IETF Logo Mail Archive

[IPFIX] Draft Standard version of RFC5101

Benoit Claise <bclaise@cisco.com> Sun, 27 March 2011 14:57 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: ipfix@core3.amsl.com
Delivered-To: ipfix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 92DA23A6866 for <ipfix@core3.amsl.com>; Sun, 27 Mar 2011 07:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.603
X-Spam-Level:
X-Spam-Status: No, score=-2.603 tagged_above=-999 required=5 tests=[AWL=-0.005, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YIXNt96PJMRJ for <ipfix@core3.amsl.com>; Sun, 27 Mar 2011 07:57:26 -0700 (PDT)
Received: from av-tac-bru.cisco.com (weird-brew.cisco.com [144.254.15.118]) by core3.amsl.com (Postfix) with ESMTP id C057F3A6823 for <ipfix@ietf.org>; Sun, 27 Mar 2011 07:57:25 -0700 (PDT)
X-TACSUNS: Virus Scanned
Received: from strange-brew.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-bru.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id p2REQumc005649 for <ipfix@ietf.org>; Sun, 27 Mar 2011 16:26:56 +0200 (CEST)
Received: from [10.55.90.99] (dhcp-10-55-90-99.cisco.com [10.55.90.99]) by strange-brew.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id p2REQpr9000745 for <ipfix@ietf.org>; Sun, 27 Mar 2011 16:26:51 +0200 (CEST)
Message-ID: <4D8F492A.6040605@cisco.com>
Date: Sun, 27 Mar 2011 16:26:50 +0200
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: "ipfix@ietf.org" <ipfix@ietf.org>
Content-Type: multipart/alternative; boundary="------------010004050205080108000003"
Subject: [IPFIX] Draft Standard version of RFC5101
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Mar 2011 14:57:28 -0000

Dear all,

Here is the list of things to be changed in the Draft Standard version 
of RFC5101.
Along the years, I've been collecting (from different people a list of 
what could be improved in IPFIX. Many points come from discussions with 
Paul Aitken.

Some of points below should be discussed.

1. what must be changed is obviously 
http://www.rfc-editor.org/errata_search.php?rfc=5101

2. the email thread 
http://www.ietf.org/mail-archive/web/ipfix/current/msg05652.html 
suggests to change the definition from "IP Traffic Flow or Flow" to 
"Traffic Flow or Flow", and from "IP packets" to "packets" when RFC5101 
will go from Proposed Standard to Draft Standard.

3. Different Template Record management between the transport protocol 
(feedback from the IPFIX interop)

SCTP transport

    If the Collecting Process receives a Template that has
    already been received but that has not previously been withdrawn
    (i.e., a Template Record from the same Exporter Observation Domain
    with the same Template ID received on the SCTP association), then the
    Collecting Process MUST shut down the association.


So an identical Template Record is resent (like in UDP), the Collecting 
Process MUST shut down the association
First problem: we don't have the same statement for TCP, which only says:

    If the Collecting Process receives a malformed IPFIX Message, it MUST
    discard the IPFIX Message and SHOULD log the error.

So this is not consistent as we don't know what "malformed" means.
Thinking some more about it, is this really a mistake if SCTP and TCP 
would behave as UDP, i.e. accept the exact same (Options) Template 
Record to be resent? Proposal with something such as: It's NOT 
RECOMMENDED that _identical _Template Record are resent in SCTP and 
TCP.... but it will not cause the SCTP association or TCP association to 
be shut down...
Before applying this change, we have to double-check if there are no 
complications for draft-ietf-ipfix-export-per-sctp-stream-08

4.

OLD:

Exporting Process ID
                         The identifier of the Exporting Process for
                         which lack of reliability is reported.  There
                         are three Information Elements specified in
                         [RFC5102  <http://tools.ietf.org/html/rfc5102>] that can be used for this purpose:
                         exporterIPv4Address, exporterIPv6Address, or
                         exportingProcessId.  This Information Element
                         MUST be defined as a Scope Field.

NEW:

Exporting Process ID
                         The identifier of the Exporting Process for
                         which lack of reliability is reported.  There
                         are three Information Elements specified in
                         [RFC5102  <http://tools.ietf.org/html/rfc5102>] that can be used for this purpose:
                         exporterIPv4Address, exporterIPv6Address, or
                         exportingProcessId.  This Information Element,
                         _or these Information Elements if multiple are
_                         _needed,_  MUST be defined as a Scope Field

Justification: both the address and process ID are needed to identify a 
specific exporter in the case  of multiple exporters at the same address.



5.

10.3.6.  Template Management

    Following a configuration change that can modify the interpretation
    of the Data Records (for example, a sampling rate change) a new
    Template ID MUST be used, and the old Template ID MUST NOT be reused
    until its lifetime (see Section 10.3.7) has expired.

In section 10.3.7.  Collecting Process, we read:

    The Template lifetime at the Collecting Process MUST be at least 3
    times higher than the Template refresh timeout configured on the
    Exporting Process.


In Flexible NetFlow, template refresh is in units of packets, so that 
template export scales with the volume of exported data.
If we're no longer exporting any packets then the "3 times higher" 
threshold will never be reached... so the templates will never expire.
eg, if we're exporting templates every 1,000 packets, then the lifetime 
on the collector should be 3,000 packets. Yet once we're no longer using 
the template, we'll be exporting 0 packets...
So the RFC should specify the units, or give an alternative mechanism.


6.

Section 8:
    If the measurement parameters change such that a new Template is
    required, the Template MUST be withdrawn (using a Template Withdraw
    Message and a new Template definition) or an unused Template ID MUST
    be used.  Examples of the measurement changes are: a new sampling
    rate, a new Flow expiration process, a new filtering definition, etc.

A new sampling rate etc may not require a new template at all; it may be 
expressed with the same template, just different data. The template 
belongs to the transport layer and really has nothing to do with the 
sampler change!

Proposal: remove "a new sampling rate"


7.

Section 4.3.  The Exporting Process Reliability Statistics Option Template

    time first flow dropped
                         The timestamp of the first Flow was dropped by
                         the Metering Process.  For this timestamp, any
                         of the "flowStart" timestamp Information
                         Elements flowStartMilliseconds,
                         flowStartMicroseconds, flowStartNanoseconds, and
                         flowStartDeltaMicroseconds can be used.

    time last flow dropped
                         The timestamp of the last IP packet that was
                         ignored by the Metering Process.  For this
                         timestamp, any of the "flowEnd" timestamp
                         Information Elements flowEndMilliseconds,
                         flowEndMicroseconds, flowEndNanoseconds, and
                         flowEndDeltaMicroseconds can be used.

Firstly, these definitions are inconsistent since the names and the 
first definition say "flow" while the second definition says "IP 
packet". Obviously "IP packet" != "flow" :-o

Secondly, "The timestamp of the first Flow was dropped by the Metering 
Process." is bad English: at least it's missing "that".

8.

Section 4.3.  The Exporting Process Reliability Statistics Option Template

These statistics where defined before we introduced the concept of 
Transport Session.
  This full section 3.4 should be re-specified for "4.3 The Transport 
Session Reliability Statistics Option Template"


9.

Section 4.2.  The Metering Process Reliability Statistics Option Template

Suppose a packet cannot be classified before it's dropped. Which
Metering Process (meteringProcessId) should report this?

Suppose the packet pertains to several monitors. If some or all of
them cannot record the packet (eg, cache full), should they all report
the loss? That might look like some random number of packets had been
lost, when in fact it's only one.



10.

Do we want to have a new IE  for the template lifetime, to be sent in an 
Options Template Record.


Regards, Benoit.

v2.23.0 | Report a Bug | By Email