Re: [IPFIX] NetFlow v9 to IPFIX conversion
Paul Aitken <paitken@brocade.com> Thu, 16 April 2015 09:54 UTC
Return-Path: <paitken@Brocade.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C75F1B30BF for <ipfix@ietfa.amsl.com>; Thu, 16 Apr 2015 02:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Level:
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3sfeG2xaO47A for <ipfix@ietfa.amsl.com>; Thu, 16 Apr 2015 02:54:42 -0700 (PDT)
Received: from mx0b-000f0801.pphosted.com (mx0b-000f0801.pphosted.com [67.231.152.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA3771ACDEB for <ipfix@ietf.org>; Thu, 16 Apr 2015 02:54:42 -0700 (PDT)
Received: from pps.filterd (m0000700.ppops.net [127.0.0.1]) by mx0b-000f0801.pphosted.com (8.14.7/8.14.7) with SMTP id t3G9V5cK011212; Thu, 16 Apr 2015 02:54:35 -0700
Received: from brmwp-exchub01.corp.brocade.com ([208.47.132.227]) by mx0b-000f0801.pphosted.com with ESMTP id 1tsmk3aw62-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 16 Apr 2015 02:54:35 -0700
Received: from BRMWP-EXMB12.corp.brocade.com (172.16.59.130) by BRMWP-EXCHUB01.corp.brocade.com (172.16.186.99) with Microsoft SMTP Server (TLS) id 14.3.123.3; Thu, 16 Apr 2015 03:54:34 -0600
Received: from EMEAWP-CASH01.corp.brocade.com (172.29.18.10) by BRMWP-EXMB12.corp.brocade.com (172.16.59.130) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 16 Apr 2015 03:54:33 -0600
Received: from [172.27.212.80] (172.27.212.80) by imapeu.brocade.com (172.29.18.15) with Microsoft SMTP Server (TLS) id 8.3.298.1; Thu, 16 Apr 2015 11:54:31 +0200
Message-ID: <552F86D6.4050704@brocade.com>
Date: Thu, 16 Apr 2015 10:54:30 +0100
From: Paul Aitken <paitken@brocade.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.5.0
MIME-Version: 1.0
To: Petr Velan <petr.velan@cesnet.cz>, Gerhard Muenz <muenz@net.in.tum.de>
References: <CALbOe5O0e3tw--vCrj9FkFWVvoMAb9iZaXyRYqfNFSSqQUT94w@mail.gmail.com> <54AC4097.1050602@plixer.com> <CALbOe5M8VtTLANGZDUG=bQH-z6eKLK7ckTPTUY0AueX_ioUs1Q@mail.gmail.com> <551DA857.2050104@net.in.tum.de> <CALbOe5OokEaC-d2_mX8qupHMJ3X+udv4a7rOkKU=0GHfwSXxJw@mail.gmail.com>
In-Reply-To: <CALbOe5OokEaC-d2_mX8qupHMJ3X+udv4a7rOkKU=0GHfwSXxJw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040401040503000409030408"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33, 0.0.0000 definitions=2015-04-16_04:2015-04-15,2015-04-16,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1504160082
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipfix/dhuQLXZGRrHbUNTiRhuWI4fnNwo>
Cc: "ipfix@ietf.org" <ipfix@ietf.org>
Subject: Re: [IPFIX] NetFlow v9 to IPFIX conversion
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix/>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2015 09:54:46 -0000
Petr, > the problem we are facing here is that the NetFlow v9 ID space is not > centrally managed NetFlow v9 is a cisco protocol, and the IDs are allocated by Cisco's netflow police. Contact ipfix-iana@cisco.com. Anyone using NFv9 IDs without contacting them is asking for trouble (ie, ID collisions). > therefore we cannot hope to cover all possible IDs and vendors, since > they can change. Moreover, as you say, the owner of a PEN maintains > his ID registry, therefore we should not use someones PEN just because > he defined the nf9 elements. Equally, nobody should be self-defining NFv9 elements without reference to Cisco, because they've no idea what IDs Cisco (or others) might use in future. > What I propose is similar to RFC 5612. We should define an NetFlow to > IPFIX conversion PEN which could be used by anyone for mapping nf9 > elements with ID > 2^15. The ID of that element would not be changed, > only the PEN would be added, which, as an added benefit, would be > fairly easy to implement in IPFIX mediators. No central management is > necessary, just as you need to know the nf9 elements that you use, you > would have to know the semantics from the appropriate vendor. The > collisions cannot be avoided, however, they are not managed in nf9 either. > > As you say, there is currently no PEN for general experimental use > that could be used as a fallback. Even if there was, you shouldn't use such a PEN in a released product because it could conflict with someone else's usage. P. > I think that creating a specific PEN for this task is the right solution. > > Best regards, > Petr > > On Thu, Apr 2, 2015 at 10:36 PM, Gerhard Muenz <muenz@net.in.tum.de > <mailto:muenz@net.in.tum.de>> wrote: > > > Hi Petr, > > I do not understand the use case of the new PEN that you suggest. > > It does not make sense to register a PEN for an ID space that is > not centrally managed in a kind of registry because uniqueness of > ID usage must be ensured. Usually, the owner of a PEN maintains > such a registry. > > Is there a registry that lists all vendor specific Netflow 9 Field > Types? > If not, how can you be sure that there are no collisions in the ID > space? > > I think that you need to find and use the PENs of the vendors that > have defined the additional Netflow 9 Field Types IEs, regardless > of whether the IDs are below or above 2^15. Unfortunately, there > is no PEN for general experimental use (at least I have not found > any) that you could use as a fallback if you do not find an > appropriate vendor PEN. > > If you want to use your own non-standard IEs, then you should use > the PEN of your organization: > > 8057 > CESNET > CESNET masters team > masters&cesnet.cz <http://cesnet.cz> > > Maybe, you can also use this PEN to map Field Types for which you > do not find a vendor. > > Regards, > Gerhard > > > > On 26.03.2015 08:14, Petr Velan wrote: >> Hi Andrew, all, >> >> thank you for your explanation regarding nprobe. >> >> However, we also need a fallback for unknown exporters with IEs > >> 2^15. The generic requests for PENs need organization name, >> contact name and email address. I can try to request the PEN for >> NetFlow v9 compatibility myself, but I'd like it to be more >> public. Therefore, I suggest to complete the request with >> something like: >> *Organization Name*: NetFlow v9 to IPFIX >> *Contact Name*: IPFIX WG >> *Contact E-Mail: *ipfix@ietf.org <mailto:ipfix@ietf.org> >> >> This is just a first proposal to get things moving, please add >> your thoughts. Once the PEN is granted, we can move forward and >> explain its purpose in a short RFC. >> >> Petr >> >> On Tue, Jan 6, 2015 at 9:07 PM, Andrew Feren <andrewf@plixer.com >> <mailto:andrewf@plixer.com>> wrote: >> >> Hi Petr, >> >> On 01/06/2015 07:03 AM, Petr Velan wrote: >>> Hello all, >>> >>> I'm not sure whether this is the right place to ask, but we >>> encountered following problem when converting NetFlow v9 >>> messages to IPFIX. >>> >>> Some vendors (I've heard of ntop) are using elements IDs >>> large than 32767 in NetFlow v9. When converting messages >>> with these elements to IPFIX, they are considered to be >>> Enterprise Numbers. To generate proper IPFIX message, we >>> need to do one of the following: >>> a) Generate a list of the elements and map them to PEN of >>> the correct vendor. However, this would result in an attempt >>> to cover all possible elements that anybody used in NetFlow >>> v9. Moreover, we would still have to somehow handle the >>> cases where the element is unknown >> This should help with ntop/nprobe >> >> Recent versions of nprobe (since version 5.5.5 I think) all >> use the following mapping. >> >> PEN = 35632 and IPFIXID = (v9ID - 57472) >> >> For example, one v9 IE that nprobe exports is >> MYSQL_SERVER_VERSION 57667. The IPFIX equivalent would be >> MYSQL_SERVER_VERSION(35632/195). >> >> The nprobe docs have a complete list. >> >> Older versions of nprobe (pre ~2010) use IEs not in RFC 3954, >> but later allocated in IANA. There is no good way to convert >> those v9 exports to IPFIX. >> >> -Andrew >> >> >>> b) Request a PEN for NetFlow compatibility and just add this >>> PEN for every element that has ID larger than 32767. >>> >>> Personally, I believe that the b) is more general and >>> error-prone. Do you think, that it would be possible to >>> dedicate whole PEN to this cause? >>> >>> Thank you for any opinions, >>> >>> Petr Velan >>> >>> >>> >>> _______________________________________________ >>> IPFIX mailing list >>> IPFIX@ietf.org <mailto:IPFIX@ietf.org> >>> https://www.ietf.org/mailman/listinfo/ipfix >> >> >> >> >> _______________________________________________ >> IPFIX mailing list >> IPFIX@ietf.org <mailto:IPFIX@ietf.org> >> https://www.ietf.org/mailman/listinfo/ipfix > >
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Petr Velan
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Paul Aitken
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Gerhard Muenz
- [IPFIX] NetFlow v9 to IPFIX conversion Petr Velan
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Paul Aitken
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Brian Trammell
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Paul Aitken
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Brian Trammell
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Andrew Feren
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Andrew Feren
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Petr Velan
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Paul Aitken