IETF Logo Mail Archive

Re: [IPFIX] unobserved fields

Paul Aitken <paitken@cisco.com> Sun, 09 December 2012 18:01 UTC

Return-Path: <paitken@cisco.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55D3E21F844E for <ipfix@ietfa.amsl.com>; Sun, 9 Dec 2012 10:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.556
X-Spam-Level:
X-Spam-Status: No, score=-10.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DmNCwJyQJ+mF for <ipfix@ietfa.amsl.com>; Sun, 9 Dec 2012 10:01:40 -0800 (PST)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 53E0721F8441 for <ipfix@ietf.org>; Sun, 9 Dec 2012 10:01:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3740; q=dns/txt; s=iport; t=1355076100; x=1356285700; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=EwTNsUuG/o0Bf5AVVhGen8+dcBGQ8Hz87wIjxPDzNF0=; b=PJS+UdDttHozN+CCQcs8psyHvLr/XbwiqH7P1HBFCBPsCYzOqCbOjicW MPgGJv1wXAE+07nPX6ERd+sUfGuLLvBwa+x/jgbB6FTDB4fPT9g7zn/qq iv+kCe2CVoJ71kjcyJa02byPi31Q2FHwI3hSh6Hkv8eiYhSnRtl5HWzjp U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgsIAErRxFCQ/khR/2dsb2JhbABEg0i7FhZzgh4BAQECAQEBAQE1NgoBBQsLGAkWDwkDAgECARUwBg0BBQIBAYgHBgy+V4w/C4Q4A5YGgRyET4pdgnOBbQ
X-IronPort-AV: E=McAfee;i="5400,1158,6921"; a="148014107"
Received: from ams-core-1.cisco.com ([144.254.72.81]) by ams-iport-1.cisco.com with ESMTP; 09 Dec 2012 18:01:39 +0000
Received: from [10.55.82.214] (dhcp-10-55-82-214.cisco.com [10.55.82.214]) by ams-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id qB9I1cJr015116; Sun, 9 Dec 2012 18:01:38 GMT
Message-ID: <50C4D203.3090204@cisco.com>
Date: Sun, 09 Dec 2012 18:01:39 +0000
From: Paul Aitken <paitken@cisco.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Brian Trammell <trammell@tik.ee.ethz.ch>
References: <50C2314C.20300@plixer.com> <50C23D17.3030503@cisco.com> <88D44B6F-F10C-47FD-947C-A9171AD7F127@tik.ee.ethz.ch>
In-Reply-To: <88D44B6F-F10C-47FD-947C-A9171AD7F127@tik.ee.ethz.ch>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IETF IPFIX Working Group <ipfix@ietf.org>
Subject: Re: [IPFIX] unobserved fields
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2012 18:01:41 -0000

Brian,

> Hi, Paul, Andrew,
>
> I'm not sure I understand the proposed mechanism here...
>
> Observed/unobserved is a per-field/per-record attribute, while extended field specifiers modify IEs per-column: every instance of a given IE in a Template is "decorated" with its extension.

Actually each EFS can contribute additional data within the template 
(ie, applying per column) and/or additional info within data records 
(ie, applying per row).

Look at slide 7 here: 
http://tools.ietf.org/agenda/85/slides/slides-85-ipfix-2.pdf

eg, within the template we'd want to indicate which OID is being 
exported, while we want to indicate indices per data-record.


> As I understand the requirements for -unobserved-fields, we want a way to distinguish, from an MP: "I am capable of observing this attribute, but it was not present in the observation"

Or, I don't (yet) have sufficient data to calculate a derived metric, eg 
average / min / max, count or time based metrics.


> versus "I am not capable of observing this attribute". We have the second already: simply leave the IE out of the template.

No. Leaving the metric out of the template does not actively indicate 
that the MP is not capable of measuring it. A CP cannot make any 
assumptions about metrics which the MP isn't reporting. Rather than this 
*passive* method, we're missing a way for the MP to *actively* inform 
the CP that although it's capable of measuring some metric, it's 
currently not able to provide any further information about the metric.


> And, indeed, you can also use leaving things out of the template to signify the first: the presence of a field in some templates from an EP/MP combination implies that it's observable, its absence in the other implies it's not observed.

No it doesn't. That's the whole point of -unobserved-fields! The MP 
could have observed it and between the MP and EP, decided not to export 
it. eg, certain IP addresses, user names, URLs, could be filtered from 
export stream for privacy or security. The absence of a field in the 
template isn't directly related to the field's observability.


> FWIW, YAF does this for those things that haven't moved behind the 6313 curtain: no reverse elements if it's not a biflow, for instance.
>
> Given that, how would you use a per-IE specifier to signal a per-record attribute? What am I missing?

EFS are also per-record, eg OID index. See the MIB draft.

P.


> On 7 Dec 2012, at 20:01, Paul Aitken <paitken@cisco.com> wrote:
>
>> Andrew,
>>
>>> My earlier email about Extended Field Specifiers reminded me of an other draft (draft-aitken-ipfix-unobserved-fields) that doesn't seem to have gone anywhere, but that I would love to move forward. Having a standard way to know if  field is unobserved/NULL for a given flow would be very valuable.
>> It's not that this draft didn't go anywhere. Rather, I've written all I can for now, yet the WG isn't in a position to adopt the work. However it's a real issue that needs to be solved -in fact, we're already using some of the techniques in this document - so in my mind it's only "on hold" until I think of something to add and/or the WG can adopt it.
>>
>> You're right, Extended Field Specifiers would allow us to tag each field with an "Observed" attribute with advantages:
>>
>>     - we wouldn't need to change fields to varlen just to report length = 0.
>>
>>     - we could have a many-valued reason rather than a boolean.
>>         ie, we can report why the value is not available or not applicable.
>>
>> P.
>> _______________________________________________
>> IPFIX mailing list
>> IPFIX@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipfix

v2.23.0 | Report a Bug | By Email