Re: [IPFIX] new IPFIX fields for traffic classification
Chris Inacio <inacio@cert.org> Mon, 13 June 2011 15:45 UTC
Return-Path: <inacio@cert.org>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BB3D11E80DF for <ipfix@ietfa.amsl.com>; Mon, 13 Jun 2011 08:45:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vrMUauysslQj for <ipfix@ietfa.amsl.com>; Mon, 13 Jun 2011 08:45:23 -0700 (PDT)
Received: from plainfield.sei.cmu.edu (plainfield.sei.cmu.edu [192.58.107.45]) by ietfa.amsl.com (Postfix) with ESMTP id 125A811E80E1 for <ipfix@ietf.org>; Mon, 13 Jun 2011 08:45:23 -0700 (PDT)
Received: from pawpaw.sei.cmu.edu (pawpaw.sei.cmu.edu [10.64.21.22]) by plainfield.sei.cmu.edu (8.14.4/8.14.4/1294) with ESMTP id p5DFjDHJ003663; Mon, 13 Jun 2011 11:45:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1307979913; bh=gg3dOepQLKDyeUPya3w3SHh3DTf7aJ/LDV7ZOnZgEoA=; h=From:To:CC:Date:Subject:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version:Sender: Reply-To; b=Pef5nbAzzUIMq+RJQL7XIDh3ECDQ/Om+M/mdG2A53m6XvPlHnWwNcI3mDIo2yNwsQ CpdHK8+mZeiPaWFqUuQ7Mb6UsUZsHlo2vAdkvF0WfXeo3C/PA3qVIye7FGCRtWo2q3 wructPcq13faZ0vXfo17o5uo9s7szTqg3oOXhzK0=
Received: from owa.sei.cmu.edu (vader.sei.cmu.edu [10.64.28.14]) by pawpaw.sei.cmu.edu (8.14.4/8.14.4/1348) with ESMTP id p5DFjCQq019675; Mon, 13 Jun 2011 11:45:13 -0400
Received: from EXCHANGE.sei.cmu.edu ([10.64.28.12]) by vader.sei.cmu.edu ([10.64.28.14]) with mapi; Mon, 13 Jun 2011 11:45:12 -0400
From: Chris Inacio <inacio@cert.org>
To: Brian Trammell <trammell@tik.ee.ethz.ch>
Date: Mon, 13 Jun 2011 11:45:14 -0400
Thread-Topic: [IPFIX] new IPFIX fields for traffic classification
Thread-Index: Acwp4ODhrSFAxksQTqifdHKM3QlJHQ==
Message-ID: <9D1F34B6-9254-4FC4-8745-31653B533A87@cert.org>
References: <4DF626E8.80606@cisco.com> <73F44306-67AE-4776-95EE-224BB8D63275@tik.ee.ethz.ch>
In-Reply-To: <73F44306-67AE-4776-95EE-224BB8D63275@tik.ee.ethz.ch>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF IPFIX Working Group <ipfix@ietf.org>
Subject: Re: [IPFIX] new IPFIX fields for traffic classification
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2011 15:45:24 -0000
On Jun 13, 2011, at 11:22 AM, Brian Trammell wrote:
> Hi, Paul,
>
> A suggestion: if these are encoded in strings, why not specify a delimiter-separated ID space and have a single flowClassification string with this delimiter separated space.
>
> IE "flowClassification" = "email.gmail", "ftp-group.ftp-data" and so on?
>
> This would allow sub-sub-sub categories, as well ("voip.skype.datachannel.noudp.v5")
>
> Cheers,
>
> Brian
>
I have a lot more to say down below; but I agree with Brian. If there is a desire to start using string fields like this in the protocol, then I think having some structure in the strings that allows them to be somewhat hierarchal maybe, would be wise.
> On Jun 13, 2011, at 5:04 PM, Paul Aitken wrote:
>
>> Dear IPFIX experts,
>>
>> Cisco would like to define some new IPFIX fields for traffic classification so we can attach classification information to each exported flow.
>>
>> Unlike many other fields, we don't propose to encode these fields numerically, so the usual option table mapping numbers to names won't be necessary.
>>
>> Instead, these fields would contain strings. Each field would be extensible so new strings could be added in future. In fact, we expect this to be a regular occurrence as new classifications are defined.
>>
>> However, it's not desirable - and perhaps not even possible - to list all the classification values. So there won't be any complete or exhaustive value list for any of these fields, and IANA won't maintain a registry for each field.
>>
>> This is similar to the existing wlanSSID, interfaceName and VRFname fields: while we can define the purpose of these fields, the values cannot be listed exhaustively. These can only be defined as generic strings, and no attempt should be made to register all the possible values.
>>
>> While we've already defined enterprise-specific fields, we feel these fields will be generally useful to the community. Nevil has asked for discussion before approving our request for new IANA field allocations.
>>
>> So, please discuss... ;-)
>>
>>
>> Specifically, the fields which we'd like to define are:
>>
>> * Category = a protocol attribute which broadly groups a set of protocols having the same characteristic.
>> e.g. file-sharing, email.
>>
>> * Sub-category = a second level category attribute
>> e.g. p2p-file-transfer, gmail
>>
>> * Application-group = a protocol attribute which groups a set of protocols belonging to same application.
>> e.g. ftp-group
>>
>>
>> Cheers,
>> P.
Why would you (being Cisco) want to use strings?
There are the obvious downsides to table mappings: have to have some type of out-of-band mechanism to distribute them, or define some new options records that allows them to be distributed. If not sending them from probe to collector, then you need a central registry. The consensus mechanism of the central repository is too slow, strings are agile. Strings more easily allow ``quiet-mode'' before introducing a product to market, making the suits happy, by eliminating the central repository. I understand that these are all problems, but I would argue these are still better problems to have than having strings.
The problem with strings: The model without a central repository means everyone developing their own strings, mostly incompatible ones. (The collector will then have to guess that Cisco's "email:mua" is the same as my "smtp:user-agent". Or push the problem back up to the user.) Strings are a lot less efficient. IPFIX's design is clearly architected to bandwidth reduction by sending the type-length information very infrequently, and including reduced length encoding - strings are not bandwidth friendly.
I would still argue for a bandwidth efficient interoperable protocol. I don't think adding strings would create an interoperable protocol.
So that said, what I would ask of you Paul, is to describe the why's that make this string mapping so attractive?
(Although if we can all figure out how to get bonuses from our respective employers for writing RFC's, we can start working on the SIP protocol model to define the strings, and I'm fully on board! :) )
Best regards,
Chris Inacio
>>
>> _______________________________________________
>> IPFIX mailing list
>> IPFIX@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipfix
>
> _______________________________________________
> IPFIX mailing list
> IPFIX@ietf.org
> https://www.ietf.org/mailman/listinfo/ipfix
- [IPFIX] new IPFIX fields for traffic classificati… Paul Aitken
- Re: [IPFIX] new IPFIX fields for traffic classifi… Brian Trammell
- Re: [IPFIX] new IPFIX fields for traffic classifi… Chris Inacio
- Re: [IPFIX] new IPFIX fields for traffic classifi… Paul Aitken
- Re: [IPFIX] new IPFIX fields for traffic classifi… Paul Aitken