[IPFIX] NetFlow v9 to IPFIX conversion

Petr Velan <petr.velan@cesnet.cz> Tue, 06 January 2015 12:03 UTC

Return-Path: <thorgrin@gmail.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id BDA821AC40E for <ipfix@ietfa.amsl.com>; Tue, 6 Jan 2015 04:03:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id A7NIzIlNxHv8 for <ipfix@ietfa.amsl.com>; Tue, 6 Jan 2015 04:03:36 -0800 (PST)
Received: from mail-lb0-x234.google.com (mail-lb0-x234.google.com [IPv6:2a00:1450:4010:c04::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1AD21AC40B for <ipfix@ietf.org>; Tue, 6 Jan 2015 04:03:31 -0800 (PST)
Received: by mail-lb0-f180.google.com with SMTP id l4so18952788lbv.25 for <ipfix@ietf.org>; Tue, 06 Jan 2015 04:03:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=4KECCnhGZ/xaNadJ+utTismGTDopXfKZiZL1ZH57+64=; b=aNRhHOA32fPz3DIKZedjVzTgjwwgg9e9z+ctSsHpO3n3pKcUOywvxniC+ZLzTUiS7X x0suivJxMA+AVtsFci1r2WWiQ1KEWzz4bJHIsuOAKOEgoZu/IMnUgtqiBylhRezUwhMZ GxZ+jQtnXhNxuJw296UaDp2cVsUfKbYMyqIhXmU8wic88LNqgMMeiJ/3fwFVieM3AgSz L0Fzr8cLp9bdxSrHS36Ez0Ae9XbWrt+1JSCKb+EI1AV+Ncu7YYbmhx1ODXdpbSlj6SSh 1i9sz/UJ6N9EEkff91WZR2oHczvWzQ/esTI6M0BQyWXc66WREEq2HPES+X8ZOtw+8Vwx u7kQ==
MIME-Version: 1.0
X-Received: by with SMTP id br8mr60211211lbb.69.1420545809934; Tue, 06 Jan 2015 04:03:29 -0800 (PST)
Sender: thorgrin@gmail.com
Received: by with HTTP; Tue, 6 Jan 2015 04:03:29 -0800 (PST)
Date: Tue, 06 Jan 2015 13:03:29 +0100
X-Google-Sender-Auth: F04W6HxRBNBdwul-RiCf5p9svDw
Message-ID: <CALbOe5O0e3tw--vCrj9FkFWVvoMAb9iZaXyRYqfNFSSqQUT94w@mail.gmail.com>
From: Petr Velan <petr.velan@cesnet.cz>
To: ipfix@ietf.org
Content-Type: multipart/alternative; boundary="001a11c36f44637073050bfa98b0"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipfix/cyV1HElKuy8jsoMapUs-qi20mD0
Subject: [IPFIX] NetFlow v9 to IPFIX conversion
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix/>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jan 2015 12:15:02 -0000

Hello all,

I'm not sure whether this is the right place to ask, but we encountered
following problem when converting NetFlow v9 messages to IPFIX.

Some vendors (I've heard of ntop) are using elements IDs large than 32767
in NetFlow v9. When converting messages with these elements to IPFIX, they
are considered to be Enterprise Numbers. To generate proper IPFIX message,
we need to do one of the following:
a) Generate a list of the elements and map them to PEN of the correct
vendor. However, this would result in an attempt to cover all possible
elements that anybody used in NetFlow v9. Moreover, we would still have to
somehow handle the cases where the element is unknown
b) Request a PEN for NetFlow compatibility and just add this PEN for every
element that has ID larger than 32767.

Personally, I believe that the b) is more general and error-prone. Do you
think, that it would be possible to dedicate whole PEN to this cause?

Thank you for any opinions,

Petr Velan