

I don't see how this helps, other than the ability to exclude certain
values.  I didn't see any indication of how to handle multiple uses of
the same I.E., but presumably they follow the same rule as for different
I.E.s and are added with an AND operation, and are therefore
automatically conflicting.

For example, how would you represent a match on the TCP syn flag?  With
min/max/flags we could have 0x02, 0x02, 0x02.  Easy.

In the Filtering Interpretation Report you could use multiple inclusion
filters / selection paths:

  OP1, TCP flags = 0x02
  OP1, TCP flags = 0x03
  OP1, TCP flags = 0x06
  OP1, TCP flags = 0x07
  ...
  OP1, TCP flags = 0x1A
  OP1, TCP flags = 0x1B
  OP1, TCP flags = 0x1E
  OP1, TCP flags = 0x1F

Yuck.

How would this be done with
http://tools.ietf.org/html/draft-sommer-ipfix-mediator-ext-01?


> In my opinion, the current property match filtering specified in PSAMP
> is too restrictive because it only covers simplistic fiters that are
> rarely used in practice. Maybe it should be removed from the documents
> until a better solution is found.

Well, a future draft could extend the filtering mechanisms, but I don't
think we should discard what we have today.  A new selection type can be
added later when we have a way of representing more complex solutions.

Cheers

Andrew

v2.23.0 | Report a Bug | By Email