IETF Logo Mail Archive

Re: [IPFIX] NetFlow v9 to IPFIX conversion

Paul Aitken <paitken@brocade.com> Thu, 16 April 2015 09:54 UTC

Return-Path: <paitken@Brocade.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C75F1B30BF for <ipfix@ietfa.amsl.com>; Thu, 16 Apr 2015 02:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Level:
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3sfeG2xaO47A for <ipfix@ietfa.amsl.com>; Thu, 16 Apr 2015 02:54:42 -0700 (PDT)
Received: from mx0b-000f0801.pphosted.com (mx0b-000f0801.pphosted.com [67.231.152.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA3771ACDEB for <ipfix@ietf.org>; Thu, 16 Apr 2015 02:54:42 -0700 (PDT)
Received: from pps.filterd (m0000700.ppops.net [127.0.0.1]) by mx0b-000f0801.pphosted.com (8.14.7/8.14.7) with SMTP id t3G9V5cK011212; Thu, 16 Apr 2015 02:54:35 -0700
Received: from brmwp-exchub01.corp.brocade.com ([208.47.132.227]) by mx0b-000f0801.pphosted.com with ESMTP id 1tsmk3aw62-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 16 Apr 2015 02:54:35 -0700
Received: from BRMWP-EXMB12.corp.brocade.com (172.16.59.130) by BRMWP-EXCHUB01.corp.brocade.com (172.16.186.99) with Microsoft SMTP Server (TLS) id 14.3.123.3; Thu, 16 Apr 2015 03:54:34 -0600
Received: from EMEAWP-CASH01.corp.brocade.com (172.29.18.10) by BRMWP-EXMB12.corp.brocade.com (172.16.59.130) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 16 Apr 2015 03:54:33 -0600
Received: from [172.27.212.80] (172.27.212.80) by imapeu.brocade.com (172.29.18.15) with Microsoft SMTP Server (TLS) id 8.3.298.1; Thu, 16 Apr 2015 11:54:31 +0200
Message-ID: <552F86D6.4050704@brocade.com>
Date: Thu, 16 Apr 2015 10:54:30 +0100
From: Paul Aitken <paitken@brocade.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.5.0
MIME-Version: 1.0
To: Petr Velan <petr.velan@cesnet.cz>, Gerhard Muenz <muenz@net.in.tum.de>
References: <CALbOe5O0e3tw--vCrj9FkFWVvoMAb9iZaXyRYqfNFSSqQUT94w@mail.gmail.com> <54AC4097.1050602@plixer.com> <CALbOe5M8VtTLANGZDUG=bQH-z6eKLK7ckTPTUY0AueX_ioUs1Q@mail.gmail.com> <551DA857.2050104@net.in.tum.de> <CALbOe5OokEaC-d2_mX8qupHMJ3X+udv4a7rOkKU=0GHfwSXxJw@mail.gmail.com>
In-Reply-To: <CALbOe5OokEaC-d2_mX8qupHMJ3X+udv4a7rOkKU=0GHfwSXxJw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040401040503000409030408"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33, 0.0.0000 definitions=2015-04-16_04:2015-04-15,2015-04-16,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1504160082
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipfix/dhuQLXZGRrHbUNTiRhuWI4fnNwo>
Cc: "ipfix@ietf.org" <ipfix@ietf.org>
Subject: Re: [IPFIX] NetFlow v9 to IPFIX conversion
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix/>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2015 09:54:46 -0000

Petr,

> the problem we are facing here is that the NetFlow v9 ID space is not 
> centrally managed

NetFlow v9 is a cisco protocol, and the IDs are allocated by Cisco's 
netflow police. Contact ipfix-iana@cisco.com.

Anyone using NFv9 IDs without contacting them is asking for trouble (ie, 
ID collisions).


> therefore we cannot hope to cover all possible IDs and vendors, since 
> they can change. Moreover, as you say, the owner of a PEN maintains 
> his ID registry, therefore we should not use someones PEN just because 
> he defined the nf9 elements.

Equally, nobody should be self-defining NFv9 elements without reference 
to Cisco, because they've no idea what IDs Cisco (or others) might use 
in future.


> What I propose is similar to RFC 5612. We should define an NetFlow to 
> IPFIX conversion PEN which could be used by anyone for mapping nf9 
> elements with ID > 2^15. The ID of that element would not be changed, 
> only the PEN would be added, which, as an added benefit, would be 
> fairly easy to implement in IPFIX mediators. No central management is 
> necessary, just as you need to know the nf9 elements that you use, you 
> would have to know the semantics from the appropriate vendor. The 
> collisions cannot be avoided, however, they are not managed in nf9 either.
>
> As you say, there is currently no PEN for general experimental use 
> that could be used as a fallback.

Even if there was, you shouldn't use such a PEN in a released product 
because it could conflict with someone else's usage.

P.


> I think that creating a specific PEN for this task is the right solution.
>
> Best regards,
> Petr
>
> On Thu, Apr 2, 2015 at 10:36 PM, Gerhard Muenz <muenz@net.in.tum.de 
> <mailto:muenz@net.in.tum.de>> wrote:
>
>
>     Hi Petr,
>
>     I do not understand the use case of the new PEN that you suggest.
>
>     It does not make sense to register a PEN for an ID space that is
>     not centrally managed in a kind of registry because uniqueness of
>     ID usage must be ensured. Usually, the owner of a PEN maintains
>     such a registry.
>
>     Is there a registry that lists all vendor specific Netflow 9 Field
>     Types?
>     If not, how can you be sure that there are no collisions in the ID
>     space?
>
>     I think that you need to find and use the PENs of the vendors that
>     have defined the additional Netflow 9 Field Types IEs, regardless
>     of whether the IDs are below or above 2^15. Unfortunately, there
>     is no PEN for general experimental use (at least I have not found
>     any) that you could use as a fallback if you do not find an
>     appropriate vendor PEN.
>
>     If you want to use your own non-standard IEs, then you should use
>     the PEN of your organization:
>
>     8057
>       CESNET
>         CESNET masters team
>           masters&cesnet.cz <http://cesnet.cz>
>
>     Maybe, you can also use this PEN to map Field Types for which you
>     do not find a vendor.
>
>     Regards,
>     Gerhard
>
>
>
>     On 26.03.2015 08:14, Petr Velan wrote:
>>     Hi Andrew, all,
>>
>>     thank you for your explanation regarding nprobe.
>>
>>     However, we also need a fallback for unknown exporters with IEs >
>>     2^15. The generic requests for PENs need organization name,
>>     contact name and email address. I can try to request the PEN for
>>     NetFlow v9 compatibility myself, but I'd like it to be more
>>     public. Therefore, I suggest to complete the request with
>>     something like:
>>     *Organization Name*: NetFlow v9 to IPFIX
>>     *Contact Name*: IPFIX WG
>>     *Contact E-Mail: *ipfix@ietf.org <mailto:ipfix@ietf.org>
>>
>>     This is just a first proposal to get things moving, please add
>>     your thoughts. Once the PEN is granted, we can move forward and
>>     explain its purpose in a short RFC.
>>
>>     Petr
>>
>>     On Tue, Jan 6, 2015 at 9:07 PM, Andrew Feren <andrewf@plixer.com
>>     <mailto:andrewf@plixer.com>> wrote:
>>
>>         Hi Petr,
>>
>>         On 01/06/2015 07:03 AM, Petr Velan wrote:
>>>         Hello all,
>>>
>>>         I'm not sure whether this is the right place to ask, but we
>>>         encountered following problem when converting NetFlow v9
>>>         messages to IPFIX.
>>>
>>>         Some vendors (I've heard of ntop) are using elements IDs
>>>         large than 32767 in NetFlow v9. When converting messages
>>>         with these elements to IPFIX, they are considered to be
>>>         Enterprise Numbers. To generate proper IPFIX message, we
>>>         need to do one of the following:
>>>         a) Generate a list of the elements and map them to PEN of
>>>         the correct vendor. However, this would result in an attempt
>>>         to cover all possible elements that anybody used in NetFlow
>>>         v9. Moreover, we would still have to somehow handle the
>>>         cases where the element is unknown
>>         This should help with ntop/nprobe
>>
>>         Recent versions of nprobe (since version 5.5.5 I think) all
>>         use the following mapping.
>>
>>         PEN = 35632 and IPFIXID = (v9ID - 57472)
>>
>>         For example, one v9 IE that nprobe exports is
>>         MYSQL_SERVER_VERSION 57667. The IPFIX equivalent would be
>>         MYSQL_SERVER_VERSION(35632/195).
>>
>>         The nprobe docs have a complete list.
>>
>>         Older versions of nprobe (pre ~2010) use IEs not in RFC 3954,
>>         but later allocated in IANA.  There is no good way to convert
>>         those v9 exports to IPFIX.
>>
>>         -Andrew
>>
>>
>>>         b) Request a PEN for NetFlow compatibility and just add this
>>>         PEN for every element that has ID larger than 32767.
>>>
>>>         Personally, I believe that the b) is more general and
>>>         error-prone. Do you think, that it would be possible to
>>>         dedicate whole PEN to this cause?
>>>
>>>         Thank you for any opinions,
>>>
>>>         Petr Velan
>>>
>>>
>>>
>>>         _______________________________________________
>>>         IPFIX mailing list
>>>         IPFIX@ietf.org  <mailto:IPFIX@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/ipfix
>>
>>
>>
>>
>>     _______________________________________________
>>     IPFIX mailing list
>>     IPFIX@ietf.org  <mailto:IPFIX@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/ipfix
>
>

v2.23.0 | Report a Bug | By Email